General Threats

Identifier: Admin_Err_Commit
Descriptive Name: Administrative errors of commission
Description: An administrator commits errors that directly compromise organizational security objectives or change the technical security policy enforced by the system or application.
Selection Guidance: Examples of possible administrator errors include entry of erroneous data, erroneous software execution, and careless use of output devices.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Adm_Err_Crypto - Accidental mismanagement of cryptographic functions
Admin_Err_AC_Policy - Administrator error modifies access control or information flow policy
Admin_Err_Audit - Administrator error changes audit behavior
Admin_Err_Authentic - Administrator error modifies authentication enforcement
Admin_Err_Info - Administrator error makes information unavailable
Admin_Err_Resource - Administrator error makes resource unavailable
Admin_Err_Sys_Entry - Administrator error modifies entry policy
Admin_Err_User_Attr - Administrator error modifies user security attributes

Identifier: Admin_Err_Omit
Descriptive Name: Administrative errors of omission
Description: The system administrator fails to perform some function essential to security.
Selection Guidance: This threat is especially important in systems where administration of security functions is largely manual, and in organizations where system administrators are not well trained or have other responsibilities that are not related to security.
For example, the system administrator does not update system configurations or user account information to reflect current policies, assigned privileges, or user authorizations.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Adm_Err_Crypto - Accidental mismanagement of cryptographic functions
Adm_Misconfig_User - User privileges and/or authorizations are not updated upon reassignment
Admin_Err_Omit_Trap - Back door left open
Admin_Err_Update - Administrator fails to update security configuration

Identifier: Admin_Hostile_Modify
Descriptive Name: Hostile administrator modification of user or system data
Description: An administrator maliciously obstructs organizational security objectives or modifies the system's configuration to allow security violations to occur.
Selection Guidance: This threat is relevant in environments where not all administrators are fully trustworthy and/or are able to make mistakes that could jeopardize security.
Security violations include both direct abuse of privilege (e.g., deleting user files) and administrative actions that allow violations of the intended security policy (e.g., incorrectly changing user attributes).
Coverage Rationale: The detailed attacks are based on an enumeration of security services from Part 2 of the CC. If the PP includes additional security services, then the coverage is incomplete. In the likely case that the PP does not include all security functions from Part 2 of the CC, some attacks will be irrelevant and should be ignored.
Editorial: Separation. This attack is unique in that administrators have a very open ability to affect most or anything within the TSC. Therefore different and unique safeguards, such as automating security functions, may be necessary to prevent the possible administrator attacks.
Attacks may be grouped in various ways. The following grouping is a synthesis from the TnC material and the resulting new taxonomy.
     Availability
          Unauthorized Modification of TSF Data
          User Security Attributes set to Obstruct Legitimate User ...
     Confidentiality
          System Administrator Steals User Data
     Integrity
          Modification of Audit Data and Attributes
          Destruction or Modification of Audit Data
     Security Protection
          Inappropriate Modification of Audit Attributes
          Modification of Audit Data and Attributes
          Modification of TSF Code or Data
          Destruction or modification of Audit Data -- done
          Unauthorized Modification of TSF Data
                  of object security attributes -- sort of done

Implementing Detailed Attacks
Adm_Hstl_Audit_Dstr - Destruction or modification of audit data
Adm_Hstl_Mod_Data_AC - Administrator maliciously modifies or deletes data access control attributes
Adm_Hstl_Mod_DataAps - Administrator modifies or destroys user data or applications
Adm_Hstl_Mod_IFC - Administrator maliciously modifies information flow control
Adm_Hstl_Mod_SEP - Administrator maliciously modifies system entry parameters
Adm_Hstl_Mod_TSFCode - Administrator maliciously modifies security-critical code
Adm_Hstl_Mod_USB - Administrator maliciously modifies user/subject bindings
Adm_Hstl_Mod_UsrAttr - Administrator maliciously modifies user attributes and/or roles

Identifier: Admin_UserPriv
Descriptive Name: Administrator violates user privacy policy
Description: An administrator learns the identity (or other privacy-related information) of user(s) in violation of user privacy policy. Privacy-related information is sensitive information associated with the identity of a user.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Admin_UserPriv_Agg - Administrator aggregates privacy information
Admin_UserPriv_Col - Administrator reads collected user privacy information
Admin_UserPriv_Gen - Administrator reads system generated privacy information

Identifier: Component_Failure
Descriptive Name: A critical system component fails
Description: Failure of one or more system components results in the loss of system-critical functionality.
Selection Guidance: This threat is relevant when there are components that may fail due to hardware and/or software imperfections and when the availability of system functionality is important.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Ext_Crypto_Failure - Failure of external crypto support functions
Hardware_Flaw - System hardware fails during system operation
Phys_CompFail_Res - Resource depletion failure
Software_Flaw - System use uncovers an intrinsic software flaw in a critical system component
TSF_Err_Conf_Crypto - Accidental release of cryptographic assets due to TSF flaw or malfunction

Identifier: Dev_Flawed_Code
Descriptive Name: Software containing security-related flaws
Description: A system or applications developer delivers code that does not perform according to specifications or contains security flaws.
Selection Guidance: An important special case of this threat is when the security flaws prevent the system's security mechanism (TSF) from adequately protecting itself.
Coverage Rationale:
Editorial: Note that component flaws are treated separately (see Component_Failure).

Implementing Detailed Attacks
Dev_FC_Attr_Interp - Inconsistent interpretation of audit data attributes
Dev_FC_Buff_Not_Clr - Buffers not cleared by the system
Dev_FC_Ctrl_Data - Incorrect modification of control data
Dev_FC_Data_Export - System data incorrectly exchanged
Dev_FC_Recovery - Non-secure recovery
Dev_FC_Replication - Inaccurate system-data replication
Dev_FC_Self_Protect - System modification by unauthorized source
Dev_FC_Trap_Door - Malicious developer creates secret trapdoor in system
Ext_Crypto_Failure - Failure of external crypto support functions

Identifier: Failure_DS_Comp
Descriptive Name: Failure of a distributed system component
Description: Failure of a component that is part of a distributed system will cause other parts of the distributed system to malfunction or provide unreliable results.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Failure_DS_Comm - Communications function failure

Identifier: Hack_AC
Descriptive Name: Hacker undetected system access
Description: A hacker gains undetected access to a system due to missing, weak, and/or incorrectly implemented access control, causing potential violations of integrity, confidentiality, or availability.
Selection Guidance: Improper access can be gained via several methods. One example is a weak password mechanism that allows unintended system access.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_AC_Code_Vul - Hacker gains access through a vulnerability in code
Hack_AC_Weak - Weak system access control mechanism or system access control implementation

Identifier: Hack_Avl_Resource
Descriptive Name: Hacker attempts resource denial of service
Description: A hacker executes commands, sends data, or performs other operations that make system resources unavailable to system users. Resources that may be denied to users include bandwidth, processor time, memory, and data storage.
Selection Guidance: One example of this threat is denial of service caused by hacker actions that disrupt the system's ability to manage its resources.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Comm_Overload - Hacker causes overload of communication resources
Hack_Prcsr_Overload - Hacker causes system task overload resulting in denial of service
Hack_Stg_Overload - Hacker activities cause storage overload

Identifier: Hack_Comm_Eavesdrop
Descriptive Name: Hacker eavesdrops on user data communications
Description: A hacker obtains user data by eavesdropping on communications lines.
Selection Guidance: This threat is relevant when the system must exchange user data with a remote system, and the confidentiality of that data is important.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_CommEaves_Eman - The communication mechanism emanates data
Hack_CommEaves_Intrc - Outsider intercepts user communications
Hack_CommEaves_Tap - An outsider taps a communications line

Identifier: Hack_Crypto
Descriptive Name: Cryptanalysis for theft of information
Description: A hacker performs cryptanalysis on encrypted data in order to recover message content.
Selection Guidance:
Coverage Rationale:
Editorial: This threat could easily be broadened to include cryptanalysis used for other purposes, e.g., to discover a signature key that allows forgery.

Implementing Detailed Attacks
Hack_Crypto_ChsnCy - Chosen-ciphertext cryptanalysis
Hack_Crypto_ChsnPln - Chosen-plaintext cryptanalysis
Hack_Crypto_ChsnTxt - Chosen-text cryptanalysis
Hack_Crypto_Cypher - Ciphertext-only cryptanalysis
Hack_Crypto_PlnTxt - Known-plaintext cryptanalysis
Hack_Phys_Cnf_Eman - Hacker collects information via emanations analysis

Identifier: Hack_Masq
Descriptive Name: Hacker masquerading as a legitimate user or as a system process
Description: A hacker masquerades as an authorized user to perform operations that will be attributed to the authorized user or a system process.
Selection Guidance: Masquerade normally involves concealment of identity through false pretenses. It often involves gaining access to a system under a false identity. This threat differs from a hostile insider's abuse of privilege, in which a legitimate user takes unfair advantage of system weaknesses.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Masq_Hijack - A hacker assumes the identity of an authorized user
Hack_Masq_Uwkstn - A user assumes the identity of an authorized user
Hack_Masq_Wauth - Masquerading due to weak authentication

Identifier: Hack_Msg_Data
Descriptive Name: Message content modification
Description: A hacker modifies information intercepted from a communication link between two unsuspecting entities before passing it on, thereby deceiving the intended recipient.
Selection Guidance: The communication link may be between two unrelated systems, between two parts of a distributed system, or between two users of a single system. The consequence of this threat is that the receiver will be receiving information other than that which was intended by the sender, namely information provided by the hacker.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_MsgData_RcvTSF - Modification of security-critical data in transit from a remote trusted site
Hack_MsgData_RcvUsr - Modification of user data in transit from a remote site
Hack_MsgData_SndTSF - Modification of security-critical data in transit to a remote site
Hack_MsgData_SndUsr - Modification of user data in transit to a remote site

Identifier: Hack_Phys
Descriptive Name: Exploitation of vulnerabilities in the physical environment of the system
Description: A hacker physically interacts with the system to exploit vulnerabilities in the physical environment, resulting in arbitrary security compromises.
Selection Guidance: The security compromises could include loss of availability, confidentiality, integrity, and/or security protection. For example, a hacker physically damages the IT system.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Phys_Avl_Eman - Emissions interference
Hack_Phys_Cnf_Eman - Hacker collects information via emanations analysis
Hack_Phys_Crypto - Physical attack on cryptographic assets
Hack_Phys_Damage - Hacker physically attacks the system

Identifier: Hack_Social_Engineer
Descriptive Name: Social engineering
Description: A hacker uses social engineering techniques to gain information about system entry, system use, system design, or system operation.
Selection Guidance: This threat always exploits non-IT vulnerabilities, possibly in conjunction with IT vulnerabilities.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_SocEng_Password - Social engineering to steal password
Hack_SocEng_SysInfo - Hacker uses social engineering to learn system information

Identifier: Malicious_Code
Descriptive Name: Malicious code exploitation
Description: An authorized user, IT system, or hacker downloads and executes malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of system assets.
Selection Guidance:
Coverage Rationale: An authorized user, IT system, or hacker downloads an object either deliberately or accidentally. The user does this primarily in order to gain assets that will assist in their job performance. The IT system may do this to meet informational requirements. The hacker may do this in an effort to satisfy destructive goals. The malicious code is then executed via a trigger mechanism. The trigger mechanism can be executed automatically after download, manually by the hacker, or unknowingly by the authorized user. The results of the attack affect the target system or any other system that the target system can influence.
Editorial:

Implementing Detailed Attacks
Mal_Code_Hack_Downld - Malicious code perpetrator dissemination
Mal_Code_Hack_Exe - Malicious code perpetrator execution
Mal_Code_IT_Download - Malicious code accidental IT download
Mal_Code_IT_Exe - Malicious code IT execution
Mal_Code_Usr_Downld - Malicious code accidental user download
Mal_Code_Usr_Exe - Malicious code user execution

Identifier: Power_Disrupt
Descriptive Name: Unexpected disruption of system or component power
Description: A human or environmental agent disrupts power, causing the system to lose information or security protection.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Power_Disrupt_Reset - Unexpected power reset

Identifier: Repudiate_Receive
Descriptive Name: Recipient denies receiving information
Description: The recipient of a message denies receiving the message, to avoid accountability for receiving the message or to avoid obligations incurred as a result of receiving the message.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Repudiate_Rcvr_Int - Denial of having received data from another local user
Repudiate_Rcvr_Local - Denial of having received information from a remote user
Repudiate_Rcvr_Rem - Denial of having received information by a remote user

Identifier: Repudiate_Send
Descriptive Name: Sender denies sending information
Description: The sender of a message denies sending the message, to avoid accountability for sending the message or to avoid obligations incurred as a result of sending the message.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Repudiate_Send_Int - Denial of having sent information to another local user
Repudiate_Send_Local - Denial of having sent information to a remote user
Repudiate_Send_Rem - Denial of having sent data by a remote user

Identifier: Repudiate_Transact
Descriptive Name: A participant denies performing a transaction
Description: A participant in a transaction denies participation in the transaction to avoid accountability for the transaction or for resulting obligations.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Repudiate_Trans_Loc - Circumvent non-repudiation in a transaction involving a user and a local system
Repudiate_Trans_Uloc - Circumvent non-repudiation in a transaction involving a local user and a remote system
Repudiate_Trans_Urem - Circumvent non-repudiation in a transaction involving a remote user and a local system

Identifier: Spoofing
Descriptive Name: Legitimate system services are spoofed
Description: An attacker tricks users into interacting with spurious system services.
Selection Guidance: The attack method may involve writing software to spoof users or modifying message protocol information in transit.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Spoof_Login - Login program replicated to capture authentication data
Hack_Spoof_MsgHdr - Attacker modifies protocol headers

Identifier: User_Abuse_Conf
Descriptive Name: Hostile user acts cause confidentiality breaches
Description: A user collects sensitive or proprietary information and removes it from the system.
Selection Guidance: Examples include the following:
   * placing confidential information on a removable disk
   * transmitting data outside the organization.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
User_Abuse_Conf_Disk - User smuggles data using removable media
User_Abuse_Conf_Steg - Steganographic data smuggling

Identifier: User_Collect
Descriptive Name: User abuses authorization to collect data
Description: A user abuses granted authorizations to improperly collect sensitive or security-critical data.
Selection Guidance: An example of sensitive data is proprietary information. An example of security-critical data is user authentication data.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
User_Collect_Browse - User collects data by browsing
User_Collect_Deceive - User collects authentication data by deception
User_Collect_Deduce - User collects data by deduction
User_Collect_Eaves - User collects data by eavesdropping
User_Collect_Residue - User collects residual data

Identifier: User_Err_Conf
Descriptive Name: User errors cause confidentiality breaches
Description: A user commits errors that cause information to be delivered to the wrong place or wrong person.
Selection Guidance: This threat is a concern in any system that holds sensitive or classified information and has human users (including administrators). User errors include entry of erroneous data, erroneous software execution, and careless use of output devices.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Ext_CryptoAsset - Accidental or deliberate mishandling of cryptographic assets external to the TOE
User_Err_Conf_Class - Under-classification of data sensitivity on export
User_Err_Conf_Crypto - Accidental release of cryptographic assets due to user error
User_Err_Conf_Exp - Confidentiality violation of export control policy

Identifier: User_Err_Inaccess
Descriptive Name: User error makes data inaccessible
Description: A user accidentally deletes user data or changes system data, rendering user data inaccessible.
Selection Guidance:
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
User_Err_Delete - User error deletes data
User_Err_Mod_Attr - User error modifying attributes availability
User_Err_Set_Attr - User error setting attributes availability

Identifier: User_Err_Integrity
Descriptive Name: User errors cause integrity breaches
Description: A user commits errors that induce erroneous actions by the system and/or erroneous statements to its users.
Selection Guidance: This threat is a concern in any system that produces content-critical information and has human users (including administrators). User errors include entry of erroneous data, erroneous software execution (e.g., using uncertified software), and poor choices in the selection of available input data.
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
Hack_Ext_CryptoAsset - Accidental or deliberate mishandling of cryptographic assets external to the TOE
User_Err_AttrXpt - Falsification of information quality in data export
User_Err_Data_Export - User accidentally releases incorrect information
User_Modify_Data - User improperly modifies user data

Identifier: User_Err_Slf_Protect
Descriptive Name: User errors undermine the system's security features
Description: A user commits errors that cause the system or one of its applications to undermine the system's security features.
Selection Guidance: User errors include entry of erroneous data (including security data), as well as erroneous software execution (e.g., running a program with incorrect privilege settings).
Coverage Rationale:
Editorial:

Implementing Detailed Attacks
User_Err_MsngAttrXpt - Failure to provide object security attributes in data export
User_Err_Object_Attr - Incorrectly set object attributes

Identifier: User_Misuse_Avl_Resc
Descriptive Name: User's misuse causes denial of service
Description: A user's unauthorized use of resources causes an undue burden on an affected resource.
Selection Guidance: Improper use by a user is normally deliberate even though the attack results are generally accidental. A user simply uses the capabilities of the TOE beyond set usage guidelines, possibly without understanding the attack ramifications.

Both this threat and T.User_Err_Inaccess deal with non-malicious loss of availability. This threat has been scoped to system resource availability. By contrast, T.User_Err_Inaccess includes threats to user file availability.
Coverage Rationale:
Editorial: Threat Source: The threat source is a non-malicious human being who is not following policy in an effort to complete actions they feel are in the organization's best interest.
Attack Method: The attack method is to create multiple processes or data files in quantities that put an undue strain on the system's processing or communication resources.
Results: The results are primarily reduction or denial of availability of resources to legitimate users and applications.
Separation:

Therefore, to scope this threat, the user's attitude in relation to the attack results is generally accidental in nature, their sophistication level as a threat agent is low, and their primary role is that of an application user even though they may have local administrative privileges. Even though the user may have administrative privileges, to further scope this threat, administrative attacks are left out and described in either the malicious or accidental administrator threats.

It is worth keeping the threats T.User_Misuse_Avl_Resc and T.User_Err_Inaccess separate because the countermeasures are distinct.

Implementing Detailed Attacks
User_Comm_Overload - User's unauthorized use causes overload of communication resources
User_ErrAvl_AudExhst - Denial of service due to exhausted audit storage
User_Obst_Res_Use - User obstructs legitimate use of resources
User_Prcsr_Overload - User's unauthorized actions over-task the system causing processor overload
User_Stg_Overload - User's unauthorized actions cause storage overload

Identifier: User_Modify
Descriptive Name: User abuses authorization to modify data
Description: A user abuses granted authorizations to improperly change or destroy sensitive or security-critical data.
Selection Guidance: An example of sensitive data is proprietary information. An example of security-critical data is user authentication data.
Coverage Rationale:
Editorial: Source: Authorized user
Method: modify
Effect: loss of integrity, loss of availability, loss of security protection

Implementing Detailed Attacks
User_Modify_Audit - User modifies audit trail
User_Modify_Auth - User improperly modifies authentication data
User_Modify_Data - User improperly modifies user data
User_Modify_TSFData - User improperly modifies TSF data

Identifier: User_Send
Descriptive Name: User abuses authorization to send data
Description: A user abuses granted authorizations to improperly send sensitive or security-critical data.
Selection Guidance: An example of sensitive data is proprietary information. An example of security-critical data is user authentication data.
Coverage Rationale:
Editorial: Source: Authorized user
Method: send
Effect: loss of confidentiality, loss of integrity

Implementing Detailed Attacks
User_Abuse_Conf_Steg - Steganographic data smuggling
User_Send_Conf - User sends data violating confidentiality
User_Send_Integrity - User sends data violating integrity