Loading EN-304-620-1.md +56 −0 Original line number Diff line number Diff line Loading @@ -696,6 +696,62 @@ The mitigations that reduce risk by type are: - Activity exposure via unauthorised log access - Out-of-the-box configuration that necessarily requires modification to be secure ### C.4.x TH-UEVU: Unknown exploitable vulnerabilities Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets. | Risk factors | Likelihood | Security profiles | |------------------------|------------|-------------------| | max(DAT, FUN, COM) = 2 | High | SP-3, SP-4 | | max(DAT, FUN, COM) = 1 | Medium | SP-2 | | max(DAT, FUN, COM) = 0 | Low | SP-1 | | Risk factors | Impact | Security profile | |-------------------|--------|------------------| | DAT = 2 & FUN = 2 | High | SP-3 | | all others | Medium | SP-2, SP-4 | | DAT = 0 & FUN = 0 | Low | SP-1 | Requirements that mitigate this threat: SSDD, NPII, LOGG Mitigations for Likelihood: * Medium to Low: SSCA, SCFS * High to Low: SSCA, (FZ95 or BTIN or IMSL), SCFS Mitigations for Impact: * Medium to Low: NPII-1, LOGG * High to Low: NPII-\*, LOGG ### C.4.x TH-KEVU: Known exploitable vulnerabilities Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets. | Risk factors | Likelihood | Security profiles | |-----------------------------------|------------|-------------------| | max(DAT, FUN, COM) = 2 & ADM = 2 | High | SP-4 | | all others | Medium | SP-2 | | max(DAT, FUN, COM) = 0 or ADM = 0 | Low | SP-1, SP-3 | | Risk factors | Impact | Security profile | |-------------------|--------|------------------| | DAT = 2 & FUN = 2 | High | SP-3 | | all others | Medium | SP-2, SP-4 | | DAT = 0 & FUN = 0 | Low | SP-1 | Requirements that mitigate this threat: SSDD, NPII, LOGG, VULH All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to: Mitigations for Likelihood: * Medium to Low: (KEVD or KEVA or KEVT or SCAN), KEVM, (SUVP or SUAP or SUOE or SUAO), VULH * High to Low: KEVD, KEVA, (KEVT or SCAN), KEVM, (SUAP or SUAO), VULH **[TH-EPC]:** Attacker may gain access to an endpoint, exposing traffic, private network, or PII. | Risk factors | Likelihood | Loading Loading
EN-304-620-1.md +56 −0 Original line number Diff line number Diff line Loading @@ -696,6 +696,62 @@ The mitigations that reduce risk by type are: - Activity exposure via unauthorised log access - Out-of-the-box configuration that necessarily requires modification to be secure ### C.4.x TH-UEVU: Unknown exploitable vulnerabilities Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets. | Risk factors | Likelihood | Security profiles | |------------------------|------------|-------------------| | max(DAT, FUN, COM) = 2 | High | SP-3, SP-4 | | max(DAT, FUN, COM) = 1 | Medium | SP-2 | | max(DAT, FUN, COM) = 0 | Low | SP-1 | | Risk factors | Impact | Security profile | |-------------------|--------|------------------| | DAT = 2 & FUN = 2 | High | SP-3 | | all others | Medium | SP-2, SP-4 | | DAT = 0 & FUN = 0 | Low | SP-1 | Requirements that mitigate this threat: SSDD, NPII, LOGG Mitigations for Likelihood: * Medium to Low: SSCA, SCFS * High to Low: SSCA, (FZ95 or BTIN or IMSL), SCFS Mitigations for Impact: * Medium to Low: NPII-1, LOGG * High to Low: NPII-\*, LOGG ### C.4.x TH-KEVU: Known exploitable vulnerabilities Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets. | Risk factors | Likelihood | Security profiles | |-----------------------------------|------------|-------------------| | max(DAT, FUN, COM) = 2 & ADM = 2 | High | SP-4 | | all others | Medium | SP-2 | | max(DAT, FUN, COM) = 0 or ADM = 0 | Low | SP-1, SP-3 | | Risk factors | Impact | Security profile | |-------------------|--------|------------------| | DAT = 2 & FUN = 2 | High | SP-3 | | all others | Medium | SP-2, SP-4 | | DAT = 0 & FUN = 0 | Low | SP-1 | Requirements that mitigate this threat: SSDD, NPII, LOGG, VULH All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to: Mitigations for Likelihood: * Medium to Low: (KEVD or KEVA or KEVT or SCAN), KEVM, (SUVP or SUAP or SUOE or SUAO), VULH * High to Low: KEVD, KEVA, (KEVT or SCAN), KEVM, (SUAP or SUAO), VULH **[TH-EPC]:** Attacker may gain access to an endpoint, exposing traffic, private network, or PII. | Risk factors | Likelihood | Loading
