Threat Catalogue
THREAT CATALOG use case: What natural and man-made threats affect control execution? (e.g., if the threat materializes, will the control function as expected?)
Definition of Threat |
---|
noun A person or thing likely to cause damage or danger. |
verb To indicate impending damage or danger. |
Logical Threats
Category: Intentional
Sub-Category: Conflict
Struggle resulting from incompatible or opposing needs, drives, wishes, or external or internal demands.
ID | Threat | Description |
---|---|---|
LIC1 | Sabotage | Deliberate actions aimed to cause disruption or damage to information and/or IT assets for financial or personal gain. |
LIC2 | Terrorism | The use of violence as a means to create terror or fear among masses of people in order to achieve a financial, political, religious, or ideological aim. |
LIC3 | Vandalism | Deliberate destruction or damage to information and/or IT assets, but not for personal gain. |
LIC4 | Warfare | Damage to assets, facilities, and employees due to war or armed conflict. |
Sub-Category: Misappropriation
Dishonestly or unfairly taking for one's own use.
ID | Threat | Description |
---|---|---|
LIM1 | Embezzlement | To appropriate something, such as property entrusted to one's care, fraudulently to one's own use. A form of theft through fraud. |
LIM2 | Extortion | The act of obtaining money, property, or services from an organization through coercion. A form of theft through use of force or intimidation to obtain compliance. |
LIM3 | Fraud | Deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. |
LIM4 | Theft | The act of logically stealing and/or removing property with intent to deprive the rightful owner of it. |
Sub-Category: Nefarious
Flagrant breaching of time-honored laws and traditions of conduct.
ID | Threat | Description |
---|---|---|
LIN1 | Abuse of Authorizations | Using authorized access to perform illegitimate actions. |
LIN2 | Address Space Hijacking | The illegitimate takeover of groups of IP addresses. |
LIN3 | Alteration of Software | Unauthorized modifications to code or configuration data, attacking its integrity. |
LIN4 | Anonymous Proxies | Access of websites through chains of HTTP proxies (obfuscation), bypassing the security mechanism(s). |
LIN5 | Autonomous System Hijacking | Overtaking, by the attacker, the ownership of a whole autonomous system and its prefixes, despite origin validation. |
LIN6 | Brute Force | Unauthorized access via systematically checking all possible keys or passwords until the correct one is found. |
LIN7 | Code Injections | Exploiting bugs, design flaws, or configuration oversights in an operating system or software application to gain elevated access to resources. |
LIN8 | Command Injection | Execution of arbitrary commands on the host operating system via a vulnerable application. This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code. Also known as "Remote Command Execution." |
LIN9 | Compromised Credentials | An account/ID/username has been used or accessed by an unauthorized means. |
LIN10 | Denial of Service | Service unavailability due to a massive number of requests for services from a single point. |
LIN11 | Distributed Denial of Service | Service unavailability due to a massive number of requests for access to network services from multiple malicious clients. |
LIN12 | DNS Spoofing | Domain name server cache poisoning or spoofing to divert traffic to malicious servers. |
LIN13 | Drive By Download | A compromised website that has a user unintentionally download malware. |
LIN14 | Elevated Privileges | Roles or permissions with more than the normal level of access that, if compromised, could allow a person to exploit the systems for personal gain or illicit purpose. |
LIN15 | Emission Attacks | Spying on information through capturing emanations from operational equipment. |
LIN16 | HTML Script Injection | A type of injection in which malicious scripts are injected into otherwise benign and trusted websites. |
LIN17 | Information Sharing | The deliberate sharing of information with unauthorized entities, such as emailing sensitive information or file transfers. |
LIN18 | IP Spoofing | A method of attack in which incorrect IP addresses are used to disguise the attacker's identity from the system being attacked. |
LIN19 | LDAP Injection | Exploitation of web-based applications that construct LDAP statements from user input. |
LIN20 | MAC Spoofing | An attacker can change the Media Access Control (MAC) address of their device and send Ethernet frames in the network segment with a different ID, which can result in the possible circumvention of security mechanisms which are based solely on the use of a MAC address. |
LIN21 | Malicious Code Execution | Injection of malicious code to extend the functionality of an application or information system without having to execute commands. |
LIN22 | Man in the Middle | A type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems. |
LIN23 | Manipulation of an Encryption Module | Modification of an encryption module in order to read secret keys, change keys, or change security parameters. |
LIN24 | Manipulation of Data | The modification of data with the intent to cause loss of integrity. |
LIN25 | Masquerade/Pretexting | Lying or deceiving to pretend to be someone one is not. |
LIN26 | Message Replay | Threat in which a valid data transmission is maliciously or fraudulently repeated or delayed. |
LIN27 | Misuse of Audit Tools | The malicious use of network scanning tools to discover open and possibly unused ports, protocols, and services as well as vulnerabilities. |
LIN28 | Network Intrusion | Unauthorized access to a network. |
LIN29 | Network Sniffing | Identifying information about a network to find security weaknesses. |
LIN30 | Phishing | An email fraud method in which the perpetrator sends out legitimate-looking emails in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites. |
LIN31 | Quid Pro Quo | The attacker promises to provide a benefit or service in return for vital access or details. |
LIN32 | Ransomware | Infection of a computer system or device by malware that restricts access to the system and information while demanding that the user pays a ransom to remove the restriction. |
LIN33 | Remote Access Trojan (RAT) | Remote administration capabilities, allowing an attacker to control the victim's computer. |
LIN34 | Repudiation of Actions | Intentional data manipulation to repudiate action. |
LIN35 | Reverse Engineering (RE) | The process by which a man-made object is deconstructed to reveal its design, architecture, or to extract knowledge from the object. |
LIN36 | Rogue Access Points | Unauthorized access via unmanaged access points to an organization's managed network. |
LIN37 | Rogue Certificates | Use of rogue certificates: certificates validly issued by a legitimate certificate authority but which are nonetheless untrustworthy. |
LIN38 | Rogue Security Software | Malicious software that misleads users about their computer's security in order to manipulate them. |
LIN39 | Rootkits | A set of software tools that enable an unauthorized user to gain control of a computer system without being detected. |
LIN40 | Routing Table Manipulation | Routing network packets to IP addresses not intended by sender via unauthorized manipulation of routing table. |
LIN41 | Search Engine Poisoning | Deliberate manipulation of search engine indexes to direct a user to malicious content on falsified sites. |
LIN42 | Server-Side Includes (SSI) Injection | Allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. |
LIN43 | SPAM | Receiving unsolicited, undesired, or illegal email messages. |
LIN44 | Spear Phishing | Phishing while tailoring the email to a specific audience. |
LIN45 | Spyware | Software that aims to gather information about a person or organization without their knowledge. |
LIN46 | SQL Injection | Takes advantage of the syntax of SQL to inject commands that can read or modify a database, or compromise the meaning of the original query. |
LIN47 | Trojan | Any malicious computer program which misleads users of its true intent. |
LIN48 | Unacceptable Use | Not abiding by the rules defined as acceptable by the governing or owning entity. |
LIN49 | Unauthorized Access | Attaining logical access without permission or approval. |
LIN50 | Unauthorized Encryption | Use of an unauthorized (insecure) encryption module that can lead to a false sense of protection for the data that the encryption was meant to provide. |
LIN51 | Unauthorized Software Installation | The intentional installation of unmanaged or unauthorized software. |
LIN52 | Virus | A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk. |
LIN53 | Vishing | A form of fraud using voice over internet protocol in which individuals are tricked into revealing sensitive information or granting unauthorized access to it. |
LIN54 | War Driving | The act of locating and possibly exploiting wireless networks. Example: Access Point Mapping. |
LIN55 | Watering Holes | Malware residing on the websites which a group often uses. |
LIN56 | Web Spoofing | Web spoofing occurs when an attacker forges an existing website (i.e., an attacker designs a fake website in such a way that it looks like the website of a known organization). The attacker attempts to draw users to the website with the objective of launching further attacks. |
LIN57 | Whaling | A form of spear phishing that targets senior management, executives, or prominent individuals in order to gain access to sensitive information. |
LIN58 | Wire Tapping | The surreptitious electronic monitoring of Internet-based communications. |
LIN59 | Worms | Self-propagating, standalone malicious software. |
Category: Unintentional
Sub-Category: Failure
Unexpected system degradation or failure.
ID | Threat | Description |
---|---|---|
LUF1 | Third-Party Services | Failure or disruption of third-party services required for proper operation of information systems. Example: Resources or Supporting Systems. |
LUF2 | Database Systems | A database failure that may result in systems or applications not being available, which can have a significant impact on business operations, resulting in financial loss or potential brand damage. |
LUF3 | Network Bandwidth | When the bandwidth of the network is insufficient, the transmission rate in the network (and eventually the availability in the network) will be severely limited to the organization's users, resulting in potential business disruptions. |
LUF4 | Network Routing | Failure of network routing, the process of selecting a path for traffic in a network, or between or across multiple networks. |
LUF5 | Software/Code | The failure of programs and other operations used by a computer. |
LUF6 | Storage | Failure of storage, the retention of retrievable data on a computer or other electronic system; memory. |
LUF7 | Virtual Parts & Components | The failure/malfunction of virtual parts and components of IT hardware (e.g., motherboard, CPU, RAM, video card, hard drive, power supply). Failure of virtual IT. |
Sub-Category: Human
Human oriented errors or mistakes.
ID | Threat | Description |
---|---|---|
LUH1 | Data Sharing/Leakage | Unintentional distribution of covered information to an unauthorized entity by an employee or employees. |
LUH2 | Improper Data Modification | Changing of data and records (information) stored in devices and storage media. |
LUH3 | Misclassifying of Data | Inappropriate/inadequate labeling or classifying of data media. |
LUH4 | Mishandling of Passwords | Unintentional mishandling of passwords, leading to leakage of covered information. |
Sub-Category: Misuse
Use in the wrong way or for the wrong purpose.
ID | Threat | Description |
---|---|---|
LUM1 | Certificate Integrity Loss | Loss of integrity of certificates used for authorization services. |
LUM2 | Compromised Credentials | An account/ID/username has been used or accessed by an unauthorized means. |
LUM3 | Data Remanence | Storage media that retains stored information in a retrievable/intact manner longer than desired (failure to totally erase). |
LUM4 | Data Storage Media Loss | The loss of data via the loss of a data storage medium. |
LUM5 | Database Integrity Loss | Loss of the integrity or consistency of a database that may result in the data being incorrect or in a corrupt state and, as a result, may not be accessed or processed correctly. |
LUM6 | Elevated Privileges | Roles or permissions that, if misused, could allow a person to exploit the systems for his or her own gain or purpose. |
LUM7 | Improperly Designing Information Systems | Loss due to improper IT asset or business processes design (inadequate specifications of IT products, inadequate usability, insecure interfaces, policy/procedure flows, design errors, and changes). |
LUM8 | Improperly Designing Network Infrastructure | Depending on the requirements defined by the organization, a poorly-planned network infrastructure may impact the confidentiality of data and the integrity of the network, which may lead to unauthorized disclosure of sensitive information to unauthorized users. |
LUM9 | Inappropriate/Inadequate Key Management | Inadequate management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto shredding (destruction), and replacement of keys. |
LUM10 | Insufficiently or Inadequately Following Release Procedures | Inadequate testing of new systems may result in errors in the hardware or software remaining undetected, or in significant disruption to IT operations or systems. |
LUM11 | Lack of (or Insufficient) Logging | Lack of or insufficient logging may prevent the organization from determining whether security specifications were violated or whether attacks were attempted. Additionally, organizations may not be able to assess whether logged information can be used for error analysis in the event of damage, for determining the causes of the damage, or for integrity tests. |
LUM12 | Loss Due to Unauthorized Storage | Loss of records by improper/unauthorized use of storage devices. |
LUM13 | Misuse of Audit Tools | The malicious use of network scanning tools to discover open and possibly unused ports, protocols, and services, as well as vulnerabilities. |
LUM14 | Mobile Device Applications Data Leakage | Leaking covered information as a result of using mobile device applications. |
LUM15 | System Configuration Errors | Information leak/sharing/damage caused by misuse of information assets (lack of awareness of application features) or wrong/improper information assets configuration or management. |
LUM16 | Unacceptable Use | A violation of the set of rules applied by senior management or the asset/resource owner of a network, website, or service, that restrict the ways in which the network, website, or system may be used and set guidelines as to how it should be used. |
LUM17 | Unmanaged Data | Data that is not managed, so that no information protection requirements can be prescribed for it. |
LUM18 | Web Applications Data Leakage | Leakage of covered information when using web applications. |
Organizational Threats
Category: Compliance
Sub-Category: Contractual
Entities or individuals seeking money or another specific performance, rather than criminal sanctions, due to non-compliance with a legal contract.
ID | Threat | Description |
---|---|---|
OCC1 | Civil | The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered. |
Sub-Category: Regulatory
Laws that govern the conduct of an entity, individual, or organization and often include penalties for violations.
ID | Threat | Description |
---|---|---|
OCR1 | Administrative | Deals specifically with administrative agencies' decision-making as they carry out laws passed by state and federal legislatures. These agencies differ from regular civil and criminal courts, and their authority is limited to making administrative decisions. |
OCR2 | Civil | The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered. |
OCR3 | Criminal | Going to trial in a criminal court to either prosecute or defend oneself in a criminal matter. |
Sub-Category: Statutory
Law enacted by legislation to govern entities.
ID | Threat | Description |
---|---|---|
OCS1 | Civil | The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered. |
OCS2 | Criminal | Going to trial in a criminal court to either prosecute or defend oneself in a criminal matter. |
Physical Threats
Category: Force Majeure
Sub-Category: Climatological
A major adverse event resulting from natural processes of the climate/temperature (e.g., extreme temperature, drought).
ID | Threat | Description |
---|---|---|
PFC1 | Drought | Prolonged period of abnormally low rainfall and a shortage of water, causing damage to assets. |
Sub-Category: Environmental
Local conditions relating to the natural world.
ID | Threat | Description |
---|---|---|
PFE1 | Humidity | Water vapor in the air that can collect as condensation, causing water damage to assets. |
PFE2 | Contaminants | The collection of tiny foreign particles that can have an adverse effect on assets. |
PFE3 | Corrosion | Chemical (i.e., gaseous or liquid) contaminants, causing corrosion of assets. |
Sub-Category: Geological
A major adverse event resulting from natural processes of the Earth (e.g., earthquake).
ID | Threat | Description |
---|---|---|
PFG1 | Avalanche | A mass of snow, ice, and rocks falling rapidly down a mountainside, damaging structures or assets in its path. |
PFG2 | Earthquake | Sudden movement of a block of the Earth’s crust along a geological fault and associated ground shaking with the potential to damage assets. |
PFG3 | Landslide | The sliding down of a mass of earth or rock from a mountain or cliff, damaging structures or assets in its path. |
PFG4 | Sinkhole | A large hole that suddenly appears in the ground when the surface of the ground is no longer supported, causing damage to anything resting on that surface. |
PFG5 | Volcano | Damage of assets caused by eruption and lava. |
PFG6 | Wildfires | An uncontrolled or non-prescribed combustion of burning vegetation in a natural setting with the potential to damage or disrupt. |
Sub-Category: Hydrological
A major adverse event resulting from natural processes of water (e.g., flooding).
ID | Threat | Description |
---|---|---|
PFH1 | Erosion | Eroding of a surface by water, causing damage to structures and assets on the surface. |
PFH2 | Flood | An overflowing of a large amount of water beyond its normal confines, especially over what is normally dry land causing damage to assets in the flood path. |
PFH3 | Tsunami | Damage from a long, high sea wave caused by an underwater earthquake, landslide, or other disturbance. |
Sub-Category: Meteorological
A major adverse event resulting from natural processes of the weather (e.g., tornado, hurricane).
ID | Threat | Description |
---|---|---|
PFM1 | Blizzard | Severe snowstorm with high winds and low visibility that can cause damage or accessibility issues. |
PFM2 | Cyclonic Storms | Rapid circulation of air around a low pressure center with destructive surrounding weather, causing damage and accessibility issues. |
PFM3 | Hailstorm | A storm that produces hail which reaches the surface, causing damage. |
PFM4 | Heat Waves | A prolonged period of abnormally hot weather that can impact people and electronic systems. |
PFM5 | Ice Storm | A storm of freezing rain which can damage assets. |
PFM6 | Lightning | Damage of assets caused by a lightning strike (electrical overvoltage). |
Category: Intentional
Sub-Category: Conflict
Struggle resulting from incompatible or opposing needs, drives, wishes, or external or internal demands.
ID | Threat | Description |
---|---|---|
PIC1 | Arson | Intentionally setting fire to assets, causing damage. |
PIC2 | Large Events | Disruption leading to adverse operations (e.g., demonstrations, riots, strikes, and protests). |
PIC3 | Sabotage | Deliberately destroying, damaging, or obstructing assets, especially for political or military advantage. |
PIC4 | Terrorism | The use of intentionally indiscriminate physical violence as a means to create terror or fear among masses of people in order to achieve a financial, political, religious, or ideological aim. |
PIC5 | Vandalism | Action involving deliberate destruction of or damage to property. |
PIC6 | Warfare | Damage to assets, facilities, and employees due to physical war or armed conflict (e.g., bombing). |
Sub-Category: Misappropriation
Dishonestly or unfairly taking for one's own use.
ID | Threat | Description |
---|---|---|
PIM1 | Embezzlement | To appropriate something, such as property entrusted to one's care, fraudulently to one's own use. A form of theft through fraud. |
PIM2 | Extortion | The act of obtaining money, property, or services from an organization through coercion. A form of theft through use of force or intimidation to obtain compliance. |
PIM3 | Fraud | Deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. A form of theft through deception. |
PIM4 | Theft | The act of physically stealing, taking, and removing property with intent to deprive the rightful owner of it. |
Sub-Category: Nefarious
Flagrant breaching of time-honored laws and traditions of conduct.
ID | Threat | Description |
---|---|---|
PIN1 | Abuse of Authority | An employee that applies their authority incorrectly, or oversteps their level of authority. |
PIN2 | Dumpster Diving | Searching through discarded assets with the intent of personal gain and/or damage. |
PIN3 | Information Sharing | The deliberate sharing of non-public information with unauthorized entities, such as physically giving sensitive documents. |
PIN4 | Manipulation of Hardware | Unauthorized changes to hardware devices, such as removing memory or hard drive. |
PIN5 | Masquerade/Pretexting | Lying or deceiving to pretend to be someone one is not. |
PIN6 | Quid Pro Quo | The attacker promises to provide a benefit or service in return for vital access or details. |
PIN7 | Reverse Engineering (RE) | The process by which a man-made object is deconstructed to reveal its design, architecture, or to extract knowledge from the object. |
PIN8 | Rogue Hardware | Manipulation due to unauthorized hardware. |
PIN9 | Tailgating | Unauthorized access gained by using someone else's means of access at their time of entry. |
PIN10 | Unacceptable Use | Not abiding by the rules defined as acceptable by the governing or owning entity. |
PIN11 | Unauthorized Access | Attaining physical access without permission or approval. |
Category: Unintentional
Sub-Category: Failure
Unexpected system degradation or failure.
ID | Threat | Description |
---|---|---|
PUF1 | Third-Party Services | Failure or disruption of third-party services required for proper operation of information systems. Example: Supplies or resources. |
PUF2 | Cable | Failure of communications links due to problems with cable networks (e.g., copper and fiber). |
PUF3 | Cross-talk | A special form of line impairment, caused by currents and voltages of signals transmitted over adjacent lines. This may result in the disclosure of sensitive information. |
PUF4 | Electric Power | Power failure with the potential to cause asset damage or unavailability. |
PUF5 | Equipment Fire | Unexpected combustion of electronic equipment. |
PUF6 | Heating, Ventilation, and Air Conditioning (HVAC) | Failure to maintain atmospheric conditions for assets. |
PUF7 | IT Hardware | Failure or malfunction of parts and components of IT hardware (e.g., motherboard, CPU, RAM, video card, hard drive, power supply). |
PUF8 | Plumbing | Failure of facility plumbing, including gas and water systems. |
PUF9 | Voltage | Fluctuations in the supply voltage that can result in malfunctions and damage to IT systems. |
PUF10 | Wireless | Failure of communications links due to problems with wireless networks (e.g., radio and RF). |
Sub-Category: Human
Human oriented errors or mistakes.
ID | Threat | Description |
---|---|---|
PUH1 | Absence of Personnel | Unavailability of key personnel, their competencies/skills, and knowledge. |
PUH2 | Accidental Damage | Sudden damage as a result of an unexpected and non-deliberate action. |
PUH3 | Accidental Fire | Fire unintentionally set by a human. |
PUH4 | Loss of IT Assets | Accidentally or unintentionally losing any physical IT asset. |
PUH5 | Mishandling of Passwords | Unintentional mishandling of passwords, leading to leakage of covered information. |
PUH6 | Unintentional Information Sharing | Accidental verbal disclosure of sensitive information, overheard by unauthorized individuals. |
Sub-Category: Misuse
Use in the wrong way or for the wrong purpose.
ID | Threat | Description |
---|---|---|
PUM1 | Configuration Errors | Loss of information due to errors in installation or system configuration. |
PUM2 | Improperly Designing Information Systems | Loss due to improper IT asset or business processes design (inadequate specifications of IT products, inadequate usability, insecure interfaces, policy/procedure flows, design errors, and changes). |
PUM3 | Improperly Designing Network Infrastructure | Depending on the requirements defined by the organization, a poorly planned network infrastructure may impact the confidentiality of data and the integrity of the network, which may lead to unauthorized disclosure of sensitive information to unauthorized users. |
PUM4 | Manipulation of Hardware | Unauthorized changes to hardware devices, such as removing memory or hard drive. |
PUM5 | Rogue Hardware | Manipulation due to unauthorized hardware. |
PUM6 | Tailgating | Unauthorized access by convenience or courtesy. |
PUM7 | Unacceptable Use | A violation of the set of rules applied by senior management and/or the owner of the equipment, information, etc., that restrict the ways in which they may be used and set guidelines as to how they should be used. |