
1 Potential Assets and Threats to Be Analyzed

the network architecture and design where security can reasonably and effectively be implemented.

A threat analysis typically consists of identifying the assets to be protected, as well as identifying and evaluating possible threats. Assets may include, but are not restricted to:

• User hardware (workstations/PCs)
• Servers
• Specialized devices
• Network devices (hubs, switches, routers, OAM&P)
• Software (OS, utilities, client programs)
• Services (applications, IP services)
• Data (local, stored, archived, databases, data in transit)

And threats may include, but are not restricted to:

• Unauthorized access to data
• Unauthorized disclosure of information
• Denial of service
• Theft of data
• Corruption of data
• Viruses, worms, Trojan horses
• Physical damage

One method to gather data about security and privacy for your environment is to list the threats and assets on a worksheet. This threat analysis worksheet can then be distributed to users, administration, and management, even as part of the requirements analysis process, to gather information about potential security problems.

CHAPTER 9 Security and Privacy Architecture

Effect/Likelihood        User Hardware  Servers  Network Devices  Software  Services  Data
Unauthorized Access      B/A            B/B      C/B              A/B       B/C       A/B
Unauthorized Disclosure  B/C            B/B      C/C              A/B       B/C       A/B
Denial of Service        B/B            B/B      B/B              B/B       B/B       D/D
Theft                    A/D            B/D      B/D              A/B       C/C       A/B
Corruption               A/C            B/C      C/C              A/B       D/D       A/B
Viruses                  B/B            B/B      B/B              B/B       B/C       D/D
Physical Damage          A/D            B/C      C/C              D/D       D/D       D/D

Effect: A: Destructive, B: Disabling, C: Disruptive, D: No Impact
Likelihood: A: Certain, B: Likely, C: Unlikely, D: Impossible

FIGURE 9.2 An Example of a Threat Analysis Worksheet for a Specific Organization

An example of such a worksheet is presented in Figure 9.2. The results shown in this worksheet were determined during the requirements analysis process and are specific to a particular organization.
Depending on the organization, the results of a threat analysis can be quite different from those shown in Figure 9.2. For example, a threat analysis can consist of the information and assets that need to be protected, in terms of confidentiality, integrity, and availability. This analysis can be combined with lists of currently known threats, as well as potential vulnerabilities.

Threat analyses are by their nature subjective. One way to minimize the degree of subjectivity is to have representatives from various groups of the organization participate in the analysis process. This brings many different perspectives into the analysis. It is also recommended that you review your threat analysis periodically, such as annually, to identify changes in your environment. As an organization grows and changes, and as the outside world changes, the degrees and types of threats to that organization will also change.
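One way to combine worksheets returned by several groups and to surface the cells where their ratings diverge, as an added example that is not from the original text. It assumes cells are written as Effect/Likelihood letter pairs on the A to D scales of Figure 9.2; the sample responses, the median rule, and the `max_spread` threshold are constructed assumptions.

```python
from statistics import median_low

LEVELS = "ABCD"  # Figure 9.2 legend: A = Destructive/Certain ... D = No Impact/Impossible

# Constructed sample worksheets (not data from the book), keyed by (asset, threat).
RESPONSES = {
    "users": {
        ("Servers", "Denial of Service"): "B/B",
        ("Data", "Theft"): "A/B",
        ("User Hardware", "Viruses"): "C/B",
    },
    "administration": {
        ("Servers", "Denial of Service"): "B/B",
        ("Data", "Theft"): "A/D",
        ("User Hardware", "Viruses"): "B/B",
    },
    "management": {
        ("Servers", "Denial of Service"): "A/C",
        ("Data", "Theft"): "A/B",
        ("User Hardware", "Viruses"): "B/A",
    },
}

def parse(cell):
    """Convert an 'Effect/Likelihood' cell such as 'B/A' to ordinal ranks (1, 0)."""
    parts = [p.strip().upper() for p in cell.split("/")]
    if len(parts) != 2 or any(len(p) != 1 or p not in LEVELS for p in parts):
        raise ValueError(f"bad worksheet cell: {cell!r}")
    return LEVELS.index(parts[0]), LEVELS.index(parts[1])

def consolidate(responses, max_spread=1):
    """Return {cell: (median rating, respondents, needs_discussion)}.

    needs_discussion is True when groups differ by more than max_spread
    levels on Effect or on Likelihood (an assumed threshold).
    """
    ratings = {}
    for sheet in responses.values():
        for key, cell in sheet.items():
            ratings.setdefault(key, []).append(parse(cell))
    result = {}
    for key, pairs in ratings.items():
        dims = list(zip(*pairs))  # (all effects, all likelihoods)
        spread = max(max(d) - min(d) for d in dims)
        consensus = "/".join(LEVELS[median_low(d)] for d in dims)
        result[key] = (consensus, len(pairs), spread > max_spread)
    return result

if __name__ == "__main__":
    for (asset, threat), (rating, n, flag) in consolidate(RESPONSES).items():
        note = "  <- groups disagree, review together" if flag else ""
        print(f"{asset:14} {threat:18} {rating} ({n} groups){note}")
```

Re-running the same consolidation at each periodic review and comparing it with the previous result shows which cells have shifted as the environment changed.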