5. SACON
Sensitivity: Confidential
What is security architecture?
• A Security Architecture is a cohesive security design, which
addresses the requirements (e.g. authentication, authorisation,
etc.) – and in particular the risks of a particular
environment/scenario, and specifies what security controls are to
be applied where.
• Security architecture is a unified security design that addresses the
necessities and potential risks involved in a certain scenario or
environment. It also specifies when and where to apply security
controls. The design process is generally reproducible.
• Traditionally, security architecture consists of some preventive,
detective and corrective controls that are implemented to protect
the enterprise infrastructure and applications..
28. SACON
Sensitivity: Confidential
Threat agent Risk assessment
1. What is the purpose of TARA?
2. Why should my organisation incorporate TARA?
3. What are the primary benefits of TARA?
• Greatly distilling the cloud of potential attacks, down to a manageable list of likely attacks
• Improving the quality of risk and control evaluations, to better understand the value of security investments
• Communicating risks and recommendations to management and non-security audiences
TARA is highly customizable by the user and can help provide relevant information necessary for management to make good security
decisions.
4. Is TARA a tool, application, device, or checklist?
• TARA is a way of analysing risks (risk of loss) based upon the relationship between attacker’s capability and desire to cause loss, the
applicable vulnerabilities, controls, and the residual exposures. The method can be incorporated into risk analysis tools,
applications, and processes.
5. How can I use TARA to communicate risks to non-security audiences?
• TARA results in an easily understandable story of risk. Even non-security audiences have readily embraced the outputs of TARA as it
helps them to understand the sometimes vast and complex world of security risks.
•
38. SACON
Sensitivity: Confidential
Threat agent Risk assessment
• Privileged insider threat profile
Factor Value
Motive Personal or financial gain
Primary intent Steal corporate IP
Sponsorship Acts individually
Preferred general target characteristics Valuable corporate IP and customer data
Preferred targets Systems where they have privileged access
Capability Technically proficient
Personal risk tolerance Low. They do not want to be caught
Concern for collateral damage High