[ISM3 Users] Tuesday Insight: Threat Taxonomy

Jeff Warren ca117130 at yahoo.com.au
Wed Jun 13 01:32:06 CEST 2007


The ISF uses a threat list for its work, but it is not
public domain.

How about the CERT annual ecrime lists?

AusCERT publishes an annual report and uses a
consistent model to categorise adverse events.


--- Vicente Aceituno <vac at zenobia.es> wrote:

> I haven't been able to find a good and commonly accepted threat taxonomy.
> 
> A threat causes harm sometimes helped by a weakness, sometimes impeded
> by a countermeasure.
> 
> A threat has an agent, a mechanism and consequences for an information
> system or repository.
> 
> Using agent and consequences for classification, threats can be
> classed as Errors (unintentional human action), Attacks (intentional
> human action) and Accidents (& Disasters) (non-human action).
> 
> The consequences of an Attack, Error or Accident can be:
> 
> 1 Failure to destroy of repositories or messages
> 2 Destruction or Loss of repositories or messages
> 3 Theft of repositories or messages
> 4 Interruption of repositories or messages
> 5 Corruption of repositories or messages
> 6 Outdated repositories or messages
> 7 Unauthorized access, Disclosure of repositories or messages
> 8 Improper use of authorized access of repositories or messages
> 9 Improper recording of access to services, channels or interfaces
> 10 Failure to stop services, channels or interfaces
> 11 Destruction or Loss of services, channels or interfaces
> 12 Eavesdropping of services, channels or interfaces
> 13 Underperformance or Interruption of services, channels or interfaces
> 14 Corruption of services, channels or interfaces
> 15 Unauthorized use of services, channels or interfaces
> 16 Improper use of authorized access of services, channels or interfaces
> 17 Improper recording of use of services, channels or interfaces
> 18 Aging of services, channels or interfaces
> 
> While some will argue that the mechanism of the threat is important, I
> don't think it is always necessary. There are hundreds of different
> and subtle ways to attack a system. Is it necessary to analyze every
> single way, or is it better to design and protect the systems in a way
> that makes it resilient to any threat?
> 
> For example a good backup process can protect any system from several
> of these threats...
> 
> My best
> 
> Vicente


Jeff Warren
0414 610 343
Suite 323 
45 Glenferrie Rd 
MALVERN 3144
Australia
