Information security of bank cashless payments. Part 4 - Overview of Threat Modeling Standards

What is the study about

In the previous publication of the cycle, we formed the basic requirements for the information security system of non-cash payments and said that the specific content of the protective measures will depend on the threat model.

To create a qualitative model of threats, it is necessary to take into account existing developments and practices on this issue.

In this article, we will conduct an express review of about 40 sources that describe the processes of threat modeling and information security risk management. Consider both GOSTs and documents of Russian regulators (FSTEC of Russia, the FSB of Russia, the Central Bank of the Russian Federation), and international practices.

Brief description of the threat modeling process

The end result of the threat modeling process should be a document - a threat model containing a list of significant (relevant) threats to information security for the protected object.

When modeling threats, the following are usually considered as protected objects:

• Information Systems;
• automated systems;
• objects of informatization;
• business processes.

By and large, the threat model does not have to be presented in the form of a list. It can be a tree (graph), a mind map or some other form of recording that allows specialists to conveniently work with it.

The specific composition of threats will depend on the properties of the protected object and the business processes implemented with its help. Accordingly, one of the initial data for modeling will be a description of the protected object.

If a certain hypothetical object is considered, then a typical (basic) threat model is formed . If a real object is considered, then a private threat model is formed .

When modeling threats, in addition to describing the protected object, specialists must have knowledge about the threats themselves.

In practice, this knowledge can be gleaned from:

• researchers' reports on detected vulnerabilities that can be used to implement threats;
• computer forensic reports on investigations of real computer attacks;
• reports of companies specializing in the field of information security, devoted to the analysis of the current situation in the field of computer security;
• media publications on computer crimes;
• data banks or threat catalogs that list threats grouped by one or another principle.

The initial stage of the modeling process will be the identification of threats , that is, the selection of the largest possible list of threats that can even theoretically affect the protected object.

In the implementation of this stage, nature plays a trick on information security specialists. The problem is that human memory is associative, and we cannot take and extract from it all the contents, for example, recall all possible threats.

In order to compile a list of all possible threats, various tricks are used that allow specialists to ask themselves specific questions or use the principles by which threats will be extracted from memory and recorded. Examples of such techniques include threat classifiers ,threat trees or patterns of typical computer attacks . We will talk about these methods below.

After forming a list of all possible threats, they begin to filter it, so that ultimately only significant (relevant) threats to the organization remain. The filtering process, as a rule, is carried out in several iterations, at each of which threats are rejected for one or another sign.

Begin with a sign of the availability of opportunities (resources) for violators to implement threats. To determine it, first form a special document - the model of the violatorin which they identify probable violators and determine their capabilities. Then, the previously received threats are correlated with the model of the intruder and discard all threats, the implementation of which goes beyond the capabilities of potential violators.

The next sign for filtering threats is a sign of insignificance of risk . At first, the organization determines the level of risk that it considers insignificant. Then it assesses the risk from the implementation of each threat and, if it is less than or equal to a given level, the threat is discarded.

Thus, after filtering is completed, a threat model will be obtained that contains significant (relevant) threats to information security.

Threat identification technique - “threat classifiers”

Most threats to information security can be grouped (classified) by one or another attribute. The resulting classification schemes can be used by specialists as questionnaires for their memory, from which they will extract threats.

Take, for example, the task of modeling threats to the security of personal data (PD) processed in personal data information systems (ISPD).

The FSTEC of Russia in 2008 issued a methodological document for this purpose - the Basic model of PD threats. This document contains many classification schemes, of which, as an example, we consider the only one - the classification of threats by “source of threat”.



A specialist, building a private threat model, can use this scheme and ask himself the question: “What threats to personal data will come from the actions of an internal intruder?” - and record the threat data. Then ask the following question: “And how can an external intruder attack personal data?” etc. A similar series of questions allows a specialist to describe all the threats he knows, without forgetting about anything.

Threat identification technique - “threat tree”

Using this technique, an information security specialist puts himself in the shoes of the intruder and begins to think how he would attack the protected object.

At the beginning, a high-level threat is formulated, which will be the root of the future tree.

Then the specialist begins to decompose this threat into low-level ones, the implementation of which can lead to the implementation of the threat in question. To do this, he may ask questions, how or due to what the threat under investigation can be realized.

The resulting threats are affiliated with the threat under consideration and are recorded in the tree as its descendants. Then they, in turn, are also decomposed, and so on until the required level of detail is achieved.

A similar approach has long been known in the art and is used to build fault trees, the formation of which is standardized in GOST R 51901.13-2005 (IEC 61025: 1990) Risk management. Fault tree analysis .

To illustrate the use of “threat trees”, we consider the formation of a threat model for an informatization object, which is an isolated computer that is not connected to a computer network. Suppose that important information is being processed at this facility, the security of which is required to be ensured.

We define the following as a high-level threat: violation of the security properties of the protected information.

Common security features are confidentiality, integrity, accessibility. Thus, child threats will be:

• violation of confidentiality of protected data;
• violation of the integrity of protected data;
• violation of the availability of protected data.

We decompose the threat of "violation of confidentiality of protected data."
Let us ask ourselves the question: “How can this threat be realized?” - and as an answer we write down the following options:

• disclosure of protected data by persons authorized to process it;
• unauthorized access to protected data by unauthorized persons;
• leakage of protected data through technical channels.

Similarly, we will act with the threat of "violation of the integrity of the protected data." It can be decomposed into:

• damage to protected data due to actions of persons authorized to process it;
• damage to protected data due to malicious code;
• damage to protected data due to failures and malfunctions of the computer on which they are processed.

The decomposition of the threat “violation of the availability of protected data” can be represented by the following threats:

• destruction of protected data due to exposure to malicious code (crypto-lockers);
• destruction of protected data due to failure of the hard drive of the computer on which it is stored;
• violation of the operating conditions of the object of informatization, making it impossible for staff to work with it.

As a result, we get the following tree:



As we can see, even such a primitive model that we just built is rather cumbersome when it is graphically displayed. Therefore, “threat trees” are mainly documented in the form of hierarchical lists.

Threat identification technique “typical attack patterns”

The basis of this technique is the idea that, when carrying out computer attacks, attackers each time perform a certain similar sequence of actions, which can be called a typical attack pattern.

One of the most well-known patterns of computer attacks at the moment is the kill chain template described by Lockheed Martin Corporation , which includes 7 stages:



Stage 1 . Reconnaissance - collecting data about the attacked object.
Stage 2 . Weaponization - the development of tools (malicious code) for an attack.
Stage 3 . Delivery - delivery of malicious code to the attacked object.
Stage 4. Penetration (Exploitation) - the use of any vulnerability of the node of the attacked object to run malicious code.
Stage 5 . Installation — installation of a hidden remote access system on a compromised node.
Stage 6 . Gaining control (C2) - the organization of a remote access channel for attackers to a compromised node.
Stage 7 . Actions - actions for which the attack was carried out.

The research organization MITRE , slightly changing the names of the stages, called this template - Cyber ​​Attack Lifecycle .



In addition, MITRE expanded the description of the various stages and formed a matrix of typical tactics of attackers at each stage. This matrix is ​​called ATT & CK . (clickable) Although the above matrix is ​​not universal, it still allows you to describe the actions taken by attackers in a large number of real attacks. From the point of view of threat modeling, a typical attack pattern can be considered as a classifier of threats, and a matrix of typical tactics can be considered as a significant fragment of a threat model. Only the last stage of the template will require clarification - “Actions”, then, for the sake of which the attack was carried out, well, the stages themselves can be supplemented by tactics not taken into account.

Documents of the FSTEC of Russia on the modeling of threats to personal data of 2008.

1. The basic model of threats PDN FSTEC, 2008
2. Methodology for determining the actual threats to PD 2008

Both documents are methodological, that is, non-binding, but disclosing how, in the opinion of the FSTEC of Russia, the task of modeling security threats to PD should be solved.

The basic model of PDN threats of FSTEC, 2008 contains unified initial data on security threats of PDNs processed in ISPD related:

• with the interception (removal) of PD on technical channels with the aim of copying or unlawful distribution;
• with unauthorized, including random, access to ISPDn for the purpose of modifying, copying, unlawful distribution of PDN or destructive effects on ISPD elements and PD processed in them using software and hardware-software tools for the purpose of destroying or blocking PD.

Defines a formal description of threats:

• leakage threat through technical channels: = <source of threat>, <environment for the distribution of personal data and effects / informative signal receiver / transmitter of the signal>, <media data>
• NSD threat: = <source of the threat>, <vulnerability of software or hardware>, <method of implementing the threat>, <target of impact>, <unauthorized access>.
• ISD threat in ISDN: = <source of threat>, <ISDN vulnerability>, <method for implementing the threat>, <target (program, protocol, data, etc.)>, <destructive action>.
• Denial of service threat: = <threat source>, <ISPD vulnerability>, <threat implementation method>, <impact object (PD carrier)>, <immediate threat realization result (buffer overflow, processing procedure blocking, processing loop) etc.)>;
• PMV threat in ISDN: = <class of the malicious program (with the environment specified)>, <source of the threat (malware carrier)>, <infection method>, <target of the attack (boot sector, file, etc.)>, < description of possible destructive actions>, <additional information about the threat (residency, propagation speed, polymorphism, etc.)>.

In the formal description of threats, the following abbreviations were used:
ISPDn - personal data information system.
NSD - unauthorized access.
PMV - software and mathematical impact (the introduction of malware).

The document gives classification signs of threats and vulnerabilities, malware. A small catalog of typical threats related to leaks through technical channels and unauthorized access is provided. A typical model of violators is given and their capabilities are determined.

Methodology for determining the actual threats to PD 2008defines an algorithm by which threats can be filtered based on the insignificance of risk. To this end, the methodology presents methods for determining the feasibility of implementing a threat (probability), an indicator of the danger of a threat (damage), and the rules for classifying a security threat as not relevant (having a slight risk).

Documents of the FSTEC of Russia on threat modeling in state information systems (GIS) and the threat database of the FSTEC of Russia.

1. Methodical document of FSTEC of Russia. Information security measures in state information systems (approved by the FSTEC of Russia on February 11, 2014)
2. Draft methodological document of the FSTEC of Russia. Methodology for identifying threats to information security in information systems
3. The threat database of the FSTEC of Russia (bdu.fstec.ru) .

Methodical document of FSTEC of Russia. Information security measures in state information systems (approved by the FSTEC of Russia on February 11, 2014) . Threats to information security (UBI) are determined by assessing the capabilities (potential, equipment and motivation) of external and internal violators, analyzing possible vulnerabilities in the information system, possible ways to implement threats to information security and the consequences of violating information security properties (confidentiality, integrity, accessibility).

Formal description of information security threat:
UBI: = [intruder’s capabilities; information system vulnerabilities; a way to implement the threat; consequences of the implementation of the threat].

Opportunities (potential) of violators are divided into three groups:

1. Intruder with basic potential.
2. Base Intruder Intruder
3. High Potential Intruder

An explanation of the capabilities of violators is given in the draft methodological document of the FSTEC of Russia. Methodology for identifying threats to information security in information systems .

Description and classification of vulnerabilities occurs using national standards:

• GOST R 56545-2015 Information security. Vulnerabilities in information systems. Vulnerability Description Rules
• GOST R 56546-2015 Information security. Vulnerabilities in information systems. Classification of vulnerabilities in information systems

Vulnerabilities themselves, methods of implementing threats and possible damage are listed in the database of these threats of the FSTEC of Russia .

Guidelines of the FSB of Russia on modeling threats to the security of personal data

1. “Methodological recommendations for the development of regulatory legal acts that define threats to the security of personal data relevant to the processing of personal data in personal data information systems operated in the course of the implementation of relevant activities” (approved by the Federal Security Service of Russia on March 31, 2015 N 149/7/2 / 6- 432) .

Methodical recommendations determine the main threats to PD, which can be neutralized only with the help of cryptographic information protection. These include:

1. the transfer of personal data through communication channels that are not protected from interception by the violator of the information transmitted through them or from unauthorized influences on this information (for example, when transmitting personal data through public information and telecommunication networks);
2. storage of personal data on information carriers, unauthorized access to which by the violator cannot be excluded using non-cryptographic methods and techniques.

The document also defines the classification of violators' capabilities:

N	Generalized attack source capabilities
1	The ability to independently create methods of attack, prepare and conduct attacks only outside the controlled area
2	The ability to independently create the methods of attacks, prepare and conduct attacks within the controlled zone, but without physical access to the hardware (hereinafter referred to as AS), which implements CPS and the environment of their functioning
3	The ability to independently create the methods of attacks, prepare and conduct attacks within the controlled zone with physical access to the speakers, which implemented cryptographic information protection systems and their functioning environment
4	The ability to attract specialists with experience in the development and analysis of CIPF (including specialists in the field of analysis of linear transmission signals and signals of secondary electromagnetic radiation and crosstalk interference)
5	The ability to attract specialists with experience in the development and analysis of cryptographic information protection systems (including specialists in the field of using undocumented capabilities of application software to implement attacks)
6	The ability to attract specialists with experience in the development and analysis of CIPF (including specialists in the field of using for the implementation of attacks the undocumented capabilities of the hardware and software components of the CIPF operating environment)

Bank of Russia Documents on Information Security Risks

1. Letter of the Central Bank of the Russian Federation dated December 7, 2007 No. 197-T “On Risks in Remote Banking”
2. Bank of Russia Ordinance No. 3889-U, dated December 10, 2015, “On Identifying Threats to the Security of Personal Data Actual in Processing Personal Data in Personal Data Information Systems”
3. Recommendations in the field of standardization of the Bank of Russia RS BR IBBS-2.2-2009. "Methodology for assessing the risks of information security breaches"

The letter of the Central Bank of the Russian Federation dated December 7, 2007 No. 197-T “On Risks in Remote Banking Services” contains a list of typical threats to remote banking systems and their customers, including:

• DoS / DDoS attacks against RBS servers.
• Theft of personal information of bank customers through phishing via e-mail.
• Theft of payment card details using skimming attacks and fake ATMs.
• Theft of customer access details to remote banking systems using social engineering and telephone fraud.

Bank of Russia Ordinance No. 3889-U, dated December 10, 2015, “On the identification of security threats to personal data relevant to the processing of personal data in personal data information systems” contains an industry-specific list of security threats to personal data, including the following threats:

• the threat of unauthorized access to personal data by persons authorized in the personal data information system, including during the creation, operation, maintenance and (or) repair, modernization, decommissioning of the personal data information system;
• the threat of exposure to malicious code external to the personal data information system;
• the threat of using social engineering methods to persons with authority in the personal data information system;
• threat of unauthorized access to alienated personal data carriers;
• threat of loss (loss) of personal data carriers, including portable personal computers of users of the personal data information system;
• the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities in the organization of personal data protection;
• the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities in the software of the personal data information system;
• the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities in ensuring the protection of network interaction and data transmission channels;
• the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities in protecting the computer networks of the personal data information system;
• the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities caused by non-compliance with the requirements for the operation of cryptographic information protection means.

Recommendations in the field of standardization of the Bank of Russia RS BR IBBS-2.2-2009. “Methodology for assessing the risks of infringement of information security” The

document proposes the following risk assessment
procedures : Procedure 1. Determining the list of types of information assets for which the procedures for assessing the risks of infringement of information security are performed (hereinafter - the scope of assessing the risks of infringement of information security).
Procedure 2. Determining the list of types of environmental objects corresponding to each of the types of information assets in the area of ​​IS violation risk assessment.
Procedure 3. Determining the sources of threats for each of the types of environmental objects defined as part of the procedure 2.
Procedure 4.Definition of ISS of information security threats in relation to the types of environmental objects defined in the framework of procedure 2.3.
Procedure 5. Determination of STF IS violation for the types of information assets of the area of ​​risk assessment of IS violation.
Procedure 6. Risk assessment of information security breach.

The degree of risk tolerance is proposed to be assessed using a “classic” table of risk assessment, taking into account the probability and possible damage.


Here SVR is the degree to which the threat can be realized, STP is the degree of severity of the consequences. The

recommendations also contain a small catalog of threats divided into classes.
Class 1. Sources of information security threats associated with adverse events of a natural, technogenic and social nature.
Class 2.Sources of IS threats related to the activities of terrorists and persons committing crimes and offenses
Class 3. Sources of IS threats related to the activities of suppliers / providers / partners
Class 4. Sources of IS threats related to failures, failures, destruction / damage of software and hardware
Class 5. Sources of IS threats related to the activities of internal IS violators.
Class 6. Sources of IS threats related to the activities of external IS violators.
Class 7. Sources of IS threats related to non-compliance supervisory and regulatory authorities, applicable law.

National standards of the Russian Federation (GOST)

1. ГОСТ Р 51275-2006. Защита информации. Объект информатизации. Факторы, воздействующие на информацию. Общие положения
2. ГОСТ Р ИСО/ТО 13569-2007. Финансовые услуги. Рекомендации по информационной безопасности
3. ГОСТ Р 56545-2015 Защита информации. Уязвимости информационных систем. Правила описания уязвимостей
4. ГОСТ Р 56546-2015 Защита информации. Уязвимости информационных систем. Классификация уязвимостей информационных систем
5. ГОСТ Р 53113.1-2008 Информационная технология (ИТ). Защита информационных технологий и автоматизированных систем от угроз информационной безопасности, реализуемых с использованием скрытых каналов. Часть 1. Общие положения
6. ГОСТ Р 52448-2005 Защита информации. Обеспечение безопасности сетей электросвязи. Общие положения
7. GOST R ISO / IEC 27005-2010. Information technology. Security methods and tools. Information Security Risk Management

GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General provisions
This GOST is ideologically related to GOST R 50922-2006 Information Security. The main terms and definitions , the methodological document "Special requirements and recommendations for the protection of confidential information (STR-K)" (CPD) and existing documents for the certification of objects of informatization. The document contains a classification of factors affecting information that can be interpreted as a threat to information security.

GOST R ISO / TO 13569-2007. Financial services. Information Security Recommendations
Appendix “C” of this standard contains an example of an assessment of information security risks for a financial institution. To this end, it is proposed to analyze among the main objects of harmful influences, including personnel, equipment, business applications, communication systems, software and operating systems. Damage from risks is assessed in the form of financial losses, reduced productivity, damage to reputation and as the resulting damage.



GOST R 56545-2015 Information security. Vulnerabilities in information systems. Vulnerability Description Rules and GOST R 56546-2015 Information Protection. Vulnerabilities in information systems. The classification of vulnerabilities in information systems serves to describe the vulnerabilities of information systems. Standards apply in conjunction with the fundamentalGOST R 50922-2006 Information Security. Key terms and definitions .

The standards provide a classification of vulnerabilities in information systems containing three classification attributes:

1. by area of ​​origin;
2. by types of IP deficiencies;
3. at the place of occurrence (manifestation).

It is proposed to describe the vulnerabilities themselves in the form of a passport containing the following sections:

1. The name of the vulnerability.
2. Vulnerability ID
3. Identifiers of other vulnerability description systems.
4. A brief description of the vulnerability.
5. Vulnerability class.
6. Name of software and its version.
7. Service (port), which (which) is used for the functioning of the software.
8. Software programming language.
9. Type of flaw.
10. Place of occurrence (manifestation) of vulnerability.
11. Flaw type identifier.
12. Name of the operating system and type of hardware platform.
13. Vulnerability Detection Date.
14. The author who published information about the identified vulnerability.
15. Method (rule) of vulnerability detection.

As the language of the rules for detecting vulnerabilities, the standards propose using OVAL .

GOST R 53113.1-2008 Information Technology (IT). Protection of information technologies and automated systems from threats to information security implemented using covert channels. Part 1. General provisions

The standard describes threats associated with covert channels, which are defined as communication channels that can be used to violate security policies that are not provided by the developer of information technology systems and automated systems.



GOST R 52448-2005 Information Security. Securing telecommunication networks. General Provisions
This document is a methodological document for telecom operators, contains a general scheme of actions for protecting communication networks:



It is proposed to use GOST R 51275-2006 as the basis for the threat modeling process . Protection of information. The object of informatization. Factors affecting information. General provisions . The standard provides a model of alleged violators.

A distinctive feature of this document is that in addition to the classical properties of information security, such as confidentiality, integrity, accessibility, the standard also considers accountability.

Under accountability, the standard defines a property that provides unambiguous tracking of actions in the network of any object. Violation of accountability - denial of actions on the network (for example, participation in a perfect communication session) or forgery (for example, the creation of information and claims that were allegedly received from another object or sent to another object).

GOST R ISO / IEC 27005-2010. Information technology. Security methods and tools. Information Security Risk Management

This standard is part of a group of information security standards, often referred to as ISO 27K . The document focuses on management procedures for managing information security risks.



Appendix C provides examples of typical threats, while Appendix D presents typical vulnerabilities.

NIST Special Publications

1. NIST SP 800-30. Guide for Conducting Risk Assessments
2. NIST SP 800-39. Managing Information Security Risk

NIST SP 800-30. Guide for Conducting Risk Assessments The
document is focused on risk management issues at the organization’s management level.


NIST SP 800-39. Managing Information Security Risk This
document describes an enterprise-level information security risk management methodology. The main goal of the methodology is to connect the information security system with the mission and goals of the organization

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

OCTAVE is an information security risk management methodology whose main purpose is to ensure that the goals of information protection processes are consistent with the goals and objectives of the organization. The methodology consists of 8 main steps:

1. Identification of risk measurement criteria (Establish Risk Measurement Criteria).
2. Development of profiles of information assets (Develop an Information Asset Profile).
3. Identification of places of storage / processing / transfer of information assets (Identify Information Asset Containers).
4. Identification of groups of high-level threats to information security (Identify Areas of Concern)
5. Identify Threat Scenarios
6. Identification of information security risks (Identify Risks)
7. Information Security Risk Analysis (Analyze Risks)
8. Select Mitigation Approach

To identify threats in step 5, the threat tree methodology is used.

Trike Methodology

Trike is based on a risk-based approach to building information security and is designed to conduct information security audits and build threat models.

Distinctive features of this methodology are:

• its initial focus on the use of specialized software for building threat models;
• the use of “attack trees” to describe security threats;
• use of typical attack libraries.

Microsoft Threat Modeling Techniques and Publications

Microsoft uses the Security Development Lifecycle methodology to develop secure software . This methodology is an extension to the "classic" - cascade model of software development ("waterfall") , which introduces additional steps related to security. At the “Design” stage, it is proposed to model threats .



It is proposed to use several approaches to identify threats:

• STRIDE methodology;
• use of threat classifiers;
• Using threat trees and attack patterns.

The STRIDE methodology is a classification scheme for describing attacks, depending on the type of exploits used to implement them or the motivation of the attacker.

STRIDE is an acronym from the first letters:

• S poofing Identity - "substitution of personality." The intruder pretends to be a legitimate user (for example, stole a username / password) and performs malicious actions on his behalf.
• T ampering with Data - "fake data." An intruder falsifies data that is accessible to him when running a Web application. These can be cookies, HTTP request elements, etc.
• R epudiation - "refusal of transactions." An intruder can refuse transactions when a sufficient audit of user actions is not conducted on the side of the Web application.
• I nformation Disclosure - "disclosure of sensitive information." The violator tries to disclose the personal data of other users, authentication information, etc.
• D enial of Service - denial of service.
• E levation of Privilege - “privilege escalation”.

After identifying the threats, the SDL offers to evaluate the risks they generate. For this, the DREAD technique can be used .

The name of the DREAD methodology is also an acronym for the first letters of the categories by which risk is assessed:

• D amage Potential - what damage will be done if the threat is realized?
• R eproducibility - how easy is it to implement a threat?
• E xploitability - what is required in order to carry out an attack?
• A ffected Users - how many users can suffer from an attack?
• D iscoverability - how simple can an attacker detect a threat?

The risk itself is evaluated by the formula:

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5 ,

where the value of the constituent elements varies from 0 to 10. For example, the Damage Potential value can be defined as:

• 0 = no damage;
• 5 = damage will be only to some part of the system or to a limited amount of data;
• 10 = the whole system will suffer or all data will be destroyed.

Threat Catalogs

1. OWASP Top10
   Describes the main threats to Web applications.
   
2. OWASP Testing project
   Содержит рекомендации по тестированию безопасности Web-приложений.
3. WASC Threat Classification
   Еще один источник, содержащий описание типовых атак на Web-приложения.
   
4. Bluetooth Threat Taxonomy
   Содержит данные по уязвимостям протокола Bluetooth.
   
5. ENISA Threat Landscape
   Ежегодный отчет агентства по кибербезопасности Евросоюза, содержащий сведения об основных угрозах.
   
6. ENISA Threat Taxonomy
   Еще один документ агентства по кибербезопасности ЕС, содержащий классификацию и описание основных угроз информационной безопасности.
7. BSI Threat catalogue
   Каталог федерального агентства по информационной безопасности Германии, содержащий описание преимущественно угроз физического уровня (пожаров, краж, ионизирующей радиации и т. д.).
   
8. Open Threat Taxonomy
   Проект с открытым исходным кодом, включающий в себя ПО и различные классификационные схемы в JSON формате, используемые для обмена данными об угрозах информационной безопасности.
   
9. US DoD Comprehensive Military Unmanned Aerial Vehicle smart device ground control station threat model
   Документ Министерства обороны США, содержащий модель угроз наземным станциям управления беспилотными летательными аппаратами.
   
10. VoIP Security and Privacy Threat Taxonomy
    Документ, содержащий описание угроз VoIP.
    
11. Mobile Threat Catalogue
    Информационный ресурс NIST, включающий в себя обширный каталог угроз, связанных с применением мобильных устройств и технологий.
12. ATT&CK
    Матрица техник и тактик, применяемых реальными нарушителями при взломах информационных систем.
    
13. Рекомендации в области стандартизации Банка России РС БР ИББС-2.2-2009. «Методика оценки рисков нарушения информационной безопасности»
    Документ Банка России по управлению рисками, содержащий в приложении описание типовых угроз.
    
14. Банк данных угроз безопасности информации ФСТЭК России
    Основной каталог угроз и уязвимостей ФСТЭК России. Используется для моделирования угроз в государственных и муниципальных информационных системах.
    
15. GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General Provisions of the
    Standard describing typical threats to information security. Much attention is paid to threats associated with information leaks through technical channels.
    
16. Basic model of threats PDN FSTEC, 2008. A
    document of the FSTEC of Russia containing classification schemes for typical threats to the security of personal data, as well as a description of a small number of the most probable threats.