Brad Andrews, CISSP, CSSLP North Texas Cyber Security … · 2016-07-10 · Long time in the tech...
Page 1
Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference
2015
Page 2
Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ Years software development experience
10+ in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active Certifications – CISSP, CSSLP, CISM
Page 3
Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications
Page 4
The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!
Page 5
Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System
Page 6
A way to evaluate and rank risks
Evaluate each risk / threat for:
Damage
Reproducibility
Exploitability
Affected Users
Discoverability
Details from https://www.owasp.org/index.php/Threat_Risk_Modeling
Page 7
How much damage if it happens?
0 – None
5 – Individual User Data
10 – Complete System Destruction
Page 8
How easy is it to reproduce?
0 – Almost Impossible
5 – One or Two Steps / Authorized User
10 – Web Browser and Address – No Auth
Page 9
What is needed to exploit the threat?
0 – Advanced Knowledge and Skills,
5 – Malware Exists on Internet or Easy Exploit
10 – Only a Web Browser
Page 10
How many users will be impacted?
0 – None,
5 – Some Users, But Not All
10 – All Users
Page 11
How easy to discover?
0 – Advanced Knowledge and Skills
5 – Easy to Guess or Find by Monitoring
9 – Details of Fault Public
10 – Details in URL
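An added example (not part of the slides) that turns the five scales above into a small scoring tool: it validates each factor against the 0–10 range, maps a score back to the nearest slide anchor for review, and ranks threats by the OWASP DREAD rating, which is the plain average of the five factor scores. The sample threats and their scores are constructed for illustration.

```python
# Added example: DREAD scorer built from the anchor points on the slides.
# The rating formula (average of the five factors) is OWASP's; the threats below are made up.
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

# Anchor descriptions transcribed from the slides, keyed by the score they represent.
ANCHORS = {
    "damage": {0: "None", 5: "Individual user data", 10: "Complete system destruction"},
    "reproducibility": {0: "Almost impossible", 5: "One or two steps / authorized user", 10: "Web browser and address, no auth"},
    "exploitability": {0: "Advanced knowledge and skills", 5: "Malware exists on Internet or easy exploit", 10: "Only a web browser"},
    "affected_users": {0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {0: "Advanced knowledge and skills", 5: "Easy to guess or find by monitoring", 9: "Details of fault public", 10: "Details in URL"},
}

def anchor(factor: str, value: int) -> str:
    """Description of the highest slide anchor at or below the given score (helps reviewers sanity-check a number)."""
    return ANCHORS[factor][max(k for k in ANCHORS[factor] if k <= value)]

@dataclass
class Threat:
    name: str
    scores: dict  # factor name -> integer 0..10

    def validate(self) -> None:
        missing = set(FACTORS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: missing factors {sorted(missing)}")
        for factor, value in self.scores.items():
            if factor not in FACTORS or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: bad score {factor}={value}")

    def dread(self) -> float:
        """OWASP DREAD rating: sum of the five factors divided by 5."""
        self.validate()
        return sum(self.scores[f] for f in FACTORS) / len(FACTORS)

def rank(threats):
    """Highest rating first; ties broken by name so reports are stable between runs."""
    return sorted(threats, key=lambda t: (-t.dread(), t.name))

# Constructed sample threats (hypothetical names and scores, not from the talk).
SAMPLE = [
    Threat("Unauthenticated admin endpoint", {"damage": 10, "reproducibility": 10, "exploitability": 5, "affected_users": 10, "discoverability": 9}),
    Threat("Error page leaks stack trace", {"damage": 5, "reproducibility": 10, "exploitability": 10, "affected_users": 5, "discoverability": 10}),
    Threat("Race in session cleanup", {"damage": 5, "reproducibility": 0, "exploitability": 0, "affected_users": 5, "discoverability": 0}),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.dread():5.1f}  {t.name}  (damage: {anchor('damage', t.scores['damage'])})")
```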
Page 12
Be Involved
Don’t Monopolize
Work Together
Page 13
Pick values for the risks from the previous sessions