THREATS
Developing a Threat Profile – Understand who may be interested in your data
Threat actors (internal or external to the organization):
- Nation states
- Organized crime
- Lone hackers
- Hacktivists
- Competitors
- Former employees
Typical motivations (not paired one-to-one with the actors above; one actor may have several):
- Competitive intelligence
- Cyberespionage
- Financial gain
- Reputational impact
- Attacker reputation-building
Developing a Threat Profile
Threat modeling methods are used to create:
- A system abstraction
- A profile of potential attackers, including their goals and methods
- A catalog of potential threats that may arise
| THREAT (STRIDE) | PROPERTY VIOLATED | THREAT DEFINITION |
|---|---|---|
| Spoofing identity | Authentication | Pretending to be something or someone other than yourself. |
| Tampering with data | Integrity | Modifying something on disk, on the network, in memory, or elsewhere. |
| Repudiation | Non-repudiation | Claiming that you did not do something or were not responsible; the claim can be honest or false. |
| Information disclosure | Confidentiality | Providing information to someone not authorized to access it. |
| Denial of service | Availability | Exhausting resources needed to provide the service. |
| Elevation of privilege | Authorization | Allowing someone to do something they are not authorized to do. |
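The three outputs listed above (a system abstraction, an attacker profile, and a threat catalog) can be produced mechanically once the system is drawn as data-flow-diagram elements. The following is an added worked example, not code from the original page: it applies the standard STRIDE-per-element mapping (external entity: S, R; process: all six; data flow: T, I, D; data store: T, R, I, D) to a constructed sample web application, tags each catalog entry with the property it violates exactly as in the table, and uses the attacker profile to note which actors can reach each threat. The sample system, element names and actors are assumptions made for illustration.

```python
"""STRIDE-per-element threat enumeration for a small system abstraction.

Added worked example (not code from the original page). The sample system,
actors and element names below are constructed for illustration; the
STRIDE-per-element mapping is the standard one used in Microsoft SDL
threat modeling.
"""
from dataclasses import dataclass
from typing import Dict, List

# Security property each STRIDE category violates (same pairing as the table above).
PROPERTY_VIOLATED: Dict[str, str] = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# STRIDE-per-element: which categories apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT: Dict[str, List[str]] = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(PROPERTY_VIOLATED),  # all six apply to a process
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
    "data_store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
}


@dataclass
class Element:
    """One node or edge of the system abstraction (the DFD)."""
    name: str
    kind: str                      # key of STRIDE_PER_ELEMENT
    crosses_trust_boundary: bool = False


@dataclass
class Actor:
    """One entry of the attacker profile."""
    name: str
    internal: bool
    motivations: List[str]


@dataclass
class Threat:
    element: str
    category: str
    property_violated: str
    crosses_trust_boundary: bool


def enumerate_threats(system: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element to every element; boundary-crossing elements come first."""
    threats: List[Threat] = []
    for el in system:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        for category in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, category, PROPERTY_VIOLATED[category],
                                  el.crosses_trust_boundary))
    # Elements on a trust boundary are reachable by external actors; review them first.
    return sorted(threats, key=lambda t: not t.crosses_trust_boundary)


def threats_by_property(threats: List[Threat]) -> Dict[str, int]:
    """Count catalog entries per violated property (a quick coverage check)."""
    counts: Dict[str, int] = {p: 0 for p in PROPERTY_VIOLATED.values()}
    for t in threats:
        counts[t.property_violated] += 1
    return counts


def relevant_actors(threat: Threat, actors: List[Actor]) -> List[str]:
    """Internal actors already sit inside the boundary and reach every element;
    external actors reach only elements that cross a trust boundary."""
    return [a.name for a in actors if a.internal or threat.crosses_trust_boundary]


# Constructed sample: a web application with a database and one trust boundary
# between the Internet user and the application.
SAMPLE_SYSTEM: List[Element] = [
    Element("Internet user", "external_entity", crosses_trust_boundary=True),
    Element("HTTPS request user->web app", "data_flow", crosses_trust_boundary=True),
    Element("Web application", "process"),
    Element("SQL query web app->database", "data_flow"),
    Element("Customer database", "data_store"),
]

SAMPLE_ACTORS: List[Actor] = [
    Actor("Organized crime", internal=False, motivations=["Financial gain"]),
    Actor("Former employee", internal=True, motivations=["Reputational impact"]),
]

if __name__ == "__main__":
    catalog = enumerate_threats(SAMPLE_SYSTEM)
    for t in catalog:
        print(f"{t.element:32} {t.category:24} violates {t.property_violated:16}"
              f" actors: {', '.join(relevant_actors(t, SAMPLE_ACTORS))}")
    print(threats_by_property(catalog))
```

The per-property counts are a cheap sanity check on the catalog: a system with no non-repudiation entries usually means no logging data store was drawn, not that repudiation is impossible.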
Identifying Assets and Threat Profile
How do we know if the client needs this service?
Security program assessment and strategy
- Absence of dedicated security personnel
- Security risks are not documented
- The relationship between business and security objectives is not clearly understood
- Future security needs are not documented
- Inconsistent decision making regarding security
- Security risk management procedures not documented
Security requirements docs and analysis
- Application or system security requirements are not documented
- Threat analysis is not consistently used as part of the development lifecycle
- A procedure is not documented to apply security standards to application or systems
- The desired/required security posture of a system is not documented
Security development lifecycle assessment
- Application or system security requirements are not documented
- Security risk management process is not standardized
- Security practices are not integrated with project, release, change, or IT operations processes
- Security testing technologies (SAST, DAST, IAST, RASP) are not in place
Security policy and standards development and review
- Security policies and standards are not documented
- Security documentation has not been reviewed in more than 12 months
- A documentation review schedule does not exist
- There is no methodology to define policies and standards as they relate to business needs
Security penetration testing
- A penetration test is not required by some regulatory body
- A penetration test has not been conducted in over a year
- Penetration tests are not required as a part of the testing phase of the SDLC for critical and highly sensitive systems
- Practices are not in place to ensure security requirements are implemented as designed (traceability)
Security Tech Stack – Defense in depth and layered levels of security can be complex and costly
Security Technology Considerations
- Do I have multiple vendors supplying the same capabilities?
- Am I building defense in depth, or just stacking products?
- Are solution providers listening to my needs/requirements?
Security Technology Categories: examples
- Endpoint or Antivirus software
- Cloud Email Security or Advanced Threat Protection
- Authentication and password security
- Biometrics
- Encryption
- Firewalls (hardware or software)
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Security Awareness Training
- Virtual private network (VPN)
- Intrusion prevention systems (IPS)
Cyber Security Strategy: Service Models
CYBER SECURITY STRATEGY STAGES
E1
Minimum security level
- Recommendations
- Application
- Infrastructure
- Monitoring
- Quick hits
- Technical review
E2
Preventive Security
- On-site security office
- Security indicators
- Vulnerability diagnosis
- Compliance
- Data protection laws
- PIA (Privacy Impact Assessment)
E3
Active Security
- Monitoring (SOC)
- Perimeter protection
- Protection in applications and DB
- Protection of privileged accounts
- Security incident detection
E4
Proactive Security
- Threat hunting
- Threat intelligence
- Incident response