Kindle Notes & Highlights by Mike Chapple
Started reading February 12, 2020
Standards define compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization.
A baseline defines a minimum level of security that every system throughout the organization must meet. A baseline is a more operationally focused form of a standard.
A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
Focused on Assets: This method uses asset valuation results and attempts to identify threats to the valuable assets.
Focused on Attackers: Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker’s goals.
Focused on Software: If an organization develops software, it can consider potential threats against the software.
Microsoft developed a threat categorization scheme known as the STRIDE threat model. STRIDE is often used in relation to assessing threats against applications or operating systems.
Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage (Figure 1.7) threat modeling methodology.
Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions.
Visual, Agile, and Simple Threat (VAST) is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment on a scalable basis.
Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements.
Damage potential:
Reproducibility:
Exploitability:
Affected users:
Discoverability:
Third-Party Audit: Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity’s security infrastructure, based on Service Organization Control (SOC) reports.
The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality.
Data classification is the primary means by which data is protected based on its secrecy, sensitivity, or confidentiality. Because some data items need more security than others, it is inefficient to treat all data the same when designing and implementing a security system. If everything is secured at a low security level, sensitive data is easily accessible, but securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and

