Week 3 CYBR650 Blog - Identifying Attacks
High Tech, Low Tech, or No Tech… There are countless paths to compromise
There was a lot of great information on analyzing threats in this week’s readings. As I am also taking the Risk Management course, I have seen several different approaches to identifying threats and multiple takes on how to threat model. Interestingly, one of the more engaging reads this week was from 1999. In a Schneier on Security article about modeling security threats, Bruce Schneier dropped a very interesting line: “in truth, unbreakable security is broken all the time, often in ways its designers never imagined.” That really is the name of the game. We obviously can’t imagine everything when it comes to threats, but that really should be the goal. No stone unturned, and no idea too farfetched.
Who are you securing your system from?
That article was about attack trees, a method I find excellent for provoking brainstorming about “the art of the possible” when it comes to attacks. It isn’t the be-all end-all threat modeling method; however, it should definitely be a piece of the puzzle. It lets you model against a specific attacker goal, which I think aids in exploring every way to achieve that goal, provoking that critical brainstorming piece. Are there technical exploits? Are there users with access who could become compromised? Are there ways to completely circumvent security? Some examples of different attack trees you can create:
How do you protect your database from insider threat?
How do you protect the website from a hacker in another country?
How do you protect your website against compromise by business competitors?
For each one of these, an attack tree lets you draw lines to all of the possible goals an enemy could hope to achieve against you. This takes some time and, more importantly, a strong sense of both your enemy’s motives and capabilities along with your own assets and defensive measures.
The Attack Tree “So What”
Ultimately, threat modeling has to feed back into the risk management process somewhere. It is great to understand the different types of attacks and how they might be executed, but to provide useful feedback into the process the threat analysis should be able to identify some key metrics. Labels such as most probable, most dangerous, most expensive and least expensive can be assigned to the different nodes within an attack tree. Ultimately you want to be able to rack and stack these threats so you can assign the appropriate resources to countering them.
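As an added example (not from this post, and not Schneier’s or Amenaza’s code), here is a small Python evaluator that does the “rack and stack” described above: it expands an AND/OR attack tree into every distinct path to the root goal, totals the cost and likelihood of each path, and labels the least expensive, most expensive and most probable ones. The tree, node names and figures are constructed placeholders for the “protect your database from insider threat” question, and the likelihood arithmetic assumes the steps of an AND node are independent.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple

Scenario = Tuple[Tuple[str, ...], float, float]  # (leaf steps, total cost, likelihood)

@dataclass
class Node:
    name: str
    kind: str = "leaf"     # "leaf", "or" (any child suffices) or "and" (all children required)
    cost: float = 0.0      # leaf only: analyst's estimate of attacker effort (placeholder units)
    prob: float = 0.0      # leaf only: analyst's estimate of likelihood, 0..1
    children: List["Node"] = field(default_factory=list)

def scenarios(node: Node) -> List[Scenario]:
    """Expand the tree into every distinct path to the root goal."""
    if node.kind == "leaf":
        return [((node.name,), node.cost, node.prob)]
    subs = [scenarios(c) for c in node.children]
    if node.kind == "or":                      # any child path is a path to this node
        return [s for sub in subs for s in sub]
    combined: List[Scenario] = []              # "and": one path from each child, combined
    for combo in product(*subs):
        steps = tuple(n for leaves, _, _ in combo for n in leaves)
        cost = sum(c for _, c, _ in combo)     # every step must be paid for
        prob = 1.0
        for _, _, p in combo:
            prob *= p                          # assumes steps are independent (simplification)
        combined.append((steps, cost, prob))
    return combined

def rack_and_stack(root: Node) -> dict:
    """Pick out the scenarios the post wants labelled so resources can be prioritised."""
    s = scenarios(root)
    return {
        "least_expensive": min(s, key=lambda x: x[1]),
        "most_expensive": max(s, key=lambda x: x[1]),
        "most_probable": max(s, key=lambda x: x[2]),
    }

# Constructed illustration of the post's "protect your database" tree; figures are placeholders.
TREE = Node("Read customer database", "or", children=[
    Node("Insider misuses legitimate access", "and", children=[
        Node("Insider holds a database role", cost=1, prob=0.4),
        Node("Export not caught by audit logging", cost=2, prob=0.5),
    ]),
    Node("Exploit a technical flaw", "and", children=[
        Node("Vulnerable service reachable", cost=5, prob=0.3),
        Node("Working exploit obtained", cost=20, prob=0.2),
    ]),
    Node("Bypass controls through a third party", cost=12, prob=0.3),
])
```

Calling `rack_and_stack(TREE)` on this tree labels the insider path least expensive, the exploit path most expensive and the third-party path most probable, which is the kind of output you would carry into the risk register.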
On a final note, I found multiple sources for software to help build out an attack tree. This might seem like a task that can be performed in PowerPoint or Visio, but those would eventually prove inadequate as the tree and its associated metadata grow. SecurITree by Amenaza is commercially licensed attack tree software that appears to be extremely robust. It offers a Capabilities-based Attack Tree Threat Risk Analysis, which allows you to plan out protection based on the capabilities of your known adversaries.