
New versus old asset/threat models

Brian Smithson, Ricoh Americas Corporation


Presentation Transcript


  1. New versus old asset/threat models
     Brian Smithson, Ricoh Americas Corporation
     IEEE P2600

  2. What are our choices?
     • Adapt the old asset/threat model to the new FPP organization
       • P2600 std would need some rework because of decision to use some OSPs, fixing some poorly defined assets and threats, filling some holes, and dividing up some threats that cross FPP TOE boundaries.
       • FPP would require major rework – models, assets, threats, and objectives
     • Apply the new asset/threat model to the P2600 std.
       • P2600 std would require major rework – aligning asset definitions, replacing threats, dealing with threats that are outside of the PP scope, adjusting or discarding “vector” descriptions, rationalizing “risk ratings” (or adopting the “informal security requirements” approach), and aligning mitigation strategies
       • FPP for OpEnv A is nearly done; would still need to agree on informal security requirements for B, C, D and then derive FPPs
     • Decouple the P2600 and FPP and use different models
       I think this is a very bad idea, but we could do it

  3. New/old model pros/cons
     New model pro
       • Generic data-oriented model
       • Symmetrical threats
       • Consistent, traceable nomenclature
       • Divisible by function
     New model con
       • Abstract and unfamiliar; may require some worked examples for understanding
       • Major rework to P2600
     Old model pro
       • Great deal of investment
       • Captures practical experience
       • Good fit with P2600 “best practices” and “mitigation techniques”
       • Threat vector model is useful
     Old model con
       • Originated with anecdotal threats, then was made to fit a model; may limit scope or imply implementation
       • Assumes asset valuation on behalf of others; not credible
       • Some inconsistencies between asset, threat, objective definitions
       • Functional crossover, requires major rework to FPP and some rework to P2600

  4. Comparing the old and new PPs
     New (27a) versus Old (24b) PP
       Assets
         • 27a does not have an asset for resident digital components
       Threats
         • has no equivalent for T.EA.DOS
         • T.DOC.STORED.DIS does not cover user docs that are not deleted (i.e. it does not yet have an O.PROTECT)
         • P.COMMS.NO_BRIDGE does not cover access to internal data or firmware
       Objectives
         • No O.GENIUNE
         • No OE.NET_MANAGE
         • No O.PROTECT (yet?)
     Old (24b) versus New (27a) PP
       Assets
         • 24b mgmt data doesn’t distinguish secrets from non-secrets
       Threats
         • T.UD.ACC threats poorly defined
       Objectives
         • No OE to require support for secure communications
         • I&A/ACCESS cover all assets, not just IT-controlled assets
         • O.NETWORK specifies confidentiality of disclosable data
         • FAXONLY only covers fax, not other bridgable interfaces
         • OE.TRAIN assumes same training for users as for administrators
     • http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-pp24-compare-27a.xls (note that there are three tabs)

  5. Possible mapping of non-PP threats to new model

     • T.DOS.NET.CONNECT
     • T.DOS.NET.CRAFT
     • T.DOS.NET.FLOOD
     • T.DOS.PRT.CRASH
     • T.DOS.PRT.DELETE
     • T.DOS.PRT.CHANNEL
     • T.DOS.PRT.PRIORTY
     • T.DOS.FAX.HOOK
     • T.DOS.FAX.LOOP
     • T.DOS.FAX.TRAIN
     • T.DOS.FAX.VOLUME
     • T.DOS.PHY.ALTER
     • T.DOS.PHY.INTERFERE
     • T.RESOURCE.SUPPLIES
     • T.RESOURCE.EXHAUST
     • T.UD.PHY.INPUT
     • T.UD.PHY.CAMERA
     • T.UD.PHY.EM
     • T.UD.ANALYZE
     • T.TSF.SALVAGE

     • T.EA.DOS
     • T.DOS.<service>.<attack>
     • T.CONSUMMABLES.THEFT
     • T.CONSUMMABLES.EXHAUST
     • T.DOC.INPUT.DIS (in PP but ignored)
     • Needs redefinition anyway
     • T.DOC.EM.DIS?
     • T.DOC.STORED.ANALYZE?
     • T.SEC.STORED.ANALYZE?
     • Why not call this another T.DOS?

     See http://grouper.ieee.org/groups/2600/presentations/WashingtonDC2007/fpp-p2600-compare-27a.xls

  6. Possible way to retain practical knowledge of old model but use new model
     • Apply new model to P2600
     • Use the threat vector model to show practical examples of threats
     • Threat vector examples flow nicely into best practices and mitigation techniques
     • Abstract threats are (appropriately) dealt with in the FPP
