PTA Professional Forum
PTA is free-of-charge for individuals
and can be downloaded, installed and operated within minutes. We believe that high
availability of a calculative practical threat analysis tool will have a positive
impact on the numerous systems which are responsible for the quality of our life
by enabling analysts and developers to provide safer systems.
We invite our professional users to
write about their practical threat models as well as share their experiences, ideas and insights with the members
of the security community worldwide. If you wish to contribute to this forum please
email me directly -
Zeev.
Self-diagnose your Threat Models
Threat Management - the Bigger Picture
Useful vocabulary for Practical Threat Analysis sessions
PTA package for PCI DSS 1.1 compliance
PTA library for ISO 27001
Mitigating Internal Threats with PTA
A Risk Reduction Methodology for Legacy Software
Map PTA Along With the Chronology of the Penetration Testing Process
Integrating PTA with the Nessus scanning tool
***
Self-diagnose your Threat Models
(Using the new Model Completeness report for self-diagnosing PTA threat model consistency)
From: Adi Amir - InteliGraph
Introduction
A common issue in
maintaining large scale PTA projects is the constant need to monitor and
assure the threat models’ internal completeness and consistency. As we all
know, the building of a new threat model typically starts by using existing
template models or entity libraries which are relevant to the analyzed
domain but are not fully adapted to the specific system.
The PTA Professional Edition data entry and import features enable the
analyst to enter partial entities data in order to quickly construct a
preliminary model and have first results. This is the main reason why a
substantive portion of the model’s life cycle maintenance effort is invested
in removing irrelevant entities, adding additional entities, crystallizing
the interrelations between the entities and tuning their parameters in order
to get the best match of the model to the specific analyzed system
realities. The ongoing model improvement process is involved with continuous data
collection, what-if analysis and research updates which are essential for
the accuracy of the risk assessment results and the prioritized mitigation
plans recommended by the analyst.
Read More:
http://www.ptatechnologies.com/comments.htm
***
Threat Management - the Bigger Picture
From: Rocky Heckman - Attack Patterns
(Quoted from Rocky's post in Microsoft Application Threat Modeling Blog)
Threat Modeling is one of those ‘sciences’ that is just now starting to gel
into something that can be implemented in a semi-automated fashion. With
TAM/e, we have a good approach to threat modeling that is both easy on the
development team, and fairly comprehensive (perhaps too much so). However
there are still two very different camps on the subject within Microsoft,
and a few more outside.
There have been a lot of advances in groups such as PTA
(Practical Threat Analysis
http://www.ptatechnologies.com/ ) as well as a push to formalize Attack
Patterns (yours truly
http://en.wikipedia.org/wiki/Attack_patterns and
http://www.attackpatterns.org/ , Mitre / Homeland Security
http://capec.mitre.org/ , and some commissioned work by Cigital
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack.html
) into something that can be used to assist not only Threat Modeling, but
attack activity classification as well.
Read More:
http://www.ptatechnologies.com/comments.htm
***
Useful vocabulary for Practical Threat Analysis sessions
From: Paul Varner - InteliGraph
Introduction
Since some of the
terms frequently used within the scope of the risk assessment process are
not tightly defined, I thought it might be productive to provide PTA
analysts with a short list of practical definitions. In the following
you can find several definitions of terms I have found applicable to the
majority of my PTA threat risk assessment and threat modeling projects.
Read More:
http://www.ptatechnologies.com/comments.htm
***
PTA Package for PCI DSS 1.1 compliance
(Using Practical Threat Analysis to attain PCI DSS 1.1 compliance)
From: Y. Avital - Open Solutions
Introduction
The PCI Data Security Standard version 1.1 (Aka PCI DSS 1.1) combines best
practices from the card associations on how to protect customers' payment
card data. The question is how merchants can use the PCI DSS effectively
to reduce their data assets breach risk.
In this article, we show how PTA can help take the
pain out of the threat risk assessment (TRA) planning and the controls implementation process
and reduce cost of the security investment.
The PCI DSS specifications tell retailers all they need to do to be secure, without telling
them where to start and how to prioritize controls against threats. The
standard does not consider how to balance the value of retailer payment
data assets against the cost of implementing the security controls specified
in the standard.
It is obvious that the objective should not be "compliance for compliance
sake". Used properly, PCI DSS can be an effective way of reducing the merchant's
operational risk of handling payment card data. The free
PTA PCI 1.1 package,
which accompanies this article, includes a practical threat model
and a library that have been used in several real-life PCI assessment projects and
were found to be productive in shortening risk assessment timetables and
constructing risk mitigation programs for Level 2, 3 and 4 merchants.
Read More:
http://www.ptatechnologies.com/comments.htm
***
PTA library for ISO 27001
(Risk assessment with the PTA ISO 27001 Library)
From: Eli Moran & Maciej Lewandowski - Control Policy Group
Introduction:
The ISO 27001 library is a full PTA threat
model implementation of the ISO 27001 compliance check list for the ISO
27001 standard. The library is available for free download, licensed from
the Control Policy Group under the Creative Commons Attribution License.
Plain certification vs. identifying the appropriate risk reduction controls
The ISO 27001 certification process can be simple or involved but, at the
end of the day, there are always far more controls (countermeasures) to
be implemented than resources for applying them. Organizations, large and
small, find themselves coping with long and confusing check lists of controls.
You can implement the entire check list of controls (if you have deep pockets),
you can do nothing or you can try and achieve the most effective purchase
(i.e. get the most for your security investment dollar) with a set of controls
optimized for your specific business risk.
We all know that additional security controls do not necessarily reduce
risk. Modifying existing infrastructure (e.g. firewalls and proxies) and
installing layers of security products is not a free lunch and often increases
the total system risk and cost of ownership, as a result of the interaction
between the elements.
The combination of PTA threat model and its calculative methods with the
ISO 27001 check list enables us to create a quantitative risk model and
construct an economically justified set of countermeasures that reduces
risk according to the specific customer’s business and state. Moreover,
we were able to execute a moderate implementation plan of countermeasures
according to the customer’s budget instead of an “all-or-nothing” checklist
implementation that may cost a fortune and badly affect the competitiveness
of the business.
Read More:
http://www.ptatechnologies.com/comments.htm
Read more on Risk assessment with the PTA ISO 27001 library.
Download a free copy of the PTA ISO 27001 library and let us know what you think!
(revised: September 2007)
***
Mitigating Internal Threats with PTA
(Producing financial justification for extrusion prevention)
From: Y. Avital - Open Solutions - Specialists in controlling unauthorized disclosure.
Introduction:
After 3 years of a growing wave of data breach
events, ranging from Bank of America and ChoicePoint to the Israeli Trojan,
there is growing awareness of the importance of mitigating internally-launched
threats. However, as practitioners in this field will attest and as recent studies
show, the majority of organizations are not allocating people and technology
resources to reduce extrusion risk.
We believe that the reason for this is that
there is no accepted, practical methodology for end users to assess internal
threats and vulnerabilities and generate a financial justification for a decision-making
manager. In contrast, the security industry has well-developed indicators for
anti-virus, spyware, exploits and software vulnerabilities to external threats.
Daily indicators and advisories are published
by vendors such as McAfee and industry consortia such as CVE (Mitre) and SANS.
While compliance may be a driver for some industries, there are always many
different, often non-technical ways to comply with GLBH, California SB1386 and
PCI data security without purchasing a $300K system from Vontu or a $65K EPS
appliance from Fidelis Security Systems.
Read More:
http://www.ptatechnologies.com/comments.htm
Click here to download the Practical Threat Analysis Threat Model (zipped) used in the study.
***
A Risk Reduction Methodology for Legacy Software
From: Dan Lieberman - Software Associates
Security breaches continue to garner headlines as conventional information security
tools fail to halt attacks on customer data and intellectual property.
The alternative is an approach based on the notion that buggy software is insecure
software. The Carnegie Mellon Software Engineering Institute (SEI) reports that
90 percent of all software vulnerabilities are due to well-known defect types
(for example using a hard coded server password or writing temporary work files
with world read privileges). All of the SANS Top 20 Internet Security vulnerabilities
are the result of “poor coding, testing and sloppy software engineering.”
Why isn't software quality better? Let’s examine commitment to quality at three
levels in an organization: end-users, development managers and top executives.
- Users are conditioned to accept unreliable software on their desktop and development
managers are inclined to accept faulty software as a tradeoff to meeting a development
schedule.
- Executives, while committed to quality of their own products and services,
do not find security breaches sufficient reason to become security leaders with
their enterprise systems because they usually receive conflicting proposals
for new information security initiatives with weak or missing financial justifications.
Moreover, in most cases the recommended security initiatives often disrupt the
business.
Read More:
http://www.ptatechnologies.com/comments.htm
***
Map PTA Along With the Chronology of the Penetration Testing Process
From: skillz - SecGuru
What I understand by going through your article and using PTA, most of the process
is manual that is:
Security Analyst does the scan -> Defines Assets and assign financial values
(fixed and recurring) -> List vulnerabilities for those assets -> associate
threats (level, chances) due to those vulnerabilities -> and countermeasures
to mitigate that threat.
Now let me try to map these steps along with the chronology of a pentest. This
is just a gist of typical pentest which people do out there, enlisting everything
in detail is obviously out of scope.
The analyst either receives a list of servers/subnets/domains that need to
be tested. This basically defines the realm of assets which he will attack during
the test. Pentest scans, as jotted down in most of the books, start with reconnaissance,
dns xfers, port scans etc..etc.. At this stage the analyst gathers more information
about the target assets, yet is unable to determine the financial value, predict
criticality or threat level.
Read More:
http://www.ptatechnologies.com/comments.htm
***
Integrating PTA with Nessus - the industry standard tool for scanning
From: skillz - SecGuru
...IMHO, the industry standard tool for scanning
is Nessus (*) and I have seen many security auditors just using that as their
primary source of vulnerability information. However, like every scanner Nessus
too produces a lot of false positives and it requires manual checking too. Most
of the scanners now output their findings using xml which can be easily played
around with.
If you are aware of what Nessus scripts are being used to discover asset features
(e.g. OS, Applications running on it etc... ) then you can easily write a script
which goes through the xml and brings out that information for you from only
those selected plug-ins, as you said in the form of CSV.
Once you have that information, another script can create a list of vulnerabilities
per host like this :
[host A] = [vuln1],[vuln2],[vuln3]
After that is created you will have to remove false positives from this list.
OR ... you can mark the false positives in the scanner's GUI and then export
results out in xml, so that you know everything is clean :-) either way you
can get the list of vulnerability per host.
http://www.secguru.com/web_security_threat_classification
Read More:
http://www.ptatechnologies.com/comments.htm
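The two scripts sketched in the post above (pull asset features out of selected plugins into CSV, then build a per-host vulnerability list with false positives removed) can be done in one short Python program. This is an added example, not the poster's own script or anything shipped with PTA or Nessus. The XML embedded in it is a constructed sample laid out like a `.nessus` v2 report (`ReportHost` / `HostProperties` / `ReportItem`); the hostnames, plugin IDs and finding names are illustrative, not real scan data, and the `ASSET_PLUGINS` set is an assumed list of the plugins one treats as asset-feature sources rather than findings.

```python
"""Turn a Nessus XML report into (1) an asset-feature CSV and (2) the
per-host vulnerability lists described in the post.  Added example; the
report below is a constructed sample, not real scan output."""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed sample">
    <ReportHost name="host-a.example.test">
      <HostProperties>
        <tag name="operating-system">Linux Kernel 2.6</tag>
        <tag name="host-ip">10.0.0.11</tag>
      </HostProperties>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version"/>
      <ReportItem port="80" protocol="tcp" svc_name="www" severity="2"
                  pluginID="90001" pluginName="Sample web finding (constructed)"/>
      <ReportItem port="443" protocol="tcp" svc_name="www" severity="3"
                  pluginID="90002" pluginName="Sample TLS finding (constructed)"/>
    </ReportHost>
    <ReportHost name="host-b.example.test">
      <HostProperties>
        <tag name="operating-system">Microsoft Windows Server 2003</tag>
        <tag name="host-ip">10.0.0.12</tag>
      </HostProperties>
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3"
                  pluginID="90003" pluginName="Sample SMB finding (constructed)"/>
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="1"
                  pluginID="90004" pluginName="Sample info finding (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Assumed: plugins that only describe asset features (OS, service banners)
# and therefore must not appear in the vulnerability list.
ASSET_PLUGINS = {"10267"}


def parse_report(xml_text):
    """Collect host properties and ReportItems for every ReportHost."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("ReportHost"):
        props = {tag.get("name"): (tag.text or "").strip()
                 for tag in host.findall("HostProperties/tag")}
        items = [{
            "plugin_id": item.get("pluginID"),
            "plugin_name": item.get("pluginName", ""),
            "port": item.get("port"),
            "protocol": item.get("protocol"),
            "severity": int(item.get("severity", "0")),
        } for item in host.findall("ReportItem")]
        hosts[host.get("name")] = {"os": props.get("operating-system", ""),
                                   "ip": props.get("host-ip", ""),
                                   "items": items}
    return hosts


def asset_csv(hosts):
    """Asset features (host, IP, OS) as CSV text, one row per host."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "ip", "os"])
    for name in sorted(hosts):
        writer.writerow([name, hosts[name]["ip"], hosts[name]["os"]])
    return buf.getvalue()


def vulns_per_host(hosts, false_positives=frozenset(), min_severity=1):
    """Per-host plugin-ID lists.  Drops informational items (severity below
    min_severity), asset-feature plugins, duplicates, and any (host, plugin)
    pair the analyst has marked as a false positive."""
    result = {}
    for name, host in hosts.items():
        ids = []
        for item in host["items"]:
            pid = item["plugin_id"]
            if item["severity"] < min_severity or pid in ASSET_PLUGINS:
                continue
            if (name, pid) in false_positives or pid in ids:
                continue
            ids.append(pid)
        result[name] = ids
    return result


def format_lists(vulns):
    """Render in the post's notation: [host A] = [vuln1],[vuln2],[vuln3]"""
    return "\n".join("[%s] = %s" % (name, ",".join("[%s]" % p for p in vulns[name]))
                     for name in sorted(vulns))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_NESSUS)
    print(asset_csv(parsed))
    # Constructed false-positive mark, as if set in the scanner GUI.
    print(format_lists(vulns_per_host(parsed, {("host-a.example.test", "90001")})))
```

Keying false positives by (host, plugin ID) rather than by plugin ID alone matters: the same plugin may be a genuine finding on one host and noise on another, and a per-host key keeps the review decision tied to the asset it was made for.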
***