O-ISM3 Incident Taxonomy v1.0

Authored by: Vicente Aceituno
Mail: [email protected]
Phone: +34 668 862 242

COPYRIGHT NOTICE: Version 1.0: 18th of July 2014

This Report is copyrighted by Inovement Europe.

This is an informational document, and it doesn't represent legal or professional advice from Inovement, the authors or reviewers of this document. This document is offered as is without any warranty of completeness, accuracy or timeliness. Inovement, the authors and reviewers of this document disclaim any implied warranty or liability.


Introduction

For effective communication, information security professionals use a rich vocabulary with very specific, and sometimes even personal, meanings.

Risk assessment methods use a model of the organization, a model of the information systems, a threat taxonomy, a vulnerability taxonomy, a control taxonomy and a way to combine them to reach a risk figure. Unfortunately, there is no common agreement on the classes of threats that exist and the controls that can mitigate them.

Using O-ISM3 concepts and definitions, it is possible to classify threats depending on who the agent of the threat is (accidents, errors, attacks), what the object of the attack is (repositories, messages, services, sessions, interfaces, channels) and what the consequences of the attack are. As threats to instructions and credentials can lead to more serious consequences, instructions and credentials that are stored in repositories or messages are mentioned explicitly.

Threats can also be classed depending on the mechanism of the attack, error or accident. As effective protection can often be established against attacks whatever the mechanism used, this taxonomy does not use the mechanism as a classification criterion.

O-ISM3's components of Information Systems

Information Systems are complex and have various tangible and intangible components. The components can be classed at the chosen level of abstraction according to structural and transactional features.

Structural Features – the various assets from which an information system may be built:

Repositories: Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media;

Interfaces: Any input/output device, such as screens, printers and fax;

Channels: Physical or logical pathways for the flow of messages, including buses, LAN networks, etc. A Network is a dynamic set of channels;

Borders define the limits of the system.

Physical devices can host one or many logical components. Structural objects exist in every logical and physical level. The table below contains examples of each type of structural asset:

Repository        | Interface                   | Channel
Payroll Database  | Web-based interface         | HTTPS
Database Replica  | System call                 | TCP
File system       | Monitor, keyboard and mouse | Frame relay PVC
Hard drive        | Connector                   | Cable


Transactional Features – the various assets from which an information system produces actual results:

Services. Any value provider in an information system, including services provided by BIOS, operating systems and applications. A service can collaborate with other services or lower level services to complete a task that provides value, like accessing information from a repository;

Messages. Any meaningful information exchanged between two services or a user and an interface.

Sessions. A temporary relationship of trust between services. The establishment of this relationship can require the exchange of credentials.

Transactional assets are dynamic, such as running processes and moving messages. Static assets such as mail or program files stored in a repository are not considered either a message or a service. Transactional objects exist in every logical and physical level. The table below contains examples of each type of transactional asset:

Service            | Message
Bank Account       | Transfer from another account
SOAP API Interface | SOAP Call
Port               | TCP Packet
Ethernet Port      | Ethernet Packet


Request types generated by information systems and users

Records in a log contain a series of events. Events are requests that can have a successful or failed result. Using the O-ISM3 system model, it is possible to create a comprehensive list of request types, as follows:

Resources   | Initiate | Finalize   | Freeze    | Unfreeze | Query State | Change State
Repository  | create   | delete     | block     | unblock  | read        | write
Message     | send     | listen     | retain    | forward  | read        | write
Credential  | create   | delete     | block     | unblock  | read        | write
Instruction | send     | listen     | retain    | forward  | read        | write
Service     | start    | stop       | pause     | resume   | read        | write
Channel     | open     | close      | hold      | release  | read        | write
Interface   | connect  | disconnect | interrupt | continue | read        | write
Session     | login    | logout     | suspend   | resume   | read        | write

Note: The request “listen” can be understood as well as “receive” or “detect”, but for simplicity, only the word “listen” is used.

Note: If the repository is RAM “block” and “unblock” are equivalent to “allocate” and “free”.

Incident Taxonomy

There are three types of incidents depending on the agent:

If the agent is a force of nature, the incident is an Accident, for example a natural flood due to rain.

If the agent is people, but there is no intention to harm, the incident is an Error.

If the agent is people, with an intention to do harm, the incident is an Attack. Agents can be Corporate Raiders, Hackers, Professional Criminals, Spies, Terrorists or Vandals that work for a feeling of accomplishment, political gain, financial gain, knowledge gain or status gain.

The following table lists the different combinations of user, requested action, object of the action and result of the action. Certain combinations will result in an incident; some will not: for example, deleting an expired repository is not considered an incident.


User: Owns the user account and has Access Rights to perform the Action on the Resource

Action Requested | Resource (Expired or Valid) | Action Result | Type of Incident
create / send / create / send | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability Unavailability
start / open / connect / login | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability Unavailability
delete / listen / delete / listen | Expired repository / Expired message / Expired credential / Expired instruction | Failure | Unavailability
delete / listen / delete / listen | Valid repository / Valid message / Valid credential / Valid instruction | Failure | No
stop / close / disconnect / logout | Expired service / Expired channel / Expired interface / Expired session | Failure | Unavailability
stop / close / disconnect / logout | Valid service / Valid channel / Valid interface / Valid session | Failure | No
block / retain / block / retain | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability
pause / hold / interrupt / suspend | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability
unblock / forward / unblock / forward | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability
resume / release / continue / resume | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability
read / read / read / read | repository / message / credential / instruction | Failure or Success, but not logged when required | Unavailability
read / read / read / read | service / channel / interface / session | Failure or Success, but not logged when required | Unavailability
write / write / write / write | Valid repository / Valid message / Valid credential / Valid instruction | Failure or Success, but not logged when required | No Error
write / write / write / write | Valid service / Valid channel / Valid interface / Valid session | Failure or Success, but not logged when required | No Error
write / write / write / write | Expired repository / Expired message / Expired credential / Expired instruction | Failure or Success, but not logged when required | Unavailability No
write / write / write / write | Expired service / Expired channel / Expired interface / Expired session | Failure or Success, but not logged when required | Unavailability No
create / send / create / send | repository / message / credential / instruction | Success, logged if required | No
start / open / connect / login | service / channel / interface / session | Success, logged if required | No
delete / listen / delete / listen | Expired repository / Expired message / Expired credential / Expired instruction | Success, logged if required | No
delete / listen / delete / listen | Valid repository / Valid message / Valid credential / Valid instruction | Success, or Partial success | Error
stop / close / disconnect / logout | Expired service / Expired channel / Expired interface / Expired session | Success, logged if required | No
stop / close / disconnect / logout | Valid service / Valid channel / Valid interface / Valid session | Success, logged if required | Error

User: Does not own the user account and/or doesn't have Access Rights to access the resource

Action Requested | Resource (Expired or Valid) | Action Result | Type of Incident
read / read / read / read | repository / message / credential / instruction | Success, logged if required | Intrusion
read / read / read / read | service / channel / interface / session | Success, logged if required | Intrusion
read / read / read / read | repository / message / credential / instruction | Failure or Success, but not logged when required | No
read / read / read / read | service / channel / interface / session | Failure or Success, but not logged when required | No

User: Any

Action Requested | Resource (Expired or Valid) | Action Result | Type of Incident
Any | repository, message, credential or instruction | Success, logged if required | Unauthorized Use after access
Any | service, channel, interface or session | Success, logged if required | Unauthorized Use after access
Any | repository, message, credential or instruction | Any, not logged when required | Lack of evidence of Use
Any | service, channel, interface or session | Any, not logged when required | Lack of evidence of Use
Any | repository, message, credential or instruction | Underperformance in terms of rate of accesses or speed of response | Unavailability
Any | service, channel, interface or session | Underperformance in terms of rate of accesses or speed of response | Unavailability
Any | repository, message, credential or instruction | Failure due to obsolete systems or formats | Obsolescence
Any | service, channel, interface or session | Failure due to obsolete systems or formats | Obsolescence
Any | repository, message, credential or instruction | Failure due to information no longer valid | Inaccuracy of information
Any | service, channel, interface or session | Failure due to information no longer valid | Inaccuracy of information
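As an added illustration (not part of the O-ISM3 document), the following Python encodes the request-type table and the rows of the incident table above as a classifier that can be run over log events. The Event fields, the result vocabulary and the sample events are assumptions; the write rows and the "Any ... Success, logged if required" rows are left out, and the rows for a specific user and action are assumed to take precedence over the generic "not logged when required" row.

```python
from dataclasses import dataclass

# Request verbs from the request-type table, grouped by lifecycle column.
INITIATE = {"create", "send", "start", "open", "connect", "login"}
FINALIZE = {"delete", "listen", "stop", "close", "disconnect", "logout"}
FREEZE = {"block", "retain", "pause", "hold", "interrupt", "suspend",
          "unblock", "forward", "resume", "release", "continue"}
# Rows whose User and Action columns are "Any" and hinge only on the result.
BY_RESULT = {"underperformance": "Unavailability", "obsolete": "Obsolescence",
             "invalid_info": "Inaccuracy of information"}

@dataclass
class Event:           # field names are assumptions, not O-ISM3 terms
    authorized: bool   # owns the account and has Access Rights for the action
    action: str        # request verb from the request-type table
    expired: bool      # resource is Expired (True) or Valid (False)
    result: str        # success | partial | failure | a key of BY_RESULT
    logged: bool       # the event was logged when logging was required

def classify(ev: Event):
    """Incident type per the taxonomy table; None where no row covers the event."""
    if ev.result in BY_RESULT:
        return BY_RESULT[ev.result]
    ok = ev.result == "success" and ev.logged        # "Success, logged if required"
    bad = ev.result == "failure" or not ev.logged    # "Failure or ... not logged"
    if ev.authorized:
        if ev.action in INITIATE:
            return "No" if ok else "Unavailability"
        if ev.action in FINALIZE and ev.expired:
            return "Unavailability" if ev.result == "failure" else ("No" if ok else None)
        if ev.action in FINALIZE:                    # valid resource
            return "No" if ev.result == "failure" else "Error"
        if ev.action in FREEZE or ev.action == "read":
            return "Unavailability" if bad else None
    elif ev.action == "read":
        return "Intrusion" if ok else "No"
    # Remaining "Any" row: the request happened but was not logged when required.
    return "Lack of evidence of Use" if not ev.logged else None

# Constructed sample events (not from a real log), one per table row exercised.
SAMPLE = [
    Event(True, "login", False, "success", True),        # No
    Event(True, "start", False, "failure", True),        # Unavailability
    Event(True, "delete", False, "partial", True),       # Error
    Event(False, "read", False, "success", True),        # Intrusion
    Event(False, "write", False, "success", False),      # Lack of evidence of Use
]

def classify_all(events=SAMPLE):
    return [classify(e) for e in events]
```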