
• In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
• Examples of vulnerability:
  • an attacker convinces a user to open an email message with attached malware;
  • a flood damages your computer systems installed on the ground floor.
• Advances in telecommunications and computer software
• Unauthorized access, abuse, or fraud
• Hackers
• Computer virus
• Hardware problems
  • Breakdowns, configuration errors, damage from improper use or crime
• Software problems
  • Programming errors, installation errors, unauthorized changes
• Disasters
  • Power failures, flood, fires, etc.
• Large public networks, like the Internet, face many types of threats because they are open to virtually anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. And when the Internet becomes part of the corporate network, the organization's information systems are even more vulnerable to actions from outsiders.
  • Network open to anyone
  • Size of the Internet means abuses can have wide impact
  • E-mail used for transmitting trade secrets
• Identity theft: Theft of personal information (social security id, driver's license or credit card numbers) to impersonate someone else
• Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Internal threats – Employees
  • Security threats often originate inside an organization
  • Inside knowledge: people inside the company with access to the system can leak the information
  • Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
• Inadequate security and control may create serious legal liability.
• Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.
• A sound security and control framework that protects business information assets can thus produce a high return on investment.
• Lack of security and control can lead to:
  • Loss of revenue: failed computer systems can lead to significant or total loss of business function
  • Lowered market value: information assets can have tremendous value, and a security breach may cut into a firm's market value almost immediately
  • Lowered employee productivity
  • Higher operational costs
• Electronic Records Management (ERM): Policies, procedures and tools for managing the retention, destruction, and storage of electronic records.
• Data Security and Control Laws:
  • Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
  • HIPAA (The Health Insurance Portability and Accountability Act): Medical security and privacy rules and procedures
  • Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
  • Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
  • The Computer Fraud and Abuse Act in 1986
  • The National Information Infrastructure Protection Act in 1996
• Ensuring Business Continuity
  • Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service
  • High-availability computing: Designing to maximize application and system availability
  • Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps
  • Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
  • Business continuity planning: Focuses on restoring business operations after a disaster
• MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
• Security audits: Review technologies, procedures, documentation, training, and personnel
• Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
• Firewalls: Hardware and software controlling the flow of incoming and outgoing network traffic.
• Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect intruders.
• Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area.
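The slides describe an intrusion detection system only as a monitoring tool that watches for intruders. The block below is an added example, not part of the original slides, of the simplest kind of detection logic such a tool runs: it scans authentication log lines and raises an alert when one source address accumulates a burst of failed logins, and a second alert if that address later succeeds. The log lines are constructed to resemble OpenSSH messages; the line layout, the threshold of 5 failures and the 60-second window are assumptions for the example.

```python
"""Minimal intrusion-detection check over authentication log lines.

Added example, not part of the original slides. The log lines are
constructed (not real data); the field layout, threshold and window
are assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an OpenSSH-like format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-03-01T10:00:04 sshd[1203]: Failed password for root from 203.0.113.5 port 51241 ssh2
2024-03-01T10:00:06 sshd[1204]: Failed password for root from 203.0.113.5 port 51242 ssh2
2024-03-01T10:00:09 sshd[1205]: Failed password for root from 203.0.113.5 port 51243 ssh2
2024-03-01T10:00:20 sshd[1206]: Accepted password for root from 203.0.113.5 port 51250 ssh2
2024-03-01T10:05:00 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:30:00 sshd[1400]: Failed password for bob from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts for source IPs with >= threshold failures inside window_seconds.

    A sliding window of failure timestamps is kept per IP. An IP is reported
    once; a later 'Accepted' login from an already flagged IP is reported as
    a possible successful compromise that an analyst should examine.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            # Drop failures that fell out of the window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(window)))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_brute_force", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector flags 203.0.113.5 after its fifth failure inside the window and then reports the following successful login, while the two failures from 198.51.100.7, 25 minutes apart, produce nothing. A production IDS does the same kind of stateful counting, with many more rules and with the thresholds tuned to the environment.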
• Walkthrough: Review of specification or design document by a small group of people
• Debugging: Process of discovering and eliminating errors and defects in program code
• Data quality audit
  • Survey and/or sample of files
  • Determines accuracy and completeness of data
• Data cleansing
  • Correcting errors and inconsistencies in data to increase accuracy
• Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed.
• Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
• Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
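The slides define message integrity and digital signatures in one sentence each. The block below is an added example, not part of the original slides, showing the mechanics of an integrity check: the sender attaches a code computed over the message, the receiver recomputes it and compares. The slides' digital signature uses asymmetric keys; this example substitutes a symmetric HMAC-SHA256 tag, which gives the same "origin and contents" verification between two parties that already share a secret key and needs only the Python standard library. The key and messages are constructed placeholders.

```python
"""Message integrity check with a keyed hash (HMAC-SHA256).

Added example, not from the original slides. It swaps the slides'
asymmetric digital signature for a symmetric HMAC; both attach a code
to the message that lets the receiver verify origin and contents.
The key and messages are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the authentication tag that travels with the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    compare_digest is used instead of == so that the comparison time does
    not reveal how many leading bytes of the tag were correct.
    """
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show which situations the check accepts and which it rejects."""
    key = secrets.token_bytes(32)          # shared secret, constructed here
    message = b"transfer 100 EUR to account 12345"
    tag = make_tag(key, message)

    return {
        # unchanged message, correct key: accepted
        "intact": verify(key, message, tag),
        # contents altered in transit: tag no longer matches
        "tampered_content": verify(key, b"transfer 900 EUR to account 12345", tag),
        # sender did not hold the shared key: wrong origin
        "wrong_key": verify(secrets.token_bytes(32), message, tag),
        # tag damaged or shortened: rejected without raising
        "truncated_tag": verify(key, message, tag[:-1]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

The tag detects changed contents and a sender without the key, which is the verification the slides attribute to a digital signature. It does not stop the message from being copied or read: protecting against that requires encryption in addition to the integrity check, and a real digital signature further lets anyone holding the signer's public key verify the message without sharing a secret.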
