Threat Profiling For Cyber Security and information security programs

Published in: Business, Technology

Transcript

  • 1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Created by: Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor
  • 2. Threats can come from anywhere: internally, externally, employees, contractors, partners, service providers, the cloud, robots, and even nature.
  • 3. [Diagram: Threat Agents: Human, Non-Human, Acts of Nature; Deliberate, Accidental] Threats can come from anywhere, but generally fall under three categories: human, non-human, and nature. Threats can also be deliberate or accidental.
  • 4. Threat profiling should always begin by understanding the organization's assets. I generally group these assets into six categories: people, information, software, hardware, telecommunications and facilities. Threat profiling needs to quantify assets, attack vectors like physical access, threat sources/actors, motivation and potential impacts.
  • 5. Threat profiling needs to quantify the goals and outcomes of a threat against organizational assets to understand the potential attack vectors and counter them.
  • 6. Threat profiling helps the organization to prepare by planning, training and developing risk-mitigating strategies, including countermeasures to prevent successful attacks that negatively impact the organization.
  • 7. Threat Description: Description of the threat or vulnerability, including details as described within the Security Management System and its asset inventory. Threats are assessed against five criteria to determine "is it a real threat?":
      • Knowledge/Intelligence: What knowledge does the threat agent have about the target?
      • Skill: What skills are required to exploit the matching vulnerability?
      • Resource: How many individuals need to be involved in the exploit?
      • Capability: Does the threat agent have access to people and/or technology to be successful?
      • Motive: What rationale would drive the exploitation?
    Asset at Risk: Data, information or knowledge in digital or hardcopy form, intellectual property, intellectual capital, software, and hardware that maintain a value to the organization (information in electronic or physical form, information systems, a group of people with unique expertise).
    Attack Vector: Who or what maintains the ability to circumvent the security perimeter will also be contingent upon the channels that are available and the strength of each security layer. Threat agents can leverage attack vectors from inside or outside the organization.
  • 8. Threat profile template, completed for an example threat:
      • Threat Description: On April 7, 2014, it was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series before 1.0.1g, had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
      • Asset(s) at Risk: 64 kilobytes of information traversing telecommunication lines or wireless
      • Attack Vector: TCP/IP or OSI - Transport Layer Security (TLS)
      • Threat Source: Human, Non-human, Nature.
      • Existing Risk Mitigating Controls:
      • Threat/Risk Rating:
  • 9. The assessment and quantification of threats will be used in determining a risk rating to the organization. In the example below we used a simple yet effective three-level rating scale (high, medium and low) to assess five key elements associated with threats. The assessment of this threat was rated as 67%. The threat rating can be used in conjunction with a pre-established, management-approved risk appetite to determine whether immediate corrective action should be taken or whether the threat can be prioritized for follow-up preventive action at a later date.
  • 10. Attack Vector: Who or what maintains the ability to circumvent the security perimeter will also be contingent upon the vulnerabilities that are available, in addition to the strength of each security layer. Threat agents can leverage attack vectors from inside or outside the organization. The attack vector may be contingent on how effectively we manage vulnerabilities, which can be assessed based on the following criteria:
    Consequence:
      a) Lost Confidentiality: Will exploitation of this vulnerability result in disclosure of sensitive or classified data, information or knowledge to unauthorized persons?
      b) Lost Availability: Will exploitation of this vulnerability result in the inability to access data, information or knowledge?
      c) Lost Integrity: Will exploitation of this vulnerability result in the corruption or destruction of data, information or knowledge?
    Impact:
      a) Severity: Will exploitation of this vulnerability result in legal action, unplanned expenses, financial losses or damage to the organization's reputation?
      b) Exposure: May exploitation of this vulnerability exceed current insurance coverage or the risk-mitigating controls managed by our security program?
  • 11. This step of the threat profile assessment is used to determine a vulnerability rating that will be combined with the threat rating. In the example below we use a simple yet effective three-level rating scale (high, medium and low) to assess five key elements which contribute to every vulnerability. This example has assessed the organization's vulnerability at 67%. The vulnerability rating is combined with the threat rating and control effectiveness to determine whether immediate corrective action should be taken or whether the vulnerability can be remediated and prioritized as a preventive action to be completed at a later date.
  • 12. Assessing existing control effectiveness is crucial to ensuring that unnecessary controls are not imposed, leading to negative impacts on the organization's agility and resilience. Unnecessary controls can also drive up operational costs and unplanned expenses. There are literally thousands of threats to most organizations. Organizations with higher-value assets maintain higher risks. Most organizations have already invested time and effort in the adoption and design of risk-mitigating controls, which need to be leveraged. The scale for assessing these controls is based on a proven capability and maturity model. Evidence may also be gathered from previous assessments and testing of these controls to further refine the threat profiling process.
      • Fully matured, level 5 = business process documented, improved, and reported on to Executive or BoD.
      • Implemented and managed, level 4 = business process documented and reported on to Executive or BoD.
      • Implemented, level 3 = business process documented only.
      • Partly implemented, level 2 = business process documented only.
      • Non-existent, level 1 = business process executed through tacit knowledge, otherwise known as tribal knowledge.
  • 14. Threat profile template, completed for the example threat with its existing controls:
      • Threat Description: On April 7, 2014, it was announced that OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series before 1.0.1g, had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. Its CVE number is CVE-2014-0160.
      • Asset(s) at Risk: 64 kilobytes of information traversing telecommunication lines or wireless
      • Attack Vector: TCP/IP or OSI - Transport Layer Security (TLS)
      • Threat Source: Human, Non-human, Nature.
      • Existing Risk Mitigating Controls: Implemented and managed, level 4
      • Threat/Risk Rating:
  • 15. Skype: Mark_E_S_Bernard; Twitter: @Security_KM; LinkedIn: http://ca.linkedin.com/in/markesbernard
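
The rating steps in slides 9 to 12 can be carried through as a small worksheet. This is an added example, not the author's scoring model: the numeric values for high/medium/low, the way the two ratings and the control maturity level are combined, the risk appetite of 30%, and the individual ratings shown for the OpenSSL Heartbeat profile are all assumptions chosen so that both ratings come out at the 67% quoted in the slides.

```python
# Added example: every formula below is an assumption, not the deck's own method.
SCALE = {"low": 1, "medium": 2, "high": 3}   # assumed values for the three-level scale
THREAT_CRITERIA = ("knowledge", "skill", "resource", "capability", "motive")
VULN_CRITERIA = ("confidentiality", "availability", "integrity", "severity", "exposure")


def rating(scores, criteria):
    """Return the score as a percentage of the maximum (every criterion rated high)."""
    if set(scores) != set(criteria):
        raise ValueError(f"expected exactly these criteria: {criteria}")
    total = sum(SCALE[scores[name].lower()] for name in criteria)
    return round(100 * total / (len(criteria) * SCALE["high"]))


def residual_risk(threat_pct, vuln_pct, maturity_level):
    """Average both ratings, then discount by control maturity (levels 1 to 5).

    Assumed discount: level 1 leaves 100% of the combined rating, level 5 leaves 20%.
    """
    if maturity_level not in range(1, 6):
        raise ValueError("maturity level must be 1..5")
    combined = (threat_pct + vuln_pct) / 2
    return round(combined * (6 - maturity_level) / 5)


def action(residual_pct, risk_appetite_pct):
    """Above appetite: corrective action now. Otherwise: scheduled preventive action."""
    return "corrective" if residual_pct > risk_appetite_pct else "preventive"


# Constructed ratings for the CVE-2014-0160 profile; not the author's values.
THREAT = {"knowledge": "high", "skill": "medium", "resource": "low",
          "capability": "medium", "motive": "medium"}
VULN = {"confidentiality": "high", "availability": "low", "integrity": "low",
        "severity": "high", "exposure": "medium"}

if __name__ == "__main__":
    t, v = rating(THREAT, THREAT_CRITERIA), rating(VULN, VULN_CRITERIA)
    r = residual_risk(t, v, maturity_level=4)   # "Implemented and managed, level 4"
    print(f"threat={t}% vulnerability={v}% residual={r}% -> {action(r, 30)} action")
```

Under these assumptions the same threat with level 1 controls stays at 67% and exceeds the appetite, which is the case the slides describe as needing immediate corrective action.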
