Threat Modeling and the CISSP
Today, many organizations face unprecedented cyber and insider threats to the data and information they store, process and transmit. Because of these threats, companies are giving cyber security greater attention, which makes it a necessary concept for the CISSP candidate.
Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Compliance with narrowly focused standards may not be sufficient to prevent or detect a sophisticated cyber-attack.
Where do we start when tasked to protect everything?
Before we can complete our strategy, we need to understand the components of how to address risk in our environment:
Threat modeling is a structured approach to identifying, quantifying, and addressing threats. It allows system security staff to communicate the potential damage of security flaws and prioritize remediation efforts.
In threat modeling, we cover the three main elements:
In an organization, different threats target different layers of the organization's framework and environment. The three main layers a threat can target are:
Who Does Threat Modeling, and When
Ideally, threat models are created during system design before any deployment. In practice, threat models are often created for existing systems, making it part of maintenance. System designers with security experience are best equipped to identify the threats.
In this step, we identify the potential assets that are valuable to the organization:
In this process, we describe the architecture on which the valuable asset is being processed. It may include the software framework, version, and other architectural details.
In this step, we break the application down by its processes, listing all the sub-processes that make up the application.
In this step, we describe each threat in enough detail that it can be reviewed in the steps that follow.
In this step, we categorize each threat into the predefined STRIDE classes, which are:
In this step, we rate the severity of each threat using the DREAD scale developed by Microsoft:
A corporation has a data collection web application that allows users to log in and enter or change personal data.
The following information was collected on the application:
Microsoft Threat Reporting Template:
Categorizing Threats with STRIDE:
A standardized short form created by Microsoft to help categorize threats.
Rating Threats with DREAD:
A standardized short form created by Microsoft to rate the severity of a threat. Each quality is rated on a scale developed for each project. For most projects, a scale of 1–3 is sufficient.
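As an added worked example (not from the article), here is how the data collection web application described above might be taken through the categorize and rate steps: each threat gets a STRIDE class and five DREAD scores on the 1–3 scale, and the totals set the remediation order. The STRIDE and DREAD expansions are the standard ones; the threats and their scores are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum

class Stride(Enum):  # the six STRIDE classes a threat is sorted into
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"

# The five DREAD qualities, each scored on the scale chosen for the project.
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
SCALE = (1, 3)  # the 1-3 scale the article calls sufficient for most projects

@dataclass(frozen=True)
class Threat:
    description: str
    category: Stride
    scores: dict  # DREAD quality -> score within SCALE

def in_scale(threat: Threat) -> bool:
    """True when every DREAD quality is present and scored within SCALE."""
    lo, hi = SCALE
    return set(threat.scores) == set(DREAD) and all(lo <= v <= hi for v in threat.scores.values())

def dread_total(threat: Threat) -> int:
    """Sum of the five DREAD scores; a malformed rating is rejected, not silently ranked."""
    if not in_scale(threat):
        raise ValueError(f"{threat.description!r}: scores must cover {DREAD} within {SCALE}")
    return sum(threat.scores.values())

def rank(threats: list) -> list:
    return sorted(threats, key=dread_total, reverse=True)  # highest total first: remediate in this order

# Constructed sample register for the article's data collection web application.
REGISTER = [
    Threat("Attacker signs in as another user with guessed credentials", Stride.SPOOFING,
           dict(damage=3, reproducibility=2, exploitability=2, affected_users=2, discoverability=3)),
    Threat("User alters another user's personal record", Stride.TAMPERING,
           dict(damage=3, reproducibility=3, exploitability=2, affected_users=3, discoverability=2)),
    Threat("Login form flooded so legitimate users cannot sign in", Stride.DENIAL_OF_SERVICE,
           dict(damage=2, reproducibility=3, exploitability=3, affected_users=3, discoverability=3)),
    Threat("A change to personal data cannot be traced to who made it", Stride.REPUDIATION,
           dict(damage=2, reproducibility=3, exploitability=1, affected_users=1, discoverability=1)),
]
if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{dread_total(t):2d}  {t.category.value:<22} {t.description}")
```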
Threat modeling helps organizations prioritize their processes with respect to threats and respond effectively. It is carried out through the complete life cycle of a process, from initiation to deployment, and remains under consideration during maintenance. As far as CISSP training is concerned, the candidate must know all the steps of threat modeling and should also know how to mitigate threats most effectively using the threat modeling technique.