THREATS
Developing a Threat Profile - Understand who may be interested in your data
Threat actors (internal or external):
- Nation States
- Organized Crime
- Lone Hackers
- Hacktivists
- Competitors
- Former Employees
Motivations:
- Competitive intelligence
- Cyberespionage
- Financial Gain
- Reputational Impact
- Attacker reputation-building
Developing a Threat Profile
Threat modeling methods are used to create:
- An abstraction of the system
- A profile of the potential attackers, including their goals and methods
- A catalogue of the potential threats that may arise
THREAT | PROPERTY VIOLATED | THREAT DEFINITION
---|---|---
Spoofing identity | Authentication | Pretending to be something or someone other than yourself
Tampering with data | Integrity | Modifying something on disk, on the network, in memory, or elsewhere
Repudiation | Non-repudiation | Claiming that you did not do something or were not responsible; the claim can be honest or false
Information disclosure | Confidentiality | Providing information to someone not authorized to access it
Denial of service | Availability | Exhausting resources needed to provide a service
Elevation of privilege | Authorization | Allowing someone to do something they are not authorized to do
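Added example (not from the original deck): the three threat-modeling outputs above can be produced mechanically from a data-flow diagram using the standard STRIDE-per-element mapping. The diagram below is a constructed web-application abstraction; the element names are assumptions.

```python
# STRIDE-per-element threat enumeration over a small, constructed data-flow diagram.
# Output is a threat catalogue: (element, threat, property violated).
from dataclasses import dataclass

STRIDE = {
    "S": ("Spoofing identity", "Authentication"),
    "T": ("Tampering with data", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# Standard STRIDE-per-element mapping: which categories each DFD element type
# is subject to. Repudiation on a data store only matters when it holds logs.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

@dataclass
class Element:
    name: str
    kind: str               # one of the PER_ELEMENT keys
    holds_logs: bool = False  # only meaningful for data_store

def enumerate_threats(elements):
    """Return the threat catalogue for a list of DFD elements."""
    catalogue = []
    for el in elements:
        for letter in PER_ELEMENT[el.kind]:
            # skip repudiation for data stores that are not audit/log stores
            if letter == "R" and el.kind == "data_store" and not el.holds_logs:
                continue
            threat, prop = STRIDE[letter]
            catalogue.append((el.name, threat, prop))
    return catalogue

# Constructed system abstraction (assumed names, for illustration only).
SAMPLE_DFD = [
    Element("Browser user", "external_entity"),
    Element("Web app", "process"),
    Element("HTTPS request", "data_flow"),
    Element("Customer DB", "data_store"),
    Element("Audit log", "data_store", holds_logs=True),
]

if __name__ == "__main__":
    for name, threat, prop in enumerate_threats(SAMPLE_DFD):
        print(f"{name:14} {threat:24} violates {prop}")
```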
Identifying Assets and Threat Profile
How do we know whether the client needs this service?
- Absence of dedicated security personnel
- Security risks are not documented
- The relationship between business and security objectives is not clearly understood
- Future security needs are not documented
- Inconsistent decision making regarding security
- Security risk management procedures are not documented
- Application or system security requirements are not documented
- Threat analysis is not consistently used as part of the development lifecycle
- No procedure is documented for applying security standards to applications or systems
- The desired/required security posture of a system is not documented
- The security risk management process is not standardized
- Security practices are not integrated with project, release, change, or IT operations processes
- Security SAST, DAST, RASP, IAST technologies are not in place
- Security policies and standards are not documented
- Security documentation has not been reviewed in more than 12 months
- A documentation review schedule does not exist
- There is no methodology to define policies and standards as they relate to business needs
- A penetration test is not required by some regulatory body
- A penetration test has not been conducted in over a year
- Penetration tests are not required as part of the testing phase of the SDLC for critical and highly sensitive systems
- Practices are not in place to ensure security requirements are implemented as designed (traceability)
Security Tech Stack - Defense in depth and layered levels of security can be complex and costly
Security Technology Considerations
- Do I have multiple vendors supplying the same capabilities?
- Am I building defense in depth?
- Are solution providers listening to my needs/requirements?
Security Technology Categories: examples
- Endpoint or Antivirus software
- Cloud Email Security or Advanced Threat Protection
- Authentication and password security
- Biometrics
- Encryption
- Firewalls (hardware or software)
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Security Awareness Training
- Virtual private network (VPN)
- Intrusion Prevention Systems (IPS)
Cyber Security Strategy - Service Models
CYBER SECURITY STRATEGY STAGES
E1
Minimum security level
- Recommendations
- Application
- Infrastructure
- Monitoring
- QuickHits
- Technical review
E2
Preventive Security
- On-site security office
- Security indicators
- Vulnerability assessment
- Compliance
- Data protection laws
- PIA (Privacy Impact Analysis)
E3
Active Security
- Monitoring (SOC)
- Perimeter protection
- Application and database protection
- Privileged account protection
- Security incident detection
E4
Proactive Security
- Threat hunting
- Threat intelligence
- Incident response