Risk and Vulnerability
Attackers strategically and deliberately choose their targets based on vulnerabilities they have observed. Individuals and organizations often try to shield themselves from one instance or form of an attack, but they must keep in mind that the attacker can easily shift focus to newly exposed vulnerabilities. Even if you experience some success in tackling several attacks, risks always remain, and the need to confront threats is going to exist for the foreseeable future.
Attackers continue to benefit from certain tactical advantages. Time, location, place, and method of attack are just some of the parameters the aggressor can choose to act unpredictably and unexpectedly. After reducing vulnerability in one area, you can expect attackers to alter their plans by pursuing other exposed and unprotected targets. Most of the time, the attacker has no time pressure at all and can carefully and patiently plan an attack weeks, months, or even years in advance. As a security administrator, you can be assured that new plans are underway that have not yet been considered by your organization.
With the increasing popularity of the Internet, terrorist groups might seek to cause damage by means of a cyber attack. They can exploit the Internet to collect information and to recruit, command, and control their accomplices. Terrorists can even raise funds for their activities through the Internet. Terrorist groups can also use the Internet to expand their technical capabilities to further explore cyber attacks. They can develop their skill sets with the intention of targeting commercial and governmental computer-driven applications in order to disturb financial networks such as stock market exchanges and international banking. Other targets that are increasingly threatened include energy delivery, aviation, and security networks.
As with all types of threats, adequate security protection against cyber attacks is a never-ending struggle. It is implemented through new technologies, system redesign, and adaptation of existing procedures, as discussed in the chapters of this book that follow.
The enterprise or organization should always be conscious of designing systems and procedures that eliminate vulnerabilities and reduce risks. If an identified vulnerability cannot be eliminated immediately, reduction of the associated risk to an acceptable level should be the primary goal. When risks cannot be reduced to a level that is acceptable through network design, security equipment, alerts, and alarms, the alternative of personnel awareness through training and procedures should be utilized.