Page 1: New versus old asset/threat models

May 15, 2007 IEEE P2600 1

New versus old asset/threat models

Brian Smithson, Ricoh Americas Corporation

Page 2: New versus old asset/threat models


What are our choices?

1. Adapt the old asset/threat model to the new FPP organization
   a) P2600 std would need some rework because of the decision to use some OSPs, fixing some poorly defined assets and threats, filling some holes, and dividing up some threats that cross FPP TOE boundaries.
   b) FPP would require major rework – models, assets, threats, and objectives

2. Apply the new asset/threat model to the P2600 std.
   a) P2600 std would require major rework – aligning asset definitions, replacing threats, dealing with threats that are outside of the PP scope, adjusting or discarding “vector” descriptions, rationalizing “risk ratings” (or adopting the “informal security requirements” approach), and aligning mitigation strategies
   b) FPP for OpEnv A is nearly done; would still need to agree on informal security requirements for B, C, D and then derive FPPs

3. Decouple the P2600 and FPP and use different models
   I think this is a very bad idea, but we could do it

Page 3: New versus old asset/threat models


New/old model pros/cons

New model pros:
- Generic data-oriented model
- Symmetrical threats
- Consistent, traceable nomenclature
- Divisible by function

New model cons:
- Abstract and unfamiliar; may require some worked examples for understanding
- Major rework to P2600

Old model pros:
- Great deal of investment
- Captures practical experience
- Good fit with P2600 “best practices” and “mitigation techniques”
- Threat vector model is useful

Old model cons:
- Originated with anecdotal threats, then was made to fit a model; may limit scope or imply implementation
- Assumes asset valuation on behalf of others; not credible
- Some inconsistencies between asset, threat, objective definitions
- Functional crossover; requires major rework to FPP and some rework to P2600

Page 4: New versus old asset/threat models


Comparing the old and new PPs

New (27a) versus Old (24b) PP

Assets:
- 27a does not have an asset for resident digital components

Threats:
- No equivalent for T.EA.DOS
- T.DOC.STORED.DIS does not cover user docs that are not deleted (i.e. it does not yet have an O.PROTECT)
- P.COMMS.NO_BRIDGE does not cover access to internal data or firmware

Objectives:
- No O.GENIUNE
- No OE.NET_MANAGE
- No O.PROTECT (yet?)

Old (24b) versus New (27a) PP

Assets:
- 24b mgmt data doesn’t distinguish secrets from non-secrets

Threats:
- T.UD.ACC threats poorly defined

Objectives:
- No OE to require support for secure communications
- I&A/ACCESS cover all assets, not just IT-controlled assets
- O.NETWORK specifies confidentiality of disclosable data
- FAXONLY only covers fax, not other bridgable interfaces
- OE.TRAIN assumes same training for users as for administrators

http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-pp24-compare-27a.xls (note that there are three tabs)
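The gap types listed on this slide (a threat in one draft with no equivalent in the other, a threat that no objective counters, an objective that counters nothing) are exactly what a Common Criteria rationale table has to rule out, and they are easy to miss when the two drafts use different nomenclature. The script below is an added example, not part of the presentation, the spreadsheet linked above, or either PP draft. It checks traceability over two abbreviated models and a hand-written old-to-new threat mapping. The threat identifiers T.UD.ACC, T.EA.DOS, T.DOC.STORED.DIS and T.DOC.INPUT.DIS are the slide's; every asset name, objective name, counter relation and the 24b-to-27a equivalence are assumptions constructed for the example.

```python
"""Traceability checks for two protection-profile security problem definitions.

Given abbreviated asset/threat/objective models for two PP drafts and a
mapping between their threat names, report the gap types the slide lists:
threats with no equivalent in the other draft, threats no objective
counters, objectives that counter nothing, and references to undeclared
assets or objectives.
"""
from dataclasses import dataclass, field


@dataclass
class ProfileModel:
    name: str
    assets: set[str]
    threats: dict[str, str]                       # threat id -> asset it targets
    objectives: set[str]
    counters: dict[str, set[str]] = field(default_factory=dict)  # threat id -> countering objectives


def uncountered_threats(pp: ProfileModel) -> list[str]:
    """Threats with no countering objective; a CC rationale table would fail here."""
    return sorted(t for t in pp.threats if not pp.counters.get(t))


def idle_objectives(pp: ProfileModel) -> list[str]:
    """Objectives that counter no threat: dead weight or a missing trace."""
    used = set().union(*pp.counters.values()) if pp.counters else set()
    return sorted(pp.objectives - used)


def dangling_references(pp: ProfileModel) -> list[str]:
    """Threats on undeclared assets, and counters naming undeclared objectives."""
    bad = [t for t, asset in pp.threats.items() if asset not in pp.assets]
    bad += [f"{t}->{o}" for t, objs in pp.counters.items()
            for o in objs if o not in pp.objectives]
    return sorted(bad)


def invert(equivalence: dict[str, set[str]]) -> dict[str, set[str]]:
    """Turn an old->new threat mapping into new->old."""
    out: dict[str, set[str]] = {}
    for src, dsts in equivalence.items():
        for dst in dsts:
            out.setdefault(dst, set()).add(src)
    return out


def unmapped_threats(src: ProfileModel, dst: ProfileModel,
                     equivalence: dict[str, set[str]]) -> list[str]:
    """Threats of src with no equivalent among dst's threats under the mapping."""
    return sorted(t for t in src.threats
                  if not (equivalence.get(t, set()) & set(dst.threats)))


def compare(old: ProfileModel, new: ProfileModel,
            old_to_new: dict[str, set[str]]) -> dict[str, list[str]]:
    """All findings in one dict, keyed the way the slide groups its bullets."""
    return {
        f"{old.name} threats with no {new.name} equivalent": unmapped_threats(old, new, old_to_new),
        f"{new.name} threats with no {old.name} equivalent": unmapped_threats(new, old, invert(old_to_new)),
        f"{new.name} uncountered threats": uncountered_threats(new),
        f"{new.name} idle objectives": idle_objectives(new),
        f"{new.name} dangling references": dangling_references(new),
    }


# Constructed, heavily abbreviated models. The threat identifiers T.UD.ACC,
# T.EA.DOS, T.DOC.STORED.DIS and T.DOC.INPUT.DIS are taken from the slides;
# every asset name, objective name, counter relation and the 24b->27a
# equivalence below is an assumption made up for this example.
OLD_24B = ProfileModel(
    name="24b",
    assets={"A.USERDOC", "A.MGMTDATA", "A.COMPONENTS"},
    threats={"T.UD.ACC": "A.USERDOC", "T.EA.DOS": "A.COMPONENTS"},
    objectives={"O.ACCESS", "O.PROTECT", "O.DOS_RESIST"},
    counters={"T.UD.ACC": {"O.ACCESS", "O.PROTECT"}, "T.EA.DOS": {"O.DOS_RESIST"}},
)
NEW_27A = ProfileModel(
    name="27a",
    assets={"D.DOC", "D.SECRET", "D.NONSECRET"},
    threats={"T.DOC.STORED.DIS": "D.DOC", "T.DOC.INPUT.DIS": "D.DOC"},
    objectives={"O.DOC.NO_DIS", "O.AUDIT"},
    counters={"T.DOC.STORED.DIS": {"O.DOC.NO_DIS"}},
)
EQUIV_24B_TO_27A = {"T.UD.ACC": {"T.DOC.STORED.DIS"}}

if __name__ == "__main__":
    for finding, items in compare(OLD_24B, NEW_27A, EQUIV_24B_TO_27A).items():
        print(f"{finding}: {items or 'none'}")
```

With the constructed data the report reproduces two of the slide's own observations: T.EA.DOS has no 27a equivalent, and T.DOC.INPUT.DIS is present in 27a but countered by nothing. The equivalence mapping is the part that has to be written by hand; it is where the "consistent, traceable nomenclature" argument for the new model pays off, since a mapping between two naming schemes is easier to review than one between anecdotal threat names.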

Page 5: New versus old asset/threat models


Possible mapping of non-PP threats to new model

Old threat -> proposed new-model threat

T.DOS.NET.CONNECT, T.DOS.NET.CRAFT, T.DOS.NET.FLOOD, T.DOS.PRT.CRASH, T.DOS.PRT.DELETE, T.DOS.PRT.CHANNEL, T.DOS.PRT.PRIORTY, T.DOS.FAX.HOOK, T.DOS.FAX.LOOP, T.DOS.FAX.TRAIN, T.DOS.FAX.VOLUME, T.DOS.PHY.ALTER, T.DOS.PHY.INTERFERE -> T.DOS.<service>.<attack>
T.RESOURCE.SUPPLIES -> T.CONSUMMABLES.THEFT
T.RESOURCE.EXHAUST -> T.CONSUMMABLES.EXHAUST
T.UD.PHY.INPUT -> T.DOC.INPUT.DIS (in PP but ignored)
T.UD.PHY.CAMERA -> Needs redefinition anyway
T.UD.PHY.EM -> T.DOC.EM.DIS?
T.UD.ANALYZE -> T.DOC.STORED.ANALYZE?
T.TSF.SALVAGE -> T.SEC.STORED.ANALYZE?
T.EA.DOS -> Why not call this another T.DOS?

See http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-p2600-compare-27a.xls

Page 6: New versus old asset/threat models


Possible way to retain practical knowledge of old model but use new model

- Apply new model to P2600
- Use the threat vector model to show practical examples of threats
- Threat vector examples flow nicely into best practices and mitigation techniques
- Abstract threats are (appropriately) dealt with in the FPP