Threats in IT are manifold and do not necessarily have to be intentional or criminal in nature. IT can also be threatened by “force majeure” and/or technical failure – for example, an earthquake could cause a power outage that results in data loss.
But of course, human error is also conceivable. A classic example of this is: the password for online banking has been forgotten – so the information would then no longer be available.
You will now learn about the possible IT threats – always keep the protection goals of the previous chapter in mind.
By the way, a potential threat or vulnerability does not automatically mean that the IT is at risk. An actual threat is only considered to be a threat if vulnerability (e.g. programming error or easily accessible WLAN) also meets a threat (e.g. hacker attack).
Targeted attacks by people or organisations
First and foremost, of course, it is attacks that are deliberately carried out that must be averted by IT security. Usually referred to as “hacking”, an individual or even an entire organization gains unauthorized access to foreign data and tries to circumvent the protection goals. This can have various reasons: Theft of funds, sabotage of competing companies, political motivation, sometimes just “fun” – but it is always a matter of obtaining, manipulating or destroying foreign information via the network to which the target devices are connected.
The most important tools of such hacking attacks are known from Hollywood movies of the turn of the millennium and usually have funny names – “viruses”, “trojans”, “worms”, “spoofing”, “phishing” and others. Let’s take a closer look at some of these examples:
Computer viruses are quite simply programs that automatically perform their programmed task in the target systems: for example, to track down a password. Viruses need a so-called host to spread them. This can be a mass email or a so-called “pop-up” – a self-opening website, for example, which points to an allegedly necessary update.
These are viruses that can actively spread themselves – this means that they actively detect weak points in systems and networks and forward themselves accordingly without a so-called “host” being present.
Also known as “Trojan horses”, these are apparently useful programs that the victim installs himself – but in the background, Trojans independently open backdoors in the system, forward data and information and can, for example, record passwords that are entered.
Here, the availability of the data is more likely to be manipulated – by deliberately overloading the system from outside (this can be done, for example, by automatically repeatedly calling up a website), the system is brought to a standstill. Sometimes this happens until the affected organization pays a ransom, for example. By the way, software for blackmailing methods is also referred to as “ransomware”.
This is mainly about identity theft. Fake websites on the Internet and emails that link to them entice the victim to actively share passwords or account information. These are mainly found in the private sector of IT security.
By the way, the probably best-known term in IT security describes nothing more than unsolicited emails – these can be annoying newsletters, but of course also hosts of viruses or phishing attempts.
The above-mentioned malware can of course also be personally “injected” into the computer system – information can be stolen or manipulated by physically breaking into the company building or home. Due to the networking of computer systems, however, this is usually no longer necessary.
But sometimes such physical manipulation happens simply internally. For example, when your own company personnel steal customer data or product secrets without authorisation in order to sell them externally.
Unintentional threat of human error
But threats to IT security do not always have to be highly criminal and deliberate. Sometimes it is simply ignorance in dealing with IT that poses a threat:
A good password is at best hard to remember – this is of course impractical. Many people still use passwords that are far too weak. 12345 for example is a weak password. UfNS3-?ßsDa-hUdk& – it looks quite different – the more different symbols, special characters, numbers and letters, the better. But not if the password is then only noted down again on a piece of paper directly on the screen.
So you see – finding a suitable and secure password that the person concerned can remember is not that easy. Especially since many systems regularly prompt you to change passwords and it is not recommended to use the same password more than once.
There are so-called password manager which can be used both privately and in companies. These are programs that can generate and store secure passwords for websites or programs. The program itself is secured with a so-called master key, i.e. ONE main password.
The advantages and disadvantages are obvious: You can use a variety of different, secure passwords and do not have to remember them individually. But if the main password is cracked, all stored passwords can be accessed. A password manager is only secure if the main password is strong and preferably changed regularly.
However, the passing on of passwords is also a problem. This does not have to be intentionally negligent. You want to help a colleague and quickly give him your own access to the system. Or the system administrator requests the password for a check. This can lead to critical situations – especially when people are involved who deliberately steal passwords in this way.
- Bring your own device
“Bring you own device” – this does not mean a wild Christmas party in the company, but rather taking your own devices, such as external hard drives, USB sticks, smartphones and the like. If company-internal information is stored or edited on these devices, then internal IT security cannot really help. This is especially critical when so-called “home office” is the practice, i.e. working for an organisation from home.
Sometimes, by the way, storage media are deliberately “prepared” with malware by third parties and then deliberately distributed to people who work for certain companies, for example. This happens, for example, at professional trade fairs, where USB sticks are often given away.
- Installing unauthorized applications
The company laptop is too slow, so you “take care of it yourself” by installing antivirus programs and other stuff. Or you like to play a game in your spare time at work and download malware onto your company PC. This can also lead to threats to IT security due to a lack of awareness.
These are essentially the greatest threats to IT security. As already explained, completely unforeseeable events can of course also threaten IT – natural disasters such as fire, lightning strikes or floods can completely paralyse or destroy computer systems.
One speaks of an actual threat in terms of IT security when an internal vulnerability meets an external threat.
Such a threat can be a deliberate attack, unintentional by humans or by “force majeure” like natural disasters.
which subsequently lead to the destruction or paralysis of the computer systems.