Professional Documents
Culture Documents
Threat Notes
Threat Notes
Contents
1 Definitions
2 Phenomenology
3 Threats classification
4 Threat model
5 Threat classification
6 Associated terms
o 6.1 Threat Agents
o 6.2 Threat Communities
o 6.3 Threat action
o 6.4 Threat analysis
o 6.5 Threat consequence
7 Threat management
8 Threat literature
9 See also
10 References
11 External links
Definitions
In Computer security a threat is a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and cause harm.
That is, a threat is a possible danger that might exploit a vulnerability. A threat can be either
"intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or
"accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of
God" such as an earthquake, a fire, or a tornado).
A threat is: A potential cause of an incident, that may result in harm of systems and
organization.
A more comprehensive definition, tied to an Information assurance point of view, can be found
in "Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for
Federal Information and Information Systems" by NIST of United States of America [3]
Any circumstance or event with the potential to adversely impact an asset [G.3] through
unauthorized access, destruction, disclosure, modification of data, and/or denial of
service.
threats are anything (e.g., object, substance, human, etc.) that are capable of acting
against an asset in a manner that can result in harm. A tornado is a threat, as is a flood,
as is a hacker. The key consideration is that threats apply the force (water, wind, exploit
code, etc.) against an asset that can cause a loss event to occur.
National Information Assurance Training and Education Center gives a more articulated
definition of threat:
The means through which the ability or intent of a threat agent to adversely affect an
automated system, facility, or operation can be manifest. Categorize and classify threats
as follows: Categories Classes Human Intentional Unintentional Environmental Natural
Fabricated 2. Any circumstance or event with the potential to cause harm to a system in
the form of destruction, disclosure, modification or data, and/or denial of service. 3. Any
circumstance or event with the potential to cause harm to the ADP system or activity in
the form of destruction, disclosure, and modification of data, or denial of service. A
threat is a potential for harm. The presence of a threat does not mean that it will
necessarily cause actual harm. Threats exist because of the very existence of the system
or activity and not because of any specific weakness. For example, the threat of fire
exists at all facilities regardless of the amount of fire protection available. 4. Types of
computer systems related adverse events (i. e. , perils) that may result in losses.
Examples are flooding, sabotage and fraud. 5. An assertion primarily concerning entities
of the external environment (agents); we say that an agent (or class of agents) poses a
threat to one or more assets; we write: T(e;i) where: e is an external entity; i is an
internal entity or an empty set. 6. An undesirable occurrence that might be anticipated
but is not the result of a conscious act or decision. In threat analysis, a threat is defined
as an ordered pair, <peril; asset category>, suggesting the nature of these occurrences
but not the details (details are specific to events). 7. A potential violation of security. 8. A
set of properties of a specific external entity (which may be either an individual or class
of entities) that, in union with a set of properties of a specific internal entity, implies a
risk (according to some body of knowledge).
Phenomenology
The term "threat" relates to some other basic security terms as shown in the following diagram:[1]
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
| An Attack: | |Counter- | | A System Resource: |
| i.e., A Threat Action | | measure | | Target of the Attack |
| +----------+ | | | | +-----------------+ |
| | Attacker |<==================||<========= | |
| | i.e., | Passive | | | | | Vulnerability | |
| | A Threat |<=================>||<========> | |
| | Agent | or Active | | | | +-------|||-------+ |
| +----------+ Attack | | | | VVV |
| | | | | Threat Consequences |
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
A resource (both physical or logical) can have one or more vulnerabilities that can be exploited
by a threat agent in a threat action. The result can potentially compromises the Confidentiality,
Integrity or Availability properties of resources (potentially different that the vulnerable one) of
the organization and others involved parties (customers, suppliers).
The so called CIA triad is the basis of Information Security.
The attack can be active when it attempts to alter system resources or affect their operation: so it
compromises Integrity or Availability. A "passive attack" attempts to learn or make use of
information from the system but does not affect system resources: so it compromises
Confidentiality.[1]
OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent
through an attack vector exploits a weakness (vulnerability) of the system and the related
security controls causing an technical impact on an IT resource (asset) connected to a business
impact.
A set of policies concerned with information security management, the Information Security
Management Systems (ISMS), has been developed to manage, according to Risk management
principles, the countermeasures in order to accomplish to a security strategy set up following
rules and regulations applicable in a country. Countermeasures are also called Security controls;
when applied to the transmission of information are named security services.[9]
The overall picture represents the risk factors of the risk scenario.[10]
The widespread of computer dependencies and the consequent raising of the consequence of a
successful attack, led to a new term cyberwarfare.
It should be noted that nowadays the many real attacks exploit Psychology at least as much as
technology. Phishing and Pretexting and other methods are called social engineering techniques.
[11]
The Web 2.0 applications, specifically Social network services, can be a mean to get in touch
with people in charge of system administration or even system security, inducing them to reveal
sensitive information.[12] One famous case is Robin Sage.[13]
The most widespread documentation on Computer insecurity is about technical threats such
computer virus, trojan and other malware, but a serious study to apply cost effective
countermeasures can only be conducted following a rigorous IT risk analysis in the framework of
an ISMS: a pure technical approach will let out the psychological attacks, that are increasing
threats.
Threats classification
Threats can be classified according to their type and origin:[2]
Type
o Physical damage
fire
water
pollution
o natural events
climatic
seismic
volcanic
o loss of essential services
electrical power
air conditioning
telecommunication
o compromise of information
eavesdropping,
theft of media
retrieval of discarded materials
o technical failures
equipment
software
capacity saturation
o compromise of functions
error in use
abuse of rights
denial of actions
Origin
o Deliberate: aiming at information asset
spying
illegal processing of data
o accidental
equipment failure
software failure
o environmental
natural event
loss of power supply
Threat model
Main article: Threat model
affect an asset,
affect a software system
are brought by a threat agent
Threat classification
Microsoft has proposed a threat classification called STRIDE, from the initial of threat
categories:
The DREAD name comes from the initials of the five categories listed.
The spread over a network of threats can led to dangerous situations. In military and civil fields,
threat level as been defined: for example INFOCOM is a threat level used by USA. Leading
antivirus software vendors publish global threat level on their websites[15][16]
Associated terms
Threat Agents
Threat Agents
Individuals within a threat population; Practically anyone and anything can, under the
right circumstances, be a threat agent – the well-intentioned, but inept, computer
operator who trashes a daily batch job by typing the wrong command, the regulator
performing an audit, or the squirrel that chews through a data cable.[6]
Threat agents can take one or more of the following actions against an asset[6]:
It’s important to recognize that each of these actions affects different assets differently, which
drives the degree and nature of loss. For example, the potential for productivity loss resulting
from a destroyed or stolen asset depends upon how critical that asset is to the organization’s
productivity. If a critical asset is simply illicitly accessed, there is no direct productivity loss.
Similarly, the destruction of a highly sensitive asset that doesn’t play a critical role in
productivity won’t directly result in a significant productivity loss. Yet that same asset, if
disclosed, can result in significant loss of competitive advantage or reputation, and generate legal
costs. The point is that it’s the combination of the asset and type of action against the asset that
determines the fundamental nature and degree of loss. Which action(s) a threat agent takes will
be driven primarily by that agent’s motive (e.g., financial gain, revenge, recreation, etc.) and the
nature of the asset. For example, a threat agent bent on financial gain is less likely to destroy a
critical server than they are to steal an easily pawned asset like a laptop.[6]
It is important to separate the concept of the event that a threat agent get in contact with the asset
(even virtually, i.e. through the network) and the event that a threat agent act against the asset.[6]
OWASP collects a list of potential threat agents in order to prevent system designers and
programmers insert vulnerabilities in the software.[17]
The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is
fundamental to identify who would want to exploit the assets of a company, and how they might
use them against the company.[17]
Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms,
trojans and logic bombs.
Employees: Staff, contractors, operational/maintenance personnel, or security guards who
are annoyed with the company.
Organized Crime and Criminals: Criminals target information that is of value to them,
such as bank accounts, credit cards or intellectual property that can be converted into
money. Criminals will often make use of insiders to help them.
Corporations: Corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
Human, Unintentional: Accidents, carelessness.
Human, Intentional: Insider, outsider.
Natural: Flood, fire, lightning, meteor, earthquakes.
Threat Communities
Threat Communities
Subsets of the overall threat agent population that share key characteristics. The notion
of threat communities is a powerful tool for understanding who and what we’re up
against as we try to manage risk. For example, the probability that an organization
would be subject to an attack from the terrorist threat community would depend in large
part on the characteristics of your organization relative to the motives, intents, and
capabilities of the terrorists. Is the organization closely affiliated with ideology that
conflicts with known, active terrorist groups? Does the organization represent a high
profile, high impact target? Is the organization a soft target? How does the organization
compare with other potential targets? If the organization were to come under attack,
what components of the organization would be likely targets? For example, how likely is
it that terrorists would target the company information or systems?[6]
The following threat communities are examples of the human malicious threat landscape
many organizations face:
Internal
o Employees
o Contractors (and vendors)
o Partners
External
o Cyber-criminals (professional hackers)
o Spies
o Non-professional hackers
o Activists
o Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
o Malware (virus/worm/etc.) authors
Threat analysis is the analysis of the probability of occurrences and consequences of damaging
actions to a system.[1] It is the basis of risk analysis.
The following subentries describe four kinds of threat consequences, and also list and describe
the kinds of threat actions that cause each consequence.[1] Threat actions that are accidental
events are marked by "*".
Very large organizations tend to adopt business continuity management plans in order to protect,
maintain and recover business-critical processes and systems. Some of these plans foreseen to set
up computer security incident response team (CSIRT) or computer emergency response
team (CERT)
Most organizations perform a subset of these steps, adopting countermeasures based on a non
systematic approach: Computer insecurity studies the battlefield of computer security exploits
and defences that results.
Information security awareness generates quite a large business: (see the category:Computer
security companies).
Countermeasures may include tools such as firewalls, intrusion detection system and anti-virus
software, Physical Security measures, policies and procedures such as regular backups and
configuration hardening, training such as security awareness education.