
Cloud Computing Security

Assignment – 2

Threat Modelling for

Security operations Centre of Org M/S ABC

(NOTE: SOC, wherever implemented, always constitutes a part of the overall IT structure of any
organization. In order to create a comprehensive and all-encompassing threat modelling report, an
assumption has been made regarding the network architecture of the organization (fig 1). Moreover, in
order to give the report a realistic touch an imaginary firm by the name M/S ABC has been considered.)

1. Introduction. In the modern technological era, marked by revolutions in IT, more and more organizations have become heavily dependent on data and information processing platforms to sustain their operations. Against this backdrop, the security of such data and information platforms has assumed prime importance, and this security can only be ensured and implemented by carrying out an elaborate threat modelling of the IT architecture under consideration. Firm M/S ABC contacted the NUST IS Department and requested that a threat model of their overall IT architecture in general, and their SOC in particular, be evaluated. This report carries out detailed threat modelling of the firm M/S ABC, taking a holistic view of the overall IT architecture of the firm while maintaining an acute focus on its SOC facility.
2. Sequence
a. Methodology of Threat Modelling
(1) Overview of different methodologies.
(2) Selected methodology- Reasons for using NIST 800-30
(3) Brief description – NIST 800-30
b. Threat Model Report
(1) Overview of IT Infra under Evaluation
(a) IT Infra diagram
(b) Infra of SOC
(2) Step 1 – System Characterization
(a) Enumeration of Assets
(b) Identification of Critical Assets
(c) Identification of actors
(d) Identification of Attackers
(3) Step 2 – Threat Identification
(a) Identification of Threats
(b) Threat – Asset Mapping
(c) Threat vector Diagram (attack scenarios)
(4) Step 3 – Vulnerability Identification
(a) Identification of security requirements
(b) Identification of vulnerabilities
(5) Step 4 – Control Analysis
(a) Enumeration of existing security controls
(b) Identification of lacking controls
(6) Step 5 – Likelihood Determination - Rating of attacks based on Steps 2, 3 and 4
(7) Step 6 – Impact Analysis - Threat impact matrix
(8) Step 7 – Risk determination - Risk Level Matrix
(9) Step 8 – Control recommendation
(a) Mitigation Strategies
(b) Control Matrix
(10) Step 9 – Result documentation
c. Conclusion
3. Methodology of Threat Modelling
a. Overview of Different Methodologies. Various threat modelling techniques exist within the IT security industry which can be used to obtain a holistic view of the security posture of an organization and help it plan its defences accordingly. A summary of these techniques along with their brief characteristics is given in table 1. In addition to the methods mentioned in table 1, there is another method of threat modelling known as NIST Standard 800-30. It is a complete mechanism provided by NIST for carrying out risk assessment of IT infrastructures.
Table-1
(Source: https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)
b. Selected Methodology. The methodology selected for this threat modelling report is based on NIST standard 800-30. The reason for selecting this particular method is that NIST 800-30 deals with the risk assessment and risk management of IT systems as a whole. Contemporary threat modelling mechanisms such as STRIDE, LINDDUN, PASTA etc. deal with threat modelling for the software development cycle only, whereas certain methods such as OCTAVE deal with the risk management of the entire organization including its processes, people and technology. Since the platform under consideration for this activity is an IT infrastructure only, consisting of a SOC, NIST 800-30, which focuses on the risk assessment of IT systems, is the most appropriate choice.
c. Brief Description – NIST 800-30. The subject standard is designed to carry out a comprehensive risk assessment and threat modelling of IT systems/ infrastructure and consists of the following nine steps:
(1) Step 1 System Characterization
(2) Step 2 Threat Identification
(3) Step 3 Vulnerability Identification
(4) Step 4 Control Analysis
(5) Step 5 Likelihood Determination
(6) Step 6 Impact Analysis
(7) Step 7 Risk Determination
(8) Step 8 Control Recommendations
(9) Step 9 Results Documentation

After carrying out the above-mentioned nine steps, an organization obtains a holistic view of the threats faced by its IT systems along with a consolidated view of the existing controls, and further mitigation strategies can be ascertained.

4. Threat Modelling - Overview of IT Infrastructure under Evaluation


a. IT Infrastructure Diagram. The IT infrastructure which houses the SOC of M/S ABC is depicted in Figure 1. Since the SOC under consideration forms a part of the infrastructure given in Figure 1, a comprehensive threat modelling of the concerned SOC must also consider the underlying IT infrastructure during the subject activity.

b. Infrastructure of SOC
(1) The structure of the SOC which exists within the overall IT infrastructure of M/S ABC is as per figure 2 as follows:

[Figure 2: Structure of SOC. The figure shows the five SOC components labelled CIRT, PENTEST, SIEM, FORENSICS and AUDIT.]

Figure 2: Structure of SOC


(2) The subject SOC consists of five components, namely SIEM, CIRT, Pentest, Forensics and Audit. All these components are operated through supporting software applications housed within the overall IT systems shown in figure 1. The overall SOC, however, is a combination of people, processes and technology.
(3) Any threat modelling carried out for the SOC will necessarily have to take into consideration the underlying IT infrastructure on which the SOC supporting applications are housed. Therefore, for the purpose of this report, assets from both the SOC and its underlying IT infrastructure are considered.
5. Step 1 – System Characterization
a. Enumeration of Assets. A comprehensive list of the assets present within the IT setup of M/S ABC as well as its SOC infrastructure is given in table 2. In order to facilitate a better understanding for the reader, the assets have been classified into different categories based on their functionality and the levels at which they operate. This categorization also helps in accurately identifying the threats posed to the infrastructure as a whole.

| Sno | Category | Asset |
|-----|----------|-------|
| 1. | Networks | Edge/ client side switches |
| | | Aggregation switches |
| | | Perimeter firewalls |
| | | Core firewall |
| | | LBR (load balancer) |
| | | Connectivity switches |
| | | Passive/ physical network |
| 2. | Hardware Systems | End client terminals |
| | | Application servers |
| | | Storage/ SAN |
| | | Database servers |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux |
| | | Database management system |
| | | SIEM software (component of SOC) |
| | | Forensic application (component of SOC) |
| | | Pentest software platforms (component of SOC) |
| | | CIRT software platform (component of SOC) |
| 4. | Personnel | Administrators |
| | | End users (insiders) |
| | | End users (outsiders) |
| | | Technical maintenance staff (technicians) |

Table 2: Enumeration of Assets


b. Identification of Critical Assets. Although all assets mentioned in table 2 are important and their compromise can affect the overall functionality of the organizational SOC, a specific group from within these assets is critical to the operations of the SOC. With this backdrop, the assets have been graded according to their criticality as 1 (most critical), 2 (nominally critical) and 3 (least critical). The grading is shown in table 3 as follows:

| Sno | Category | Asset | Criticality Grading |
|-----|----------|-------|---------------------|
| 1. | Networks | Edge/ client side switches | 3 (least critical) |
| | | Aggregation switches | 1 (most critical) |
| | | Perimeter firewalls | 2 (nominally critical) |
| | | Core firewall | 1 (most critical) |
| | | LBR (load balancer) | 1 (most critical) |
| | | Connectivity switches | 3 (least critical) |
| | | Passive/ physical network | 3 (least critical) |
| 2. | Hardware Systems | End client terminals | 2 (nominally critical) |
| | | Application servers | 2 (nominally critical) |
| | | Storage/ SAN | 1 (most critical) |
| | | Database servers | 1 (most critical) |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux | 2 (nominally critical) |
| | | Database management system | 1 (most critical) |
| | | SIEM software (component of SOC) | 1 (most critical) |
| | | Forensic application (component of SOC) | 2 (nominally critical) |
| | | Pentest software platforms (component of SOC) | 1 (most critical) |
| | | CIRT software platform (component of SOC) | 1 (most critical) |
| 4. | Personnel | Administrators | 1 (most critical) |
| | | End users (insiders) | 2 (nominally critical) |
| | | End users (outsiders) | 3 (least critical) |
| | | Technical maintenance staff (technicians) | 1 (most critical) |

Table 3: Identification of Critical Assets

c. Identification of Actors. All those personnel who can become threat actors are enumerated in table 4, keeping in mind the overall architecture and their roles within it.
| Sno | Actors | Role |
|-----|--------|------|
| 1. | Administrators | Custodian of the IT setup |
| 2. | Technicians | Technically maintaining the setup |
| 3. | End user (insider employees) | User of IT facilities |
| 4. | End user (outsiders) | User of public IT facilities |
| 5. | Hackers/ attackers | Currently has no internal role within the org., however strives to breach the internal mechanisms |

Table 4: Identification of Actors

d. Identification of Attackers. Based on the shortlisted actors given in table 4, all possible attackers (internal/ external) who can either intentionally or unintentionally cause harm to the IT infrastructure as a whole and the SOC in particular have been listed in table 5.

| Sno | Attackers |
|-----|-----------|
| 1. | Hackers/ crackers |
| 2. | Computer criminals |
| 3. | Terrorists |
| 4. | Industrial spies |
| 5. | Disgruntled employees |

Table 4: Attackers

6. Step 2 – Threat Identification


a. Identification of Threats. Various threats can be posed to the system under consideration. These threats can be executed at any of the layers of the TCP/IP or OSI model. In order to maintain a comprehensive record, all possible threats are enumerated in table 5 and have been classified according to the layer at which they operate.
| Sno | Layer of Operation | Threat |
|-----|--------------------|--------|
| 1. | Networks | Sniffing of information (man-in-the-middle) |
| | | Denial of service |
| | | Misconfiguration |
| | | Unauthorized access |
| | | Escalation of privileges |
| 2. | Applications / systems | Data leakage |
| | | Unauthorized access |
| | | Escalation of privileges |
| | | Misconfiguration |
| | | Hacking (backdoors/ viruses/ server side attacks) |
| 3. | Hardware | Physical damage |
| | | Power outage |
| | | Theft |
| 4. | Human resource | Misuse of privileges |
| | | Escalation of privileges |
| | | Unauthorized access |

Table 5 – Identification of Threats

b. Threat Asset Mapping. The threats enumerated in table 5 have been mapped to the assets enumerated in table 1 according to the layers on which the assets operate and have been categorized accordingly. The subject threat-asset mapping is as per table 6 as follows:

| Sno | Category | Asset | Criticality Grading | Threats Mapped |
|-----|----------|-------|---------------------|----------------|
| 1. | Networks | Edge/ client side switches | 3 (least critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | Aggregation switches | 1 (most critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | Perimeter firewalls | 2 (nominally critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | Core firewall | 1 (most critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | LBR (load balancer) | 1 (most critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | Connectivity switches | 3 (least critical) | Unauthorized access, escalation of privileges, misconfiguration, denial of service |
| | | Passive/ physical network | 3 (least critical) | Unauthorized access, tapping of physical network, sniffing of information |
| 2. | Hardware Systems | End client terminals | 2 (nominally critical) | Unauthorized access, data leakage, escalation of privileges, hacking (viruses/worms/backdoors), power outages, physical damage, theft |
| | | Application servers | 2 (nominally critical) | Unauthorized access, data leakage, escalation of privileges, hacking (viruses/worms/backdoors), power outages, physical damage |
| | | Storage/ SAN | 1 (most critical) | Unauthorized access, data leakage, loss of data, hacking, escalation of privileges, power outages, misconfiguration |
| | | Database servers | 1 (most critical) | Unauthorized access, escalation of privileges, hacking, loss of data, misconfiguration, power outages, data leakage |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux | 2 (nominally critical) | Hacking (viruses/ backdoors/ server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| | | Database management system | 1 (most critical) | Hacking (server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| | | SIEM software (component of SOC) | 1 (most critical) | Hacking (server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| | | Forensic application (component of SOC) | 2 (nominally critical) | Hacking (server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| | | Pentest software platforms (component of SOC) | 1 (most critical) | Hacking (server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| | | CIRT software platform (component of SOC) | 1 (most critical) | Hacking (server side attacks), unauthorized access, escalation of privileges, misconfiguration, data leakage |
| 4. | Personnel | Administrators | 1 (most critical) | Unauthorized access, misuse of privileges |
| | | End users (insiders) | 2 (nominally critical) | Unauthorized access, escalation of privileges, hacking |
| | | End users (outsiders) | 3 (least critical) | Unauthorized access, hacking |
| | | Technical maintenance staff (technicians) | 1 (most critical) | Unauthorized access, escalation of privileges, hacking |

Table 6: Threat Asset Mapping

c. Threat Vector Diagram. In order to obtain a clear understanding of how these threats can be executed on the given IT architecture, a detailed enumeration of threats and their corresponding threat actions is given in table 7. To further clarify the probable locations of execution of these threat actions, a detailed threat vector diagram is given in fig 3, which marks each threat action on the diagram at the locations at which it can occur.
| Sno | Layer of Operation | Threat | Threat Actions |
|-----|--------------------|--------|----------------|
| 1. | Networks | Sniffing of information (man-in-the-middle) | Man in the middle attack, impersonation, IP/ MAC/ DHCP spoofing |
| | | Denial of service | Session starvation attack, ping flood |
| | | Misconfiguration | Human negligence |
| | | Unauthorized access | Password cracking, backdoors, viruses, worms, Trojans, key logging, attachment of unauthorized devices |
| | | Escalation of privileges | Access token manipulation, bypassing user access control, DLL search order hijacking, accessing shared folders |
| 2. | Applications / systems | Data leakage | Phishing, web application attacks, viruses/ worms/ Trojans/ backdoors |
| | | Unauthorized access | Password cracking, backdoors, viruses, worms, Trojans, key logging |
| | | Escalation of privileges | Access token manipulation, bypassing user access control, DLL search order hijacking, accessing shared folders |
| | | Misconfiguration | Human negligence |
| | | Hacking (backdoors/ viruses/ server side attacks) | Application/ web based attacks, phishing |
| 3. | Hardware | Physical damage | Lack of physical access |

Table 7 – Threats and Corresponding Threat Actions
The corresponding threat vector diagram is as per fig 3 as follows:

[Figure 3: Threat Vector Diagram. The threats of table 6 are marked on the IT infrastructure diagram at the locations where they can occur. The label groups recoverable from the figure are: unauthorized access, data leakage, escalation of privileges, hacking (viruses/worms/backdoors), power outages, physical damage, theft (end client terminals); unauthorized access, data leakage, escalation of privileges, hacking (viruses/worms/backdoors), power outages, physical damage (application servers); sniffing of information, unauthorized access, tapping of physical network (passive/ physical network); unauthorized access, misuse of privileges (administrators); unauthorized access, escalation of privileges, misconfiguration (network equipment).]

Figure 3: Threat Vector Diagram

7. Step 3 – Vulnerability Identification


a. Identification of Security Requirements. In order to assure fool-proof security and ascertain which vulnerabilities are present in the current architecture, it is a prerequisite to clearly determine the security requirements of the organization based on the business goals to be achieved vis-a-vis the IT infrastructure in use. After detailed interaction with all the stakeholders of M/S ABC and careful scrutiny of the existing IT architecture, the following security requirements have been shortlisted for the organization:
(1) Prevent unauthorized access to information.
(2) Data to be accessible on a need-to-know basis.
(3) Duties shall be segregated between individuals to prevent misuse of authority or information access.
(4) Physical access to sensitive assets to be restricted.
(5) Defense against cyber/ industrial espionage in all forms.
(6) Prevention of power related outages and threats.
(7) Increase employee awareness of cyber threats.
(8) Outage of services to be prevented.
(9) Data security to be ensured.
(10) Physical security of assets to be ensured.
(11) Attachment of external/ illegal devices to be prevented.
b. Identification of Vulnerabilities. Based on the above-mentioned security requirements and after careful scrutiny of the existing IT architecture, comprehensive data regarding the vulnerabilities present in the current infrastructure, design and procedures has been identified and is presented in table 8 below. For understanding and clarity, the vulnerabilities have been listed against each category of evaluated asset.

| Sno | Category | Vulnerabilities |
|-----|----------|-----------------|
| 1. | Networks | No access control mechanism |
| | | No password complexity implementation |
| | | No configuration management and uniformity |
| | | No change management |
| | | No mechanism in place to counter network level attacks |
| | | No VLAN segregation of traffic |
| | | No encryption mechanism from end user location to data centre |
| 2. | Hardware Systems | Hardening of systems not in place |
| | | Open and uncontrolled usage of USBs |
| | | Unchecked availability of shared drives |
| | | Additional unused physical ports not disabled |
| | | No change management mechanism implemented |
| | | No central time synchronization mechanism exists |
| 3. | Applications/ OS (Operating Systems) | Access control not implemented |
| | | OS not updated |
| | | Central anti-virus control and update mechanism not in place |
| | | No data leakage prevention mechanism in place |
| | | Secure application development process not followed for customized in-house applications |
| | | BAN list not implemented in application database interface |
| | | No automatic patch management mechanism exists |
| 4. | Personnel | Weak user awareness |
| | | Segregation of duties not implemented |
| | | No authentication mechanism in place |
| | | Password complexity mechanism not implemented |

Table 8: Identification of Vulnerabilities

8. Step 4 – Control Analysis


a. Enumeration of Existing Controls. The impact of the threats and vulnerabilities identified above can be fairly ascertained once a comprehensive audit of the existing controls present within the architecture is carried out. Furthermore, the subject activity, when read in conjunction with the vulnerabilities identified in table 8 above, identifies the controls which are lacking within the IT architecture as a whole and the SOC components in particular. Existing controls present within the IT setup as well as the SOC are enumerated in table 9 below. They have been categorized as per each asset identified in table 2 above.

| Sno | Category | Asset | Existing Controls |
|-----|----------|-------|-------------------|
| 1. | Networks | Edge/ client side switches, Aggregation switches, Perimeter firewalls, Core firewall, LBR (load balancer), Connectivity switches, Passive/ physical network | Client end connectivity secured through MPLS VLANs; equipment placed in secure physical cabinets; redundant power available (within Data Centre only) |
| 2. | Hardware Systems | End client terminals | Local, standalone anti-virus placed on each terminal |
| | | Application servers | Local, standalone anti-virus placed on each terminal |
| | | Storage/ SAN | Zoning implemented on SAN |
| | | Database servers | No controls implemented |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux | Local, standalone anti-virus placed on each terminal |
| | | Database management system | No controls implemented |
| | | SIEM software (component of SOC) | Manual access control |
| | | Forensic application (component of SOC) | Manual access control |
| | | Pentest software platforms (component of SOC) | Manual access control |
| | | CIRT software platform (component of SOC) | Manual access control |
| 4. | Personnel | Administrators | Separate administration servers provided |
| | | End users (insiders) | Periodic physical checks carried out |
| | | End users (outsiders) | No controls implemented |
| | | Technical maintenance staff (technicians) | No controls implemented |

Table 9: Existing Controls

b. Lacking Controls. An asset wise list of lacking controls is presented as per table 10 below: -

| Sno | Category | Asset | Lacking Controls |
|-----|----------|-------|------------------|
| 1. | Networks | Edge/ client side switches, Aggregation switches, Perimeter firewalls, Core firewall, LBR (load balancer), Connectivity switches, Passive/ physical network | No VLAN segregation implemented; no central configuration management mechanism; no change management mechanism; no counter mechanism in place for network based attacks; no zones created at firewalls; no encryption mechanism for data in transit |
| 2. | Hardware Systems | End client terminals | No central anti-virus in place; no USB controls; no update mechanism for OS; no two factor authentication |
| | | Application servers | No central anti-virus in place; no USB controls; no update mechanism for OS; no two factor authentication; no patch management; no time synchronization mechanism |
| | | Storage/ SAN | No separate network gateway for SAN; no access restrictions placed on SAN; no change management; no encryption for data at rest; no central backup mechanism |
| | | Database servers | No access control; no segregation of network gateway; no encryption; no monitoring of databases; no central backup mechanism |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux | No central anti-virus in place; no USB controls; no update mechanism for OS; no two factor authentication; no patch management |
| | | Database management system | No password complexity implemented; no monitoring of database |
| | | SIEM software (component of SOC) | No central access control; no time synchronization mechanism; no backup for log data |
| | | Forensic application (component of SOC) | No central access control; no time synchronization mechanism; no backup for log data |
| | | Pentest software platforms (component of SOC) | No central access control; no time synchronization mechanism; no backup for log data |
| | | CIRT software platform (component of SOC) | No central access control; no time synchronization mechanism; no backup for log data |
| 4. | Personnel | Administrators | No password complexity mechanism in place; no monitoring of administrators; no segregation of duties |
| | | End users (insiders) | No awareness training conducted; no password complexity mechanism; no access control mechanism |
| | | End users (outsiders) | No DMZ for external users created; no segregation of network for external users |
| | | Technical maintenance staff (technicians) | No password complexity mechanism in place; no monitoring of administrators; no segregation of duties; no biometric access check placed within data centre |

Table 10 – Identification of Lacking Controls

9. Step 5 – Likelihood Determination. Taking into consideration the threats enumerated in step 2, the vulnerabilities identified in step 3 and the existing/ lacking controls shortlisted in step 4, a likelihood matrix has been prepared in table 12, which depicts how likely it is for a threat to be executed in the given circumstances. The threats at each asset and its corresponding category have been considered, and the probability of occurrence of a threat has been qualitatively categorized as HIGH, MEDIUM or LOW, each described as follows:

| Likelihood | Definition |
|------------|------------|
| High | The threat-source is highly likely to be executed given the acute presence of vulnerabilities, and controls to prevent the vulnerability from being exercised are ineffective. |
| Medium | The threat-source is likely to be executed, but controls are in place that may impede successful exercise of the vulnerability. |
| Low | The threat is unlikely to be executed since controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |
| N/A | The threat under consideration is not applicable to the particular asset due to its type, location or placement within the overall architecture. |

Table 11: Definition of Likelihood Parameters

The resulting likelihood matrix is as follows:

| Sno | Layer of Operation | Asset | Power outage | Escalation of privileges | Theft | Misuse of privileges | Denial of service | Data leakage | Physical damage | Hacking | Unauthorized access | Sniffing of information | Misconfiguration |
|-----|--------------------|-------|--------------|--------------------------|-------|----------------------|-------------------|--------------|-----------------|---------|---------------------|-------------------------|------------------|
| 1. | Networks | Edge/ client side switches | High | High | High | High | High | Low | Medium | High | High | High | N/A |
| | | Aggregation switches | Medium | High | High | Medium | Medium | Low | Low | Low | Medium | Low | N/A |
| | | Perimeter firewalls | Low | Medium | High | High | Low | Low | Low | Low | Low | Low | N/A |
| | | Core firewall | Low | High | High | High | Low | High | Low | Low | Low | Low | N/A |
| | | LBR (load balancer) | Low | High | High | High | High | Low | Low | Low | Low | Low | N/A |
| | | Connectivity switches | High | Low | High | High | High | Low | Low | Low | Low | Low | N/A |
| | | Passive/ physical network | High | Low | N/A | High | N/A | High | N/A | High | N/A | High | N/A |
| 2. | Applications / systems | Windows/Linux | N/A | Low | High | High | High | High | High | Low | Low | Low | N/A |
| | | Database management system | N/A | High | High | High | High | High | High | Low | Low | Low | N/A |
| | | SIEM software (component of SOC) | N/A | High | Medium | High | Low | Medium | Low | Low | Low | Low | N/A |
| | | Forensic application (component of SOC) | N/A | Low | Medium | High | Low | Medium | Low | Low | Low | Low | N/A |
| | | Pentest software platforms (component of SOC) | N/A | Low | Medium | High | Low | Medium | Low | Low | Low | Low | N/A |
| | | CIRT software platform (component of SOC) | N/A | Low | Medium | High | Low | Medium | Low | Low | Low | Low | N/A |
| 3. | Hardware | End client terminals | N/A | Low | High | High | High | High | High | High | High | High | N/A |
| | | Application servers | N/A | High | High | High | High | High | High | Low | Low | Low | N/A |
| | | Storage/ SAN | N/A | High | High | High | Low | High | High | Low | Low | Low | N/A |
| | | Database servers | N/A | High | High | High | High | High | High | Low | Low | Low | N/A |
| 4. | Human resource | Administrators | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High |
| | | End users (insiders) | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High |
| | | End users (outsiders) | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | N/A |
| | | Technical maintenance staff (technicians) | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High |

Table 12: Threat Likelihood Matrix


10. Step 6 - Impact Analysis (Threat Impact Matrix). Considering the data handled by the various asset categories, their placement within the overall IT architecture, their functionality and the vulnerabilities existing within the infrastructure, we determine what impact each threat will have on the confidentiality, integrity and availability of every asset category. The impact factor has also been classified as HIGH, MEDIUM or LOW, with the following descriptions:

| Impact | Definition |
|--------|------------|
| High | Execution of threat (1) may result in costly loss of major tangible assets or resources; (2) may significantly violate an organization's mission, reputation, or interest; or (3) may result in human death or serious injury. |
| Medium | Execution of threat (1) may result in the costly loss of tangible assets or resources; (2) may violate an organization's mission, reputation, or interest; or (3) may result in human injury. |
| Low | Exercise of threat (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest. |

Table 13: Definition of Impact Factor Classification

The resulting threat impact matrix is as per table 14 below: -

| Sno | Layer of Operation | Impact Domain | Power outage | Escalation of privileges | Theft | Misuse of privileges | Denial of service | Data leakage | Physical damage | Hacking | Unauthorized access | Sniffing of information | Misconfiguration |
|-----|--------------------|---------------|--------------|--------------------------|-------|----------------------|-------------------|--------------|-----------------|---------|---------------------|-------------------------|------------------|
| 1. | Networks | Confidentiality | High | High | High | High | High | Low | Medium | High | High | High | N/A |
| | | Integrity | Medium | High | High | Medium | Medium | Low | Low | Low | Medium | Low | N/A |
| | | Availability | Low | Medium | High | High | Low | Low | Low | Low | Low | Low | N/A |
| 2. | Applications / systems | Confidentiality | N/A | Low | High | High | High | High | High | Low | Low | Low | N/A |
| | | Integrity | N/A | High | High | High | High | High | High | Low | Low | Low | N/A |
| | | Availability | N/A | High | Medium | High | Low | Medium | Low | Low | Low | Low | N/A |
| 3. | Hardware | Confidentiality | N/A | Low | High | High | High | High | High | High | High | High | N/A |
| | | Integrity | N/A | High | High | High | High | High | High | Low | Low | Low | N/A |
| | | Availability | N/A | High | High | High | Low | High | High | Low | Low | Low | N/A |
| 4. | Human resource | Confidentiality | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High |
| | | Integrity | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High |
| | | Availability | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | N/A |

Table 14: Threat Impact Matrix

11. Step 7 – Risk Determination – Risk Level Matrix. The overall risk for each category of assets has been calculated by multiplying the likelihood by the corresponding impact value. Since the likelihood and impact factors have been described qualitatively, in order to determine the risk they have been given values as per table 15 below. The likelihood has been given a probability value of 1.0 for HIGH, 0.5 for MEDIUM and 0.1 for LOW. Similarly, the threat impact has been given a value of 100 for HIGH, 50 for MEDIUM and 10 for LOW.

| Likelihood \ Impact | High (100) | Medium (50) | Low (10) |
|---------------------|------------|-------------|----------|
| High (1.0) | High (100 x 1) = 100 | Medium (50 x 1) = 50 | Low (10 x 1) = 10 |
| Medium (0.5) | Medium (100 x 0.5) = 50 | Medium (50 x 0.5) = 25 | Low (10 x 0.5) = 5 |
| Low (0.1) | Low (100 x 0.1) = 10 | Low (50 x 0.1) = 5 | Low (10 x 0.1) = 1 |

Table 15: 3x3 Risk Level Matrix
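As an added example (not part of the original report), the following Python code implements the risk determination rule described above with the report's own scale values: likelihood multiplied by impact, bucketed into the levels of table 15, with N/A ratings carried through. It also rolls a category's per-asset likelihood rows and its confidentiality/integrity/availability impact rows up into a per-threat risk row; that worst-case roll-up rule and the sample ratings are assumptions of the example, since the report does not state how its backend calculations aggregate.

```python
from typing import Dict, Optional

# Likelihood and impact scale values as stated in the report (Table 15).
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
SEVERITY_ORDER = ["N/A", "Low", "Medium", "High"]  # least to most severe


def risk_score(likelihood: str, impact: str) -> Optional[float]:
    """Likelihood value x impact value; None when the threat is N/A for the asset."""
    if likelihood == "N/A" or impact == "N/A":
        return None
    # round() keeps 0.1 x 100 at exactly 10.0 so the Low/Medium cut-off is stable
    return round(LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact], 6)


def risk_level(score: Optional[float]) -> str:
    """Bucket a score as Table 15 does: 100 -> High; 50 and 25 -> Medium;
    10, 5 and 1 -> Low. The cut-offs (>50 High, >10 Medium) are NIST SP 800-30's."""
    if score is None:
        return "N/A"
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> Dict[str, Dict[str, str]]:
    """Rebuild the 3x3 risk level matrix (Table 15) from the scale values."""
    return {lk: {im: risk_level(risk_score(lk, im)) for im in IMPACT_VALUE}
            for lk in LIKELIHOOD_VALUE}


def worst(*ratings: str) -> str:
    """Most severe of several qualitative ratings (N/A < Low < Medium < High)."""
    return max(ratings, key=SEVERITY_ORDER.index)


def category_risk(likelihood_rows: Dict[str, Dict[str, str]],
                  impact_rows: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-threat risk for one asset category.

    likelihood_rows: {asset: {threat: rating}}  (one Table 12 row per asset)
    impact_rows:     {domain: {threat: rating}} (the category's C/I/A rows of Table 14)

    Assumption of this example (the report does not state its aggregation rule):
    for each threat take the highest likelihood across the category's assets and
    the highest impact across C/I/A, and rate that worst-case pair.
    Returns {threat: level} plus an "Overall" entry holding the highest level.
    """
    threats = next(iter(impact_rows.values())).keys()
    result: Dict[str, str] = {}
    for threat in threats:
        lk = worst(*(row[threat] for row in likelihood_rows.values()))
        im = worst(*(row[threat] for row in impact_rows.values()))
        result[threat] = risk_level(risk_score(lk, im))
    result["Overall"] = worst(*result.values())
    return result


# Constructed sample in the report's format (not the report's own ratings):
# two assets of the Networks category and its three impact domains.
SAMPLE_LIKELIHOOD = {
    "Core firewall":      {"Denial of service": "High",   "Sniffing of information": "Low", "Theft": "N/A"},
    "Perimeter firewall": {"Denial of service": "Medium", "Sniffing of information": "Low", "Theft": "N/A"},
}
SAMPLE_IMPACT = {
    "Confidentiality": {"Denial of service": "Low",  "Sniffing of information": "High",   "Theft": "N/A"},
    "Integrity":       {"Denial of service": "Low",  "Sniffing of information": "Medium", "Theft": "N/A"},
    "Availability":    {"Denial of service": "High", "Sniffing of information": "Low",    "Theft": "N/A"},
}

if __name__ == "__main__":
    for lk, row in risk_matrix().items():
        print(f"{lk:>6} likelihood:", row)
    # Denial of service -> High, Sniffing -> Low, Theft -> N/A, Overall -> High
    print(category_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```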

After carrying out the necessary calculations at the backend the following overall risk levels have
been determined for each category of assets as per table 16 below: -

| Sno | Layer of Operation | Power outage | Escalation of privileges | Theft | Misuse of privileges | Denial of service | Data leakage | Physical damage | Hacking | Unauthorized access | Sniffing of information | Misconfiguration | Overall Risk for Subject Category |
|-----|--------------------|--------------|--------------------------|-------|----------------------|-------------------|--------------|-----------------|---------|---------------------|-------------------------|------------------|-----------------------------------|
| 1. | Networks | Medium | Medium | High | High | Medium | Low | Medium | Low | Low | Low | N/A | Medium |
| 2. | Applications / systems | N/A | Medium | High | High | High | High | High | Low | Low | Low | N/A | High |
| 3. | Hardware | N/A | Medium | High | High | High | High | High | Low | Low | Low | N/A | High |
| 4. | Human resource | N/A | N/A | N/A | High | High | N/A | High | N/A | N/A | N/A | High | High |

Table 16: Risk Matrix of the System

12. Step 8 – Control Recommendations


a. Mitigation Strategies and Resulting Control Matrix. Keeping in view the threats, vulnerabilities, existing controls, the likelihood of each threat, the impact it will have on the system and the overall associated risks, certain critical controls have been suggested for each asset considered in table 2. When implemented, these controls form the overall mitigation strategy for minimizing the risks to the IT architecture in general and the SOC in particular. The resulting control matrix is given in table 17 below:
| Sno | Category | Asset | Recommended Controls |
|-----|----------|-------|----------------------|
| 1. | Networks | Edge/ client side switches, Aggregation switches, Perimeter firewalls, Core firewall, LBR (load balancer), Connectivity switches, Passive/ physical network | Encryption of data in transit; implementation of 802.1x/ NAC; implementation of service based VLANs; IP segregation based on services; creation of service based gateways at core firewall |
| 2. | Hardware Systems | End client terminals | Central anti-virus server; centrally implemented USB controls; implementation of patch management; two factor authentication |
| | | Application servers | Central anti-virus server; central USB controls; patch management; two factor authentication; NTP server |
| | | Storage/ SAN | Creation of service based gateways at core firewall; access control for SAN; implementation of change management procedure; encryption for data at rest; central backup mechanism |
| | | Database servers | Access control implementation; creation of service based gateways at core firewall; encryption; database monitoring mechanism; central backup mechanism |
| 3. | Applications/ OS (Operating Systems) | Windows/Linux | Central anti-virus; central USB controls; patch management; two factor authentication |
| | | Database management system | Password complexity; monitoring mechanism for database |
| | | SIEM software (component of SOC) | Central access control; NTP server; backup for log data |
| | | Forensic application (component of SOC) | Central access control; NTP server; backup for log data |
| | | Pentest software platforms (component of SOC) | Central access control; NTP server; backup for log data |
| | | CIRT software platform (component of SOC) | Central access control; NTP server; backup for log data |
| 4. | Personnel | Administrators | Password complexity enforcement; monitoring mechanism for administrators; implementation of segregation of duties |
| | | End users (insiders) | User awareness trainings; password complexity enforcement; central access control mechanism (Active Directory) |
| | | End users (outsiders) | DMZ for external users; segregation of network for external users |
| | | Technical maintenance staff (technicians) | Password complexity enforcement; monitoring mechanism; implementation of segregation of duties; biometric access mechanism enforcement within data centre |

Table 17: Control Matrix


13. Step 9 – Documentation. The threat modelling report presented herewith constitutes a comprehensive and all-encompassing document for the subject activity.
14. Conclusion. The threat modelling exercise carried out by the NUST IS Department for the IT infrastructure of M/S ABC and its SOC facility has highlighted certain glaring loopholes within the overall security of the system. An extensive effort has been made to take into consideration as many aspects of information security threat modelling procedures as possible and to evaluate the system from all possible angles. The overall standing of the system is at critical level. Correspondingly, appropriate controls have been suggested which, if implemented, will greatly contribute to mitigating the highlighted threats and will give the overall IT infrastructure the strength needed to operate safely.
