An important part of many federal information security regulations, such as the Gramm-Leach-Bliley Act, is to identify and assess threats against information systems. Define and explain the following concepts associated with this process: threats, threat assessment, threat analysis, threat risk, and threat probability.
1. THREATS - In information security, threats can take many forms, such as software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
A threat can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, or harm an object or objects of interest.
Software attacks are attacks by viruses, worms, Trojan horses, etc. Many users believe that malware, viruses, worms, and bots are all the same thing. They are not; the only similarity is that they are all malicious software, and each behaves differently.
Malware is a combination of two terms: malicious and software. Malware basically means malicious software, which can be intrusive program code or anything that is designed to perform malicious operations on a system.
Types of Threats to Information System Security
1. Unauthorized Access (Hacker and Cracker)
One of the most common security risks in relation to computerized information systems is the danger of unauthorized access to confidential data.
2. Computer Viruses
A computer virus is a kind of nasty software written deliberately to enter a computer without the user’s permission or knowledge, with the ability to duplicate itself and thus continue to spread.
3. Theft
The loss of important hardware, software or data can have significant effects on an organization’s effectiveness.
4. Sabotage
With regard to information systems, damage may be on purpose or accidental, and carried out on an individual basis or as an act of industrial sabotage.
2. THREAT ASSESSMENT - A threat assessment is an evaluation of events that can adversely affect operations and/or specific assets. Historical information is a primary source for threat assessments, including past criminal and terrorist events.
A threat assessment is a tool used by law enforcement, government, industry, and most security professionals. These can be very detailed and comprehensive written documents, or simply an awareness of the potential threats faced in various situations. Security guards can utilize this information at the beginning of their duty.
A comprehensive threat assessment considers actual, inherent, and potential threats.
1. Actual Threats
a. The crime history against an asset or at a facility where the asset is located. Actual threats are a quantitative element of a threat assessment.
b. Relevant crimes on the premises (three to five years prior to the date of the incident).
c. Relevant crimes in the immediate vicinity of the facility (three to five years prior to the date of the incident).
2. Inherent Threats
Threats that exist by virtue of the inherent nature or characteristics of the facility or nature of the operation. For example, certain types of facilities or assets may be a crime magnet or prone to loss, damage, or destruction (e.g., assaults among patrons in nightclubs, infant abductions from hospital nurseries, etc.).
3. Potential Threats
Threats that exist by virtue of vulnerabilities around the asset or weaknesses in the security program which produce opportunities for crime to occur.
3. THREAT ANALYSIS - Threat analysis is a process in which the knowledge of internal and external information vulnerabilities pertinent to a particular organization is matched against real-world cyber attacks. With respect to cyber security, this threat-oriented approach to combating cyber attacks represents a smooth transition from a state of reactive security to a proactive one. Moreover, the desired result of a threat assessment is to give best practices on how to maximize the protective instruments with respect to availability, confidentiality and integrity, without compromising usability and functionality.
Components of Threat Analysis as a Process:
a.) Scope
Scope states what is included in the analysis and what is not. In terms of cyber security, the items under consideration are those that must be protected. They need to be identified in the first place, and the analysis drafters should also define the level of sensitivity of what is being guarded.
b.) Data Collection
Every respectable organization has policies and procedures of some sort. Those need to be identified for compliance purposes. In reality, almost one-fourth of the defensive capabilities corporations have in place fail to meet the minimum security standards. In the opinion of Art Gilliland, a senior vice president of the security products unit of Hewlett-Packard, “[t]he reason for that is that they were often pushing to meet a policy – checkboxing for compliance.”
c.) Threat/Vulnerability Analysis of Acceptable Risks
Here we test what has been gathered to determine the level of current exposure and, most of all, whether the current defences are solid enough to neutralize information threats in terms of availability, confidentiality and integrity. This part should also include an evaluation of whether the existing procedures, policies and security measures are adequate. Vulnerability analysis also encompasses penetration testing, which in turn seeks to acquire something valuable from the adversary’s arsenal, like a classified document, code or password.
d.) Mitigation & Anticipation
When all previous steps are completed, a competent security analyst can use this corpus of threat data to group activity patterns of close similarity, attribute each pattern to specific threat actors, promptly implement mitigation measures, and anticipate the emergence of similar cyber attacks in the future.
4. THREAT RISK - The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets.
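The matching of threats against vulnerabilities described under threat analysis and threat risk, as an added example that is not part of the original answer: a small qualitative risk register in Python. All threat, asset and weakness names are constructed sample data, and the low/medium/high scale with its thresholds is an assumption for illustration that records analyst judgement, not a measured probability.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # ordinal scale (assumption)

@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str     # weakness the threat takes advantage of
    likelihood: str   # analyst's qualitative judgement

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str
    sensitivity: str  # sensitivity of the guarded asset, set when scoping

def rating(likelihood, sensitivity):
    """Combine two ordinal judgements into one ordinal rating."""
    score = LEVELS[likelihood] * LEVELS[sensitivity]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def analyse(threats, vulns):
    """Risk exists only where a threat can exploit a vulnerability of an asset."""
    risks, hit_threats, hit_vulns = [], set(), set()
    for v in vulns:
        for t in threats:
            if t.exploits == v.weakness:
                risks.append((v.asset, t.name, rating(t.likelihood, v.sensitivity)))
                hit_threats.add(t)
                hit_vulns.add(v)
    risks.sort(key=lambda r: LEVELS[r[2]], reverse=True)
    return {
        "risks": risks,
        # A threat with nothing to exploit: little/no risk.
        "threat_only": [t.name for t in threats if t not in hit_threats],
        # A weakness no known threat targets: little/no risk, but worth tracking.
        "vulnerability_only": [(v.asset, v.weakness) for v in vulns if v not in hit_vulns],
    }

# Constructed sample data (hypothetical organization).
THREATS = [
    Threat("computer virus", "unpatched software", "high"),
    Threat("unauthorized access", "weak passwords", "medium"),
    Threat("equipment theft", "unlocked server room", "low"),
]
VULNS = [
    Vulnerability("customer database", "weak passwords", "high"),
    Vulnerability("mail server", "unpatched software", "low"),
    Vulnerability("public website", "missing input validation", "low"),
]

if __name__ == "__main__":
    for section, rows in analyse(THREATS, VULNS).items():
        print(section, rows)
```

The `threat_only` and `vulnerability_only` lists are the two "little/no risk" cases from the text; they are reported, not discarded, because a change on either side turns them into risks.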
5. THREAT PROBABILITY - A threat occurrence is a possibility – nothing more, nothing less. The CSO can believe that a certain threat does in fact exist but cannot be sure of it, yet believe the threat will impact the organization but cannot be sure of that either. The CSO can believe that should the threat occur the company will experience loss of some type.
Estimating the probability of occurrence has no reliance on mathematical models, equations, or formulas. Precise numerical quantification is never possible when the factors under examination are influenced in the main by human behavior. A good deal of the analytical input comes from knowing the current nature of a threat, tapping into one’s base of experience, and applying old-fashioned common sense.