
6.5 Identify Threats to Critical Assets

At this point in the evaluation you begin to examine the range of threats that can affect your critical assets. You perform a gap analysis of the areas of concern you elicited earlier in the evaluation, creating a complete threat profile for each critical asset.

Recall that a generic threat profile is a structured way of presenting a range of potential threats to a critical asset. In this activity you essentially tailor the generic threat profile for each critical asset by deciding which threats in the range of possibilities actually apply to a critical asset. This information helps to form the basis for examining the computing infrastructure for vulnerabilities as well as for identifying and analyzing risks to critical assets.

Step 1: Map Areas of Concern to Generic Threat Profile

For each critical asset, review the consolidated areas of concern that affect that asset. Consider the following question: How do the areas of concern map to the threat profile?

To map an area of concern to the threat profile, you must first determine which category of threat (e.g., human actors using network access) is represented by the area of concern. You then determine which threat properties (asset, access, actor, motive, outcome) are represented by the area of concern. Finally, you map the threat properties to the corresponding asset-based threat tree.

Let's examine how the analysis team at MedSite performed the mapping. Figure 6-11 shows three areas of concern for PIDS. Each is from the human actors using network access category. The team determined which threat properties were represented by each area of concern. In the first area of concern, the asset is the information on the PIDS system. The concern focuses on staff members using network access to enter data into PIDS. Thus, network access and people inside the organization are part of the concern, and the motive in this case is accidental. Finally, the outcome is modification—the data are entered incorrectly.

Figure 6-11. Areas of Concern for PIDS


Notice how much interpretation is required when mapping areas of concern, which can be ambiguous. That is why it is important to be as precise as possible when capturing areas of concern during the knowledge elicitation workshops. For example, in the first item in the table, the threat actor is stated as "too many people." The analysis team interpreted this to mean insiders (staff members). Figure 6-12 shows the threat properties for the areas of concern from Figure 6-11.

Figure 6-12. Threat Properties for Areas of Concern


Once you have identified the threat properties for each area of concern, you can easily map the threat properties to the generic threat profile. Figure 6-13 shows the asset-based threat tree for human actors using network access, including the mapping of the properties from Figure 6-12. The numbers in parentheses on Figure 6-13 refer to the areas of concern. Note that a solid line in Figure 6-13 indicates the existence of a threat, while a dashed line indicates no threat to the asset. Also note that an area of concern could be mapped to multiple branches.

Figure 6-13. Threat Tree After Mapping Areas of Concern


This completes the mapping process. However, your task of identifying threats is not finished. You must now perform a gap analysis of the remaining (unmarked) threats on the profile to determine if any of them affect the critical asset.

Step 2: Perform a Gap Analysis

During this step you must remember that the areas of concern were elicited during the knowledge elicitation workshops. It is unlikely that all threats for an asset will be elicited during those workshops. Your job during this step is to determine what other threats could affect your organization's critical assets.

Consider the following questions:

  • For which remaining potential threats is there a more than negligible possibility of a threat to the asset? Mark these branches in the threat profile.

  • For which remaining potential threats is there a negligible possibility or no possibility at all of a threat to the asset? Do not mark these branches in the threat profile.

When discussing the questions, remember to consider all remaining branches for each threat tree. When you reach a decision, mark each additional threat that is more than negligible on the appropriate asset-based threat tree.

Always remember to record relevant contextual information on the threat profile. This information elaborates on the information represented by the trees. If a branch of the human actors using network access tree indicates an outside threat actor, you might want to add contextual notes to supplement the areas of concern. For example, if the threat refers specifically to threats from corporate spies, make sure that you add a note indicating this.

In some cases you might find that an area of concern contains a threat actor not in the generic threat profile. This is especially true in the systems problems and other problems threat categories. These categories might contain threats that are unique to a system or to your environment, or new threats that haven't been added to the generic threat profile. Since these unique threats might not easily map to the threat actors in the generic threat profile, you must add them to threat profiles for the affected critical assets. Depending on the nature of the threat actor identified from an area of concern, you might decide to add it to the generic threat profile.

The analysis team at MedSite performed a gap analysis on the PIDS threat profile. During the analysis the team members decided that if insiders could deliberately disclose and modify PIDS information, they could also destroy or deny access to the information. The team then identified other threats to the PIDS information. In fact, the analysis team felt that all threats except accidental actions by outsiders were applicable to the information on PIDS. They felt that PIDS was too difficult to access by accident. Only a determined outsider would be able to get in. Figure 6-14 shows the asset-based threat tree for human actors using network access after the gap analysis. The team used the same process for the other categories of threats, yielding a threat profile for the critical asset. (Appendix A presents the entire threat profile for PIDS.)

Figure 6-14. Threat Tree After Gap Analysis


In addition, the team noticed that some of the areas of concern contained threat actors not in the generic threat profile. Team members extended the threat profile for the affected critical assets to include those threat actors. Figure 6-15 shows the asset-based threat tree for the category of other problems for PIDS. A comparison of that tree with the generic tree in Figure 6-4 shows that the team modified the tree in the following ways:

  • The team removed the following threat actors from the PIDS threat profile: "third-party problems or unavailability of third-party systems" and "telecommunications problems or unavailability."

  • The team added the following threat actors to the PIDS threat profile: "lack of control over hardware and software" and "lack of trained maintenance personnel."

Figure 6-15. Other Problems Threat Tree for PIDS


Step 3: Check Threat Profiles for Consistency and Completeness

After you have created a threat profile for each critical asset, look at the outcomes across the threat profile. Compare the outcomes with the security requirements to check for consistency and completeness.

When comparing threat trees and security requirements, you must understand the relationships among the outcomes and the security requirements, as shown in Table 6-4.

Table 6-4. Relationships Among Security Requirements and Outcomes

Security Requirement    Related Outcome
--------------------    -------------------------------
Confidentiality         Disclosure
Integrity               Modification
Availability            Loss, destruction, interruption

For example, if you have a security requirement for confidentiality but no threats with disclosure as an outcome, you need to interpret the meaning of this situation. Consider the following possibilities:

  • Confidentiality is not really a security requirement.

  • You might have missed threats that result in disclosure of the critical asset.

  • There is no possibility, or only a negligible possibility, of threats resulting in disclosure of the critical asset.

  • The security requirement might be driven by law or regulation rather than by an existing threat.
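The three steps above can be sketched in code for the human actors using network access tree. This is an added example, not material from the original text. It assumes the generic tree branches on actor (inside, outside), motive (accidental, deliberate), and four outcomes; areas of concern 2 and 3 are constructed stand-ins for Figure 6-11; and the reverse check (marked outcomes with no matching requirement) goes beyond what the text describes.

```python
from itertools import product

# Threat properties of the "human actors using network access" tree (assumed shape).
ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

# Table 6-4: security requirement -> related outcomes.
REQUIREMENT_OUTCOMES = {
    "confidentiality": {"disclosure"},
    "integrity": {"modification"},
    "availability": {"loss/destruction", "interruption"},
}

def generic_tree():
    """All branches of the generic tree; an empty set means unmarked (dashed)."""
    return {branch: set() for branch in product(ACTORS, MOTIVES, OUTCOMES)}

def map_concern(tree, concern_id, actor, motive, outcomes):
    """Step 1: mark every branch an area of concern maps to (can be several)."""
    for outcome in outcomes:
        tree[(actor, motive, outcome)].add(f"concern {concern_id}")

def gap_analysis(tree, more_than_negligible):
    """Step 2: mark unmarked branches the team judges more than negligible."""
    added = [b for b, src in tree.items() if not src and more_than_negligible(*b)]
    for branch in added:
        tree[branch].add("gap analysis")
    return added

def check_requirements(tree, requirements):
    """Step 3: requirements with no marked outcome, outcomes with no requirement."""
    marked = {outcome for (_, _, outcome), src in tree.items() if src}
    covered = set().union(*(REQUIREMENT_OUTCOMES[r] for r in requirements))
    unsupported = [r for r in requirements if not REQUIREMENT_OUTCOMES[r] & marked]
    return unsupported, sorted(marked - covered)

def pids_network_tree():
    """PIDS tree after steps 1 and 2, plus the branches gap analysis added."""
    tree = generic_tree()
    # Concern 1 is the one walked through in the text; 2 and 3 are constructed.
    map_concern(tree, 1, "inside", "accidental", ["modification"])
    map_concern(tree, 2, "inside", "deliberate", ["disclosure", "modification"])
    map_concern(tree, 3, "outside", "deliberate", ["disclosure"])
    # MedSite's judgement: all threats apply except accidental actions by outsiders.
    added = gap_analysis(tree, lambda a, m, _: (a, m) != ("outside", "accidental"))
    return tree, added

if __name__ == "__main__":
    print(check_requirements(pids_network_tree()[0], list(REQUIREMENT_OUTCOMES)))
```

A requirement returned in the first list is the situation described above: it has no threat with a related outcome, so the team has to decide which of the listed possibilities explains it.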

Threat Profiles and Asset Categories

You should note that the category of asset dictates which threat categories you should consider for a critical asset. Complete the threat trees for these categories, using the following information as a guide:

  • For information assets, you need to determine whether the asset is represented electronically (on a systems asset), physically, or both. For electronic information, the following threat categories apply: human actors using network access, human actors using physical access, systems problems, and other problems.

  • For information that is represented physically (for example, on paper only), the following threat categories apply: human actors using physical access and other problems.

  • Systems assets generally represent groupings of information, software, and hardware assets. The following threat categories apply to systems assets: human actors using network access, human actors using physical access, systems problems, and other problems.

  • Software assets focus on software applications or services. The following threat categories apply to software assets: human actors using network access, human actors using physical access, systems problems, and other problems.

  • Hardware assets focus only on the physical information technology hardware. The following threat categories apply to hardware assets: human actors using physical access and other problems.

  • People assets focus on either a special skill that the people have or a service that they provide. The only threat category that applies to people assets is other problems.

Looking Across Critical Assets

You should also consider checking for consistency across critical assets. For example, the analysis team at MedSite identified three systems assets as being critical (PIDS, ECDS, and personal computers). When mapping areas of concern to the PIDS threat profile, team members identified two unique threat actors for PIDS ("lack of control over hardware and software" and "lack of trained maintenance personnel"). As a consistency check, the team examined the threat profiles for ECDS and personal computers to see if either of the unique threat actors for PIDS affects those systems as well.

This completes our presentation of process 4. Chapter 7 looks at process 5, in which you identify the key components of your organization's computing infrastructure. These components are used to store, transmit, and process your organization's critical information, and they are evaluated for technological weaknesses during phase 2 of the OCTAVE Method.
