of a hurricane within proximity of an organizational asset. A kinetic threat poses a real imminent risk. An incident is when the kinetic threat actually affects the organizational assets, that is, the hurricane rips the roof off the data center.

A risk assessment looks at both the asset space and the threat space. Knowledge of high-probability threats is valuable input to the decision-making process for assigning risk probabilities to assets. An asset vulnerability with a high threat probability is a higher priority for remediation than an asset vulnerability with no known or no expected threat.
13.4.2 IA² Threat Taxonomy
An information assurance (IA) taxonomy categorizes incidents by connecting threat agents to consequences through vulnerabilities.
Howard and Meunier's Common Language describes a lexicon and taxonomy for computer-related crime. The common language (CL) taxonomy is: an attacker uses a tool to exploit a vulnerability to perform some action on a target to achieve an unauthorized result. The CL categories are attacker, tool, vulnerability, action, target, and unauthorized result. Each CL category has many examples: attackers (hackers, spies, terrorists, insiders, competition, etc.); tool (hacker toolkit, physical attack, malware, etc.); vulnerability (design, configuration, implementation, etc.); action (probe, scan, spoof, etc.); target (account, process, system, data, etc.); unauthorized result (increased access, denial of service, theft, etc.). The CL taxonomy covers only malicious incidents, and though very useful, it is limited in scope. Malice implies intent that in turn implies human involvement—some volition; hence, CL is limited to computer crime. However, IA requires a broader lexicon and taxonomy.
A broader IA taxonomy is the IA² threat taxonomy, which reads: a threat agent, either unaccompanied or through use of a tool, exploits a vulnerability to perform some action against an asset, achieving some undesired result. Table 13.3 provides threat taxonomy examples. Using the threat taxonomy, you can read the first line in the table as “a hacker using a password cracker exploits the use of simple (noncomplex) passwords to gain unrestricted access to the R&D server, resulting in disclosure and loss of proprietary data.” You can read the second line in the table as “a hurricane exploits poor roof construction, causing flooding in the data center, resulting in loss of all computing equipment.”
The IA² threat taxonomy provides a method to describe the relationship between threat agents and vulnerabilities. This relationship is the intersection between the threat space and the asset space.
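As an added illustration (not code from the book), the IA² taxonomy rows above can be kept as structured records so that each row can be read back as the sentence form the text gives and ranked for remediation the way the risk-assessment paragraph describes: higher threat probability first, and a vulnerability with no known or expected threat last. The probability and impact figures are constructed for the example and are not from Table 13.3.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ThreatRecord:
    """One row of an IA² threat taxonomy table; field names follow the taxonomy."""
    threat_agent: str
    tool: Optional[str]         # None when the agent acts unaccompanied (e.g. a hurricane)
    vulnerability: str
    action: str
    asset: str
    undesired_result: str
    threat_probability: float   # assumed likelihood of the threat, 0..1 (constructed)
    impact: float               # assumed relative impact on the asset, 0..1 (constructed)

    def describe(self) -> str:
        """Read the row aloud the way the text reads the lines of Table 13.3."""
        agent = self.threat_agent if self.tool is None else f"{self.threat_agent} using {self.tool}"
        return (f"{agent} exploits {self.vulnerability} to {self.action} "
                f"{self.asset}, resulting in {self.undesired_result}")

    def risk_score(self) -> float:
        """Threat probability weighted by impact; 0 when no threat is known or expected."""
        return self.threat_probability * self.impact


def prioritize(records: List[ThreatRecord]) -> List[ThreatRecord]:
    """Order asset vulnerabilities for remediation, highest risk score first."""
    return sorted(records, key=lambda r: r.risk_score(), reverse=True)


# Constructed sample rows modelled on the two readings given in the text, plus one
# vulnerability with no known or expected threat (probability 0).
SAMPLE_ROWS = [
    ThreatRecord("a hacker", "a password cracker", "the use of simple (noncomplex) passwords",
                 "gain unrestricted access to", "the R&D server",
                 "disclosure and loss of proprietary data", 0.6, 0.8),
    ThreatRecord("a hurricane", None, "poor roof construction", "cause flooding in",
                 "the data center", "loss of all computing equipment", 0.05, 1.0),
    ThreatRecord("an insider", None, "unreviewed access logs", "copy",
                 "the customer database", "theft of customer data", 0.0, 0.9),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ROWS):
        print(f"{row.risk_score():.2f}  {row.describe()}")
```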
13.5 Expanding on the Adversary Threat Space
Adversaries have intelligence and intent and pose significant risk to the organization. Naturally occurring conditions are largely predictable; if not the actual