In our previous post, we discussed the process of risk assessment assisted by Microsoft Threat Analysis and Modeling (MS TAM). That post was purely theoretical; here we follow up with a sample risk assessment of an IT service: an Exchange 2007 infrastructure.
The assessment is based on the prototype design of a Microsoft Exchange infrastructure, with each Exchange role treated as a separate component/server. An Active Directory domain controller is added to the infrastructure, since Exchange is integrated with it. We also added a Mailbox Database role, just as an example that the roles can be dissected to whatever depth we need.
The analysis contains the following components. Add them to the appropriate container within MS TAM:
- Exchange Admins - all administrators of the infrastructure
- Exchange Users - users of all Exchange services
- Exchange OWA Users - users of Online Web Access (webmail users)
- External mail users - users of other mail servers on the internet
- Mailbox Server with Mailbox Server Service Role
- Hub Transport Server with Hub Transport Service Role
- Edge Transport Server with Edge Transport Service Role
- Client Access Server with Client Access Service Role
- Mailbox Database with Mailbox Database Service Role
- AD Domain Controller with Domain Controller Service Role
- External Mail Servers
The data processed within this infrastructure is the following:
- E-mail message - the main target, the incoming and outgoing e-mail messages.
- Exchange address - your e-mail address
- Exchange Configuration - the configuration of all Exchange roles, stored within the Domain Controller
- Login Credentials - username/password
We have limited the use cases to the most basic and essential activities within this infrastructure. For each use case you will need to include the necessary calls to make it functional:
- Receive External E-mail
- Read E-mail via POP3/IMAP/OWA
- Send E-mail To Exchange User
- Exchange Admins Manage Exchange Accounts
- Send E-mail to External Address
- Component utilizes Power Supply - The component is susceptible to power failures
- Component utilizes Communication Links - The component depends on functional LAN/WAN links to perform its function
- Component utilizes Disk Capacity - The component stores data and relies on disk storage, so it can lose data if the disk fails or its capacity is filled.
- Component is a Physical Object - The component is a physical object and can be physically accessed, stolen or tampered with, or it can ultimately fail
After setting up these elements, click Tools->Generate Threats. Choose to generate threats based on all of your calls, and use Intelligent Append.
The resulting set of risks can be confusing, since the entries are autogenerated and have generic names. You will need to read through them and possibly merge two or more into one, since they may address the same risk.
After you have finished the filtering, you need to define the Probability and Impact of each risk, and select the Risk Response as well as countermeasures from the offered set. This task is very time consuming and often difficult; you should always enlist a subject matter expert, who can give you valuable input.
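To make the generate-then-merge step concrete, here is an added Python sketch (not MS TAM's own logic or file format) that models two of the use cases above as sequences of calls, raises one generic threat per call and category, merges the entries that address the same component, data and category, and ranks the merged risks by the probability and impact a subject matter expert assigns. The call sequences, the three threat categories and the ratings are assumptions for illustration.

```python
# Constructed subset of the Exchange 2007 model from this post, expressed as
# use cases made of calls (caller, callee, data). Added illustration only:
# not MS TAM's file format and not its real threat-generation logic.
CALLS = {
    "Receive External E-mail": [
        ("External Mail Servers", "Edge Transport Server", "E-mail message"),
        ("Edge Transport Server", "Hub Transport Server", "E-mail message"),
        ("Hub Transport Server", "Mailbox Server", "E-mail message"),
        ("Mailbox Server", "Mailbox Database", "E-mail message"),
    ],
    "Send E-mail To Exchange User": [
        ("Exchange Users", "Client Access Server", "Login Credentials"),
        ("Client Access Server", "AD Domain Controller", "Login Credentials"),
        ("Exchange Users", "Client Access Server", "E-mail message"),
        ("Client Access Server", "Hub Transport Server", "E-mail message"),
        ("Hub Transport Server", "Mailbox Server", "E-mail message"),
        ("Mailbox Server", "Mailbox Database", "E-mail message"),
    ],
}
# Simplified threat categories raised against the data in every call (assumption).
CATEGORIES = ("disclosure", "tampering", "denial of service")

def generate_threats(calls=CALLS):
    """Per-call generation: one generically named threat per call and category."""
    return [
        {"use_case": uc, "callee": callee, "data": data, "category": cat,
         "name": f"{cat} of {data} at {callee} ({uc})"}
        for uc, steps in calls.items()
        for _caller, callee, data in steps
        for cat in CATEGORIES
    ]

def merge_threats(raw):
    """Fold threats that address the same risk: same component, data and category.
    Returns {(component, data, category): set of use cases that raised it}."""
    merged = {}
    for t in raw:
        key = (t["callee"], t["data"], t["category"])
        merged.setdefault(key, set()).add(t["use_case"])
    return merged

def rank_risks(merged, ratings, default=(1, 1)):
    """Score each merged risk as probability x impact (1-5 each), highest first.
    ratings maps (component, data, category) -> (probability, impact) from the SME."""
    scored = []
    for key, use_cases in merged.items():
        prob, impact = ratings.get(key, default)
        scored.append((prob * impact, key, sorted(use_cases)))
    return sorted(scored, key=lambda s: -s[0])
```

Running it on the two use cases shows why the raw list is noisy: 30 generated threats collapse to 21 distinct risks, because the Hub Transport, Mailbox Server and Mailbox Database calls appear in both use cases.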
When you do this for every risk, you have finished the risk assessment.
The Report
As we pointed out in the previous post, the most useful report template for risk analysis does not exist in the predefined reports, but can be downloaded here.
The final risk analysis report for this infrastructure can be downloaded here.
Also, you may benefit from the Comprehensive Report, which is included in the templates of MS TAM.
We hope that this example will help you in the everyday use of MS TAM as a risk assessment tool.
We are also publishing the entire ACE Threat Model file of this example for download and use.
Please do not hesitate to contact Shortinfosec if you have any questions or issues.
Talkback and comments are most welcome