Brad Andrews, a cybersecurity expert with over 20 years of software development and a decade in information security, presented at the North Texas Cyber Security Conference 2015. The session focused on threat modeling, specifically the STRIDE and DREAD methodologies, and discussed various types of exploits and attacker motivations. Andrews emphasized collaboration and risk identification in security practices.

1. Brad Andrews , CISSP, CSSLP
North Texas Cyber Security Conference
2015

2.  Long time in the tech field
 Wide range of jobs – Defense, Online,
Banking, Airlines, Doc-Com, Medical, etc.
 20+ Years software development experience
 10+ in Information Security
 M.S. and B.S. in Computer Science from the
University of Illinois
 Active Certifications – CISSP, CSSLP, CISM

3.  Work for one of the largest providers of
pharmacy software and services in the
country
 Serve as Lead Faculty-Area Chair and for
Information Systems Security for the
University of Phoenix Online Campus
 Carry out independent reading and research
for my own company, RBA Communications

4. The views and opinions expressed in this
session are mine and mine alone. They do
not necessarily represent the opinions of my
employers or anyone associated with
anything!

5.  Part 1 – Threat Modeling Overview
 Part 2 – Applying STRIDE to a System
 Part 3 – Applying DREAD to a System

6.  Types of Exploits / Motivations of Attacker
 A Guide, not a Firm Taxonomy
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privelege

7. Pretending to Be Something You are Not

8. Making Unauthorized Modifications

9. Denying A Past Action
Avoiding Consequences

10. Unauthorized Data Exposure

11. Preventing Expected Access

12. Unauthorized Rights

13.  Be Involved
 Don’t Monopolize
 Work Together

14.  Find Risks for Chosen Systems