6.5 Identify Threats to Critical Assets

At this point in the evaluation you begin to examine the range of threats that can affect your critical assets. You perform a gap analysis of the areas of concern you elicited earlier in the evaluation, creating a complete threat profile for each critical asset. Recall that a generic threat profile is a structured way of presenting a range of potential threats to a critical asset. In this activity you essentially tailor the generic threat profile for each critical asset by deciding which threats in the range of possibilities actually apply to a critical asset. This information helps to form the basis for examining the computing infrastructure for vulnerabilities as well as for identifying and analyzing risks to critical assets.

Step 1: Map Areas of Concern to Generic Threat Profile

For each critical asset, review the consolidated areas of concern that affect that asset. Consider the following question: How do the areas of concern map to the threat profile?

To map an area of concern to the threat profile, you must first determine which category of threat (e.g., human actors using network access) is represented by the area of concern. You then determine which threat properties (asset, access, actor, motive, outcome) are represented by the area of concern. Finally, you map the threat properties to the corresponding asset-based threat tree.

Let's examine how the analysis team at MedSite performed the mapping. Figure 6-11 shows three areas of concern for PIDS. Each is from the human actors using network access category. The team determined which threat properties were represented by each area of concern. In the first area of concern, the asset is the information on the PIDS system. The concern focuses on staff members using network access to enter data into PIDS. Thus, network access and people inside the organization are part of the concern, and the motive in this case is accidental. Finally, the outcome is modification—the data are entered incorrectly.

Figure 6-11. Areas of Concern for PIDS

Notice how much interpretation is required when mapping areas of concern, which can be ambiguous. That is why it is important to be as precise as possible when capturing areas of concern during the knowledge elicitation workshops. For example, in the first item in the table, the threat actor is stated as "too many people." The analysis team interpreted this to mean insiders (staff members). Figure 6-12 shows the threat properties for the areas of concern from Figure 6-11.

Figure 6-12. Threat Properties for Areas of Concern

Once you have identified the threat properties for each area of concern, you can easily map the threat properties to the generic threat profile. Figure 6-13 shows the asset-based threat tree for human actors using network access, including the mapping of the properties from Figure 6-12. The numbers in parentheses on Figure 6-13 refer to the areas of concern. Note that a solid line in Figure 6-13 indicates the existence of a threat, while a dashed line indicates no threat to the asset. Also note that an area of concern could be mapped to multiple branches.

Figure 6-13. Threat Tree After Mapping Areas of Concern

This completes the mapping process. However, your task of identifying threats is not finished. You must now perform a gap analysis of the remaining (unmarked) threats on the profile to determine if any of them affect the critical asset.

Step 2: Perform a Gap Analysis

During this step you must remember that the areas of concern were elicited during the knowledge elicitation workshops. It is unlikely that all threats for an asset will be elicited during those workshops. Your job during this step is to determine what other threats could affect your organization's critical assets. Consider the following questions:
When discussing the questions, remember to consider all remaining branches for each threat tree. When you reach a decision, mark each additional more-than-negligible threat on the appropriate asset-based threat tree.

Always remember to record relevant contextual information on the threat profile. This information elaborates on the information represented by the trees. If a branch of the human actors using network access tree indicates an outside threat actor, you might want to add contextual notes to supplement the areas of concern. For example, if the threat refers specifically to threats from corporate spies, make sure that you add a note indicating this.

In some cases you might find that an area of concern contains a threat actor not in the generic threat profile. This is especially true in the systems problems and other problems threat categories. These categories might contain threats that are unique to a system or to your environment, or new threats that haven't been added to the generic threat profile. Since these unique threats might not easily map to the threat actors in the generic threat profile, you must add them to threat profiles for the affected critical assets. Depending on the nature of the threat actor identified from an area of concern, you might decide to add it to the generic threat profile.

The analysis team at MedSite performed a gap analysis on the PIDS threat profile. During the analysis the team members decided that if insiders could deliberately disclose and modify PIDS information, they could also destroy or deny access to the information. The team then identified other threats to the PIDS information. In fact, the analysis team felt that all threats except accidental actions by outsiders were applicable to the information on PIDS. They felt that PIDS was too difficult to access by accident. Only a determined outsider would be able to get in. Figure 6-14 shows the asset-based threat tree for human actors using network access after the gap analysis. The team used the same process for the other categories of threats, yielding a threat profile for the critical asset. (Appendix A presents the entire threat profile for PIDS.)

Figure 6-14. Threat Tree After Gap Analysis

In addition, the team noticed that some of the areas of concern contained threat actors not in the generic threat profile. Team members extended the threat profile for the affected critical assets to include those threat actors. Figure 6-15 shows the asset-based threat tree for the category of other problems for PIDS. A comparison of that tree with the generic tree in Figure 6-4 shows that the team modified the tree in the following ways:
Figure 6-15. Other Problems Threat Tree for PIDS

Step 3: Check Threat Profiles for Consistency and Completeness

After you have created a threat profile for each critical asset, look at the outcomes across the threat profile. Compare the outcomes with the security requirements to check for consistency and completeness. When comparing threat trees and security requirements, you must understand the relationships among the outcomes and the security requirements, as shown in Table 6-4.
For example, if you have a security requirement for confidentiality but no threats with disclosure as an outcome, you need to interpret the meaning of this situation. Consider the following possibilities:
Threat Profiles and Asset Categories

You should note that the category of asset dictates which threat categories you should consider for a critical asset. Complete the threat trees for these categories, using the following information as a guide:
Looking Across Critical Assets

You should also consider checking for consistency across critical assets. For example, the analysis team at MedSite identified three systems assets as being critical (PIDS, ECDS, and personal computers). When mapping areas of concern to the PIDS threat profile, team members identified two unique threat actors for PIDS (lack of control over hardware and software and lack of trained maintenance personnel). As a consistency check, the team examined the threat profiles for ECDS and personal computers to see if either of the unique threat actors for PIDS affects those systems as well.

This completes our presentation of process 4. Chapter 7 looks at process 5, in which you identify the key components of your organization's computing infrastructure. These components are used to store, transmit, and process your organization's critical information, and they are evaluated for technological weaknesses during phase 2 of the OCTAVE Method.
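
Steps 1 and 2 for the human actors using network access tree, worked through in Python as an added example that is not part of the original text. It maps only the first PIDS area of concern, the one the text describes in full, and then applies the MedSite gap-analysis decision; the function names and the outcome labels are assumptions chosen for this sketch.

```python
from itertools import product

# Branch dimensions of the asset-based threat tree for the category
# "human actors using network access". Outcome labels are constructed
# shorthand for the outcomes the text names (disclose, modify, destroy,
# deny access).
ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
OUTCOMES = ("disclosure", "modification", "destruction", "interruption")


def generic_tree():
    """Every branch of the generic tree, initially unmarked (dashed)."""
    return {branch: set() for branch in product(ACTORS, MOTIVES, OUTCOMES)}


def map_concern(tree, concern_id, actors, motives, outcomes):
    """Step 1: mark each branch an area of concern touches.

    One concern may map to several branches, so each property is a list.
    """
    for branch in product(actors, motives, outcomes):
        if branch not in tree:
            raise ValueError(f"not in generic profile: {branch}")
        tree[branch].add(concern_id)


def gap(tree):
    """Step 2 input: branches no area of concern covered, in tree order."""
    return [b for b, sources in tree.items() if not sources]


def pids_example():
    tree = generic_tree()
    # First PIDS area of concern from the text: staff (insiders) entering
    # data incorrectly by accident over the network.
    map_concern(tree, 1, ["inside"], ["accidental"], ["modification"])
    unmarked_after_mapping = gap(tree)
    # Gap-analysis decision reported for PIDS: every remaining threat
    # applies except accidental actions by outsiders.
    for actor, motive, outcome in unmarked_after_mapping:
        if not (actor == "outside" and motive == "accidental"):
            tree[(actor, motive, outcome)].add("gap analysis")
    return tree, unmarked_after_mapping


if __name__ == "__main__":
    tree, unmarked = pids_example()
    print(f"{len(unmarked)} branches left for gap analysis after Step 1")
    for branch, sources in tree.items():
        line = "solid " if sources else "dashed"
        print(line, *branch, sorted(map(str, sources)))
```

Recording the source of each mark keeps the contextual information the text asks for: a branch marked only by "gap analysis" came from the team's judgment, not from an elicited area of concern.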