Practical Threat Analysis News

Dec 02, 2011

Protect your organization’s data - Armies of junior analysts working for the large accounting firms, who have never seen or experienced a fraudulent event and are unfamiliar with your business operation, are not a reasonable replacement for careful risk analysis done by people within the business who know how it works.

A new article by Danny Lieberman presents the 10 major steps to protecting your organization’s privacy data and intellectual property.

Feb 08, 2011

The Threat Surface of Mobile Devices - A software security assessment of a life science software application deployed on a mobile device needs to look beyond the malware and spyware and data breach attacks on the device. Mobile Android tablets or iPads running electronic medical records applications are usually deployed in uncontrolled, complex and highly vulnerable environments such as enterprise IT networks in hospitals. The software security issues are much more severe than those of a single tablet: a combination of network vulnerabilities, application software vulnerabilities, malicious attackers superimposed on the large, complex threat surface of an enterprise IT network.

This short article analyses the mobile device security challenges in a real life case study and shows that the key vulnerabilities of mobile devices are similar to traditional IT security vulnerabilities even if the threat surface is dramatically different!

Sep 14, 2010

Practical Threat Analysis of a Medical Device - What is more important – patient safety or the health of the enterprise hospital Windows network? What is more important – writing secure code or installing an anti-virus? This article in the Israeli Software blog presents a PTA threat analysis which was performed on a network of Windows-based embedded medical devices used for patient monitoring. The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition. The resulting threat model is available for free download here.

Apr 05, 2010

The Tao of GRC for CISOs and CSOs - This article in Infosec Island introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. The 3 principles of the "GRC 2.0" approach presented by Danny Lieberman are:

1. Adopt a standard language of GRC
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance

Sep 02, 2009

Free Online Security Best Practices Workshops - Register now for online security best practices workshops. Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

The Control Policy Group presents a series of 6 free online workshops starting Sep 3, 2009 at 15:00 GMT. In the first workshop, "Using data security metrics and a value-based approach", you will learn how to measure how well your security tools reduce Value at Risk in dollars (or in euros) and how well they will do 3 years from now.

Jun 04, 2009

Credit Union tech-talk InfoSecurity Conference - Leonard Jacobs, the CEO of Netsecuris and a veteran PTA Qualified Partner, will present the role of Practical Threat Analysis in the process of mapping system assets, methodically identifying system vulnerabilities, carefully assessing the risk of discovered threats, and systematically defining an effective risk mitigation plan that is specifically tailored to your credit union.

This session (Thursday from 1:30 PM to 2:30 PM Pacific time) will show you how one credit union successfully tackled this daunting risk management issue – both easily and affordably. Contact Marina Radinovsky if you want more information on how to attend the 2009 CU InfoSecurity Conference.

Feb 18, 2009

"Caught in the Web: Best Practices for Effective Web App Security Assessments" - free webcast hosted by Shon Harris of Logical Security, with Wayne Burke and Benjamin Böck of SecureIA, will cover using practical threat analysis to identify where your organization is exposed.

You’ll also learn how to connect technical issues identified during testing with underlying business risks – enabling you to effectively communicate and leverage the benefits of proactive, real-world security testing throughout your organization. Register here.

Sep 04, 2008

ISSA Journal's toolsmith covers PTA – an article by Russ McRee reviews the PTA methodology and risk assessment tool. Russ uses PTA for mapping the MSDN Cheat Sheet: Web Application Security Frame items into a comprehensive and useful PTA security library which is then used for conducting a PTA threat analysis of a simple Web application.

The Web application PTA threat model and the Web application security library used are available for free download (courtesy of HolisticInfoSec). The article PDF is available here.

Aug 27, 2008

PTA Technologies is happy to announce the launch of the free PTA Qualified Partner Program.

The PTA Qualified Partner Program enables security consulting companies to install PTA on several workstations in their offices as well as at their clients' sites. The program enables risk experts to showcase their business and their capabilities. Consultants and end-users alike will be able to find world-class know-how and unique PTA-based risk assessment offerings from qualified partners on the PTA Qualified Partner directory.

Contact Marina Radinovsky for more details on how to join the PTA Qualified Partner Program.

Dec 18, 2007

The free PTA for PCI DSS 1.1 package is not just another checklist to keep the compliance policy at bay; it is a great way for any merchant to perform a risk assessment of their systems and protect customer payment card data. The package contains a baseline threat model, a PTA library and all the relevant PCI standard documentation organized as PTA Professional Edition attached documents.

The threat model is intended for use in self-assessments by PCI risk assessors. The library can also be used by Practical Threat Analysis professionals in order to integrate PCI DSS entities into their existing threat models and create an integrated risk model for the entire enterprise. Download the free PCI DSS 1.1 package and learn how to self-assess the risk to your business here: Using Practical Threat Analysis to attain PCI DSS 1.1 compliance.

*Note: to use Practical Threat Analysis freeware threat models or libraries you should have the PTA Professional Edition Risk Assessment tool installed on your computer.

May 17, 2007

The PTA for ISO 27001 package provides a systematic and extremely efficient means for performing ISO 27001 risk assessment and certification audits. The library enables a risk analyst to construct an economically-justified, cost-effective set of countermeasures that reduces risk in the customers’ business environment. Any sized firm can execute a "gentle" implementation plan of controls that fits their budget instead of an all-or-nothing checklist implementation (revised: September 2007).

Read how the Control Policy Group introduces the new freeware library for performing ISO 27001 risk assessment audits, automating ISO 27001 implementations and transforming compliance knowledge and data into effective mitigation actions.

Dec 08, 2006

The article Enterprise Software Risk Reduction with Practical Threat Analysis introduces a risk assessment scheme which embeds the PTA methodology and technology for mitigation of defects in enterprise legacy systems.

Reduction of defects in enterprise legacy systems can be a highly effective approach for reducing operational risk. The new scheme employs standard software vulnerability classifications and quantitative evaluation of how well removing defects reduces risk. The output of the process is financial justification for an effective risk mitigation plan. The plan includes the most cost-effective countermeasures that reduce the risk level to a minimum at a given capital and variable cost.

Mar 13, 2006

Extrusion Prevention Seminar - learn how to assess the risks in your operation and defend your corporate brand from cyber threats.

Today's most devastating attacks on the corporate brand are launched from within the company, by intruders who have compromised your PCs and servers as well as by trusted insiders with permissions to access your marketing plans and customer lists.

Combining Fidelis outgoing content monitoring technology with the Practical Threat Analysis risk assessment scheme and calculative methods enables planning and prioritization of countermeasures using actual ‘in-vivo’ data acquired from the company’s IT, networking and applications activities. The solution enables business management to quickly evaluate cyber and trusted-insider threats.

Feb 12, 2006

PTA Free Program for Security Consultants enables security consultants to use the PTA Professional Edition Risk Assessment tool in their risk analysis missions and add value to their service proposition. Experts can use the software to store and maintain their clients’ threat databases and to provide their customers with additional services such as security knowledge management, operational consulting and continuous optimization of countermeasures.

Nov 22, 2005

PTA Technologies has initiated a free program for students, researchers, software developers and security analysts. The program is intended to enhance the source base of PTA expertise and Practical Threat Analysis threat models and make them available to the wide community of engineers and security analysts world-wide. As a member of the PTA Free Program you may use, free of charge, a single instance of the PTA Professional Edition Risk Assessment tool for your professional aims.

You may submit your request to participate in PTA Free Program by sending us an email with the following registration details:

1) First and Last Name:
2) Address:
3) Phone:
4) Email:
5) Organization / College / University:
6) Job Title / Position / Academic Level:
7) The area of your profession:

In addition, please email us the “User Code 1” and “User Code 2” numbers as displayed in the “Registration” dialog box that opens when starting the trial version of PTA Professional Edition. (Press the “Yes” button in the dialog that asks if you would like to purchase a registration code.)

As soon as we process your registration details, we shall send you the unlock Registration Keys that extend the usage period of PTA. Read more on the PTA Free Program initiative.

Jan 20, 2005

The first published article on Practical Threat Analysis for the Software Industry in www.SecurityDocs.com presents the PTA calculative threat modeling and risk assessment methodology: the terminology, definitions and the detailed steps of the analysis process - you are invited to post your comments.

Click here for an extended and updated version of the article.
