Page 160 - Kaleidoscope Academic Conference Proceedings 2021
2021 ITU Kaleidoscope Academic Conference
Figure 11 – Security control expression symmetry

Asset symmetry: There is no IT asset difference between a Security Asset and a Value Asset, as both are represented by "people, process, and technology" that deliver security value and business value, respectively. The IT asset difference lies in the purpose of the application, the nature of the data and the type of host.

Control symmetry: There is no difference between Internal Control and External Control actors, as both are statements defining Security Value to be delivered to some Value Creation. The distinction is that External Controls in a framework originate from authoritative sources and should not be altered, while Internal Controls are intended to be customized to the target. This symmetry enables the adoption and customization of the vast knowledge contained in External Control frameworks for internal application. The use distinction is assigned as a "tense" prefixing the Security Control Expression: "Committed To" (Internal), "Should Do" (Standards) and "Shall Do" (Regulations).

3.3 Security vulnerability expression models

The actual attack occurs, and therefore must be modeled and addressed, at a much greater level of environment-specific detail and therefore precision: namely, at the level of the specific threat exploit, the unique vulnerability, and the specific mitigating countermeasure. The singular anchor of all security vulnerability expression models is the Value Asset and its vulnerabilities. The expression model (Figure 9) can be adapted to increasing levels of precision by increasing the target level of detail. The more general the target definition, the more general and objective-like the model and resulting outcome. The more specific the target definition, the closer one arrives at a model of potential vulnerabilities and their countermeasures. The target must ultimately be defined to the "singular" target component vulnerability (Software, Data, Host) level to determine which countermeasures are required.

Illustrated in Figure 12, there are three vulnerability expression model types, each with increasing precision, as follows:

The Value Asset Type Vulnerability Expression (Figure 12, top) is intended to represent Value Assets at a more general level by "types", for example databases and servers. This provides the basis to analyze threat types against value asset types, for example threats to structured databases, or even threats to Oracle databases as a type.

The Value Asset Vulnerability Expression (Figure 12, middle) is intended to represent actual value assets with a more specific characterization than value asset types, for example Oracle database version xxx.xx. This provides the basis to analyze specific threats to specific value assets unique to a specific environment implementation.

The Value Asset Component Vulnerability Expression (Figure 12, bottom) is intended to represent the value asset in its elemental form of software, data, or host component.

Once these expressions are captured end-to-end and from right to left (Target: threat to, Policy of, Security of, Compliance of), they represent persistent vulnerability-mitigating knowledge at different levels of precision that can be captured, made available and easily consumed.

Defining both the Value Asset and the Security Asset by their base generic components of Software, Data, and Host (Figure 13, bottom), value asset vulnerability can now be differentiated into Software, Data, or Host vulnerabilities. Assets have no contextual awareness as to whether they are performing a value creation function or a security value function.

Figure 12 – Vulnerability expression models

The ability to start out more general and qualitative and evolve naturally to more specific and quantitative, with the levels connected through inheritance, is a significant improvement in the ability to measure at higher precision levels and to aggregate results for automated reporting.
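As an added illustration (not part of the paper and not the authors' tooling), the following Python model encodes the three expression levels described above as a type → asset → component hierarchy, where expressions stated at a general level are inherited by more specific targets and component-level results are rolled up for reporting. The hierarchy, the threat and countermeasure labels, and the version placeholder are constructed assumptions.

```python
# Added example: a small data model for the paper's three vulnerability
# expression levels (type -> asset -> component). Expressions captured at a
# general level are inherited by more specific targets, and component-level
# results roll up for reporting. Constructed illustration; every name, threat
# and countermeasure below is an assumption, not data from the paper.
from dataclasses import dataclass, field
from typing import Optional

# Precision levels, least precise first (Figure 12 top, middle, bottom).
LEVELS = ("type", "asset", "component")
# Elemental forms a Value Asset Component may take.
COMPONENT_KINDS = ("Software", "Data", "Host")


@dataclass
class VulnerabilityExpression:
    """One 'threat to target, mitigated by countermeasure' statement."""
    threat: str
    countermeasure: str


@dataclass
class Target:
    """A node in the type -> asset -> component hierarchy."""
    name: str
    level: str
    parent: Optional["Target"] = None
    kind: Optional[str] = None            # only meaningful at component level
    expressions: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        if self.level == "component" and self.kind not in COMPONENT_KINDS:
            raise ValueError("component targets must be Software, Data or Host")
        if self.parent is not None:
            # A child must be exactly one level more precise than its parent.
            if LEVELS.index(self.level) != LEVELS.index(self.parent.level) + 1:
                raise ValueError(f"{self.name} cannot inherit from {self.parent.name}")
            self.parent.children.append(self)

    def effective_expressions(self):
        """Own expressions plus everything inherited up the chain, most specific first."""
        chain, node = [], self
        while node is not None:
            chain.extend(node.expressions)
            node = node.parent
        return chain


def build_example_model():
    """Constructed hierarchy: a database type -> one Oracle instance -> its components."""
    db_type = Target("Relational database", "type")
    db_type.expressions.append(VulnerabilityExpression(
        "unauthorized query access", "least-privilege database accounts"))

    oracle = Target("Oracle database (version placeholder)", "asset", parent=db_type)
    oracle.expressions.append(VulnerabilityExpression(
        "unpatched listener service", "vendor patch baseline"))

    Target("DBMS binaries", "component", parent=oracle, kind="Software")
    data = Target("customer records", "component", parent=oracle, kind="Data")
    data.expressions.append(VulnerabilityExpression(
        "data exposure at rest", "transparent data encryption"))
    Target("db-host-01", "component", parent=oracle, kind="Host")
    return db_type


def coverage_report(root):
    """Aggregate for reporting: per component, how many expressions apply in total
    (own plus inherited) and how many were stated at the component's own level."""
    report = {}

    def walk(node):
        if node.level == "component":
            report[node.name] = {
                "kind": node.kind,
                "applicable": len(node.effective_expressions()),
                "component_level": len(node.expressions),
            }
        for child in node.children:
            walk(child)

    walk(root)
    return report


if __name__ == "__main__":
    for name, row in coverage_report(build_example_model()).items():
        print(f"{row['kind']:8} {name:38} applicable={row['applicable']} "
              f"own={row['component_level']}")
```

The report distinguishes expressions that merely apply to a component through inheritance from those stated at the component's own precision level, which is where the paper says countermeasures must ultimately be determined; a component with zero own expressions is a candidate for refinement.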