Often an extension of unauthorized access, data destruction means more than
just intentionally or accidentally erasing or corrupting data. It’s easy to imagine
some evil hacker accessing your network and deleting all your important files,
but consider the case in which authorized users access certain data, but what
they do to that data goes beyond what they are authorized to do. A good example
is the person who legitimately accesses aMicrosoft Access product database
to modify product descriptions, only to discover he or she can change the prices
of the products, too.
This type of threat is particularly dangerous when users are not clearly informed
about the extent to which they are authorized to make changes.A fellow
tech once told me about a user who managed to mangle an important database
due to someone giving him incorrect access.When confronted, the user said, “If
I wasn’t allowed to change it, the system wouldn’t let me do it!”Many users believe
that systems are configured in a paternalistic way that wouldn’t allow them
to do anything inappropriate. As a result, users will often assume they’re authorized
to make any changes they believe are necessarywhenworking on a piece of
data they know they’re authorized to access.