Threat ModelingPart 2 – STRIDE

Brad Andrews , CISSP, CSSLPNorth Texas Cyber Security Conference

2015

Long time in the tech field Wide range of jobs – Defense, Online,

Banking, Airlines, Doc-Com, Medical, etc. 20+ Years software development

experience 10+ in Information Security M.S. and B.S. in Computer Science from the

University of Illinois Active Certifications – CISSP, CSSLP, CISM

Who Am I?

Work for one of the largest providers of pharmacy software and services in the country

Serve as Lead Faculty-Area Chair and for Information Systems Security for the University of Phoenix Online Campus

Carry out independent reading and research for my own company, RBA Communications

My Work

The views and opinions expressed in this session are mine and mine alone. They do

not necessarily represent the opinions of my employers or anyone associated with

anything!

My Opinions and Ideas Alone

Part 1 – Threat Modeling Overview Part 2 – Applying STRIDE to a System Part 3 – Applying DREAD to a System

Sessions Today

Types of Exploits / Motivations of Attacker A Guide, not a Firm Taxonomy

SpoofingTamperingRepudiation

Information DisclosureDenial of Service

Elevation of Privelege

What is STRIDE

Pretending to Be Something You are Not

Spoofing

Making Unauthorized Modifications

Tampering

Denying A Past ActionAvoiding Consequences

Repudiation

Unauthorized Data Exposure

Information Disclosure

Preventing Expected Access

Denial of Service

Unauthorized Rights

Elevation of Privilege

Be Involved Don’t Monopolize Work Together

Interactive Time

Find Risks for Chosen Systems

Note Some Risks

Questions?