Understanding and Managing Threats

A threat is any actor or activity that represents a possible danger to an asset. Threats include any circumstances or events with the potential to adversely impact confidentiality, integrity, or availability of a business’s assets.

Threats are a part of the equation that creates risk:

Risk = Threat × Vulnerability × Asset

R = TVA

Any attempt to manage risk requires a thorough knowledge of threats. This section includes the following topics:

  • Uncontrollable nature of threats
  • Unintentional threats
  • Intentional threats
  • Best practices for managing threats within an IT infrastructure

Uncontrollable Nature of Threats

Realizing a few basic facts about threats is important:

  • Threats can’t be eliminated.
  • Threats are always present.
  • Threats can persist. Some threats remain undetected in an asset, such as a network, for a long period of time.
  • Action can be taken to reduce the potential for a threat to occur.
  • Action can be taken to reduce the impact of a threat.

For example, a thief can’t be stopped from wanting to break into a computer lab to steal computers or the data they contain. However, steps can be taken that either increase or reduce the likelihood of that threat being realized. Leaving the doors unlocked or open, leaving the computers unchained and easy to lift from the tables, or leaving the lights on at night all increase the chances that a thief will break in. In any of those scenarios, it’s just a matter of time before the computer lab is broken into.

However, steps can also be taken to reduce both the likelihood and the impact of the threat. Doors can be kept closed and locked, intrusion detectors and alarms can be installed, important data on the computers can be backed up, all the computers in the lab can be labeled, and the computers can be chained down so they are difficult to move. These are only a few of the measures that make it harder for a thief to gain access to the computer lab, the computers in it, and the data on them.

Threats to IT systems are similar. Lightning strikes hit buildings, malware authors constantly write new programs, and script kiddies run malware just to see what it can do. Professional attackers spend 100 percent of their work time trying to break into personal, government, and corporate networks. They can’t be stopped from wanting to do this, but they can be thwarted by making their efforts difficult and expensive.

Unintentional Threats

Unintentional threats are threats that don’t have a perpetrator; they don’t occur because someone is specifically trying to attack. Such things as natural events and disasters, human errors, and simple accidents are considered unintentional.

There are four primary categories of unintentional threats:

  • Environmental—Threats that arise from the natural environment. They include weather events, such as floods, tornadoes, and hurricanes. Earthquakes and volcanoes are environmental threats, too. Illnesses or an epidemic can cause a loss to the labor force and reduce the availability of systems.
  • Human—Errors made by people. A simple keystroke error can enter incorrect or invalid data. A user may forget to enter key data. A technician could fail to follow a backup procedure, resulting in an incomplete backup, or an administrator might write incomplete or incorrect backup procedures in the first place. Undiscovered software bugs, which are human errors made during development, can also cause serious problems.
  • Accidents—Anything from a minor mishap to a major catastrophe. A backhoe digging a new trench for new cables can accidentally cut power or data cables. An employee might accidentally start a fire in a break room.
  • Failures—Equipment problems. A hard drive can crash, a server can fail, or a router can stop routing traffic. The air-conditioner might stop blowing cool air, causing multiple systems to overheat and fail. Any of these failures can result in the loss of availability of data or services.

Although these threats are unintentional, they can be addressed with a risk management plan. Here are some common methods:

  • Managing environmental threats—Insurance can be purchased to reduce the impact of many environmental threats. A business might decide to move to reduce the threat. For example, a business in the area of the Mount St. Helens volcano can relocate to avoid eruptions. Companies in a hurricane zone can transfer operations elsewhere.
  • Reducing human errors—Automation and input validation are common methods used to reduce errors. Any process that can be automated will consistently run the same way. Input validation checks data to ensure it is valid before it is used. For example, if a program expects a first name, the input validator checks whether the data looks like a valid name. Rules for a valid first name may be no more than 20 characters, no numbers, and only specific special characters. Input validation can’t check to ensure that data is accurate, but it can ensure that data is valid.
  • Preventing accidents—In Michigan, the MISS DIG service (1-800-MISS-DIG), or similar services or agencies in other areas, can be contacted to locate underground cables before digging. The server room should be air-conditioned to prevent heat-related crashes. To prevent common accidents, safety should be stressed.
  • Avoiding failures—Fault-tolerant and redundant systems can be used to protect against the immediate impact of failures. A redundant array of independent disks (RAID) system helps ensure data availability, and failover clusters help ensure that users can access servers at all times.
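The input-validation item above gives rules for a valid first name (at most 20 characters, no digits, only specific special characters) and makes the point that validation establishes validity, not accuracy. The following is an added example, not code from the original text, showing those rules as an allowlist check plus a numeric field, applied to every field before the application uses any of it. The exact set of permitted special characters (space, apostrophe, hyphen, period), the age range, and the sample inputs are assumptions made for this example.

```python
import unicodedata
from typing import Dict, Tuple

# Rules from the text: at most 20 characters, no digits, only specific special
# characters. The set of permitted specials (space, apostrophe, hyphen, period)
# is an assumption made for this example.
MAX_NAME_LEN = 20
ALLOWED_SPECIALS = frozenset(" '-.")


def is_valid_first_name(raw: str) -> Tuple[bool, str]:
    """Allowlist check: returns (valid, reason). Judges validity only, never accuracy."""
    # Canonicalize first so composed and decomposed forms of the same letter are
    # judged the same way and stray whitespace does not count toward the limit.
    name = unicodedata.normalize("NFC", raw).strip()
    if not name:
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    for ch in name:
        # Reject every kind of digit (ASCII and non-ASCII numerals alike).
        if unicodedata.category(ch).startswith("N"):
            return False, "digit not allowed: %r" % ch
        if ch.isalpha() or ch in ALLOWED_SPECIALS:
            continue
        # Anything else (punctuation, control characters, symbols) is rejected.
        return False, "character not allowed: %r" % ch
    if not any(ch.isalpha() for ch in name):
        return False, "no letters"
    return True, "ok"


def is_valid_age(raw: str) -> Tuple[bool, str]:
    """Numeric field: ASCII digits only, then a plausibility range (assumed 1..129)."""
    s = raw.strip()
    # str.isdigit() also accepts non-ASCII numerals that int() would parse;
    # insist on ASCII so the stored value is exactly what the user typed.
    if not s or not s.isascii() or not s.isdigit():
        return False, "not a number"
    age = int(s)
    if not 0 < age < 130:
        return False, "out of range"
    return True, "ok"


VALIDATORS = {"first_name": is_valid_first_name, "age": is_valid_age}


def validate_form(form: Dict[str, str]) -> Dict[str, str]:
    """Check every field before the application uses any of them.
    Returns {field: reason} for each failure; an empty dict means the form is valid."""
    errors = {}
    for field, check in VALIDATORS.items():
        ok, reason = check(form.get(field, ""))
        if not ok:
            errors[field] = reason
    return errors


# Constructed sample inputs for this example.
SAMPLE_NAMES = [
    "Alice",            # valid
    "O'Brien",          # valid: apostrophe is an allowed special
    "Jhon",             # valid but probably a typo: validation cannot judge accuracy
    "R2D2",             # rejected: contains digits
    "Bob\x00",          # rejected: control character
    "Robert'); DROP",   # rejected: ')' and ';' are not allowed
    "A" * 21,           # rejected: too long
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), is_valid_first_name(n))
    print(validate_form({"first_name": "Alice", "age": "30"}))
    print(validate_form({"first_name": "R2D2", "age": "abc"}))
```

Two things worth noticing: "Jhon" passes, because nothing in the rules can tell a misspelling from a real name, which is exactly the validity-versus-accuracy distinction the text draws; and the injection-shaped string is rejected only as a side effect of the allowlist, so validation reduces accidental bad data but is not a substitute for parameterized queries or output encoding further down the stack.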

Intentional Threats

Intentional threats are acts that are hostile to an organization. One or more perpetrators are involved in carrying out the threat. Perpetrators are generally motivated by one of the following:

  • Greed—Many attackers want to make money through the attacks. Attackers steal data and use it to perform acts of fraud. They steal customer data from databases and commit identity theft. Criminals steal proprietary data from competitors. Social engineers try to trick users into giving up passwords for financial sites.
  • Anger—When anger is the motivator, the attacker often wants the victim to pay a price. Anger can result in attempts to destroy assets or disrupt operations. These threats often result in a loss of availability.
  • Desire to damage—Some attackers just want to cause damage. The result is the same as an attacker being motivated by anger. The damage can result in a loss of availability.

Although the preceding list helps in understanding what motivates attackers, the items don’t identify who the attackers are. Some people still have the image of bored teenagers launching random threats from their room. However, attackers are much more sophisticated today.

TIP

The U.S. government’s Department of Homeland Security maintains a website that provides common threats and their descriptions. The website can be accessed at https://www.us-cert.gov/us-cert-tip-categories/threats.

Some of the more common attackers today are:

  • Criminals—Opportunities to make money from online attacks have resulted in a growth in criminal activity, and that activity is far more organized today than ever before. It includes fraud and theft. For example, rogueware tricks users into installing bogus antivirus software, which then demands payment to remove infections it has invented; criminals have extorted millions of dollars this way. More recently, rogueware has evolved into ransomware: criminals block access to the system or encrypt its files and display a message demanding a ransom to restore access to the computer and/or its files. Another common criminal attack is formjacking, in which malicious JavaScript injected into the checkout page of an e-commerce site steals customers’ personal and financial details, such as credit card numbers, as they are entered.
  • Advanced persistent threats (APTs)—These attackers focus on a specific target and have high levels of expertise and almost unlimited resources. Nation-states or terrorist groups often sponsor them. They attack both government and private targets. Operation Aurora is an example of an APT attack. Investigations indicate the APT attack originated from China. It attacked several private companies, such as Google. A McAfee white paper titled “Revealed: Operation Shady RAT” discusses 71 different APT attacks. Twenty-one of these attacks were on government targets, and 50 were on private companies.
  • Vandals—Some attackers are intent on doing damage. They damage just for the sake of damaging something. Their targets are often targets of opportunity.
  • Saboteurs—A saboteur commits sabotage. The sabotage could be against a competing company or another country. The primary goal is to cause a loss of availability.
  • Disgruntled employees—Disgruntled employees often present a significant threat to a company. There are countless reasons an employee might be disgruntled, such as not receiving a pay raise. Employees with a great deal of access can cause a great deal of damage, which is why insiders are a particular concern.
  • Activists—Occasionally, activists present a threat to a company. They often operate with a mindset of the end justifies the means. In other words, if the company does something the activist doesn’t approve of, the activist considers it acceptable to attack. Sometimes, these attacks happen at a national level with nonstate actors motivated by the desire for some form of change in a country’s policies or decisions.
  • Other nations—International espionage is a common and persistent threat. For example, McAfee’s “Operation Shady RAT” white paper details espionage activities widely believed to have come from China. Attackers use remote access tools (RATs) to collect information. They have infiltrated several governments and private companies. Many countries include cyberwarfare as a part of their offensive and defensive strategies.
  • Hackers—Hackers attempt to breach systems. Depending on the goal of the hacker, the motivation may range from innocent curiosity to malicious intent.

TIP

A technical difference exists between a hacker and a cracker. Hackers have historically been known as white-hat hackers or ethical hackers, the good guys. They break into systems to learn how it can be done, not for personal gain. Crackers have been known as black-hat hackers or malicious hackers, the bad guys. They break into systems to damage, steal, or commit fraud. Many black-hat hackers present themselves as white-hat hackers, claiming that their actions are innocent. However, most mainstream media put all hackers in the same black-hat category, so the general perception is that all hackers are bad guys.

Best Practices for Managing Threats Within an IT Infrastructure

Many steps can be taken to manage threats within an IT infrastructure. The following list represents steps that IT security professionals consider best practices:

  • Creating a security policy—Senior managers identify and support the role of security and create a security policy, which provides a high-level overview of the goals of security but not the details of how to implement the security techniques. Managers use this policy to identify resources and create plans to implement the policy. Security policies are an important first step in reducing the impact from threats. Once the security policy has been approved, it needs to be implemented and enforced.
  • Purchasing insurance—Companies purchase insurance to reduce the impact of threats. They commonly purchase insurance for fire, theft, and losses due to environmental events. One important principle to consider here is the:
    • Principle of proportionality—The amount spent on mitigating a risk, such as buying insurance, should be proportional to the risk. For example, a $100,000 insurance policy should not be bought to protect a $50,000 asset.
  • Using access controls—Users should be required to authenticate and granted access to only what they need. Using access controls includes the following two principles:
    • Principle of least privilege—The principle of least privilege involves granting users only the rights and permissions they need to perform their job and no more. By doing this, users are prevented from accidentally or intentionally causing problems.
    • Principle of need to know—The principle of need to know involves granting users access only to the data they need to perform their job and no more. For example, a person may have a security clearance for Secret data. However, that person doesn’t automatically receive access to all Secret data. Instead, the person is granted access only to what he or she needs for the job. This helps prevent abuse of unnecessary access.
  • Using automation—Processes should be automated as much as possible to reduce human errors.
  • Including input validation—Data should be tested for validity before any application uses it.
  • Providing training—Training can be used to increase safety awareness and reduce accidents as well as to increase security awareness to reduce security incidents.
  • Using antivirus software—Antivirus software should be installed on all systems, and virus definition updates should be scheduled to occur automatically.
  • Protecting the boundary—A firewall, at a minimum, should be used to protect the boundary between the intranet and the Internet. Intrusion detection systems (IDSs) can also be used for an added layer of protection.

TIP

A security policy may include several individual policies. For example, it could include a password policy, an acceptable use policy, and a firewall policy.

NOTE

Privileges include rights and permissions. Rights refers to actions users can perform on objects. For example, a user might have the right to change the system time. Permissions refers to object access. For example, a user might have permission to read and modify a file. The principle of least privilege includes both rights and permissions. The principle of need to know focuses on data permissions.
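The access-control item in the best-practices list (least privilege and need to know) and the NOTE above (rights are actions, permissions are object access) describe three separate decisions: does the subject's clearance dominate the data's classification, does the subject have a need to know for that compartment, and has the specific operation been granted. The following is an added example, not code from the original text, that models those decisions and adds the review a least-privilege audit performs: listing everything a subject holds beyond what the job requires. The level names and their ordering, the subjects, documents, and job definitions are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Tuple

# Ordering of classification levels. Level names and their order are an
# assumption for this example.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    compartment: str  # the project or topic the data belongs to


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    need_to_know: FrozenSet[str]               # compartments the job requires
    rights: FrozenSet[str]                     # actions on the system
    permissions: Mapping[str, FrozenSet[str]]  # document name -> granted operations


def has_right(subject: Subject, action: str) -> bool:
    """Rights are actions on the system, e.g. 'change_system_time'."""
    return action in subject.rights


def can_access(subject: Subject, doc: Document, operation: str) -> Tuple[bool, str]:
    """Permissions are object access. Three independent conditions must all
    hold; anything not explicitly granted is denied."""
    if LEVELS[subject.clearance] < LEVELS[doc.classification]:
        return False, "clearance below classification"
    if doc.compartment not in subject.need_to_know:
        return False, "no need to know"
    if operation not in subject.permissions.get(doc.name, frozenset()):
        return False, operation + " not granted"
    return True, "allowed"


def excess_privileges(subject, job_rights, job_permissions):
    """Least-privilege review: everything granted beyond what the job needs."""
    extra_rights = subject.rights - job_rights
    extra_perms = {}
    for doc_name, ops in subject.permissions.items():
        extra = ops - job_permissions.get(doc_name, frozenset())
        if extra:
            extra_perms[doc_name] = extra
    return extra_rights, extra_perms


# Constructed sample subjects and documents.
PLAN_A = Document("plan_a", "Secret", "PROJECT_A")
PLAN_B = Document("plan_b", "Secret", "PROJECT_B")

ALICE = Subject("alice", "Secret", frozenset({"PROJECT_A"}),
                frozenset({"backup_files"}),
                {"plan_a": frozenset({"read"})})
BOB = Subject("bob", "Confidential", frozenset({"PROJECT_A"}),
              frozenset(),
              {"plan_a": frozenset({"read"})})
CAROL = Subject("carol", "Secret", frozenset({"PROJECT_A"}),
                frozenset({"backup_files", "change_system_time"}),
                {"plan_a": frozenset({"read", "modify"})})

# What carol's job actually requires (assumed for the review).
CAROL_JOB_RIGHTS = frozenset({"backup_files"})
CAROL_JOB_PERMISSIONS = {"plan_a": frozenset({"read"})}

if __name__ == "__main__":
    print(can_access(ALICE, PLAN_A, "read"))    # allowed
    print(can_access(ALICE, PLAN_B, "read"))    # same clearance, no need to know
    print(can_access(BOB, PLAN_A, "read"))      # clearance too low
    print(can_access(ALICE, PLAN_A, "modify"))  # read granted, modify not
    print(excess_privileges(CAROL, CAROL_JOB_RIGHTS, CAROL_JOB_PERMISSIONS))
```

Alice holds a Secret clearance yet is refused plan_b, which is also Secret, because her job gives her no need to know for PROJECT_B; that is the distinction the need-to-know principle draws. The excess_privileges review is the practical form of least privilege: run it against what each job actually requires and revoke whatever it reports.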

EY Global Information Security Survey 2018–2019

Ernst & Young, a professional services firm, completes regular surveys that identify many of the trends related to IT security. The 2018–2019 report includes responses from more than 1,400 security practitioners, including chief information officers, chief information security officers, and other executives.

Some of the notable findings in this report are:

  • Cyberrisks are evolving; any organization that regards itself as safe from cyberattacks is likely to be in for a shock.
  • Organizations are being called on to make some progress on three fronts: protecting the enterprise by focusing on identifying assets and building lines of defense; optimizing security by focusing on stopping low-value activities, increasing efficiency, and reinvesting the funds in emerging and innovative technologies to enhance existing protection; and enabling growth by focusing on implementing security by design as a key success factor for the digital transformations that most organizations are going through.
  • The report indicates that there are 6.4 billion fake emails sent worldwide every day, with an average cost of a data breach in 2017 totaling $3.62 million. The number of phishing emails sent out in 2018 was approximately 550 million.
  • Of respondents, approximately 40 percent of organizations reported that their organization’s cybersecurity budget stayed about the same compared to the previous year and about 15 percent plan to increase their cybersecurity budget by over 25 percent. Only 1 percent of organizations surveyed reported a 25 percent cybersecurity budget decrease.
  • Of respondents, approximately 17 percent reported customer information as the most valuable information to cybercriminals, and another 12 percent reported financial information and strategic plans. Approximately 22 percent reported phishing as the biggest cyberthreat, and 20 percent reported malware as their biggest cyberthreat.
  • Respondents reported that the biggest source of vulnerabilities (34 percent) is with careless/unaware employees, and 26 percent indicated the source is from outdated security controls.
  • Respondents indicated that organizations need to spend on relatively new technologies, such as cloud computing, cybersecurity analytics, mobile computing, artificial intelligence, machine learning, robotic process automation, and blockchain.
  • The respondents agreed on the need for governance, indicating that cybersecurity needs to be in the DNA of the organization and must be included in the business strategy.