In our last post we talked about the need for a structured approach in evaluating risk and the scenarios associated with the phrase “what’s the worst that could happen?” In this post, let’s take a look at ways we think about threats – those bad things that might happen to our business systems.

First, let’s define the word Threat. The National Institute of Standards and Technology (NIST) defines Threat as “any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”

Furthermore, NIST makes further distinctions by considering Threat Sources and Threat Events. There are several categories of Threat Sources:

Adversarial

Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources (i.e., information in electronic form, information and communications technologies, and the communications and the information-handling capabilities provided by those technologies).

Characteristics / Factors
Capability, Intent, Targeting

Types
– Individual: Outsider, Insider, Trusted Insider, Privileged Insider
– Group: Ad hoc, Established
– Organization: Competitor, Supplier, Partner, Customer
– Nation State

Accidental

Erroneous actions taken by individuals in the course of executing their everyday responsibilities.

Characteristics / Factors
Range of effects

Types
– User
– Privileged User/Admin

Structural

Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.

Characteristics / Factors
Range of effects

Types
– IT Equipment: Storage, Processing, Communications, Display, Sensor, Controller
– Environmental Conditions: Temp/Humidity Controls, Power Supply
– Software: Operating System, Networking, General Application, Mission Specific App

Environmental

Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization.

Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (e.g., Cat 5 hurricane causes extensive damage to the facilities housing critical systems making them unavailable for 3 weeks).

Characteristics / Factors
Range of effects

Types
– Natural or Man-Made Disaster: Fire, Flood/Tsunami, Windstorm/Tornado, Hurricane, Earthquake, Bombing, Overrun
– Unusual Natural Event: Sunspots
– Infrastructure Failure/Outage: Telecommunications, Electrical Power

Source – NIST SP 800-30 Table D-2 Taxonomy of Threat Sources

Threat Sources & Events

In the NIST paradigm, adversarial threat sources can be weighted or factored on a qualitative or “semi-quantitative” approach that considers the adversary’s level of expertise and resources (capability), the motivation or intent (intent), and the ability of the adversary to individually or specifically target the organization (targeting). By contrast, all non-adversarial threat sources are factored using a single scale of “Range of effect” that has values from minimal to sweeping.

So what about Threat Events? Threat Events are usually described for adversarial events as tactics, techniques, and procedures or TTPs. For example, an “outsider” may perform perimeter network reconnaissance or scanning. This is mainly to obtain a better understanding of the infrastructure and improve the ability to launch successful attacks. Furthermore, a threat event for a non-adversarial threat source would be a “trusted insider” who spills or leaks sensitive information by accidentally sending it to the wrong person.

To reduce the likelihood of not considering important threats, a number of organizations have taken on the task of cataloging threat sources and events. Resources for additional information include:

  1. National Institute of Standards and Technology (NIST)
  2. European Union Agency for Network and Information Security (ENISA)
  3. SANS Institute

Conclusion

Determining which taxonomy is best for your organization will depend on your industry and the level of maturity of your risk assessment process. The ultimate goal is to determine and use a list of threat sources and events that captures those “threats” that you would reasonably want to consider in your environment.

Considering the threats relevant to your environment is key to doing a proper risk assessment. Simply doing a controls gap assessment may or may not pass muster with an auditor; however, that approach will consistently be shot down by regulators or examiners if you are attempting to comply with mandates in healthcare or financial services. Above all, not doing a proper risk analysis against your likely threats makes it very difficult to provide the executive team or board with meaningful information. This might include fending off a threat event an executive has been reading about in an industry publication.

“Hey Steve, I saw that article about our competitor. How likely is it we would be seriously infected by ransomware?” Your reply… “Ummm, not really sure, but I suspect pretty darn likely?” (In other words, “I don’t know”)

In the next post, we will tie in how to think about threats in the context of how they may or may not pair with conditions in your environment that affect your level of vulnerability. This is where the evaluation of controls comes into play. We will also discuss the art and science of mapping controls to the threats they may mitigate.

Mark Fulford

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.