The recent announcement leading to the demise of IS1/2 will leave a vacuum. However for many in Local Government and elsewhere who haven't been using IS1/2, will bring the opportunity to look a a set of threat modelling tools. A good starting point is: https://www.owasp.org/index.php/Threat_Risk_Modeling
You'll discover the Microsoft Secure Development Lifecycle (MSDL) which is free and fully documented with supporting tools. The OWASP page also links to a. Umber of other resources.
A good model to use is STRIDE: Spoofing Identity / Tampering with Data / Repudiation / Information disclosure / Denial of service / Elevation of privilege.
This works well with DREAD: Damage potential / Reproducability / Exploitability / Affected Users / Discoverability.
When you mix these with Attack Trees and the Cyber Kill chain you start to get an holistic view of what is going on.
We next need to consider Adversaries (those wishing to attack us) and Adversities, those risks and threats we're faced with. Risks can be threats or hazards. It is often difficult to think like an attacker, so use an approach like De Bonos Six Hats, which can then give yup different perspectives on things.
Attack profiling, needs a structured approach. Tools like mind maps can help with the process.
The big challenge is going to be transferring all of this thinking into an Agile development environment.
I have written an article The 10 A's of Cyber Security, which explains these elements in context.
You'll discover the Microsoft Secure Development Lifecycle (MSDL) which is free and fully documented with supporting tools. The OWASP page also links to a. Umber of other resources.
A good model to use is STRIDE: Spoofing Identity / Tampering with Data / Repudiation / Information disclosure / Denial of service / Elevation of privilege.
This works well with DREAD: Damage potential / Reproducability / Exploitability / Affected Users / Discoverability.
When you mix these with Attack Trees and the Cyber Kill chain you start to get an holistic view of what is going on.
We next need to consider Adversaries (those wishing to attack us) and Adversities, those risks and threats we're faced with. Risks can be threats or hazards. It is often difficult to think like an attacker, so use an approach like De Bonos Six Hats, which can then give yup different perspectives on things.
Attack profiling, needs a structured approach. Tools like mind maps can help with the process.
The big challenge is going to be transferring all of this thinking into an Agile development environment.
I have written an article The 10 A's of Cyber Security, which explains these elements in context.
No comments:
Post a Comment