Security Threat Landscape Hierarchy Visual Representation
Driven by digitalization, information sharing has been experiencing exponential growth in the past few years. In turn, one’s eagerness to better prepare and protect depends on the ability to change the attitude from “need to know” to “need to share”. Digital technologies, most notably Artificial Intelligence (AI), have shaped decision-making, everyday communication, life, and work, hence highlighting the importance of maintaining the online economy and ensuring its prosperity.
The threat landscape is continuously changing and evolving to address the evolution of the IT environment from software to IoT, via services and cloud computing. Providing an up-to-date overview of the current state of the art on threats and cybersecurity is critical to provide a picture of the status of cybersecurity and evaluate new trends in cybersecurity focusing on emerging threats and evolving attacks. CONCORDIA cybersecurity threat analysis is inspired by the different research domains and considers the following domains: (i) network-centric, (ii) system/software-centric, (iii) application/data-centric, (iv) user-centric, v) device-centric security.
Network-centric security refers to the transportation of data as well as to the networking and the security issues associated with it. Topics range from DDoS protection, Software-Defined Networking (SDN), ad hoc networks to encrypted traffic analysis, 5G. System-centric security centers around cloud and virtualized environments, while IoT/Device-centric security centers around modern systems such as the Internet of Things (IoT)/edge and corresponding devices, both targeting topics such as middleware, secure OS, and security by design, Malware analysis, systems security validation, detection of zero-days, and recognizing service dependencies are specifically addressed. Data-centric security addresses issues concerned with management, analysis, protection, and visualization of data at all layers of a given system/environment, focusing on modern Big Data environments. Application-centric security addresses issues related to the security of applications, like modern services and their management. User-centric security addresses issues like privacy, social networks, fake news and identity management. The above domains apply to any environments ranging from traditional distributed IT systems to devices that produce raw data, such as embedded systems, sensors, IoT devices, drones, and the associated security-centric issues, such as IoT security, via service-based systems, such as, service-oriented architecture, cloud, microservices.
The cybersecurity threat reporting below follows well-known standards in the field from the main standardization bodies such as ISO and NIST. Our methodology to identify threats follows the definitions in the last version of ISO 27001 presented in 2013. We consider a classification based on the identification of assets and threats. Please notice that the newer revision of ISO 27001 presented in 2013 allows identifying risks using any methodology. In addition, in the process of developing on evolving threats and emerging attacks, our work will base on two additional ISO standards that have a strong connection with ISO/IEC 27001:2013: ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls and ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management.
To improve the rigorousness and soundness of our approach, we also consider relevant NIST standards such as: i) NIST SP 800-53 Rev. 4 NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, ii) NIST SPECIAL PUBLICATION 1800-5 IT Asset Management, enhancing visibility for security analysts, which leads to better asset utilization and security.
Threat reporting is usually based on three pillars as follows.
For instance, a digital repository can be considered as an asset. Examples of relevant threats and vulnerabilities are then listed as follows.
As another example, an asset can be a human resource, for example, a system administrator.
In the following of this section, for each of the 6 domains of interest, we analyze assets and threats, reporting on some recent attacks. For the sake of readability, we will not discuss specific vulnerabilities at the basis of identified attacks. Also, to make our discussion consistent, where possible, we will refer to the threat group/threat nomenclature proposed by the ENISA threat taxonomy.
This section attempts to provide a cybersecurity threat map that summarizes the mapping between identified threat groups, threats, and the domains network, system, device/IoT, data, application, user, which will be then detailed in the following sections. The given overview provides such a mapping and specifies the threat numbering format. As an example, threat T2 “Denial of Service” in threat group TG4 “Nefarious Activity/Abuse” of domain D1 “Device/IoT” is referenced in the text as T1.4.2.
Cybersecurity threat map for Device/IoT-Centric Security can be summarized as follows:
Cybersecurity threat map for Network-Centric Security can be summarized as follows:
Cybersecurity threat map for System-Centric Security can be summarized as follows:
Cybersecurity threat map for Data-Centric Security can be summarized as follows:
Cybersecurity threat map for Application-Centric Security can be summarized as follows:
Cybersecurity threat map for User-Centric Security can be summarized as follows:
From the given overview, it emerges that threats groups are quite horizontal to the different domains. Some differences still exist due to the peculiarities of each area. Also, threats in the area of data and users are cross-domain due to the fact that often data represent the target of an attack, while users are often seen both as a target and as a threat agent.
 ISO/IEC 27001 Edition 2013 https://www.iso.org/standard/54534.html
 ISO/IEC 27001 Edition 2005 https://www.iso.org/standard/42103.html
 Guide for Conducting Risk Assessments, NIST SP 800-30, September 2012 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
 See https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/at_download/file