
Module 2: The Need for Information Security 

Intro to the Need for Information Security

The primary mission of an information security program is to ensure that information assets - information and the systems that house them - remain safe and useful.

If threats didn’t exist, resources could be used exclusively to improve systems that contain, use, and transmit information.

The threat of attacks on information systems is a constant concern.

Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems.

Information security performs four important functions for an organization: protecting the organization’s ability to function, protecting the data and information the organization collects and uses, enabling the safe operation of applications running on the organization’s IT systems, and safeguarding the organization’s technology assets.

Business Needs First

When security needs and business needs collide, business wins.

Without the underlying business to generate revenue and use the information, the information may lose value, and there would be no need for it.

If the business cannot function, information security becomes less important.

The key is to balance the needs of the organization with the need to protect information assets, realizing that business needs come first.

Protecting Functionality

All three communities of interest are responsible for facilitating security programs.

Implementing information security has more to do with management than technology.

Communities of interest should address information security in terms of business impact and cost of business interruption, rather than isolating security as a technical problem.

Protecting Data That Organizations Collect and Use

Without data, an organization loses its record of transactions and the ability to deliver value to customers.

Protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security.

Securing databases encompasses managerial, technical, and physical controls.

Enabling the Safe Operation of Applications

Organizations need environments that safeguard applications using IT systems.

Management must continue to oversee infrastructure once in place - not relegate it to the IT department.

Safeguarding Technology Assets in Organizations

Organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise.

Additional security services may be needed as the organization grows.

More robust solutions should replace security programs the organization has outgrown.

IT continues to add new capabilities and methods that allow organizations to solve business information management challenges.

Information Security Threats and Attacks

Threat: A potential risk to an asset’s loss of value.

Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Exploit: A technique used to compromise a system.

Vulnerability: A potential weakness in an asset or its defensive control system(s).

Management must be informed about the various threats to an organization’s people, applications, data, and information systems.

Overall, security is improving, but the number of potential hackers is growing.

Common Attack Pattern Enumeration and Classification (CAPEC)

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by MITRE - a nonprofit research and development organization sponsored by the U.S. government.

This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

MITRE also uses CAPEC for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

The 12 Categories of Threats to Information Security

  1. Compromises to intellectual property. e.g. Piracy, copyright infringement

  2. Deviations in quality of service. e.g. Internet Service Provider, power, or WAN service Problems

  3. Espionage or trespass. e.g. Unauthorized access and/or data collection

  4. Forces of nature. e.g. Fire, floods, earthquakes, lightning

  5. Human error or failure. e.g. Accidents, employee mistakes

  6. Information Extortion. e.g. Blackmail, information disclosure

  7. Sabotage or vandalism. e.g. Destruction of systems or information

  8. Software attacks. e.g. Viruses, worms, macros, denial of service.

  9. Technical hardware failures or errors. e.g. Equipment failure

  10. Technical software failures or errors. e.g. Bugs, code problems, unknown loopholes.

  11. Technological obsolescence. e.g. Antiquated or outdated technologies

  12. Theft. e.g. Illegal confiscation of equipment or information.

Compromises to Intellectual Property

Intellectual property (IP): Creation, ownership, and control of original ideas as well as the representation of those ideas.

IP includes trade secrets, copyrights, trademarks, and patents.

The most common IP breaches involve software piracy.

Two watchdog organizations investigate software abuse: Software and Information Industry Association (SIIA) and Business Software Alliance (BSA).

According to BSA, in 2018, approximately 37 percent of software installed on personal computers globally was not properly licensed.

Deviations in Quality of Service

An information system depends on the successful operation of many interdependent support systems.

Internet service, communications, and power irregularities dramatically affect the availability of information and systems.

Services are usually arranged with a service level agreement (SLA).

Internet Service Issues: Internet Service Provider (ISP) failures can considerably undermine the availability of information. An outsourced Web hosting provider assumes responsibility for all internet services as well as for the hardware and Web site operating system.

Communications and other service provider issues: Other utility services affect organizations: telephone, water, wastewater, trash pickup. Loss of these services can affect an organization’s ability to function.

Power irregularities: Commonplace; they lead to fluctuations such as power excesses, power shortages, and power losses (blackout, brownout, fault, noise, sag, spike, or surge). Sensitive electronic equipment is vulnerable to, and easily damaged or destroyed by, these fluctuations. Controls can be applied to manage power quality.

Espionage or Trespass

Access to protected information by unauthorized individuals.

Competitive intelligence techniques are legal, whereas industrial espionage techniques are not.

Shoulder surfing can occur anywhere a person accesses confidential information.

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission.

Hackers use skill, guile, or fraud to bypass controls protecting others’ information.

Expert Hacker: Develops software scripts and program exploits. Usually a master of many skills. Will often create attack software and share with others.

Unskilled hacker: Many more unskilled hackers than expert hackers. Use expertly written software to exploit a system. Do not usually fully understand the systems they hack. Also known as script kiddies or packet monkeys.

Other terms for system rule breakers: Cracker: “Cracks” or removes software protection designed to prevent unauthorized duplication. Phreaker: Hacks the public telephone system to make free calls or disrupt services.

Password attacks: Cracking, brute force, dictionary, rainbow tables, social engineering.
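The password attacks listed above (dictionary, brute force, rainbow tables) all target how passwords are stored and checked. The following is an added example, not code from the textbook or this notes page, showing the defensive side: an unsalted digest is precomputable, so a table of common passwords maps digests straight back to passwords, while a per-user random salt plus an iterated key-derivation function (PBKDF2 from the Python standard library) removes that shortcut and slows guessing. The function names and the sample password are assumptions for this demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration (not from the page).
SAMPLE_PASSWORD = "correct horse battery staple"


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password always yields the same digest, so an
    attacker can precompute digests of common passwords (a rainbow table)
    once and reuse them against every stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened scheme: a fresh 16-byte random salt per password makes
    precomputed tables useless, and the iteration count makes each guess
    in a brute-force or dictionary attack cost real CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the parameters alongside the digest so verification can repeat them.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_digest(password: str) -> bool:
    """True for the unsalted scheme: identical input, identical digest."""
    return unsalted_hash(password) == unsalted_hash(password)


def same_password_different_records(password: str, iterations: int = 600_000) -> bool:
    """True for the salted scheme: two users with the same password get
    different stored records, so one cracked record reveals nothing about the other."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print("unsalted digests collide:", same_password_same_digest(SAMPLE_PASSWORD))
    print("salted records differ:   ", same_password_different_records(SAMPLE_PASSWORD))
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password rejected:  ", not verify_password("guess", record))
```

The iteration count is stored with the record so it can be raised for new passwords as hardware gets faster without invalidating old ones; `hmac.compare_digest` is used rather than `==` so verification time does not depend on where the first mismatching byte is.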

Forces of Nature

Forces of nature can present some of the most dangerous threats.

They disrupt not only individual lives, but also storage, transmission, and use of information.

Threats include fires, floods, earthquakes, lightning, landslides, tornados, hurricanes, tsunamis, ESD, dust contamination, solar activity, civil unrest, and acts of war.

Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

Human Error or Failure

Includes acts performed without malicious intent or in ignorance.

Causes include inexperience, improper training, incorrect assumptions.

Employees are among the greatest threats to an organization’s data.

Employee mistakes can easily lead to revelation of classified data, entry of erroneous data, accidental data deletion or modification, data storage in unprotected areas, and failure to protect information.

Many of these threats can be prevented with training, ongoing awareness activities, and controls.

Social Engineering uses social skills to convince people to reveal access credentials or other valuable information to an attacker.

Social Engineering

“People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices … and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.” - Kevin Mitnick

Business e-mail compromise: exploiting business e-mail systems and users.

Advance-fee fraud: A message indicates that the recipient is due money and that a small advance fee or personal banking information is required to facilitate the transfer.

Phishing: an attempt to gain personal/confidential information; an apparently legitimate communication hides embedded code that redirects the user to a third-party site.

Information Extortion

Also known as cyberextortion.

Attacker steals information from a computer system and demands compensation for its return or nondisclosure.

Common in credit card number theft.

Ransomware

Ransomware is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user’s system and data for a fee.

There are two types of ransomware: lock screen and encryption.

Common phishing mechanisms to get a user to download ransomware include pop-ups indicating that illegal information or malware was detected on the user’s system, threatening to notify law enforcement, or offering to delete the offending material if the user clicks a link or button.

Sabotage or Vandalism

Threats can range from petty vandalism to organized sabotage.

Web site defacing can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation.

Threat of hacktivist or cyberactivist operations is rising.

Cyberterrorism/cyberwarfare: a much more sinister form of hacking.

Software Attacks

Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means.

Software attacks occur when an individual or a group designs and deploys software to attack a system.

When an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.

Types of attacks include:

Malware (malicious code): It includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information.

Virus: It consists of code segments that attach to an existing program and take control of access to the targeted computer.

Worms: They replicate themselves until they completely fill available resources such as memory and hard drive space.

Trojan horses: malware disguised as helpful, interesting, or necessary pieces of software.

Polymorphic threat: actually evolves to elude detection.

Virus and worm hoaxes: nonexistent malware that employees waste time spreading awareness about.

Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism.

Denial-of-service (DoS): An attacker sends a large number of connection or information requests to a target. The target system becomes overloaded and cannot respond to legitimate requests for service. It may result in a system crash or an inability to perform ordinary functions.

Distributed Denial-of-Service (DDoS): A coordinated stream of requests is launched against a target from many locations simultaneously.

Mail bombing (also a DoS): An attacker routes large quantities of e-mail to a target to overwhelm the receiver.

Spam (unsolicited commercial e-mail): It is considered more a nuisance than an attack, though it is emerging as a vector for some attacks.

Packet sniffer: It monitors data traveling over a network; it can be used both for legitimate management purposes and for stealing information from a network.

Spoofing: A technique used to gain unauthorized access; an intruder assumes a trusted IP address.

Pharming: It attacks a browser’s address bar to redirect users to an illegitimate site for the purpose of obtaining private information.

Man-in-the-middle: An attacker monitors the network packets, modifies them, and inserts them back into the network.

Technical Hardware Failures or Errors

They occur when a manufacturer distributes equipment containing a known or unknown flaw.

They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.

Some errors are terminal, while others are intermittent.

Intel Pentium CPU failure is a notable example.

Mean time between failure and annualized failure rates measure hardware failure rates.

Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved.

Combinations of certain software and hardware can reveal new software bugs.

Entire web sites are dedicated to documenting bugs.

Open Web Application Security Project (OWASP) is dedicated to helping organizations create/operate trustworthy software and publishes a list of top security risks.

The Deadly Sins in Software Security

Common failures in software development:

SQL injection

Web server-related vulnerabilities (XSS, XSRF, and response splitting)

Web client-related vulnerability (XSS)

Use of magic URLs and hidden forms

Buffer overrun

Format string problems

Integer bugs (overflows/underflows)

C++ catastrophes

Catching exceptions

Command injection

Failure to handle errors

Information leakage

Race conditions

Poor usability

Not updating easily

Executing code with too much privilege

Failure to protect stored data

Use of weak password-based systems

Weak random numbers

Using cryptography incorrectly

Failure to protect network traffic

Improper use of PKI, especially SSL

Trusting network name resolution

Neglecting change control
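The first item in the list above, SQL injection, is the one most easily shown side by side with its fix. The following is an added example, not code from the textbook or this notes page: a lookup that splices user input into the query text, next to the same lookup written as a parameterized query, both run against an in-memory SQLite database with two constructed rows. The table, the rows and the function names are assumptions for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The sin: the caller's string becomes part of the SQL statement, so any
    quote characters in it change the statement's structure rather than
    being treated as data."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The statement text is fixed and the
    driver passes the value separately, so the input can only ever be
    compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Ordinary input behaves the same in both versions.
    print("vulnerable, alice:", find_user_vulnerable(conn, "alice"))
    print("safe, alice:      ", find_user_safe(conn, "alice"))
    # Input containing a quote: the vulnerable version's WHERE clause no longer
    # means what the developer wrote; the safe version simply finds no such user.
    crafted = "x' OR '1'='1"
    print("vulnerable, crafted:", find_user_vulnerable(conn, crafted))
    print("safe, crafted:      ", find_user_safe(conn, crafted))
```

The same pattern applies to every database driver: the defensive property comes from keeping statement text constant and sending values through the driver's placeholder mechanism, not from trying to filter or escape the input yourself.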

Technological Obsolescence

Antiquated/outdated infrastructure can lead to unreliable and untrustworthy systems.

Proper managerial planning should prevent technology obsolescence.

IT plays a large role.

Theft

It is the illegal taking of another’s physical, electronic, or intellectual property.

Physical theft is controlled relatively easily.

Electronic theft is a more complex problem; the evidence of crime is not readily apparent.

Summary

Information security performs four important functions to ensure that information assets remain safe and useful: protecting the organization’s ability to function, enabling the safe operation of applications implemented on the organization’s IT systems, protecting the data an organization collects and uses, and safeguarding the organization’s technology assets.

To make sound decisions about information security, management must be informed about threats to its people, applications, data, and information systems, and the attacks they face.

Threats are any events or circumstances that have the potential to adversely affect operations and assets. An attack is an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. A vulnerability is a potential weakness in an asset or its defensive controls.

Threats or dangers facing an organization’s people, information, and systems fall into the following categories:

Compromises to intellectual property - Intellectual property, such as trade secrets, copyrights, trademarks, or patents, is an intangible asset that may be attacked via software piracy or the exploitation of asset protection controls.

Deviations in quality of service - Organizations rely on services provided by others. Losses can come from interruptions to those services.

Espionage or trespass - Asset losses may result when electronic and human activities breach confidentiality, causing losses to data and availability.

Forces of nature - A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.

Human error or failure - Losses to assets may come from intentional or accidental actions by people inside and outside the organization.

Information extortion - Stolen or inactivated assets may be held hostage to extract payment of a ransom.

Sabotage or vandalism - Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.

Software attacks - Losses may result when attackers use software to gain unauthorized access to systems or to cause disruptions in system availability.

Technical hardware failures or errors - Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.

Technical software failures or errors - Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.

Technological obsolescence - Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.

Theft - Theft of information can result from a wide variety of attacks.

Module 2: The Need for Information Security 

Intro to the Need for Information Security

The primary mission of an information security program is to ensure that information assets - information and the systems that house them - remain safe and useful.

If threats didn’t exist, resources could be used exclusively to improve systems that contain, use, and transmit information.

The threat of attacks on information systems is a constant concern.

Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems.

Information security performs four important functions for an organization. Protecting the organization’s ability to function. Protecting the data and information the organization collects and uses. Enabling the safe operation of applications running on the organization’s IT systems. Safeguarding the organization’s technology assets.

Business Needs First

When security needs and business needs collide, business wins.

Without the underlying business to generate revenue and use the information, the information may lose value, and there would be no need for it.

If the business cannot function, information security becomes less important.

The key is to balance the needs of the organization with the need to protect information assets, realizing that business needs come first.

Protecting Functionality

All three communities of interest are responsible for facilitating security programs.

Implementing information security has more to do with management than technology.

Communities of interest should address information security in terms of business impact and cost of business interruption, rather than isolating security as a technical problem.

Protecting Data That Organizations Collect and Use

Without data, an organization loses its record of transactions and the ability to deliver value to customers.

Protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security.

Securing databases encompasses managerial, technical, and physical controls.

Enabling the Safe Operation of Applications

Organizations needs environments that safeguard applications using IT systems.

Management must continue to oversee infrastructure once in place - not relegate it to the IT department.

Safeguarding Technology Assets in Organizations

Organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise.

Additional security services may be needed as the organization grows.

More robust solutions should replace security programs the organization has outgrown.

IT continues to add new capabilities and methods that allow organizations to solve business information management challenges.

Information Security Threats and Attacks

Threat: A potential risk to an asset’s loss of value.

Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Exploit: A technique used to compromise a system.

Vulnerability: A potential weakness in an asset or its defensive control system(s).

Management must be informed about the various threats to an organization’s people, applications, data, and information systems.

Overall, security is improving, but the number of potential hackers is growing.

Common Attack Pattern Enumeration and Classification (CAPEC)

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by Mitre - a nonprofit research and development organization sponsored by the U.S. government.

This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

MITRE also uses CAPEC for it’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework

The 12 Categories of Threats to Information Security

  1. Compromises to intellectual property. e.g. Piracy, copyright infringement

  2. Deviations in quality of service. e.g. Internet Service Provider, power, or WAN service Problems

  3. Espionage or trespass. e.g. Unauthorized access and/or data collection

  4. Forces of nature. e.g. Fire, floods, earthquakes, lightning

  5. Human error or failure. e.g. Accidents, employee mistakes

  6. Information Extortion. e.g. Blackmail, information disclosure

  7. Sabotage or vandalism. e.g. Destruction of systems or information

  8. Software attacks. e.g. Viruses, worms, macros, denial of service.

  9. Technical hardware failures or errors. e.g. Equipment failure

  10. Technical software failures or errors. e.g. Bugs, code problems, unknown loopholes.

  11. Technological obsolescence. e.g. Antiquated or outdated technologies

  12. Theft. e.g. Illegal confiscation of equipment or information.

Compromises to Intellectual Property

Intellectual property (IP): Creation, ownership, and control of original ideas as well as the representation of those ideas.

IP includes trade secrets, copyrights, trademarks, and patents.

The most common IP breaches involve software piracy.

Two watchdog organizations investigate software abuse: Software and Information Industry Association (SIIA) and Business Software Alliance (BSA).

According to BSA, in 2018, approximately 37 percent of software installed on personal computers globally was not properly licensed.

Deviations in Quality of Service

An information system depends on the successful operation of many interdependent support systems.

Internet service, communications, and power irregularities dramatically affect the availability of information and systems.

Services are usually arranged with a service level agreement. (SLA)

Internet Service Issues: Internet Service Provider (ISP) failures can considerably undermine the availability of information. An outsourced Web hosting provider assumes responsibility for all internet services as well as for the hardware and Web site operating system.

Communications and other server provider issues: Other utility services affect organizations: telephone, water, wastewater, trash pickup. Loss of these services can affect an organizations ability to function.

Power irregularities: Commonplace. Lead to fluctuations such as power excesses, power shortages, and power losses (blackout, brownout, fault, noise, sag, spike, or surge). Sensitive electronic equipment vulnerable to and easily damaged/destroyed by fluctuations. Controls can be applied to manage power quality.

Espionage or Trespass

Access of protected information by unauthorized individuals.

Competitive intelligence techniques are legal, whereas industrial espionage techniques are not.

Shoulder surfing can occur anywhere a person accesses confidential information.

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission.

Hackers use skill, guile, or fraud to bypass controls protecting others’ information.

Expert Hacker: Develops software scripts and program exploits. Usually a master of many skills. Will often create attack software and share with others.

Unskilled hacker: Many more unskilled hackers than expert hackers. Use expertly written software to exploit a system. Do not usually fully understand the systems they hack. Also known as script kiddies or packet monkeys.

Other terms for system rule breakers: Cracker: “Cracks” or removes software protection designed to prevent unauthorized duplication. Phreaker: Hacks the public telephone system to make free calls or disrupt services.

Password attacks: Cracking, brute force, dictionary, rainbow tables, social engineering.

Forces of Nature

Forces of nature can present some of the most dangerous threats.

They disrupt not only individual lives, but also storage, transmission, and use of information.

Threats include fires, floods, earthquakes, lightning, landslides, tornados, hurricanes, tsunamis, ESD, dust contamination, solar activity, civil unrest, and acts of war.

Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

Human Error or Failure

Includes acts performed without malicious intent or in ignorance.

Causes include inexperience, improper training, incorrect assumptions.

Employees are among the greatest threats to an organization’s s data.

Employee mistakes can easily lead to revelation of classified data, entry of erroneous data, accidental data deletion or modification, data storage in unprotected areas, and failure to protect information.

Many of these threats can be prevented with training, ongoing awareness activities, and controls.

Social Engineering uses social skills to convince people to reveal access credentials or other valuable information to an attacker.

Social Engineering

“People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices … and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.” - Kevin Mitnick

Business e-mail compromise: exploiting business e-mail systems and users.

Advance-fee fraud: Indicates recipient is due money and small advance fee or personal banking information required to facilitate transfer.

Phishing: attempt to gain personal/confidential information; apparent legitimate communication hides embedded code that redirects user to third-party site.

Information Extortion

Also known as cyberextortion.

Attacker steals information from a computer system and demands compensation for its return or nondisclosure.

Common in credit card number theft.

Ransomware

Ransomware is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user’s system and data for a fee.

There are two types of ransomware: lock screen and encryption.

Common phishing mechanisms to get a user to download ransomware include pop-ups indicating that illegal information or malware was detected on the user’s system, threatening to notify law enforcement, or offering to delete the offending material if the user clicks a link or button.

Sabotage or Vandalism

Threats can range from petty vandalism to organized sabotage.

Web site defacing can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation.

Threat of hacktivist or cyberactivist operations is rising.

Cyberterrorism/cyberwarfare: a much more sinister form of hacking.

Software Attacks

Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means.

Software attacks occur when an individual or a group designs and deploys software to attack a system.

When an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.

Types of attacks include:

Malware (malicious code): It includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information.

Virus: It consists of code segments that attach to existing program and take control of access to the targeted computer.

Worms: They replicate themselves until they completely fill available resources such as memory and hard drive space.

Trojan horses: malware disguised as helpful, interesting, or necessary pieces of software.

Polymorphic threat: actually evolves to elude detection.

Virus and worm hoaxes: nonexistent malware that employees waste time spreading awareness about.

Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism.

Denial-of-service (DoS): An attacker sends a large number of connection or information requests to a target. The target system becomes overloaded and cannot respond to legitimate requests for service. It may results in a system crash or inability to perform ordinary functions.

Distributed Denial-of-Service (DDoS): A coordinated stream of requests is launched against a target from many locations simultaneously.

Mail bombing(also a DoS): An attacker routes large quantities of e-mail to a target to overwhelm the receiver.

Spam (unsolicited commercial e-mail): It is considered more a nuisance than an attack, though it is emerging as a vector for some attacks.

Packet sniffer: It monitors data traveling over a network; it can be used both for legitimate management purposes and for stealing information from a network.

Spoofing: A technique used to gain unauthorized access; an intruder assumes a trusted IP address.

Pharming: It attacks a browsers address bar to redirect users to an illegitimate site for the purpose of obtaining private information.

Man-in-the-middle: An attacker monitors the network packets, modifies them, and inserts them back into the network.

Technical Hardware Failures or Errors

They occur when a manufacturer distributes equipment containing a known or unknown flaw.

They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.

Some errors are terminal, while others are intermittent.

Intel Pentium CPU failure is a notable example.

Mean time between failure and annualized failure rates measure hardware failure rates.

Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved.

Combinations of certain software and hardware can reveal new software bugs.

Entire web sites are dedicated to documenting bugs.

Open Web Application Security Project (OWASP) is dedicated to helping organizations create/operate trustworthy software and publishes a list of top security risks.

The Deadly Sins in Software Security

Common failures in software development, as catalogued in Howard, LeBlanc, and Viega's 24 Deadly Sins of Software Security:

SQL injection

Web server-related vulnerabilities (XSS, XSRF, and response splitting)

Web client-related vulnerabilities (XSS)

Use of magic URLs and hidden forms

Buffer overrun

Format string problems

Integer bugs (overflows/underflows)

C++ catastrophes

Catching exceptions

Command injection

Failure to handle errors

Information leakage

Race conditions

Poor usability

Not updating easily

Executing code with too much privilege

Failure to protect stored data

Use of weak password-based systems

Weak random numbers

Using cryptography incorrectly

Failure to protect network traffic

Improper use of PKI, especially SSL

Trusting network name resolution

Neglecting change control
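
The first sin on the list is the one most often demonstrated, and the fix is short enough to show beside the flaw. The following is an added example for these notes, not code from the original page: a login lookup built by string formatting next to the same lookup with bound parameters, run against a constructed in-memory SQLite table. The table, its rows and the attacker input are all made up here; SQLite is used only because it ships with Python, and the point holds for any SQL database.

```python
"""SQL injection (deadly sin #1): the vulnerable login query beside the
parameterized one.

Added example for these notes; not code from the original page. The users table,
its two rows and the attacker input are constructed here; SQLite is used only
because it ships with Python, the point holds for any SQL database.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a small constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return con


def login_vulnerable(con, username, password_hash):
    """Builds the statement by string formatting: user input becomes SQL."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return sorted(row[0] for row in con.execute(sql))


def login_safe(con, username, password_hash):
    """Binds the same values as parameters: user input stays data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return sorted(row[0] for row in con.execute(sql, (username, password_hash)))


# Constructed attacker input supplied in the password field. In the vulnerable
# function the WHERE clause becomes
#   username = 'alice' AND password_hash = '' OR '1'='1'
# and, because AND binds tighter than OR, the trailing OR '1'='1' is always true.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "alice", INJECTION))  # every user
    print("safe:      ", login_safe(con, "alice", INJECTION))        # no match
```

The vulnerable version returns every user for the injected password, which in a real application would log the attacker in as the first row returned; the parameterized version returns nothing because the driver sends the quote characters to the database as part of a string value rather than as SQL. Parameter binding removes the injection; how the password hash is compared is a separate concern and is simplified here.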

Technological Obsolescence

Antiquated/outdated infrastructure can lead to unreliable and untrustworthy systems.

Proper managerial planning should prevent technology obsolescence.

IT plays a large role in identifying obsolete technology and planning its replacement.

Theft

It is the illegal taking of another’s physical, electronic, or intellectual property.

Physical theft is controlled relatively easily, with measures such as locks, guards, and inventories.

Electronic theft is a more complex problem; the evidence of crime is not readily apparent.

Summary

Information security performs four important functions to ensure that information assets remain safe and useful: protecting the organization's ability to function, enabling the safe operation of applications implemented on the organization's IT systems, protecting the data an organization collects and uses, and safeguarding the organization's technology assets.

To make sound decisions about information security, management must be informed about threats to its people, applications, data, and information systems, and the attacks they face.

Threats are any events or circumstances that have the potential to adversely affect operations and assets. An attack is an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. A vulnerability is a potential weakness in an asset or its defensive controls.

Threats or dangers facing an organization's people, information, and systems fall into the following categories:

Compromises to intellectual property - Intellectual property, such as trade secrets, copyrights, trademarks, or patents, consists of intangible assets that may be attacked via software piracy or the exploitation of asset protection controls.

Deviations in quality of service - Organizations rely on services provided by others. Losses can come from interruptions to those services.

Espionage or trespass - Asset losses may result when electronic or human activities breach the confidentiality of information.

Forces of nature - A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.

Human error or failure - Losses to assets may come from intentional or accidental actions by people inside and outside the organization.

Information extortion - Stolen or inactivated assets may be held hostage to extract payment of a ransom.

Sabotage or vandalism - Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.

Software attacks - Losses may result when attackers use software to gain unauthorized access to systems or to cause disruptions in system availability.

Technical hardware failures or errors - Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.

Technical software failures or errors - Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.

Technological obsolescence - Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.

Theft - Theft of information can result from a wide variety of attacks.