Fix numbering of headings

* Likelihood: ROUT-1, CONF-\*, AUTH-\*, IPV6-\*, CRYPT-\*

* Impact: ROUT-2, ROUT-3, NUTI-\*, DNSL-\*, EISO, TRAF-\*, NPII-\*

### C.4.x TH-UEVU: Unknown exploitable vulnerabilities

### C.4.3 TH-UEVU: Unknown exploitable vulnerabilities

Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

* High to Low: NPII-\*, LOGG-\*

### C.4.x TH-KEVU: Known exploitable vulnerabilities

### C.4.4 TH-KEVU: Known exploitable vulnerabilities

Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

* High to Low: KEVD, KEVA, (KEVT or SCAN), KEVM, (SUAP or SUAO), VULH

### C.4.x TH-UEAC: Unauthorized endpoint access

### C.4.5 TH-UEAC: Unauthorized endpoint access

Attacker may gain unauthorized access to an endpoint in a manner not under control of the product, exposing product assets.

* High to Low: AUTH-3, AUTH-4, AUTH-5, NPII-1, NPII-2, NPII-4

### C.4.x TH-RDOS: Denial of service on remote data processing

### C.4.6 TH-RDOS: Denial of service on remote data processing

Attacker launches denial of service attack on remote data processing solution.

* High to Low: FDRP, LMEM, FAIR

### C.4.x TH-MITM: Machine-in-the-middle

### C.4.7 TH-MITM: Machine-in-the-middle

Attacker attempts to read or modify traffic by capturing and relaying activity to and from endpoints.

* High to Low: LOGG-\*, NPII-2

### C.4.x TH-LEAK: Sensitive data leaks

### C.4.8 TH-LEAK: Sensitive data leaks

Attacker reads sensitive data sent outside the VPN connection by the product.

* High to Low: NPII-\*, LOGG-\*

### C.4.x TH-PLAN: Transmitting sensitive data in the clear

### C.4.9 TH-PLAN: Transmitting sensitive data in the clear

Attacker may read sensitive data transmitted without encryption.

* High to Low: CRYPT-\*, SCDL-\*, ROUT-\*, AUTH-\*

### C.4.x TH-UNAA: Unauthorized authentication

### C.4.10 TH-UNAA: Unauthorized authentication

Attacker may attempt to authenticate in an unauthorized manner to get access to product assets.

* High to Low: NPII-\*, AUTH-3, AUTH-4, AUTH-5, LOGG-\*

### C.4.x TH-LDEL: Attacker removes evidence of compromise

### C.4.11 TH-LDEL: Attacker removes evidence of compromise

Attacker may remove evidence of compromise from the endpoint.

* High to Low: NPII-\*

#### C.4.3.4 TH-CONF: Access to assets via configuration errors

### C.4.12 TH-CONF: Access to assets via configuration errors

Attacker may use configuration errors to get unauthorized access to the product assets.

* High to Low: NPII-\*, AUTH-3, AUTH-4, AUTH-5, LOGG-\*, CDST

### C.4.x TH-META: Data leaks due to metadata and traffic analysis

### C.4.13 TH-META: Data leaks due to metadata and traffic analysis

Attacker may use user metadata such as IP addresses and traffic analysis to gain confidential data.

* High to Low: TODO

### C.4.x TH-RDPS: RDPS compromise and isolation

### C.4.14 TH-RDPS: RDPS compromise and isolation

Attacker may use compromise or isolation errors in remote data processing system to gain access to product assets.

* High to Low: TODO

### C.5.2 Mapping of use cases to risk factors and security profiles

### C.5 Mapping of use cases to risk factors and security profiles

| Use case | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | SP   |

|----------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|------|

Security profiles are an informative resource to the assessor. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each security requirements necessary to treat the risk.

### C.6.1 Mapping of security profiles to risk factors

### C.6.2 Mapping of security profiles to risk factors

| Security profile | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM |

|------------------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|