One Article Review

Source: AlienVault Lab Blog
Identifier: 8367976
Publication date: 2023-08-09 10:00:00 (viewed: 2023-08-09 18:06:33)
Title: Mind the (Interpretation) gap: Another reason why threat modeling is important
Text: The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Where do vulnerabilities fit with respect to security standards and guidelines? Was it a coverage issue or an interpretation and implementation issue? Where does a product, environment, organization, or business vertical fail the most in terms of standards requirements? These questions are usually left unanswered because of the gap between standards or regulations on the one hand, and requirements interpretation and implementation on the other. Certified products and environments often suffer from security issues that were supposed to be covered by the requirements of the standard. In [1], for instance, the authors give examples of vulnerable products that were IEC 62443 certified. In [2], SANS discusses the case of PCI-certified companies and why they are still being breached. This "interpretation gap," whether it manifests in the implementation of requirements or in the assessment process, hinders security and leads to the fact that being compliant is not necessarily the same as being secure.

Admittedly, interpreting the guidelines and requirements in standards, which are generally descriptive in approach, is not an easy task. Requirements can be rather generic and wide open to interpretation depending on the context, resources, the current threat landscape, the underlying technologies, etc. Specific requirements might also lead to conflicting interpretations depending on the type of stakeholder, which will inevitably affect the implementation side.

Threat modeling is one way to avoid shortcomings (or even possible shortcuts) in the implementation of standards and of the organization's own security policies. Think of threat modeling as an enforcement mechanism for the proper implementation of requirements. The reason is simple: threat modeling thinks of the requirements in terms of the threats relevant to the system and determines mitigations that reduce or completely avoid the associated risks. Consequently, each requirement is mapped to a set of threats and mitigations that covers the relevant use cases under specific conditions or context, e.g., the trust boundaries, the protocols and technologies in use or under consideration, third-party interactions, dataflows, data storage, etc. This is becoming a must-have, since when it comes to technical requirements, concern about their interpretation persists even when companies have been audited against them.

In the following, the presented data analysis links disclosed vulnerabilities in Industrial Control Systems (ICS) to the technical requirements in the 'gold standard' of this area, namely IEC 62443. It shows the difficulty of satisfying the requirements in broad terms and the need for more specific context and processes.

CISA ICS advisories' mapping

The analysis of CISA ICS advisories data, representing close to 2,500 advisories released between 2010 and mid-2023 [3], reveals the extent of the challenge an implementer or an assessor is faced with. Table 1 presents the top weaknesses and the associated count of advisories, as well as the IEC 62443 requirements' mapping. Affected sectors, the CVSS severity distribution, and top weaknesses per sector are also reported, in Figures 1 and 2 and Table 2.

Table 1. Top weaknesses in CISA's ICS advisories and their IEC 62443 mapping.
Weakness Name
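The mapping described above (advisory, weakness, requirement) and the aggregation behind Table 1 can be reproduced on a small scale with a script like the one below. This is an added example, not code from the post or from AT&T: the advisory records are constructed placeholders (not real CISA advisory numbers), and the CWE-to-requirement table is this example's own assumed interpretation, since IEC 62443-3-3 names system requirements (SR 1.1, SR 1.5, SR 2.1, SR 3.5, SR 4.1, SR 7.1) but does not enumerate CWEs. The function names `top_weaknesses`, `map_to_requirements`, `unmapped_weaknesses` and `broadest_requirement` are this example's own. The interesting output is the last one: a single generic requirement such as SR 3.5 ends up "covering" several distinct memory-safety and input-handling weaknesses, which is exactly where implementer and assessor interpretations diverge.

```python
from collections import Counter, defaultdict

# Constructed sample advisories: (advisory id, CWE ids). The ids are
# placeholders for illustration, not real CISA ICS advisory numbers.
ADVISORIES = [
    ("ICSA-EX-001", ["CWE-787", "CWE-121"]),
    ("ICSA-EX-002", ["CWE-798"]),
    ("ICSA-EX-003", ["CWE-20", "CWE-400"]),
    ("ICSA-EX-004", ["CWE-787"]),
    ("ICSA-EX-005", ["CWE-306", "CWE-319"]),
    ("ICSA-EX-006", ["CWE-125", "CWE-787"]),
    ("ICSA-EX-007", ["CWE-20"]),
    ("ICSA-EX-008", ["CWE-284", "CWE-352"]),  # CWE-352 is deliberately left unmapped
]

# Human-readable CWE names (as in MITRE's CWE list) for the report.
CWE_NAMES = {
    "CWE-20": "Improper Input Validation",
    "CWE-121": "Stack-based Buffer Overflow",
    "CWE-125": "Out-of-bounds Read",
    "CWE-284": "Improper Access Control",
    "CWE-306": "Missing Authentication for Critical Function",
    "CWE-319": "Cleartext Transmission of Sensitive Information",
    "CWE-352": "Cross-Site Request Forgery (CSRF)",
    "CWE-400": "Uncontrolled Resource Consumption",
    "CWE-787": "Out-of-bounds Write",
    "CWE-798": "Use of Hard-coded Credentials",
}

# ASSUMED mapping from CWE to the IEC 62443-3-3 foundational requirement (FR)
# and system requirement (SR) an implementer would most likely cite. The
# standard does not enumerate CWEs; this table is one interpretation among
# several possible ones, which is the interpretation gap the post describes.
CWE_TO_SR = {
    "CWE-20":  ("FR 3", "SR 3.5 Input validation"),
    "CWE-121": ("FR 3", "SR 3.5 Input validation"),
    "CWE-125": ("FR 3", "SR 3.5 Input validation"),
    "CWE-787": ("FR 3", "SR 3.5 Input validation"),
    "CWE-798": ("FR 1", "SR 1.5 Authenticator management"),
    "CWE-306": ("FR 1", "SR 1.1 Human user identification and authentication"),
    "CWE-284": ("FR 2", "SR 2.1 Authorization enforcement"),
    "CWE-319": ("FR 4", "SR 4.1 Information confidentiality"),
    "CWE-400": ("FR 7", "SR 7.1 Denial of service protection"),
}


def top_weaknesses(advisories, n=5):
    """Count advisories per CWE (an advisory counts once per CWE, even if the
    same CWE is listed twice) and return the n most frequent as (cwe, count)."""
    counts = Counter()
    for _, cwes in advisories:
        counts.update(set(cwes))
    return counts.most_common(n)


def map_to_requirements(advisories):
    """Group advisories by the SR their CWEs map to. An advisory is counted
    once per SR. Returns {sr: {"fr": fr, "advisories": ids, "cwes": cwes}}."""
    by_sr = defaultdict(lambda: {"fr": None, "advisories": set(), "cwes": set()})
    for adv_id, cwes in advisories:
        for cwe in cwes:
            if cwe not in CWE_TO_SR:
                continue
            fr, sr = CWE_TO_SR[cwe]
            by_sr[sr]["fr"] = fr
            by_sr[sr]["advisories"].add(adv_id)
            by_sr[sr]["cwes"].add(cwe)
    return dict(by_sr)


def unmapped_weaknesses(advisories):
    """CWEs seen in advisories that no requirement in the table covers. These
    are coverage gaps, to be kept apart from interpretation gaps."""
    seen = {cwe for _, cwes in advisories for cwe in cwes}
    return sorted(seen - set(CWE_TO_SR))


def broadest_requirement(advisories):
    """The SR that absorbs the most distinct CWEs. A large number means one
    generic requirement is expected to cover many concrete weaknesses."""
    by_sr = map_to_requirements(advisories)
    sr = max(by_sr, key=lambda s: len(by_sr[s]["cwes"]))
    return sr, len(by_sr[sr]["cwes"])


if __name__ == "__main__":
    print("Top weaknesses:")
    for cwe, count in top_weaknesses(ADVISORIES):
        print(f"  {cwe:8} {count:3}  {CWE_NAMES.get(cwe, '?')}")
    print("\nPer IEC 62443-3-3 requirement:")
    for sr, info in sorted(map_to_requirements(ADVISORIES).items()):
        print(f"  {info['fr']} / {sr}: {len(info['advisories'])} advisories, "
              f"{len(info['cwes'])} distinct CWEs")
    print("\nUnmapped CWEs:", unmapped_weaknesses(ADVISORIES))
    print("Broadest requirement:", broadest_requirement(ADVISORIES))
```

To run this against real data, replace `ADVISORIES` with records parsed from the CISA ICS advisory feed and make `CWE_TO_SR` an explicit artefact of the threat model: every entry is a judgment about which requirement a weakness falls under, so record who made it and under what context (trust boundary, protocol, deployment), which is the context the post argues the standard alone does not supply.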
Sent: Yes
Tags: Tool, Vulnerability, Threat, Industrial, Prediction
Notes: ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.