Threat summary

A simple chart classifying common InfoSec threats by the mechanism they rely on.

Misdirection:

  • Spoofing,
  • Pharming,
  • XSS,
  • Poisoning (ARP, DNS)
Social trust:

  • Phishing,
  • Social engineering,
  • Social network attacks,
Vulnerability:

  • SQL injection,
  • Code injection,
  • Path traversal,
  • Buffer overflow,
Snooping:

  • Replay attacks,
  • Sniffing,
  • Keylogging,
  • Session Hijacking,
  • TEMPEST
Password attacks:

  • Dictionary,
  • Brute force,
  • Rainbow(hash) tables,
  • Shoulder surfing
Escalation:

  • Authentication bypass,
  • Pivoting,
  • Heuristic commits
Malware:

  • Rootkits,
  • Trojans,
  • Worms,
  • Spyware
Malicious actions:

  • DoS,
  • DDoS,
  • Virus,
  • Scare/Ransomware
Mitigations:

  • Hardening,
  • Secure boot,
  • Threat scanning
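The password attacks listed above (dictionary, brute force, precomputed hash tables) and the hardening mitigation are easiest to reason about with a small worked example. The following Python is an added illustration, not code from this page; the wordlist, salt and password values are constructed. It uses a plain hash-to-plaintext lookup table rather than true rainbow chains (a rainbow table only compresses the same precomputation), which is enough to show why a per-user salt plus a slow KDF forces the attacker back to per-user online guessing.

```python
import hashlib
import os

# Constructed attacker wordlist (assumption: stands in for a real dictionary).
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext for every candidate word.

    The work is done once, before any target hash is seen, and is reused
    against every unsalted hash the attacker ever obtains. A rainbow table
    stores this more compactly with hash chains but has the same property.
    """
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(stored_hash: str, table: dict):
    """Unsalted hash: one dictionary lookup, no hashing at attack time."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened storage: per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256,
    standard library). The salt is stored beside the hash; it is not a secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted_online(stored_hash: str, salt: bytes, words, iterations: int = 200_000):
    """Dictionary attack against a salted hash.

    No precomputed table can match because the salt was unknown when the
    table was built; every guess must be re-hashed for this one user, and
    each guess costs `iterations` rounds. Returns (plaintext or None, guesses).
    """
    attempts = 0
    for w in words:
        attempts += 1
        if hash_salted(w, salt, iterations) == stored_hash:
            return w, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Unsalted SHA-256 (the weak setting): cracked instantly from the table.
    leaked = sha256_hex(b"hunter2")
    print("unsalted:", crack_unsalted(leaked, table))

    # Salted + slow KDF (the corrected setting): the table is useless.
    salt = os.urandom(16)
    stored = hash_salted("hunter2", salt)
    print("salted via table:", crack_unsalted(stored, table))
    print("salted via online dictionary:", crack_salted_online(stored, salt, WORDLIST))
```

The salted hash still falls to the online dictionary attack because "hunter2" is in the wordlist; the salt removes the precomputation shortcut and the KDF multiplies the cost of every guess, but neither substitutes for rejecting weak passwords and rate-limiting authentication attempts.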

What control activities to verify?

During the validation of control activities you should attempt to make security easier on users and more difficult for attackers. 

Activities to verify may include (not limited to):

  • Prevention (2FA, least privilege, non-repudiation / reduced deniability, …)
  • Delay (strong encryption, layering, …)
  • Detect (monitor, detect change, audit, automate, …)
  • Compliance (implementation of corporate policy and standards, including configuration best practices)
  • Recover (verify the ability to reset to the last known good state)

NOTE: validation of control activities is not considered an audit. Auditors themselves should also be evaluated (watch the watchers) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.