As discussed in the previous post, Industry Standard Risk Methodologies commonly categorise the threat type before assigning it a value. The threat type provides context for the value that will be assigned and is far easier than exhaustively evaluating every possible threat (although some methodologies may require that).

The categories used by A Simple Security Risk Assessment are the attributes of Information Assets[1] that are affected when an attacker successfully exploits a vulnerability in the related code, or alternatively, the Information Asset attributes that are affected by an accidental misconfiguration of the setting.

Examples based on the STRIDE method[2] are included below to help describe the technical risk.

Confidentiality

  • The property that information is not made available or disclosed to unauthorized individuals, entities, or processes[1]
    • Information disclosure[2] – An attacker is able to expose personal, classified or otherwise sensitive information, resulting in a loss of confidence and reputational/brand damage.
    • Information leakage – The operation of Information Assets incidentally reveals information useful to an attacker, providing grounds for deeper reconnaissance or attack.
    • Elevation of privilege[2] – An attacker exploits a vulnerability to be able to gain unauthorised privileges that facilitate information leakage and/or information disclosure.

Integrity

  • The property of safeguarding the accuracy and completeness of assets[1]
    • Tampering with Data[2] – A system relies on data received from a user without performing any validation; data that should only come from a trusted/authoritative source.
    • Elevation of Privilege[2] – An attacker exploits a vulnerability to be able to gain unauthorised privileges that facilitate tampering with data.
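
The Tampering with Data entry above describes a system that trusts client-supplied data which should only come from an authoritative source. The following is an added example, not code from the original post: it places a vulnerable order-total routine that reads the unit price from the request beside a hardened version that accepts only the SKU and quantity from the client and resolves the price from a server-side catalogue. The catalogue, request shape, function names and price values are all constructed for illustration.

```python
"""Tampering with Data: trusting a client-supplied value that should come
from an authoritative source.  Added example; the catalogue, request shape
and function names are constructed and are not part of the original post."""

# Authoritative server-side price list (constructed sample data, prices in cents).
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}


def total_trusting_client(order: dict) -> int:
    """Vulnerable form: the unit price is read straight from the request,
    so the client controls a value only the server should decide."""
    return sum(item["qty"] * item["unit_price"] for item in order["items"])


class InvalidOrder(ValueError):
    """Raised when a request fails validation against the authoritative data."""


def total_from_authoritative_source(order: dict) -> int:
    """Hardened form: only SKU and quantity are taken from the client; the
    price comes from the catalogue and the quantity is type- and range-checked."""
    total = 0
    for item in order["items"]:
        sku = item.get("sku")
        if sku not in CATALOGUE:
            raise InvalidOrder(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so it is rejected explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
            raise InvalidOrder(f"bad quantity {qty!r} for {sku}")
        total += qty * CATALOGUE[sku]
    return total


# Constructed request in which the client has rewritten unit_price to 1 cent.
TAMPERED_ORDER = {"items": [{"sku": "sku-200", "qty": 2, "unit_price": 1}]}

if __name__ == "__main__":
    print(total_trusting_client(TAMPERED_ORDER))            # 2
    print(total_from_authoritative_source(TAMPERED_ORDER))  # 9998
```

The hardened routine ignores the client's `unit_price` field entirely rather than checking it against the catalogue; a field the server never reads cannot be tampered with, which keeps the integrity decision on the authoritative side.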

Availability

  • The property of being accessible and usable upon demand by an authorized entity[1]
    • Denial of Service[2] – A lack of validation in a system results in an unexpected error that either reduces performance or renders the Information Asset unavailable for operation.
    • Elevation of Privilege[2] – An attacker exploits a vulnerability to be able to gain unauthorised privileges that facilitate a denial of service (e.g. system shutdown).

Accountability (Non-repudiation)

  • System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it[3]
    • Spoofing Identity[2] – A system does not correctly perform identification and/or authentication and allows a user to masquerade as another user.
    • Repudiation[2] – A lack of an audit trail in the system allows authorised users to dispute actions performed by them (e.g. create, update, and delete transactions).
    • Elevation of Privilege[2] – An attacker exploits a vulnerability to be able to gain unauthorised privileges that facilitate spoofing of identity and/or repudiation.
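
The Repudiation entry above turns on the presence of an audit trail that records who performed which action. The following is an added example, not code from the original post: an append-only audit trail in which each record carries an HMAC over its own content and the previous record's tag, so that editing or removing an entry breaks the chain for every record after it. The `AuditTrail` class, its record fields, the key and the sample actions are constructed for illustration.

```python
"""Repudiation: an audit trail whose records cannot be edited or removed
without detection.  Added example; the AuditTrail class, record fields,
key and sample actions are constructed and are not part of the original post."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; in practice the key is held by the logging service,
# not by the application whose actions are being recorded.
KEY = b"constructed-demo-key"


class AuditTrail:
    """Append-only log.  Each record's tag covers the record and the previous
    tag, chaining the entries together."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _tag(self, record: dict, prev_tag: str) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, target: str, ts: str) -> dict:
        record = {"seq": len(self.records), "ts": ts, "actor": actor,
                  "action": action, "target": target}
        prev_tag = self.records[-1]["tag"] if self.records else ""
        entry = {**record, "tag": self._tag(record, prev_tag)}
        self.records.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the position of the
        first record that is out of sequence or carries a wrong tag."""
        prev_tag = ""
        for position, entry in enumerate(self.records):
            record = {k: v for k, v in entry.items() if k != "tag"}
            if record["seq"] != position:
                return position  # an earlier record was removed
            if not hmac.compare_digest(entry["tag"], self._tag(record, prev_tag)):
                return position  # this record or its predecessor was altered
            prev_tag = entry["tag"]
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed sequence of create/update/delete actions on one asset."""
    trail = AuditTrail(KEY)
    trail.append("alice", "create", "invoice/42", "2024-01-01T09:00:00Z")
    trail.append("bob", "update", "invoice/42", "2024-01-01T09:05:00Z")
    trail.append("bob", "delete", "invoice/42", "2024-01-01T09:10:00Z")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.verify())            # None: intact
    trail.records[1]["actor"] = "alice"
    print(trail.verify())            # 1: record 1 no longer matches its tag
```

The chain detects edits and removals in the middle of the log, but not truncation at the tail; for that the latest tag needs to be anchored outside the log (for example published to a separate store at intervals), which is the same reason an audit trail is normally written by a component the audited users cannot administer.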

Summary

The Technical Risk evaluations discussed in the next post may be applied to each individual Information Asset attribute or across the attributes as a whole. The former approach is more detailed and may add clarity to the precise technical risk, but at the cost of added complexity, so a single likelihood/impact determination is recommended for A Simple Security Risk Assessment.

A Simple Security Risk Assessment

This article is part of a five part series on A Simple Security Risk Assessment:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk


[1] ISO 27001

[2] STRIDE

[3] NIST SP 800-30
