Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

May 30, 2005

US DoD threat analysis

The US Department of Defense clearly faces some serious information security risks. According to this presentation about security policies by ex-military man and honeynet security guru Lance Spitzner, the DoD recognizes seven levels of threat. “T1: Inadvertent or accidental events e.g. tripping over the power cord. T2: Passive, casual adversary with minimal resources who is willing to take little risk e.g. listening. T3: Adversary with minimal resources who is willing to take significant risk e.g. unsophisticated hackers. T4: Sophisticated adversary with moderate resources who is willing to take little risk e.g. organized crime, sophisticated hackers, international corporations. T5: Sophisticated adversary with moderate resources who is willing to take significant risk e.g. international terrorists. T6: Extremely sophisticated adversary with abundant resources who is willing to take little risk e.g. well-funded national laboratory, nation-state, and international corporation. T7: Extremely sophisticated adversary with abundant resources who is willing to take extreme risk e.g. nation-states in time of crisis.” Another way of looking at this is as a maturity model for information security. Is your organization ready to face threats at level T4 or T5? Can you afford to address T6?
More risk management resources