Threat Analysis: An Example

APPENDIX B THREAT ANALYSIS: AN EXAMPLE

Asset type: Physical infrastructure

Threats / Vulnerabilities

Fire: Availability of flammable materials such as paper or boxes; Backup files and systems not available; Lack of fire detection devices; Lack of physical security; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Earthquake: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Flood: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Storm: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Tidal surge/wave: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Contamination: Backup files and systems not available; Lack of maintenance of equipment and facilities; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; No business continuity plans or procedures for recovery of information and information assets

Electronic interference: Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets

Threats (continued)

Vulnerabilities

Extremes of temperature and humidity

Backup files and systems not available; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; No business continuity plans or procedures for recovery of information and information assets; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Inadequate recovery procedure; No formal or informal disaster or recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Location is in an area susceptible to environmental conditions such as extreme temperature and humidity; Lack of backup facilities or processes; Inadequate data backup procedure for both software and data; Inadequate backup policy; Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Location is in an area susceptible to power fluctuations; No uninterruptible power supply equipment; No power conditioning equipment; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities

Power fluctuations

Threats (continued)

Vulnerabilities

Vermin (adware, malware, phishing, pop-ups, spyware, viruses, trojans, and worms); Failure of outsourced operations

Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets

Transmission errors

Unauthorized software changes; Technical failures; Denial of service; Unauthorized dial-in access; Unauthorized data access; Web site intrusion; Theft and fraud

Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Lack of careful planning and laying of cables; Lack of proper operation of network equipment; Lack of cryptographic means to protect integrity of data; Backup files and systems not available; Lack of backup facilities or processes; Inadequate network management (resilience of routing); Lack of a firewall; Lack of a firewall; Lack of physical security; Incorrectly configured or maintained security safeguards; Inadequate physical and environmental security policy and procedures; No documented policies and procedures for physical control of hardware and software; Inadequate physical security; Lack of logical access security; Lack of a uniform policy and procedure for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media enforcement; Inadequate monitoring of the organization premises; Inadequate audit logs to detect unauthorized access of the premises; Lack of a formal entitlement review process regarding the access rights of the employees in the organization’s premises; Inadequate maintenance of the records regarding the repairs and modifications of the organization facilities physical components; Inadequate change management procedure for infrastructure components

Threats (continued)

Industrial action; Malicious destruction of data and facilities; Sabotage; Terrorist attacks

Vulnerabilities

No documented and tested security plans for safeguarding the systems and networks; Lack of a comprehensive security awareness and training program; Insufficient security training; No concrete assignment of security roles and responsibilities; Lack of physical security; Lack of an industrial agreement; Lack of physical security; Lack of physical security; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; No business continuity plans for recovery of information and information assets; Inadequate recovery procedure; No formal or informal disaster or recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Improper or inappropriate maintenance of technical facilities; Lack of backup facilities or processes; Inadequate data backup procedure for both software and data; Inadequate backup policy; Backup files and systems not available; Inadequate physical security; Lack of logical access security; Lack of a uniform policy and procedure for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media enforcement; Inadequate monitoring of the organization premises; Inadequate audit logs to detect unauthorized access of the premises; Lack of a formal entitlement review process regarding the access rights of the employees in the organization’s premises; Inadequate maintenance of the records regarding the repairs and modifications of the organization facilities physical components

Asset type: ICT infrastructure

Threat / Vulnerability

Fire: Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; No business continuity plans for recovery of information and information assets; Inadequate recovery procedure; No formal or informal disaster or recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Lack of automatic fire suppression system; Lack of backup facilities or processes; Inadequate backup policy; Backup files and systems not available; Lack of fire detection devices

Earthquake: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Flood: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Storm: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Tidal surge/wave: Backup files and systems not available; Location is in an area susceptible to natural disasters; No business continuity plans or procedures for recovery of information and information assets

Contamination: Backup files and systems not available; Lack of maintenance of equipment and facilities; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; No business continuity plans or procedures for recovery of information and information assets

Threats (continued)

Vulnerabilities

Electronic interference

Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Backup files and systems not available; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; No business continuity plans or procedures for recovery of information and information assets; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Inadequate recovery procedure; No formal or informal disaster or recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Location is in an area susceptible to environmental conditions such as extreme temperature and humidity; Lack of backup facilities or processes; Inadequate data backup procedure for both software and data; Inadequate backup policy; Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Location is in an area susceptible to power fluctuations; No uninterruptible power supply equipment; No power conditioning equipment; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities

Extremes of temperature and humidity

Power fluctuations

Threats (continued)

Vulnerabilities

Vermin

Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Backup files and systems not available; No business continuity plans or procedures for recovery of information and information assets; Lack of careful planning and laying of cables; Lack of proper operation of network equipment; Lack of cryptographic means to protect integrity of data; Backup files and systems not available

Failure of outsourced operations; Transmission errors

Unauthorized software changes; Technical failures

Industrial action

Operational staff or user errors

Failures in the change management process; Improper or inappropriate maintenance of technical facilities; Lack of network capacity through improper planning or maintenance; Lack of environmental protection; Lack of user awareness; Incorrect access rights; Lack of audit logs to detect unauthorized use of application; Lack of an industrial agreement; No incident response and reporting procedures and policies; No formally documented procedures for identifying, reporting, and responding to suspected security incidents and violations; No concrete assignment of security incident roles and responsibilities; No formal incident review and handling process; Inadequate incident handling; Lack of user awareness; Lack of a comprehensive security awareness and training program; Lack of means to assess the employee awareness level; Inadequate documentation; Unskilled staff

Threats (continued)

Vulnerabilities

Malicious destruction of data and facilities; Sabotage; Theft and fraud

Lack of physical security

Unauthorized data access; Reduced budgets

Lack of physical security; Inadequate physical and environmental security policy and procedures; No documented policies and procedures for physical control of hardware and software; Inadequate physical security; Lack of logical access security; Lack of a uniform policy and procedure for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media enforcement; Inadequate monitoring of the organization premises; Inadequate audit logs to detect unauthorized access of the premises; Lack of a formal entitlement review process regarding the access rights of the employees in the organization’s premises; Inadequate maintenance of the records regarding the repairs and modifications of the organization facilities physical components; Inadequate change management procedure for infrastructure components; No documented and tested security plans for safeguarding the systems and networks; Lack of a comprehensive security awareness and training program; Insufficient security training; No concrete assignment of security roles and responsibilities; Lack of physical security; Lack of physical security; Lack of logical access control and audit; Inadequate investment in appropriate security controls

Asset type: Software

Threat

Vulnerability

Earthquake; Fire; Flood

Backup files and systems not available; Backup files and systems not available; Backup files and systems not available; Inadequate data backup procedure for both software and data; Backup files and systems not available; Backup files and systems not available; Backup files and systems not available; Backup files and systems not available; Backup files and systems not available

Storm; Tidal surge/wave; Contamination; Electronic interference; Extremes of temperature and humidity; Power fluctuations; Vermin; Failure of outsourced operations; Transmission errors; Unauthorized software changes

Use of pirated software

Backup files and systems not available; Backup files and systems not available; Backup files and systems not available; Unclear obligations in outsourcing agreements; Backup files and systems not available; Backup files and systems not available; Inadequate reporting and handling of software malfunctions; Inadequate segregation of duties between software developers and operations staff; Inadequate supervision of programming staff; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of configuration management software to enforce configuration management; Lack of intrusion detection software; Lack of software configuration management policies and procedures; Inadequate reporting and handling of software malfunctions; Lack of policy restricting staff to use of licensed software; Inadequate control of software distribution; Lack of software auditing; Unrestricted copying of software; Inadequate control of software distribution; Lack of policies in respect of software use; Uncontrolled copying of data and/or software

Threats (continued)

Vulnerabilities

Malicious code

Inadequate information security policy; No antivirus software; Legacy systems; Lack of regular update of antivirus software; Inadequate education of staff on software viruses; Lack of policy for opening email attachments; Lack of checks for unauthorized software; Lack of policy on using portable storage devices and media before scanning by antivirus software; Inadequate software development standards; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of intrusion detection software; Lack of update of operating system security patches; Inadequate system development life cycle procedures; Lack of efficient and effective configuration change control; Unclear or incomplete specifications; Unskilled staff; Inadequate engineering code security guidelines for developing web-based applications; Inadequate security testing of the applications; No check for security flaws, covert channels, and back doors as part of the applied software change control procedures; Lack of software auditing; Inadequate reporting and handling of software malfunctions; Inadequate segregation of duties between software developers and operations staff; Inadequate supervision of programming staff; Inadequate software development standards; Inadequate system development life cycle procedures; Incorrect access rights; Lack of configuration management controls; Lack of logical access security; Lack of physical security

Web site intrusion

Software or programming errors

Sabotage

Threats (continued)

Vulnerabilities

Unauthorized data access

Incorrectly configured or maintained operating system; Inadequate firewall policies; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of intrusion detection software; Incorrectly configured or maintained security safeguards; Inadequate investment in appropriate security controls; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Inadequate investment in appropriate security controls; Lack of a firewall; Lack of checks for unauthorized software; Lack of communication between HR and IT groups in respect of terminated employees leading to such employees still having access to system; Lack of intrusion detection software; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of checks for unauthorized software; Uncontrolled copying of data and/or software; Lack of a comprehensive security awareness and training program; Insufficient security training; No concrete assignment of security roles and responsibilities; Lack of awareness of the social engineering threat; Lack of policy requiring enquiries for information to be withheld until the identity of the requestor can be verified; Lack of policy restricting the provision of information by staff over the phone

Malicious destruction of data

Theft and fraud

Social engineering

Threats (continued)

Vulnerabilities

Operational staff or user errors; Technical failures; Denial of service

Lack of user awareness; Unskilled staff; Lack of user awareness; No antivirus software; Incorrectly configured or maintained; Lack of a firewall; Lack of regular update of antivirus software; Inefficient configuration of antivirus software; Inadequate investment in appropriate security controls

Reduced budgets

Asset type: Information and electronic data

Threats / Vulnerabilities

Fire: Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; No business continuity plans for recovery of information and information assets; Inadequate recovery procedure; No formal or informal disaster recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Lack of automatic fire suppression system; Lack of backup facilities or processes; Inadequate backup policy; Backup files and systems not available; Lack of fire detection devices

Earthquake: Backup files and systems not available; Location is in an area susceptible to natural disasters

Flood: Backup files and systems not available; Location is in an area susceptible to natural disasters

Storm: Backup files and systems not available; Location is in an area susceptible to natural disasters

Tidal surge/wave: Backup files and systems not available; Location is in an area susceptible to natural disasters

Threats (continued)

Vulnerabilities

Contamination

Backup files and systems not available; Lack of maintenance of equipment and facilities; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; Backup files and systems not available

Electronic interference; Extremes of temperature and humidity

Power fluctuations

Vermin

Backup files and systems not available; Location is in an area susceptible to environmental conditions such as contamination, electronic interference, extreme temperature and humidity, and vermin; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Inadequate recovery procedure; No formal or informal disaster recovery plans; No concrete assignment of continuity or disaster-related roles and responsibilities; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Location is in an area susceptible to environmental conditions such as extreme temperature and humidity; Lack of backup facilities or processes; Inadequate data backup procedure for both software and data; Inadequate backup policy; Backup files and systems not available; Inadequate physical and environmental security policy and procedures; Lack of a uniform physical security policy enforcement; Lack of environmental protection; Inadequate monitoring of environmental conditions; Location is in an area susceptible to power fluctuations; No uninterruptible power supply equipment; No power conditioning equipment; Inadequate change management procedure for infrastructure components; Improper or inappropriate maintenance of technical facilities; Backup files and systems not available

Threats (continued)

Vulnerabilities

Failure of outsourced operations; Transmission errors

Backup files and systems not available; Unclear obligations in outsourcing agreements; Backup files and systems not available; Improper or inappropriate cabling; Inadequate incident handling; Backup files and systems not available; Easily accessible SCADA devices; Inadequate engineering and quality processes for design and code review; Inadequate reporting and handling of software malfunctions; Inadequate segregation of duties between software developers and operations staff; Inadequate supervision of programming staff; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of backups; Lack of configuration management software to enforce configuration management; Lack of intrusion detection software; Lack of software configuration management policies and procedures; Complicated user interface; Lack of a comprehensive security awareness and training program; Lack of means to assess the employee awareness level; Inadequate documentation; Unskilled staff; Lack of user awareness; Dial-in banner leading to information that can expose the organization to unauthorized dial-in access; Lack of an inventory of dial-up lines leading to inability to monitor dial-up access; Lack of audit logs to detect unauthorized access; Lack of user authentication; Lack of intrusion detection software; Lack of firewall; Lack of policies in respect of dial-up access, modem use, and software use; Lack of time restrictions on user access; Lack of physical security over telecommunications equipment cabinets; Lack of dial back authentication

Unauthorized software changes

Operational staff or user errors

Unauthorized dial-in access

Threats (continued)

Vulnerabilities

Malicious code

No antivirus software; Lack of regular update of antivirus software; Inadequate education of staff on software viruses; Lack of policy for opening email attachments; Lack of control of instant messaging; Legacy systems; Lack of checks for unauthorized software; Lack of policy on using portable storage devices and media before scanning by antivirus software; Inadequate firewall policies; Inadequate software development standards; Incorrectly configured or maintained operating system; Lack of intrusion detection software; Lack of update of operating system security patches; Inadequate firewall policies; Inadequate operating policies for handling, processing, or storing sensitive information; Incorrectly configured or maintained application security features; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of intrusion detection software; Unsecured wireless ports; Transmission of unencrypted sensitive data or information; Lack of physical security over data communications cabinets; Portable devices storing unencrypted data and information; Inability to authenticate requests for information; No formal policy for the establishment and termination of the access right to information assets; Inadequate investment in appropriate security controls; Inadequate identity and password policy; Unprotected password tables; Lack of identification and authentication mechanisms; Incorrect access rights; Inadequate review of the user’s access rights

Web site intrusion

Unauthorized data access

Threats (continued)

Vulnerabilities

Malicious destruction of data

Inadequate firewall policies; Inadequate operating policies for handling, processing, or storing sensitive information; Incorrectly configured or maintained application security features; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Inadequate investment in appropriate security controls; Lack of a firewall; Lack of intrusion detection software; Unsecured wireless ports; Lack of physical security; Inadequate firewall policies; Inadequate operating policies for handling, processing, or storing sensitive information; Incorrectly configured or maintained application security features; Incorrectly configured or maintained operating system; Incorrectly configured or maintained security safeguards; Lack of a firewall; Lack of application safeguards leading to fraudulent payments being made; Lack of appropriate control of outbound traffic; Lack of checks for unauthorized software; Lack of safeguards leading to false credentials being created or accepted; Lack of effective software change management leading to unauthorized software modifications that could be used to perpetrate a fraud; Lack of logical access security; Lack of physical security; Lack of procedural safeguards leading to fraudulent payments being made; Revealing too much information about systems to people without a “need to know”; Uncontrolled copying of data and/or software; Unsecured wireless ports; Lack of appropriate control of outbound traffic; Lack of a uniform policy and procedure for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media enforcement; Inadequate monitoring of the organization premises

Theft and fraud

Threats (continued)

Denial of service

Software or programming errors; Misrouting or rerouting messages; Sabotage

Industrial action

Vulnerabilities

Lack of a formal entitlement review process regarding the access rights of the employees in the organization’s premises; Inadequate change management procedure for infrastructure components; Lack of a comprehensive security awareness and training program; Insufficient security training; No concrete assignment of security roles and responsibilities; Inadequate network management (resilience of routing); Incorrectly configured or maintained security safeguards; Lack of a firewall; No antivirus software; Not keeping up to date with security advisories will lead to a known weakness not being corrected in a timely manner; Lack of regular update of antivirus software; Inefficient configuration of antivirus software; Inadequate system development life cycle procedures; Unclear or incomplete specifications; Unskilled staff; Inadequate user training; Transmission of unencrypted confidential data; Lack of proof of receiving a message; Incorrect access rights; Lack of configuration management controls; Lack of logical access security; Lack of physical security; Lack of an industrial agreement; Incorrect access rights; Lack of audit logs to detect unauthorized use of application; Inadequate network administration tools; Lack of intrusion and prevention systems detection software; Lack of event management and correlation system; Lack of data leak systems; Lack of audit logs to detect unauthorized use of application; Inadequate audit logs to detect unauthorized access; Inadequate audit logs to detect malicious use of information systems or applications

Threats (continued)

Vulnerabilities

Social engineering

Lack of awareness of the social engineering threat; Lack of policy requiring enquiries for information to be withheld until the identity of the requestor can be verified; Lack of policy restricting the provision of information by staff over the phone; Lack of identification and authentication mechanisms; Lack of identification of sender and receiver; Unprotected password tables; Lack of a comprehensive security awareness and training program; Inadequate user training; Insufficient security training; Lack of means to assess the employee awareness level; Inadequate identity and password policy; Unencrypted communications; Lack of physical security over data communications closets or hubs; Use of shared Ethernet means that all traffic is broadcast to any machine on a local segment; Inadequate security controls for the protection of sensitive information being either in storage or during transmission (e.g., data encryption, public key infrastructure, virtual private network technology); Lack of encryption mechanisms; Lack of proof of sending or receiving a message; Lack of use of digital signatures; Inefficient encryption algorithms

Masquerade

Eavesdropping

Repudiation; Technical advances such as quantum computing; Reduced budgets

Inadequate investment in appropriate security controls