Commit 539e675f authored by Valerie Aurora

Use new threat assessment for masquerading server

parent 08627ec9
+37 −22
@@ -1415,27 +1415,27 @@ This clause lists all the mitigations necessary to meet requirements for each se

### 5.3.1 Wired network interface risk mitigation sets

SP-WD-1: SCFS, SUDC, (SUVP or SUOE), DJST, (NTFY or WDOG), LOGG
SP-WD-1: SCFS, SUDC, (SUVP or SUAP or SUOE or SUAO), DJST, (NTFY or WDOG), LOGG

SP-WD-2: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUVP or SUOE), CDST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, VULH
SP-WD-2: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUVP or SUAP or SUOE or SUAO), AUTH, CDST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, VULH

SP-WD-3: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUVP or SUOE), CDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, VULH
SP-WD-3: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUVP or SUAP or SUOE or SUAO), AUTH, CDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, VULH

SP-WD-4: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-\*, SUDC, (SUVP or SUOE), CDST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, VULH
SP-WD-4: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-\*, SUDC, (SUVP or SUAP or SUOE or SUAO), AUTH, CDST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, VULH

### 5.3.2 Wireless network interface risk mitigation sets

SP-WL-1: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH
SP-WL-1: (KEVD or KEVA or KEVT or SCAN), SCFS, SSCA, IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, SUDC, (SUVP or SUAP or SUOE or SUAO), AUTH, CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH

SP-WL-2: KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH
SP-WL-2: AUTH, KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-4, SUDC, (SUAP or SUAO), AUTH, CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH

SP-WL-3: KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-\*, SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH
SP-WL-3: AUTH, KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-\*, SUDC, (SUAP or SUAO), AUTH, CDST, CDTX, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, (RSET or INST or DELE), SDRF, VULH

### 5.3.3 Virtual network interface risk mitigation sets

SP-VI-1: (KEVD or KEVA or KEVT or SCAN), SCFS, IMSL or (MSAF-\*, MZRO-\*), SUDC, (SUVP or SUOE), CDST, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, SDRF, VULH
SP-VI-1: (KEVD or KEVA or KEVT or SCAN), SCFS, IMSL or (MSAF-\*, MZRO-\*), SUDC, (SUVP or SUAP or SUOE or SUAO), CDST, IDST, DCTX, DJST, (NTFY or WDOG), JSTY, LOGG, SDRF, VULH

SP-VI-2: KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-3, PDDI-4, SUDC, (SUVP or SUOE), CDST, IDST, DCST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, (RSET or INST or DELE), SDRF, SDTR, VULH
SP-VI-2: AUTH, KEVD, KEVA, (KEVT or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF-\*, MZRO-\*), ADEF, DPAH, PDDI-1, PDDI-3, PDDI-4, SUDC, (SUAP or SUAO), AUTH, CDST, IDST, DCST, DCTX, DJST, NTFY, WDOG, JSTY, LOGG, (RSET or INST or DELE), SDRF, SDTR, VULH

# 6 Conformity Assessment
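
Review bot: AUTH appears twice in the new SP-WL-2, SP-WL-3 and SP-VI-2 lines, once at the front and again right after "(SUAP or SUAO)"; drop one occurrence so each set lists a requirement only once. Separately, the TH-MQSE likelihood mitigations later in this commit name CDTX and IDTX, but the updated SP-WD-2, SP-WD-3, SP-WD-4 and SP-VI-2 sets contain neither, and the SP-WL sets carry CDTX without IDTX. Either add them here or state in C.4.3.9 why these profiles do not need them.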

@@ -1974,7 +1974,7 @@ Attacker may exploit vulnerabilities in the product to attack other products.

Requirements that mitigate this threat: NKEV, LMII, LMAS, LOGG, VULH

All mitigations from TH-KEVU apply, plus
All mitigations from TH-KEVU apply, plus:

Mitigations for Likelihood:

@@ -1982,21 +1982,36 @@ Mitigations for Likelihood:

* High to Low: VULH

**[TH-MQSE]:** Attacker may masquerade as an authorized server to get unauthorized access to product assets.
#### C.4.3.9 TH-MQSE: Masquerading authorized server

| Risk factors        | Likelihood |
|---------------------|------------|
| NET > 1 & COM > 1   | High       |
| NET = 1 or COM = 1  | Medium     |
| NET = 0 and COM = 0 | Low        |
Attacker may masquerade as an authorized server to get unauthorized access to product assets.

| Risk factors                     | Impact |
|----------------------------------|--------|
| max(SYS, SDS, SDT, FUN, DOS) = 2 | High   |
| max(SYS, SDS, SDT, FUN, DOS) = 1 | Medium |
| max(SYS, SDS, SDT, FUN, DOS) = 0 | Low    |
| Risk factors       | Likelihood | Security profiles |
|--------------------|------------|-------------------|
| NET = 0 or COM = 0 | Low        | WD-1, VI-1        |
| all others         | Medium     | WD-2, WD-3, WD-4  |
| NET = 2 & COM = 2  | High       | WL-2, WL-3, VI-2  |

| Risk factors                     | Impact | Security profiles      |
|----------------------------------|--------|------------------------|
| max(SYS, SDS, SDT, FUN, DOS) = 0 | Low    | none                   |
| max(SYS, SDS, SDT, FUN, DOS) = 1 | Medium | WD-1, WD-3, VI-1       |
| max(SYS, SDS, SDT, FUN, DOS) = 2 | High   | WD-2, WD-4, WL-\* VI-2 |

Requirements that mitigate this threat: CDTX, IDTX, AUTH, SCUD, LOGG

Mitigations for Likelihood:

* Medium to Low: AUTH, SUDC, (SUVP or SUAP or SUOE or SUAO), CDTX, IDTX

* High to Low: AUTH, SUDC, (SUAP or SUAO), CDTX, IDTX

Mitigations for Impact:

* Medium to Low: LOGG

* High to Low: LOGG

Requirements: CDTX, IDTX, SCUD, LOGG

**[TH-AHHS]:** Attacker may use unauthorized access to the product to harm the host system.
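
Review bot: WL-1 is missing from the Security profiles column of the new TH-MQSE likelihood table, although the impact table covers it through "WL-\*" and 5.3.2 in this same commit gives SP-WL-1 the Medium alternatives "(SUVP or SUAP or SUOE or SUAO), AUTH". Add WL-1 to the "all others" row if Medium is the intended level, and consider moving that catch-all row last so the Low and High conditions are read first. Smaller points in the same tables: the conditions mix "or" with "&", the High impact cell "WL-\* VI-2" lacks a comma, and SCUD is listed under "Requirements that mitigate this threat" but appears in none of the Likelihood or Impact mitigation lists.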