Campton College, a private medical school, needed to replace an aging call accounting system that frequently lost call records and could not provide unified, campus-wide telephony billing. Campton wanted an integrated, Web-based call accounting system serving both student dorms and administrative departments, and contracted TACS, a call accounting solution provider, to replace the old software with a modern Web-based solution that would be cheaper to own and easier to use. Faced with a steep bill for information security, Campton contracted Software Associates to find a way to reduce risk and liability at the lowest possible cost. Using the PTA tools, Software Associates showed Campton how to bring its risk figure down from 250% to 50% at less than half the InfoSec budget originally proposed by the vendor.
Passport is a protocol that lets users sign on to many different merchants' Web sites after authenticating only once to a common server. This matters because users tend to pick poor (guessable) user names and passwords and to reuse them across sites. Passport is notable because Microsoft is deploying it very widely. This case study examines the threat model of the Passport single sign-on protocol, following the paper "Risks of the Passport Single Signon Protocol" by David P. Kormann and Aviel D. Rubin. The attached threat model database shows how a classical protocol cryptanalysis article is turned into a dynamic PTA threat model with calculative values.
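Both case studies above rest on "calculative" values: the Campton study reports risk falling from one figure to another within a budget, and the Passport study turns a published protocol analysis into a threat model with numbers attached. The Python below is an added example, not the PTA tool's own code or model format, that sketches the arithmetic such a model needs: assets carry a value, threats carry a probability and a damage fraction, countermeasures remove a fraction of a threat's risk at a cost, and a planner picks the countermeasures that buy the most risk reduction within a budget. The expected-loss formula and the greedy planner are assumptions about how such a model can be computed, and every asset, threat, countermeasure and figure is constructed for illustration (they are not Campton's numbers and not the Kormann and Rubin threat list).

```python
"""Toy calculative threat model (constructed example, not PTA's own model format)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                   # monetary value (constructed figure)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float             # assumed annual likelihood of a successful attack, 0..1
    damage: float                  # fraction of each listed asset's value lost on success
    assets: Tuple[str, ...]        # names of assets the threat exposes


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    mitigates: Dict[str, float]    # threat name -> fraction of that threat's risk removed


# Constructed model of a generic SSO deployment; names and numbers are illustrative only.
ASSETS = {a.name: a for a in (
    Asset("sso_credential_db", 1_000_000.0),
    Asset("merchant_session_store", 200_000.0),
)}

THREATS: List[Threat] = [
    Threat("central_server_compromise", 0.05, 1.0, ("sso_credential_db",)),
    Threat("cookie_replay", 0.30, 0.5, ("merchant_session_store",)),
    Threat("redirect_spoofing", 0.20, 0.2, ("sso_credential_db", "merchant_session_store")),
]

COUNTERMEASURES: List[Countermeasure] = [
    Countermeasure("harden_sso_server", 20_000.0, {"central_server_compromise": 0.8}),
    Countermeasure("short_lived_cookies", 5_000.0, {"cookie_replay": 0.7, "redirect_spoofing": 0.25}),
    Countermeasure("tls_everywhere", 15_000.0, {"redirect_spoofing": 0.6, "cookie_replay": 0.5}),
    Countermeasure("user_education", 30_000.0, {"redirect_spoofing": 0.3}),
]


def threat_risk(threat: Threat, assets: Dict[str, Asset] = ASSETS) -> float:
    """Expected annual loss from one threat: probability * damage fraction * exposed asset value."""
    exposure = sum(assets[name].value for name in threat.assets)
    return threat.probability * threat.damage * exposure


def residual_risk(threats: List[Threat], applied: List[Countermeasure],
                  assets: Dict[str, Asset] = ASSETS) -> float:
    """Total expected loss after the applied countermeasures; mitigations compound multiplicatively."""
    total = 0.0
    for threat in threats:
        factor = 1.0
        for cm in applied:
            factor *= 1.0 - cm.mitigates.get(threat.name, 0.0)
        total += threat_risk(threat, assets) * factor
    return total


def plan_countermeasures(threats: List[Threat], candidates: List[Countermeasure], budget: float,
                         assets: Dict[str, Asset] = ASSETS) -> Tuple[List[str], float, float]:
    """Greedy plan: repeatedly add the affordable countermeasure with the best reduction per unit cost.

    Returns (names of chosen countermeasures in order, money spent, residual risk).
    """
    applied: List[Countermeasure] = []
    remaining = list(candidates)
    spent = 0.0
    while True:
        current = residual_risk(threats, applied, assets)
        best, best_ratio = None, 0.0
        for cm in remaining:
            if spent + cm.cost > budget:
                continue                       # cannot afford it with what is left
            reduction = current - residual_risk(threats, applied + [cm], assets)
            ratio = reduction / cm.cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:                       # nothing affordable still reduces risk
            break
        applied.append(best)
        remaining.remove(best)
        spent += best.cost
    return [cm.name for cm in applied], spent, residual_risk(threats, applied, assets)


if __name__ == "__main__":
    initial = residual_risk(THREATS, [])
    plan, spent, residual = plan_countermeasures(THREATS, COUNTERMEASURES, budget=40_000.0)
    print(f"initial risk: {initial:,.0f}")
    print(f"plan: {plan}, spent: {spent:,.0f}")
    print(f"residual risk: {residual:,.0f} ({100 * residual / initial:.1f}% of initial)")
```

The planner is deliberately greedy: it is a readable stand-in for whatever optimisation the real tool performs, and it shows the property both case studies lean on, that re-ranking countermeasures by reduction-per-cost under a budget matters more than the absolute risk figure. Lowering the budget or changing a mitigation fraction in the constructed data changes the chosen plan, which is the "dynamic" quality the Passport write-up attributes to a calculative model.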
The PTA Professional Forum contains several articles in which information security experts show how they apply Practical Threat Analysis in real-life threat and risk assessments, including how to:
- Use PTA for performing PCI DSS 1.1 compliance self assessments
- Utilize a dedicated PTA library for building ISO 27001 threat models
- Mitigate internal threats with PTA
- Develop a risk reduction methodology for handling legacy software
- Map PTA along with the chronology of the penetration testing process
- Integrate PTA with the industry standard Nessus scanner
- Adopt common vocabulary for Practical Threat Analysis sessions
If you wish to publish your threat model considerations, or to share your experiences, ideas and insights with the PTA user community, please contact Zeev.