Posts: 108
Topic starter
(@taichi)
Member
Joined: 4 years ago

1. OSA - Threat Catalogue Overview

http://www.opensecurityarchitecture.org/cms/library/threat_catalogue

2. ENISA - European Union Agency for CyberSecurity - Threat Taxonomy

https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view

 

Threat number High Level Threats Threats Threat details
1 Physical attack (deliberate/ intentional)    
2   Fraud  
3   Fraud by employees
4 Sabotage  
5 Vandalism  
6 Theft (devices, storage media and documents)  
7   Theft of mobile devices (smartphones/ tablets)
8 Theft of fixed hardware 
9 Theft of documents
10 Theft of backups
11 Information leakage/sharing  
12 Unauthorized physical access / Unauthorised entry to premises  
13 Coercion, extortion or corruption  
14 Damage from the warfare  
15 Terrorists attack  
16 Unintentional damage / loss of information or IT assets    
17   Information leakage/sharing due to human error  
 
18
19   Accidental leaks/sharing of data by employees
20 Leaks of data via mobile applications
21 Leaks of data via Web applications
22 Leaks of information transferred by network
23 Erroneous use or administration of devices and systems  
24   Loss of information due to maintenance errors / operators errors
25 Loss of information due to  configuration/ installation error
26 Increasing recovery time
27   Loss of information due to  user errors
28 Using information from an unreliable source  
29 Unintentional change of data in an information system  
30 Inadequate design and planning or improper adaptation
31 Damage caused by a third party   
32   Security failure by third party
33 Damages resulting from penetration testing  
34 Loss of information in the cloud  
35 Loss of (integrity of) sensitive information  
36   Loss of integrity of certificates
37 Loss of devices, storage media and documents  
38   Loss of devices/ mobile devices
39 Loss of storage media 
40 Loss of documentation of IT Infrastructure
41 Destruction of records  
42   Infection of removable media
43 Abuse of storage 
44 Disaster (natural, environmental)    
45   Disaster (natural earthquakes, floods, landslides, tsunamis, heavy rains, heavy snowfalls, heavy winds)  
46 Fire  
47 Pollution, dust, corrosion  
48 Thunder stroke  
49 Water  
50 Explosion  
51 Dangerous radiation leak  
52 Unfavorable climatic conditions  
53   Loss of data or accessibility of IT infrastructure as a result of extensive humidity
54 Loss of data or accessibility of IT infrastructure as a result of extensive temperature
55 Major events in the environment  
56 Threats from space / Electromagnetic storm  
57 Wildlife  
58 Failures/ Malfunction    
59   Failure of devices or systems  
60   Failure of defective data media
61 Hardware failure
62 Failure of applications and services
63 Failure of parts of devices (connectors, plug in)
64 Failure or disruption of communication links (communication networks)  
65   Failure of cable networks
66 Failure of wireless networks
67 Failure of mobile networks
68  
69 Failure or disruption of main supply  
70   Failure or disruption of the power supply
71 Failure of cooling infrastructure
72 Failure or disruption of service providers (supply chain)  
73 Malfunction of equipment (devices or systems)  
74 Outages    
75   Loss of resources  
76   Loss of electricity
77 Cooling outages
78 Absence of personnel  
79 Strike  
80 Loss of support services  
81 Internet outage  
82 Network outage  
83   Outage of cable networks
84 Outage of wireless networks
85 Outages of mobile networks
86 Eavesdropping/ Interception/ Hijacking    
87   War driving  
88 Intercepting compromising emissions  
89 Interception of information  
90   Corporate Espionage
91 Nation state espionage
92 Information leakage due to unsecured Wi-Fi, rogue access points
93 Interfering radiation  
94 Replay of messages  
95 Network Reconnaissance, Network traffic manipulation and Information gathering  
96 Man in the middle/ Session hijacking   
97 Nefarious Activity/ Abuse    
98   Identity theft (Identity Fraud/ Account)   
99   Credentials stealing trojans
100 Receipt of unsolicited e-mail
101   SPAM
102 Unsolicited infected e-mails
103 Denial of service  
104   Distributed Denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing)
105 Distributed Denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods)
106 Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /…/ BitTorrent)
107 Malicious code/ software/ activity  
    Abuse of resources
108 Search Engine Poisoning
109 Exploitation of fake trust of social media
110 Worms/ Trojans
111 Rootkits
112 Mobile malware
113
114
115 Infected trusted mobile apps
116 Elevation of privileges
117 Web application attacks / injection attacks (Code injection: SQL, XSS)
118 Spyware or deceptive adware
119 Viruses
120 Rogue security software/  Rogueware/ Scareware
121
122   Exploits/Exploit Kits
123 Social Engineering  
124   Phishing attacks
125 Spear phishing attacks
126 Abuse of Information Leakage  
127   Leakage affecting mobile privacy and mobile applications
128 Leakage affecting web privacy and web applications
129 Leakage affecting network traffic
130 Leakage affecting cloud computing
131 Generation and use of rogue certificates  
132   Loss of (integrity of) sensitive information
133 Man in the middle/ Session hijacking 
134 Social Engineering / signed malware (e.g. install fake trust OS updates – signed malware)
135 Fake SSL certificates
136 Manipulation of hardware and software  
137   Anonymous proxies
138 Abuse of computing power of cloud to launch attacks (cybercrime as a service)
139 Abuse of vulnerabilities, 0-day vulnerabilities
140 Access of web sites through chains of HTTP Proxies (Obfuscation)
141 Access to device software
142 Alteration of software
143 Rogue hardware
144 Manipulation of information  
145   Repudiation of actions
146 Address Space hijacking (IP prefixes)
Routing table manipulation
147 DNS poisoning / DNS spoofing / DNS Manipulations 
148 Falsification of record
149 AS hijacking
150 AS manipulation
151 Falsification of configurations
152 Misuse of audit tools  
153 Misuse of information/ information systems (including mobile apps)  
154 Unauthorized activities  
155   Unauthorized use or administration of devices and systems
156   Unauthorized use of software
157   Unauthorized access to the information systems / networks (IMPI Protocol / DNS Register Hijacking)
158   Network Intrusion
159   Unauthorized changes of records
160 Unauthorized installation of software  
161   Web based attacks (Drive-by download / malicious URLs / Browser based attacks)
162 Compromising confidential information (data breaches)  
163 Hoax  
164   False rumor and/or a fake warning
165 Remote activity (execution)  
166   Remote Command Execution
167 Remote Access Tool (RAT)
168 Botnets / Remote activity 
169 Targeted attacks (APTs etc.)  
170   Mobile malware
171 Spear phishing attacks
172 Installation of sophisticated and targeted malware
173 Watering Hole attacks
174 Failure of business process
175 Brute force  
176 Abuse of authorizations  
177 Legal    
178   Violation of laws or regulations / Breach of legislation  
179 Failure to meet contractual requirements  
180   Failure to meet contractual requirements by third party
181 Unauthorized use of IPR protected resources  
182   Illegal usage of File Sharing services
183 Abuse of personal data  
184 Judiciary decisions/court orders

1 Reply
Posts: 108
Topic starter
(@taichi)
Member
Joined: 4 years ago

3. HITRUST - Threat Catalogue Download

https://hitrustalliance.net/threat-catalogue-download/

ID Type Category Sub-Category Threat Description
  Logical Threats Intentional Conflict   Struggle resulting from incompatible or opposing needs, drives, wishes, or external or internal demands.
LIC1 Logical Threats Intentional Conflict Sabotage Deliberate actions aimed to cause disruption or damage to information and/or IT assets for financial or personal gain. 
LIC2 Logical Threats Intentional Conflict Terrorism The use of violence as a means to create terror among masses of people; or fear to achieve a financial, political, religious or ideological aim.
LIC3 Logical Threats Intentional Conflict Vandalism Deliberate destruction or damage to information and/or IT assets, but not for personal gain.
LIC4 Logical Threats Intentional Conflict Warfare Damage to assets, facilities, and employees due to war or armed conflict.
  Logical Threats Intentional Misappropriation   Dishonestly or unfairly taking for one's own use.
LIM1 Logical Threats Intentional Misappropriation Embezzlement To appropriate something, such as property entrusted to one's care fraudulently to one's own use. A form of theft through fraud. 
LIM2 Logical Threats Intentional Misappropriation Extortion The act of obtaining money, property, or services from an organization through coercion.  A form of theft through use of force or intimidation to obtain compliance. 
LIM3 Logical Threats Intentional Misappropriation Fraud Deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right.
LIM4 Logical Threats Intentional Misappropriation Theft The act of logically stealing and/or removing of the property with intent to deprive the rightful owner of it.
  Logical Threats Intentional Nefarious   Flagrant breaching of time-honored laws and traditions of conduct.
LIN1 Logical Threats Intentional Nefarious Abuse of authorizations Using authorized access to perform illegitimate actions.
LIN2 Logical Threats Intentional Nefarious Address Space hijacking The illegitimate takeover of groups of IP addresses.
LIN3 Logical Threats Intentional Nefarious Alteration of software Unauthorized modifications to code or configuration data, attacking its integrity.
LIN4 Logical Threats Intentional Nefarious Anonymous proxies Access of web sites through chains of HTTP proxies (obfuscation), bypassing the security mechanism(s). 
LIN5 Logical Threats Intentional Nefarious Autonomous System hijacking Overtaking, by the attacker, the ownership of a whole autonomous system and its prefixes despite origin validation
LIN6 Logical Threats Intentional Nefarious Brute force Unauthorized access via systematically checking all possible keys or passwords until the correct one is found.
LIN7 Logical Threats Intentional Nefarious Code Injections Exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources.
LIN8 Logical Threats Intentional Nefarious Command injection Execution of arbitrary commands on the host operating system via a vulnerable application. This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code. Also known as "Remote Command Execution".
LIN9 Logical Threats Intentional Nefarious Compromised Credentials An account/id/username has been used or accessed by a non authorized means
LIN10 Logical Threats Intentional Nefarious Denial of Service Service unavailability due to a massive number of requests for services from a single point.
LIN11 Logical Threats Intentional Nefarious Distributed Denial of Service Service unavailability due to a massive number of requests for access to network services from multiple malicious clients.
LIN12 Logical Threats Intentional Nefarious DNS Spoofing Domain name server cache poisoning or spoofing to divert traffic to malicious servers.
LIN13 Logical Threats Intentional Nefarious Drive By Download A compromised website that has a user unintentionally download malware.
LIN14 Logical Threats Intentional Nefarious Elevated Privileges Roles or permissions with more than the normal level of access that if compromised could allow a person to exploit the systems for personal gain or illicit purpose.
LIN15 Logical Threats Intentional Nefarious Emission Attacks Spying on information through capturing emanations from operational equipment.
LIN16 Logical Threats Intentional Nefarious HTML script injection A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
LIN17 Logical Threats Intentional Nefarious Information Sharing The deliberate sharing of information with unauthorized entities; such as emailing sensitive information or file transfers.
LIN18 Logical Threats Intentional Nefarious IP Spoofing IP spoofing is a method of attack under which incorrect IP addresses are used to disguise the attackers’ identity to the system being attacked.
LIN19 Logical Threats Intentional Nefarious LDAP Injection to exploit web based applications that construct LDAP statements based on user input.
LIN20 Logical Threats Intentional Nefarious MAC Spoofing An attacker can change the Media Access Control (MAC) address of his device and send Ethernet frames in the network segment with a different ID, which can result in the possible circumvention of security mechanisms which are based solely on the use of a MAC address. 
LIN21 Logical Threats Intentional Nefarious Malicious Code Execution Injection of malicious code to extend the functionality of an application or information system without having to execute commands.
LIN22 Logical Threats Intentional Nefarious Man in the Middle A type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
LIN23 Logical Threats Intentional Nefarious Manipulation of an encryption module Modification of an encryption module in order to read secret keys, change keys, or change security parameters. 
LIN24 Logical Threats Intentional Nefarious Manipulation of data  The modification of data with the intent to cause loss of integrity.
LIN25 Logical Threats Intentional Nefarious Masquerade/Pretexting Lying or deceiving to pretend to be someone one is not.
LIN26 Logical Threats Intentional Nefarious Message Replay Threat in which a valid data transmission is maliciously or fraudulently repeated or delayed.
LIN27 Logical Threats Intentional Nefarious Misuse of audit tools The malicious use of network scanning tools to discover open and possibly unused ports, protocols, and services as well as vulnerabilities.
LIN28 Logical Threats Intentional Nefarious Network Intrusion Unauthorized access to network.
LIN29 Logical Threats Intentional Nefarious Network Sniffing Identifying information about a network to find security weaknesses.
LIN30 Logical Threats Intentional Nefarious Phishing An email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites. 
LIN31 Logical Threats Intentional Nefarious Quid Pro Quo  The attacker promises to provide a benefit or service in the return of vital access or details.
LIN32 Logical Threats Intentional Nefarious Ransomware Infection of a computer system or device by malware that restricts access to the system and information while demanding that the user pays a ransom to remove the restriction.
LIN33 Logical Threats Intentional Nefarious Remote Access Trojan (RAT) Remote administration capabilities allowing an attacker to control the victim's computer.
LIN34 Logical Threats Intentional Nefarious Repudiation of actions Intentional data manipulation to repudiate action.
LIN35 Logical Threats Intentional Nefarious Reverse Engineering (RE) The process by which a man-made object is deconstructed to reveal its design, architecture, or to extract knowledge from the object.
LIN36 Logical Threats Intentional Nefarious Rogue Access Points Unauthorized access via unmanaged access points to an organization's managed network.
LIN37 Logical Threats Intentional Nefarious Rogue certificates Use of rogue certificates that are valid certificates by a legitimate certificate authority which are untrustworthy.
LIN38 Logical Threats Intentional Nefarious Rogue security software Malicious software that misleads users about their computer's security in order to manipulate them.
LIN39 Logical Threats Intentional Nefarious Rootkits A set of software tools that enable an unauthorized user to gain control of a computer system without being detected.
LIN40 Logical Threats Intentional Nefarious Routing table manipulation Routing network packets to IP addresses not intended by sender via unauthorized manipulation of routing table.
LIN41 Logical Threats Intentional Nefarious Search Engine Poisoning Deliberate manipulation of search engine indexes to direct a user to malicious content on falsified sites. 
LIN42 Logical Threats Intentional Nefarious Server-Side Includes (SSI) Injection allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely.
LIN43 Logical Threats Intentional Nefarious SPAM Receiving unsolicited, undesired, or illegal email messages.
LIN44 Logical Threats Intentional Nefarious Spear phishing Phishing while tailoring the email to a specific audience.
LIN45 Logical Threats Intentional Nefarious Spyware Software that aims to gather information about a person or organization without their knowledge
LIN46 Logical Threats Intentional Nefarious SQL injection Takes advantage of the syntax of SQL to inject commands that can read or modify a database, or compromise the meaning of the original query
LIN47 Logical Threats Intentional Nefarious Trojan Any malicious computer program which misleads users of its true intent.
LIN48 Logical Threats Intentional Nefarious Unacceptable Use Not abiding by the rules defined as acceptable by the governing or owning entity.  
LIN49 Logical Threats Intentional Nefarious Unauthorized Access Attaining logical access without permission or approval.
LIN50 Logical Threats Intentional Nefarious Unauthorized encryption Use of an unauthorized (insecure) encryption module can lead to a false sense of protection the encryption was meant to protect.
LIN51 Logical Threats Intentional Nefarious Unauthorized software installation The intentional installation of unmanaged or unauthorized software.
LIN52 Logical Threats Intentional Nefarious Virus A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. 
LIN53 Logical Threats Intentional Nefarious Vishing A form of fraud using voice over internet protocol in which individuals are tricked into revealing unauthorized access to sensitive information.
LIN54 Logical Threats Intentional Nefarious War Driving The act of locating and possibly exploiting wireless networks; example access point mapping
LIN55 Logical Threats Intentional Nefarious Watering Holes Malware residing on the websites which a group often uses.
LIN56 Logical Threats Intentional Nefarious Web Spoofing Web spoofing occurs when an attacker forges an existing website (i.e., an attacker designs a fake website in such a way that it looks like the website of a known organization) The attacker attempts to draw users to the website with the objective of launching further attacks.
LIN57 Logical Threats Intentional Nefarious Whaling A form of spear phishing that targets senior management, executives, or prominent individuals in order to gain access to sensitive information. 
LIN58 Logical Threats Intentional Nefarious Wire Tapping The surreptitious electronic monitoring of Internet-based communications.
LIN59 Logical Threats Intentional Nefarious Worms Self-propagating standalone malicious software.
  Logical Threats Unintentional Failure   Unexpected system degradation or failure.
LUF1 Logical Threats Unintentional Failure 3rd Party Services Failure or disruption of third party services required for proper operation of information systems. Example: Resources Or Supporting systems
LUF2 Logical Threats Unintentional Failure Database Systems A database failure which may result in systems or applications not being available, which can have a significant impact to business operations resulting in financial loss or potential brand damage.
LUF3 Logical Threats Unintentional Failure Network Bandwidth When the bandwidth of the network is insufficient, the transmission rate in the network and eventually the availability in the network will be severely limited to the organization's users resulting in potential business disruptions.
LUF4 Logical Threats Unintentional Failure Network Routing The process of selecting a path for traffic in a network, or between or across multiple networks.
LUF5 Logical Threats Unintentional Failure Software\Code The failure of programs and other operations used by a computer
LUF6 Logical Threats Unintentional Failure Storage The retention of retrievable data on a computer or other electronic system; memory.
LUF7 Logical Threats Unintentional Failure Virtual Parts & Components The failure/malfunction of Virtual parts and components of IT hardware (e.g. motherboard, CPU, RAM, video card, hard drive, power supply).  Failure of Virtual IT.
  Logical Threats Unintentional Human   Human oriented errors or mistakes.
LUH1 Logical Threats Unintentional Human Data Sharing/Leakage Unintentional distribution of covered information to an unauthorized entity by an employee or employees
LUH2 Logical Threats Unintentional Human Improper Data Modification Changing of data and records (information) stored in devices and storage media.
LUH3 Logical Threats Unintentional Human Misclassifying of Data Inappropriate/ inadequate labeling or classifying of media
LUH4 Logical Threats Unintentional Human Mishandling of Passwords  Unintentional mishandling of passwords leading to leakage of covered information.
  Logical Threats Unintentional Misuse   Use in the wrong way or for the wrong purpose.
LUM1 Logical Threats Unintentional Misuse Certificate Integrity Loss Loss of integrity of certificates used for authorization services.
LUM2 Logical Threats Unintentional Misuse Compromised Credentials An account/id/username has been used or accessed by a non authorized means
LUM3 Logical Threats Unintentional Misuse Data Remanence storage media that retains stored information in a retrievable/intact manner longer than desired (failure to totally erase)
LUM4 Logical Threats Unintentional Misuse Data Storage Media Loss Loss of a data-storage medium.
LUM5 Logical Threats Unintentional Misuse Database Integrity Loss Loss of the integrity or consistency of a database may result in the data being incorrect or in a corrupt state and as a result may not be accessed or processed correctly. 
LUM6 Logical Threats Unintentional Misuse Elevated Privileges Roles or permissions that if misused could allow a person to exploit the  systems for his or her own gain or purpose.
LUM7 Logical Threats Unintentional Misuse Improperly Designing Information Systems Loss due to improper IT asset or business processes design (inadequate specifications of IT products, inadequate usability, insecure interfaces, policy/procedure flows, design errors, and changes).
LUM8 Logical Threats Unintentional Misuse Improperly Designing Network Infrastructure Depending on the requirements defined by the organization, a poorly planned network infrastructure may impact the confidentiality of data and the integrity of the network, which may lead to unauthorized disclosure of sensitive information to unauthorized users. 
LUM9 Logical Threats Unintentional Misuse Inappropriate/ inadequate key management Management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys.
LUM10 Logical Threats Unintentional Misuse Insufficiently or Inadequately following Release Procedures Inadequate testing on new systems may result in possible errors in the hardware or software or that they may remain undetected or may result in significant disruption to IT operations or systems.
LUM11 Logical Threats Unintentional Misuse Lack of or insufficient logging Lack of or insufficient logging may prevent the organization from determining whether security specifications were violated or whether attacks were attempted. Additionally, organizations may not be able to assess whether logged information can be used for error analysis in the event of damage and for determining the causes or for integrity tests
LUM12 Logical Threats Unintentional Misuse Loss due to Unauthorized Storage Loss of records by improper/unauthorized use of storage devices.
LUM13 Logical Threats Unintentional Misuse Misuse of audit tools The malicious use of network scanning tools to discover open and possibly unused ports, protocols, and services as well as vulnerabilities.
LUM14 Logical Threats Unintentional Misuse Mobile Device Applications data leakage Leaking covered information as a result of using mobile device applications.
LUM15 Logical Threats Unintentional Misuse System Configuration Errors Information leak / sharing / damage caused by misuse of information assets (lack of awareness of application features) or wrong / improper information assets configuration or management. 
LUM16 Logical Threats Unintentional Misuse Unacceptable Use A violation of the set of rules applied by senior management or the asset/resource owner of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used.
LUM17 Logical Threats Unintentional Misuse Unmanaged data  Does not allow for prescription of information protection.  
LUM18 Logical Threats Unintentional Misuse Web Applications data leakage Leakage of covered information  when using web applications.
  Organizational Threats Compliance Contractual   Entities or individuals seeking money or another specific performance rather than criminal sanctions due to non-compliance of a legal contract.
OCC1 Organizational Compliance Contractual Civil The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered.
  Organizational Threats Compliance Regulatory   Laws that govern the conduct of an entity or individual or organization and often include penalties for violations.
OCR1 Organizational Compliance Regulatory Administrative Specifically deals with such administrative agencies’ decision-making capabilities, as they carry out laws passed by state and federal legislatures. Differ from regular civil and criminal courts, and their authority is limited to making administrative decisions.
OCR2 Organizational Compliance Regulatory Civil The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered.
OCR3 Organizational Compliance Regulatory Criminal Of going to trial in a criminal court to either prosecute or defend oneself in a criminal matter.
  Organizational Threats Compliance Statutory    Law enacted by legislation to govern entities.
OCS1 Organizational Compliance Statutory  Civil The process of resolving a legal dispute between two or more parties (individuals or business entities) who seek compensation for damages incurred or specific performances that were not delivered.
OCS2 Organizational Compliance Statutory  Criminal Of going to trial in a criminal court to either prosecute or defend oneself in a criminal matter.
  Physical Threats Force majeure Climatological    A major adverse event resulting from natural processes of the climate/temperature (e.g. extreme temperature, drought)
PFC1 Physical Threats Force majeure Climatological Drought Prolonged period of abnormally low rainfall, and a shortage of water causing damage to assets.
  Physical Threats Force majeure Environmental   Local conditions relating to the natural world.
PFE1 Physical Threats Force majeure Environmental Humidity Water vapor in the air that can collect as condensation causing water damage to assets.
PFE2 Physical Threats Force majeure Environmental Contaminants The collection of tiny foreign particles that can have an adverse effect on assets.
PFE3 Physical Threats Force majeure Environmental Corrosion Chemical (i.e. gaseous or liquid) contaminants causing corrosion of assets.
  Physical Threats Force majeure Geological    A major adverse event resulting from natural processes of the Earth (e.g. earthquake)
PFG1 Physical Threats Force majeure Geological Avalanche A mass of snow, ice, and rocks falling rapidly down a mountainside damaging structures or assets in its path.
PFG2 Physical Threats Force majeure Geological Earthquake Sudden movement of a block of the Earth’s crust along a geological fault and associated ground shaking with the potential to damage assets.
PFG3 Physical Threats Force majeure Geological Landslide The sliding down of a mass of earth or rock from a mountain or cliff damaging structures or assets in its path.
PFG4 Physical Threats Force majeure Geological Sinkhole A large hole that suddenly appears in the ground when the surface of the ground is no longer supported causing damage to anything resting on that surface.
PFG5 Physical Threats Force majeure Geological Volcano Damage of asset caused by eruption and lava. 
PFG6 Physical Threats Force majeure Geological Wildfires An uncontrolled or non-prescribed combustion of burning vegetation in a natural setting with the potential to damage or disrupt.
  Physical Threats Force majeure Hydrological    A major adverse event resulting from natural processes of the water (e.g. flooding)
PFH1 Physical Threats Force majeure Hydrological Erosion Eroding of a surface by water causing damage to structures and assets on the surface.
PFH2 Physical Threats Force majeure Hydrological Flood An overflowing of a large amount of water beyond its normal confines, especially over what is normally dry land causing damage to assets in the flood path.
PFH3 Physical Threats Force majeure Hydrological Tsunami Damage from a long high sea wave caused by an underwater earthquake, landslide or other disturbance.
  Physical Threats Force majeure Meteorological    A major adverse event resulting from natural processes of the weather (e.g. tornado, hurricane)
PFM1 Physical Threats Force majeure Meteorological Blizzard Severe snowstorm with high winds and low visibility that can cause damage or accessibility issues. 
PFM2 Physical Threats Force majeure Meteorological Cyclonic Storms Rapid circulation of air around a low pressure center with destructive surrounding weather causing damage and accessibility issues.
PFM3 Physical Threats Force majeure Meteorological Hailstorm A storm that produces hail which reaches the surface causing damage.
PFM4 Physical Threats Force majeure Meteorological Heat Waves A prolonged period of abnormally hot weather that can impact people and electronic systems.
PFM5 Physical Threats Force majeure Meteorological Ice Storm A storm of freezing rain which can damage assets.
PFM6 Physical Threats Force majeure Meteorological Lightning Damage of asset caused by a lightning strike (electrical overvoltage).
  Physical Threats Intentional Conflict   Struggle resulting from incompatible or opposing needs, drives, wishes, or external or internal demands.
PIC1 Physical Threats Intentional Conflict Arson Intentionally setting fire to assets causing damage.
PIC2 Physical Threats Intentional Conflict Large Events Disruption leading to adverse operations (i.e., demonstrations, riots, strikes, and protests). 
PIC3 Physical Threats Intentional Conflict Sabotage Deliberately destroy, damage, or obstruct (something), especially for political or military advantage.
PIC4 Physical Threats Intentional Conflict Terrorism The use of intentionally indiscriminate violence as a means to create terror among masses of people; or fear to achieve a financial, political, religious or ideological aim through physical violence
PIC5 Physical Threats Intentional Conflict Vandalism Action involving deliberate destruction of or damage to property.
PIC6 Physical Threats Intentional Conflict Warfare Damage to assets, facilities, and employees due to physical war or armed conflict. (e.g. bombing)
  Physical Threats Intentional Misappropriation   Dishonestly or unfairly taking for one's own use.
PIM1 Physical Threats Intentional Misappropriation Embezzlement To appropriate something, such as property entrusted to one's care fraudulently to one's own use. A form of theft through fraud. 
PIM2 Physical Threats Intentional Misappropriation Extortion The act of obtaining money, property, or services from an organization through coercion.  A form of theft through use of force or intimidation to obtain compliance. 
PIM3 Physical Threats Intentional Misappropriation Fraud Deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. A form of theft through deception.
PIM4 Physical Threats Intentional Misappropriation Theft The act of physically stealing, taking and removing of the property with intent to deprive the rightful owner of it.
  Physical Threats Intentional Nefarious   Flagrant breaching of time-honored laws and traditions of conduct.
PIN1 Physical Threats Intentional Nefarious Abuse of Authority An employee that applies their authority incorrectly, or oversteps their level of authority.
PIN2 Physical Threats Intentional Nefarious Dumpster Diving Searching through discarded assets with the intent of personal gain and/or damage.
PIN3 Physical Threats Intentional Nefarious Information Sharing The deliberate sharing of non-public information with unauthorized entities; such as physically giving sensitive documents.  
PIN4 Physical Threats Intentional Nefarious Manipulation of Hardware Unauthorized changes of hardware devices such as removing memory or hard drive. 
PIN5 Physical Threats Intentional Nefarious Masquerade/Pretexting Lying or deceiving to pretend to be someone one is not.
PIN6 Physical Threats Intentional Nefarious Quid Pro Quo The attacker promises to provide a benefit or service in return for vital access or details.
PIN7 Physical Threats Intentional Nefarious Reverse Engineering (RE) The process by which a man-made object is deconstructed to reveal its design, architecture, or to extract knowledge from the object.
PIN8 Physical Threats Intentional Nefarious Rogue hardware Manipulation due to unauthorized hardware
PIN9 Physical Threats Intentional Nefarious Tailgating Unauthorized access by someone else's means of access at their time of entry.
PIN10 Physical Threats Intentional Nefarious Unacceptable Use Not abiding by the rules defined as acceptable by the governing or owning entity.  
PIN11 Physical Threats Intentional Nefarious Unauthorized Access Attaining physical access without permission or approval.
  Physical Threats Unintentional Failure   Unexpected system degradation or failure.
PUF1 Physical Threats Unintentional Failure 3rd Party Services Failure or disruption of third party services required for proper operation of information systems. Example: Supplies or resources
PUF2 Physical Threats Unintentional Failure Cable Failure of communications links due to problems with cable networks.  e.g. Copper & Fiber
PUF3 Physical Threats Unintentional Failure Cross-talk A special form of line impairment, caused by currents and voltages of signals transmitted over adjacent lines. This may result in the disclosure of sensitive information.
PUF4 Physical Threats Unintentional Failure Electric Power Power failure with the potential to cause asset damage or unavailability. 
PUF5 Physical Threats Unintentional Failure Equipment Fire Unexpected combustion of electronic equipment.
PUF6 Physical Threats Unintentional Failure Heating, ventilation, and air conditioning (HVAC) Failure to maintain atmospheric conditions for assets.
PUF7 Physical Threats Unintentional Failure IT hardware Failure or malfunction of parts and components of IT hardware (e.g. motherboard, CPU, RAM, video card, hard drive, power supply).  
PUF8 Physical Threats Unintentional Failure Plumbing Failure of facility plumbing including gas and water systems. 
PUF9 Physical Threats Unintentional Failure Voltage Fluctuations in the supply voltage can result in malfunctions and damage to IT systems. 
PUF10 Physical Threats Unintentional Failure Wireless Failure of communications links due to problems with wireless networks. e.g. radio/RF
  Physical Threats Unintentional Human   Human oriented errors or mistakes.
PUH1 Physical Threats Unintentional Human Absence of personnel Unavailability of key personnel, their competencies/skills, and knowledge.
PUH2 Physical Threats Unintentional Human Accidental Damage Sudden damage as a result of an unexpected and non-deliberate action.
PUH3 Physical Threats Unintentional Human Accidental fire Fire unintentionally set by a human.
PUH4 Physical Threats Unintentional Human Loss of IT assets Accidentally or unintentionally losing any physical IT Asset
PUH5 Physical Threats Unintentional Human Mishandling of Passwords  Unintentional mishandling of passwords leading to leakage of covered information.
PUH6 Physical Threats Unintentional Human Unintentional Information Sharing Accidental verbal disclosure of sensitive information by unauthorized individuals overhearing.
  Physical Threats Unintentional Misuse   Use in the wrong way or for the wrong purpose.
PUM1 Physical Threats Unintentional Misuse Configuration Errors Loss of information due to errors in installation or system configuration.
PUM2 Physical Threats Unintentional Misuse Improperly Designing Information Systems  Loss due to improper IT asset or business processes design (inadequate specifications of IT products, inadequate usability, insecure interfaces, policy/procedure flows, design errors, and changes).
PUM3 Physical Threats Unintentional Misuse Improperly Designing Network Infrastructure Depending on the requirements defined by the organization, a poorly planned network infrastructure may impact the confidentiality of data and the integrity of the network, which may lead to unauthorized disclosure of sensitive information to unauthorized users. 
PUM4 Physical Threats Unintentional Misuse Manipulation of Hardware Unauthorized changes of hardware devices such as removing memory or hard drive. 
PUM5 Physical Threats Unintentional Misuse Rogue hardware Manipulation due to unauthorized hardware
PUM6 Physical Threats Unintentional Misuse Tailgating Unauthorized access by convenience or courtesy.
PUM7 Physical Threats Unintentional Misuse Unacceptable Use A set of rules applied by senior management and/or the owner of the equipment, information, and etc. may be used and sets guidelines as to how it should be used.