THREATS
Developing a Threat Profile - Understand who may be interested in your data
Threat actors (each may be internal or external to the organization):
- Nation states
- Organized crime
- Lone hackers
- Hacktivists
- Competitors
- Former employees
Common motivations:
- Competitive intelligence
- Cyberespionage
- Financial gain
- Reputational impact
- Attacker reputation-building
Developing a Threat Profile
Threat modeling methods are used to create:
- A system abstraction
- A profile of potential attackers, including their goals and methods
- A catalog of potential threats that may arise
THREAT | PROPERTY VIOLATED | THREAT DEFINITION |
---|---|---|
Spoofing identity | Authentication | Pretending to be something or someone other than yourself |
Tampering with data | Integrity | Modifying something on disk, on the network, in memory, or elsewhere |
Repudiation | Non-repudiation | Claiming that you did not do something or were not responsible; the claim can be honest or false |
Information disclosure | Confidentiality | Providing information to someone not authorized to access it |
Denial of service | Availability | Exhausting the resources needed to provide the service |
Elevation of privilege | Authorization | Allowing someone to do something they are not authorized to do |
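The following Python is an added example, not part of the original page, showing how the three outputs listed above fit together: a system abstraction (a small data-flow diagram with trust zones), an attacker profile (where the actor already sits and which STRIDE categories match their motivation), and the resulting catalog of candidate threats. It uses the STRIDE-per-element heuristic (external entities get S and R; processes get all six; stores and flows get T, I, D; stores holding audit logs also get R), which goes beyond what the page states. The sample DFD, zone names, attacker positions and goals, and the one-hop reachability rule are all assumptions made for illustration.

```python
"""Added example: system abstraction + attacker profile -> STRIDE threat catalog.
The DFD, trust zones and attacker profiles below are constructed for
illustration and do not describe any real system."""
from dataclasses import dataclass

# STRIDE threat -> (name, property violated), as in the table above.
PROPERTY = {
    "S": ("Spoofing identity", "Authentication"),
    "T": ("Tampering with data", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# STRIDE-per-element heuristic: which threats to consider per DFD element
# kind.  Data stores holding audit logs additionally get Repudiation,
# because losing them defeats the ability to prove who did what.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    """One DFD element. `zone` is a trust zone name (empty for flows);
    `src`/`dst` are endpoint element names and are set only for flows."""
    name: str
    kind: str
    zone: str = ""
    holds_logs: bool = False
    src: str = ""
    dst: str = ""


@dataclass(frozen=True)
class AttackerProfile:
    """Where the attacker already sits and what they are after.
    An empty `goals` set means every STRIDE category is of interest."""
    name: str
    zones: frozenset
    goals: frozenset = frozenset()


@dataclass(frozen=True)
class Threat:
    element: str
    threat: str
    property_violated: str


def exposed_elements(elements, profile):
    """Elements the attacker can feed input to: everything in a zone the
    profile already occupies, plus the far end of any flow leaving such a
    zone (one hop across a trust boundary; deeper paths are left to the
    analyst so the catalog stays focused on the attack surface)."""
    direct = {e.name for e in elements
              if e.kind != "data_flow" and e.zone in profile.zones}
    one_hop = {f.dst for f in elements
               if f.kind == "data_flow" and f.src in direct and f.dst not in direct}
    return direct | one_hop


def applicable_letters(element):
    letters = PER_ELEMENT[element.kind]
    if element.kind == "data_store" and element.holds_logs:
        letters += "R"
    return letters


def threat_catalog(elements, profile):
    """Enumerate candidate threats for one attacker profile. A flow is in
    scope when either endpoint is exposed; other elements when they are."""
    exposed = exposed_elements(elements, profile)
    catalog = []
    for el in elements:
        if el.kind == "data_flow":
            in_scope = el.src in exposed or el.dst in exposed
        else:
            in_scope = el.name in exposed
        if not in_scope:
            continue
        for letter in applicable_letters(el):
            if profile.goals and letter not in profile.goals:
                continue
            name, prop = PROPERTY[letter]
            catalog.append(Threat(el.name, name, prop))
    return catalog


# Constructed sample: a browser on the internet talks to a web front end in
# a DMZ, which calls an internal API backed by a database and an audit log.
SAMPLE_DFD = [
    Element("browser", "external_entity", zone="internet"),
    Element("web", "process", zone="dmz"),
    Element("api", "process", zone="internal"),
    Element("db", "data_store", zone="internal"),
    Element("audit", "data_store", zone="internal", holds_logs=True),
    Element("browser->web", "data_flow", src="browser", dst="web"),
    Element("web->api", "data_flow", src="web", dst="api"),
    Element("api->db", "data_flow", src="api", dst="db"),
    Element("api->audit", "data_flow", src="api", dst="audit"),
]

# Two profiles drawn from the actor list above (positions and goals assumed).
EXTERNAL = AttackerProfile("Lone hacker", zones=frozenset({"internet"}))
INSIDER = AttackerProfile("Former employee with lingering access",
                          zones=frozenset({"internal"}),
                          goals=frozenset("TI"))  # steal or alter data

if __name__ == "__main__":
    for profile in (EXTERNAL, INSIDER):
        print(f"== {profile.name} ==")
        for t in threat_catalog(SAMPLE_DFD, profile):
            print(f"{t.element:14} {t.threat:24} ({t.property_violated})")
```

Running it shows why the profile matters: the external actor produces threats only against the browser, the DMZ web process and the two flows touching it, while the insider profile skips those entirely and lands on the internal API, the database and the audit log, narrowed to tampering and disclosure. The same abstraction yields a different catalog per actor, which is the point of building the profile before the catalog.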
Identifying Assets and Threat Profile
How do we know if the client needs this service?
- Absence of dedicated security personnel
- Security risks are not documented
- The relationship between business and security objectives is not clearly understood
- Future security needs are not documented
- Inconsistent decision making regarding security
- Security risk management procedures not documented
- Application or system security requirements are not documented
- Threat analysis is not consistently used as part of the development lifecycle
- A procedure is not documented to apply security standards to application or systems
- The desired/required security posture of a system is not documented
- The security risk management process is not standardized
- Security practices are not integrated with project, release, change, or IT operations processes
- Application security testing technologies (SAST, DAST, IAST, RASP) are not in place
- Security policies and standards are not documented
- Security documentation has not been reviewed in more than 12 months
- A documentation review schedule does not exist
- There is no methodology to define policies and standards as they relate to business needs
- A penetration test is not required by any regulatory body
- A penetration test has not been conducted in over a year
- Penetration tests are not required as a part of the testing phase of the SDLC for critical and highly sensitive systems
- Practices are not in place to ensure security requirements are implemented as designed (traceability)
Security Tech Stack - Defense in depth and layered security can be complex and costly
Security Technology Considerations
- Do I have multiple vendors supplying the same capabilities?
- Am I building a defense in depth security?
- Are solution providers listening to my needs/requirements?
Security Technology Categories: examples
- Endpoint protection or antivirus software
- Cloud Email Security or Advanced Threat Protection
- Authentication and password security
- Biometrics
- Encryption
- Firewalls (hardware or software)
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Security Awareness Training
- Virtual private network (VPN)
- Intrusion prevention systems (IPS)
Cyber Security Strategy: Service Models
CYBER SECURITY STRATEGY STAGES
E1
Minimum security level
- Recommendations
- Application
- Infrastructure
- Monitoring
- QuickHits
- Technical review
E2
Preventive Security
- On-site security office
- Security indicators (metrics)
- Vulnerability diagnosis
- Compliance
- Data protection laws
- PIA (Privacy Impact Assessment)
E3
Active Security
- Monitoring (SOC)
- Perimeter protection
- Protection in applications and DB
- Protection of privileged accounts
- Security incident detection
E4
Proactive Security
- Threat hunting
- Threat intelligence
- Incident response