NIST SP800-30 Risk Assessment Methodology
1 Step 1 - Prepare for risk assessment
1.1 1-1 -- Identify purpose
1.1.1 Initial assessment
1.1.1.1 Establish a baseline assessment of risk
1.1.1.2 Identifying threats and vulnerabilities, impacts, and other risk factors
1.1.2 Updated assessment
1.1.2.1 Recommending alternative risk responses
1.1.2.2 Updating a risk assessment based on:
1.1.2.2.1 Ongoing determinations of effectiveness of security controls
1.1.2.2.2 Changes to information systems
1.1.2.2.3 Changes to mission or business processes
1.1.2.2.4 Results from compliance verification activities
1.2 1-2 -- Identify scope
1.2.1 Organizational applicability
1.2.1.1 Providers of "The DNS"
1.2.1.1.1 ICANN
1.2.1.1.2 Root server operators
1.2.1.1.3 TLD server operators
1.2.1.1.4 "TLD-like" 3rd-level operators (eg. 3rd-level ccTLD operators)
1.2.1.2 Providers of lower levels of the DNS hierarchy
1.2.1.2.1 Registrars
1.2.1.2.2 Registrants
1.2.1.3 Consumers of the DNS
1.2.2 Time frame
1.2.2.1 Tier 1 -- relevant for an extended period (since governance processes can be time-consuming)
1.2.2.2 Tier 2 -- somewhere in between
1.2.2.3 Tier 3 -- can be as short as the time until the next release of the underlying technology
1.2.3 Architecture and technology
1.2.3.1 "The DNS"
1.2.3.1.1 Root servers and associated infrastructure
1.2.3.1.2 TLD servers and associated infrastructure
1.3 1-3 -- Identify assumptions and constraints
1.3.1 Threat sources
1.3.1.1 Range of sources
1.3.1.1.1 Broad (eg all sources, adversarial and non-adversarial)
1.3.1.1.2 Narrow (eg one specific threat source)
1.3.1.2 Table D-2 provides a sample taxonomy that can be considered
1.3.1.2.1 Adversarial
1.3.1.2.1.1 Description
1.3.1.2.1.1.1 Individuals, groups, organizations or states that seek to exploit the organization's dependence on cyber resources
1.3.1.2.1.2 Characteristics
1.3.1.2.1.2.1 Capability
1.3.1.2.1.2.2 Intent
1.3.1.2.1.2.3 Targeting
1.3.1.2.1.3 Types
1.3.1.2.1.3.1 Individual
1.3.1.2.1.3.1.1 Outsider
1.3.1.2.1.3.1.2 Insider
1.3.1.2.1.3.1.3 Trusted Insider
1.3.1.2.1.3.1.4 Privileged Insider
1.3.1.2.1.3.2 Group
1.3.1.2.1.3.2.1 Ad Hoc
1.3.1.2.1.3.2.2 Established
1.3.1.2.1.3.2.3 Organization
1.3.1.2.1.3.2.4 Nation-state
1.3.1.2.2 Accidental
1.3.1.2.2.1 Description
1.3.1.2.2.1.1 Erroneous actions taken by individuals in the course of executing their everyday responsibilities
1.3.1.2.2.2 Characteristics
1.3.1.2.2.2.1 Range of effects
1.3.1.2.2.3 Types
1.3.1.2.2.3.1 Ordinary users
1.3.1.2.2.3.2 Privileged users
1.3.1.2.3 Structural
1.3.1.2.3.1 Description
1.3.1.2.3.1.1 Failures of equipment, environmental controls or software due to aging, resource depletion or other circumstances which exceed expected operating parameters
1.3.1.2.3.2 Characteristics
1.3.1.2.3.2.1 Range of effects
1.3.1.2.3.3 Types
1.3.1.2.3.3.1 IT Equipment
1.3.1.2.3.3.1.1 Storage
1.3.1.2.3.3.1.2 Processing
1.3.1.2.3.3.1.3 Communications
1.3.1.2.3.3.1.4 Display
1.3.1.2.3.3.1.5 Sensor
1.3.1.2.3.3.1.6 Controller
1.3.1.2.3.3.2 Environmental
1.3.1.2.3.3.2.1 Temperature/humidity controls
1.3.1.2.3.3.2.2 Power supply
1.3.1.2.3.3.3 Software
1.3.1.2.3.3.3.1 Operating system
1.3.1.2.3.3.3.2 Networking
1.3.1.2.3.3.3.3 General-purpose applications
1.3.1.2.3.3.3.4 Mission-specific applications
1.3.1.2.4 Environmental
1.3.1.2.4.1 Description
1.3.1.2.4.1.1 Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization
1.3.1.2.4.1.1.1 Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (eg Category 5 hurricane causes extensive damage to the facilities housing mission-critical systems, making those systems unavailable for three weeks).
1.3.1.2.4.2 Characteristics
1.3.1.2.4.2.1 Range of effects
1.3.1.2.4.3 Types
1.3.1.2.4.3.1 Natural or man-made disaster
1.3.1.2.4.3.1.1 Fire
1.3.1.2.4.3.1.2 Flood/Tsunami
1.3.1.2.4.3.1.3 Windstorm/tornado
1.3.1.2.4.3.1.4 Hurricane
1.3.1.2.4.3.1.5 Earthquake
1.3.1.2.4.3.1.6 Bombing
1.3.1.2.4.3.1.7 Overrun
1.3.1.2.4.3.2 Unusual natural event (eg sunspots)
1.3.1.2.4.3.3 Infrastructure failure/outage
1.3.1.2.4.3.3.1 Telecommunications
1.3.1.2.4.3.3.2 Power
1.3.1.3 Task 2-1 has additional guidance for identifying threat sources
1.3.2 Threat events
1.3.2.1 Determine level of detail
1.3.2.1.1 General (eg phishing, DDoS)
1.3.2.1.2 More descriptive (tactics, techniques, procedures)
1.3.2.1.2.1 Maybe drill down into one or two? eg. DDoS?
1.3.2.1.3 Specific (names of systems, technologies, organizations, roles or locations)
1.3.2.2 What representative set of events to use as a starting point to identify specific threat events -- see Tables E-2 and E-3 for a sample taxonomy
1.3.2.2.1 Table E-2 -- Adversarial threat events (giant list -- we need to radically thin this one)
1.3.2.2.1.1 Access sensitive information through network sniffing.
1.3.2.2.1.1.1 Adversary gains access to the exposed wired or wireless data channels that organizations (or organizational personnel) use to transmit information, and intercept communications. Adversary actions might include, for example, targeting public kiosks or hotel networking connections.
1.3.2.2.1.2 Adapt cyber attacks based on detailed surveillance.
1.3.2.2.1.2.1 Adversary adapts attacks in response to surveillance of organizations and the protective measures that organizations employ.
1.3.2.2.1.3 Exploit recently discovered vulnerabilities.
1.3.2.2.1.3.1 Adversary exploits recently discovered vulnerabilities in organizational information systems in an attempt to attack the systems before mitigation measures are available or in place.
1.3.2.2.1.4 Employ brute force login attempts/password guessing.
1.3.2.2.1.4.1 Adversary attempts to gain access to organizational information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities.
1.3.2.2.1.5 Cause degradation or denial of attacker selected services or capabilities.
1.3.2.2.1.5.1 Adversary launches attacks specifically intended to impede the ability of organizations to function.
1.3.2.2.1.6 Cause deterioration/destruction of critical information system components and functions.
1.3.2.2.1.6.1 Adversary attempts to destroy or deteriorate critical information system components for purposes of impeding or eliminating the ability of organizations to carry out missions or business functions. Detection of this action is not a concern.
1.3.2.2.1.7 Combine internal and external attacks across multiple information systems and information technologies to achieve a breach or compromise.
1.3.2.2.1.7.1 Adversary combines attacks that require both physical presence within organizations and cyber methods to achieve success. Physical components may be as simple as convincing maintenance personnel to leave doors or cabinets open.
1.3.2.2.1.8 Compromise critical information systems via physical access by outsiders.
1.3.2.2.1.8.1 Adversary without authorized access to organizational information systems attempts to physically gain access to the systems.
1.3.2.2.1.9 Compromise mission critical information.
1.3.2.2.1.9.1 Adversary takes action to compromise the integrity of mission critical information, thus preventing/impeding the ability of organizations to which the information is supplied from carrying out operations.
1.3.2.2.1.10 Compromise information systems or devices used externally and reintroduce into the enterprise.
1.3.2.2.1.10.1 Adversary manages to install malware on information systems or devices while the systems/devices are external to organizations for purposes of subsequently infecting organizations when reconnected.
1.3.2.2.1.11 Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware) organizations are known to use.
1.3.2.2.1.11.1 Adversary is able to compromise the design, manufacturing, and/or distribution of critical information system components at selected suppliers.
1.3.2.2.1.12 Conduct reconnaissance, surveillance, and target acquisition of targeted organizations.
1.3.2.2.1.12.1 Adversary uses various means (e.g., scanning, physical observation) to examine and assess organizations and ascertain points of vulnerability.
1.3.2.2.1.13 Conduct phishing attacks.
1.3.2.2.1.13.1 Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information.
1.3.2.2.1.14 Continuous, adaptive and changing cyber attacks based on detailed surveillance of organizations.
1.3.2.2.1.14.1 Adversary attacks continually change in response to surveillance of organizations and protective measures that organizations take.
1.3.2.2.1.15 Coordinating cyber attacks on organizations using external (outsider), internal (insider), and supply chain (supplier) attack vectors.
1.3.2.2.1.15.1 Adversary employs continuous, coordinated attacks, potentially using all three attack vectors for the purpose of impeding organizational operations.
1.3.2.2.1.16 Create and operate false front organizations that operate within the critical life cycle path to inject malicious information system components into the supply chain.
1.3.2.2.1.16.1 Adversary creates the appearance of legitimate suppliers that then inject corrupted/malicious information system components into the supply chain of organizations.
1.3.2.2.1.17 Deliver known malware to internal organizational information systems (e.g., virus via email).
1.3.2.2.1.17.1 Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g., malware whose existence is known) into organizational information systems.
1.3.2.2.1.18 Deliver modified malware to internal organizational information systems.
1.3.2.2.1.18.1 Adversary uses more sophisticated means (e.g., Web traffic, instant messaging, FTP) to deliver malware and possibly modifications of known malware to gain access to internal organizational information systems.
1.3.2.2.1.19 Devise attacks specifically based on deployed information technology environment.
1.3.2.2.1.19.1 Adversary develops attacks, using known and unknown attacks that are designed to take advantage of adversary knowledge of the information technology infrastructure.
1.3.2.2.1.20 Discovering and accessing sensitive data/information stored on publicly accessible information systems.
1.3.2.2.1.20.1 Adversary attempts to scan or mine information on publicly accessible servers and Web pages of organizations with the intent of finding information that is sensitive (i.e., not approved for public release).
1.3.2.2.1.21 Distributed Denial of Service (DDoS) attack.
1.3.2.2.1.21.1 Adversary uses multiple compromised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems.
1.3.2.2.1.22 Exploit known vulnerabilities in mobile systems (e.g., laptops, PDAs, smart phones).
1.3.2.2.1.22.1 Adversary takes advantage of fact that transportable information systems are outside physical protection of organizations and logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems.
1.3.2.2.1.23 Exploiting vulnerabilities in information systems timed with organizational mission/business operations tempo.
1.3.2.2.1.23.1 Adversary launches attacks on organizations in a time and manner consistent with organizational needs to conduct mission/business operations.
1.3.2.2.1.24 Externally placed adversary sniffing and intercepting of wireless network traffic.
1.3.2.2.1.24.1 Adversary strategically in position to intercept wireless communications of organizations.
1.3.2.2.1.25 Hijacking information system sessions of data traffic between the organization and external entities.
1.3.2.2.1.25.1 Adversary takes control of (hijacks) already established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).
1.3.2.2.1.26 Injecting false but believable data/information into organizational information systems.
1.3.2.2.1.26.1 Adversary injects false but believable data into organizational information systems. This action by the adversary may impede the ability of organizations to carry out missions/business functions correctly and/or undercut the credibility other entities may place in the information or services provided by organizations.
1.3.2.2.1.27 Insert subverted individuals into privileged positions in organizations.
1.3.2.2.1.27.1 Adversary has individuals in privileged positions within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag). Adversary may target privileged functions to gain access to sensitive information (e.g., user accounts, system files, etc.) and may leverage access to one privileged capability to get to another capability.
1.3.2.2.1.28 Counterfeit/Spoofed Web site.
1.3.2.2.1.28.1 Adversary creates duplicates of legitimate Web sites and directs users to counterfeit sites to gather information.
1.3.2.2.1.29 Deliver targeted Trojan for control of internal systems and exfiltration of data.
1.3.2.2.1.29.1 Adversary manages to install software containing Trojan horses that are specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to adversary, and conceal these actions.
1.3.2.2.1.30 Employ open source discovery of organizational information useful for future cyber attacks.
1.3.2.2.1.30.1 Adversary mines publicly accessible information with the goal of discerning information about information systems, users, or organizational personnel that the adversary can subsequently employ in support of an attack.
1.3.2.2.1.31 Exploit vulnerabilities on internal organizational information systems.
1.3.2.2.1.31.1 Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities.
1.3.2.2.1.32 Inserting malicious code into organizational information systems to facilitate exfiltration of data/information.
1.3.2.2.1.32.1 Adversary successfully implants malware into internal organizational information systems, where the malware over time identifies and then successfully exfiltrates valuable information.
1.3.2.2.1.33 Installing general-purpose sniffers on organization-controlled information systems or networks.
1.3.2.2.1.33.1 Adversary manages to install sniffing software onto internal organizational information systems or networks.
1.3.2.2.1.34 Leverage traffic/data movement allowed across perimeter (e.g., email communications, removable storage) to compromise internal information systems (e.g., using open ports to exfiltrate information).
1.3.2.2.1.34.1 Adversary makes use of permitted information flows (e.g., email communications) to facilitate compromises to internal information systems (e.g., phishing attacks to direct users to go to Web sites containing malware) which allows adversary to obtain and exfiltrate sensitive information through perimeters.
1.3.2.2.1.35 Insert subverted individuals into the organizations.
1.3.2.2.1.35.1 Adversary has individuals in place within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag).
1.3.2.2.1.36 Insert counterfeited hardware into the supply chain.
1.3.2.2.1.36.1 Adversary intercepts hardware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware.
1.3.2.2.1.37 Inserting malicious code into organizational information systems and information system components (e.g., commercial information technology products) known to be used by organizations.
1.3.2.2.1.37.1 Adversary inserts malware into information systems specifically targeted to the hardware, software, and firmware used by organizations (resulting from the reconnaissance of organizations by adversary).
1.3.2.2.1.38 Inserting specialized, non-detectable, malicious code into organizational information systems based on system configurations.
1.3.2.2.1.38.1 Adversary launches multiple, potentially changing attacks specifically targeting critical information system components based on reconnaissance and placement within organizational information systems.
1.3.2.2.1.39 Insider-based session hijacking.
1.3.2.2.1.39.1 Adversary places an entity within organizations in order to gain access to organizational information systems or networks for the express purpose of taking control (hijacking) an already established, legitimate session either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks.
1.3.2.2.1.40 Installing persistent and targeted sniffers on organizational information systems and networks.
1.3.2.2.1.40.1 Adversary places within the internal organizational information systems or networks software designed to (over a continuous period of time) collect (sniff) network traffic.
1.3.2.2.1.41 Intercept/decrypt weak or unencrypted communication traffic and protocols.
1.3.2.2.1.41.1 Adversary takes advantage of communications that are either unencrypted or use weak encryption (e.g., encryption containing publicly known flaws), targets those communications, and gains access to transmitted information and channels.
1.3.2.2.1.42 Jamming wireless communications.
1.3.2.2.1.42.1 Adversary takes measures to interfere with the wireless communications so as to impede or prevent communications from reaching intended recipients.
1.3.2.2.1.43 Malicious activity using unauthorized ports, protocols, and services.
1.3.2.2.1.43.1 Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations.
1.3.2.2.1.44 Malicious creation, deletion, and/or modification of files on publicly accessible information systems (e.g., Web defacement).
1.3.2.2.1.44.1 Adversary vandalizes, or otherwise makes unauthorized changes to organizational Web sites or files on Web sites.
1.3.2.2.1.45 Mapping and scanning organization-controlled (internal) networks and information systems from within (inside) organizations.
1.3.2.2.1.45.1 Adversary installs malware inside perimeter that allows the adversary to scan network to identify targets of opportunity. Because the scanning does not cross the perimeter, it is not detected by externally placed intrusion detection systems.
1.3.2.2.1.46 Mishandling of critical and/or sensitive information by authorized users.
1.3.2.2.1.46.1 Authorized users inadvertently expose critical/sensitive information.
1.3.2.2.1.47 Multistage attacks (e.g., hopping).
1.3.2.2.1.47.1 Adversary moves attack location from one compromised information system to other information systems making identification of source difficult.
1.3.2.2.1.48 Network traffic modification (man in the middle) attacks by externally placed adversary.
1.3.2.2.1.48.1 Adversary intercepts/eavesdrops on sessions between organizations and external entities. Adversary then relays messages between the organizations and external entities, making them believe that they are talking directly to each other over a private connection, when in fact the entire communication is controlled by the adversary.
1.3.2.2.1.49 Network traffic modification (man in the middle) attacks by internally placed adversary.
1.3.2.2.1.49.1 Adversary operating within the infrastructure of organizations intercepts and corrupts data sessions.
1.3.2.2.1.50 Non-target specific insertion of malware into downloadable software and/or into commercial information technology products.
1.3.2.2.1.50.1 Adversary corrupts or inserts malware into common freeware, shareware, or commercial information technology products. Adversary is not targeting specific organizations in this attack, simply looking for entry points into internal organizational information systems.
1.3.2.2.1.51 Operate across organizations to acquire specific information or achieve desired outcome.
1.3.2.2.1.51.1 Adversary does not limit planning to the targeting of one organization. Adversary observes multiple organizations to acquire necessary information on targets of interest.
1.3.2.2.1.52 Opportunistically stealing or scavenging information systems/components.
1.3.2.2.1.52.1 Adversary takes advantage of opportunities (due to advantageous positioning) to steal information systems or components (e.g., laptop computers or data storage media) that are left unattended outside of the physical perimeters of organizations.
1.3.2.2.1.53 Perimeter network reconnaissance/scanning.
1.3.2.2.1.53.1 Adversary uses commercial or free software to scan organizational perimeters with the goal of obtaining information that provides the adversary with a better understanding of the information technology infrastructure and facilitates the ability of the adversary to launch successful attacks.
1.3.2.2.1.54 Pollution of critical data.
1.3.2.2.1.54.1 Adversary implants corrupted and incorrect data in the critical data that organizations use to cause organizations to take suboptimal actions or to subsequently disbelieve reliable inputs.
1.3.2.2.1.55 Poorly configured or unauthorized information systems exposed to the Internet.
1.3.2.2.1.55.1 Adversary gains access through the Internet to information systems that are not authorized for such access or that do not meet the specified configuration requirements of organizations.
1.3.2.2.1.56 Salting the physical perimeter of organizations with removable media containing malware.
1.3.2.2.1.56.1 Adversary places removable media (e.g., flash drives) containing malware in locations external to the physical perimeters of organizations but where employees are likely to find and install on organizational information systems.
1.3.2.2.1.57 Simple Denial of Service (DoS) Attack.
1.3.2.2.1.57.1 Adversary attempts to make an Internet-accessible resource unavailable to intended users, or prevent the resource from functioning efficiently or at all, temporarily or indefinitely.
1.3.2.2.1.58 Social engineering by insiders within organizations to convince other insiders to take harmful actions.
1.3.2.2.1.58.1 Internally placed adversaries take actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., personally identifiable information).
1.3.2.2.1.59 Social engineering by outsiders to convince insiders to take harmful actions.
1.3.2.2.1.59.1 Externally placed adversaries take actions (using email, phone) with the intent of persuading or otherwise tricking individuals within organizations into revealing critical/sensitive information (e.g., personally identifiable information).
1.3.2.2.1.60 Spear phishing attack.
1.3.2.2.1.60.1 Adversary employs phishing attacks targeted at high-value targets (e.g., senior leaders/executives).
1.3.2.2.1.61 Spill sensitive information.
1.3.2.2.1.61.1 Adversary contaminates organizational information systems (including devices and networks) by placing on the systems or sending to/over the systems, information of a classification/sensitivity which the systems have not been authorized to handle. The information is exposed to individuals that are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.
1.3.2.2.1.62 Spread attacks across organizations from existing footholds.
1.3.2.2.1.62.1 Adversary builds upon existing footholds within organizations and works to extend the footholds to other parts of organizations including organizational infrastructure. Adversary places itself in positions to further undermine the ability for organizations to carry out missions/business functions.
1.3.2.2.1.63 Successfully compromise software of critical information systems within organizations.
1.3.2.2.1.63.1 Adversary inserts malware or otherwise corrupts critical internal organizational information systems.
1.3.2.2.1.64 Tailgate authorized staff to gain access to organizational facilities.
1.3.2.2.1.64.1 Adversary follows authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks.
1.3.2.2.1.65 Tailored zero-day attacks on organizational information systems.
1.3.2.2.1.65.1 Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary reconnaissance of organizations.
1.3.2.2.1.66 Tamper with critical organizational information system components and inject the components into the systems.
1.3.2.2.1.66.1 Adversary replaces, through supply chain, subverted insider, or some combination thereof, critical information system components with modified or corrupted components that operate in such a manner as to severely disrupt organizational missions/business functions or operations.
1.3.2.2.1.67 Targeting and compromising home computers (including personal digital assistants and smart phones) of critical employees within organizations.
1.3.2.2.1.67.1 Adversary targets key employees of organizations outside the security perimeters established by organizations by placing malware in the personally owned information systems and devices of individuals (e.g., laptop/notebook computers, personal digital assistants, smart phones). The intent is to take advantage of any instances where employees use personal information systems or devices to convey critical/sensitive information.
1.3.2.2.1.68 Targeting and exploiting critical hardware, software, or firmware (both commercial off-the-shelf and custom information systems and components).
1.3.2.2.1.68.1 Adversary targets and attempts to compromise the operation of software (e.g., through malware injections) that performs critical functions for organizations. This is largely accomplished as supply chain attacks.
1.3.2.2.1.69 Unauthorized internal information system access by insiders.
1.3.2.2.1.69.1 Adversary is an individual who has authorized access to organizational information systems, but gains (or attempts to gain) access that exceeds authorization.
1.3.2.2.1.70 Undermine the ability of organizations to detect attacks.
1.3.2.2.1.70.1 Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations.
1.3.2.2.1.71 Use remote information system connections of authorized users as bridge to gain unauthorized access to internal networks (i.e., split tunneling).
1.3.2.2.1.71.1 Adversary takes advantage of external information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizations and to nonsecure remote connections gaining unauthorized access to organizations via nonsecure, open channels.
1.3.2.2.1.72 Using postal service or other commercial delivery services to insert malicious scanning devices (e.g., wireless sniffers) inside facilities.
1.3.2.2.1.72.1 Adversary uses courier service to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mailrooms and then wirelessly transmit information back to adversary.
1.3.2.2.1.73 Zero-day attacks (non-targeted).
1.3.2.2.1.73.1 Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Attacks are not based on any adversary insights into specific vulnerabilities of organizations.
1.3.2.2.2 Table E-3 -- Non-adversarial threat events (opposite problem -- the list is too thin -- we need to expand)
1.3.2.2.2.1 Threat source - accidental ordinary user
1.3.2.2.2.1.1 Threat event - spill sensitive information
1.3.2.2.2.1.1.1 Description - Authorized user erroneously contaminates a device, information system, or network by placing on it or sending to it information of a classification/sensitivity which it has not been authorized to handle. The information is exposed to access by unauthorized individuals, and as a result, the device, system, or network is unavailable while the spill is investigated and mitigated.
1.3.2.2.2.2 Threat source - Accidental Privileged User or Administrator
1.3.2.2.2.2.1 Threat event - Mishandling of critical and/or sensitive information by authorized users
1.3.2.2.2.2.1.1 Description - Authorized privileged user inadvertently exposes critical/sensitive information.
1.3.2.2.2.3 Threat source - Communication
1.3.2.2.2.3.1 Threat event - Communications contention
1.3.2.2.2.3.1.1 Description - Degraded communications performance due to contention.
1.3.2.2.2.4 Threat source - Earthquake
1.3.2.2.2.4.1 Threat event - Earthquake at primary facility
1.3.2.2.2.4.1.1 Description - Earthquake of organization-defined magnitude at primary facility makes facility inoperable.
1.3.2.2.2.5 Threat source - Fire
1.3.2.2.2.5.1 Threat event - Fire at primary facility
1.3.2.2.2.5.1.1 Description - Fire (not due to adversarial activity) at primary facility makes facility inoperable.
1.3.2.2.2.6 Threat source - Processing
1.3.2.2.2.6.1 Threat event - Resource depletion
1.3.2.2.2.6.1.1 Description - Degraded processing performance due to resource depletion.
1.3.2.2.2.7 Threat source - Storage
1.3.2.2.2.7.1 Threat event - disk error
1.3.2.2.2.7.1.1 Description - Corrupted storage due to a disk error.
1.3.2.2.2.8 Threat source - Storage
1.3.2.2.2.8.1 Threat event - pervasive disk error
1.3.2.2.2.8.1.1 Description - Multiple disk errors due to aging of a set of devices all acquired at the same time, from the same supplier.
1.3.2.2.3 Our "threats and vulnerabilities" work fits here -- but we may want to revise our taxonomy a bit
1.3.2.3 What degree of confirmation is needed for threat events to be considered relevant to the risk assessment?
1.3.2.3.1 Only those that have been observed, or
1.3.2.3.2 All possible threat events
1.3.3 Vulnerabilities and predisposing conditions
1.3.3.1 Determine types of vulnerabilities to be considered
1.3.3.1.1 Vulnerabilities of information systems (hardware, software, firmware, internal controls, security procedures)
1.3.3.1.2 Environmental vulnerabilities (Organization governance, external relationships, mission/business processes, enterprise architecture, information security architecture)
1.3.3.1.3 Our "threats and vulnerabilities" work fits here -- but we may want to revise our taxonomy a bit
1.3.3.2 Determine level of detail in vulnerability descriptions to be used
1.3.3.3 Determine types of predisposing conditions to be considered
1.3.3.3.1 Table F-4 -- representative samples
1.3.3.3.1.1 Information related
1.3.3.3.1.1.1 Description:
1.3.3.3.1.1.1.1 Needs to handle information (as it is created, transmitted, stored, processed, and/or displayed) in a specific manner, due to its sensitivity (or lack of sensitivity), legal or regulatory requirements, and/or contractual or other organizational agreements.
1.3.3.3.1.1.2 Examples:
1.3.3.3.1.1.2.1 - Classified National Security Information
1.3.3.3.1.1.2.2 - Compartments
1.3.3.3.1.1.2.3 - Controlled Unclassified Information
1.3.3.3.1.1.2.4 - Personally Identifiable Information
1.3.3.3.1.1.2.5 - Special Access Programs
1.3.3.3.1.1.2.6 - Agreement-Determined (eg proprietary)
1.3.3.3.1.2 Technical
1.3.3.3.1.2.1 Description
1.3.3.3.1.2.1.1 Needs to use technologies in specific ways.
1.3.3.3.1.2.2 Examples:
1.3.3.3.1.2.2.1 - Architectural
1.3.3.3.1.2.2.1.1 - Compliance with technical standards
1.3.3.3.1.2.2.1.2 - Use of specific products or product lines
1.3.3.3.1.2.2.1.3 - Solutions for and/or approaches to user-based collaboration and information sharing
1.3.3.3.1.2.2.1.4 - Allocation of specific security functionality to common controls
1.3.3.3.1.2.2.2 - Functional
1.3.3.3.1.2.2.2.1 - Networked multiuser
1.3.3.3.1.2.2.2.2 - Single-user
1.3.3.3.1.2.2.2.3 - Stand-alone / nonnetworked
1.3.3.3.1.2.2.2.4 - Restricted functionality (e.g., communications, sensors, embedded controllers)
1.3.3.3.1.3 Operational / Environmental
1.3.3.3.1.3.1 Description:
1.3.3.3.1.3.1.1 Ability to rely upon physical, procedural, and personnel controls provided by the operational environment.
1.3.3.3.1.3.2 Examples:
1.3.3.3.1.3.2.1 - Mobility
1.3.3.3.1.3.2.1.1 - Fixed-site (specify location)
1.3.3.3.1.3.2.1.2 - Semi-mobile
1.3.3.3.1.3.2.1.2.1 - Land-based (e.g., van)
1.3.3.3.1.3.2.1.2.2 - Airborne
1.3.3.3.1.3.2.1.2.3 - Sea-based
1.3.3.3.1.3.2.1.2.4 - Space-based
1.3.3.3.1.3.2.1.3 - Mobile (e.g., handheld device)
1.3.3.3.1.3.2.2 - Population with physical and/or logical access to components of the information system, mission/business process, EA segment
1.3.3.3.1.3.2.2.1 - Size of population
1.3.3.3.1.3.2.2.2 - Clearance/vetting of population
1.3.3.3.2 I don't "get" this section yet -- more reading required -- Mikey
1.3.4 Impacts
1.3.4.1 Determine potential adverse impacts
1.3.4.1.1 Organizational
1.3.4.1.1.1 Mission
1.3.4.1.1.2 Functions
1.3.4.1.1.3 Image
1.3.4.1.1.4 Reputation
1.3.4.1.1.5 Assets
1.3.4.1.2 Other organizations
1.3.4.1.2.1 Mission
1.3.4.1.2.2 Functions
1.3.4.1.2.3 Image
1.3.4.1.2.4 Reputation
1.3.4.1.2.5 Assets
1.3.4.1.3 Nations and the world
1.3.4.1.3.1 Mission
1.3.4.1.3.2 Functions
1.3.4.1.3.3 Image
1.3.4.1.3.4 Reputation
1.3.4.1.3.5 Assets
1.3.4.1.4 Table H-2 -- Representative samples
1.3.4.1.4.1 Harm to operations
1.3.4.1.4.1.1 Inability to perform current missions/business functions
1.3.4.1.4.1.1.1 In a sufficient and timely manner
1.3.4.1.4.1.1.2 With sufficient confidence and/or correctness
1.3.4.1.4.1.1.3 Within planned resource constraints
1.3.4.1.4.1.2 Inability to restore missions/business functions
1.3.4.1.4.1.2.1 In a sufficiently timely manner
1.3.4.1.4.1.2.2 With sufficient confidence or correctness
1.3.4.1.4.1.2.3 Within planned resource constraints
1.3.4.1.4.1.3 Harms (eg financial costs, sanctions) due to noncompliance
1.3.4.1.4.1.3.1 With applicable laws or regulations
1.3.4.1.4.1.3.2 With requirements in contracts or agreements
1.3.4.1.4.1.4 Direct financial costs
1.3.4.1.4.1.5 Relational harms
1.3.4.1.4.1.5.1 Damage to trust relationships
1.3.4.1.4.1.5.2 Damage to image or reputation (and thus future trust relationships)
1.3.4.1.4.2 Harm to assets
1.3.4.1.4.2.1 Physical facilities
1.3.4.1.4.2.2 Information systems or networks
1.3.4.1.4.2.3 Information technology or equipment
1.3.4.1.4.2.4 Component parts or supplies
1.3.4.1.4.2.5 Information assets
1.3.4.1.4.2.6 Intellectual property
1.3.4.1.4.3 Harm to individuals
1.3.4.1.4.3.1 Identity theft
1.3.4.1.4.3.2 Loss of personally identifiable information
1.3.4.1.4.3.3 Injury or loss of life
1.3.4.1.4.3.4 Damage to image or reputation
1.3.4.1.4.3.5 Physical or psychological mistreatment
1.3.4.1.4.4 Harms to other organizations
1.3.4.1.4.4.1 Harms due to noncompliance
1.3.4.1.4.4.1.1 With laws or regulations
1.3.4.1.4.4.1.2 With requirements in contracts or agreements
1.3.4.1.4.4.2 Direct financial costs
1.3.4.1.4.4.3 Relational harms
1.3.4.1.4.4.3.1 Damage to trust relationships
1.3.4.1.4.4.3.2 Damage to image or reputation (and thus future trust relationships)
1.3.4.1.4.5 Harm to nations and the world
1.3.4.1.4.5.1 Damage to or incapacitation of a critical infrastructure sector
1.3.4.1.4.5.2 Loss of governmental continuity of operations
1.3.4.1.4.5.3 Relational harms
1.3.4.1.4.5.3.1 Damage to trust relationships between governments or regions
1.3.4.1.4.5.3.2 Damage to governmental or regional reputation
1.3.4.1.4.5.4 Damage to ability to meet national or global objectives
1.3.5 Risk tolerance and uncertainty
1.3.5.1 Determine the levels of risk that are acceptable
1.3.5.1.1 Likelihood
1.3.5.1.1.1 Assume worst-case, vs
1.3.5.1.1.2 Assume that unobserved events are unlikely
1.3.5.1.2 Impact
1.3.5.2 Determine the types of risk that are acceptable
1.3.5.3 Determine the degree of risk uncertainty that is acceptable
1.3.6 Analytic approach
1.3.6.1 Determine the degree of detail (or the form) in which threats are analyzed -- the level of granularity used to describe threat events and threat scenarios
1.3.6.1.1 Threat events
1.3.6.1.1.1 Maybe we choose to do some of these...
1.3.6.1.2 Pairings of threat events and threat sources
1.3.6.1.2.1 Some of these...
1.3.6.1.3 Detailed threat scenario/attack-tree
1.3.6.1.3.1 And one or two of these?
1.3.6.1.4 NOTE: In general, organizations can be expected to require more detail for highly critical mission/business functions, common infrastructures, or shared services on which multiple missions or business functions depend (as common points of failure), and information systems with high criticality or sensitivity.
1.4 1-4 -- Identify information sources
1.4.1 Internal
1.4.1.1 Incident reports
1.4.1.2 Trouble tickets
1.4.1.3 Monitoring results
1.4.2 External
1.4.2.1 Cross-community organizations
1.4.2.1.1 CERTs
1.4.2.1.2 Information sharing and analysis centers (ISACs) for critical infrastructure sectors
1.4.2.1.3 Research organizations and NGOs
1.5 1-5 -- Define risk model
1.5.1 LOL -- the people writing the NIST document must have gotten tired -- this section basically says "and then a miracle occurs" when they describe this. I'll keep reading.
2 Step 2 - Conduct risk assessment
2.1 2-1 -- Identify threat sources
2.1.1 Provide threat source inputs
2.1.1.1 Threat information sources (from Task 1-4)
2.1.1.2 Taxonomy of threat sources (tailored version of Table D-2)
2.1.1.2.1 Table D-2 -- Taxonomy of threat sources
2.1.1.2.1.1 Adversarial
2.1.1.2.1.1.1 Description
2.1.1.2.1.1.1.1 Individuals, groups, organizations or states that seek to exploit the organization's dependence on cyber resources
2.1.1.2.1.1.2 Characteristics
2.1.1.2.1.1.2.1 Capability
2.1.1.2.1.1.2.2 Intent
2.1.1.2.1.1.2.3 Targeting
2.1.1.2.1.1.3 Types
2.1.1.2.1.1.3.1 Individual
2.1.1.2.1.1.3.1.1 Outsider
2.1.1.2.1.1.3.1.2 Insider
2.1.1.2.1.1.3.1.3 Trusted Insider
2.1.1.2.1.1.3.1.4 Privileged Insider
2.1.1.2.1.1.3.2 Group
2.1.1.2.1.1.3.2.1 Ad Hoc
2.1.1.2.1.1.3.2.2 Established
2.1.1.2.1.1.3.2.3 Organization
2.1.1.2.1.1.3.2.4 Nation-state
2.1.1.2.1.2 Accidental
2.1.1.2.1.2.1 Description
2.1.1.2.1.2.1.1 Erroneous actions taken by individuals in the course of executing their everyday responsibilities
2.1.1.2.1.2.2 Characteristics
2.1.1.2.1.2.2.1 Range of effects
2.1.1.2.1.2.3 Types
2.1.1.2.1.2.3.1 Ordinary users
2.1.1.2.1.2.3.2 Privileged users
2.1.1.2.1.3 Structural
2.1.1.2.1.3.1 Description
2.1.1.2.1.3.1.1 Failures of equipment, environmental controls or software due to aging, resource depletion or other circumstances which exceed expected operating parameters
2.1.1.2.1.3.2 Characteristics
2.1.1.2.1.3.2.1 Range of effects
2.1.1.2.1.3.3 Types
2.1.1.2.1.3.3.1 IT Equipment
2.1.1.2.1.3.3.1.1 Storage
2.1.1.2.1.3.3.1.2 Processing
2.1.1.2.1.3.3.1.3 Communications
2.1.1.2.1.3.3.1.4 Display
2.1.1.2.1.3.3.1.5 Sensor
2.1.1.2.1.3.3.1.6 Controller
2.1.1.2.1.3.3.2 Environmental
2.1.1.2.1.3.3.2.1 Temperature/humidity controls
2.1.1.2.1.3.3.2.2 Power supply
2.1.1.2.1.3.3.3 Software
2.1.1.2.1.3.3.3.1 Operating system
2.1.1.2.1.3.3.3.2 Networking
2.1.1.2.1.3.3.3.3 General-purpose applications
2.1.1.2.1.3.3.3.4 Mission-specific applications
2.1.1.2.1.4 Environmental
2.1.1.2.1.4.1 Description
2.1.1.2.1.4.1.1 Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization
2.1.1.2.1.4.1.1.1 Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (eg Category 5 hurricane causes extensive damage to the facilities housing mission-critical systems, making those systems unavailable for three weeks).
2.1.1.2.1.4.2 Characteristics
2.1.1.2.1.4.2.1 Range of effects
2.1.1.2.1.4.3 Types
2.1.1.2.1.4.3.1 Natural or man-made disaster
2.1.1.2.1.4.3.1.1 Fire
2.1.1.2.1.4.3.1.2 Flood/Tsunami
2.1.1.2.1.4.3.1.3 Windstorm/tornado
2.1.1.2.1.4.3.1.4 Hurricane
2.1.1.2.1.4.3.1.5 Earthquake
2.1.1.2.1.4.3.1.6 Bombing
2.1.1.2.1.4.3.1.7 Overrun
2.1.1.2.1.4.3.2 Unusual natural event (eg sunspots)
2.1.1.2.1.4.3.3 Infrastructure failure/outage
2.1.1.2.1.4.3.3.1 Telecommunications
2.1.1.2.1.4.3.3.2 Power
2.1.1.3 Characterization of adversarial and non-adversarial threat sources
2.1.1.3.1 Adversary capability, intent and targeting (tailored versions of Tables D-3, D-4, D-5)
2.1.1.3.1.1 Table D-3 -- Adversary capability
2.1.1.3.1.1.1 The adversary has a very sophisticated level of expertise, is well-resourced, and can generate opportunities to support multiple successful, continuous, and coordinated attacks.
2.1.1.3.1.1.2 The adversary has a sophisticated level of expertise, with significant resources and opportunities to support multiple successful coordinated attacks.
2.1.1.3.1.1.3 The adversary has moderate resources, expertise, and opportunities to support multiple successful attacks.
2.1.1.3.1.1.4 The adversary has limited resources, expertise, and opportunities to support a successful attack.
2.1.1.3.1.1.5 The adversary has very limited resources, expertise, and opportunities to support a successful attack.
2.1.1.3.1.2 Table D-4 -- Adversary intent
2.1.1.3.1.2.1 The adversary seeks to undermine, severely impede, or destroy a core mission or business function, program, or enterprise by exploiting a presence in the organization’s information systems or infrastructure. The adversary is concerned about disclosure of tradecraft only to the extent that it would impede its ability to complete stated goals.
2.1.1.3.1.2.2 The adversary seeks to undermine/impede critical aspects of a core mission or business function, program, or enterprise, or place itself in a position to do so in the future, by maintaining a presence in the organization’s information systems or infrastructure. The adversary is very concerned about minimizing attack detection/disclosure of tradecraft, particularly while preparing for future attacks.
2.1.1.3.1.2.3 The adversary seeks to obtain or modify specific critical or sensitive information or usurp/disrupt the organization’s cyber resources by establishing a foothold in the organization’s information systems or infrastructure. The adversary is concerned about minimizing attack detection/disclosure of tradecraft, particularly when carrying out attacks over long time periods. The adversary is willing to impede aspects of the organization’s mission/business functions to achieve these ends.
2.1.1.3.1.2.4 The adversary actively seeks to obtain critical or sensitive information or to usurp/disrupt the organization’s cyber resources, and does so without concern about attack detection/disclosure of tradecraft.
2.1.1.3.1.2.5 The adversary seeks to usurp, disrupt, or deface the organization’s cyber resources, and does so without concern about attack detection/disclosure of tradecraft.
2.1.1.3.1.3 Table D-5 -- Adversary targeting
2.1.1.3.1.3.1 The adversary analyzes information obtained via reconnaissance and attacks to target persistently a specific organization, enterprise, program, mission or business function, focusing on specific high-value or mission-critical information, resources, supply flows, or functions; specific employees or positions; supporting infrastructure providers/suppliers; or partnering organizations.
2.1.1.3.1.3.2 The adversary analyzes information obtained via reconnaissance to target persistently a specific organization, enterprise, program, mission or business function, focusing on specific high-value or mission-critical information, resources, supply flows, or functions, specific employees supporting those functions, or key positions.
2.1.1.3.1.3.3 The adversary analyzes publicly available information to target persistently specific high-value organizations (and key positions, such as Chief Information Officer), programs, or information.
2.1.1.3.1.3.4 The adversary uses publicly available information to target a class of high-value organizations or information, and seeks targets of opportunity within that class.
2.1.1.3.1.3.5 The adversary may or may not target any specific organizations or classes of organizations.
2.1.1.3.2 Range of effects of non-adversarial threat sources (tailored version of Table D-6)
2.1.1.3.2.1 Table D-6 -- Range of effects
2.1.1.3.2.1.1 The effects of the error, accident, or act of nature are sweeping, involving almost all of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure].
2.1.1.3.2.1.2 The effects of the error, accident, or act of nature are extensive, involving most of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including many critical resources.
2.1.1.3.2.1.3 The effects of the error, accident, or act of nature are wide-ranging, involving a significant portion of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including some critical resources.
2.1.1.3.2.1.4 The effects of the error, accident, or act of nature are limited, involving some of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], but involving no critical resources.
2.1.1.3.2.1.5 The effects of the error, accident, or act of nature are minimal, involving few if any of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], and involving no critical resources.
2.1.2 Use (and tailor) Table D-2 to identify threat sources, updating Tables D-7 and D-8 (adversarial and non-adversarial threat sources respectively)
2.1.2.1 Table D-7 -- Adversarial threat sources
2.1.2.1.1 Columns
2.1.2.1.1.1 Identifier (defined by us)
2.1.2.1.1.2 Threat source (Task 1-4 and Table D-2)
2.1.2.1.1.3 Source of information
2.1.2.1.1.4 In scope? (yes/no)
2.1.2.1.1.5 Capability (tailored Table D-3)
2.1.2.1.1.6 Intent (tailored Table D-4)
2.1.2.1.1.7 Targeting (tailored Table D-5)
2.1.2.2 Table D-8 -- Non-adversarial threat sources
2.1.2.2.1 Columns
2.1.2.2.1.1 Identifier (defined by us)
2.1.2.2.1.2 Threat source (Task 1-4 and Table D-2)
2.1.2.2.1.3 Source of information
2.1.2.2.1.4 In scope? (yes/no)
2.1.2.2.1.5 Range of effects (tailored Table D-6)
2.2 2-2 -- Identify threat events
2.3 2-3 -- Identify vulnerabilities and predisposing conditions
2.4 2-4 -- Determine likelihood
2.5 2-5 -- Determine impact
2.6 2-6 -- Determine risk
3 Step 3 - Maintain risk assessment
3.1 3-1 -- Monitor risk factors
3.2 3-2 -- Update risk assessment