Threats

A threat is any circumstance or event with the potential to adversely impact data or systems via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. Threats may involve intentional actors (e.g., attacker who wants to access information on a server) or unintentional actors (e.g., administrator who forgets to disable user accounts of a former employee.)  Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.

A threat source is the cause of a threat, such as a hostile cyber or physical attack, a human error of omission or commission, a failure of organization-controlled hardware or software, or other failure beyond the control of the organization. A threat event is an event or situation initiated or caused by a threat source that has the potential for causing adverse impact.

Many threats against data and resources are possible because of mistakes—either bugs in operating system and applications that create exploitable vulnerabilities, or errors made by end users and administrators.  

Network traffic typically passes through intermediate computers, such as routers, or is carried over unsecured networks, such as wireless hotspots. Because of this, it can be intercepted by a third party. Threats against network traffic include the following:

• Eavesdropping. Information remains intact, but its privacy is compromised. For example, someone could learn your credit card number, record a sensitive conversation, or intercept classified information.
• Tampering. Information in transit is changed or replaced and then sent on to the recipient. For example, someone could alter an order for goods or change a person's resume.
• Impersonation. Information passes to a person who poses as the intended recipient. Impersonation can take two forms:
  • Spoofing. A person can pretend to be someone else. For example, a person can pretend to have the email address [email protected], or a computer can identify itself as a site called www.example.net when it is not. This type of impersonation is known as spoofing.
  • Misrepresentation. A person or organization can misrepresent itself. For example, suppose the site www.example.net pretends to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods.