Threat Modeling and Risk Assessment of an Integrated Enterprise Software Solution. Threat Modeling of Microsoft Passport Sign on Security Protocol

<body bgcolor="white"> <h1 align="left"><font face="Verdana" size="1"> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></h1> <h1 align="center"><font face="Verdana" size="1">Case Studies</font></h1> <h3 align="left"><font face="Verdana" size="1"><a target="content" href="TACSCaseStudy.htm">Risk Assessment of an Integrated Enterprise Billing Solution</a></font></h3> <blockquote> <p align="left"><font face="Verdana" size="1">Campton College, a private medical school, needed to replace an aging call accounting system, which frequently lost call records and lacked the capability to provide unified campus-wide telephony billing features. Campton wanted to create an integrated Web based call accounting system that would service student dorms and administrative departments. The institution contracted with TACS, a call accounting solution provider, to replace the old software and provide a modern, Web-based solution that would be cheaper to own and easier to use. Faced with a steep bill for information security, Campton contracted with <a target="_blank" href="http://www.software.co.il/"> Software Associates</a> in order to find a way to reduce risk as well as liability at the lowest possible cost. By using the PTA tools, Software Associates was able to demonstrate to Campton how to reduce risk from 250% to 50% at less than half the original InfoSec budget proposed by the vendor. <a target="content" href="TACSCaseStudy.htm">Read More ></a></font></p> </blockquote> <h3 align="left"><font face="Verdana" size="1"><a target="content" href="PassportCaseStudy.htm">Threat Modeling of Microsoft Passport Sign on Protocol</a></font></h3> <blockquote> <p align="left"><font face="Verdana" size="1">Passport is a protocol that enables users to sign onto many different merchants' Web pages by authenticating themselves only once to a common server. This is important because users tend to pick poor (guessable) user names and passwords and to repeat them at different sites. Passport is notable as it is being very widely deployed by Microsoft. In the following case study we examine the threat model of Passport single signon protocol based on the excellent paper "<a target="_blank" href="http://avirubin.com/passport.html">Risks of the Passport Single Signon Protocol</a>" by David P. Kormann and Aviel D. Rubin. The attached threat model database demonstrates how a classical protocol cryptanalysis article is turned into dynamic PTA threat model with calculative values. <a target="content" href="PassportCaseStudy.htm">Read More ></a></font></p> </blockquote> <h3 align="left"> <font face="Verdana" size="1"> <a target="content" href="CommentsFrameset.htm">PTA Professional Forum</a></font></h3> <blockquote> <p align="left"><font face="Verdana" size="1">The PTA Professional Forum contains several articles which demonstrate Information security experts approaches to utilizing Practical Threat Analysis in real life threat risk assessment cases. <a target="content" href="CommentsFrameset.htm">Read More ></a> on how to:</font></p> <ul> <li> <font face="Verdana" size="1">Use PTA for performing PCI DSS 1.1 compliance self assessments</font></li> <li> <font face="Verdana" size="1">Utilize a dedicated PTA library for building ISO 27001 threat models</font></li> <li> <font face="Verdana" size="1">Mitigate internal threats with PTA </font></li> <li> <font face="Verdana" size="1">Develop a risk reduction methodology for handling legacy software</font></li> <li> <font face="Verdana" size="1">Map PTA along with the chronology of the penetration testing process</font></li> <li> <font face="Verdana" size="1">Integrate PTA with the industry standard Nessus scanner</font></li> <li> <font face="Verdana" size="1">Adopt common vocabulary for Practical Threat Analysis sessions </font></li> </ul> </blockquote> <p align="left"><font face="Verdana" size="1">If you wish to publish your threat models considerations as well as share your experiences, ideas and insights with the members of the PTA users community please contact <a href="mailto:zeev@ptatechnologies.com?subject=to Zeev:Share My Experience">Zeev</a>.</font></p> <p align="center">  </p> <p align="center"> <font face="Verdana" size="1"> ***</font></p> <p align="center"> </p> <p align="center"><font face="Verdana" size="1"><b> <a target="content" href="PTA.htm">Threat Analysis Methodology in-depth</a>  </b>-<b>  <a target="content" href="ProductsFrameset.htm">Calculative Threat Analysis Software Tools</a></b><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></p> </body>