North Texas Chapter of the ISSA, profile picture
Uploaded byNorth Texas Chapter of the ISSA
PPTX, PDF1,889 views

NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews

The document features a presentation by Brad Andrews at the North Texas Cyber Security Conference 2015, detailing his extensive experience in technology and information security. It outlines key parts of threat modeling, specifically applying STRIDE and DREAD frameworks for evaluating risks based on various criteria such as damage, reproducibility, and discoverability. Andrews emphasizes collaboration and participation in discussions on risk evaluation.

Embed presentation

Downloaded 76 times
Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015
 Long time in the tech field  Wide range of jobs – Defense, Online, Banking, Airlines, Doc-Com, Medical, etc.  20+ Years software development experience  10+ in Information Security  M.S. and B.S. in Computer Science from the University of Illinois  Active Certifications – CISSP, CSSLP, CISM
 Work for one of the largest providers of pharmacy software and services in the country  Serve as Lead Faculty-Area Chair and for Information Systems Security for the University of Phoenix Online Campus  Carry out independent reading and research for my own company, RBA Communications
The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!
 Part 1 – Threat Modeling Overview  Part 2 – Applying STRIDE to a System  Part 3 – Applying DREAD to a System
 A way to evaluate and rank risks  Evaluate each risk / threat for: Damage Reproducibility Exploitability Affected Users Discoverability Details from https://www.owasp.org/index.php/Threat_Risk_Modeling
How much damage if it happens? 0 – None, 5 - Individual User Data, 10 – Complete System Destruction
How easy is it to reproduce? 0 – Almost Impossible, 5 – One or Two Steps / Authorized User, 10 – Web Browser and Address – No Auth
What is need to exploit the threat? 0 – Advanced Knowledge and Skills, 5 – Malware Exists on Internet or Easy Exploit 10 – Only a Web Browser
How many users will be impacted? 0 – None, 5 – Some Users, But Not All 10 – All Users
How easy to discover? 0 – Advanced Knowledge and Skills, 5 – Easy to Guess or Find by Monitoring, 9 – Details of Fault Public 10 – Details in URL
 Be Involved  Don’t Monopolize  Work Together
 Pick values for the risks from the previous sessions
NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews

More Related Content

PPTX
NTXISSACSC2 - Threat Modeling Part 2 - STRIDE by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PPTX
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
PPTX
A Brief Introduction to Penetration Testing
byEC-Council
 
PPT
Executive Information Security Training
byAngela Samuels
 
PPTX
Threat Modelling And Threat Response
byVivek Jindaniya
 
PPTX
Network Security for Employees
byOPSWAT
 
PPTX
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PPTX
BSidesTO 2016 - Incident Tracking
byJudy Nowak, OSCP, GCIH, CISSP
 
NTXISSACSC2 - Threat Modeling Part 2 - STRIDE by Brad Andrews
byNorth Texas Chapter of the ISSA
 
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
byNorth Texas Chapter of the ISSA
 
A Brief Introduction to Penetration Testing
byEC-Council
 
Executive Information Security Training
byAngela Samuels
 
Threat Modelling And Threat Response
byVivek Jindaniya
 
Network Security for Employees
byOPSWAT
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
BSidesTO 2016 - Incident Tracking
byJudy Nowak, OSCP, GCIH, CISSP
 

What's hot

PDF
Anatomy of a cyber attack
byMark Silver
 
PDF
Customer information security awareness training
byAbdalrhmanTHassan
 
PDF
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
byEC-Council
 
PDF
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
byAujas
 
PDF
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
PDF
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
PPTX
Petya Ransomware
bySiemplify
 
PDF
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
byEC-Council
 
PPTX
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
byOutpost24
 
PPTX
Are Your IT Systems Secure?
byNex-Tech
 
PDF
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
bySarah Vanier
 
PDF
Cybersecurity Series - Cyber Defense for Internal Auditors
byJim Kaplan CIA CFE
 
PDF
Security Firm Program - Corporate College
byWorkSmart Integrated Marketing
 
PPTX
Proatively Engaged: Questions Executives Should Ask Their Security Teams
byFireEye, Inc.
 
PDF
IT security in 2021: Why Ransomware Is Still The Biggest Threat
byETech 7
 
PPTX
Skills that make network security training easy
byEC-Council
 
PPTX
Secure Data Workflow
byOPSWAT
 
PPT
Module0&1 intro-foundations-b
byBbAOC
 
PDF
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
byEC-Council
 
PDF
Incident Response: How To Prepare
byResilient Systems
 
Anatomy of a cyber attack
byMark Silver
 
Customer information security awareness training
byAbdalrhmanTHassan
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
byEC-Council
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
byAujas
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
Petya Ransomware
bySiemplify
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
byEC-Council
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
byOutpost24
 
Are Your IT Systems Secure?
byNex-Tech
 
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
bySarah Vanier
 
Cybersecurity Series - Cyber Defense for Internal Auditors
byJim Kaplan CIA CFE
 
Security Firm Program - Corporate College
byWorkSmart Integrated Marketing
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
byFireEye, Inc.
 
IT security in 2021: Why Ransomware Is Still The Biggest Threat
byETech 7
 
Skills that make network security training easy
byEC-Council
 
Secure Data Workflow
byOPSWAT
 
Module0&1 intro-foundations-b
byBbAOC
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
byEC-Council
 
Incident Response: How To Prepare
byResilient Systems
 

Similar to NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews

PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPT
Application Threat Modeling
byMarco Morana
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PPTX
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
PDF
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PPTX
Understanding the security_organization
byDan Morrill
 
PPTX
Injecting Threat Modeling into the SDLC by Susan Bradley
byQA or the Highway
 
PDF
System Security Beyond the Libraries
byEoin Woods
 
PDF
Threat_Modelling.pdf
byMarlboroAbyad
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Application Threat Modeling
byMarco Morana
 
Application Threat Modeling In Risk Management
byMel Drews
 
Threat Modeling And Analysis
byLalit Kale
 
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Application Threat Modeling
byPriyanka Aash
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Architecting for Security Resilience
byJoel Aleburu
 
Understanding the security_organization
byDan Morrill
 
Injecting Threat Modeling into the SDLC by Susan Bradley
byQA or the Highway
 
System Security Beyond the Libraries
byEoin Woods
 
Threat_Modelling.pdf
byMarlboroAbyad
 
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 

More from North Texas Chapter of the ISSA

PDF
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
byNorth Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 gold 4 beyond detection and prevension remediation
byNorth Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 7 protecting the cloud with cep
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 5-insider threat-_andy_thompson
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 gold 1 mimecast e mail resiliency
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
byNorth Texas Chapter of the ISSA
 
PPTX
Purple seven-ntxissacsc5 walcutt
byNorth Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
byNorth Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
byNorth Texas Chapter of the ISSA
 
Purple seven-ntxissacsc5 walcutt
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
byNorth Texas Chapter of the ISSA
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
byNorth Texas Chapter of the ISSA
 

Recently uploaded

PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PPTX
Anti-DDoS Service Introduction(Customer Version) - 2025(1).pptx
bybunhongkruy
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Anti-DDoS Service Introduction(Customer Version) - 2025(1).pptx
bybunhongkruy
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 

NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews

  • 1.
    Brad Andrews, CISSP,CSSLP North Texas Cyber Security Conference 2015
  • 2.
     Long timein the tech field  Wide range of jobs – Defense, Online, Banking, Airlines, Doc-Com, Medical, etc.  20+ Years software development experience  10+ in Information Security  M.S. and B.S. in Computer Science from the University of Illinois  Active Certifications – CISSP, CSSLP, CISM
  • 3.
     Work forone of the largest providers of pharmacy software and services in the country  Serve as Lead Faculty-Area Chair and for Information Systems Security for the University of Phoenix Online Campus  Carry out independent reading and research for my own company, RBA Communications
  • 4.
    The views andopinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!
  • 5.
     Part 1– Threat Modeling Overview  Part 2 – Applying STRIDE to a System  Part 3 – Applying DREAD to a System
  • 6.
     A wayto evaluate and rank risks  Evaluate each risk / threat for: Damage Reproducibility Exploitability Affected Users Discoverability Details from https://www.owasp.org/index.php/Threat_Risk_Modeling
  • 7.
    How much damageif it happens? 0 – None, 5 - Individual User Data, 10 – Complete System Destruction
  • 8.
    How easy isit to reproduce? 0 – Almost Impossible, 5 – One or Two Steps / Authorized User, 10 – Web Browser and Address – No Auth
  • 9.
    What is needto exploit the threat? 0 – Advanced Knowledge and Skills, 5 – Malware Exists on Internet or Easy Exploit 10 – Only a Web Browser
  • 10.
    How many userswill be impacted? 0 – None, 5 – Some Users, But Not All 10 – All Users
  • 11.
    How easy todiscover? 0 – Advanced Knowledge and Skills, 5 – Easy to Guess or Find by Monitoring, 9 – Details of Fault Public 10 – Details in URL
  • 12.
     Be Involved Don’t Monopolize  Work Together
  • 13.
     Pick valuesfor the risks from the previous sessions