Security

Definition

Security

the quality factor representing the degree to which a system or component prevents, detects, reacts, and adapts to malicious harm to valuable assets caused by attackers

Attacker

The role played by a person or tool when performing an attack or probe

Malicious Harm

Unauthorized harm caused by an attack

Valuable Asset

those assets that are valuable to legitimate stakeholders of the system, whereby:

• The valuable assets can be:
  • People (e.g., developers, users, and the public),
  • Tangible property (e.g., the system and its components, material, facilities, personal property, commercial property, and civic property),
  • Intangible property (e.g., money and reputation),
  • The environment, and
  • Services provided by the system.
• The system is responsible for protecting the valuable assets from harm.
• The harm must be considered significant to at least one of the legitimate stakeholders of the system.

Classification

As illustrated in the preceding figure, Security is part of the following inheritance hierarchy:

• Type: Concrete
• Superclass: Defensibility
• Subclasses:
  • Communications Security (COMSEC), which is the degree to which communications are protected from attack.
  • Computer Security (COMPUSEC), which is the degree to which computers are protected from attack.
  • Emissions Security (EMSEC or Tempest), which is the degree to which systems do not emit radiation that is subject to attack.
  • Information Security (INFOSEC), which is the degree to which stored and manipulated data are protected from attack.
  • Network Security (NETSEC), which is the degree to which networks are protected from attack.
  • Operations Security (OPSEC), which is the degree to which operations are protected from attack.
  • Personal Security (PERSEC), which is the degree to which personnel are protected from attack.
  • Physical Security (PHYSEC), which is the degree to which systems, datacenters, and other facilities are protected from physical attack.

Responsibilities

The typical responsibilities of Security are to:

• Model the degree to which a system or component prevents, detects, reacts, and adapts to malicious harm to valuable assets caused by attackers.
• Support the analysis and specification of security requirements.

Subfactors

As a kind of defensibility, security can be decomposed into the following two hierarchies of security subfactors:

• Defensibility Problem Subfactors.
  Defensibility problem subfactors represent the kinds of problems from which defensibility (including security) is intended to defend systems:
  • Harm.
    Harm (a.k.a., loss) is any significant negative consequence to a valuable asset:
    • Malicious Harm.
      Malicious harm is harm to valuable assets resulting from unauthorized probing or attack by malicious attackers.
  • Incidents.
    An incident is any unplanned, unintended, unauthorized, (but not necessarily unexpected) event or series of related events that could cause unintentional harm to one or more valuable assets:
    • Security Incidents.
      Security incidents are incidents that could cause malicious harm to one or more valuable assets:
      • Probes are security incidents that are not intended by the attacker to cause malicious harm to valuable assets, but rather to make it easier for later attacks to succeed (e.g., by providing the attacker with useful information).
      • Attacks are security incidents intended by an attacker to cause malicious harm to valuable assets:
        • Successful attacks are attacks that succeed in causing malicious harm to one or more assets.
        • Unsuccessful attacks are attacks that do not succeed in causing malicious harm to one or more assets.
  • Dangers.
    Dangers are one or more conditions, situations, or states of a system that in conjunction with conditions in the environment of the system can cause or contribute to the occurrence of one or more related incidents:
    • Threats.
      Threats are dangers that can cause security incidents (e.g., the existance of viruses and malicious attackers with means, motives, opportunities).
  • Risks.
    Risk is the magnitude of the potential harm to a valuable asset occurring due to a danger. A typical conservative measure of risk is the sum (over all dangers) of the products of (1) probability that the danger will cause harm multiplied by (2) the largest credible negative impact of the harm on the asset (i.e., its criticality, severity, or damage). Using the mathematics of conditional probabilities, the probability that a danger will cause harm can be calculated (estimated) as the products of the following terms: (A) the probability that the system-internal dangerous conditions exist multiplied by (B) the probability that the system-external dangerous conditions exist given that the system-internal dangerous conditions exist multiplied by (C) the probability that an incident will occur given that the danger exists multiplied by (D) the probability that the incident will cause the harm given that the incident occurs.
    • Security Risks.
      Security risks are the risks due to threats resulting in attacks causing malicious harm to valuable assets.
• Defensibility Solution Subfactors.
  Defensibility solution subfactors represent the kinds of solutions that defensibility (including security) is intended to provide:
  • Protection.
    Protection is the defensibility subfactor representing the degree to which a system or component prevents [malicious] harm, dangers [threats], [security] incidents, and [security] risks.
  • Detection.
    Detection is the defensibility subfactor representing the degree to which a system or component detects the occurrence of [malicious] harm, dangers [threats], [security] incidents, and [security] risks.
  • Reaction.
    Reaction is the defensibility subfactor representing the degree to which a system or component responds to the occurrence of [malicious] harm, dangers [threats], [security] incidents, and [security] risks. In addition to the common defensibility reaction subfactors, it includes:
    • Prosecution
  • Adaptation.
    Adaptation is the defensibility subfactor representing the degree to which a system or component modifies itself as the result of the occurrence of [malicious] harm, dangers [threats], [security] incidents, and [security] risks to avoid them in the future. In addition to the common defensibility reaction subfactors, it includes:
    • Countermeasure Improvement

The following figure illustrates the decomposition of defensibility and therefore security into the following two hierarchies of subfactors:

The following figure illustrates some of the different kinds of harm to valuable assets:

The following figure illustrates some of the different kinds of incidents:

The following figure illustrates some of the different kinds of dangers:

The following figure illustrates some of the different kinds of risk:

Measures

Security is typically measured in terms of:

• Percentage of sensitive data encrypted

Mechanisms

Typical mechanisms for achieving security include:

• Biometrics
• Digital Signature
• Encryption/Decryption
• Firewall
• Password
• User Identification

Guidelines

The following guidelines have been found to be useful when producing security quality subfactors:

• The term “malicious” is used intentionally to clearly differentiate safety from security and thereby avoid an unnecessary overlap in the taxonomy of quality factors. Thus, safety deals with accidents, whereas security deals with attacks. However, accidents (safety) can result in security vulnerabilities that can be exploited by attacks, at which time their consequences fall within the realm of security. Similarly, attacks may cause safety hazards that in turn may cause accidents
• Malicious Harm.
  Examples of malicious harm includes:
  • Unauthorized access of private data and messages
  • Unauthorized modification (i.e., corruption, lack of integrity of, vandalism):
    • Data (e.g., deletion, location, and change such as alteration of file content, change of file permission, and web page defacement)
    • Hardware (due to tampering)
    • Software (by inserting back doors, viruses, and trojan horses)
    • Personnel (physical attack or corruption due to bribary or extortion)
  • Unauthorized use of systems to:
    • Perform work
    • Perpetrate attacks on third parties (e.g., Denial of Service attacks)
    • Store data (e.g., private files and illegal copies of music, movie files, and software)
  • Theft of:
    • Data
    • Hardware
    • Software
    • Services
    • Money
• Threats.
  Examples of threat [types] include the existance of:
  • Malicious attackers with means, motives, opportunities
  • Viruses and worms
  • Trojan horses
  • Readily available cracking tools
• Security Incidents.
  Examples of security incident [types] include:
  • Denial of Service (DOS) attacks:
    • Jamming attacks
    • SYN flooding attacks
    • Distributed Denial of Service (DDOS) attacks
  • Phishing attacks
  • Session hijacking attacks
  • Repudiation
  • Man-in-the-middle attacks
  • Virus and worm attacks
  • Probes:
    • Automated scans
    • Ping/portscan
    • Social engineering
    • Targeted scans across whole, or large part of, IP range
    • Traceroute
    • Unauthorised password resets
    • Unexpected inquiries into network capabilities/vulnerabilities
• For security subfactor-specific guidelines, see their associated guidelines sections.