
ACRP

DETERMINING THREATS,
VULNERABILITIES, AND THREAT
SCENARIOS

Overview
• Threat Overview
• Cyber Threats to ccTLDs
• Vulnerabilities
• Threat Scenarios

[Process diagram. Steps shown: Project Initiation; Determine Critical Assets & Processes; Identify Threats; Identify Vulnerabilities; Identify Impacts; Assess the Risk; Identify Mitigation Strategy; Develop Plan; Train, Test & Maintain Plan]

Overview of threat analysis…

“Business Concern”: What keeps me up at night?

“Power outages, floods, and other external events can keep us from getting to the office. We wouldn’t be able to update the zone file.”

“Staff could enter wrong data into the zone database.”

“There’s no physical security for the room where staff log on to the database system. Anyone could wander in and see sensitive registry information displayed on the workstations.”

Overview of threat analysis…

What keeps me up at night?

Critical Asset
• People
• Information
• Systems
• Facility

Threat
• Man-made
• Natural & Environmental

Vulnerability
• Technical
• Design
• Procedural

Outcome (to the asset)
• Disclose
• Modify
• Lose
• Interrupt

Categories of Threats

• Events that cause a risk to become a loss
• Any potential danger that a vulnerability will be exploited by a threat agent

[Diagram: Threats divide into Natural & Environmental and Man-made; further labels in the diagram: Deliberate, Accidental, System, Authorized, Access, Unauthorized, User]

…also
• Internal vs. External

Threats

• Natural disasters
– Typhoon, tornado, flood, earthquake, tsunami, fire
• Deliberate destruction
– Terrorism, sabotage, war, theft, fraud, arson, labor
dispute
• Loss of utilities or services
– Power, gas, water, oil & petro, communications
• Equipment failure
– Internal power, HVAC, security systems, control
systems

Threats

• Information security
– Malware, cybercrime, IT system failure, system
misconfiguration, unpatched systems
• Other
– Epidemic, contamination, workplace violence,
political (nationalization)
• Non-emergency
– Health, safety, morale, mergers, negative
publicity, legal

Vulnerability … in a System Security Context

• A flaw or weakness in system security procedures, design, implementation, or internal controls that, if exercised (accidentally triggered or intentionally exploited), would result in a security breach* or a violation of the system’s security policy
Rittinghouse, et al.

* Breach = violation of security goal (destruction, interruption, modification, disclosure)

Sources for Vulnerability Information

Technical Vulnerabilities
• Hardware, software, configurations
• Weaknesses that can directly lead to unauthorized action

Design Vulnerabilities
• Network architecture and configuration

Procedural & Administrative Vulnerabilities
• Normal business processes
• Responses to incidents

Vulnerability Assessment
• Red Team, Blue Team, Pen-Test, Network Scanning Tools

Historical Responses
• Case Studies, Real-world lessons learned

Exercises or Drills

Security Forums
• Technical bulletins, “bubba net”, security conferences, web & print resources

Please bring up the:

Worksheet 4 – Threat / Vulnerability / Impact

Worksheet 4 – Threat/Vulnerability/Impact
Create a WS4 for each critical asset highlighted in WS2.

Depending on the number of assets, you may want to identify a cutoff point and focus on the most critical assets.

Worksheet 4 – Threat / Vulnerability

For each asset capture the “what keeps me up at night”

What vulnerability could the threat exploit

What happens when these converge?

Critical Asset
• People
• Information
• Systems
• Facility

Threat
• Man-made
• Natural & Environmental

Vulnerability
• Technical
• Design
• Procedural

Outcome (to the asset)
• Disclose
• Modify
• Lose
• Interrupt

Preview of Outcome vs. Impact

If this occurs …
… this is the outcome to the critical asset or process … (“1st order effect”)
… but this is the impact to your business. (“2nd order effect”)

Worksheet 4 – Outcome

… a lesser form of “impact”

What is the outcome to the asset if the vulnerability is exploited

Information Security Objectives
Confidentiality
• Disclose sensitive information
Integrity
• Modify important or sensitive information
Availability
• Lose important or sensitive information, hardware, software
• Interrupt access to important software, applications or services

… but wait!

“… what if I have controls in place?”

Critical Asset
• People
• Information
• Systems
• Facility

Threat
• Man-made
• Natural & Environmental

Vulnerability
• Technical
• Design
• Procedural

Outcome (to the asset)
• Disclose
• Modify
• Lose
• Interrupt

Worksheet 4 – Controls (affects Likelihood)

What are the controls/safeguards protecting the asset’s vulnerability from being exploited or limiting the negative impact

Where do controls factor into the process?

… they can reduce the likelihood of a negative impact

… they can limit or remove vulnerabilities

At this point in the process, only consider controls that are already in place – not what you “should” or “could” do
(… those are “mitigation actions” – we’re not there yet!)

Business Impact Assessment

• At a minimum… a qualitative statement of what would happen to your business if the outcome to the critical asset “happens”

Asset
Information Security Objectives
Confidentiality
• Disclose sensitive information
Integrity
• Modify important or sensitive information
Availability
• Lose important or sensitive information, hardware, software
• Interrupt access to important software, applications or services

… results in …

Business Impact

Worksheet 4 – Impact
Defined:
An action or process for mitigating a vulnerability or
otherwise limiting the impact from a realized vulnerability
Safeguard
Decreases or eliminates a negative impact
What is the impact to the business if the asset is affected?

Outcome vs. Impact

If this occurs …
… this is the outcome to the critical asset or process … (“1st order effect”)
… but this is the impact to your business. (“2nd order effect”)

Impact & likelihood consider controls that may or may not be in place.

Threat Scenarios

Critical asset or process
+ Valid threat
+ Real vulnerability
+ Controls or lack of controls
+ Impact on the business
= Threat Scenario

• … basis for analyzing risks and determining which response & recovery plans should be developed and maintained
– Assumes general likelihood of occurring; sets stage for risk analysis

Questions?
• Do you understand…
– Concepts of threats, business concerns,
vulnerabilities, and threat scenarios
– A range of possible outcomes of threats to
ccTLD operations
– Cyber threats to ccTLD operations and
infrastructure
– Vulnerabilities of a ccTLD
