DETERMINING THREATS, VULNERABILITIES, AND THREAT SCENARIOS
Overview
• Threat Overview
• Cyber Threats to ccTLDs
• Vulnerabilities
• Threat Scenarios
[Process diagram, steps shown: Project Initiation; Determine Critical Assets & Processes; Identify Threats; Identify Vulnerabilities; Identify Impacts; Identify Mitigation Strategy; Develop Plan]
Overview of threat analysis…
“Business Concern”: What keeps me up at night?
“There’s no physical security for the room where staff log on to the database system. Anyone could wander in and see sensitive registry information displayed on the workstations.”
Vulnerability
• Technical
• Design
• Procedural
Categories of Threats
• Events that cause a risk to become a loss
• Any potential danger that a vulnerability will be exploited by a threat agent
[Diagram labels: Threats; "…also"; Authorized; Unauthorized; Access; User]
Threats
• Natural disasters
– Typhoon, tornado, flood, earthquake, tsunami, fire
• Deliberate destruction
– Terrorism, sabotage, war, theft, fraud, arson, labor dispute
• Loss of utilities or services
– Power, gas, water, oil & petro, communications
• Equipment failure
– Internal power, HVAC, security systems, control systems
Threats
• Information security
– Malware, cybercrime, IT system failure, system misconfiguration, unpatched systems
• Other
– Epidemic, contamination, workplace violence, political (nationalization)
• Non-emergency
– Health, safety, morale, mergers, negative publicity, legal
Technical Vulnerabilities
• Hardware, software, configurations
• Weaknesses that can directly lead to unauthorized action
Design Vulnerabilities
• Network architecture and configuration
Sources for Vulnerability Information
Vulnerability Assessment
• Red Team, Blue Team, Pen-Test, Network Scanning Tools
Historical Responses
• Case Studies, Real-world lessons learned
Exercises or Drills
Worksheet 4 – Threat / Vulnerability / Impact
Worksheet 4 – Threat/Vulnerability/Impact
Create a WS4 for each critical asset highlighted in WS2.
Depending on the number of assets, you may want to identify a cutoff point and focus on the most critical assets.
Worksheet 4 – Threat / Vulnerability
Preview of Outcome vs. Impact
If this occurs … this is the outcome to the critical asset or process …
What is the outcome to the asset if the vulnerability is exploited?
Information Security Objectives
Availability
• Lose important or sensitive information, hardware, software
• Interrupt access to important, software, applications or services
Integrity
• Modify important or sensitive information
… but wait!
Critical Asset
• People
• Information
• Systems
• Facility
Where do controls factor into the process?
… they can reduce the likelihood of a negative impact
[Diagram labels: Information Security Objectives (Availability, Integrity); "… results in …"; Impact; Business]
Worksheet 4 – Impact
Defined:
An action or process for mitigating a vulnerability or otherwise limiting the impact from a realized vulnerability
Safeguard
Decreases or eliminates a negative impact
What is the impact to the business if the asset is affected?
If this occurs … this is the outcome to the critical asset or process …
Threat Scenarios
Critical asset or process
+ Valid threat
+ Real vulnerability
+ Controls or lack of controls
+ Impact on the business
Threat Scenario
• … basis for analyzing risks and determining which response & recovery plans should be developed and maintained
– Assumes general likelihood of occurring; sets stage for risk analysis
Questions?
• Do you understand…
– Concepts of threats, business concerns, vulnerabilities, and threat scenarios
– A range of possible outcomes of threats to ccTLD operations
– Cyber threats to ccTLD operations and infrastructure
– Vulnerabilities of a ccTLD