Step 2.2: Threat, Attack and Vulnerability Scenarios


This section guides you in thinking of these vulnerabilities in the context of potential threats and the likelihood these threats will occur. Once these connections are well understood, you will be ready to move on to development of a security plan (Step 2.3).

Completion of the previous section of risk assessment questions (Step 2.1) provided a sense of current vulnerabilities. Addressing all of these vulnerabilities may not be practical, however, so a way to home in on the most vital ones is needed.

Below is a template for a threat-based risk assessment. It provides a checklist of strategies to deal with common threats. The information collected during this process can be carried into your security plan (Step 2.3) and expanded upon when you create (or update) it, identifying which strategies are already in place, which ones need to be implemented and which ones are either unnecessary or unjustifiable.

In this template, threats, attacks and vulnerabilities are roughly sorted from most common to least common, which is also, fortunately, roughly least dire to most dire. Strategies to deal with the more dire threats at the end of the matrix may require subsuming the strategies identified for the less dire circumstances. In those cases, feel free to refer to strategies identified previously (e.g., “see strategies for 2.B. above”) rather than duplicating information.

Hint: In most cases, your department’s desktops can be treated as a single item for purposes of this analysis, unless some of them uniquely host a mission-critical function.

Note: Do not forget paper-based data when determining which data to protect. Also, paper can serve as a backup for electronically-based data or vice-versa, assuming they are not co-located.

(A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word format here and Adobe PDF format here.)

Unit Name: ___________________    Sub-Unit Name: ___________________           

Threat, Attack and Vulnerability Scenarios

In priority order, categorize each of the assets identified in Step 1 by threat; most assets are vulnerable to multiple threats. Then identify strategies that your department currently follows or plans to follow to address these threats.


Potential Threat, Attack or Vulnerability | Department’s Identified Assets Affected | Department’s Identified Strategies | Available Resources

1. System Software

A. Automated or user-initiated network-aware attacks (viruses, worms, trojan horses, peer-to-peer)

Consider these assets:

  • Destroyed files
  • Exposed data
  • Lost productivity
  • Lost machine control
  • Lost IT staff time to rebuild machines
 

B. Malicious system misuse

Consider these assets:

  • Ownership of shared resources (e.g. Web sites, research data)
  • Any resource with a password
  • Exposed data
   

C. Unmanaged (uncontrolled) software installation (“unknown” items installed along with intended items; untested or unstable programs that interfere with supported applications)

Consider these assets:

  • System reliability
  • Lost productivity
 

2. Data Integrity, Confidentiality and Availability

A. Compromise, theft and/or disclosure of databases (due to outsider cyberattack or malicious or accidental insider actions)

Consider these assets:

  • Research databases
  • Grants
  • Reputation
  • Reproduction time
  • Effect on publishing (past, present, future)
  • Graduate student work
  • Financial, student, health, social security numbers and/or personnel information
 
  • Prevention: see 1.B. above
  • Periodically compare electronic data to paper (or off-line) data (e.g. backup)
  • Store data encrypted
  • Back up frequently
  • Use encrypted network data transport (SecureCRT, SecureFX, ssh; VPN)
  • Move to ITC’s more secure network or HS/CS’s secure clinical subnet
  • Regular staff training on legal requirements
  • Remove data from (or destroy) hardware and media prior to reuse or disposal
  • De-identify (anonymize) protected data used in research projects
  • ___________________
  • ___________________
  • ___________________

B. Data loss

Consider these assets:

  • Any resource with electronic data storage
 

3. Staffing

A. People critical to support of IT equipment/services not available (due to illness, weather, etc.)

Consider these assets:

  • IT staff
 
  • Cross-training
  • Remote access
  • Documentation of procedures and practices
  • Common procedures across departments with partnerships for mutual backfill
  • Escrowed passwords
  • ___________________
  • ___________________
  • ___________________
 

B. Untrained services administrators (system, database, Web, etc.)

Consider these assets:

  • Servers
  • IT staff
 
  • Hire appropriately
  • Provide thorough administrator training
  • Security training
  • Provide time for knowledge and skills maintenance
  • Provide time for on-going systems maintenance
  • Remote access restrictions
  • Strict access controls
  • Least privilege principle
  • Back up frequently
  • Have ITC (HS/CS) manage or host services Win | Unix
  • ___________________
  • ___________________
 

4. Older and Specialized Hardware and Software

A. Non-replaceable equipment (no longer manufactured); operating systems no longer supported by vendor

Consider these assets:

  • Assets more than 3 years old
  • Specialty, unique systems
 
  • Fund technology migration in coordination with vendors’ product end of life schedule
  • Interim manual procedures
  • Contingency plan for parts
  • Contingency plan for emergency migration
  • ___________________
  • ___________________

B. “Black box” devices (non-upgradeable systems, often with unchangeable passwords)

Consider these assets:

  • Specialized devices with Web interfaces (e.g. facilities control modules)
  • Non-computer “intelligent” devices on network; web-enabled appliances
  • Engineering devices
 
  • Procurement contracts allowing for replacement as needed
  • Voluntary MAC registration
  • Mandatory MAC registration when it is available
  • Remove device from general network
  • ___________________
  • ___________________
 

5. Equipment and/or Service Unavailability

A. Unavailability of departmental IT equipment/services (due to damage from burst water pipes, power failure, hard drive failure, confiscation by law enforcement for cybercrime investigation, denial of service attack, need to rebuild OS, human error, theft, etc.) – consider short and long term scenarios

Consider these assets:

  • All assets identified in Step 1
 
  • Back up frequently
  • Test backups
  • Partnerships with other departments (instead of redundant equipment)
  • Service contracts
  • Parts on hand
  • Off-site backup, documentation
  • Interim manual procedures
  • Have ITC (HS/CS) manage or host services Win | Unix
  • ___________________
  • ___________________
  • ___________________

B. Unavailability of central IT equipment/services or voice communication services (due to network failure, equipment failure, denial of service attack, telecom overloads, etc.) – consider short and long term scenarios

Consider these assets:

  • All assets identified in Step 1
 
  • Partnerships with other departments
  • Interim manual procedures
  • ___________________
  • ___________________
  • ___________________

6. Loss of Facilities

A. Short term – building intact, but no access (due to structural problems, biological or chemical contamination, etc.)

B. Long term – building completely or substantially destroyed (due to fire, earthquake, missile attack, etc.)

Consider these assets:

  • All assets identified in Step 1
  • Paper copies of procedures, policies and plans
  • Local backups
  • Local software media and licenses
  • Loss of people
 
  • Back up frequently
  • Test backups
  • Partnerships with other departments
  • Redundant equipment
  • Alternate space plans
  • Vendor contracts for hosting services, replacing equipment
  • Interim manual procedures
  • Off-site backup, media, licenses and documentation
  • Have ITC (HS/CS) manage or host services Win | Unix
  • ___________________
  • ___________________
  • ___________________

7. Other:___________________

Consider these assets:

  • ___________________
  • ___________________
 
  • ___________________
  • ___________________
  • ___________________
 

Prepared by: Technical contact

          Name:   __________________________
     Signature:   __________________________
             Title:   __________________________
            Date:   __________________________

Approved by: Unit head

            Name:  __________________________
      Signature: __________________________
              Title: __________________________
              Date: __________________________

 

© 2008 by the Rector and Visitors of the University of Virginia.
