PTA Technologies Site Map
***
List of Site Pages:
Site Map - www.ptatechnologies.com
Comments - Share your Experience:
1) Risk Reduction Methodology for Legacy Software
2) Penetration Testing with Practical Threat Analysis
3) Mitigating Internal Threats with PTA
4) PTA package for PCI DSS 1.1 compliance and ISO 27001
5) Vocabulary for Risk Analysis sessions and more...
TACS Case Study (part 1) - Threat risk assessment of a real-life enterprise IT system: a call accounting solution
TACS Case Study (part 2) - Threat analysis done with PTA demonstrates how to reduce risk from 250% to 50% at less than half the original InfoSec budget
Passport Case Study - Practical threat analysis of Passport Single Sign-On security protocol cryptanalysis
PTA in a Nutshell - Threat modeling methodology: system vulnerabilities + system assets + security threats + effective countermeasures
Detailed Leaflet - PTA tool for calculating countermeasures mitigation effectiveness and assessing risks and threats in IT systems
PTA Pro - The PTA Professional Edition risk analysis tool for IT security experts and Information Security consultants
PTA Enterprise - Platform for threat risk assessment and risk management of enterprise information systems
PTA - Practical threat analysis methodology (part 1): Identify assets and vulnerabilities, reveal threat scenarios and prioritize countermeasures and controls
PTA 2 - Practical threat analysis methodology (part 2) employed in the risk assessment process
PTA 3 - Practical threat analysis methodology (part 3) employed in the risk assessment process
PTA 4 - Practical threat analysis methodology (part 4) employed in the risk assessment process
Libraries - PTA plug-in libraries for security standards: ISO 17799, BS7799, ISO 27001 and PCI DSS with common vulnerabilities and countermeasures for easy threat modeling
PTA for OEM - Partnership with security consultants and security solutions providers: integrating PTA technology with security products and services to provide a total security management solution
Company - PTA Technologies: the creators of Practical Threat Analysis calculative methodology and suite of software tools
News - Partnership with security consulting groups and security service providers
Products - PTA Tools is a suite of software tools for applying quantitative threat risk analysis and threat modeling
Documents - Threat modeling documents and freeware security entity libraries: how to perform threat analysis and risk assessment of complex IT systems
Case Studies - Risk assessment case studies: PTA helps in reducing risk in the most cost-effective way
Links - Security analyst resources and best practices
Support - PTA support, installation and threat model frequently asked questions
Download Results - Download trial version of the Practical Threat Analysis Professional Edition
Qualified - PTA Qualified Partners Directory: list of PTA security experts groups and Information Security consulting firms world-wide
PTA Reports - Reporting system for presenting threat model information, analyzing threat analysis results and finding the most cost-effective mitigation plan
Free Program - PTA is free for security consultants, security analysts, researchers and students
Welcome - Welcome to PTA: Practical Threat Analysis home
***
The PTA Methodology in a Nutshell
What is Practical Threat Analysis?
Read the Practical Threat Analysis in-depth article for a detailed description of the PTA methodology.
A Calculative Threat Modeling Methodology
PTA (Practical Threat
Analysis) is a calculative threat
analysis and threat modeling methodology which enables effective management of
operational and security risks in complex systems. It
provides an easy way to maintain dynamic threat models capable of
reacting to changes in the system's assets and vulnerabilities. With PTA
an analyst can maintain a growing database of threats, create
documentation for security reviews and produce reports showing the
importance of various threats and the priorities of the corresponding
countermeasures.
PTA automatically recalculates threat and countermeasure
priorities and provides decision makers with an updated
mitigation plan that reflects changes in threat realities.
Countermeasure priorities are a function of the system's asset
values, the level of potential damage, threat probabilities and the
degrees of mitigation provided by countermeasures.
The recommended mitigation plan is
composed of the countermeasures that are the most cost-effective against
the identified threats.
The PTA Threat Model
The scheme below describes the
interrelations between a threat and the assets, vulnerabilities and
countermeasures.
In a nutshell:
See the
Practical Threat Analysis in-depth
page for a detailed description of the PTA Threat Model and the
definitions of Entry Points, Attacker Types and Security Entity Tags.
The Practical Threat Analysis Process
The following is an abbreviated description of the PTA threat
modeling steps.
1. Identifying Assets
Mapping the financial values of the system's assets
and the potential losses due to damage. Asset values are the
basis for calculating threat, risk and countermeasure priorities.
2. Identifying Vulnerabilities
Identifying potential system
vulnerabilities requires knowledge of the system's functionality,
architecture, business and operational procedures and types of
users. This is a continuous iterative task coupled with the step of
identifying threats (step 4).
3. Defining Countermeasures
Defining the countermeasures
relevant to system vulnerabilities. The countermeasure's
cost-effectiveness is calculated according to its estimated
implementation cost.
4. Building Threat Scenarios and Mitigation Plans
Composing the potential threat
scenarios and identifying each threat's elements and
parameters as follows:
- Entering a short description of the threat
scenario.
- Identifying the threatened assets and the level of
potential damage.
- Setting the threat's probability.
The threat's risk level is automatically calculated based on the total
damage that may be caused by the threat and the threat's
probability.
- Identifying the system vulnerabilities exploited
by the threat. Identifying these vulnerabilities
automatically populates a list of proposed countermeasures.
- Deciding on the actual mitigation
plan by selecting the most effective combination of countermeasures.
Starting with Predefined Vulnerabilities and Threats
The threat analysis process can start
with predefined entities of assets, vulnerabilities and countermeasures
typical of the system being analyzed. Read more on the PTA libraries concept
in Common Vulnerabilities, Countermeasures and Threats Libraries.
Reviewing the Threat Analysis Results
Reviewing the threat analysis results
can help improve the threat model and refine the parameters of the
model's entities. For a detailed description of the analysis results see the
Threat Analysis Results and Reports
page. The basic analysis outcomes are described below.
- List of threats, their risk and
potential damage to assets when threats materialize.
- List of assets and the financial
risk that threatens them.
- List of countermeasures, their
overall mitigation effect and cost-effectiveness relative to their
contribution to system risk reduction.
- The maximal financial risk to the
system, the final risk to the system (after all mitigation plans
were implemented) and the current level of system risk according to
the status of countermeasure implementation.
- The optimized mitigation plan,
which is composed of the countermeasures that are the most
cost-effective against the identified threats.
The analyst is encouraged to examine how
the model behaves in response to changes in parameters and to run
various "what if" scenarios that might provide additional insight into the
system's realities.
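The calculation described in step 4 and in the analysis results can be sketched as follows. This is an added example, not PTA's own code, and the page does not give PTA's formulas: it assumes risk = probability x total damage, that countermeasure mitigations combine multiplicatively, and that the plan is chosen greedily within a budget. All asset, threat and countermeasure names and figures are constructed.

```python
from math import prod

# Constructed sample model: every name and figure below is illustrative.
ASSETS = {"billing_db": 200_000, "call_records": 50_000}
# countermeasure -> (implementation cost, {vulnerability: mitigation fraction})
COUNTERMEASURES = {
    "input_validation": (5_000, {"sql_injection": 0.8}),
    "waf": (20_000, {"sql_injection": 0.5, "weak_session": 0.5}),
    "mfa": (10_000, {"weak_session": 0.9}),
}
# threat -> (probability, {asset: damage fraction}, exploited vulnerabilities)
THREATS = {
    "db_dump": (0.5, {"billing_db": 0.5}, {"sql_injection"}),
    "account_takeover": (0.2, {"billing_db": 0.25, "call_records": 1.0},
                         {"weak_session"}),
}

def threat_risk(name, implemented=()):
    """Assumed formula: probability x total damage x unmitigated fraction."""
    prob, damage, vulns = THREATS[name]
    total_damage = sum(ASSETS[a] * frac for a, frac in damage.items())
    residual = prod(1 - m for cm in implemented
                    for v, m in COUNTERMEASURES[cm][1].items() if v in vulns)
    return prob * total_damage * residual

def system_risk(implemented=()):
    """Financial risk to the system with the given countermeasures in place."""
    return sum(threat_risk(t, implemented) for t in THREATS)

def cost_effectiveness(cm, implemented=()):
    """System risk reduction per currency unit of implementation cost."""
    base = system_risk(implemented)
    return (base - system_risk((*implemented, cm))) / COUNTERMEASURES[cm][0]

def mitigation_plan(budget):
    """Greedy plan: keep adding the most cost-effective affordable countermeasure."""
    plan, spent = [], 0
    while True:
        options = [c for c in COUNTERMEASURES
                   if c not in plan and spent + COUNTERMEASURES[c][0] <= budget]
        best = max(options, key=lambda c: cost_effectiveness(c, plan), default=None)
        if best is None or cost_effectiveness(best, plan) <= 0:
            return plan
        plan.append(best)
        spent += COUNTERMEASURES[best][0]
```

`system_risk()` with no arguments gives the maximal risk, `system_risk(COUNTERMEASURES)` the final risk, and passing only the countermeasures already deployed gives the current risk. Changing a probability or asset value and re-running `mitigation_plan` is the "what if" exercise described above.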