Misbehaviours

LocalLossOfControl

Untrusted, potentially malicious agents gained admin privileges on a host, when the host is in a specific location and/or connected to a specific subnet.

LocalLossOfUserTW

Untrusted, potentially malicious agents gained access to a host, with user rights (possibly associated with a specific process), when the host is in a specific location and/or connected to a specific subnet.

LossOfExploitTW

Exposure of software vulnerabilities to exploitation by attackers in some context.

LossOfAuthenticity

Forging or alteration of data (which may be embedded in an IoT device) in a way designed to induce false behaviour in other assets consuming the data.

LossOfConfidentiality

Disclosure of data (which may be embedded in an IoT device) to unauthorised parties, or a state where prevention or detection of such a disclosure cannot be ensured.

LossOfIntegrity

Alteration or corruption of data (which may be embedded in an IoT device) such that its use will produce incorrect outputs or outcomes, but which may or may not be malicious and designed to subvert assets consuming the data.

LossOfTimeliness

Represents a state in which a data asset is somewhat out of date, or a process or human has outdated or (temporarily) unavailable inputs.

NotEncrypted

An adverse behaviour of stored or flowing copies of data, signifying that the copy is not available in an encrypted form. Considered an adverse effect because it means confidentiality could be breached without compromising a decryption key, and used to model side effects of encryption controls.

NotDecrypted

An adverse behaviour of stored or flowing copies of data, signifying that the copy is not available in an unencrypted form. Considered an adverse effect because it can lead to loss of availability for the data if a legitimate user or process lacks a suitable decryption key, and used to model side effects of encryption controls.

PhysicalShutdown

Signifies that the physical process controlled by the Controller has been halted by physical means.

LossOfUserTW

Untrusted, potentially malicious agents gained user rights in some system context.

VulnerabilityDiscovered

Discovery by potential attackers of one or more vulnerabilities in software associated with the affected host or process.

TrojanInsertion

Insertion of a back door into a host operating system or other software stored and running on a host.

TotalLoad

The total load on a Data Centre.

Overloaded

The asset is being used or requested more than allowed or expected.

MalwareInfection

Insertion into the asset of malicious, self-propagating software.

LossOfResourceTW

Untrusted, potentially malicious agents can control the provisioning of, or allocation of resources to, the asset.

LossOfExtrinsicTW

Deterioration in the quality and/or integrity of software engineering used to implement the asset, such that it will contain more software vulnerabilities likely to be discovered by an attacker.

LossOfNetworkControl

Untrusted, potentially malicious agents can control routing within the abstract or logical subnet.

LossOfIntrinsicTW

Deterioration in the quality and/or integrity of software engineering used to implement the asset, such that it will contain more functional software bugs that cause errors or crashes without external provocation.

LossOfDefaultTW

Modelling artefact, corresponding to the trustworthiness attribute DefaultTW, which is already set by default to the lowest trustworthiness level.

LossOfControl

Untrusted, potentially malicious agents gained admin rights in some system context.

LossOfCapacity

Reduction in the capacity of a Data Centre to handle demands placed on it by automatically provisioned for hosts and processes.

InService

Engagement by an asset in the system, which is usually desirable, but means the asset is open to attack, abuse or misuse (and hence it is modelled as a potential threat consequence).

LossOfNetworkUserTW

Untrusted, potentially malicious agents have access to the abstract or logical network subnet, i.e. they can access a connected host that may or may not be part of the modelled system.

ConnectionsAllowed

Applies to a network communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets, signifying that by default, messages will be allowed to flow.

BandwidthUnmanaged

Signifies that bandwidth used by message flows through an interface cannot be restricted based on their source and/or destination addresses.

CommsSnoopable

Applies to a network or communication channel, signifying that messages in that network or channel can be intercepted and read via passive snooping or via a man-in-the-middle attack.

NetworkSpoofing

The connection from a device to a subnet is really with a spoofed subnet. This means a malicious party is routing between the device and the subnet with which it is supposed to be connected.

PhysicalIntrusion

Untrusted, potentially malicious agents have or could have physical access to the space.

PhysicalBreach

The physical boundary and means of access control to a private space has been compromised.

ClientImpersonation

The authentication credentials of a client accessing a service are no longer secure and reliable, i.e. the client can be impersonated to the service. This does not necessarily mean an attacker can access the service, only that they have access to client credentials.

DeputyConfusion

The client is influenced by a malicious actor who is able to induce the client to send malicious requests to its service.

LossOfAccessibility

Referring to a client-service relationship, representing inability of the client to authenticate with the service.

LossOfAnonUserTW

Untrustworthy users are able to send messages to a service from the direction of a specific client. This relates to any message so it includes messages sent anonymously, prior to authentication. It is not related to which users can access the service. Consequently, a high likelihood is not in itself a cause for concern, so the impact level should never be raised for this behaviour.

LossOfClientTW

A malicious actor is able to access the related service and authenticate as the related client. This means the attacker is able to send requests to the service, and either the attacker has access to client credentials or the service fails to authenticate before allowing access.

LossOfConnectivity

There is a loss of connectivity between processes.

LossOfProxyUserTW

A malicious actor is able to send messages via a reverse proxy to a related service. The service is exposed to malicious requests, but not directly from an attacker.

LossOfServiceTW

The service accessed by a client is controlled by a malicious actor, usually (but not always) caused by the service being hacked by an external attacker.

ServiceChannelsAllowed

Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets. Signifies that exceptions do exist allowing client-service connections and communications to tunnel through a default deny routing policy.

ServiceImpersonation

The service accessed by a client is an imposter.

Theft

Model of device theft and reconnection of stolen devices.

TheftOfControl

Untrusted, potentially malicious agents gained control of a device or process running on it after the device has been removed by theft from the system.

LossOfTrust

The Stakeholder (usually a Human) is no longer willing to fulfil their role in the system. NOT YET USED IN ANY THREAT.

LossOfReliability

The device, process or human is liable to make errors with an unacceptable frequency or extent. Caused by internal failings including lack of expertise, software bugs, etc., by using forged, corrupt or inaccurate information as input, or by a dependency on some other asset that is not reliable.

LossOfCompetence

Erosion of competence in a Human, caused by changes in themselves, their role or the technology they use to carry out that role within the system.

LossOfBenevolence

Effect of external influences on a Human that introduce or foster motives or desires to cause adverse effects.

LossOfAstuteness

Undermining of a Human in a way that causes a lapse in their judgement regarding security risks, leaving them more open to being deceived into taking inappropriate actions.

LossOfAvailability

The asset cannot (or will not) carry out its function within the system, failing to interact with other assets as expected.

LossOfExtrinsic-U-TW

Discovery by potential attackers of a vulnerability whose exploitation would allow an attacker user-level access.

LossOfExtrinsic-VN-TW

Discovery by potential attackers of a vulnerability that can be accessed from a remote network.

LossOfExtrinsic-VL-TW

Discovery by potential attackers of a vulnerability that can be accessed from a local shell or via physical access.

LossOfExtrinsic-VA-TW

Discovery by potential attackers of a vulnerability that can be accessed only from the local network, requiring access to either the broadcast or collision domain of the vulnerable software.

LossOfExtrinsic-QI-TW

Discovery by potential attackers of a vulnerability whose exploitation would allow an attacker to inject queries that will be passed to a trusting back-end process.

LossOfExtrinsic-W-TW

Discovery by potential attackers of a vulnerability whose exploitation would allow insertion of self-propagating malware.

LossOfExtrinsic-I-TW

Discovery by potential attackers of a vulnerability whose exploitation would allow data to be altered.

LossOfExtrinsic-C-TW

Discovery by potential attackers of a vulnerability whose exploitation would compromise data confidentiality.

LossOfExtrinsic-AU-TW

Discovery by potential attackers of a vulnerability that can be accessed without authentication.

LossOfExtrinsic-A-TW

Discovery by potential attackers of a vulnerability whose exploitation would compromise asset availability.

LossOfExtrinsic-M-TW

Discovery by potential attackers of a vulnerability whose exploitation would allow an attacker to take control.

LossOfExtrinsic-XS-TW

Discovery by potential attackers of a vulnerability in a service whose exploitation would allow injection of malicious scripts into a client process.