
There are many risk assessment guidelines, such as NIST 800-30 and ISO 27005, that provide a catalogue of known threats as a reference. Using a qualitative approach, I selected one threat event catalogue and tried to select the threats that are applicable to my use case.

To my understanding, by studying the system design specifications, I can compile a list of threats that may affect the system. However, I want to be more deterministic in my approach and say if the system is vulnerable to my compiled threats or not.

My approach is to look at the current security controls deployed on the system, and by analysing these controls I can say "System is vulnerable to threat X, Y and Z". I know I kind of have an answer to my question, but maybe there is a more methodological / organized approach? Having a list of known threats, how can I determine if a system is vulnerable or not?

PS: I am more interested in a qualitative approach; I know a vulnerability tool can make life easier.

schroeder
NoRel

1 Answer


You are asking about a pure risk assessment methodology. And it's quite simple at a high level.

  • what are the inherent, relevant risks in the context (vulnerabilities matched with threats)?
  • what controls are in place to address those risks?
  • how effective are those controls against those risks?
  • what's left that is unaddressed?

Threat catalogues are meant to help inspire thoughts to come up with a list of relevant risks in context. They are not meant to be a complete list.

Vulnerability tools look at technical risks that are discoverable through technical analysis. There is a whole universe of risk that is outside of technical vulnerabilities.

schroeder
  • Thank you for your answer @schroeder and I agree with you about the purpose of threat catalogues. How can I evaluate the effectiveness of the existing controls? – NoRel Oct 27 '21 at 12:20
  • You said you wanted a qualitative assessment. You determine the scale you want and assess based on that scale. H/M/L, Primary/Secondary/Tertiary control, etc. – schroeder Oct 27 '21 at 13:56
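As an added illustration of the four-step method in the answer and the H/M/L scale suggested in the comments (this is example code, not part of the thread, and not tied to any specific catalogue), the following Python script keeps a small qualitative risk register. It matches each selected threat to the controls that address it, reduces the inherent rating by the control's effectiveness, and reports the threats that no control covers at all, which is the "what's left that is unaddressed" step. Every threat name, control name and rating below is a constructed assumption; the reduction rule (an H control lowers the rating two levels, M one level, L none) is likewise an assumed convention you would replace with your own scale.

```python
"""Qualitative risk register: inherent risks, controls, control effectiveness,
residual risk, on an ordinal L/M/H scale.

Added example; all threats, controls, ratings and the reduction rule are
constructed assumptions, not taken from NIST 800-30, ISO 27005 or the thread.
"""
from dataclasses import dataclass, field

LEVELS = ["L", "M", "H"]  # ordinal scale; list index is the severity


@dataclass
class Threat:
    name: str
    inherent: str  # step 1: risk rating if no control existed (L/M/H)


@dataclass
class Control:
    name: str
    effectiveness: str  # step 3: how well the control reduces the risk (L/M/H)
    addresses: list = field(default_factory=list)  # step 2: threat names covered


def residual_level(inherent: str, effectiveness: str) -> str:
    """Assumed reduction rule: an H control lowers the rating two levels,
    M lowers it one level, L leaves it unchanged; never below L."""
    reduction = {"H": 2, "M": 1, "L": 0}[effectiveness]
    idx = max(LEVELS.index(inherent) - reduction, 0)
    return LEVELS[idx]


def assess(threats, controls):
    """Return {threat name: (residual level, [control names applied])}.

    A threat with no applicable control keeps its inherent level and gets an
    empty control list, so step 4 (the unaddressed remainder) falls out directly.
    """
    register = {}
    for t in threats:
        applicable = [c for c in controls if t.name in c.addresses]
        level = t.inherent
        for c in applicable:
            # The strongest control governs the residual rating; the rest are
            # still recorded so the register shows everything in place.
            candidate = residual_level(t.inherent, c.effectiveness)
            level = min(level, candidate, key=LEVELS.index)
        register[t.name] = (level, [c.name for c in applicable])
    return register


def unaddressed(register):
    """Threat names that no control covers, sorted for stable reporting."""
    return sorted(name for name, (_, ctrls) in register.items() if not ctrls)


# Constructed sample register (assumptions, not real findings).
SAMPLE_THREATS = [
    Threat("credential theft via phishing", "H"),
    Threat("unpatched internet-facing service", "H"),
    Threat("insider data exfiltration", "M"),
    Threat("physical theft of laptop", "M"),
]

SAMPLE_CONTROLS = [
    Control("phishing-resistant MFA", "H", ["credential theft via phishing"]),
    Control("monthly patch cycle", "M", ["unpatched internet-facing service"]),
    Control("full-disk encryption", "H", ["physical theft of laptop"]),
]


if __name__ == "__main__":
    register = assess(SAMPLE_THREATS, SAMPLE_CONTROLS)
    for name, (level, ctrls) in register.items():
        print(f"{level}  {name}  <- {', '.join(ctrls) or 'NO CONTROL'}")
    print("unaddressed:", unaddressed(register))
```

With the constructed data, phishing drops from H to L (strong control), the unpatched service only drops to M (medium control), laptop theft drops to L, and insider exfiltration stays at M with an empty control list, which is exactly the gap the assessment should surface. Swapping the scale or the reduction rule is a one-line change, which is the point of settling on a scale first, as the comment says.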