7/25/2019 Risk Analysis Notes
1/26
RISK ANALYSIS

A risk analysis is an ongoing process of discovering, correcting and preventing security problems. It is an integral part of a risk management process designed to provide appropriate levels of security for information systems. We need to identify the level of risk associated with any of the items in our network infrastructure. Once we have identified the level of risk we can then develop an action plan to mitigate (ease or reduce) the identified risk.

We use two measures to identify the level of risk:

A. The likelihood of the event occurring, and
B. The likely impact on the assets or network if the event occurred.

LIKELIHOOD
  1  Very unlikely
  2  Unlikely
  3  Moderate
  4  Likely
  5  Very likely

IMPACT
  1  Negligible
  2  Minor
  3  Moderate
  4  Significant
  5  Severe

This can then be portrayed in a grid to determine the level of risk:
"he following matri2 demonstrates how risk is calculated based on the impact
and likelihood scores
We can convert this into a numerical value, where the higher the score the
higher the risk!
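The scoring the notes describe, worked through in Python as an added example (this code is not part of the original notes): it builds the 5x5 grid from the two scales above, scores a small constructed register of asset/event pairs drawn from the airport lists, and ranks them for the action plan. The Low/Medium/High/Extreme bands and the sample scores are assumptions, since the notes only state that a higher score means higher risk.

```python
"""Likelihood x Impact risk scoring on the notes' two 5-point scales.

Added example, not part of the original notes. The scale labels are the ones
the notes give; the Low/Medium/High/Extreme bands and the sample register
entries are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

LIKELIHOOD = {1: "Very unlikely", 2: "Unlikely", 3: "Moderate",
              4: "Likely", 5: "Very likely"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate",
          4: "Significant", 5: "Severe"}


@dataclass(frozen=True)
class RiskItem:
    asset: str          # item from the "assets likely to be affected" list
    event: str          # item from the "events likely to affect" list
    likelihood: int     # 1..5
    impact: int         # 1..5

    def score(self) -> int:
        """Risk = Likelihood x Impact, the notes' basic statement."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers 1..5")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Assumed action bands over the 1..25 product (not defined in the notes)."""
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def risk_matrix() -> List[List[int]]:
    """The 5x5 grid: row index = likelihood - 1, column index = impact - 1."""
    return [[lk * im for im in IMPACT] for lk in LIKELIHOOD]


def render_matrix() -> str:
    """Text rendering of the grid with the scale labels on the likelihood axis."""
    header = "Likelihood \\ Impact".ljust(22) + "".join(f"{im:>4d}" for im in IMPACT)
    rows = [header]
    for lk, row in zip(LIKELIHOOD, risk_matrix()):
        label = f"{lk} {LIKELIHOOD[lk]}".ljust(22)
        rows.append(label + "".join(f"{v:>4d}" for v in row))
    return "\n".join(rows)


def rank(items: List[RiskItem]) -> List[RiskItem]:
    """Highest score first; ties broken by impact so the costlier outcome
    is handled before the merely more frequent one."""
    return sorted(items, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed sample register for the airport network scenario in the notes.
SAMPLE = [
    RiskItem("Web server", "Unauthorised attacks, hacks, etc.", 4, 4),
    RiskItem("Server room", "Fire / Flood", 1, 5),
    RiskItem("Wifi network", "Unauthorised attacks, hacks, etc.", 3, 3),
    RiskItem("Cabling", "Operations / error (human)", 3, 2),
    RiskItem("Firewall", "Vendor failure", 2, 4),
]

if __name__ == "__main__":
    print(render_matrix())
    for r in rank(SAMPLE):
        print(f"{r.score():2d}  {band(r.score()):<8}{r.asset}: {r.event}")
```

Ranking by the product alone treats a rare catastrophe (1 x 5) the same as a common nuisance (5 x 1); the tie-break on impact is one common way to keep the catastrophic outcome higher in the action plan, and the bands are where an organisation would state which scores it accepts, transfers or mitigates.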
E#EN"S likel$ to a%ect the
Ai&po&t3ossible event to consider include the
following!
/ystem /oftware
Application /oftware
I" 4ardware
$endor failure
$iruses
nauthorised attacks, hacks, etc.
1ommunications, 1onnectivity 5 local,
internet
Operations 6 error (human
tilities failure 5 power 5 power supply
backup 5 3/
"errorism
1riminal Activity 5 vandalism, etc
Work /toppage 6 /trikes
Weather
0ire 6 0lood
ASSE"S likel$ to 'e
a%ected3ossible assets to consider include!
1abling
Wi network
/ervers and /erver room
Web server
&outer
/witches
0irewall
/ystem /oftware
Application /oftware
I" 4ardware
3ortable devices
)etwork Access
3ublicly Accessed network
"he above diagram was created to help e2plain the relationship between the various
components of an information risk assessment using the basic formula for risk.
Audiences that are new to Information /ecurity and6or &isk anagement may need to
have some of the basic terms e2plained.
The Basic Statement
Likelihood ( Impact ) Ri*k
"he risk statement is derived by following the +l,earrows!
"he *ikelihood -"hat -"hreats Will e2ploit -$ulnerabilities -"o attack -
"argets -and compromise -Information (condentiality and6or integrity and6or
availability -causing -Impact 7 &isk.
LIKELIH
OOD
that
"h&eat*
will
%2ploit
#,l.e&a'ili
tie*
to attack
"a&/et*
and
1ompromis
e
I.0o&mati
o.
causing
IMA!"
)
RISK
Greenarrows present the following control statements:
RISK
can be
Accepted by Executive
Reduce Impact
Reduce
RISK
Transferred to an
External body
Reduce Vulnerability Reduce Likelihood
Mitigated with Controls Reduce Vulnerability Reduce Likelihood
http://www.tru.ca/its/infosecurity/
http://www.tru.ca/its/infosecurity/http://www.tru.ca/its/infosecurity/7/25/2019 Risk Analysis Notes
6/26
This diagram is shared here for non-commercial use under Creative Commons Attribution-
Noncommercial-Share Alike 2.5 Canada (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/).
Impact levels:

1 Minor
    Noticeable disruption to the achievement of results. This outcome would result in response from IT professional and trades staff for the issue, usually under routine procedures.

2 Moderate
    Material deterioration in the achievement of results. This outcome would result in response from IT management staff and the potential for establishing a dedicated working level, multidiscipline team to resolve.

3 Major
    Significant deterioration in achievement of results. This outcome would result in response from divisional management staff and may require the formulation of interdepartmental working level teams, with management oversight to resolve.

4 Severe
    Fundamental threat to operating results. This outcome would result in immediate senior management attention and the formulation of a dedicated management team and working teams to identify and resolve the underlying issues.

5 Catastrophic / Worst Case
    Results threaten the survival of the organisation in its current form. This outcome would result in full-time senior management attention and the formulation of dedicated full-time management teams and working level teams to identify and resolve the underlying issues.
THREAT SOURCES

A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. There are two aspects to threat considered in this publication: (i) threat sources; and (ii) threat events.

A threat source is an actor (causal agent) with the intent and method targeted at the exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. In general, types of threat sources include: (i) hostile cyber/physical attacks; (ii) human errors of omission or commission; (iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and (iv) natural and man-made disasters, accidents, and failures beyond the control of the organization.
"$pe o0 "h&eat So,&ce De*c&iptio. !ha&acte&i*t
ic*
ADVERSARIAL
Individual
Outsider
Insider
"rusted Insider=
3rivileged Insider
roup
Ad hoc
%stablished
Organisation
)ation:/tate
Individuals, groups, organi;ations, or
states that seek to e2ploit the
organi;ation>s dependence on cyber
resources (i.e., information in electronicform, information and communications
technologies, and the communications
and information:handling capabilities
provided by those technologies.
1apability,
Intent,
"argeting
ACCIDENTAL
Ordinary ser
3rivileged ser6Administrator
%rroneous actions taken by individuals in
the course of e2ecuting their everydayresponsibilities.
&ange of
e8ects
STRUCTURAL
I" %9uipment
/torage
3rocessing
1ommunications
-isplay
/ensor
1ontroller
%nvironmental 1ontrols
"emperature64umidity 1ontrols
0ailures of e9uipment, environmental
controls, or software due to aging,
resource depletion, or other circumstances
which e2ceed e2pected operating
parameters.
&ange of
e8ects
)ote! "aken from )I/" /pecial3ublication ?@@:@ &evision B,Initial 3ublic -raft, uide for1onducting &isk Assessments,/eptember C@BB, pp. D:? andAppendi2 -:C
7/25/2019 Risk Analysis Notes
8/26
3ower /upply
/oftware
Operating /ystem
)etworking
eneral:3urpose Application
: ission:/pecic Application
ENVIRONMENTAL
)atural or man:made disaster
0ire
0lood6tsunami
Windstorm6"ornado
4urricane
%arth9uake
#ombing
Overrun
nusual natural event 5 e.g.
sunspots
Infrastructure 0ailure6Outage
"elecommunications
%lectrical 3ower
)atural disasters and failures of critical
infrastructures on which the organi;ation
depends, but which are outside the control
of the organi;ation.
)ote! )atural and man:made disasters
can also be characteri;ed in terms of their
severity and6or duration.
4owever, because the threat source and
the threat event are strongly identied,
severity and duration can be
included in the description of the threat
event (e.g., 1ategory E hurricane causes
e2tensive damage to the facilities housingmission:critical systems, making those
systems unavailable for three weeks.
&ange of
e8ects
ADVERSARIAL THREAT EVENTS - Representative Examples

A threat event is an event or situation initiated or caused by a threat source that has the potential for causing adverse impact. Threat events for cyber attacks are typically characterized by the tactics, techniques, and procedures (TTPs) employed by adversaries. (See also the list of non-adversarial threat events.)

Threat Events / Description
Access sensitive information through network sniffing.
    Adversary gains access to the exposed wired or wireless data channels that organizations (or organizational personnel) use to transmit information, and intercept communications. Adversary actions might include, for example, targeting public kiosks or hotel networking connections.

Adapt cyber attacks based on detailed surveillance.
    Adversary adapts attacks in response to surveillance of organizations and the protective measures that organizations employ.

Exploit recently discovered vulnerabilities.
    Adversary exploits recently discovered vulnerabilities in organizational information systems in an attempt to attack the systems before mitigation measures are available or in place.

Employ brute force login attempts/password guessing.
    Adversary attempts to gain access to organizational information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities.

Cause degradation or denial of attacker selected services or capabilities.
    Adversary launches attacks specifically intended to impede the ability of organizations to function.

Cause deterioration/destruction of critical information system components and functions.
    Adversary attempts to destroy or deteriorate critical information system components for purposes of impeding or eliminating the ability of organizations to carry out missions or business functions. Detection of this action is not a concern.

Combine internal and external attacks across multiple information systems and information technologies to achieve a breach or compromise.
    Adversary combines attacks that require both physical presence within organizations and cyber methods to achieve success. Physical components may be as simple as convincing maintenance personnel to leave doors or cabinets open.

Compromise critical information systems via physical access by outsiders.
    Adversary without authorized access to organizational information systems, attempts to physically gain access to the systems.

Compromise mission critical information.
    Adversary takes action to compromise the integrity of mission critical information, thus preventing/impeding ability of organizations to which information is supplied, from carrying out operations.

Compromise information systems or devices used externally and reintroduce into the enterprise.
    Adversary manages to install malware on information systems or devices while the systems/devices are external to organizations for purposes of subsequently infecting organizations when reconnected.
Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware) organizations are known to use.
    Adversary is able to compromise the design, manufacturing, and/or distribution of critical information system components at selected suppliers.

Conduct reconnaissance, surveillance, and target acquisition of targeted organizations.
    Adversary uses various means (e.g., scanning, physical observation) to examine and assess organizations and ascertain points of vulnerability.

Conduct phishing attacks.
    Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information.

Continuous, adaptive and changing cyber attacks based on detailed surveillance of organizations.
    Adversary attacks continually change in response to surveillance of organizations and protective measures that organizations take.

Coordinating cyber attacks on organizations using external (outsider), internal (insider), and supply chain (supplier) attack vectors.
    Adversary employs continuous, coordinated attacks, potentially using all three attack vectors for the purpose of impeding organizational operations.

Create and operate false front organizations that operate within the critical life cycle path to inject malicious information system components into the supply chain.
    Adversary creates the appearance of legitimate suppliers that then inject corrupted/malicious information system components into the supply chain of organizations.

Deliver known malware to internal organizational information systems (e.g., virus via email).
    Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g., malware whose existence is known) into organizational information systems.

Deliver modified malware to internal organizational information systems.
    Adversary uses more sophisticated means (e.g., Web traffic, instant messaging, FTP) to deliver malware and possibly modifications of known malware to gain access to internal organizational information systems.
Devise attacks specifically based on deployed information technology environment.
    Adversary develops attacks, using known and unknown attacks that are designed to take advantage of adversary knowledge of the information technology infrastructure.

Discovering and accessing sensitive data/information stored on publicly accessible information systems.
    Adversary attempts to scan or mine information on publically accessible servers and Web pages of organizations with the intent of finding information that is sensitive (i.e., not approved for public release).

Distributed Denial of Service (DDoS) attack.
    Adversary uses multiple compromised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems.

Exploit known vulnerabilities in mobile systems (e.g., laptops, PDAs, smart phones).
    Adversary takes advantage of fact that transportable information systems are outside physical protection of organizations and logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems.

Exploiting vulnerabilities in information systems timed with organizational mission/business operations tempo.
    Adversary launches attacks on organizations in a time and manner consistent with organizational needs to conduct mission/business operations.

Externally placed adversary sniffing and intercepting of wireless network traffic.
    Adversary strategically in position to intercept wireless communications of organizations.

Hijacking information system sessions of data traffic between the organization and external entities.
    Adversary takes control of (hijacks) already established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).

Injecting false but believable data/information into organizational information systems.
    Adversary injects false but believable data into organizational information systems. This action by the adversary may impede the ability of organizations to carry out missions/business functions correctly and/or undercut the credibility other entities may place in the information or services provided by organizations.

Insert subverted individuals into privileged positions in organizations.
    Adversary has individuals in privileged positions within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag). Adversary may target privileged functions to gain access to sensitive information (e.g., user accounts, system files, etc.) and may leverage access to one privileged capability to get to another capability.
Counterfeit/Spoofed Web site.
    Adversary creates duplicates of legitimate Web sites and directs users to counterfeit sites to gather information.

Deliver targeted Trojan for control of internal systems and exfiltration of data.
    Adversary manages to install software containing Trojan horses that are specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to adversary, and conceal these actions.

Employ open source discovery of organizational information useful for future cyber attacks.
    Adversary mines publically accessible information with the goal of discerning information about information systems, users, or organizational personnel that the adversary can subsequently employ in support of an attack.

Exploit vulnerabilities on internal organizational information systems.
    Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities.

Inserting malicious code into organizational information systems to facilitate exfiltration of data/information.
    Adversary successfully implants malware into internal organizational information systems, where the malware over time identifies and then successfully exfiltrates valuable information.

Installing general-purpose sniffers on organization-controlled information systems or networks.
    Adversary manages to install sniffing software onto internal organizational information systems or networks.

Leverage traffic/data movement allowed across perimeter (e.g., email communications, removable storage) to compromise internal information systems (e.g., using open ports to exfiltrate information).
    Adversary makes use of permitted information flows (e.g., email communications) to facilitate compromises to internal information systems (e.g., phishing attacks to direct users to go to Web sites containing malware) which allows adversary to obtain and exfiltrate sensitive information through perimeters.

Insert subverted individuals into the organizations.
    Adversary has individuals in place within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag).
Insert counterfeited hardware into the supply chain.
    Adversary intercepts hardware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware.

Inserting malicious code into organizational information systems and information system components (e.g., commercial information technology products known to be used by organizations).
    Adversary inserts malware into information systems specifically targeted to the hardware, software, and firmware used by organizations (resulting from the reconnaissance of organizations by adversary).

Inserting specialized, non-detectable, malicious code into organizational information systems based on system configurations.
    Adversary launches multiple, potentially changing attacks specifically targeting critical information system components based on reconnaissance and placement within organizational information systems.

Insider-based session hijacking.
    Adversary places an entity within organizations in order to gain access to organizational information systems or networks for the express purpose of taking control (hijacking) an already established, legitimate session either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks.

Installing persistent and targeted sniffers on organizational information systems and networks.
    Adversary places within the internal organizational information systems or networks software designed to (over a continuous period of time) collect (sniff) network traffic.

Intercept/decrypt weak or unencrypted communication traffic and protocols.
    Adversary takes advantage of communications that are either unencrypted or use weak encryption (e.g., encryption containing publically known flaws), targets those communications, and gains access to transmitted information and channels.

Jamming wireless communications.
    Adversary takes measures to interfere with the wireless communications so as to impede or prevent communications from reaching intended recipients.

Malicious activity using unauthorized ports, protocols, and services.
    Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations.
Malicious creation, deletion, and/or modification of files on publicly accessible information systems (e.g., Web defacement).
    Adversary vandalizes, or otherwise makes unauthorized changes to organizational Web sites or files on Web sites.

Mapping and scanning organization-controlled (internal) networks and information systems from within (inside) organizations.
    Adversary installs malware inside perimeter that allows the adversary to scan network to identify targets of opportunity. Because the scanning does not cross the perimeter, it is not detected by externally placed intrusion detection systems.

Mishandling of critical and/or sensitive information by authorized users.
    Authorized users inadvertently expose critical/sensitive information.

Multistage attacks (e.g., hopping).
    Adversary moves attack location from one compromised information system to other information systems making identification of source difficult.

Network traffic modification (man in the middle) attacks by externally placed adversary.
    Adversary intercepts/eavesdrops on sessions between organizations and external entities. Adversary then relays messages between the organizations and external entities, making them believe that they are talking directly to each other over a private connection, when in fact the entire communication is controlled by the adversary.

Network traffic modification (man in the middle) attacks by internally placed adversary.
    Adversary operating within the infrastructure of organizations intercepts and corrupts data sessions.

Non-target specific insertion of malware into downloadable software and/or into commercial information technology products.
    Adversary corrupts or inserts malware into common freeware, shareware, or commercial information technology products. Adversary is not targeting specific organizations in this attack, simply looking for entry points into internal organizational information systems.

Operate across organizations to acquire specific information or achieve desired outcome.
    Adversary does not limit planning to the targeting of one organization. Adversary observes multiple organizations to acquire necessary information on targets of interest.

Opportunistically stealing or scavenging information systems/components.
    Adversary takes advantage of opportunities (due to advantageous positioning) to steal information systems or components (e.g., laptop computers or data storage media) that are left unattended outside of the physical perimeters of organizations.

Perimeter network reconnaissance/scanning.
    Adversary uses commercial or free software to scan organizational perimeters with the goal of obtaining information that provides the adversary with a better understanding of the information technology infrastructure and facilitates the ability of the adversary to launch successful attacks.
Pollution of critical data.
    Adversary implants corrupted and incorrect data in the critical data that organizations use to cause organizations to take suboptimal actions or to subsequently disbelieve reliable inputs.

Poorly configured or unauthorized information systems exposed to the Internet.
    Adversary gains access through the Internet, to information systems that are not authorized for such access or that do not meet the specified configuration requirements of organizations.

Salting the physical perimeter of organizations with removable media containing malware.
    Adversary places removable media (e.g., flash drives) containing malware in locations external to the physical perimeters of organizations but where employees are likely to find and install on organizational information systems.

Simple Denial of Service (DoS) Attack.
    Adversary attempts to make an Internet-accessible resource unavailable to intended users, or prevent the resource from functioning efficiently or at all, temporarily or indefinitely.

Social engineering by insiders within organizations to convince other insiders to take harmful actions.
    Internally placed adversaries take actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., personally identifiable information).

Social engineering by outsiders to convince insiders to take harmful actions.
    Externally placed adversaries take actions (using email, phone) with the intent of persuading or otherwise tricking individuals within organizations into revealing critical/sensitive information (e.g., personally identifiable information).

Spear phishing attack.
    Adversary employs phishing attacks targeted at high-value targets (e.g., senior leaders/executives).

Spill sensitive information.
    Adversary contaminates organizational information systems (including devices and networks) by placing on the systems or sending to/over the systems, information of a classification/sensitivity which the systems have not been authorized to handle. The information is exposed to individuals that are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.
Spread attacks across organizations from existing footholds.
    Adversary builds upon existing footholds within organizations and works to extend the footholds to other parts of organizations including organizational infrastructure. Adversary places itself in positions to further undermine the ability for organizations to carry out missions/business functions.

Successfully compromise software of critical information systems within organizations.
    Adversary inserts malware or otherwise corrupts critical internal organizational information systems.

Tailgate authorized staff to gain access to organizational facilities.
    Adversary follows authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks.

Tailored zero-day attacks on organizational information systems.
    Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary reconnaissance of organizations.

Tamper with critical organizational information system components and inject the components into the systems.
    Adversary replaces, through supply chain, subverted insider, or some combination thereof, critical information system components with modified or corrupted components that operate in such a manner as to severely disrupt organizational missions/business functions or operations.

Targeting and compromising home computers (including personal digital assistants and smart phones) of critical employees within organizations.
    Adversary targets key employees of organizations outside the security perimeters established by organizations by placing malware in the personally owned information systems and devices of individuals (e.g., laptop/notebook computers, personal digital assistants, smart phones). The intent is to take advantage of any instances where employees use personal information systems or devices to convey critical/sensitive information.

Targeting and exploiting critical hardware, software, or firmware (both commercial off-the-shelf and custom information systems and components).
    Adversary targets and attempts to compromise the operation of software (e.g., through malware injections) that performs critical functions for organizations. This is largely accomplished as supply chain attacks.

Unauthorized internal information system access by insiders.
    Adversary is an individual who has authorized access to organizational information systems, but gains (or attempts to gain) access that exceeds authorization.
Undermine the ability of organizations to detect attacks.
    Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations.

Use remote information system connections of authorized users as bridge to gain unauthorized access to internal networks (i.e., split tunneling).
    Adversary takes advantage of external information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizations and to nonsecure remote connections gaining unauthorized access to organizations via nonsecure, open channels.

Using postal service or other commercial delivery services to insert malicious scanning devices (e.g., wireless sniffers) inside facilities.
    Adversary uses courier service to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mailrooms and then wirelessly transmit information back to adversary.

Zero-day attacks (non-targeted).
    Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Attacks are not based on any adversary insights into specific vulnerabilities of organizations.
NON-ADVERSARIAL THREAT EVENTS - Representative Examples

Threat Source / Threat Event / Description

[Accidental - Ordinary User] Spill - sensitive information
    Authorized user erroneously contaminates a device, information system, or network by placing on it or sending to it information of a classification/sensitivity which it has not been authorized to handle. The information is exposed to access by unauthorized individuals, and as a result, the device, system, or network is unavailable while the spill is investigated and mitigated.

[Accidental - Privileged User or Administrator] Mishandling of critical and/or sensitive information by authorized users
    Authorized privileged user inadvertently exposes critical/sensitive information.

[Communication] Communications Contention
    Degraded communications performance due to contention.

[Display] Unreadable display
    Display unreadable due to aging equipment.

[Earthquake] Earthquake at primary facility
    Earthquake of organization-defined magnitude at primary facility makes facility inoperable.

[Fire] Fire at primary facility
    Fire (not due to adversarial activity) at primary facility makes facility inoperable.

[Fire] Fire at backup facility
    Fire (not due to adversarial activity) at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

[Flood] Flood at primary facility
    Flood (not due to adversarial activity) at primary facility makes facility inoperable.

[Flood] Flood at backup facility
    Flood (not due to adversarial activity) at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

[Hurricane] Hurricane at primary facility
    Hurricane of organization-defined strength at primary facility makes facility inoperable.

[Hurricane] Hurricane at backup facility
    Hurricane of organization-defined strength at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

[Processing] Resource depletion
    Degraded processing performance due to resource depletion.

[Storage] Disk error
    Corrupted storage due to a disk error.

[Storage] Pervasive disk error
    Multiple disk errors due to aging of a set of devices all acquired at the same time, from the same supplier.

[Windstorm or Tornado] Windstorm/tornado at primary facility
    Windstorm/tornado of organization-defined strength at primary facility makes facility inoperable.

[Windstorm or Tornado] Windstorm/tornado at backup facility
    Windstorm/tornado of organization-defined strength at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.
Vulnerability Threat Pairs
A vulnerability is an inherent weakness in an information system, security procedures,
internal controls, or implementation that could be exploited by a threat source. Most
information system vulnerabilities can be identified with security controls that either
have not been applied or which, while applied, retain some weakness.
However, vulnerabilities need not be identified only within information systems. Viewing
information systems in a broader context, vulnerabilities can be found in organizational
governance structures (e.g., lack of effective risk management strategies, poor intra-
agency communications, inconsistent decisions about relative priorities of core missions
and business functions). Vulnerabilities can also be found in external relationships (e.g.,
dependencies on energy sources, the supply chain, technology, and telecommunications
providers), mission/business processes (e.g., poorly defined processes or processes that
are not risk-aware), and enterprise and information security architectures (e.g., poor
architectural decisions resulting in lack of diversity or resiliency in organizational
information systems).
Vulnerability | Threat Source | Threat Action
--- | --- | ---
Terminated employees' accounts are not removed from the system or made inactive | Adversarial insiders (continuing employees with ill intent and knowledge of terminated employee user IDs and passwords) and/or adversarial outsiders (unauthorized external individuals) | Accessing the company's network (whether remotely or through having an otherwise valid reason for being physically present within the organization), logging into an application as a terminated employee, and accessing company proprietary data or protected health information.
Company firewall allows inbound telnet and guest ID is enabled on XYZ server | Adversarial outsiders - unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists) | Using telnet to XYZ server and browsing files with guest ID.
The vendor has identified flaws in the security design of Windows 2003 server; however, new patches have not been applied to the system. | Adversarial outsiders - unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists) | 1) Obtaining unauthorized access to sensitive system files based on known system vulnerabilities. 2) A virus or worm could take down the LAN, servers and could transmit data to a computer criminal.
Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place. | Environmental - Fire | Water sprinklers being turned on in the data center.
Inconsistent patient identity verification safeguards are applied in the practice | Adversarial outsiders (e.g., individuals attempting to misappropriate another's identity for purposes of seeking healthcare) | The medical identity thief successfully receives care and the integrity of the legitimate patient's protected health information is compromised.
Lack of detailed operating procedures designed to direct the work of business associates in their performance of services for the covered entity | Accidents or errors caused by valid ordinary or privileged users | The business associate may carry out work according to their normal mode of operations for their non-healthcare clients and accidentally violate some component of HIPAA's Security Rule because the business associate is not familiar with every specific Security Rule requirement.
Definitions of Key Terms: Likelihood, Impact, Risk
Risk: The determination of risk for a particular threat/vulnerability pair is a function of:
1. The likelihood of a given threat-source's attempting to exercise a given
vulnerability
2. The magnitude of the impact should a threat-source successfully exercise the
vulnerability
3. The adequacy of planned or existing security controls for reducing or eliminating
risk
Likelihood: Likelihood is an indication of the probability that a potential vulnerability may be
exercised given the threat environment.
Consider the following factors:
1. Threat-source motivation and capability
2. Nature of the vulnerability
3. Existence and effectiveness of current or planned controls
Likelihood Level | Likelihood Definition (anticipated frequency of occurrence is:)
--- | ---
Very High | Error, accident, or act of nature is almost certain to occur; or occurs > 100 times a year.
High | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times p.a.
Medium | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times p.a.
Low | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Negligible | Error, accident, or act of nature is highly unlikely to occur; or occurs < once every 10 years.
Impact
The level of impact from a threat event is the magnitude of harm that can be expected
to result from the unauthorized disclosure, modification, disruption, destruction, or loss
of information and/or denial of service. Such adverse impact, and hence harm, can be
experienced by a variety of organizational and non-organizational stakeholders
including, for example, heads of agencies, mission and business owners, information
owners/stewards, mission/business process owners, information system owners, or
individuals/groups in the public or private sectors relying on the organization: in
essence, anyone with a vested interest in the organization's operations, assets, or
individuals, including other organizations in partnership with the organization, or the
Nation (for critical infrastructure-related considerations).
The following are adverse impacts that should be considered when scoring:
Type of Impact | Impact
--- | ---
Harm to Operations:
- Inability to perform current missions/business functions.
  o In a sufficiently timely manner.
  o With sufficient confidence and/or correctness.
  o Within planned resource constraints.
- Inability, or limited ability, to perform missions/business functions in the future.
  o Inability to restore missions/business functions.
  o In a sufficiently timely manner.
  o With sufficient confidence and/or correctness.
  o Within planned resource constraints.
- Harms (e.g., financial costs, sanctions) due to noncompliance.
  o With applicable laws or regulations.
  o With contractual requirements or other requirements in other binding agreements.
- Direct financial costs.
- Relational harms.
  o Damage to trust relationships.
  o Damage to image or reputation (and hence future or potential trust relationships).
Harm to Assets:
- Damage to or loss of physical facilities.
- Damage to or loss of information systems or networks.
- Damage to or loss of information technology or equipment.
- Damage to or loss of component parts or supplies.
- Damage to or loss of information assets.
- Loss of intellectual property.
Harm to Individuals:
- Identity theft.
- Loss of Personally Identifiable Information [or Protected Health Information].
- Injury or loss of life.
- Damage to image or reputation.
- Physical or psychological mistreatment.
Harm to Other Organizations:
- Harms (e.g., financial costs, sanctions) due to noncompliance.
  o With applicable laws or regulations.
  o With contractual requirements or other requirements in other binding agreements.
- Direct financial costs.
- Relational harms.
  o Damage to trust relationships.
  o Damage to reputation (and hence future or potential trust relationships).
Harm to the Nation:
- Damage to or incapacitation of a critical infrastructure sector.
- Loss of government continuity of operations.
- Relational harms.
  o Damage to trust relationships with other governments or with nongovernmental entities.
  o Damage to national reputation (and hence future or potential trust relationships).
- Damage to current or future ability to achieve national objectives.
Magnitude of Impact | Impact Definition
--- | ---
Very High | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Medium | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Negligible | No significant impact. The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
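The risk definition, the Likelihood Level table and the Magnitude of Impact table above can be applied mechanically to a register of threat/vulnerability pairs. The following is an added example and not part of the original notes: it maps an anticipated annual frequency onto the five likelihood levels (handling the boundaries the table text implies), numbers the levels 1 to 5, and scores each pair as likelihood x impact on the 5x5 grid; the sample register, its frequencies and its impact ratings are constructed assumptions drawn from this page's vulnerability/threat pairs.

```python
"""Added example, not from the original notes: scoring threat/vulnerability pairs
with the five-level Likelihood and Magnitude of Impact scales defined above.
Assumptions: levels map to 1 (Negligible) .. 5 (Very High) and risk score =
likelihood x impact, as in the 5x5 grid; the sample register is constructed."""
from dataclasses import dataclass

LEVELS = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


def likelihood_level(per_year: float) -> str:
    """Map an anticipated annual frequency to the Likelihood Level table:
    > 100 Very High, 10-100 High, 1-10 Medium, more than once per 10 years
    but under once a year Low, at most once per 10 years Negligible."""
    if per_year > 100:
        return "Very High"
    if per_year >= 10:
        return "High"
    if per_year >= 1:
        return "Medium"
    if per_year > 0.1:
        return "Low"
    return "Negligible"


@dataclass
class ThreatPair:
    vulnerability: str
    threat_source: str
    per_year: float  # assumed anticipated frequency of the threat action
    impact: str      # Magnitude of Impact level from the table above

    def risk_score(self) -> int:
        return LEVELS[likelihood_level(self.per_year)] * LEVELS[self.impact]


def rank_pairs(pairs):
    """(vulnerability, likelihood level, impact level, score), highest risk first."""
    rows = [(p.vulnerability, likelihood_level(p.per_year), p.impact,
             p.risk_score()) for p in pairs]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed register from this page's pairs; frequencies and impacts are assumed.
SAMPLE_PAIRS = [
    ThreatPair("Terminated accounts not disabled", "Adversarial insider/outsider", 4, "High"),
    ThreatPair("Inbound telnet, guest ID enabled", "Adversarial outsider", 30, "High"),
    ThreatPair("Unpatched Windows 2003 server", "Adversarial outsider", 150, "Very High"),
    ThreatPair("Sprinklers, no tarpaulins", "Environmental - Fire", 0.05, "High"),
    ThreatPair("No business associate procedures", "Accidental privileged user", 0.5, "Medium"),
]

if __name__ == "__main__":
    for vuln, lik, imp, score in rank_pairs(SAMPLE_PAIRS):
        print(f"{score:>2}  {lik:<10} x {imp:<10} {vuln}")
```

Note that a frequency of exactly 100 per year lands in High and exactly once per 10 years in Negligible, because the table words those bands as "> 100" and "more than once every 10 years".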
Our Security Risk Analysis Process Flow