
Practical Threat Analysis in-depth

Part 2: PTA Methodology, Terminology and Definitions

Introducing the Practical Threat Analysis methodology

The PTA (Practical Threat Analysis) calculative methodology and software technology enable effective management of operational and security risks in your systems. It provides an easy way to maintain dynamic threat models that are capable of reacting to changes in the system’s assets and vulnerabilities.

With PTA an analyst can maintain a growing database of threats, create documentation for security reviews and produce recommendations taking into account the importance of various threats and the priorities of the corresponding countermeasures.

PTA automatically recalculates threats and countermeasures priorities and provides decision makers with updated action item lists that reflect the changes in threat realities.

Countermeasure implementation priorities are expressed as a function of the system’s asset values, degrees of damage, threat probabilities and the level of available threat mitigation.

PTA can be used from day one of design and throughout the system’s life cycle. PTA provides intuitive and easy ways for iterative interaction between security analysts, developers and managers. It supports a collaborative process of evaluating threat risks and automatically ranking the cost-effectiveness of proposed mitigation plans - risk assessment analysts can start being productive within hours.

How does PTA relate to security standards such as ISO 17799, BS 7799, ISO 27001, SSE-CMM, Octave, FITSAF, FIPS 199, PCI DSS, GAISP, COBIT, ITIL, NIST, ISF, NERC, FERC, FIRM, IRAM, SPRINT, SARA, BIA and others?

PTA complements existing standards, appraisal and compliance procedures by supplying means for converting the knowledge embedded in the security standards into actual assets and threats, relevant vulnerabilities and effective countermeasures and mitigation actions.

Security standards recommend procedures that ensure information systems security. These recommendations include mapping of assets, vulnerabilities, threats and countermeasures, assessment of risks and implementation of risk mitigation plans. The Practical Threat Analysis methodology provides the systematic methods and data model needed for performing these tasks in a highly effective way as well as the means for producing the documentation for the audit and evaluation steps required by the standards.

Some standards provide lists of numerous recommended countermeasures. These lists may serve the analyst as a baseline for defining common vulnerabilities and countermeasures and can help him grasp the standard's terminology and entities. The PTA tool enables the integration of the relevant security entities in its well-designed database, which serves as the foundation of an Information Security Management System - a concept that is promoted by all modern security standards. The growing Practical Threat Analysis database and its statistics serve as evidence of the organization’s efforts to constantly improve its threat and vulnerability analysis process.

However, it should be noted that standard lists cannot cover all the particular aspects of customized solutions and the specifics of complex information systems that integrate several technologies, infrastructures and human resources. At best, compliance with standards provides only baseline security, and therefore additional analysis of application-specific risks is always required.

Practical Threat Analysis definitions

The Practical Threat Analysis methodology encourages analysts to break down risk entities into their component pieces according to the following definitions:

System
Vulnerability
Countermeasure
Asset
Threat
Attacker Type
Entry Point
Tag
Attached Document

System is a cluster of software modules and/or hardware components together with sets of operational and business procedures. Systems are the target of the threat analysis process. Each system is characterized by its specific goals, functionality, architecture, configuration and users.

System’s Maximal Risk is a calculated value that expresses the maximal financial damage that may be caused to the system’s assets due to the identified threats. It reflects the potential risks of all threats to the system’s assets and is displayed in $ value as well as in percentage of the total system assets.

System’s Minimal Risk is a calculated value that expresses the financial damage that may be caused to the system’s assets and the remaining risks of all threats after full implementation of all mitigation plans. It is displayed in $ value as well as in percentage of the total system assets.

System’s Current Risk is a calculated value that expresses the financial damage that may be caused to the system’s assets according to current implementation level of mitigation plans. It is displayed in $ value as well as in percentage of the total system assets.

System’s Total Value of Assets is the calculated total value of all the system assets.

System’s Countermeasures Implementation Cost is the calculated cost of implementing all countermeasures in all mitigation plans.

System’s Current Investment in Implementation is the cost of countermeasures already applied to the system.

Vulnerability is a weakness, limitation or a defect in one or more of the system’s elements that can be exploited to disrupt the normal function of the system. Vulnerabilities may be in specific modules of the system, its layout, its users and operators, and/or in its associated regulations, operational and business procedures.

Countermeasure is a procedure, action or means of mitigating a specific vulnerability. One countermeasure may mitigate several different vulnerabilities. In some standards documentation countermeasures are termed “controls” or “safeguards”.

Countermeasure’s Fixed Cost is the estimated one-time expense (in $) for implementing a countermeasure. For example: purchase of equipment, enhancing the software, etc.

Countermeasure’s Fixed Cost Period is the number of years over which the fixed expense lasts (for economical and accounting considerations).

Countermeasure’s Recurring Cost is the estimated recurring cost (in $) of implementing a countermeasure. For example: administrator’s salary, insurance payments etc.

Countermeasure’s Weighted Cost is the calculated weighted average of the countermeasure’s fixed and recurring implementation costs, displayed in "annual $" units.

Countermeasure’s Overall Mitigation is the calculated degree of mitigation provided by a specific countermeasure to the overall system risk, displayed as percentage of the overall risk.

Countermeasure’s Cost-Effectiveness is the degree of mitigation provided by a specific countermeasure to the overall system risk relative to the countermeasure’s implementation cost. The value is displayed in "percents of overall mitigation per $1,000" units.

Asset is information, capability, an advantage, a feature, a financial or a technical resource that may be damaged, lost or disrupted. Assets may be digital (software sources), physical (a server machine) or commercial (the corporate brand). Damage to an asset may affect the normal function of the system as well as that of individuals and/or organizations involved with the system.

Asset’s Fixed Value is the estimated one-time expense (in $) associated with the loss of the asset. For example: financial losses caused by blocking the company’s e-commerce operation for 7 days etc.

Asset’s Fixed Value Period is the number of years over which the asset’s fixed value lasts (for economical and accounting considerations).

Asset’s Recurring Value is the estimated recurring value (in $) of losses that may be caused when the asset is damaged. For example: recurring expense due to the non-availability of a software service.

Asset’s Weighted Value is the calculated financial value of the loss when the asset is totally damaged, destroyed or stolen. The value is displayed in ‘annual $’ and expresses the weighted average of the asset’s fixed and recurring values.

Asset’s Relative Value is the calculated percentage of the specific asset's value from the total value of all system assets.

Asset’s Maximal Risk is the calculated maximal risk (in percentage of the asset's value) that threatens the asset. The calculation is based on the parameters of all threats that might damage the asset.

Asset’s Minimal Risk is the calculated risk that threatens the asset after all mitigation plans are implemented. It reflects the actual lowest value of risk that can be achieved after the full implementation of all mitigation plans of the threats that threaten the asset.

Asset’s Current Risk is the calculated risk that threatens the asset according to current implementation level of mitigation plans.

Threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system’s assets.

Threat’s Probability is the likelihood that the threat scenario will materialize. PTA defines the threat's probability as the "expected number of threat incidents per year". In some documentation the threat's probability is termed as the "Annual Rate of Occurrence" (ARO).

Threat's Damage Level to Asset is the financial value of damage caused by one incident of a specific threat to a specific asset, expressed in percentage of the asset's value - if the level is 100% the damage to the asset is maximal.

Threat’s Damage is the total damage (in percentage of the total value of all assets) that the specific threat may cause to the system. The calculation is based on the damage caused to each of the threatened assets.

Threat’s Maximal Risk is a calculated value that expresses the maximal potential financial damage to system assets due to the specific threat. It is displayed in $ value as well as in percentage of the total system assets. In some documentation the threat’s risk is termed "Annual Loss Expectancy" (ALE).

Threat’s Minimal Risk is a calculated value that expresses the potential financial damage to system assets after all countermeasures relevant to the specific threat are implemented. It is displayed in $ value as well as in percentage of the total system’s assets.

Threat’s Current Risk is a calculated value that expresses the potential financial damage to system assets according to current implementation level of the threat’s mitigation plan. It is displayed in $ value as well as in percentage of the total system’s assets.

Threat’s Recommended Countermeasures is a set of all possible countermeasures that mitigate the threat’s vulnerabilities and reduce the threat’s risk.

Threat’s Mitigation Plan is a subset of recommended countermeasures that is assumed to be the most effective for mitigating a specific threat. The analyst uses his/her expertise to decide which of the recommended countermeasures are most effective when applied together and will be included in the Threat’s Mitigation Plan. A threat mitigation plan is said to be implemented only if all of its countermeasures are implemented.

Threat’s Maximal Mitigation is the maximal mitigation level (in percentage of the specific threat’s risk) that may be achieved by applying all countermeasures in the threat’s mitigation plan.

Threat’s Current Mitigation is the portion of mitigation (in percentage of the specific threat’s risk) that is provided by the countermeasures that are currently implemented.
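The following is an added worked example, written for this page and not part of PTA's own software, that carries the calculated values defined above (weighted values and costs, threat maximal/minimal/current risk, system risk, countermeasure overall mitigation and cost-effectiveness, asset maximal risk) through to numbers for a small constructed model. The page does not publish PTA's exact formulas, so the parts marked ASSUMPTION (annualizing a one-time amount as fixed/period + recurring, a per-countermeasure mitigation fraction inside each threat's plan, and independent countermeasures whose residual risks multiply) are one reasonable reading of the definitions, not PTA's published calculation. All asset, threat and countermeasure data is constructed.

```python
# Added example (not PTA's code): minimal PTA-style risk model built from the definitions above.
from dataclasses import dataclass
from math import prod


@dataclass
class Asset:
    name: str
    fixed_value: float      # Asset's Fixed Value: one-time loss in $
    fixed_period: float     # Asset's Fixed Value Period: years the one-time loss is spread over
    recurring_value: float  # Asset's Recurring Value: loss in $ per year

    @property
    def weighted_value(self) -> float:
        # ASSUMPTION: "annual $" = one-time loss annualized over its period + recurring loss
        return self.fixed_value / self.fixed_period + self.recurring_value


@dataclass
class Countermeasure:
    name: str
    fixed_cost: float
    fixed_period: float
    recurring_cost: float
    implemented: bool = False

    @property
    def weighted_cost(self) -> float:
        # ASSUMPTION: same annualization as for assets
        return self.fixed_cost / self.fixed_period + self.recurring_cost


@dataclass
class Threat:
    name: str
    probability: float               # Threat's Probability: expected incidents per year (ARO)
    damage_levels: dict[str, float]  # asset name -> fraction of the asset's value lost per incident
    plan: dict[str, float]           # mitigation plan: countermeasure -> mitigation fraction (ASSUMPTION)


class PtaModel:
    def __init__(self, assets, countermeasures, threats):
        self.assets = {a.name: a for a in assets}
        self.countermeasures = {c.name: c for c in countermeasures}
        self.threats = threats

    def total_asset_value(self) -> float:
        return sum(a.weighted_value for a in self.assets.values())

    def threat_maximal_risk(self, t: Threat) -> float:
        """ALE with nothing mitigated: ARO x per-asset damage in annual $."""
        return t.probability * sum(lvl * self.assets[a].weighted_value
                                   for a, lvl in t.damage_levels.items())

    def threat_mitigation(self, t: Threat, implemented: set[str]) -> float:
        # ASSUMPTION: independent countermeasures, so residual risk fractions multiply
        return 1 - prod(1 - m for c, m in t.plan.items() if c in implemented)

    def threat_risk(self, t: Threat, implemented: set[str]) -> float:
        return self.threat_maximal_risk(t) * (1 - self.threat_mitigation(t, implemented))

    def currently_implemented(self) -> set[str]:
        return {c.name for c in self.countermeasures.values() if c.implemented}

    def system_risk(self, implemented: set[str]) -> float:
        return sum(self.threat_risk(t, implemented) for t in self.threats)

    def system_maximal_risk(self) -> float:
        return self.system_risk(set())                       # no plan implemented

    def system_minimal_risk(self) -> float:
        return self.system_risk(set(self.countermeasures))   # every plan fully implemented

    def system_current_risk(self) -> float:
        return self.system_risk(self.currently_implemented())

    def overall_mitigation(self, cm: str) -> float:
        """Fraction of the system's maximal risk removed by implementing cm alone."""
        max_risk = self.system_maximal_risk()
        return (max_risk - self.system_risk({cm})) / max_risk

    def cost_effectiveness(self, cm: str) -> float:
        """Percent of overall mitigation per $1,000 of annual weighted cost."""
        return 100 * self.overall_mitigation(cm) / (self.countermeasures[cm].weighted_cost / 1000)

    def asset_maximal_risk(self, asset: str) -> float:
        """Annual risk to one asset as a fraction of that asset's value, over all threats."""
        return sum(t.probability * t.damage_levels.get(asset, 0.0) for t in self.threats)


def build_sample() -> PtaModel:
    """Constructed sample data; every figure here is invented for illustration."""
    assets = [Asset("Customer DB", 200_000, 4, 30_000),   # weighted 80,000 $/yr
              Asset("Web shop", 0, 1, 120_000)]           # weighted 120,000 $/yr
    cms = [Countermeasure("WAF", 20_000, 4, 5_000, implemented=True),  # 10,000 $/yr
           Countermeasure("Encrypt at rest", 10_000, 2, 1_000),        # 6,000 $/yr
           Countermeasure("Staff training", 0, 1, 4_000)]               # 4,000 $/yr
    threats = [Threat("SQLi data theft", 0.5, {"Customer DB": 0.8, "Web shop": 0.1},
                      {"WAF": 0.6, "Encrypt at rest": 0.5}),
               Threat("Phishing of admin", 2.0, {"Customer DB": 0.25},
                      {"Staff training": 0.5, "Encrypt at rest": 0.2})]
    return PtaModel(assets, cms, threats)


if __name__ == "__main__":
    m = build_sample()
    print(f"max/current/min risk: {m.system_maximal_risk():.0f} / "
          f"{m.system_current_risk():.0f} / {m.system_minimal_risk():.0f} $ per year")
    for cm in sorted(m.countermeasures, key=m.cost_effectiveness, reverse=True):
        print(f"{cm:16} mitigation {100 * m.overall_mitigation(cm):5.1f}%  "
              f"cost-effectiveness {m.cost_effectiveness(cm):.2f} %/k$")
```

With this data the system's maximal risk is $78,000 per year, the current risk (only the WAF implemented) is $55,200 and the minimal risk with all plans implemented is $23,600. Encryption at rest removes the largest share of overall risk, but staff training ranks first on cost-effectiveness because its annual cost is lowest; that divergence between "Overall Mitigation" and "Cost-Effectiveness" is the reason the methodology reports both.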

Attacker Type is a class of attackers. Attacker types such as insiders, hackers and competitors are differentiated by their motivation, qualification, available tools and accessibility to the attacked system’s resources.

Attacker is a person (or group of people) that may perform the steps of a specific threat scenario and attack the system’s assets. Attackers are usually mapped to one or more classes of attacker types.

Entry Point is a "door" (either in the system itself or in the human operation associated with it) through which an attacker may penetrate the system. Such points are the Web site, IVR service, SMS server, CRM representatives called by customers over the phone, etc. Several entry points may be used for materializing a specific threat.

Tag is a free-text descriptive attribute associated with the threat model entities (assets, threats, vulnerabilities and countermeasures). Tags help the analyst classify the various model entities and improve their comprehensibility.

Attached Document contains additional unstructured information relevant to the threat analysis entities and process. For example: security notes, standards specifications, development ideas, design schemes etc. Documents can be associated with specific model entities at any step of the threat analysis process.

***

Next (part 3): The PTA Threat Model and Risk Analysis Process