threat modeling part 2 - stride
Threat Modeling Part 2 – STRIDE
Brad Andrews, CISSP, CSSLP
North Texas Cyber Security Conference
2015
Who Am I?
Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ years software development experience
10+ in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active Certifications – CISSP, CSSLP, CISM
My Work
Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications
My Opinions and Ideas Alone
The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!
Sessions Today
Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System
What is STRIDE
Types of Exploits / Motivations of Attacker
A Guide, not a Firm Taxonomy
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Spoofing
Pretending to Be Something You Are Not
Tampering
Making Unauthorized Modifications
Repudiation
Denying a Past Action
Avoiding Consequences
Information Disclosure
Unauthorized Data Exposure
Denial of Service
Preventing Expected Access
Elevation of Privilege
Unauthorized Rights
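The slides give the six STRIDE categories and their one-line meanings; what they do not show is how the categories are walked across a real system in the "Applying STRIDE to a System" session. The script below is an added example, not material from the talk or from Brad Andrews. It uses the STRIDE-per-element practice from the Microsoft SDL (external entities, processes, data stores and data flows each get a fixed subset of the six letters), which goes beyond what the deck states and is labelled as such in the code. The browser / web app / database system, its trust zones and the two noted risks are constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# The six STRIDE categories, with the one-line meanings from the slides.
STRIDE = {
    "S": "Spoofing - pretending to be something you are not",
    "T": "Tampering - making unauthorized modifications",
    "R": "Repudiation - denying a past action",
    "I": "Information Disclosure - unauthorized data exposure",
    "D": "Denial of Service - preventing expected access",
    "E": "Elevation of Privilege - unauthorized rights",
}

# STRIDE-per-element: which categories are worth asking about for each kind of
# data-flow-diagram element. This mapping is the Microsoft SDL practice, not
# something the slides state; it is the usual way "applying STRIDE" is done.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R: a store (e.g. a log) may fail to prove what happened
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # key of PER_ELEMENT (data flows are modelled via Flow below)
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


def enumerate_threats(elements, flows):
    """Return {target_name: [category letters]} for every element and flow.

    This does not decide whether a threat is real; it produces the checklist
    a review team walks through together.
    """
    threats = {}
    for el in elements:
        threats[el.name] = list(PER_ELEMENT[el.kind])
    for fl in flows:
        threats[fl.name] = list(PER_ELEMENT["data_flow"])
    return threats


def boundary_flows(flows):
    """Flows that cross a trust zone: the first place to look for S, T and I."""
    return [fl.name for fl in flows if fl.crosses_boundary()]


def note_risk(threats, target, letter, description, notes=None):
    """Record a concrete risk, rejecting anything outside the enumerated checklist.

    Tying every noted risk to a (target, STRIDE letter) pair keeps the
    workshop output traceable back to the model.
    """
    if letter not in STRIDE:
        raise ValueError(f"{letter!r} is not a STRIDE category")
    if letter not in threats.get(target, []):
        raise ValueError(f"{STRIDE[letter].split(' - ')[0]} does not apply to {target!r}")
    notes = notes if notes is not None else []
    notes.append((target, letter, description))
    return notes


def report(threats, notes):
    """Group checklist items by category, marking each as noted or still open."""
    by_cat = defaultdict(list)
    noted = {(t, l) for t, l, _ in notes}
    for target, letters in threats.items():
        for l in letters:
            by_cat[l].append((target, "noted" if (target, l) in noted else "open"))
    return dict(by_cat)


# Constructed sample system: a browser talking to a web app backed by a database.
BROWSER = Element("Browser", "external_entity", "internet")
WEBAPP = Element("Web App", "process", "dmz")
DB = Element("Orders DB", "data_store", "internal")
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [Flow("HTTPS request", BROWSER, WEBAPP), Flow("SQL query", WEBAPP, DB)]


def sample_model():
    """Build the checklist for the sample system and note two constructed risks."""
    threats = enumerate_threats(ELEMENTS, FLOWS)
    notes = note_risk(threats, "HTTPS request", "T",
                      "request parameters could be altered in transit if TLS is misconfigured")
    notes = note_risk(threats, "Web App", "E",
                      "authorization enforced in the UI only, not on the server", notes)
    return threats, notes


if __name__ == "__main__":
    threats, notes = sample_model()
    print("Boundary-crossing flows:", boundary_flows(FLOWS))
    for letter, items in report(threats, notes).items():
        print(STRIDE[letter])
        for target, status in items:
            print(f"  [{status:5}] {target}")
```

Run as-is it prints the checklist grouped by category, with the two noted risks marked and everything else left open; `note_risk` refuses a pair the model does not allow (for example Elevation of Privilege against the external Browser entity), which is the check that keeps a group session from drifting off the model.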
Interactive Time
Be Involved
Don’t Monopolize
Work Together
Find Risks for Chosen Systems
Note Some Risks
Questions?