CHAPTER 2: Computer Threat

Introduction:
A threat to a computer system is a potential danger to the security of its data. The damage a
threat causes is sometimes irreparable.

Definition
As defined by the National Information Assurance Glossary −
 “Any circumstance or event with the potential to adversely impact an IS through
unauthorized access, destruction, disclosure, modification of data, and/or denial of
service.”
 A computer threat can be intentional, such as hacking, or accidental, such as equipment
malfunction or physical damage.

Types of Threat
Following are the most common types of computer threats −
 Physical damage − It includes fire, water, pollution, etc.
 Natural events − It includes climatic, earthquake, volcanic activity, etc.
 Loss of services − It includes electrical power, air conditioning, telecommunication, etc.
 Technical failures − It includes problems in equipment, software, capacity saturation,
etc.
 Deliberate type − It includes spying, illegal processing of data, etc.
Some other threats include error in use, abuse of rights, denial of actions, eavesdropping, theft of
media, retrieval of discarded materials, etc.
Sources of Threat
The possible sources of a computer threat may be −
 Internal − It includes employees, partners, contractors (and vendors).
 External − It includes cyber-criminals (professional hackers), spies, non-professional
hackers, activists, malware (virus/worm/etc.), etc.

How to Secure Your Computer System from Threats?

The following measures protect a system from the different types of threat:
 Install, use, and keep updated antivirus software.
 Install, use, and keep updated a firewall.
 Always back up your important files and folders, and keep one copy offline where malware
cannot reach it.
 Use strong, unique passwords (a different one for every account).
 Take care when downloading and installing programs.
 Install, use, and keep updated a file encryption program.
 Take care when reading email with attachments.
 Keep your children aware of Internet threats and safe browsing.
2.1 Malicious code

Malicious code is code inserted in a software system or web script intended to cause undesired
effects, security breaches, or damage to a system.

What is Malicious Code?

Malicious code is executable content that takes many forms; it need not be a stand-alone
program, since a script or macro that runs inside another application counts as well. Much of it is
designed to give criminals unauthorized remote access to the targeted system, creating a backdoor
into the application or host. With that access, attackers reach private data stored on the network
and can steal, leak, encrypt, or completely wipe it.

Examples of Malicious Code

The most common examples of malicious code include computer viruses, Trojan horses, worms,
bots, spyware, ransomware, and logic bombs. Malicious code is commonly carried by, among
other things:
 scripts (JavaScript, VBScript, PowerShell, document macros),
 browser and application plug-ins,
 pushed content,
 ActiveX controls, and
 Java applets.

2.1.1 Viruses

A computer virus is a type of malicious software, or malware, that spreads between computers
and causes damage to data and software.

Computer viruses aim to disrupt systems, cause major operational issues, and result in data loss
and leakage. A key thing to know about computer viruses is that they are designed to spread
across programs and systems. A virus typically attaches itself to an executable host file, so that
the virus code runs whenever that file is executed. From the document or program it is attached
to, the virus then spreads via networks, drives, file-sharing programs, or infected email
attachments.

Common Signs of Computer Viruses

Speed of System: A computer system running slower than usual is one of the most common
signs that the device has a virus

Pop-up Windows: Unwanted pop-up windows appearing on a computer or in a web browser are
a telltale sign of a computer virus.

Programs Closing or Failing to Start: If programs unexpectedly close by themselves, it is quite
possible that the software has been infected with some form of virus or malware. Another
indicator of a virus is applications failing to load when selected from the Start menu or their
desktop icon.

Accounts Being Logged Out: Some viruses are designed to affect specific applications, which
will either cause them to crash or force the user to automatically log out of the service.

Crashing of the Device: System crashes and the computer itself unexpectedly closing down are
common indicators of a virus.

Mass Emails Being Sent from Your Email Account: Computer viruses are commonly spread
via email. Hackers can use other people's email accounts to spread malware and carry out wider
cyber attacks. Therefore, if an email account has sent emails in the outbox that a user did not
send, then this could be a sign of a computer virus.

Changes to Your Homepage: Any unexpected changes to a computer, such as your browser's
homepage being amended or other browser settings being updated, are signs that a computer virus
may be present on the device.

How to Protect Your Computer from Viruses

There are several ways to protect your computer from viruses, including:

Use a Trusted Antivirus Product: Trusted computer antivirus products are crucial to stop
malware attacks and prevent computers from being infected with viruses.

Avoid Clicking Pop-up Advertisements: Never click on pop-up advertisements because this
can lead to inadvertently downloading viruses onto a computer.

Scan Your Email Attachments: A popular way to protect your device from computer viruses is
to avoid suspicious email attachments, which are commonly used to spread malware. Computer
antivirus solutions can be used to scan email attachments for potential viruses.

Scan the Files That You Download Using File-sharing Programs: File-sharing programs,
particularly unofficial sites, are also popular resources for attackers to spread computer viruses.
Avoid downloading applications, games, or software from unofficial sites, and always scan files
that have been downloaded from any file-sharing program.

2.1.2 Trojan horses


Trojan horse malware is a file, program, or piece of code that appears to be legitimate and
safe but is actually malware. Trojans are packaged inside, or disguised as, legitimate-looking
software (hence the name), and they are often designed to spy on victims or steal data. Many
Trojans also download additional malware after you install them. Unlike viruses and worms,
Trojans do not replicate themselves; they rely on the user to run them.

How to protect from Trojan horses?


There are a couple of best practices, in addition to installing security software, that help guard
against Trojans:
 Never download or install software from a source you don't fully trust.
 Never open a link or run a program sent to you in an email from someone you don't know.
 Ensure anti-malware software is installed, kept updated, and running on your PC.

2.1.3 Worms
A computer worm is a type of malware that can propagate, or self-replicate, from one computer
to another without human action once it has breached a system. Typically a worm spreads across
a network through the Internet or a LAN (local area network) connection, often by exploiting a
vulnerability in a network service.

How does a computer worm spread?

 Phishing: Fraudulent emails that look authentic can carry worms in malicious attachments.
Such emails may also invite users to click malicious links or visit websites designed to
infect users with worms.
 Spear-Phishing: Targeted phishing attempts can carry dangerous malware like
ransomware and crypto worms.
 Networks: Worms can self-replicate across networks via shared access.
 Security holes: Some worm variants can infiltrate a system by exploiting software
vulnerabilities.
 File sharing: P2P file networks can carry malware like worms.
 Social networks: Social platforms like MySpace have been affected by certain types of
worms.
 Instant messengers (IMs): All types of malware, including worms, can spread through
text messages and IM platforms such as Internet Relay Chat (IRC).
 External devices: Worms can infect USB sticks and external hard drives.

What does a computer worm do?

Once a computer worm has breached your computer's defenses it can perform several malicious
actions:

 Drop other malware like spyware or ransomware
 Consume bandwidth
 Delete files
 Overload networks
 Steal data
 Open a backdoor
 Deplete hard drive space

Computer worm examples

Over the years, there have been some particularly devastating worms. Some worms have caused
billions in damage. Here is a brief list of some infamous ones:

 Morris Worm: Also known as the Internet worm, this was one of the first computer
worms to spread via the Internet and earn notoriety in the media.
 Bagle: Also known as Beagle, Mitglieder, and Lodeight, this mass-mailing worm had
many variants.
 Blaster: Also known as MSBlast, Lovesan, and Lovsan, this worm attacked computers
running Windows XP and Windows 2000.
 Conficker: Also known as Downup, Downadup, and Kido, this worm exploited flaws in
Windows to infect millions of computers in over a hundred countries.
 ILOVEYOU: The ILOVEYOU worm infected tens of millions of computers globally,
resulting in billions of dollars in damage.
 Mydoom: This became the fastest-spreading email worm in 2004, sending junk email
across computers.
 Ryuk: Ryuk began as ransomware delivered by other means; later variants gained the ability
to spread on their own, making it worm-like ransomware.
 SQL Slammer: The SQL Slammer worm gained infamy for slowing down Internet traffic by
flooding networks as it scanned for new hosts, causing denial of service.
 Storm Worm: This worm used social engineering, with fake news of a disastrous storm, to
recruit compromised machines into a botnet.
 Stuxnet: This sophisticated worm, developed over years, targeted industrial control systems
and is the best-known example of a worm used as a weapon against physical infrastructure.

Symptoms of a computer worm

Many of the symptoms of a computer worm are like those of a computer virus.

For example, you may have a computer worm if:

 The computer slows down, freezes, or crashes
 It throws up error messages
 Files are missing or corrupted
 Hard drive space is rapidly and inexplicably depleting
 You see alerts from your firewall about a breach

How to stop computer worms

Like other forms of malware, computer worms can be stopped by:

 Installing reputable antivirus or anti-malware software and following safe computing
practices.
 Not entertaining suspicious links, emails, texts, messages, websites, P2P file networks,
and drives.
 Updating your essential software regularly, so that wormable vulnerabilities (those that can be
exploited over the network with no user interaction, such as the Windows flaws exploited by
Blaster and Conficker) are patched before a worm reaches you.
 Segmenting the network and blocking unneeded ports at the host firewall, so that a worm
that does get in cannot reach every machine.

2.1.4 Spyware

Spyware is a type of malware that tracks your internet activity in order to gather sensitive
information such as credit card numbers or demographics. Most of the time, spyware works in
the background of a device, invisible to the unsuspecting. Some of the most common reasons
attackers use spyware include collecting data to sell to third-parties, to steal someone's identity,
or to spy on an individual's computer usage.

How Do You Get Spyware on Your Computer?

Spyware comes in the form of a broad range of programs that hide in the background of your
computer. There are several ways spyware can make its way onto your device including:

 The attacker installing the spyware on your device
 Downloading software or content from an infected source
 Opening suspicious emails
 Via non-secure internet connections

How Does Spyware Work?

Spyware silently tracks cookies to map your internet usage, tracks your social media activity,
tracks the emails you send, and more. It is often used to gather personal information to sell to
third-parties such as advertisers. It's also used as a method to spy on others and exploit a victim's
actions for the hacker's own gain.

Examples

 Keyloggers and similar tools that record what you type or take screenshots of your device.
 Fake alerts: a pop-up window claiming your computer clock's time is off, one claiming to be a
spyware warning, or a file download box that suddenly appears when you weren't expecting it
(the page's own illustration shows such a pop-up warning about a computer virus).
How to Protect Yourself Against Spyware

 Use anti-spyware software. Software is the front-line between you and an attacker. There are
various types of anti-virus software available to fit your budget and needs.
 Update your system. Make sure you update your browser and device often. There may be a
bug that leaves your device open to spyware that only a current update may fix.

 Pay attention to your downloads. Be careful when downloading content from file sharing
websites. Spyware and malware often hide inside these downloads.

 Avoid pop-ups. As tantalizing as they might be, don't select pop-ups that appear on your
screen. You can also install a pop-up blocker and never deal with them.

 Keep an eye on your email. Don't download documents from emails you don't recognize.
Better yet, don't open the emails at all. Delete them.

2.1.5 Phishing

Phishing is a type of social engineering attack often used to steal user data, including login
credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity,
dupes a victim into opening an email, instant message, or text message. The recipient is then
tricked into clicking a malicious link, which can lead to the installation of malware, the freezing
of the system as part of a ransomware attack or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the
stealing of funds, or identity theft.

Phishing attack examples

The following illustrates a common phishing scam attempt:

 A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty
members as possible.
 The email claims that the user's password is about to expire. Instructions are given to go
to myuniversity.edu/renewal to renew the password within 24 hours.

Several things can occur when the user clicks the link. For example:

 The user is redirected to myuniversity.edurenewal.com, a bogus page that looks exactly
like the real renewal page, where both the current and a new password are requested. The
attacker, monitoring the page, captures the current password and uses it to gain access to
protected areas of the university network.
 The user is sent to the actual password renewal page, but the link carries a malicious script
that a reflected XSS flaw on that page executes in the user's browser. The script steals the
user's session cookie, giving the perpetrator the user's logged-in access to the university
network.

How to prevent phishing


Phishing attack protection requires steps be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its
true identity. These can include spelling mistakes or changes to domain names, as seen in the
earlier URL example. Users should also stop and think about why they’re even receiving such
an email.
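A small check for the "changes to domain names" clue above, as an added Python example (not code from the original page): it extracts the host a browser would actually contact and tests whether that host is the trusted domain or one of its subdomains. The sample URLs are constructed around the page's myuniversity.edu scenario.

```python
from urllib.parse import urlsplit


def contacted_host(url):
    """The host the browser will really connect to: lower-cased, no port, no userinfo."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname already discards 'user@' prefixes and ':port' suffixes
    return (parts.hostname or "").rstrip(".").lower()


def is_under_domain(url, trusted_domain):
    """True only if the host is the trusted domain itself or ends in '.' + trusted domain."""
    host = contacted_host(url)
    trusted = trusted_domain.lower()
    return host == trusted or host.endswith("." + trusted)


def classify(url, trusted_domain="myuniversity.edu"):
    return "trusted" if is_under_domain(url, trusted_domain) else "SUSPICIOUS"


# Constructed test URLs mirroring the page's scenario (expected verdict alongside each).
SAMPLES = {
    "https://myuniversity.edu/renewal": True,
    "https://sso.myuniversity.edu/renewal": True,                # real subdomain
    "https://myuniversity.edurenewal.com/renewal": False,        # the page's lookalike: it is a .com host
    "https://myuniversity.edu.evil.example/renewal": False,      # trusted name is only a label prefix
    "https://myuniversity.edu@evil.example/renewal": False,      # userinfo trick: browser goes to evil.example
    "https://evilmyuniversity.edu/renewal": False,               # no dot boundary before the trusted name
    "myuniversity.edu:8443/renewal": True,                       # port does not change the host
}


def check_all(samples=SAMPLES, trusted_domain="myuniversity.edu"):
    """Map each URL to (verdict, agrees_with_expectation)."""
    return {url: (classify(url, trusted_domain), is_under_domain(url, trusted_domain) == expected)
            for url, expected in samples.items()}


if __name__ == "__main__":
    for url, (verdict, _) in check_all().items():
        print(f"{verdict:10s} {url}")
```

The check is deliberately narrow: it catches the page's edurenewal.com lookalike, the "trusted name as a prefix" and "trusted name in the userinfo" tricks, but not homograph domains, open redirects on the real site, or a compromised trusted host. It is a user-side sanity check, not a substitute for mail filtering and phishing-resistant MFA.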

For enterprises, a number of steps can be taken to mitigate phishing attacks:

 Two-factor authentication (2FA)
o is among the most effective methods for countering phishing attacks, as it adds an extra
verification layer when logging in to sensitive applications.
o 2FA relies on users having two things: something they know, such as a password and
user name, and something they have, such as their smartphones.
o Even when employees' passwords are phished, 2FA limits the use of the stolen
credentials, since a password alone is insufficient to gain entry. One-time codes can
themselves be phished and relayed in real time by a proxy site, however; phishing-resistant
factors such as FIDO2/WebAuthn security keys, which bind the login to the real site's
origin, close that gap.
 Enforce strict password management policies. Employees should use a unique password for
each application, ideally generated by a password manager. Current guidance (NIST SP
800-63B) favours screening passwords against breach lists over forced periodic rotation,
which tends to produce weaker, predictable passwords.
 Educational campaigns can also help diminish the threat of phishing attacks by enforcing
secure practices, such as not clicking on external email links.

2.2 Class of Attacks

Network attacks are unauthorized actions on the digital assets within an organizational network.
Malicious parties usually execute network attacks to alter, destroy, or steal private data.
Perpetrators in network attacks tend to target network perimeters to gain access to internal
systems.

2.2.1 Reconnaissance

What is a reconnaissance attack?


A reconnaissance attack is a type of security attack that an attacker uses to gather all possible
information about the target before launching an actual attack. An attacker uses a reconnaissance
attack as a preparation tool for an actual attack.
Reconnaissance is the practice of covertly discovering and collecting information about a
system. The same methods are used in ethical hacking and penetration testing. Like many cyber
security terms, reconnaissance derives from military language, where it refers to a mission with
the goal of obtaining information from enemy territory.

How Reconnaissance Works


Reconnaissance generally follows seven steps:
1. Collect initial information
2. Determine the network range
3. Identify active machines
4. Find access points and open ports
5. Fingerprint the operating system
6. Discover services on ports
7. Map the network
Using these steps, an attacker will aim to gain the following information about a network:
 File permissions
 Running network services
 OS platform
 Trust relationships
 User account information

Port scanning: One of the most common techniques involved with reconnaissance is port
scanning, which sends data to various TCP and UDP (user datagram protocol) ports on a device
and evaluates the response.

Types of reconnaissance:

There are two main types of reconnaissance: Active and Passive reconnaissance.

Active reconnaissance:
 With active reconnaissance, the attacker interacts directly with the target systems and
obtains information through techniques such as automated scanning or manual probing,
using tools like ping, nmap and netcat.
 Active recon is generally faster and more accurate, but riskier: it generates traffic on the
target's network and so has a higher chance of being detected.
Passive reconnaissance:
 Without directly interacting with the target's systems: using sources such as Shodan, DNS
and WHOIS records, or traffic already captured and viewed in Wireshark, and methods such
as passive OS fingerprinting, to gain information.
How To Prevent Reconnaissance
 Organizations can use penetration testing to determine what their network would reveal
in the event of a reconnaissance attack.
 During testing, organizations can deploy port scanning tools (which scan large networks
and determine which hosts are up) and vulnerability scanners (which find known
vulnerabilities in the network).

2.2.2 Access

An access attack is an attempt to reach another user's account or a network device through
improper means. If proper security measures are not in place, the network may be left vulnerable
to intrusion; the network administrator is responsible for ensuring that only authorized users
access the network.
Access attacks are typically carried out by four means, all of which try to bypass some facet of
the authentication process: password attacks, trust exploitation, port redirection, and man-in-the-
middle attacks.

Two types of Access Attack:

1.Logical access attack


 Online password attacks, such as brute-force or dictionary guessing against a login service,
generate a great deal of traffic on the network and can be spotted easily, even by a relatively
inexperienced network monitor. (Rainbow tables and other offline cracking techniques, by
contrast, work on captured password hashes and generate no traffic at all.)
 Most logical access attacks are launched only after enough reconnaissance has been done or
credentials have been obtained.
 Attackers also tend to lean on quieter techniques, such as man-in-the-middle interception, to
gather more information before drawing attention to themselves.
2.Physical access attack
 This is really either access to the hardware or access to the people.
 Social engineering is very dangerous and hard to defend against, simply because users are
usually the weakest link in cyber security.
 The easiest type of social engineering attack involves sending out phishing emails designed to
hook someone, or getting a keylogger onto an insider's computer to capture credentials that
may let the attacker escalate privileges.
 Even the best cyber security can fall to these attacks, simply because they play on human
nature, and people make mistakes.
Solution
 Defending against this type of attack comes down to network hardening.
 Most companies are limited by the capabilities of their equipment, so if your Cisco router is
vulnerable to a known attack, the best course of action is to understand that attack, look for
it, and write rules for it on your network IDS/IPS.
 Update often and regularly.
 Monitor for probing that follows any recently recognized reconnaissance activity.
 Bring in outside teams to test and audit the current security posture.
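The point above that online password attacks are noisy and easy to spot, as an added Python example (not code from the original page): a small detector run over constructed OpenSSH auth.log lines (hosts, users and addresses are made up) that groups failed logins by source address and, within a sliding window, tells a brute-force attack (many failures on one account) from password spraying (one or two tries each across many accounts). The window and thresholds are assumptions to tune against real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar 12 10:00:01 bastion sshd[2001]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 12 10:00:02 bastion sshd[2002]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Mar 12 10:00:02 bastion sshd[2003]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar 12 10:00:03 bastion sshd[2004]: Failed password for alice from 203.0.113.7 port 51003 ssh2
Mar 12 10:00:04 bastion sshd[2005]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar 12 10:00:05 bastion sshd[2006]: Failed password for alice from 203.0.113.7 port 51005 ssh2
Mar 12 10:00:20 bastion sshd[2010]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 12 10:00:21 bastion sshd[2011]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar 12 10:00:22 bastion sshd[2012]: Failed password for invalid user dave from 198.51.100.9 port 40003 ssh2
Mar 12 10:00:23 bastion sshd[2013]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Mar 12 10:00:30 bastion sshd[2020]: Failed password for frank from 192.0.2.5 port 60000 ssh2
Mar 12 10:00:35 bastion sshd[2021]: Accepted password for frank from 192.0.2.5 port 60000 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(lines):
    """Group failed logins by source address as (timestamp, username) pairs."""
    per_source = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, outcome, user, source = m.groups()
        if outcome == "Failed":
            per_source[source].append((datetime.strptime(ts, "%b %d %H:%M:%S"), user))
    return per_source


def classify(events, window=timedelta(seconds=60), max_failures=5, max_users=4):
    """Worst window for one source: many failures on one account is brute force,
    a few failures each across many accounts is password spraying."""
    events = sorted(events)
    start = 0
    worst_failures = worst_users = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1                               # slide the window forward
        span = events[start:end + 1]
        worst_failures = max(worst_failures, len(span))
        worst_users = max(worst_users, len({user for _, user in span}))
    if worst_users >= max_users:
        return "password spraying"
    if worst_failures >= max_failures:
        return "brute force"
    return "benign"


def analyze(lines, **thresholds):
    """Verdict per source address; the output feeds a block list or an IDS/IPS rule."""
    return {src: classify(ev, **thresholds) for src, ev in parse_failures(lines).items()}


if __name__ == "__main__":
    for source, verdict in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{source:16s} {verdict}")
```

A single failed login followed by a success (frank's typo) stays benign, which is the false positive a naive "N failures from one address" rule would not avoid; the distinct-user count is what separates spraying, which per-account lockout never triggers on, from classic brute force.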

2.2.3 Denial of Service attack

 A denial-of-service (DoS) attack is a type of cyber-attack in which a malicious actor aims to
render a computer or other device unavailable to its intended users by interrupting the
device's normal functioning. DoS attacks typically work by overwhelming or flooding a
targeted machine with requests until normal traffic can no longer be processed, resulting in
denial of service to additional users. A DoS attack is characterized by the use of a single
computer to launch the attack.
 A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from many
distributed sources, such as a botnet.
How does a DoS attack work?
The primary focus of a DoS attack is to oversaturate the capacity of a targeted machine, resulting
in denial-of-service to additional requests. The multiple attack vectors of DoS attacks can be
grouped by their similarities.
DoS attacks typically fall into 2 categories:
1.Buffer overflow attacks
 An attack type in which a malformed or oversized input causes a program fault or makes the
machine consume all of its available hard disk space, memory, or CPU time.
 This form of exploit often results in sluggish behaviour, system crashes, or other harmful
server behaviour, resulting in denial of service.
2.Flood attacks
 By saturating a targeted server with an overwhelming volume of packets, a malicious actor is
able to exceed the server's capacity, resulting in denial of service.
 For most DoS flood attacks to succeed, the malicious actor must have more available
bandwidth than the target, which is why floods are usually distributed (DDoS) or rely on
amplification.
Examples:
A few common historic DoS attacks include:
 Smurf attack - the attacker sends ICMP echo requests to the broadcast address of a
vulnerable network with the source address spoofed to the victim's, so every host on that
network replies to the victim, flooding it (an amplification attack).
 Ping flood - this simple DoS attack is based on overwhelming a target with ICMP echo (ping)
packets. By flooding a target with more pings than it can respond to efficiently, denial of
service can occur. This attack can also be run as a DDoS attack.
 Ping of Death - sending a malformed or oversized ping packet to a targeted machine,
resulting in harmful behaviour such as a system crash on unpatched systems.
How can you tell if a computer is experiencing a DoS attack?
Indicators of a DoS attack include:
 Atypically slow network performance such as long load times for files or websites
 The inability to load a particular website such as your web property
 A sudden loss of connectivity across devices on the same network

What is the difference between a DDoS attack and a DoS attack?

The distinguishing difference between DDoS and DoS is the number of sources used in the
attack. Not every DoS attack needs volume: "low and slow" attacks such as Slowloris derive their
power from their simplicity and the minimal resources needed to be effective, holding many
connections open with partial requests so that legitimate clients cannot get one.
A DoS attack uses a single source, while a DDoS attack uses many sources of attack traffic,
often in the form of a botnet. Generally speaking, many of the attacks are fundamentally similar
and can be attempted from one or many sources of malicious traffic.
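Why the single-source case is easier to absorb than the distributed one, as an added Python example (not code from the original page): a per-source token bucket, the usual first line of rate limiting, is run against two constructed floods that carry the same 1,000 requests in one second, one from a single address and one spread over 100 bot addresses. The rates, burst size and the backend's capacity of 200 requests per second are assumptions.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source rate limit: `rate` requests/s sustained, bursts of up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: float(capacity))   # every new source starts full
        self.last_seen = {}

    def allow(self, source, now):
        elapsed = now - self.last_seen.get(source, now)
        self.tokens[source] = min(self.capacity, self.tokens[source] + elapsed * self.rate)
        self.last_seen[source] = now
        if self.tokens[source] >= 1.0:
            self.tokens[source] -= 1.0
            return True
        return False


def run(requests, limiter, server_rps):
    """requests: (time_in_seconds, source) pairs, all within one second.
    Returns how much traffic got past the limiter and whether the backend could serve it."""
    accepted = dropped = 0
    sources = set()
    for t, src in sorted(requests):
        sources.add(src)
        if limiter.allow(src, t):
            accepted += 1
        else:
            dropped += 1
    return {"sources": len(sources), "accepted": accepted, "dropped": dropped,
            "overloaded": accepted > server_rps}   # server_rps: requests/s the backend can serve


def single_source_flood(n=1000):
    """DoS: one machine sends n requests in one second (constructed address)."""
    return [(i / n, "198.51.100.1") for i in range(n)]


def distributed_flood(bots=100, per_bot=10):
    """DDoS: the same volume spread over `bots` botnet members (constructed addresses)."""
    return [(i / per_bot, f"203.0.113.{b}") for b in range(bots) for i in range(per_bot)]


def demo(rate=10, burst=20, server_rps=200):
    return {
        "dos": run(single_source_flood(), TokenBucket(rate, burst), server_rps),
        "ddos": run(distributed_flood(), TokenBucket(rate, burst), server_rps),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The single-source flood is cut to about 30 requests and the backend stays healthy, but the distributed flood passes untouched because every bot stays under the per-source limit. That is why DDoS mitigation needs global limits, upstream scrubbing or simply more capacity, not per-IP rules alone.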
2.3 Program flaws
A program flaw is a problem that exists in a software program. A flaw can be a security risk,
can cause the program to crash, or can cause other issues. To resolve flaws, the software
developer releases updates or patches that change the code and correct the issue.

2.3.1 Buffer overflows


Buffers are memory storage regions that temporarily hold data while it is being transferred from
one location to another. A buffer overflow (or buffer overrun) occurs when the volume of data
exceeds the storage capacity of the memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations.
Buffer overflow example
For example, a buffer for log-in credentials may be designed to expect username and password
inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than
expected), the program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically result from malformed inputs or
failure to allocate enough space for the buffer. If the transaction overwrites executable code, it
can cause the program to behave unpredictably and generate incorrect results, memory access
errors, or crashes.

What is a Buffer Overflow Attack


Attackers exploit buffer overflow issues by overwriting the memory of an application. This
changes the execution path of the program, triggering a response that damages files or exposes
private information.
For example, an attacker can overwrite a pointer (an object that points to another area in
memory) and point it to an exploit payload, to gain control over the program.
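A model of the page's 8-byte scenario, as an added Python example (not code from the original page). Real overflows happen in C, where strcpy() has no idea how large the destination is; here the stack frame is a bytearray holding the buffer followed by a 4-byte saved return address (an assumed 32-bit little-endian layout with a made-up address), so the effect of copying 10 bytes into 8, and of a deliberately crafted input, can be seen without corrupting real memory.

```python
import struct

BUF_SIZE = 8           # the 8-byte credential buffer from the page's example
RET_SIZE = 4           # assumed: a 32-bit saved return address sits right after it
LEGIT_RETURN = 0x08040100   # made-up address of the code that called the vulnerable function


def make_frame(return_address):
    """Model of a C stack frame: [buf (8 bytes)][saved return address (4 bytes, little-endian)]."""
    return bytearray(BUF_SIZE) + bytearray(struct.pack("<I", return_address))


def return_address(frame):
    """Where the function will jump when it returns: the 4 bytes after the buffer."""
    return struct.unpack("<I", frame[BUF_SIZE:BUF_SIZE + RET_SIZE])[0]


def unchecked_copy(frame, data):
    """What strcpy()/gets() do: copy every byte handed over, never asking how big buf is."""
    for i, byte in enumerate(data):
        frame[i] = byte        # past the frame this raises IndexError, the model's segfault
    return frame


def bounded_copy(frame, data):
    """The fix: know the buffer's size and refuse (or truncate) input that does not fit."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame[:len(data)] = data
    return frame


def demo():
    # 1. The page's scenario: 10 bytes into an 8-byte buffer clobbers 2 bytes of the return address.
    frame = make_frame(LEGIT_RETURN)
    unchecked_copy(frame, b"A" * 10)
    partial = return_address(frame)
    # 2. An attacker who knows the layout sends 8 filler bytes plus the address they want to run.
    frame = make_frame(LEGIT_RETURN)
    unchecked_copy(frame, b"A" * 8 + struct.pack("<I", 0xDEADBEEF))
    hijacked = return_address(frame)
    # 3. The bounded version never touches memory beyond buf.
    frame = make_frame(LEGIT_RETURN)
    try:
        bounded_copy(frame, b"A" * 10)
        rejected = False
    except ValueError:
        rejected = True
    return {"partial": partial, "hijacked": hijacked,
            "rejected": rejected, "intact": return_address(frame)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Case 1 is the accidental corruption the page describes (the function returns to 0x08044141, a garbage address, and crashes); case 2 is the attack, where the "excess" bytes are chosen so the return address becomes exactly the attacker's payload address. ASLR, DEP and stack canaries, discussed below, exist to make case 2 unreliable even when the copy is left unchecked.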

What Programming Languages are More Vulnerable?


C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they
perform no bounds checking on memory accesses. macOS, Windows, and Linux all contain large
amounts of code written in C and C++.
Languages such as Perl, Java, JavaScript, and C# check array bounds at runtime, which greatly
reduces the likelihood of buffer overflows, although native extensions and libraries written in
C that such programs call remain exposed.

How to Prevent Buffer Overflows


Developers can protect against buffer overflow vulnerabilities via security measures in their
code, or by using languages that offer built-in protection. In addition, modern operating systems
have runtime protection.
Three common protections are:

 Address space layout randomization (ASLR) - randomizes the locations of the stack, heap
and loaded libraries. Buffer overflow exploits typically need to know where code or data
lives, and randomizing addresses makes the attack much harder, though not impossible: an
information leak, or brute force against a low-entropy layout, can defeat it.
 Data execution prevention (DEP/NX) - marks areas of memory such as the stack and heap
as non-executable, which stops an attack from running injected code in those regions
(attackers answer with return-oriented programming, which reuses code that is already
executable).
 Structured exception handler overwrite protection (SEHOP) - helps stop malicious code
from abusing Structured Exception Handling (SEH), Windows' built-in mechanism for
handling hardware and software exceptions, and so prevents the SEH overwrite exploitation
technique.
Compilers add a fourth: stack canaries (for example GCC's -fstack-protector), which place a
secret value between a buffer and the saved return address and abort the program if that value
has been overwritten when the function returns.
2.3.2 Time-of-check to time-of-use flaws
What is a Time-of-Check-Time-of-Use?
Time-of-check to time-of-use (TOCTOU) flaws are a kind of race condition (which occurs when
two or more operations that should happen in a fixed order can instead overlap). The attacker
changes the file, or what a file name refers to, between the time of check (when the program
verifies the file, e.g. its permissions or that it is not a symbolic link) and the time of use (when
the program opens or acts on it). The window is very short, but an attacker can keep retrying
until they win the race.
How to Recognize This Threat: Code that checks a file by path name and then opens the same
path name again is susceptible, especially for files in directories other users can write to, such
as /tmp. A successful race lets an attacker make a privileged program read or overwrite a file it
would have refused, or cause a crash or data corruption.
How to Prevent This Threat: Do not check and then use; open the file once and perform every
check on the open file descriptor (fstat rather than stat, O_NOFOLLOW to refuse symbolic
links), operate on that descriptor, and use file locking or a single writer where several users
must edit a shared file.
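The check-then-open pattern and its fix, as an added Python example (not code from the original page): file names and contents are constructed in a temporary directory, and the attacker's swap is simulated by a callback that runs inside the window, since winning a real race takes many attempts. It assumes a POSIX system (O_NOFOLLOW and symbolic links).

```python
import errno
import os
import stat
import tempfile


def vulnerable_read(path, between_check_and_use=None):
    """Check the *name*, then open the *name* again: the two can refer to different files."""
    if os.path.islink(path) or not os.path.isfile(path):      # time of check
        raise PermissionError(f"{path}: not a regular file")
    if between_check_and_use:                                 # the race window
        between_check_and_use()
    with open(path, "rb") as f:                               # time of use
        return f.read()


def safe_read(path):
    """Open once, then check the object actually opened (by descriptor), so there is no window."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)   # a symlink fails with ELOOP
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):            # check what we hold, not the name
            raise PermissionError(f"{path}: not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:                            # fdopen owns and closes fd
        return f.read()


def demo():
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")    # file the program must never read for this user
        target = os.path.join(d, "target")        # the name the program is asked to read
        with open(secret, "wb") as f:
            f.write(b"top secret")
        with open(target, "wb") as f:
            f.write(b"harmless")                  # at check time, target is an ordinary file

        def attacker_swaps_target():
            # Attacker with write access to the directory replaces the checked file
            # with a symlink to the secret, inside the check/use window.
            os.remove(target)
            os.symlink(secret, target)

        leaked = vulnerable_read(target, attacker_swaps_target)   # check passed, secret read

        try:                                                       # target is now a symlink
            safe_read(target)
            blocked = False
        except OSError as e:
            blocked = e.errno == errno.ELOOP

        with open(target + ".plain", "wb") as f:
            f.write(b"harmless")
        return {"vulnerable_got": leaked, "safe_blocked": blocked,
                "safe_ok": safe_read(target + ".plain")}


if __name__ == "__main__":
    print(demo())
```

The vulnerable version's checks were all correct; what made it exploitable is that the checks and the open both went through the path name. The safe version refuses the symlink at open time and performs the regular-file test on the descriptor it holds, so nothing the attacker does to the directory afterwards can change what is read.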

2.3.3 Incomplete mediation


Incomplete mediation occurs when the application accepts data from the user without fully
checking it. Complete mediation is sometimes hard to achieve: a phone-number field, for
instance, has to accept many legitimate forms of a value such as 519-886-4567.
Example
URL generated by the client's browser to access the server, e.g.:
http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
Instead, the user edits the URL directly, changing the price and total cost as follows:
http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
The user submits the forged URL to the server:
 The server takes 25 as the total cost, because it trusted values (price, total) that should
only ever be computed on the server.
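Server-side mediation of the order above, as an added Python example (not code from the original page): the catalog prices, the shipping table and the quantity limit are assumptions. The server treats the client's price and total as claims to verify and recomputes every money value from its own data, so the edited URL is caught rather than billed.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed server-side data: the only source of truth for prices and shipping.
CATALOG = {"555A": 10}                   # part number -> unit price
SHIPPING = {"boat": 5, "air": 25}        # shipping method -> cost
MAX_QTY = 1000

# The page's two URLs: the honest one the browser built, and the one the user edited.
HONEST = "http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205"
FORGED = "http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25"


def query_of(url):
    """The page's URLs put the parameters after '&' with no '?'; accept both forms."""
    parts = urlsplit(url)
    if parts.query:
        return parts.query
    return parts.path.split("&", 1)[1] if "&" in parts.path else ""


def mediated_order(url):
    """Validate every field, recompute the total, and compare it with what the client claimed."""
    q = {k: v[0] for k, v in parse_qs(query_of(url), keep_blank_values=True).items()}
    try:
        part, ship, qty = q["part"], q["ship"], int(q["qy"])
    except (KeyError, ValueError) as e:
        return {"accepted": False, "reason": f"malformed order: {e}"}
    if part not in CATALOG:
        return {"accepted": False, "reason": f"unknown part {part!r}"}
    if ship not in SHIPPING:
        return {"accepted": False, "reason": f"unknown shipping method {ship!r}"}
    if not 1 <= qty <= MAX_QTY:
        return {"accepted": False, "reason": f"quantity {qty} out of range"}

    total = CATALOG[part] * qty + SHIPPING[ship]          # server's own arithmetic
    # price/shipcost/total from the client are never used, only checked for tampering.
    for field, expected in (("price", CATALOG[part]), ("shipcost", SHIPPING[ship]), ("total", total)):
        if field in q and q[field] != str(expected):
            return {"accepted": False, "server_total": total,
                    "reason": f"client {field}={q[field]} disagrees with server {field}={expected}"}
    return {"accepted": True, "server_total": total, "custID": q.get("custID")}


if __name__ == "__main__":
    for url in (HONEST, FORGED, FORGED.replace("qy=20", "qy=-3")):
        print(mediated_order(url))
```

A mismatch is worth logging as well as rejecting: a client that sends a different price than the server computed is, by construction, a client that has tampered with the request, and that is a useful intrusion signal.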

2.4 Controls to protect against program flaws in execution


What is a security flaw in a program?
Generally, a security flaw is a part of a program that can cause the system to violate its security
requirements. Computer security flaws are any conditions or circumstances that can result in
denial of service, unauthorized disclosure, unauthorized destruction of data, or unauthorized
modification of data.
Types of Flaws
One widely used taxonomy of program flaws divides them first into intentional and inadvertent
flaws, and further divides the intentional flaws into malicious and nonmalicious ones.
In the taxonomy, the inadvertent flaws fall into six categories:
 validation error (incomplete or inconsistent)
 domain error
 serialization and aliasing
 inadequate identification and authentication
 boundary condition violation
 other exploitable logic errors
This list gives us a useful overview of the ways programs can fail to meet their security
requirements. Controls that address such flaws once programs are in execution include:
 Allowing only authorized software to run (application allow-listing) limits the attack
surface.
 Blocking known dangerous file types reduces the attack surface.
 Vulnerability scanners help identify both code-based and configuration-based
vulnerabilities.
 Reducing the time required to deploy protections against new types of malware reduces
information security risk.
 Scanning email and web content before it reaches the user's inbox or browser (email
content filtering and web content filtering) reduces threats from malware.
 Move data between networks using secure, authenticated, and encrypted mechanisms.
 Audit all access to password files in the system. Verify that password files are encrypted
or hashed and cannot be read without root or administrator privileges.

2.4.1 Operating system support and administrative controls


We considered two general classes of security flaws:
 those that compromise or change data and
 those that affect computer service.
There are essentially three controls on such activities:
 Development controls,
 Operating system controls, and
 Administrative controls.
Development controls limit software development activities, making it harder for a developer to
create malicious programs. These same controls are effective against inadvertent mistakes made
by developers.
The operating system control provides some degree of control by limiting access to computing
system objects.
Administrative controls limit the kinds of actions people can take.
These controls are important for more than simply the actions they prohibit. They have
significant positive effects that contribute to the overall quality of a system, from the points of
view of developer, maintainer, and user.
Program controls help produce better software. Operating systems limit access as a way of
promoting the safe sharing of information among programs. And administrative controls and
standards improve system usability, reusability, and maintainability. For all of them, the security
features are a secondary but important aspect of the controls' goals.
Program controls are part of the more general problem of limiting the effect of one user on
another. Administrative security controls refer to policies, procedures, or guidelines that define
personnel or business practices in accordance with the organization’s security goals.
The processes that monitor and enforce the administrative controls are:
 Management controls: The security controls that focus on the management of risk and
the management of information system security.
 Operational controls: The security controls that are primarily implemented and executed
by people (as opposed to systems).

For example, a security policy is a management control, but its security requirements are
implemented by people (operational controls) and systems (technical controls).

An organization may have an acceptable use policy that specifies the conduct of users, including
not visiting malicious websites. The security control to monitor and enforce could be in the form
of a web content filter, which can enforce the policy and log simultaneously.

The remediation of a phishing attack is another example that employs a combination of
management and operational controls.
Security controls to help thwart phishing, besides the management control of the acceptable use
policy itself, include operational controls, such as training users not to fall for phishing scams,
and technical controls that monitor emails and web site usage for signs of phishing activity.
