5.3.2. Threats and Hazards
Analysis of the definitions used throughout cybersecurity publications demonstrates a certain confusion in the definitions of threat and risk. In order to build a common vocabulary and provide guidance to the threat identification process in system assurance, we can draw some insights from a related body of knowledge developed within the safety community over the last five decades. The safety community has developed several systematic architecture-driven methods of identifying risks related to the safety of systems [Clifton 2005]. Architecture-driven methods focus on the concept of a location within one of the system views (as described in Chapter 4) as the basis for a systematic and repeatable system analysis.
System safety is concerned with the prevention of a safety accident, or mishap, which is defined as “an unplanned event or series of events resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment” [MIL-STD-882D]. System safety is built on the premise that mishaps are not random events; instead they are deterministic and controllable events that are the results of a unique set of conditions (i.e., hazards), which are predictable when properly analyzed. A hazard is a potential condition that can result in a mishap or an accident, given that the hazard occurs. A hazard is the precursor to a mishap: a hazard defines a potential event (i.e., a mishap), while a mishap is the event that has actually occurred.
In order to build architecture-driven identification of hazards, system safety considers a hazard as an aggregate entity that involves several basic discernable components (see Figure 3). The components of a hazard define the necessary conditions for a mishap and the end outcome or effect of the mishap. In system safety, a hazard consists of the following three basic components [Clifton 2005]:
1. Hazardous element (HE). This is the basic hazardous resource creating the impetus for the hazard, such as a hazardous energy source (e.g., explosives) being used in the system.
2. Initiating mechanism (IM). This is the trigger or initiator event(s) causing the hazard to occur. The IM causes actualization or transformation of the hazard from a dormant state to an active mishap state.
3. Target and Threat (T/T). This is the person or thing that is vulnerable to injury and/or damage, and it describes the severity of the mishap event. This is the mishap outcome and the expected consequential damage and loss.
The elements are necessary and sufficient to result in a mishap, which is useful in determining the hazard mitigation:
• When one of these components is removed, the hazard is eliminated.
• When the probability of the IM component is reduced, the mishap probability is reduced.
• When the element in the HE side or the T/T side of the triangle is reduced, the mishap severity is reduced.
Hazards can be described by so-called hazard statements, based on the elements of the hazard triangle. Consider the following hazard statement: “Worker is electrocuted by touching exposed contacts in electrical panel containing high voltage.”
In this example all three hazard components are present and can be clearly identified as the elements of the system of interest (see Figure 4). In this particular example there are actually two IMs involved. The T/T defines the mishap outcome, while the combined HE and T/T define the mishap severity. The HE and IM are the hazard causal factors that define the mishap probability. If the high-voltage component can be removed from the system, the hazard is eliminated. If the voltage can be reduced to a lower, less harmful level, then the mishap severity is reduced.
The causal factors of hazards are the specific items responsible for how a unique hazard exists in a system. Hazards in system safety are unavoidable, in part because hazardous elements must be used in the system, in the same way that security threats are unavoidable because attackers have access to the system through the same channels as used by the legitimate users. Hazards also result from inadequate safety and security considerations—either poor or insufficient design or incorrect implementation of a good design, resulting from the unmitigated effect of hardware failures, human errors, software glitches, or sneak paths.
Once a potentially harmful event is identified, risk is a fairly straightforward concept, defined as:
Risk = Probability × Severity
The mishap probability factor is the probability of the hazard components occurring and transforming into the mishap. The mishap severity factor is the overall consequence of the mishap, usually in terms of loss resulting from the mishap (i.e., the undesired outcome). Both probability and severity can be defined and assessed in either qualitative or quantitative terms. Time is factored into the risk concept through the probability calculation of an undesired event, as the duration window of “exposure” during which one of the IMs exists. For example, the risk of an adversary obtaining sensitive information from a 1-minute unencrypted communication may be considered smaller than the risk of a 1-hour unencrypted communication.
Hazards and mishaps are linked by risk. The three basic hazard components define both the hazard and the mishap. The three basic hazard components can be further decomposed into major hazard causal factor categories, which are: (1) hardware, (2) software, (3) humans, (4) interfaces, (5) functions, and (6) the environment. Finally, the causal factor categories are refined even further into the actual specific detailed causes, such as a hardware component failure mode (see Figure 5).
In the area of system security, the mishaps are security incidents resulting in the loss of confidentiality, integrity, and/or availability of the assets. Some researchers explicitly add subversion of a system node as a separate incident type. The counterpart of the T/T component is Asset/Injury. A notable difference is that in the area of system security there is no explicit hazardous element. Instead, a typical source of security incidents is the malicious action of the threat agent. On the other hand, security assessment methodologies often consider natural hazards as one of the sources of threats, together with the action of intentional attackers. This demonstrates how close the two models are. Lightning is the source of high voltage (the HE component), which can cause loss of server equipment (the T/T component). On the other hand, a hacker is the source of “attack capability” (hazardous element?) that can cause subversion of a system node running an unhardened version of Windows (asset and injury). The initiation mechanisms are practically identical between the safety and security areas, as they provide a cause-and-effect link between the hazardous element (or the threat agent) and the target and injury. The concept of an initiation mechanism is quite close to the concept of “vulnerability” that is used in system security, although there are some important differences that we will point out later. Several authors have already made arguments for combined safety and security assurance, and the term security hazard has been used in several publications.
Note that both a safety hazard and a security threat are deterministic entities (like a mini system, consisting of a unique set of identifiable components that are traceable to the elements of the system of interest). Hazard components either exist or they do not. A mishap, on the other hand, has a certain probability of occurring, based on the probability of the initiating mechanisms, such as human error, component failures, or timing errors. The HE component has a probability of 1 of occurring, since it must be present in order for the hazard to exist.
On the other hand, in system security it is more difficult to determine the probability of malicious actions by the attacker, and there is less statistical correlation with past historical data, because attacker actions are not random and are constantly evolving.
One of the potential causes of ambiguity in the definitions of “security threat” in cybersecurity is the complex nature of both the causes and consequences of an elementary injury to an asset. This makes “security threat” a complex collection of interrelated facts, and different authors focus on different parts of this phenomenon. The complexity of the security threat can be described using a small number of elementary discernable concepts. The key is to identify an elementary “undesired event” associated with an asset—an “injury” to a specific asset. An “event” is a discernable concept because it is traceable to one or more statements in the code. Then a “security threat” becomes a discernable assembly of a threat agent, an entry point, an asset, and an injury. (Application of the BORO methodology, outlined in Chapter 9, shows that a “threat” is a tuple—a relationship between several noun concepts.) Multiple “events” can be identified as the causes of the “injury.” Similarly, an injury event may cause further damage by causing additional injuries to other assets. Multiple attack scenarios can be associated with the same threat: an attack scenario can be described as a path through the causal graph. Finally, at least one of the causal events must be associated with the entry point of the threat.
This discernable interpretation is consistent with the terminology defined at the beginning of this chapter based on [ISO 13335]. Yet the more conservative definitions are discernable and can be traced to existing system facts, enabling the systematic recognition of threats and causal analysis of the security posture. The rest of this section provides the details of this discernable vocabulary. Figure 6 provides the necessary illustration.
5.3.3. Defining discernable vocabulary for injury and impact
Information security is about protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
1. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
2. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
3. Availability, which means ensuring timely and reliable access to and use of information.
Certain events result in injury, such as “unauthorized use, disclosure, disruption, modification, or destruction of information and information systems.”
| Term | Attribute | Value |
|---|---|---|
| injury | Definition | the damage that results from the compromise of assets |
| | Note | injury is elementary damage that can be traced to the system |
| | Note | in non-cyber scenarios, physical access to the asset may be the prerequisite of injuries to the asset |
| | Concept type | noun concept |
| | Synonym | harm |
| | Note | impact is non-elementary, cumulative damage |
| injury targets asset | Concept type | verb concept |
| injury targets asset category | Concept type | verb concept |
| | Note | this results in generic injury checklists |
| threat event | Definition | the event that results in compromise to assets |
| | Synonym | undesired event |
| | Note | threat event is an elementary event that can be traced to the system |
| | Note | impact is a collection of threat events associated with a given initial threat event |
| threat event causes injury to asset | Concept type | verb concept |
| threat event causes threat event | Concept type | verb concept |
| threat event has impact | Definition | the state of affairs that injuries caused by a threat event collectively comprise impact |
Enumeration of possible injuries is an example of generic cybersecurity content that is exchanged in the OMG Assurance Ecosystem. Chapter 9 provides more details on the transformation of well-defined vocabularies of noun and verb concepts into standard information exchange protocols. Here are some examples in which we describe pairs of injury/asset category.
Injuries related to confidentiality: disclosure of information assets, which can be further subdivided into disclosure of data at rest, disclosure of data in motion, disclosure of data in use, and disclosure of data in facilities (“dumpster diving”) and equipment (recovering sensitive information from a disposed hard drive or from a stolen laptop).
Injuries related to integrity:
• Tampering with equipment, facilities;
• Tampering with information assets;
• Tampering with service;
• Subversion of a system node.
Injuries related to availability: partial or full loss of equipment, service, information asset, facility, or personnel.
Figure 7 illustrates impact statements. It shows several exemplary injury/asset category pairs (solid lines) and then uses dotted lines to show some impacts, portraying possible causal relationships between injuries. The relationships shown in Figure 7 can be verbalized as follows:
• Disclosure of information causes tampering with information (e.g., when user login credentials are compromised).
• Tampering with equipment causes tampering with information (e.g., due to malfunction).
• Tampering with equipment causes disclosure of information (e.g., a telephone bug).
• Tampering with equipment causes tampering with service (both a distortion and subversion).
• Tampering with information causes distortion of service (a fancy way to say “garbage in–garbage out”).
• Subversion of service causes disclosure of information (e.g., a typical spybot scenario, when a trojan installs a keylogger and exports sensitive information, such as financial account information and credentials).
• Subversion of service causes subversion of service (i.e., further service, subverting other computers on the network).
• Subversion of service causes loss (of service, information).
• Loss of information causes tampering with service (e.g., when records are deleted).
• Loss of service causes tampering with service (e.g., when a protection mechanism is disabled).
• Loss of equipment causes disclosure of information (e.g., from a stolen USB stick).
• Loss of equipment causes loss of service.
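As an added example (not code from the book), the causal relationships verbalized above can be encoded as a graph over the page's own injury categories, which makes two of the definitions from Section 5.3.2 computable: impact is the cumulative set of injuries reachable from an initial threat event, and an attack scenario is a path through the causal graph from the injury at the entry point to an injury of interest. The edge list transcribes the list above; the functions and their names are my own.

```python
from collections import defaultdict

# Cause -> effect edges, transcribed from the verbalized Figure 7 relationships.
# "Distortion of service" is recorded here as tampering with service, and
# "subversion causes loss" is expanded to loss of service and loss of information.
INJURY_CAUSES = [
    ("disclosure of information", "tampering with information"),
    ("tampering with equipment", "tampering with information"),
    ("tampering with equipment", "disclosure of information"),
    ("tampering with equipment", "tampering with service"),
    ("tampering with information", "tampering with service"),
    ("subversion of service", "disclosure of information"),
    ("subversion of service", "subversion of service"),   # spreads to other nodes
    ("subversion of service", "loss of service"),
    ("subversion of service", "loss of information"),
    ("loss of information", "tampering with service"),
    ("loss of service", "tampering with service"),
    ("loss of equipment", "disclosure of information"),
    ("loss of equipment", "loss of service"),
]

def build_graph(edges):
    graph = defaultdict(set)
    for cause, effect in edges:
        graph[cause].add(effect)
    return graph

GRAPH = build_graph(INJURY_CAUSES)

def impact(graph, initial_injury):
    """Impact = every injury reachable from the initial threat event
    (transitive closure over the 'causes' edges), including itself."""
    seen, stack = set(), [initial_injury]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen

def attack_scenarios(graph, entry_injury, goal_injury, max_len=6):
    """Attack scenarios = simple paths through the causal graph from the
    injury tied to the entry point to the injury of interest."""
    paths = []
    def walk(node, path):
        if node == goal_injury:
            paths.append(path)
            return
        if len(path) >= max_len:
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # cycles (e.g. subversion self-loop) are cut
                walk(nxt, path + [nxt])
    walk(entry_injury, [entry_injury])
    return paths
```

For a stolen laptop (loss of equipment) the impact set reaches tampering with service by two scenarios, one via disclosure and tampering of information, the other via loss of service; a node with no outgoing edges, such as tampering with service, has only itself as impact.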