OpenSecurityArchitecture.org

[Tobias]

I am currently drafting the a suggestion for an OSA threat model.
Anyone out there that would like to contribute?

I have started with a comparison of existing threat catalogs (see attachment).

Comparison of Existing Threat Catalogues.pdf.zip

(14.23 KiB) Downloaded 162 times

cheers
Tobias

[Pekka]

Check this out:
http://taosecurity.blogspot.com/2007/06 ... model.html

http://www.agilemodeling.com/artifacts/ ... tModel.htm

http://en.wikipedia.org/wiki/Threat_model

[rcaudle]

Take a look at Intel's Threat Agent Library.

http://www.intel.com/it/pdf/threat-agent-library.pdf

They describe a threat as having seven (7) attributes:

Access
Outcome
Limits
Resources
Skills
Objective
Visibility

[Tobias]

Appreciate the link.
A fresh and interesting approach to the topic.

Do you have experience with this threat library?

[phaedrus]

Interesting El Reg article on security threats that delivers a few data points for common threat categories.

http://www.theregister.co.uk/2009/02/25 ... y_threats/

[spinoza]

I really like the approach taken so far- most impressed. The threat classification appeals intuitively as a solid and straightforward approach to ensure we get good coverage.

I am not convinced that any of the existing catalogs meet our needs as they are either not available to the public with the right license terms or are too complex.

I suggest that we simply create a table with the permutations in the classification and start to list threats inside each category. That way we can capture the top 80% very quickly and can gradually improve over a few releases.

We should aim to keep as simple as possible and I could imagine that we could get a solid coverage with 40-50 threats. As part of the exercise we should consider how each control in 800-53 addresses the threat. This could be captured in the table and would evidence the quality of the proposed threat catalog.

[VinceW]

I was wondering.... as the latest post in this topic is some while ago...

• what's the status of the catalog
• what's the direction of the threat catalog going to be?
• Any help needed?

Best,
VinceW

[Tobias]

Vince,

Sorry it took a while to answer your posting.... somehow completely overlooked it.

Anyway you asked what the status of the threat catalog is. The latest discussions are reflected in the corresponding article:
http://www.opensecurityarchitecture.org ... _catalogue

We found that the best possible help would be to elaborate first on the structuring that a catalog could have.

Then setting up a full threat-catalog could be an significant amount of work.
Personally I believe a well structured catalogue would have somewhere between 50 and 150 threats listed.
Best would probably be to aim for a coverage that satisfies also the landscape: http://www.opensecurityarchitecture.org ... -landscape

Do you have structured threat catalogue data that you could provide?
Any contribution is welcome.

Cheers
Tobias

[VinceW]

No problem on the answering time... (although there are site-mechanisms to keep you informed on new or updated forum topics )

Anyway you asked what the status of the threat catalog is. The latest discussions are reflected in the corresponding article:
http://www.opensecurityarchitecture.org ... _catalogue

Yeah I've already read that (and the corresponding doc's) pretty good work was done on that.

We found that the best possible help would be to elaborate first on the structuring that a catalog could have.

That's a good start... talk, think before coding Any progress on this front....

Then setting up a full threat-catalog could be an significant amount of work.
Personally I believe a well structured catalog would have somewhere between 50 and 150 threats listed.
Best would probably be to aim for a coverage that satisfies also the landscape: http://www.opensecurityarchitecture.org ... -landscape

It's going to be some work, yes. The type of work it's gonna be, is also depending on the way you want to input the data. As an opensource solutions it would be very nice if the community could provide input, discussion about those contributions and rate the contributions. With a process like this you can lower the amount of time an admin is updating data, raise the community input, raise the acceptation level of the community .
Also with a sound rating/scoring logic, the 50-150 most important threats are floating to the surface. I'm willing to provide effort, time and serverspace on this to create and facilitate such.

Do you have structured threat catalogue data that you could provide?

Not at hand at the moment, because a sound catalog should match it's purpose. Until the purpose and scope of this catalog isn't defined, all the catalogs are nice reference material, but not proof for a 1-on-1 import.

I would like to see a discussion started on the scope and function on the threat list first ...

I also would like to bring in the perspective of Information Security (http://en.wikipedia.org/wiki/Information_security), I believe a Information orientated risk assessment approach could be a major benefit in building an OSA threat catalog.

Further more a quote from: IT Baseline Protection Catalogs

Threat catalogs
The threat catalogs, in connection with the component catalogs, go into more detail about potential threats to IT systems. These threat catalogs follow the general layout in layers. "Force majeure", "organizational deficiencies", "spurious human action", "technical failure", and "premeditated acts" layers are distinguished. According to the BSI, the knowledge collected in these catalogs is not necessary to establishment of baseline protection. It does, however, demand an understanding of the measures as well as management vigilance. Individual threat sources are described in a short text. Finally, examples of damages that can be triggered by these threat sources are given.

Further reading material:

• http://vote.nist.gov/threats/Jonesthreattalk.pdf
• http://msdn.microsoft.com/en-us/library/ms998404.aspx
• http://en.wikipedia.org/wiki/Risk_management
• http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.98.5693&rep=rep1&type=pdf

Best,
VinceW

[Tobias]

I would like to see a discussion started on the scope and function on the threat list first ...

In OSA the purpose of a threat list can be:

• starting point to model a pattern
• a documentation point to what extent a pattern-design is resistant against certain threats
• (post-design) check list to verify whether the proposed list of controls (for a pattern) is not just an extract of a baseline but an effective countermeasure to likely threats

Earlier in the discussion it was proposed that we could go with Intel's 7 characteristics of a threat. I would boil that down to 3 or 4, for example:

• Access, Resources, Limits and Skills
• Objective (=desired outcome)
• Visibility (potentially leave this away to simplify)
• Classification (i.e. position in the 3D structure that is proposed here: http://www.opensecurityarchitecture.org ... _catalogue )

Any other suggestions on purpose and threat description?

[phaedrus]

Latest work published here:

http://www.opensecurityarchitecture.org ... _catalogue

[datadink]

I noticed in your spreadsheet that BSI is listed as being current as of 2004. If you go to the https://www.bsi.bund.de/cln_183/DE/Themen/weitereThemen/ITGrundschutzKataloge/Inhalt/Gefaehrdungskataloge/gefaehrdungskataloge_node.html site and use your browsers translation function you can see their 2009 version.

[Tobias]

Thanks for the feedback.
I will update the comparison sheet later today!

Cheers
Tobias