
O-ISM3 Threat Taxonomy v1.0

  1. O-ISM3 Threat Taxonomy v1.0. Inovement - CREATIVE COMMONS ATTRIB-NODERIVS-NONCOMMERCIAL LICENSE 2013, SOME RIGHTS RESERVED.
  2. O-ISM3 THREAT TAXONOMY V1.0

     CONTACT INFORMATION
     Calle Loeches, 1, 2E
     28008 Madrid, Spain
     Mail: learn@inovement.es
     Phone: +34 668 862 242

     LEGAL DISCLAIMER
     This is an informational document, and it doesn't represent legal or professional advice from the ISM3 Consortium, the authors or reviewers of this document. This document is offered as is without any warranty of completeness, accuracy or timeliness. Inovement, the authors and reviewers of this document disclaim any implied warranty or liability.

     LICENSE AND COPYRIGHT
     This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Any copyrighted material mentioned in this document is property of their respective owners.
  3. Table of Contents

     1 Introduction
     2 Threat Taxonomy

     ISM3 Consortium - CREATIVE COMMONS ATTRIB-NODERIVS-NONCOMMERCIAL 3.0 LICENSE 2007, SOME RIGHTS RESERVED.
  4. 1 Introduction

     For effective communication, information security professionals use a rich vocabulary with very specific and sometimes even personal meaning.

     Risk assessment methods use a model of the organization, a threat taxonomy, a vulnerability taxonomy, a control taxonomy and a way to combine them to reach a Risk figure. Unfortunately, a common agreement on the classes of threats that exist and the controls that can mitigate them is not available.

     Using O-ISM3 concepts and definitions, it is possible to classify threats depending on who is the agent of the threat (accidents, errors, attacks), what is the object of the attack (repositories, messages, services, sessions, interfaces, channels) and what are the effects of the attack. As threats to instructions and credentials can lead to more serious consequences, instructions and credentials that are stored in repositories or messages are mentioned explicitly.

     Threats can also be classed depending on the mechanism of the attack, error or accident. As effective protection can often be established against attacks whatever the mechanism used, this taxonomy does not use mechanism as a classification criterion.
  5. 2 Threat Taxonomy

     | Type of Incident | Losses / Effect | Asset / Object | Agent / Subject | Agent Gains |
     |---|---|---|---|---|
     | Accident | Failure to destroy expired information or systems | repository, message, credential, instruction | Forces of nature | Not applicable |
     | | Destruction of valid information | repository, message, credential, instruction | | |
     | | Corruption of valid information | repository, message, credential, instruction | | |
     | | Loss of valid information | repository, message, credential, instruction | | |
     | | Aging of information | repository, message, credential, instruction | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of information | repository, message, credential, instruction | | |
     | | Improper use of authorized access to information or systems | repository, message, credential, instruction | | |
     | | Improper recording of access to information | repository, message, credential, instruction | | |
     | | Failure to stop systems at will | service, channel, interface, session | | |
     | | Destruction of valid systems | service, channel, interface, session | | |
     | | Corruption of valid systems | service, channel, interface, session | | |
     | | Loss of valid systems | service, channel, interface, session | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of channels | service, channel, interface, session | | |
     | | Failure of authorized access | service, channel, interface, session | | |
     | | Underperformance or Interruption of valid system services | service, channel, interface, session | | |
     | | Improper use of authorized access | service, channel, interface, session | | |
     | | Improper recording of use of systems | service, channel, interface, session | | |
     | | Outdated systems | service, channel, interface, session | | |
     | Error | Failure to destroy expired information or systems | repository, message, credential, instruction | People | Not applicable |
     | | Destruction of valid information | repository, message, credential, instruction | | |
     | | Corruption of valid information | repository, message, credential, instruction | | |
     | | Loss of valid information | repository, message, credential, instruction | | |
     | | Aging of information | repository, message, credential, instruction | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of information | repository, message, credential, instruction | | |
     | | Improper use of authorized access to information or systems | repository, message, credential, instruction | | |
     | | Improper recording of access to information | repository, message, credential, instruction | | |
     | | Failure to stop systems at will | repository, message, credential, instruction | | |
     | | Destruction of valid systems | service, channel, interface, session | | |
     | | Corruption of valid systems | service, channel, interface, session | | |
     | | Loss of valid systems | service, channel, interface, session | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of channels | service, channel, interface, session | | |
  6. | Type of Incident | Losses / Effect | Asset / Object | Agent / Subject | Agent Gains |
     |---|---|---|---|---|
     | Error (continued) | Failure of authorized access | service, channel, interface, session | | |
     | | Underperformance or Interruption of valid system services | service, channel, interface, session | | |
     | | Improper use of authorized access | service, channel, interface, session | | |
     | | Improper recording of use of systems | service, channel, interface, session | | |
     | | Outdated systems | service, channel, interface, session | | |
     | Attack | Failure to destroy expired information or systems | repository, message, credential, instruction | Corporate Raiders, Hackers, Professional Criminals, Spies, Terrorists, Vandals | Feeling of accomplishment, Political Gain, Financial Gain, Knowledge Gain, Status Gain |
     | | Destruction of valid information | repository, message, credential, instruction | | |
     | | Corruption of valid information | repository, message, credential, instruction | | |
     | | Theft of valid information | repository, message, credential, instruction | | |
     | | Aging of information | repository, message, credential, instruction | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of information | repository, message, credential, instruction | | |
     | | Improper use of authorized access to information or systems | repository, message, credential, instruction | | |
     | | Improper recording of access to information | repository, message, credential, instruction | | |
     | | Failure to stop systems at will | repository, message, credential, instruction | | |
     | | Destruction of valid systems | service, channel, interface, session | | |
     | | Corruption of valid systems | service, channel, interface, session | | |
     | | Theft of valid systems | service, channel, interface, session | | |
     | | Unauthorized access, eavesdropping, theft and disclosure of channels | service, channel, interface, session | | |
     | | Failure of authorized access | service, channel, interface, session | | |
     | | Underperformance or Interruption of valid system services | service, channel, interface, session | | |
     | | Improper use of authorized access | service, channel, interface, session | | |
     | | Improper recording of use of systems | service, channel, interface, session | | |
     | | Outdated systems | service, channel, interface, session | | |
