Threat Assessment Tools
When considering how various attackers might view your organization, it may be helpful to plot them on a matrix like this.
When considering multiple sources of risk, it may help to categorize and prioritize them based on the attributes of the attacker.
Security Content Automation Protocol (SCAP)
SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation, e.g. FISMA compliance.¹
The National VulnerabilityDatabase (NVD) is the U.S. government content repository for SCAP.²
The SCAP suite of specifications standardize the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.
Components of SCAP include:
Common Vulnerabilities and Exposures (CVE) - a naming system for describing security vulnerabilities
Common Configuration Enumeration (CCE) - a naming system for system configuration issues.
Common Vulnerability Scoring System (CVSS) - a standardized scoring system for describing the severity of security vulnerabilities.
Common Platform Enumeration (CPE) - a standardized method of describing and identifying classes of applications, operating systems, and hardware devices.
Extensible Configuration Checklist Description Format (XCCDF) - an XML format specifying security checklists, benchmarks and configuration documentation.
Open Vulnerability and Assessment Language (OVAL) - a language for describing security testing procedures
STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats.³
It provides a mnemonic for security threats in six categories (threatened attributes are in brackets). The threats are:
Spoofing of user identity (Authenticity)
Information disclosure / privacy breach or data leak (Confidentiality)
Denial of service (Availability)
Elevation of privilege (Authorization)
¹ Computer Security Division, Information TechnologyLaboratory.‘Security Content Automation Protocol | CSRC’.CSRC | NIST, 7 December 2016. https://csrc.nist.gov/projects/security-content-automation-protocol/.
² ‘Home | OpenSCAP Portal’. Accessed 5 September 2019. https://www.open-scap.org/.
³ ‘STRIDE (Security)’. In Wikipedia, 29 September 2019. https://en.wikipedia.org/w/index.php?title=STRIDE_(security)&oldid=918601029.