Threat Assessment
Summary
This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the organization. This consists of identifying a particular attacker's history of carrying out specific threats, their capability to carry out those threats currently, and proof that the threat has intent to leverage resources against the target.
Purpose
Checking the assumptions both of the organization and of the auditor by researching the current threats will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations. With greater ownership of the process the staff provides an opportunity to explore their threat landscape and become more engaged in addressing the threats identified when the audit is complete. By engaging with as many staff as possible the auditor is providing a framework for staff to explore threat identification processes when the auditor is gone.
The Flow Of Information
Guiding Questions
- Who are potential adversaries for the organization?
- Do these threat actors have a history of attacks? Against whom?
- What types of organizations have they targeted?
- Does the threat actor have the means to leverage widespread threats against, or will they have to prioritize their targets? Is the organization a priority threat target?
- Do they have the desire and ability to conduct an attack?
Approaches
- Open Source Threat Research: Identify possible adversaries and threats using publicly available reports, news, and databases.
- Threat Mapping: Facilitate group activities where staff identify possible adversaries and the threats that they have/can leverage against the group.
Outputs
- A host driven threat-matrix including the following:
- Adversaries (threat actors) with capabilities and willingness
- Impacts of attacks against critical processes, ranked by severity
- Likelihood of each (based on adversaries)
- Latest general cyber-security threats
- Identify existing in/formal security practices that the participants use to address risks.
Operational Security
- Data generated in this component is highly sensitive - in addition to standard practices of saving only in encrypted containers and destroying physical copy versions (stickies, etc.) ans using VPNs/Tor to conduct research, also take note of the physical location where you are conducting any exercises to prevent eavesdropping/viewing.
Preparation
- Threat Identification works best grounded against mapped out organizational processes or a data/asset map. See the Process Mapping and Data Assessment methods for exercises to generate these.
Resources
Threat Assessment Activities
- Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))
Example text for introducing threats - Integrated Security
Written exercise: Threats assessment - Integrated Security
- manual: Establishing the threat level of direct attacks (targeting) (Protection Manual for Human Rights Defenders)
Threat Modeling Resources (General)
Book: "Threat Modeling: Designing for Security" (Adam Shostack)
Website: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Article: "Security for Journalists, Part Two: Threat Modeling" (Jonathan Stray)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST)
Guide: "Guide for Conducting Risk Assessments" (NIST)
Activity: "Threat Model Activity" (Tow Center )
Threat research by focus area
- Human Rights
- Transparency 1
- Public Service Delivery
- Health
- Free Media and Information
- Threatened Voices: Tracking suppression of online free speech.
- IREX’s Media Sustainability Index (MSI) provides in-depth analyses of the conditions for independent media in 80 countries across the world.
- Freedom House's "Freedom on the Net" index, assessing the degree of internet and digital media freedom around the world.
- Freedom House's "Freedom of the Press" index assess' global media freedom.
- ARTICLE 19 freedom of expression and freedom of information news by region.
- Open Society Foundation - Mapping digital media
- Press Freedom Index (RSF)
- Climate Issues
- Gender Issues
- Poverty Alleviation
- Community Building
- Peace promotion
- Agricultural Development
- Entrepreneurship
- Water, Sanitation
- Transportation
- Disaster Relief
Threat research by method
General Threats by Region
Database: "The Aid Worker Security Database (AWSD) records major incidents of violence against aid workers, with incident reports from 1997 through the present." (The Aid Worker Security Database (AWSD))
*Platform:* "The HumanitarianResponse.info platform is provided to the humanitairan community as a means to aid in coordination of operational information and related activities." (Humanitarian Response)
Organization: "ReliefWeb has been the leading source for reliable and timely humanitarian information on global crises and disasters since 1996." (ReliefWeb)
Legal Threats by Region
Monitor: "CNL's NGO Law Monitor provides up-to-date information on legal issues affecting not-for-profit, non-governmental organizations (NGOs) around the world." (NGO Law Monitor)
Survey: ["This is a survey of existing and proposed laws and regulations on cryptography - systems used for protecting information against unauthorized access."(http://www.cryptolaw.org/)] (The Crypto Law Survey)
List: "Who publishes Transparency Reports? - a list of transparency reports from Google, Facebook, and other popular websites. Cross-check with Alexa for locally popular services" (James Losey)
Article: "Legal Issues in Penetration Testing" (Security Current)
Wiki Page: ["Anti-circumvention: Laws and Treaties"(https://en.wikipedia.org/wiki/Anti-circumvention)] (Wikipedia)
Guide: "Encryption and International Travel" (Princeton University)
List: "National Cyber Security Policy and Legal Documents" (NATO Cooperative Cyber Defence Centre of Excellence)
Technical Threats
Country Profiles: "Current cybersecurity landscape based on the five pillars of the Global Cybersecurity Agenda namely Legal Measures, Technical Measures, Organisation Measures, Capacity Building and Cooperation." ( Global Cybersecurity Index (GCI))
Reports: Privacy International's in-depth country reports and submissions to the United Nations. (Privacy International)
Organization: "The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security." (The Citizen Lab)
Database: "International Cyber Developments Review (INCYDER)" (NATO Cooperative Cyber Defence Centre of Excellence)
Guide: "This handbook sets out an overview of the key privacy and data protection laws and regulations across 72 different jurisdictions, and offers a primer to businesses as they consider this complex area of compliance." (Data Protection Laws of the World - DLA PIPER)
Reports: "Country Reports" (Open Network Inititiative)
Reports: "Regional Overviews" (Open Network Inititiative)
Portal: "Country Level Information security threats" (The ISC Project)
Targeted Malware
- Reports: "APWG Phishing Attack Trends Reports" (Anti-Phishing Working Group)
Censorship and Surveillance Reports
Map: "Cyber-Censorship Map" (Alkasir)
Dashboard: "At-A-Glance Web-Blockage Dashboard" (Herdict )
Travel Threats
List: "Foreign travel advice" (GOV.UK)
List: "Travel Advice" (Australian Government)
Alerts: "Travel Alerts & Warnings" (US Department of State)
List: "List of airlines banned within the EU" (European Commission)
List: "A list of aircraft operators that have that have suffered an accident, serious incident or hijacking." (Aviation Safety Network)
Map: "A global display of Terrorism and Other Suspicious Events" (Global Incident Map)
Activities
undefined
The ISC Project completes evaluations of information security threats in a broad range of countries. The resulting comprehensive written assessments describe each country’s digital security situation through consideration of four main categories: online surveillance, online attacks, online censorship, and user profile/access.↩
EISF distributes frequent analysis and summaries of issues relevant to humanitarian security risk management.↩
