May 15, 2007 IEEE P2600 1
New versus old asset/threat models
Brian Smithson, Ricoh Americas Corporation
What are our choices?

1. Adapt the old asset/threat model to the new FPP organization
   a) P2600 std would need some rework because of the decision to use some OSPs, fixing some poorly defined assets and threats, filling some holes, and dividing up some threats that cross FPP TOE boundaries.
   b) FPP would require major rework – models, assets, threats, and objectives

2. Apply the new asset/threat model to the P2600 std.
   a) P2600 std would require major rework – aligning asset definitions, replacing threats, dealing with threats that are outside of the PP scope, adjusting or discarding “vector” descriptions, rationalizing “risk ratings” (or adopting the “informal security requirements” approach), and aligning mitigation strategies
   b) FPP for OpEnv A is nearly done; would still need to agree on informal security requirements for B, C, D and then derive FPPs

3. Decouple the P2600 and FPP and use different models
   I think this is a very bad idea, but we could do it
New/old model pros/cons

New model pro
- Generic data-oriented model
- Symmetrical threats
- Consistent, traceable nomenclature
- Divisible by function

New model con
- Abstract and unfamiliar; may require some worked examples for understanding
- Major rework to P2600

Old model pro
- Great deal of investment
- Captures practical experience
- Good fit with P2600 “best practices” and “mitigation techniques”
- Threat vector model is useful

Old model con
- Originated with anecdotal threats, then was made to fit a model; may limit scope or imply implementation
- Assumes asset valuation on behalf of others; not credible
- Some inconsistencies between asset, threat, and objective definitions
- Functional crossover; requires major rework to FPP and some rework to P2600
Comparing the old and new PPs

New (27a) versus Old (24b) PP
- Assets: 27a does not have an asset for resident digital components
- Threats: has no equivalent for T.EA.DOS; T.DOC.STORED.DIS does not cover user docs that are not deleted (i.e. it does not yet have an O.PROTECT); P.COMMS.NO_BRIDGE does not cover access to internal data or firmware
- Objectives: no O.GENIUNE; no OE.NET_MANAGE; no O.PROTECT (yet?)

Old (24b) versus New (27a) PP
- Assets: 24b mgmt data doesn’t distinguish secrets from non-secrets
- Threats: T.UD.ACC threats poorly defined
- Objectives: no OE to require support for secure communications; I&A/ACCESS cover all assets, not just IT-controlled assets; O.NETWORK specifies confidentiality of disclosable data; FAXONLY only covers fax, not other bridgeable interfaces; OE.TRAIN assumes the same training for users as for administrators

See http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-pp24-compare-27a.xls (note that there are three tabs)
Possible mapping of non-PP threats to new model

Old (non-PP) threat -> possible new-model equivalent
- T.DOS.NET.CONNECT, T.DOS.NET.CRAFT, T.DOS.NET.FLOOD, T.DOS.PRT.CRASH, T.DOS.PRT.DELETE, T.DOS.PRT.CHANNEL, T.DOS.PRT.PRIORTY, T.DOS.FAX.HOOK, T.DOS.FAX.LOOP, T.DOS.FAX.TRAIN, T.DOS.FAX.VOLUME, T.DOS.PHY.ALTER, T.DOS.PHY.INTERFERE -> T.DOS.<service>.<attack>
- T.RESOURCE.SUPPLIES -> T.CONSUMMABLES.THEFT
- T.RESOURCE.EXHAUST -> T.CONSUMMABLES.EXHAUST
- T.UD.PHY.INPUT -> T.DOC.INPUT.DIS (in PP but ignored)
- T.UD.PHY.CAMERA -> needs redefinition anyway
- T.UD.PHY.EM -> T.DOC.EM.DIS?
- T.UD.ANALYZE -> T.DOC.STORED.ANALYZE?
- T.TSF.SALVAGE -> T.SEC.STORED.ANALYZE?
- T.EA.DOS -> why not call this another T.DOS?

See http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-p2600-compare-27a.xls
Possible way to retain practical knowledge of old model but use new model

- Apply new model to P2600
- Use the threat vector model to show practical examples of threats
- Threat vector examples flow nicely into best practices and mitigation techniques
- Abstract threats are (appropriately) dealt with in the FPP