Threat

Threats exploit asset vulnerabilities and create impact. The interactions between assets, threats, and vulnerabilities are analysed during risk management.

It is impossible for an organisation to completely exclude the existence of threats. In terms of security, we therefore generally apply EBIOSv2.

EBIOSv2

EBIOS: Expression of Needs and Identification of Security Objectives (Expression des Besoins et Identification des Objectifs de Sécurité).

Threats by Groups

EBIOSv2 [1] offers a list of generic Threatening Agents (e.g. threats):

PHYSICAL DAMAGE

Fire (SME: see Fire)
Water damage
Pollution
Major disaster
Destruction of equipment or supports (SME: see Computer or communication equipment broken down)
Dust, corrosion, frost

NATURAL EVENTS

Climatic phenomenon
Seismic phenomenon
Volcanic phenomenon
Meteorological phenomenon
Flood

LOSS OF ESSENTIAL SERVICES

Air conditioning failure
Energy Power Loss (SME: see Power Failure)
Loss of telecommunication (SME: see Unavailable network access, Interruption of communications and Discontinuity of service providers)

DISTRIBUTION DUE TO RADIATION

Electromagnetic radiation
Thermal radiation
Electromagnetic pulses (EMI)

COMPROMISING INFORMATION

Interception of compromising spurious signals
Remote spying (SME: see Interception of communication and Spam/Phishing and Measures against malicious code)
Passive listening (SME: see Listening to wireless networks)
Theft of media or documents (SME: see Robbery and Penetration in premises)
Theft of equipment (SME: see Robbery and Penetration in premises)
Recovery of recycled or discarded media (SME: see Recovery of media)
Disclosure (SME: see Social engineering/Inadequate communication)
Information without guarantee of origin
Equipment trapping
Software trapping (SME: see Measures against malicious codes)
Geolocation

TECHNICAL FAILURES

Hardware failure (SME: see Computer or communication equipment broken down and Damage to equipment during transport))
Equipment malfunction (SME: Insertion or removal of equipment)
Information system saturation
Software malfunction
Attack on the maintainability of the information system (SME: see Unusable backups, Impossible administration and Inappropriate software environment)

UNAUTHORISED ACTIONS

Illegal use of equipment (SME: see Abuse of organisation resources)
Fraudulent copying of software (SME: see Use of unauthorised software)

Threat Qualification

EBIOSv2 threats can be classified according to:

THEIR ORIGIN

E: Environmental - all incidents that are not caused by human actions
D: Deliberate - for all deliberate actions targeting assets
A: Accidental - used for all human actions that can accidentally damage assets

THEIR ATTACK

D: Availability
I: Integrity
C: Confidentiality

THEIR TYPE

N: Natural
H: Human
E: Environmental

Vulnerabilities/Threats/Assets Link

This section refers to the generic vulnerabilities of the EBIOS v2 document - Section 4 - Tools (Assessment).

We can identify:

Security Goals

Section 2 Generic security objectives of the EBIOS v2 document - Section 5 - Tools (Processing) [4] proposes for each of the 7 types of high-level entities/assets a list of generic security objectives effectively addressing the identified generic vulnerabilities previously.

Section 3.2 Requirements from ISO 17799 of the same EBIOS v2 document - Section 5 - Tools (Processing) [5] proposes safety requirements related to each of the clauses of ISO/IEC 17799: 2000 (and not the version of the standard published in 2005 ISO/IEC 27002: 2005).

EBIOS 2010

EBIOS 2010 [6] offers a different presentation from version 2, both in terms of the presentation of threats and the overall approach.

EBIOS 2010 is divided into the following areas:

TYPES OF SUPPORT GOODS

SYS - IT and telephony systems
ORG - Organisations
LOC - Premises

IMPACTS

Impacts on the operation
Human impacts
Impacts on property
Other impacts

SOURCES OF THREATS

Human sources
- Malicious deliberate
  - Internal (human) source
    - Weak capacities
    - Important capacities
    - Unlimited capacities
  - External (human) source
    - Low capacities
    - Important capacities
    - Unlimited capacities
- Accidental without intention to harm
  - Internal (human) source
    - Low capacities
    - Important capacities
    - Unlimited capacities
  - External (human) source
    - Low capacities
    - Important capacities
    - Unlimited capacities
  - Non-human sources

MEHARI Threats by Threat Group

Natural disasters
- Fire
- Water damage
- Natural disasters
Industrial disasters
- Fire
- Water damage
- Industrial disasters
- Mechanical pollution
- Electromagnetic pollution
- Physical or logical failure
- Power cut
- Inadequate temperature and/or humidity conditions
- Communication services failure
- Interruption of other essential services and supplies
- Degradation of information storage media
- Electromagnetic emanations
Unintended errors and failures
- User errors
- Administrator errors
- Control errors (log)
- Configuration errors
- Organizational deficiencies
- Diffusion of harmful software
- Redirection errors
- Sequence errors
- Information leaks
- Information alteration
Introduction of false information
- Information degradation
- Information destruction
- Disclosure of information
- Program vulnerabilities (software)
- Maintenance/program update errors (software)
- Equipment maintenance/updating errors
- System collapse caused by resource depletion
- Loss of equipment
- Staff unavailability
Deliberate attacks
- Configuration manipulation
- Beating user identity
- Abuse of access privileges
- Unintended use
- Diffusion of harmful software
- Message redirection
- Sequence alteration
- Unauthorised access
- Traffic analysis
- Repudiation
- Information interception (listening)
- Modification of information
- Introduction of false information
- Information corruption
- Disclosure of information
- Program manipulation
- Refusal of service
- Theft of equipment
- Destructive attack
- Enemy occupation
- Staff unavailability
- Extortion
- Social engineering