Re: Campus threat models

[Jim Dillon <Jim.Dillon () CUSYS EDU>]

Brad,

I wish you luck in this search.  I find most shops dive right into risk
assessment processes without developing a comprehensive threat model,
which undermines the veracity of the assessment.  Nonetheless it is
common.

One thought to help you along in building your own threat model would be
the suggestion to use a complete governance model, namely COBIT version
3 or 4 (go for four if you can, it's the latest) and identify the
threats to each part of the lifecyle. (Simply imagine what things impair
the control objectives for each domain element, and you have your
threats identified!) Then you need to match lifecycle disciplines to
your various business units.  Due to the way COBIT is oriented, this
will be business objective based, much more sound viewpoint than simply
an IT limited scope.  You'll find health care, services, data delivery
(NASA, DoD contracts for certain, a lot of atmospheric stuff at CU)
requirements, health and safety monitoring and warning services (HVAC
sensors and stuff) and any number of things you will have never imagined
when you apply this to your campus.  Think of the campus as a
micro-community with all services and you will find most any-city will
be represented in some part somewhere, particularly in the research
areas.  Heck, housing will cover the entire cycle several times over.  

If you haven't been looking at NIST 800 series guidelines and documents
I'd suggest you give them a try - while not directly HE oriented, I'm
betting you'll find some good general templates, and given my previous
supposition that the campus is a micro-community, much will map directly
to your efforts.  NIST standards and guidelines seem like over-kill
sometime, but they can be quite revealing, and I can't imagine they
don't contain some threat modeling guidance that won't be helpful. 

You might want to look at some of the guidance out there by Disaster
Recovery oriented organizations regarding Business Impact Analysis.  I
find the stuff from the Canadian groups tends to be more lucid and
usable than what I've found in the US sites on this topic.  A threat
model that does not in some way begin to speak to impact may not be of
much use.

Finally, if you find some good models out there, get permission to share
them, I'm predicting this area to be poorly covered at present, but with
many interested participants heading down the right path.  Maybe you'll
be the first?

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 

-----Original Message-----
From: Brad Judy [mailto:Brad.Judy () COLORADO EDU] 
Sent: Thursday, August 10, 2006 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Campus threat models

During the course of developing a risk assessment and management
practice on our campus, I have been working on a general, campus-level
threat model.  This is a broad, non-application specific threat model to
help people understand the overall threats to campus IT and the
associated risk.  I hope it could also serve as a template for
departments to expand upon for threats specific to their
services/processes.  

I didn't see any Educause docs specific to threat modeling and the
Educause risk assessment framework actually doesn't mention general
threat modeling (it does discuss threat analysis as a step in the
process in assessing risk to critical assets).  A lot of reading on the
topic of threat modeling is about application development and there are
some free tools out there with this focus, but much of it didn't see
very applicable to more general threat modeling.  

It seems that building a thought-out threat model removes guesswork and
supposition during discussions regarding security and can be a useful
guide in decision making.  Naturally, such documents need to be
regularly updated for changing services and threats.  

How many of you have developed this kind of threat model for your
campus?  If you have developed one, is it publicly available or can you
send a copy?  (I'm not looking for sensitive details, just how you
documented general, common threats.)

Thanks,

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder