Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference

2015

  Long time in the tech field

  Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.

  20+ Years software development experience

  10+ in Information Security

  M.S. and B.S. in Computer Science from the University of Illinois

  Active Certifications – CISSP, CSSLP, CISM

  Work for one of the largest providers of pharmacy software and services in the country

  Serve as Lead Faculty Area Chair for Information Systems Security for the University of Phoenix Online Campus

  Carry out independent reading and research for my own company, RBA Communications

The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!

  Part 1 – Threat Modeling Overview

  Part 2 – Applying STRIDE to a System

  Part 3 – Applying DREAD to a System

  A way to evaluate and rank risks

  Evaluate each risk / threat for:

    Damage

    Reproducibility

    Exploitability

    Affected Users

    Discoverability

  Details from https://www.owasp.org/index.php/Threat_Risk_Modeling

Damage – How much damage if it happens?

  0 – None, 5 – Individual User Data, 10 – Complete System Destruction

Reproducibility – How easy is it to reproduce?

  0 – Almost Impossible, 5 – One or Two Steps / Authorized User, 10 – Web Browser and Address – No Auth

Exploitability – What is needed to exploit the threat?

  0 – Advanced Knowledge and Skills, 5 – Malware Exists on Internet or Easy Exploit, 10 – Only a Web Browser

Affected Users – How many users will be impacted?

  0 – None, 5 – Some Users, But Not All, 10 – All Users

Discoverability – How easy to discover?

  0 – Advanced Knowledge and Skills, 5 – Easy to Guess or Find by Monitoring, 9 – Details of Fault Public, 10 – Details in URL
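As an added worked example (not part of the slides), the rubric above as a small Python scorer: each factor is validated against the 0–10 scale, the five factors are averaged into one DREAD score, and a set of threats is ranked highest-first so the team can see which one to mitigate next and which factor drives it. The threat names and their ratings are constructed for illustration and do not come from the session.

```python
from dataclasses import dataclass

# The five DREAD factors, in the order the slides list them.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    """One threat rated on the 0-10 DREAD scale from the rubric."""
    threat: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the rubric's 0-10 range (e.g. typos like 50).
        for name in FACTORS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.threat}: {name} must be 0-10, got {value!r}")

    def score(self) -> float:
        """Mean of the five factors: 0 = negligible, 10 = worst case on every axis."""
        return sum(getattr(self, name) for name in FACTORS) / len(FACTORS)

    def dominant_factors(self) -> tuple:
        """Factors at the rating's maximum: where a mitigation moves the score most."""
        top = max(getattr(self, name) for name in FACTORS)
        return tuple(name for name in FACTORS if getattr(self, name) == top)


def rank_threats(ratings):
    """Highest score first; ties broken by Damage, then Exploitability, then name."""
    return sorted(ratings,
                  key=lambda r: (-r.score(), -r.damage, -r.exploitability, r.threat))


# Constructed sample ratings (hypothetical threats, not from the session).
SAMPLE_THREATS = [
    DreadRating("Order lookup by predictable ID in URL, no auth", 5, 10, 10, 10, 10),
    DreadRating("Admin tampers with audit log", 10, 5, 0, 10, 0),
    DreadRating("Support staff spoofed by phishing", 5, 5, 5, 5, 5),
]

if __name__ == "__main__":
    for r in rank_threats(SAMPLE_THREATS):
        print(f"{r.score():4.1f}  {r.threat}  (driven by: {', '.join(r.dominant_factors())})")
```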

  Be Involved

  Don’t Monopolize

  Work Together

  Pick values for the risks from the previous sessions

Recommended