PTA - Practical Threat Analysis Methodology and Risk Assessment Tools for Security Experts

<body> <h1 align="center"><font face="Verdana" size="1">PTA Technologies Site Map</font></h1> <h1></h1> <p align="center"><b><font face="Verdana" size="1"> <a target="_top" href="default.htm">Welcome to PTA - Practical Threat Analysis</a> </font></b></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="LatestUpdate.htm">Latest PTA Professional Edition Updates</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="FreeProgram.htm">PTA Free Program for Security Consultants </a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="Qualified.htm">PTA Qualified Partners Directory</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="Comments.htm">Share your Experience with Practical Threat Analysis</a></font></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Company.htm">PTA Technologies - the Company</a></font></b></p> <p align="center"><font size="1" face="Verdana"> <a target="content" href="Contact.htm">Contact Information </a> </font></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="News.htm">News</a> </font></b></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Products.htm">Practical Threat Analysis Software Technology and Tools</a> </font></b></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTAPro.htm">PTA Professional Edition for Security Consultants and TRA Analysts</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTAEnterprise.htm">PTA for Managing Enterprise Risks</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="Libraries.htm">Security Entity Libraries</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTAReports.htm">PTA Analytic Reports</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTAforOEM.htm">PTA Solutions for Security Consultants</a></font></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Welcome.htm">PTA - Practical Threat Analysis Methodology</a> </font></b></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="DetailedLeaflet.htm">What is Practical Threat Analysis?</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTAInANutshell.htm">Practical Threat Analysis in a Nutshell</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PTA.htm">Practical Threat Analysis Methodology in Depth</a></font></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Documents.htm">Practical Threat Analysis Documents</a> </font></b></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="DownloadResult.htm">Download Practical Threat Analysis PTA Professional Tool</a> </font></b></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="CaseStudies.htm">Practical Threat Analysis Case Studies</a> </font></b></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="TACSCaseStudy.htm">Threat Risk Assessment of Enterprise Call Accounting and Billing System</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="PassportCaseStudy.htm">Threat Analysis of Microsoft Passport Security Protocol</a></font></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Support.htm">Support PTA Users</a> </font></b></p> <p align="center"><b><font face="Verdana" size="1"> <a target="content" href="Links.htm">Links to Additional Security Resources</a> </font></b></p> <p align="center"><font face="Verdana" size="1">***</font></p> <p align="center"><b><font face="Verdana" size="1">List of Site Pages:</font></b></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/SiteMap.htm">Site Map - www.ptatechnologies.com</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="CommentsFrameset.htm">Comments - Share your Experience: </a> <a href="http://www.ptatechnologies.com/Comments.htm">1) Risk Reduction Methodology for Legacy Software 2) Penetration Testing with Practical Threat Analysis 3) Mitigating Internal Threats with PTA 4) PTA package for PCI DSS 1.1 compliance and ISO 27001 5) Vocabulary for Risk Analysis sessions and more...</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/TACSCaseStudy.htm">TACS Case Study (part 1) - Threat risk assessment of real-life enterprise IT system : a call accounting solution</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/TACSCaseStudy2.htm">TACS Case Study (part 2) - T</a></font><a href="http://www.ptatechnologies.com/TACSCaseStudy2.htm"><font face="Verdana" size="1">hreat analysis done with PTA <br> demonstrates how to reduce risk from 250% to 50% at less than half the original InfoSec budget</font></a></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PassportCaseStudy.htm">Passport Case Study - Practical threat analysis of Passport Single Sign-On security protocol cryptanalysis</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTAInANutshell.htm">PTA in a Nutshell - Threat modeling methodology: system vulnerabilities + system assets + security threats + effective countermeasures</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/DetailedLeaflet.htm">Detailed Leaflet - PTA tool for calculating countermeasures mitigation effectiveness and assessing risks and threats in IT systems</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTAPro.htm">PTA Pro -  The PTA Professional Edition risk analysis tool for IT security experts and Information Security consultants</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTAEnterprise.htm">PTA Enterprise - Platform for threat risk assessment and risk management of enterprise information systems </a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTA.htm">PTA - Practical threat analysis methodology (part 1): Identify assets and vulnerabilities, reveal threat scenarios and prioritize countermeasures and controls</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTA2.htm">PTA 2 - Practical threat analysis methodology (part 2) employed in the risk assessment process</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTA3.htm">PTA 3 - Practical threat analysis methodology (part 3) employed in the risk assessment process</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTA3.htm">PTA 4 - Practical threat analysis methodology (part 4) employed in the risk assessment process</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Libraries.htm">Libraries - PTA plug in libraries for security standards: ISO 17799 , BS7799, ISO 27001 and PCI DSS with common vulnerabilities and countermeasures for easy threat modeling</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTAforOEM.htm">PTA for OEM - Partnership with security consultants and security solutions providers: integrating PTA technology with security products and services to provide a total security management solution</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Company.htm">Company - PTA Technologies: the creators of Practical Threat Analysis calculative methodology and suite of software tools</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/News.htm">News - Partnership with security consulting groups and security service providers</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Products.htm">Products - PTA Tools is a suite of software tools for applying quantitative threat risk analysis and threat modeling</a> </font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Documents.htm">Documents - Threat modeling documents and freeware security entity libraries: how to perform threat analysis and risk assessment of complex IT systems</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/CaseStudies.htm">Case Studies - Risk assessment case studies: PTA helps in reducing risk at the most cost-effective way</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Links.htm">Links - security analyst resources and best practices</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Support.htm">Support - PTA support, installation and threat model frequently asked questions</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/DownloadResult.htm">Download Results -Download trial version of the Practical Threat Analysis Professional Edition</a></font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="http://www.ptatechnologies.com/Qualified.htm"> Qualified - PTA Qualified Partners Directory: list of PTA security experts groups and Information Security consulting firms world-wide</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/PTAReports.htm">PTA Reports - Reporting system for presenting threat model information, analyzing threat analysis results and finding the most cost-effective mitigation plan</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/FreeProgram.htm">Free Program - PTA is free for security consultants, security analysts, researchers and students</a></font></p> <p align="center"><font face="Verdana" size="1"> <a href="http://www.ptatechnologies.com/Welcome.htm">Welcome - Welcome to PTA: Practical Threat Analysis home</a></font></p> <p align="center"><font face="Verdana" size="1">***</font></p> <h1 align="center"><font face="Verdana" size="1">The PTA Methodology in a Nutshell</font></h1> <h3 align="center"><font face="Verdana" size="1">What is Practical Threat Analysis ?</font></h3> <p align="left"><font face="Verdana" size="1">Read the <a target="content" href="PTA.htm">Practical Threat Analysis in-depth</a> article for a detailed description of the PTA methodology. </font></p> <h3 align="left"><font face="Verdana" size="1">A Calculative Threat Modeling Methodology</font></h3> <p align="left"><font face="Verdana" size="1">PTA (Practical Threat Analysis) is a calculative threat analysis and threat modeling methodology which enables effective management of operational and security risks in complex systems. It provides an easy way to maintain dynamic threat models capable of reacting to changes in the system's assets and vulnerabilities. With PTA an analyst can maintain a growing database of threats, create documentation for security reviews and produce reports showing the importance of various threats and the priorities of the corresponding countermeasures. </font></p> <p><font face="Verdana" size="1">PTA automatically recalculates threats and countermeasures priorities and provides decision makers with updated mitigation plan that reflects changes in threat realities. Countermeasure's priorities are a function of the system's assets values, level of potential damage, threats probabilities and degrees of mitigation provided by countermeasures. </font></p> <p><font face="Verdana" size="1">The recommended mitigation plan is composed of the countermeasures that are the most cost-effective against the identified threats.</font></p> <h3 align="left"><font face="Verdana" size="1">The PTA Threat Model</font></h3> <p><font face="Verdana" size="1">The scheme below describes the interrelations between a threat and the assets, vulnerabilities and countermeasures. </font></p> <p align="left"><font face="Verdana" size="1">In a nutshell:</font></p> <ul> <li> <p align="left"><font face="Verdana" size="1"><b>Threats</b> exploit <b>Vulnerabilities</b> and damage <b>Assets</b>.</font></p> </li> <li> <p align="left"><font face="Verdana" size="1"><b>Countermeasures</b> mitigate <b>Vulnerabilities</b> and therefore might mitigate <b>Threats</b>.</font></p> </li> </ul> <p><font face="Verdana" size="1"> See the <a target="content" href="PTA.htm">Practical Threat Analysis in-depth</a> page for a detailed description of the PTA Threat Model and the definitions of Entry Points, Attacker Types and Security Entity Tags.</font></p> <h3 align="left"><font face="Verdana" size="1">The Practical Threat Analysis Process</font></h3> <p align="left"><font face="Verdana" size="1">In the following we present an abbreviated description of the PTA threat modeling steps.</font></p> <h4 align="left"><font face="Verdana" size="1">1. Identifying Assets</font></h4> <blockquote> <p><font face="Verdana" size="1">Mapping of system asset's financial values and potential losses due to damages. Asset's values are the basis for calculating threats, risks and countermeasures priorities.</font></p> </blockquote> <h4 align="left"><font face="Verdana" size="1">2. Identifying Vulnerabilities</font></h4> <blockquote> <p><font face="Verdana" size="1">Identifying potential system vulnerabilities requires knowledge of the system's functionality, architecture, business and operational procedures and types of users. This is a continuous iterative task coupled with the step of identifying threats (step 4).</font></p> </blockquote> <h4 align="left"><font face="Verdana" size="1">3. Defining Countermeasures</font></h4> <blockquote> <p><font face="Verdana" size="1">Defining the countermeasures relevant to system vulnerabilities. The countermeasure's cost-effectiveness is calculated according to its estimated implementation cost.</font></p> </blockquote> <h4 align="left"><font face="Verdana" size="1">4. Building Threat Scenarios and Mitigation Plans</font></h4> <blockquote> <p><font face="Verdana" size="1">Composing the potential threats scenarios and identifying the various threat's elements and parameters as follows: </font></p> </blockquote> <ul> <li><font face="Verdana" size="1">Entering a short description of the threat scenario. </font></li> <li><font face="Verdana" size="1">Identifying the threatened assets and the level of potential damage.</font></li> <li><font face="Verdana" size="1">Setting the threat's probability. The threat's risk level is automatically calculated based on the total damage that may be caused by the threat and the threat's probability.</font></li> <li><font face="Verdana" size="1">Identifying system's vulnerabilities exploited by the threat. Identification of system's vulnerabilities automatically populates a list of proposed countermeasures.</font></li> <li><font face="Verdana" size="1">Deciding on the actual mitigation plan by selecting the most effective combination of countermeasures. </font></li> </ul> <h3 align="left"><font face="Verdana" size="1">Starting with Predefined Vulnerabilities and Threats</font></h3> <p><font face="Verdana" size="1">The threat analysis process can start with predefined entities of assets, vulnerabilities and countermeasures typical to the system being analyzed. Read more on PTA libraries concept in <a target="content" href="LibrariesFrameset.htm">Common Vulnerabilities, Countermeasures and Threats Libraries</a>. </font></p> <h3 align="left"><font face="Verdana" size="1">Reviewing the Threat Analysis Results</font></h3> <p><font face="Verdana" size="1">Reviewing the threat analysis results can help improve the threat model and refine the model entities parameters. For a detailed description of the analysis results see the <a target="content" href="PTAReportsFrameset.htm">Threat Analysis Results and Reports</a> page. The basic analysis outcomes are described below.   </font></p> <ul> <li><font face="Verdana" size="1">List of threats, their risk and potential damage to assets when threats materialize.</font></li> <li><font face="Verdana" size="1">List of assets and the financial risk that threatens them. </font></li> <li><font face="Verdana" size="1">List of countermeasures, their overall mitigation effect and cost-effectiveness relative to their contribution to system risk reduction.</font></li> <li><font face="Verdana" size="1">The maximal financial risk to the system, the final risk to the system (after all mitigation plans were implemented) and the current level of system risk according to the status of countermeasure's implementation.</font></li> <li><font face="Verdana" size="1">The optimized mitigation plan which is composed of the countermeasures that are the most cost-effective against the identified threats</font></li> </ul> <p><font face="Verdana" size="1">The analyst is encouraged to examine how the model behaves in response to changes in parameters and to run various "what if" scenarios that might provide additional insight on the system's realities.</font></p> <p> </p> <font face="Verdana" size="1"> <p align="center"><b><a target="content" href="QualifiedFrameset.htm">PTA Qualified Partners Directory</a></b><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></p> </font> <p> </p> <p align="center"> </p> <p align="center"> </p> <p align="center"><font face="Verdana" size="1"><br> </font></p> <p align="center"> <font size="1" face="Verdana"><br> <br> <br>  </font></font></p> <p align="center"></p> <p align="center"> </p> </body>