- Treat threat and adversary data with the utmost security.
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and whether the room can be secured if the activity will span long or overnight breaks (stickies left on a wall are readable by anyone who enters).
Also review the Threat Identification exercises below and tailor them to the information-gathering needs revealed by your interactions with the organization.
Threat Brainstorming (15 minutes)
Split participants into small groups. Grouping is particularly valuable for larger organizations, but even in small ones, having several separate groups helps reveal which threats staff share as concerns. If the organization is too small to split into groups, have each staff member brainstorm individually.
Have each group or staff member quickly write down any possible "threat" they or the organization face. Some examples ("kidnapping," "website hacked") can help seed this activity.
If you have stickies in several colors, have participants color-code each threat as "physical," "digital," or "other/both"; this makes the interrelation of physical and digital threats visible during clustering.
Keep reminding participants of the time remaining to keep them brainstorming rather than discussing threat details or arguing over whether a threat is physical or digital.
Threat Clustering and Discussion
After the brainstorming (or other exercises to generate or present a list of concerns), gather and cluster the stickies on a wall, revealing duplicate concerns across the groups and thematic areas of concern.
As clusters become clear, ask whether any events similar to a clustered threat have already happened to the organization. What was the impact? Has it happened more than once? Regularly? Mark these threats.
Note: Some of these threats may correspond to traumatic experiences. Consider skipping public discussion of past occurrences if many of the threats from the brainstorm (or those from one person or group in particular) are especially intense.
Select one of the threats that emerged as a concern from the clustering to place at the center of a "bow-tie" like drawing on a whiteboard or flip-chart paper.
Ask what other identified threats could follow from this one, supplementing the participants' responses with additional threats. For example, a hacked website could lead to loss of trust by funders or partners. "Chain reactions" can be drawn as lines of events (loss of trust by funders could lead to a loss of funding). Do the same for the threats that could lead to the central threat: confiscation of a device could lead to email hacking, for example. Some threats can be both potential causes and secondary effects.
Close this out with a discussion of how every threat is potentially connected to both digital and physical impacts.
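The cause-and-effect chains on the bow-tie can be treated as a directed graph, which makes it easy to enumerate every chain into and out of the central threat and to spot the threats that play both roles. The following Python is an added example and not part of the original text or of SAFETAG; its edge list is constructed from the links the exercise uses (device confiscation, email hacking, website hacking, loss of trust, loss of funding) plus one assumed link from a hacked website back to a hacked email account, included so the traversal has to handle a cycle.

```python
"""Bow-tie threat chains modelled as a directed graph (added example)."""
from collections import defaultdict

# Constructed edge list of (cause, effect) pairs. The first five links are the
# ones named in the exercise; the last is an assumed link (an admin password
# recovered from the hacked website reused for email) added to form a cycle.
EDGES = [
    ("device confiscated", "email hacked"),
    ("email hacked", "website hacked"),
    ("website hacked", "loss of trust by funders"),
    ("loss of trust by funders", "loss of funding"),
    ("website hacked", "loss of trust by partners"),
    ("website hacked", "email hacked"),  # assumed, creates the cycle
]


def build_graph(edges):
    """Return forward (cause -> effects) and reverse (effect -> causes) maps."""
    forward, reverse = defaultdict(list), defaultdict(list)
    for cause, effect in edges:
        forward[cause].append(effect)
        reverse[effect].append(cause)
    return forward, reverse


def chains_from(adjacency, start):
    """Enumerate every simple path that starts at `start`.

    A threat already on the current path is not revisited, so the
    email/website cycle ends the chain instead of recursing forever.
    Returns a list of paths; each path is a list beginning with `start`.
    """
    paths = []

    def walk(node, path):
        nexts = [n for n in adjacency.get(node, []) if n not in path]
        if not nexts:
            if len(path) > 1:
                paths.append(path)
            return
        for nxt in nexts:
            walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def bow_tie(edges, center):
    """Left side: chains leading to `center`; right side: chains it triggers."""
    forward, reverse = build_graph(edges)
    causes = [list(reversed(p)) for p in chains_from(reverse, center)]
    effects = chains_from(forward, center)
    return {"causes": causes, "effects": effects}


def dual_role_threats(edges, center):
    """Threats that sit both upstream and downstream of `center`."""
    tie = bow_tie(edges, center)
    upstream = {t for p in tie["causes"] for t in p[:-1]}
    downstream = {t for p in tie["effects"] for t in p[1:]}
    return upstream & downstream


if __name__ == "__main__":
    tie = bow_tie(EDGES, "website hacked")
    for side in ("causes", "effects"):
        print(side + ":")
        for chain in tie[side]:
            print("  " + " -> ".join(chain))
    print("both cause and effect:", sorted(dual_role_threats(EDGES, "website hacked")))
```

Run with "website hacked" as the central threat, the left side of the bow-tie is the single chain device confiscated -> email hacked -> website hacked, the right side fans out to funders, partners and (through the assumed link) back to email, and "email hacked" is reported as the one threat that is both a cause and an effect.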
Threat Analysis Worksheet
The auditor should be able to adapt and complete a worksheet like the one below at the end of this process. Particularly advanced organizations may be able to fill it out themselves as a survey.
Calculative Impact Identification

1. Accidental destruction, modification, or disclosure of confidential information
2. Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge
3. Workload: too many or too few system administrators, highly pressured users
4. Users may inadvertently give information on security weaknesses to attackers
5. Incorrect system configuration
6. Inadequate security policy
7. Dishonesty: fraud, theft, selling of confidential information
8. Attackers may use the telephone to impersonate employees and persuade users/administrators to give out user names, passwords, etc.

1. Unauthorized use of "logged-in" computers
2. Installation of unauthorized software or hardware
3. Denial of service due to website traffic, large PING packets, etc.
4. Malware in programs, documents, e-mail attachments, etc.

IDENTIFICATION AUTHORIZATION THREATS
1. Attack software masquerading as normal programs (Trojan horses)
2. Attack hardware masquerading as normal commercial hardware
3. External attackers masquerading as valid users
4. Internal attackers masquerading as valid users

1. Telephone eavesdropping (via telephone bugs, inductive sensors, or service providers)
2. Electromagnetic eavesdropping
3. Rubbish eavesdropping (analyzing waste for confidential documents, etc.)
4. Planted bugs in the building

1. Deliberate damage of information by external sources
2. Deliberate damage of information by internal sources
3. Deliberate modification of information

ACCESS CONTROL THREATS
1. Password cracking (access to password files, use of default/weak passwords, etc.)
2. External access to password files, and sniffing of the network
3. Unsecured maintenance of online services, developer backdoors
4. Bugs in network software that open unknown/unexpected security holes (which can be exploited from outside to gain access)
5. Unauthorized physical access to systems

1. Failure to comply with legal requirements
2. Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (e.g., incitement to racism, gambling, money laundering, distribution of pornographic or violent material)
3. Liability for damages if an internal user attacks other sites

RELIABILITY OF SERVICE THREATS
1. Major natural disasters: fire, water, earthquake, floods, power outages, etc.
2. Minor natural disasters, of short duration or causing little damage
3. Equipment failure from defective hardware, cabling, or communications systems
4. Denial of service due to network abuse: misuse of routing protocols to confuse and mislead systems
5. Downloading of malicious applets, ActiveX controls, macros, PostScript files, etc. through the browser
6. Sabotage: physical destruction of network interface devices, cables
Risk = Impact * Likelihood

Impact scale:

| Score | Impact |
|---|---|
| 1 | Negligible |
| 2 | Minor: major organization operations are not affected |
| 3 | Organization operations are unavailable for a certain amount of time and costs are incurred; public/customer confidence is minimally affected |
| 4 | Significant loss of operations; significant impact on public/customer confidence |
| 5 | Disastrous: systems are down for an extended period; rebuilding and replacement of systems is required |
| 6 | Catastrophic: critical systems are completely down for an extended period; data is lost or irreparably corrupted; public and customers are totally affected |

Likelihood scale:

| Score | Likelihood |
|---|---|
| 0 | Unlikely to occur |
| 1 | Likely to occur less than once per year |
| 2 | Likely to occur once per year |
| 3 | Likely to occur once per month |
| 4 | Likely to occur once per week |
| 5 | Likely to occur daily |

With these scales the risk score runs from 0 (any threat rated "unlikely to occur", whatever its impact) to 30 (catastrophic and daily).
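Scoring a completed worksheet with the two scales above, as an added example rather than part of the original text or of SAFETAG. The threat entries and their scores are constructed for illustration. Besides ranking, the block flags a property of the formula worth keeping in mind when reading the results: a likelihood of 0 gives a risk of 0 regardless of impact, so a catastrophic but "unlikely" threat ends up tied with a negligible one and disappears from the top of the list.

```python
"""Risk = Impact * Likelihood scoring for the threat worksheet (added example)."""

# Scales copied from the two tables above.
IMPACT = {
    1: "negligible",
    2: "minor; major operations not affected",
    3: "operations unavailable for a time, costs incurred, confidence minimally affected",
    4: "significant loss of operations and of public/customer confidence",
    5: "disastrous; systems down for an extended period, rebuild and replacement required",
    6: "catastrophic; critical systems down, data lost or corrupted, public and customers totally affected",
}
LIKELIHOOD = {
    0: "unlikely to occur",
    1: "less than once per year",
    2: "once per year",
    3: "once per month",
    4: "once per week",
    5: "daily",
}
MAX_RISK = max(IMPACT) * max(LIKELIHOOD)  # 6 * 5 = 30

# Constructed worksheet entries: (threat, impact score, likelihood score).
THREATS = [
    ("website hacked", 3, 2),
    ("malware in email attachments", 2, 4),
    ("device confiscated at border", 5, 1),
    ("office fire", 6, 0),
    ("phishing for passwords", 4, 3),
    ("power outage", 2, 3),
]


def risk(impact, likelihood):
    """Apply the formula, rejecting scores outside the worksheet's scales."""
    if impact not in IMPACT:
        raise ValueError(f"impact must be one of {sorted(IMPACT)}, got {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be one of {sorted(LIKELIHOOD)}, got {likelihood!r}")
    return impact * likelihood


def rank_threats(threats):
    """Score every entry and sort by risk, breaking ties in favour of higher impact."""
    scored = [
        {"threat": name, "impact": imp, "likelihood": lik, "risk": risk(imp, lik)}
        for name, imp, lik in threats
    ]
    return sorted(scored, key=lambda t: (-t["risk"], -t["impact"], t["threat"]))


def masked_by_zero_likelihood(threats, min_impact=5):
    """Threats rated 'unlikely' whose impact is still disastrous or worse.

    They score 0, the same as a negligible threat, so a ranked list hides
    them; the auditor should confirm 'unlikely' was meant rather than
    'less than once per year'.
    """
    return [name for name, imp, lik in threats if lik == 0 and imp >= min_impact]


if __name__ == "__main__":
    for row in rank_threats(THREATS):
        print(f"{row['risk']:2d}/{MAX_RISK}  {row['threat']}  "
              f"(impact {row['impact']}, likelihood {row['likelihood']})")
    print("zero-risk but high-impact:", masked_by_zero_likelihood(THREATS))
```

The tie-break matters in practice: "website hacked" (impact 3, likelihood 2) and "power outage" (impact 2, likelihood 3) both score 6, and sorting by impact second keeps the higher-impact threat above the more frequent nuisance. The separate zero-likelihood check surfaces "office fire", which the ranking alone would leave at the bottom alongside trivial items.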