O-ISM3 Incident Taxonomy v1.0
Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
472
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
23
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. O-ISM3 Incident Taxonomy v1.0
Authored by: Vicente Aceituno
Mail: learn@inovement.es
Phone: +34 668 862 242
Version 1.0: 18th of July 2014
COPYRIGHT NOTICE: This Report is copyrighted by Inovement Europe. This is an informational document, and it doesn't represent legal or professional advice from Inovement, the authors or reviewers of this document. This document is offered as is without any warranty of completeness, accuracy or timeliness. Inovement, the authors and reviewers of this document disclaim any implied warranty or liability.
  • 2. Introduction
For effective communication, information security professionals use a rich vocabulary with very specific and sometimes even personal meanings. Risk assessment methods use a model of the organization, a model of the information systems, a threat taxonomy, a vulnerability taxonomy, a control taxonomy and a way to combine them to reach a risk figure. Unfortunately, there is no common agreement on the classes of threats that exist and the controls that can mitigate them.

Using O-ISM3 concepts and definitions, it is possible to classify threats by who the agent of the threat is (accidents, errors, attacks), what the object of the attack is (repositories, messages, services, sessions, interfaces, channels) and what the consequences of the attack are. As threats to instructions and credentials can lead to more serious consequences, instructions and credentials that are stored in repositories or messages are mentioned explicitly. Threats can also be classed by the mechanism of the attack, error or accident. As effective protection can often be established against attacks whatever the mechanism used, this taxonomy does not use the mechanism as a classification criterion.

O-ISM3's components of Information Systems
Information Systems are complex and have various tangible and intangible components. The components can be classed at the chosen level of abstraction according to structural and transactional features.

Structural Features – the various assets from which an information system may be built:
  • Repositories: Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media;
  • Interfaces: Any input/output device, such as screens, printers and fax;
  • Channels: Physical or logical pathways for the flow of messages, including buses, LAN networks, etc. A Network is a dynamic set of channels;
  • Borders define the limits of the system.

Physical devices can host one or many logical components. Structural objects exist at every logical and physical level. The table below contains examples of each type of structural asset:

| Repository | Interface | Channel |
| --- | --- | --- |
| Payroll Database | Web-based interface | HTTPS |
| Database Replica | System call | TCP |
| File system | Monitor, keyboard and mouse | Frame relay PVC |
| Hard drive | Connector | Cable |
  • 3. Transactional Features – the various assets from which an information system produces actual results:
  • Services: Any value provider in an information system, including services provided by BIOS, operating systems and applications. A service can collaborate with other services or lower level services to complete a task that provides value, like accessing information from a repository;
  • Messages: Any meaningful information exchanged between two services or a user and an interface;
  • Sessions: A temporary relationship of trust between services. The establishment of this relationship can require the exchange of credentials.

Transactional assets are dynamic, such as running processes and moving messages. Static assets such as mail or program files stored in a repository are not considered either a message or a service. Transactional objects exist at every logical and physical level. The table below contains examples of each type of transactional asset:

| Service | Message |
| --- | --- |
| Bank Account | Transfer from another account |
| SOAP API Interface | SOAP Call |
| Port | TCP Packet |
| Ethernet Port | Ethernet Packet |
  • 4. Request types generated by information systems and users
Records in a log contain a series of events. Events are requests that can have a successful or failed result. Using the O-ISM3 system model, it is possible to create a comprehensive list of request types, as follows:

| Resources | Initiate | Finalize | Freeze | Unfreeze | Query State | Change State |
| --- | --- | --- | --- | --- | --- | --- |
| Repository | create | delete | block | unblock | read | write |
| Message | send | listen | retain | forward | read | write |
| Credential | create | delete | block | unblock | read | write |
| Instruction | send | listen | retain | forward | read | write |
| Service | start | stop | pause | resume | read | write |
| Channel | open | close | hold | release | read | write |
| Interface | connect | disconnect | interrupt | continue | read | write |
| Session | login | logout | suspend | resume | read | write |

  • Note: The request “listen” can also be understood as “receive” or “detect”, but for simplicity only the word “listen” is used.
  • Note: If the repository is RAM, “block” and “unblock” are equivalent to “allocate” and “free”.

Incident Taxonomy
There are three types of incidents depending on the agent:
  • If the agent is a force of nature, the incident is an Accident, for example a natural flood due to rain.
  • If the agent is people, but there is no intention to harm, the incident is an Error.
  • If the agent is people with an intention to do harm, the incident is an Attack.

Agents can be Corporate Raiders, Hackers, Professional Criminals, Spies, Terrorists or Vandals that work for a feeling of accomplishment, political gain, financial gain, knowledge gain or status gain.

The following table lists the different combinations of user, action requested, object of the action and result of the action. Certain combinations will result in an incident; some will not. For example, deleting an expired repository is not considered an incident.
  • 5. (table continues on slide 6)
Legend for the User column: “Authorized” stands for “Owns the user account and has Access Rights to perform the Action on the Resource”; “Unauthorized” stands for “Does not own the user account and/or doesn't have Access Rights to access the resource”. Action and resource lists are position-matched (create a repository, send a message, create a credential, send an instruction). Where a Type of Incident cell holds two values separated by a slash, both appear in the source in that order.

| User | Action Requested | Resource (Expired or Valid) | Action Result | Type of Incident |
| --- | --- | --- | --- | --- |
| Authorized | create / send / create / send | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability / Unavailability |
| Authorized | start / open / connect / login | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability / Unavailability |
| Authorized | delete / listen / delete / listen | Expired repository / message / credential / instruction | Failure | Unavailability |
| Authorized | delete / listen / delete / listen | Valid repository / message / credential / instruction | Failure | No |
| Authorized | stop / close / disconnect / logout | Expired service / channel / interface / session | Failure | Unavailability |
| Authorized | stop / close / disconnect / logout | Valid service / channel / interface / session | Failure | No |
| Authorized | block / retain / block / retain | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability |
| Authorized | pause / hold / interrupt / suspend | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability |
| Authorized | unblock / forward / unblock / forward | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability |
| Authorized | resume / release / continue / resume | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability |
| Authorized | read | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability |
| Authorized | read | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability |
| Authorized | write | Valid repository / message / credential / instruction | Failure or Success, but not logged when required | No / Error |
| Authorized | write | Valid service / channel / interface / session | Failure or Success, but not logged when required | No / Error |
| Authorized | write | Expired repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability / No |
| Authorized | write | Expired service / channel / interface / session | Failure or Success, but not logged when required | Unavailability / No |
| Authorized | create / send / create / send | repository / message / credential / instruction | Success, logged if required | No |
| Authorized | start / open / connect / login | service / channel / interface / session | Success, logged if required | No |
| Authorized | delete / listen / delete / listen | Expired repository / message / credential / instruction | Success, logged if required | No |
| Authorized | delete / listen / delete / listen | Valid repository / message / credential / instruction | Success, or Partial success | Error |
| Authorized | stop / close / disconnect / logout | Expired service / channel / interface / session | Success, logged if required | No |
| Authorized | stop / close / disconnect / logout | Valid service / channel / interface / session | Success, logged if required | Error |
| Unauthorized | read | repository / message / credential / instruction | Success, logged if required | Intrusion |
| Unauthorized | read | service / channel / interface / session | Success, logged if required | Intrusion |
| Unauthorized | read | repository / message / credential / instruction | Failure or Success, but not logged when required | No |
| Unauthorized | read | service / channel / interface / session | Failure or Success, but not logged when required | No |
| Any | Any | repository, message, credential or instruction | Success, logged if required | Unauthorized Use after access |
| Any | Any | service, channel, interface or session | Success, logged if required | Unauthorized Use after access |
| Any | Any | repository, message, credential or instruction | Any, not logged when required | Lack of evidence of Use |
| Any | Any | service, channel, interface or session | Any, not logged when required | Lack of evidence of Use |
| Any | Any | repository, message, credential or instruction | Underperformance in terms of rate of accesses or speed of response | Unavailability |
| Any | Any | service, channel, interface or session | Underperformance in terms of rate of accesses or speed of response | Unavailability |
| Any | Any | repository, message, credential or instruction | Failure due to obsolete systems or formats | Obsolescence |
| Any | Any | service, channel, interface or session | Failure due to obsolete systems or formats | Obsolescence |
| Any | Any | repository, message, credential or instruction | Failure due to information no longer valid | Inaccuracy of information |
| Any | Any | service, channel, interface or session | Failure due to information no longer valid | Inaccuracy of information |
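The two tables above (request types on slide 4, incident combinations on slides 5 and 6) are effectively lookup rules that a log-analysis pipeline can apply to each event. The following Python is an added worked example, not code from the O-ISM3 document, Inovement or its author: it transcribes the request-type table and the two synonym notes into a normaliser, then encodes the incident rows as a classifier. The `Event` record shape is an assumption about how a log entry would be reduced to the table's columns; the two-valued “Type of Incident” cells for the write rows are read the same way the finalize rows read (first value for Failure, second for Success not logged), which is an assumption; the “Unauthorized Use after access” rows are not modelled because they depend on a judgment the event fields cannot express. The classifier returns every matching row type, since the table's rows overlap (an unlogged action is both an Unavailability row and a Lack-of-evidence row).

```python
"""Normalise log verbs to O-ISM3 request types and classify events by the incident table.

Added illustration; the tables are transcribed from the slides, the Event shape
and the reading of two-valued cells are assumptions (see lead-in).
"""
from dataclasses import dataclass
from typing import Optional

# Slide 4: request types per resource, in column order
# Initiate, Finalize, Freeze, Unfreeze, Query State, Change State.
REQUEST_COLUMNS = ("initiate", "finalize", "freeze", "unfreeze", "query", "change")
REQUEST_TYPES = {
    "repository":  ("create",  "delete",     "block",     "unblock",  "read", "write"),
    "message":     ("send",    "listen",     "retain",    "forward",  "read", "write"),
    "credential":  ("create",  "delete",     "block",     "unblock",  "read", "write"),
    "instruction": ("send",    "listen",     "retain",    "forward",  "read", "write"),
    "service":     ("start",   "stop",       "pause",     "resume",   "read", "write"),
    "channel":     ("open",    "close",      "hold",      "release",  "read", "write"),
    "interface":   ("connect", "disconnect", "interrupt", "continue", "read", "write"),
    "session":     ("login",   "logout",     "suspend",   "resume",   "read", "write"),
}
# The two notes on slide 4: "listen" also covers receive/detect; for RAM,
# block/unblock are allocate/free.
SYNONYMS = {"receive": "listen", "detect": "listen", "allocate": "block", "free": "unblock"}


def request_class(resource: str, verb: str) -> str:
    """Map a (resource, verb) pair taken from a log record onto its table column."""
    verb = SYNONYMS.get(verb, verb)
    verbs = REQUEST_TYPES[resource]  # KeyError for a resource outside the model
    if verb not in verbs:
        raise ValueError(f"{verb!r} is not a request type for {resource!r}")
    return REQUEST_COLUMNS[verbs.index(verb)]


@dataclass(frozen=True)
class Event:
    """One log record reduced to the columns of the slide 5-6 table (assumed shape)."""
    resource: str
    verb: str
    authorized: bool          # owns the account and has access rights on the resource
    valid: bool               # True = valid resource, False = expired
    success: bool
    logged: bool              # logged when required
    condition: Optional[str] = None  # "underperformance", "obsolete" or "stale"


def classify(ev: Event) -> frozenset:
    """Return every incident type whose table row matches; empty set means 'No'."""
    kinds = set()
    rc = request_class(ev.resource, ev.verb)
    if ev.authorized:
        if rc == "initiate":
            # create/send/start/open/connect/login: only a logged success is 'No'
            if not (ev.success and ev.logged):
                kinds.add("Unavailability")
        elif rc in ("finalize", "change"):
            # Finalize rows: expired+failure -> Unavailability, valid+success -> Error.
            # Write rows are read the same way (assumption): first value for Failure,
            # second for Success not logged.
            if ev.success:
                if ev.valid and (rc == "finalize" or not ev.logged):
                    kinds.add("Error")
            elif not ev.valid:
                kinds.add("Unavailability")
        else:  # freeze, unfreeze and query rows
            if not (ev.success and ev.logged):
                kinds.add("Unavailability")
    elif rc == "query" and ev.success and ev.logged:
        kinds.add("Intrusion")  # unauthorized read that succeeded and was logged
    # Rows that apply to any user and any action
    if not ev.logged:
        kinds.add("Lack of evidence of Use")
    if ev.condition == "underperformance":
        kinds.add("Unavailability")
    elif ev.condition == "obsolete":
        kinds.add("Obsolescence")
    elif ev.condition == "stale":
        kinds.add("Inaccuracy of information")
    return frozenset(kinds)


if __name__ == "__main__":
    # Constructed sample records, not taken from any real log.
    samples = [
        Event("repository", "read", authorized=False, valid=True, success=True, logged=True),
        Event("message", "receive", authorized=True, valid=False, success=False, logged=True),
        Event("repository", "allocate", authorized=True, valid=True, success=True, logged=False),
        Event("channel", "read", authorized=True, valid=True, success=True, logged=True,
              condition="obsolete"),
    ]
    for ev in samples:
        print(ev.resource, ev.verb, "->", sorted(classify(ev)) or ["No"])
```

Running the block prints, for instance, `repository read -> ['Intrusion']` for the unauthorized logged read and `message receive -> ['Unavailability']` for the failed listen on an expired message; the RAM `allocate` that went unlogged picks up both the freeze-row Unavailability and the Lack of evidence of Use row, which is exactly the overlap a detection engineer has to decide how to prioritise.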