threat profiling for cyber security and information security programs

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Created by; Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor

Posted on 28-Nov-2014

Page 2

Threats can come from anywhere: internally or externally, from employees, contractors, partners, service providers, the cloud, robots, and even nature.

Page 3

Diagram: Threat Agents, grouped as Human, Non-Human and Acts of Nature, each either Deliberate or Accidental.

Threats can come from anywhere, but generally fall under three categories: Human, Non-human, and Nature. Threats can also be deliberate or accidental.

Page 4

Threat Profiling should always begin by understanding the organization's assets. I generally group these assets into six categories: people, information, software, hardware, telecommunications and facilities. Threat Profiling needs to quantify assets, attack vectors (such as physical access), threat sources/actors, motivation and potential impacts.

Page 5

Threat profiling needs to quantify the goals and outcomes of a threat against organizational assets in order to understand the potential attack vectors and counter them.

Page 6

Threat profiling helps the organization to prepare by planning, training and developing risk mitigating strategies, including countermeasures, to prevent successful attacks that would negatively impact the organization.

Page 7

Threat Description: Description of the threat or vulnerability, including details as described within the Security Management System and its asset inventory. Threats are assessed against five distinct criteria to determine "is it a real threat?", these being:

• Knowledge/Intelligence: What knowledge does the threat agent have about the target?

• Skill: What skills are required to exploit the matching vulnerability?

• Resource: How many individuals need to be involved in the exploit?

• Capability: Does the threat agent have access to the people and/or technology needed to be successful?

• Motive: What rationale would drive the exploitation?

Asset at Risk: Data, information or knowledge in digital or hardcopy form, intellectual property, intellectual capital, software, and hardware that holds value to the organization (information in electronic or physical form, information systems, a group of people with unique expertise).

Attack Vector: Whoever or whatever has the ability to circumvent the security perimeter will also be contingent upon the channels that are available and the strength of each security layer. Threat agents can leverage attack vectors from inside or outside the organization.

Page 8

Threat Description: On April 7, 2014, it was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series before 1.0.1g, had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.

Asset(s) at Risk: 64 kilobytes of information traversing telecommunication lines or wireless.

Attack Vector: TCP/IP or OSI - Transport Layer Security (TLS).

Threat Source: Human, Non-human, Nature.

Existing Risk Mitigating Controls:

Threat/Risk Rating:

Page 9

The assessment and quantification of threats is used to determine a risk rating for the organization. In the example below we used a simple yet effective three-level rating scale (high, medium and low) to assess five key elements associated with threats.

The assessment of this threat was rated at 67%. The threat rating can be used in conjunction with a pre-established, management-approved risk appetite to determine whether immediate corrective action should be taken or whether the threat can be prioritized for follow-up preventive action at a later date.

Page 10

Attack Vector: Whoever or whatever has the ability to circumvent the security perimeter will also be contingent upon the vulnerabilities that are available, in addition to the strength of each security layer. Threat agents can leverage attack vectors from inside or outside the organization. The attack vector may be contingent on how effectively we manage vulnerabilities, which can be assessed based on the following criteria:

Consequence:

a) Lost Confidentiality: Will exploitation of this vulnerability result in the disclosure of sensitive or classified data, information or knowledge to unauthorized persons?

b) Lost Availability: Will exploitation of this vulnerability result in the inability to access data, information or knowledge?

c) Lost Integrity: Will exploitation of this vulnerability result in the corruption or destruction of data, information or knowledge?

Impact:

a) Severity: Will exploitation of this vulnerability result in legal action, unplanned expenses, financial losses or damage to the organization's reputation?

b) Exposure: May exploitation of this vulnerability exceed current insurance coverage or the risk mitigating controls managed by our security program?

Page 11

This step of the threat profile assessment is used to determine a vulnerability rating that will be combined with the threat rating. In the example below we use a simple yet effective three-level rating scale (high, medium and low) to assess five key elements which contribute to every vulnerability.

This example has assessed the organization's vulnerability at 67%. The vulnerability rating is combined with the threat rating and control effectiveness to determine whether immediate corrective action should be taken or whether the vulnerability can be remediated and prioritized as a preventive action to be completed at a later date.

Page 12

Existing Control Effectiveness is crucial to ensuring that unnecessary controls are not imposed, which would negatively affect the organization's agility and resilience and drive up operational costs and unplanned expenses. There are literally thousands of threats to most organizations. Organizations with higher-value assets carry higher risks. Most organizations have already invested time and effort in the adoption and design of risk mitigating controls, and that investment needs to be leveraged. The scale for assessing these controls is based on a proven capability and maturity model. Evidence may also be gathered from previous assessments and testing of these controls to further refine the threat profiling process.

• Fully matured, level 5 = business process documented, improved, and reported on to Executive or BoD.

• Implemented and managed, level 4 = business process documented and reported on to Executive or BoD.

• Implemented, level 3 = business process documented only.

• Partly implemented, level 2 = business process documented only.

• Non-existent, level 1 = business process executed through tacit knowledge, otherwise known as tribal knowledge.
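The rating steps on Pages 9, 11 and 12 (five threat criteria from Page 7 and five vulnerability criteria from Page 10 rated high/medium/low, each reported as a percentage, then combined with control maturity and compared against the approved risk appetite) are easy to get wrong when done by hand in a spreadsheet. The following is an added example, not the deck's own tool or the author's spreadsheet, that carries the whole sequence through in Python. The numeric mapping high=3, medium=2, low=1 with percentage = score / maximum, the linear maturity-to-effectiveness map, and the residual-risk formula are assumptions made here; the deck only states the scales and the 67% results. The sample ratings are constructed so that both scores reproduce the deck's 67% figures.

```python
"""Threat-profile scoring (added example; scoring formulas are assumptions)."""

LEVEL_SCORE = {"high": 3, "medium": 2, "low": 1}

# Five threat criteria from Page 7 and five vulnerability criteria from Page 10.
THREAT_CRITERIA = ("knowledge", "skill", "resource", "capability", "motive")
VULN_CRITERIA = ("confidentiality", "availability", "integrity", "severity", "exposure")

# Control maturity levels from Page 12 (1 = non-existent .. 5 = fully matured).
MATURITY = {
    1: "Non-existent",
    2: "Partly implemented",
    3: "Implemented",
    4: "Implemented and managed",
    5: "Fully matured",
}


def rate(ratings, criteria):
    """Percentage score for a set of high/medium/low ratings.

    Every criterion must be rated; 'high' means the criterion weighs fully
    against the organization (assumed scoring direction).
    """
    missing = [c for c in criteria if c not in ratings]
    if missing:
        raise ValueError(f"unrated criteria: {missing}")
    unknown = [c for c in criteria if ratings[c].lower() not in LEVEL_SCORE]
    if unknown:
        raise ValueError(f"ratings must be high/medium/low: {unknown}")
    score = sum(LEVEL_SCORE[ratings[c].lower()] for c in criteria)
    return round(100 * score / (LEVEL_SCORE["high"] * len(criteria)))


def control_effectiveness(level):
    """Map a maturity level 1..5 to 0..100% effectiveness (assumed linear)."""
    if level not in MATURITY:
        raise ValueError(f"maturity level must be 1..5, got {level!r}")
    return round(100 * (level - 1) / (len(MATURITY) - 1))


def residual_risk(threat_pct, vuln_pct, effectiveness_pct):
    """Assumed combination: inherent risk = threat x vulnerability, then
    reduced in proportion to how effective the existing controls are."""
    inherent = threat_pct * vuln_pct / 100
    return round(inherent * (1 - effectiveness_pct / 100))


def decide(residual_pct, risk_appetite_pct):
    """Compare residual risk with the management-approved appetite (Pages 9 and 11)."""
    if residual_pct > risk_appetite_pct:
        return "immediate corrective action"
    return "prioritize as preventive action for later remediation"


def profile(threat_ratings, vuln_ratings, maturity_level, risk_appetite_pct):
    """Run the Page 9 -> Page 12 sequence and return the filled-in ratings."""
    threat = rate(threat_ratings, THREAT_CRITERIA)
    vuln = rate(vuln_ratings, VULN_CRITERIA)
    effectiveness = control_effectiveness(maturity_level)
    residual = residual_risk(threat, vuln, effectiveness)
    return {
        "threat_rating": threat,
        "vulnerability_rating": vuln,
        "control_maturity": MATURITY[maturity_level],
        "control_effectiveness": effectiveness,
        "residual_risk": residual,
        "decision": decide(residual, risk_appetite_pct),
    }


# Constructed sample ratings (not taken from the deck), chosen so that both
# scores come out at the 67% the deck reports for its worked example.
SAMPLE_THREAT = {
    "knowledge": "high", "skill": "medium", "resource": "low",
    "capability": "high", "motive": "low",
}
SAMPLE_VULN = {
    "confidentiality": "high", "availability": "low", "integrity": "low",
    "severity": "high", "exposure": "medium",
}

if __name__ == "__main__":
    # Level 4 controls ("Implemented and managed"), 10% risk appetite (assumed).
    for key, value in profile(SAMPLE_THREAT, SAMPLE_VULN, 4, 10).items():
        print(f"{key:>22}: {value}")
```

With these inputs both ratings come out at 67%, level 4 controls map to 75% effectiveness, and the residual risk rounds to 11%; against a 10% appetite that falls on the "immediate corrective action" side, while a 15% appetite would defer it to a prioritized preventive action. Any incomplete or misspelled rating raises rather than silently scoring as zero, which matters when the result feeds a management decision.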


Page 14

Threat Description: On April 7, 2014, it was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series before 1.0.1g, had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.

Asset(s) at Risk: 64 kilobytes of information traversing telecommunication lines or wireless.

Attack Vector: TCP/IP or OSI - Transport Layer Security (TLS).

Threat Source: Human, Non-human, Nature.

Existing Risk Mitigating Controls: Implemented and managed, level 4.

Threat/Risk Rating:

Page 15

Skype: Mark_E_S_Bernard

Twitter: @Security_KM

LinkedIn: http://ca.linkedin.com/in/markesbernard