Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015.


1 Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015

2
- Long time in the tech field
- Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
- 20+ years software development experience
- 10+ in Information Security
- M.S. and B.S. in Computer Science from the University of Illinois
- Active certifications – CISSP, CSSLP, CISM

3
- Work for one of the largest providers of pharmacy software and services in the country
- Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
- Carry out independent reading and research for my own company, RBA Communications

4 The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!

5
- Part 1 – Threat Modeling Overview
- Part 2 – Applying STRIDE to a System
- Part 3 – Applying DREAD to a System

6
- A way to evaluate and rank risks
- Evaluate each risk / threat for:
  - Damage
  - Reproducibility
  - Exploitability
  - Affected Users
  - Discoverability
- Details from https://www.owasp.org/index.php/Threat_Risk_Modeling

7 Damage: How much damage if it happens?
- 0 – None
- 5 – Individual User Data
- 10 – Complete System Destruction

8 Reproducibility: How easy is it to reproduce?
- 0 – Almost Impossible
- 5 – One or Two Steps / Authorized User
- 10 – Web Browser and Address – No Auth

9 Exploitability: What is needed to exploit the threat?
- 0 – Advanced Knowledge and Skills
- 5 – Malware Exists on Internet or Easy Exploit
- 10 – Only a Web Browser

10 Affected Users: How many users will be impacted?
- 0 – None
- 5 – Some Users, But Not All
- 10 – All Users

11 Discoverability: How easy is it to discover?
- 0 – Advanced Knowledge and Skills
- 5 – Easy to Guess or Find by Monitoring
- 9 – Details of Fault Public
- 10 – Details in URL

12
- Be Involved
- Don’t Monopolize
- Work Together

13
- Pick values for the risks from the previous sessions
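A worked DREAD scorer, added here as an example and not part of the slides: it checks each threat's five 0..10 ratings against the scale anchors above, computes the OWASP DREAD rating (the average of the five values), and ranks threats highest risk first. The three sample threats and their ratings are constructed for a hypothetical web application.

```python
from dataclasses import dataclass

CATEGORIES = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

# Scale anchors as given on the slides; OWASP DREAD rates every category 0..10.
ANCHORS = {
    "damage": {0: "None", 5: "Individual user data", 10: "Complete system destruction"},
    "reproducibility": {0: "Almost impossible", 5: "One or two steps / authorized user",
                        10: "Web browser and address, no auth"},
    "exploitability": {0: "Advanced knowledge and skills",
                       5: "Malware exists on Internet or easy exploit", 10: "Only a web browser"},
    "affected_users": {0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {0: "Advanced knowledge and skills", 5: "Easy to guess or find by monitoring",
                        9: "Details of fault public", 10: "Details in URL"},
}

@dataclass
class Threat:
    name: str
    ratings: dict  # category name -> integer 0..10, one entry per CATEGORIES member

def invalid_ratings(threat: Threat) -> list:
    """Categories that are missing or rated outside 0..10 (an integer rating is required)."""
    return [c for c in CATEGORIES
            if not (isinstance(threat.ratings.get(c), int) and 0 <= threat.ratings[c] <= 10)]

def dread_score(threat: Threat) -> float:
    """OWASP DREAD rating: (D + R + E + A + D) / 5, so the result is also on 0..10."""
    bad = invalid_ratings(threat)
    if bad:
        raise ValueError(f"{threat.name}: missing or out-of-range rating for {bad}")
    return sum(threat.ratings[c] for c in CATEGORIES) / len(CATEGORIES)

def nearest_anchor(category: str, value: int) -> str:
    """Slide anchor text closest to a rating; a tie goes to the higher anchor."""
    anchors = ANCHORS[category]
    return anchors[min(anchors, key=lambda a: (abs(a - value), -a))]

def rank_threats(threats: list) -> list:
    """(name, score) pairs, highest DREAD average first; ties broken by Damage, then name."""
    ordered = sorted(threats, key=lambda t: (-dread_score(t), -t.ratings["damage"], t.name))
    return [(t.name, dread_score(t)) for t in ordered]

# Constructed sample threats for a hypothetical web application (not from the slides).
SAMPLE_THREATS = [
    Threat("Session token exposed in URL", dict(zip(CATEGORIES, (5, 10, 10, 5, 10)))),
    Threat("Admin console with default password", dict(zip(CATEGORIES, (10, 5, 5, 10, 5)))),
    Threat("Stack trace shown on error page", dict(zip(CATEGORIES, (0, 10, 10, 0, 10)))),
]
```

Calling `rank_threats(SAMPLE_THREATS)` orders the three constructed threats 8.0, 7.0, 6.0; `nearest_anchor` maps an in-between rating back to the slide wording so reviewers can see which anchor a score is closest to.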
