
part of your threat scenarios but does not fall into the above classes

Which types of components are related to the system of interest? From which types of hosts can the system of interest be legitimately accessed? Desktop machines? Home machines? Laptops? Cellular phones? Handheld devices? Others?

How could threat actors access the system of interest? Via the Internet? Via the internal network? Shared external networks? Wireless devices? Others?

Which types of components could a threat actor use to access the system of interest?

Which could serve as intermediate access points? Consider physical and network access to servers, networking components, security components, desktop workstations, home machines, laptops, storage devices, wireless components, and others.

What other systems could a threat actor use to access the system of interest?

Based on your answers to the above questions, which classes of components could be part of the threat scenarios?

By answering these questions, you are reviewing access paths for each system of interest.

Remember to refer to your network topology as needed. When you identify which classes of components could be part of the threat scenarios, record this information and the rationale for selecting each key component class.

In our example, the analysis team selected key classes of components for each system of interest. In performing this step, the members of the analysis team from the administrative and clinical parts of the organization described how they used the systems to access information. The members of the team with information technology skills (remember that the team included three additional people with information technology skills for this workshop) reviewed the information about how systems are accessed in relation to the organization's network topology to identify the key classes of components. Figure 7-4 shows the key classes of components for PIDS and the rationale for selecting each; Figure 7-5 shows the network topology map used to identify the component classes. A check mark by a class in Figure 7-4 indicates that the team selected it as a key component class for PIDS. The team also recorded its reasons for selecting each class for PIDS.

Figure 7-4. Key Classes of Components

Figure 7-5. Access Paths and Key Classes of Components for PIDS

As the analysis team was reviewing the access paths for PIDS using the network topology (see Figure 7-5), the team members made some interesting observations. They noticed that several access paths relied upon components that were controlled by other organizations or by individuals, for example:

ABC Systems had access to MedSite's internal network via a connection that bypassed the firewall.

Staff with home machines could gain remote access to PIDS via the Internet and MedSite's Internet Service Provider.

Equipment used by ABC Systems, the Internet service provider, and home users could not be examined for technology vulnerabilities during the risk evaluation, because those components are not owned by MedSite. However, if any of those components have technology vulnerabilities, information belonging to MedSite could be at risk. The analysis team checked to see whether this presented any threats that had not been recorded on the "human actors using network access" threat trees for the applicable critical assets. They also recorded these observations as contextual notes on the appropriate threat trees. As they talked among themselves, the team members agreed that these were broad issues with policy implications for the organization. They agreed to revisit the issues during process 8, when they develop risk mitigation plans and a protection strategy.
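The access-path review described above can be made mechanical once the topology is written down. The following Python script is an added example, not code from the OCTAVE book or the MedSite case: it encodes a constructed, simplified version of the PIDS topology (the node names, component classes, owners, and links are assumptions, not Figure 7-5), enumerates every loop-free path from an entry point to the system of interest, and flags the two observations the analysis team made: components that MedSite does not control and therefore cannot examine, and paths that reach MedSite equipment without first crossing a security component such as the firewall. The classes that appear on any path are the candidates for the key component classes.

```python
"""Access-path review for a system of interest over a topology graph.

Added example, not part of the OCTAVE book. The topology below is a
constructed, simplified stand-in for the MedSite/PIDS network (an assumption,
not Figure 7-5): node names, classes, owners, and links are illustrative.
"""
from collections import defaultdict

ORG = "MedSite"                 # organization performing the evaluation
SYSTEM_OF_INTEREST = "pids_server"

# Each component records its class and which party controls it.
NODES = {
    "home_pc":      {"class": "home machine",        "owner": "staff"},
    "internet":     {"class": "external network",    "owner": "public"},
    "isp":          {"class": "external network",    "owner": "ISP"},
    "abc_systems":  {"class": "external system",     "owner": "ABC Systems"},
    "firewall":     {"class": "security component",  "owner": ORG},
    "internal_net": {"class": "internal network",    "owner": ORG},
    "clinical_ws":  {"class": "desktop workstation", "owner": ORG},
    "pids_server":  {"class": "server",              "owner": ORG},
}

# Directed "can reach" links. The ABC Systems link enters the internal
# network directly, bypassing the firewall, as the text describes.
EDGES = [
    ("home_pc", "internet"),
    ("internet", "isp"),
    ("isp", "firewall"),
    ("firewall", "internal_net"),
    ("abc_systems", "internal_net"),
    ("internal_net", "clinical_ws"),
    ("clinical_ws", "pids_server"),
    ("internal_net", "pids_server"),
]


def adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def access_paths(edges, source, target):
    """All simple (loop-free) paths from source to target, depth-first."""
    adj = adjacency(edges)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in adj[node]:
            if nxt not in path:          # never revisit a node on this path
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])
    return paths


def entry_points(nodes, edges):
    """Components with no inbound link: where an access path can begin."""
    reachable = {dst for _, dst in edges}
    return [n for n in nodes if n not in reachable]


def outside_control(path, nodes, org=ORG):
    """Components on the path that org does not own and so cannot examine."""
    return [n for n in path if nodes[n]["owner"] != org]


def bypasses_controls(path, nodes, org=ORG):
    """True if the first org-owned component reached is not a security
    component, i.e. the path enters the organization around the firewall."""
    for n in path:
        if nodes[n]["owner"] == org:
            return nodes[n]["class"] != "security component"
    return False


def review_access(nodes, edges, target, org=ORG):
    """One finding per access path into the system of interest."""
    findings = []
    for src in entry_points(nodes, edges):
        for path in access_paths(edges, src, target):
            findings.append({
                "path": path,
                "outside_control": outside_control(path, nodes, org),
                "bypasses_controls": bypasses_controls(path, nodes, org),
            })
    return findings


def key_component_classes(findings, nodes):
    """Classes seen on at least one access path: candidate key classes."""
    return sorted({nodes[n]["class"] for f in findings for n in f["path"]})


if __name__ == "__main__":
    results = review_access(NODES, EDGES, SYSTEM_OF_INTEREST)
    for r in results:
        print(" -> ".join(r["path"]))
        print("   not examinable:", r["outside_control"])
        print("   bypasses controls:", r["bypasses_controls"])
    print("candidate key classes:", key_component_classes(results, NODES))
```

Each flagged path is the kind of observation the team recorded as a contextual note on the threat trees; the bypass check generalizes the ABC Systems finding to any link that enters the organization's equipment without passing a security component first.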

This concludes the first activity of process 5. In the next activity you select specific components from each key class to evaluate for technology vulnerabilities.

7.3 Identify Infrastructure Components to Examine

Recall that focus on the critical few is a guiding principle of this evaluation process. In this activity you follow that principle when you select specific components from each key class to examine for technology vulnerabilities.

One point that needs to be emphasized here is the difference between performing a vulnerability evaluation in the context of a risk evaluation and doing so in the context of an ongoing vulnerability management practice. During this activity your goal is to select enough components from each key class to enable you to gain an understanding of how vulnerable your computing infrastructure currently is.

By contrast, when you form your risk mitigation plans in process 8, you may decide that vulnerability management is a practice that your organization should undertake to mitigate your risks. (The catalog of practices in Appendix C presents more information about vulnerability management.) As part of that ongoing vulnerability management practice, you periodically examine all components of your infrastructure. Your goal in vulnerability management is to continually identify and then eliminate technology vulnerabilities in your computing infrastructure. In this activity, by contrast, you target your collection of vulnerability information at a representative sample.

Step 1: Select Specific Components

In this step you answer the following two questions:

Which specific component(s) in this class will we evaluate for vulnerabilities?

What is our rationale for selecting those specific component(s)?

Look at the key classes of components you identified for your critical assets. Review your organization's network topology diagram in relation to each key class of component for that critical asset. You must determine how many infrastructure components to evaluate from each class. You need to evaluate enough components from each class to get a sufficient understanding of the vulnerability status of a "typical" component from the class. As you select specific components to evaluate, consider the following questions:

Is the infrastructure component typical of its class?

How accessible is the infrastructure component? Is it "owned" by another organization? Is it a home machine?

How critical is the infrastructure component to business operations? Will you be interrupting business operations when you evaluate the component?

Will special permission or scheduling be required to evaluate the component?

When you select a specific component, you also need the Internet Protocol (IP) address and the host name as registered in the domain name system (DNS), that is, the fully qualified domain name (FQDN) of the device.

Remember to select one or more components in each key class. Once you have chosen components from a class, you need some consistent way of identifying them. We suggest using components' IP addresses and host/DNS names. In larger organizations, IP addresses can change on a daily basis for many components, although this is not likely for servers, routers, and firewalls. Recording the fully qualified domain name of the component identifies it more reliably than the IP address alone, because services like DHCP (dynamic host configuration protocol) may assign a machine a different IP address each time it boots or renews its lease. Record the IP addresses and fully qualified domain names as well as the rationale for selecting those devices.

You'll need to select infrastructure components from each key class for all critical assets. Keep in mind that some components will be important to more than one critical asset. As you select components to evaluate, look for any overlaps and redundancy across critical assets.