Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015

Brad Andrews, CISSP, CSSLP North Texas Cyber Security … · 2016-07-10 · Long time in the tech field Wide range of jobs – Defense, Online, Banking, Airlines, Doc-Com, Medical,


Page 1

Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015

Page 2

  Long time in the tech field

  Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.

  20+ Years software development experience

  10+ in Information Security

  M.S. and B.S. in Computer Science from the University of Illinois

  Active Certifications – CISSP, CSSLP, CISM

Page 3

  Work for one of the largest providers of pharmacy software and services in the country

  Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus

  Carry out independent reading and research for my own company, RBA Communications

Page 4

The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!

Page 5

  Part 1 – Threat Modeling Overview

  Part 2 – Applying STRIDE to a System

  Part 3 – Applying DREAD to a System

Page 6

  A way to evaluate and rank risks

  Evaluate each risk / threat for:

  Damage

  Reproducibility

  Exploitability

  Affected Users

  Discoverability

  Details from https://www.owasp.org/index.php/Threat_Risk_Modeling

Page 7

How much damage if it happens?

0 – None, 5 – Individual User Data, 10 – Complete System Destruction

Page 8

How easy is it to reproduce?

0 – Almost Impossible, 5 – One or Two Steps / Authorized User, 10 – Web Browser and Address – No Auth

Page 9

What is needed to exploit the threat?

0 – Advanced Knowledge and Skills, 5 – Malware Exists on Internet or Easy Exploit, 10 – Only a Web Browser

Page 10

How many users will be impacted?

0 – None, 5 – Some Users, But Not All, 10 – All Users

Page 11

How easy to discover?

0 – Advanced Knowledge and Skills, 5 – Easy to Guess or Find by Monitoring, 9 – Details of Fault Public, 10 – Details in URL
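The five DREAD scales above feed a single rating per threat. As an added example (not from the slides), the Python below validates each dimension against the 0–10 scale the slides define, computes the OWASP DREAD rating as the mean of the five scores, and ranks a constructed set of hypothetical threats so the workshop step of picking values has a concrete end-to-end shape.

```python
from dataclasses import dataclass

# The five DREAD dimensions, each scored 0-10 using the slide anchors
# (0 = none / almost impossible, 5 = partial / easy, 10 = total / trivial).
DIMENSIONS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadScore:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the integer 0-10 scale the slides define.
        for dim in DIMENSIONS:
            value = getattr(self, dim)
            if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {dim} must be an integer 0-10, got {value!r}")

    def rating(self) -> float:
        # OWASP's DREAD rating: the mean of the five dimension scores.
        return sum(getattr(self, dim) for dim in DIMENSIONS) / len(DIMENSIONS)


def rank_threats(threats):
    # Highest rating first; ties broken by Damage, then by name for a stable order.
    return sorted(threats, key=lambda t: (-t.rating(), -t.damage, t.name))


# Constructed sample threats (hypothetical, for illustration only), scored with the slide anchors:
# e.g. "Details in URL" = Discoverability 10, "Only a Web Browser" = Exploitability 10.
SAMPLE_THREATS = [
    DreadScore("Record id exposed in URL", damage=5, reproducibility=10,
               exploitability=10, affected_users=5, discoverability=10),
    DreadScore("Unpatched server, public exploit", damage=10, reproducibility=5,
               exploitability=5, affected_users=10, discoverability=9),
    DreadScore("Timing side channel on login", damage=5, reproducibility=0,
               exploitability=0, affected_users=5, discoverability=0),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.rating():4.1f}  {t.name}")
```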

Page 12

  Be Involved

  Don’t Monopolize

  Work Together

Page 13

  Pick values for the risks from the previous sessions

Page 14