Types of Computer Security Threats
For some ideas of harm, look at Figure 1-8, taken from Willis Ware's report. Although it was
written when computers were so big, so expensive, and so difficult to operate that only large
organizations like universities, major corporations, or government departments would have one,
Ware's discussion is still instructive today. Ware was concerned primarily with the protection
of classified data, that is, preserving confidentiality. In the figure, he depicts humans such
as programmers and maintenance staff gaining access to data, as well as radiation by which
data can escape as signals. From the figure you can see some of the many kinds of threats
to a computer system.
Figure 1-8 Computer [Network] Vulnerabilities
One way to analyze harm is to consider the cause or source. We call a potential cause of harm a
threat. Harm can be caused by either nonhuman events or humans. Examples of
nonhuman threats include natural disasters like fires or floods; loss of electrical
power; failure of a component such as a communications cable, processor chip, or disk drive;
or attack by a wild boar.
Threats are caused both by human and other sources
Human threats can be either benign (nonmalicious) or malicious. Nonmalicious
kinds of harm include someone's accidentally spilling drink on a laptop, unintentionally
deleting text, inadvertently sending an email message to the wrong person, and carelessly
typing "12" instead of "21" when entering a phone number or clicking "yes" instead of "no"
to overwrite a file. These inadvertent, human errors happen to most people; we just hope
that the seriousness of harm is not too great, or if it is, that we will not repeat the mistake.
Threats can be malicious or not
Most computer security activity relates to malicious, human-caused harm: A malicious
person actually wants to cause harm, and so we often use the term attack for a
malicious computer security event. Malicious attacks can be random or directed. In a
random attack the attacker wants to harm any computer or user; such an attack is
analogous to accosting the next pedestrian who walks down the street. An example of a
random attack is malicious code posted on a website that could be visited by anybody.
In a directed attack, the attacker intends harm to specific computers, perhaps at one
organization (think of attacks against a political organization) or belonging to a specific
individual (think of trying to drain a specific person's bank account, for example, by
impersonation). Another class of directed attack is against a particular product, such as
any computer running a particular browser. (We do not want to split hairs about whether
such an attack is directed - at that one software product - or random, against any user
of that product; the point is not semantic perfection but protecting against the attacks.)
The range of possible directed attacks is practically unlimited.