Monday, March 5, 2018

Threat Analysis and Risk Assessment Steps


Terms:

  1. Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
  2. Threat: A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm. A threat is a possible danger that might exploit a vulnerability.
  3. Attack: An assault on system security that derives from an intelligent threat to evade security services and violate the security policy of a system.


Threat Analysis Process:

1. Threat Modelling (Design centric)
2. Exploit the vulnerabilities related to threats using an attacker model

Example: Electronic lock in a hotel

  1. Define sub-Components: lock can be opened by Guest card, Master key
  2. Define security Objectives
    1. Allow guest access to the room
    2. Allow service personnel access
    3. Prevent unauthorized access
    4. Every entry should be logged
  3. Define Work-flow 
    1. Guest is given card and uses it to open or lock the door
  4. Trust Boundaries 
    1. Central encoder in a secure location
    2. Card
    3. Interface between lock and lock encoder
  5. Security Controls:
    1. Central encoder is accessible to hotel staff
    2. Lock encoder is physically hard to modify
    3. Card data is encrypted
  6. Assets Targeted by the Attacker
    1. Encoding master keys
    2. Card itself
    3. Lock programmer
    4. Lock encoder
  7. Threats
    1. Integrity:
      1. Someone steals guest card
      2. Sneaks into room when door is open
      3. Changing the audit log by physical access
      4. Break lock
    2. Confidentiality:
      1. Exposure of audit log by physically accessing the log
    3. Availability:
      1. Central encoder is out of order, no way to unlock
      2. Power to the lock is lost and no way to open
  8. Vulnerabilities
    1. Accessing encryption keys in lock programmer
    2. Crypto algorithm/key-size weakness
    3. Guest card easy to copy
    4. Lock Physical strength weakness

Threat Quantification:


| Threat | Threat consequence | Probability of threat | Damage of threat | Attacker level |
|---|---|---|---|---|
| Steal card | Unauthorized access | Medium | Medium | Loner |
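
A sketch of how the quantification table can be turned into a ranked risk register for the hotel lock, added here as an example and not part of the original post. Only the "Steal card" ratings come from the table above; the other ratings, the probability x damage scoring, the Low/Medium/High banding and the threat-to-control mapping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}  # ordinal scale (assumed)

@dataclass
class Threat:
    name: str
    category: str      # Integrity / Confidentiality / Availability
    probability: str
    damage: str
    attacker: str
    controls: list = field(default_factory=list)  # mitigating controls

def risk_score(t):
    """Probability x damage on the 1-3 scale (assumed scoring rule)."""
    for rating in (t.probability, t.damage):
        if rating not in LEVELS:
            raise ValueError(f"unknown rating {rating!r} for {t.name!r}")
    return LEVELS[t.probability] * LEVELS[t.damage]

def risk_band(score):
    """Assumed banding: 1-2 Low, 3-4 Medium, 6-9 High."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def assess(register):
    """Rank threats by score and flag those with no control mapped."""
    rows = [{"threat": t.name, "score": risk_score(t),
             "band": risk_band(risk_score(t)), "gap": not t.controls}
            for t in register]
    return sorted(rows, key=lambda r: (-r["score"], r["threat"]))

# Constructed register: only the "Steal card" ratings are from the post.
REGISTER = [
    Threat("Steal card", "Integrity", "Medium", "Medium", "Loner"),
    Threat("Change audit log by physical access", "Integrity", "Low", "High",
           "Insider", ["Lock encoder is physically hard to modify"]),
    Threat("Expose audit log", "Confidentiality", "Low", "Medium", "Insider"),
    Threat("Power to the lock is lost", "Availability", "Medium", "High", "n/a"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        flag = "  <- no control mapped" if row["gap"] else ""
        print(f'{row["score"]} {row["band"]:<6} {row["threat"]}{flag}')
```

Rows flagged as having no control mapped are the candidates to carry forward into the analysis of acceptable risks.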


Risk Assessment Steps:

1. Define Scope

Identify what is covered and what is not covered
Agreement with senior management

2. Data Collection

Understand the policies and procedures currently in place. Interview key personnel, and check documentation, system and service information:
  • Services running
  • Network applications running
  • Physical location of systems
  • Access control permissions
  • Firewall testing


Gather information about specific systems and services:
  •   Security Focus (www.securityfocus.com) - searchable databases of vulnerabilities and relevant news groups.
  •   Incidents.org (www.incidents.org) - information on current threat activities.
  •   Packet Storm (packetstormsecurity.org)
  •   InfoSysSec (www.infosyssec.com)
  •   SANS (www.sans.org)


3. Analysis of Policies and Procedures

Review and analyze existing policies and procedures and gauge the compliance level within the organization.
Example:

  •   ISO 17799
  •   BSI 7799
  •   Common Criteria - ISO 15504


4. Vulnerability Analysis

Test the systems for current exposure and safeguards in terms of confidentiality, integrity and availability. Various tools can be used to identify vulnerabilities in the systems:
  •   Whisker
  •   Portscan
  •   IBM AppScan
  •   Parfait - static analysis tool
  •   Findbugs

Tests include penetration testing and zero-knowledge testing performed by external parties.
Rate the threats by severity and exposure:

  •   Severity - Minor, Moderate, High
  •   Exposure - Minor, Moderate, High


5. Threat Analysis

Threat agents are divided into human (hackers, theft, current or former employees, service personnel) and non-human (floods, lightning, plumbing, viruses).


6. Analysis of Acceptable Risks

Assess whether existing policies, procedures and protection items are adequate. Document and inform senior management.

References: 

  1. https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
  2. https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
