Practical Threat Analysis for the Software Industry
Ygor Goldberg
01/10/2005
Terminology
System
System is a cluster of software modules and hardware components together with sets of operational and business
procedures that are the target of the threat analysis process. Systems are characterized by their specific goals,
functionality, architecture, configuration and users.
System’s Maximal Risk is a calculated value that expresses the maximal loss that may be caused to the system’s assets
due to the threats that were identified. It reflects the potential risks of all threats to the system’s assets and is
displayed both as a $ value and as a percentage of the total value of the system’s assets.
System’s Minimal Risk is a calculated value that expresses the loss that may be caused to the system’s assets after
all the countermeasures in the mitigation plans are implemented. It reflects the remaining risk of all threats after full
implementation of all the mitigation plans and is the actual lowest value of risk that can be achieved. It is displayed both
as a $ value and as a percentage of the total value of the system’s assets.
System’s Current Risk is a calculated value that expresses the loss that may be caused to the system’s assets
according to the current implementation level of the mitigation plans. It is displayed both as a $ value and as a percentage
of the total value of the system’s assets.
System’s Total Value of Assets is the calculated total value of all the system’s assets.
System’s Countermeasures Implementation Cost is the calculated value of the cost of the implementation of the
countermeasures in all mitigation plans.
System’s Current Investment in Implementation is the cost of the implementation of the countermeasures that are
already applied to the system.
Vulnerability
Vulnerability is a weakness, limitation or a defect in one or more of the system’s elements that can be exploited to
disrupt the normal functionality of the system. The weakness or defect may be either in specific modules of the system, its
layout, its users, operators, and/or in its associated regulations, operational and business procedures.
Countermeasure
Countermeasure is a procedure, action or means for mitigating a specific vulnerability. A specific countermeasure may
mitigate several different vulnerabilities. In some standards documentation, countermeasures are called “controls” or
“safeguards”.
Countermeasure’s Fixed Cost is the estimated value (in $) of the one-time expense associated with the implementation
of the countermeasure, e.g. purchase of equipment, enhancing the software, etc.
Countermeasure’s Fixed Cost Period is the number of years over which the fixed cost expense lasts (from both economic
and book-accounting considerations).
Countermeasure’s Recurring Cost is the estimated recurring expense (in $) that derives from applying the
countermeasure, e.g. administrator’s salary, insurance payments etc.
Countermeasure’s Weighted Cost is the calculated weighted average of the countermeasure’s fixed and recurring
implementation costs and is displayed in ‘annual $’ units.
Countermeasure’s Overall Mitigation is the calculated degree of mitigation provided by a specific countermeasure to
the overall risk of the system and is displayed as a percentage of the overall risk.
Countermeasure’s Cost-Effectiveness is the degree of mitigation provided by a specific countermeasure to the overall
risk of the system in relation to the cost of implementing this specific countermeasure. The value is displayed in
“percent of overall mitigation per 1,000 $” units. Note that the countermeasure’s cost-effectiveness does not take into
consideration the countermeasures which are already implemented; therefore it is not necessarily identical to the practical
PTA recommendation on the countermeasures that should be implemented in order to reduce the system’s risk.
Asset
Asset is information, capability, an advantage, a feature, a financial or a technical resource that may be damaged,
lost or disrupted. Assets may be digital (software sources), physical (a server machine) or commercial (the corporate brand).
The damage to an asset may affect the normal functionality of the system as well as of the individuals and/or organizations
involved with the system.
Asset’s Fixed Value is the estimated value (in $) of the one-time expense associated with the loss of the asset, e.g.
the value of the loss caused by blocking the company’s e-commerce operation for 7 days etc.
Asset’s Fixed Value Period is the number of years over which the fixed value expense lasts (from both economic and
book-accounting considerations).
Asset’s Recurring Value is the estimated recurring value (in $) of losses that may be caused when the asset is damaged,
e.g. the recurring expense due to the non-availability of a software service.
Asset’s Weighted Value is the calculated financial value of the loss when the asset is totally damaged, destroyed or
stolen. The value is displayed in ‘annual $’ and expresses the weighted average of the asset’s fixed and recurring values in
$ per year units.
Asset’s Relative Value is the calculated percentage of the specific asset's value from the total value of all the
system’s assets.
Asset’s Maximal Risk is the calculated maximal risk (in percentage of the asset's value) that threatens the asset. The
calculation is based on the parameters of all threats that might damage the asset.
Asset’s Minimal Risk is the calculated risk that threatens the asset after all mitigation plans are implemented. It
reflects the actual lowest value of risk that can be achieved after the full implementation of all mitigation plans of the
threats that threaten the asset.
Asset’s Current Risk is the calculated risk that threatens the asset according to current implementation level of
mitigation plans.
Threat
Threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities and may cause damage to
one or more of the system’s assets.
Threat’s Probability is the likelihood that the threat scenario will materialize. In some documentation the threat’s
probability is characterized by the term “Annual Occurrence Rate” (AOR).
Threat's Damage Level to Asset is the financial value of the damage caused by a specific threat to a specific asset,
expressed as a percentage of the asset's value; if the level is 100%, the damage to the asset is maximal.
Threat’s Damage is the total damage (in percentage of the total value of all assets) that the threat may cause to the
system. The calculation is based on the damage caused to each of the assets threatened by the threat.
Threat’s Maximal Risk is a calculated value that expresses the maximal loss that may be caused to the system’s assets
due to the specific threat. It reflects the potential risk of the threat to the system’s assets and is displayed both as a $
value and as a percentage of the total value of the system’s assets. In some documentation the threat’s risk is called
“Annual Loss Expectancy” (ALE).
Threat’s Minimal Risk is a calculated value that expresses the loss that may be caused to the system’s assets after
all the countermeasures in the mitigation plan of the specific threat are implemented. It reflects the actual lowest value of
risk that can be achieved after the full implementation of the threat’s mitigation plan and is displayed both as a $
value and as a percentage of the total value of the system’s assets.
Threat’s Current Risk is a calculated value that expresses the loss that may be caused to the system’s assets
according to the current implementation level of the threat’s mitigation plan. It is displayed both as a $ value and as a
percentage of the total value of the system’s assets.
Threat’s Recommended Countermeasures is a set of all possible countermeasures that may mitigate the threat and reduce
the threat’s risk. This set is based on the countermeasures that mitigate the threat’s vulnerabilities.
Threat’s Mitigation Plan is the subset of the threat’s recommended countermeasures that is assumed to be the most effective
for mitigating the specific threat. The decision as to which of the recommended countermeasures will be included in the Threat’s
Mitigation Plan is made by the analyst, who uses his/her expertise to decide which countermeasures are most effective when
applied together.
Threat’s Countermeasure Mitigation Level is the mitigation level that a specific countermeasure would provide to a
specific threat if it were the only countermeasure in the mitigation plan. It is displayed as a percentage of the threat’s
overall risk.
Threat’s Maximal Mitigation is the maximal mitigation level (as a percentage of the specific threat’s risk) that may be
achieved by applying all countermeasures in the threat’s mitigation plan.
Threat’s Current Mitigation is the portion of mitigation (as a percentage of the specific threat’s risk) that is
provided by the countermeasures that are already implemented.
The Threat Model
The following scheme describes the interrelations between a threat and the assets, vulnerabilities and countermeasures
entities.
Figure 1: PTA data model sample scheme
The threat described in Figure 1 causes damage to Asset-1 and Asset-2 and exploits two vulnerabilities: Vulnerability-1 and
Vulnerability-2. Vulnerability-1 is mitigated by Countermeasure-1, and Vulnerability-2 is mitigated by Countermeasure-2 and
Countermeasure-3, as noted by the blue arrows. Since a threat may exploit several vulnerabilities, the set of possible
countermeasures that might mitigate a threat is completely defined by the set of vulnerabilities used in the threat scenario
and is noted by the green arrows in the scheme.
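The risk arithmetic defined in the terminology above and the threat-to-vulnerability-to-countermeasure relation of Figure 1, as an added Python example that is not part of the paper. The paper does not give the exact formulas for the weighted (annual $) values or for combining several countermeasures in one plan, so the annualization and the independent-mitigation combination below are assumptions, and all figures are constructed sample data.

```python
# Added example, not code from the PTA paper: a minimal implementation of the
# quantitative model defined in the terminology, with all money in annual $.
# Assumption: "weighted" value/cost = one-time amount spread evenly over its
# period (years) plus the recurring yearly amount.
def annual(fixed, period_years, recurring):
    return fixed / period_years + recurring

# Constructed sample data, named after the entities in Figure 1.
ASSETS = {"Asset-1": annual(100_000, 5, 30_000),        # 50,000 $/yr
          "Asset-2": annual(0, 1, 20_000)}              # 20,000 $/yr
VULN_TO_CMS = {"Vulnerability-1": {"Countermeasure-1"},
               "Vulnerability-2": {"Countermeasure-2", "Countermeasure-3"}}
CM_COST = {"Countermeasure-1": annual(10_000, 2, 1_000),  # 6,000 $/yr
           "Countermeasure-2": annual(0, 1, 2_000),
           "Countermeasure-3": annual(3_000, 3, 0)}
IMPLEMENTED = {"Countermeasure-2"}
THREAT = {"probability": 0.2,                            # annual occurrence rate
          "damage": {"Asset-1": 0.5, "Asset-2": 1.0},    # damage level per asset
          "vulnerabilities": ["Vulnerability-1", "Vulnerability-2"],
          # mitigation plan: countermeasure -> mitigation level if applied alone
          "plan": {"Countermeasure-1": 0.6, "Countermeasure-2": 0.5}}

def recommended(threat):
    """Every countermeasure that mitigates a vulnerability the threat exploits."""
    return set().union(*(VULN_TO_CMS[v] for v in threat["vulnerabilities"]))

def max_risk(threat):
    """Annual loss expectancy: occurrence rate x total damage to the assets."""
    return threat["probability"] * sum(ASSETS[a] * lvl for a, lvl in threat["damage"].items())

def combined(levels):
    """Assumption: countermeasures act independently, so residual risk multiplies."""
    residual = 1.0
    for m in levels:
        residual *= 1 - m
    return 1 - residual

def risk(threat, implemented=None):
    """Minimal risk (whole plan applied) or current risk (only implemented ones)."""
    plan = threat["plan"]
    used = plan if implemented is None else {c: m for c, m in plan.items() if c in implemented}
    return max_risk(threat) * (1 - combined(used.values()))

def cost_effectiveness(cm, threats):
    """Percent of overall (system) risk mitigated per 1,000 $ of weighted cost."""
    total = sum(max_risk(t) for t in threats)
    mitigated = sum(max_risk(t) * t["plan"].get(cm, 0) for t in threats)
    return 100 * mitigated / total / (CM_COST[cm] / 1000)
```

With the sample data the threat's maximal risk is 9,000 $/yr, its minimal risk 1,800 $/yr and its current risk 4,500 $/yr; Countermeasure-3 is recommended but, being outside the plan, contributes no mitigation.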
Attacker Type
Attacker is a person (or group of people) that may perform the steps of a specific threat scenario and attack the
system’s assets.
Attacker Types are the various classes of attackers, differentiated by their motivation, qualification, available
attack tools and their access to the attacked system’s resources, e.g. hackers, insiders, users etc.
Entry Point
Entry Point is a “door”, either in the system itself or in the human operation associated with it, that is used by
attackers to penetrate the system, e.g. a Web site, an IVR service, an SMS server, CRM representatives called by customers over the
phone etc. The attacker may use several entry points for materializing a specific threat.
Tag
Tag is a free text descriptive attribute that might be associated with assets, threats, vulnerabilities and
countermeasures. Tags are often used for helping the analyst in classifying the various entities in the threat model and
improving their comprehensibility.
Attached Document
Attached Document contains additional unstructured information relevant to the threat analysis entities and process,
e.g. security notes, standards specifications, development ideas, design schemes etc. Attached documents may be associated
with specific assets, vulnerabilities, countermeasures and threats at any step in the threat analysis process.