Author Archives: Christopher Carlson

Design Defense in Depth

Defense in depth is the application of multiple layers of controls to defend against threats. Many security controls are applicable to a variety of assets and numerous threats. In some cases, the controls applied to one layer of defense may be redundant (e.g. belt and suspenders). In other cases, the controls may have complementary characteristics.

The following figure illustrates layers of defense, protecting the assets identified at the bottom.

[Figure: Layers of Controls]

Layers will be discussed in the following posts:

Copyright © 2019 Christopher T. Carlson

Excerpt from How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR


Vocabulary – Vulnerability

Introduction

Dictionary defines: vulnerability – open to attack, harm, or damage

CIS RAM defines: vulnerability – A weakness that could permit a threat to compromise the security of information assets.

Not simple.

ISO/IEC 27000 defines: vulnerability – weakness of an asset or control that can be exploited by one or more threats

Not simple.

PCI DSS defines: vulnerability – Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

Not simple.

CNSS defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.

Not simple and relies on specialized terms.

O-TTPS defines: Vulnerability – A weakness in the design, implementation, or operation of an asset, artifact, system, or network that can be exploited.

Not simple and relies on specialized terms.

CVE defines: vulnerability – A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

Not simple and relies on specialized terms.

EAS defines: vulnerability – A weakness in system security procedures, design, implementation, internal controls, etc. that could be accidentally triggered or intentionally exploited and could result in a violation of the system’s security policy

Not simple and relies on specialized terms.

ISACA defines: vulnerability – A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Not simple and relies on specialized terms.

NIST 800-53 defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Not simple and relies on specialized terms.

OWASP describes: vulnerability – a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

Not simple and relies on specialized terms.

STIX defines: vulnerability – a mistake in software that can be directly used by a hacker to gain access to a system or network

Not simple and relies on specialized terms.

FAIR defines: vulnerability – The probability that a threat event will become a loss event (which occurs when a threat agent acts against an asset)

Describes how to measure vulnerability rather than defining what it is.

SDL defines: threat – an attacker’s objective

This definition relates to the definitions of vulnerability rather than threat, assuming the reader understands that “objective” refers to the vulnerability the attacker seeks to exploit.

Vocabulary – Threat

Introduction

Dictionary defines: threat – someone or something that could cause trouble, harm, etc.

  • Note that the definition has a subject and an object

FAIR defines: threat – Anything that is capable of acting in a manner resulting in harm to an asset and/or organization

  • Slightly more specific than the dictionary

ISACA defines: threat – Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

  • Slightly more specific than FAIR

ESA defines: threat – the potential for a “threat source” to exploit (intentionally) or trigger (accidental) a specific vulnerability.

  • Complicated by the use of “threat source” and the specialized term “vulnerability”. Lacks an object.

O-TTPS defines: Threat – The intention and capability of an adversary to undertake actions that would be detrimental through disruption of processes or subversion of knowledge.

  • Complicated by thoroughly describing the nature of a threat.

CIS defines: threat – A potential or foreseeable event that could compromise the security of information assets.

  • Complicated by the suggestion that threats should be foreseeable and by an extraneous description of harm.

CNSS defines: threat – Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

  • Complicated definition.

ISO/IEC 27000 defines: threat – potential cause of an unwanted incident, which can result in harm to a system or organization

  • Complicated by the ambiguous word “incident”.

NIST 800-53 defines: threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

  • Overly specific for a definition.

OWASP contains a Category: threat – A threat that plague a product. While known threats are identified based on signatures, files copied onto the hard drive upon installation, registry keys, protocol analysis and others.

  • Circular and uses specialized terms and concepts.

PCI DSS defines: threat – Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization

  • Overly specific for a definition.

STIX defines: threat actors – actual individuals, groups, or organizations believed to be operating with malicious intent.

  • Identifies a who but no what.

SDL defines: threat – an attacker’s objective

  • Identifies a what but no who.

Vocabulary – Risk

Introduction

Dictionary defines: risk – possibility of loss

FAIR defines: risk – the probable frequency and probable magnitude of future loss.

More complete than the dictionary.
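The two FAIR definitions quoted on this page (vulnerability as the probability that a threat event becomes a loss event, and risk as the probable frequency and probable magnitude of future loss) are the only ones here that can be computed directly. The following is an added example, not code from the original post or from the Open FAIR standard, showing how those two definitions combine into an annual loss estimate. It uses only the top of the Open FAIR factor tree (loss event frequency = threat event frequency × vulnerability; risk = loss event frequency and loss magnitude); the Poisson arrival model, the triangular per-event loss, and every number in the sample scenario are assumptions constructed for illustration.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class FairScenario:
    """One loss scenario expressed with the two FAIR definitions quoted above.

    All values are constructed for illustration and are not from the page.
    """
    threat_event_frequency: float  # TEF: expected threat events per year
    vulnerability: float           # FAIR vulnerability: P(threat event -> loss event)
    loss_min: float                # per-loss-event magnitude, assumed triangular
    loss_mode: float
    loss_max: float


def loss_event_frequency(s: FairScenario) -> float:
    """Loss event frequency = threat event frequency x vulnerability (Open FAIR)."""
    return s.threat_event_frequency * s.vulnerability


def expected_annual_loss(s: FairScenario) -> float:
    """Closed-form 'probable frequency x probable magnitude' for the mean case."""
    mean_magnitude = (s.loss_min + s.loss_mode + s.loss_max) / 3  # mean of a triangular
    return loss_event_frequency(s) * mean_magnitude


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(s: FairScenario, years: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: one sample of total loss for each simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        threat_events = _poisson(rng, s.threat_event_frequency)
        # Each threat event becomes a loss event with probability 'vulnerability'.
        loss_events = sum(1 for _ in range(threat_events) if rng.random() < s.vulnerability)
        totals.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
                          for _ in range(loss_events)))
    return totals


def summarize(totals: list) -> dict:
    """Report the distribution the way a FAIR analysis is usually presented."""
    deciles = quantiles(totals, n=10)  # nine cut points: 10th ... 90th percentile
    return {
        "mean": mean(totals),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "p_any_loss": sum(1 for t in totals if t > 0) / len(totals),
    }


# Constructed scenario (assumption): twelve threat events per year against one asset,
# one in four of which becomes a loss event costing between 1,000 and 20,000.
SAMPLE = FairScenario(threat_event_frequency=12.0, vulnerability=0.25,
                      loss_min=1_000, loss_mode=5_000, loss_max=20_000)

if __name__ == "__main__":
    print("loss event frequency:", loss_event_frequency(SAMPLE))
    print("expected annual loss:", expected_annual_loss(SAMPLE))
    print(summarize(simulate_annual_losses(SAMPLE)))
```

The closed-form figure gives the mean, but the simulated percentiles are what make "probable magnitude" useful in practice: a defender comparing two control options wants to know how much the p90 moves, not only the average.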

COBIT and ISACA define: risk – the combination of the probability of an event and its consequence

The term “event” is ambiguous, introducing complexity.

O-TTPS defines: Risk – An event or condition that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets and artifacts, activities, and operations.

Complete but verbose.

OWASP defines: risk – Risk is the possibility of a negative or undesirable occurrence. There are two independent parts of risk: Impact and Likelihood.

Relies on context for specialized terms.

CIS defines: risk – an estimation of the likelihood that a threat will create an undesirable impact.

Relies on context for specialized terms.

CNSS defines: risk – possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability

Relies on context for specialized terms.

NIST CSF and 800-53 define: risk – a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Not simple. Relies on context for specialized terms.

PCI DSS defines: risk assessment – Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Not simple. Provides a description rather than a definition.

ESA defines: IT-related risk – the net mission/business impact (probability of occurrence combined with impact) from a particular threat source exploiting, or triggering, a particular information technology vulnerability.

Not simple. Relies on context for specialized terms.

ISO 27000 defines: risk – effect of uncertainty on objectives

Unclear by choice of defining terms.

Vocabulary – Policy

Introduction

Dictionary defines: policy – a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body

COBIT defines: policy – Overall intention and direction as formally expressed by management

A good definition.

ISO/IEC 27000 defines: policy – intentions and direction of an organization as formally expressed by its top management

A good definition, almost identical to COBIT.

ISACA defines: policy – 1. Generally, a document that records a high-level principle or course of action that has been decided on. 2. Overall intention and direction as formally expressed by management.

Not simple.

ESA defines: policy – A broad statement authorizing a course of action to enforce the organization’s guiding principles for a particular control domain.

Relies on specialized terms.

NIST 800-53 defines: Information Security Policy – Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Provides examples of policy rather than a definition, with specialized actions listed.

O-TTPS defines: Framework – a set of best practices identified by a cross-industry forum which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor’s products as more secure and trusted.

Verbose description rather than a definition.