2 cissp ® Official Study Guide Eighth Edition

Threat Modeling Approaches

Download 19,3 Mb.

Pdf ko'rish

bet	598/881
Sana	08.04.2023
Hajmi	19,3 Mb.
	#925879

1 ... 594 595 596 597 598 599 600 601 ... 881

Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Threat Modeling Approaches
There’s an almost infinite possibility of threats, so it’s difficult to use a structured approach
to identify relevant threats. Instead, many organizations use one or more of the following
three approaches to identify threats:
Focused on Assets
This method uses asset valuation results and attempts to identify
threats to the valuable assets. Personnel evaluate specific assets to determine their suscep-
tibility to attacks. If the asset hosts data, personnel evaluate the access controls to identify
threats that can bypass authentication or authorization mechanisms.
Focused on Attackers
Some organizations identify potential attackers and identify the
threats they represent based on the attacker’s goals. For example, a government is often
able to identify potential attackers and recognize what the attackers want to achieve.
They can then use this knowledge to identify and protect their relevant assets. This is
becoming increasingly more difficult, though, with so many APTs sponsored by foreign
nation states.
Focused on Software
If an organization develops software, it can consider potential
threats against the software. While organizations didn’t commonly develop their own
software years ago, it’s common to do so today. Specifically, most organizations have a
web presence, and many create their own websites. Fancy websites attract more traffic,
but they also require more sophisticated programming and present additional threats.
Chapter 21, “Malicious Code and Application Attacks,” covers application attacks and
web application security.
Identifying Vulnerabilities
After identifying valuable assets and potential threats, an organization will perform
vulner-
ability analysis
. In other words, it attempts to discover weaknesses in these systems against

Understanding Access Control Attacks
641
potential threats. In the context of access control, vulnerability analysis attempts to identify
the strengths and weaknesses of the different access control mechanisms and the potential
of a threat to exploit a weakness.
Vulnerability analysis is an ongoing process and can include both technical and admin-
istrative steps. In larger organizations, specific individuals may be doing vulnerability
analysis as a full-time job. They regularly perform vulnerability scans, looking for a wide
variety of vulnerabilities, and report the results. In smaller organizations, a network
administrator may run vulnerability scans on a periodic basis, such as once a week or
once a month.
A risk analysis will often include a vulnerability analysis by evaluating systems and the
environment against known threats and vulnerabilities, followed by a penetration test to
exploit vulnerabilities. Chapter 16, “Managing Security Operations,” provides more details
on using vulnerability scans and vulnerability assessments as part of overall vulnerability
management.

Download 19,3 Mb.

Do'stlaringiz bilan baham:

1 ... 594 595 596 597 598 599 600 601 ... 881