Exploring F.A.I.R. – Threats – Part 1

by kriggins on March 9, 2009


In the last post in our series, we spent some time looking at the definition of an asset. In the post before that, we described the system we are assessing and presented a diagram that shows the system and its architecture.

In this post, we are going to start the discussion about threats, but first, a little more information about our scenario.

Phil, in a comment on the last post in this series, said the following.

I suggest that you create a data flow diagram (DFD) and then map out how the data flows.

After saying a) I don't know how and b) we don't need one (not in those exact words :)), I got to thinking about it a bit more and decided he was right. A data flow diagram will be helpful. So a quick study of DFDs later, here is my feeble attempt at providing one for us to use.

Oblivia Tax Rate System Data Flow Diagram (DFD)

You will probably quickly see where we will be focusing our time during our assessment.

Anyway, let's talk about threats. First, from the Introduction to FAIR: Risk Landscape Components:

As I [Jack Jones] mentioned in the Bald Tire section, threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.

Fairly straightforward. Basically, we are looking for those things that, when they apply force against our asset, can cause damage or loss. Well, even in the simplistic scenario we are looking at, that list is as long as my arm. If that's the case, how do we know which threats we should focus on?

Funny you should ask. Jack goes on to talk about threat communities, "Subsets of the overall threat agent population that share key characteristics [or traits]", and threat characteristics which are used to profile threat communities. We will take a deeper look at both in the next post of this series.

As always, I am really interested in your thoughts. I read and take to heart every one that is left, so please join the conversation!

-Kevin


Bonvillain May 27, 2009 at 8:04 pm

I actually haven't created tons of DFDs myself, but there were other use-cases at play in that architecture diagram that seem to be applicable if relating them to a risk analysis such as FAIR and ultimately to the threat analysis that it looks like you are about to perform.
Maybe Phil can advise if you would want to document such things, or if the DFD is just intended to be applicable to intended web app functionality, vs. comprehensively diagramming all possible use-cases. Regardless, as related by the Swiss-cheese firewall policy, those remote users are just using Telnet, FTP and getting direct access to the database to perform their remote management in the absence of a dedicated solution. Seems like you may want to include those components in the DFD as well, as they are certainly applicable to the threat analysis and ultimate loss event frequency, right?

Hope you are continuing this series. I am just starting to do some research on FAIR and am enjoying the posts.


kriggins May 27, 2009 at 8:16 pm

Thanks for the input and thoughts on the DFDs. My intent was to use the DFD to show simple intended application use cases at this point. I could extend that, but probably won't at this point.

The series will continue. I gave a talk on FAIR at Secure360 this month and that sucked up all the free time I had in preparation 🙂 Of course, I will be able to use some of that info as we go forward with this series.

I hope to get back to it in the next couple weeks as some other obligations settle down.

Thanks for reading!

-Kevin
