Practical_Risk_Analysis_and_Threat_Modeling_v.1.0

Practical Risk Analysis and Threat Mode

This spreadsheet is intended to help consolidate your notes when performing an informal risk analysis and remediation project. It goes with an explanatory article found here: http://blogs.sans.org/windows-security/

Step 1: Make A List of What You Are Trying To Protect For This Project
Step 2: Draw A Diagram and Add Notes
Step 3: Make A List of Your Adversaries and What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability and Potential Damage
Step 6: Brainstorm Countermeasures and Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot, and Repeat

Types of Threats

Denial of Service: How can I crash the server? Run the CPUs near 100%? Consume all the free hard drive space? Consume free memory? Prevent legitimate users from conn
Authentication: How can I log on as a legitimate user? Sniff credentials off the wire? Hijack a user's existing session? Trick the server into using a less secure authenticatio
Elevation of Privilege: If I can authenticate as a regular user, how do I execute commands with elevated privileges? Even if I cannot authenticate, how do I run commands with standa
Disclosure: How do I trick the server into revealing the information I want in plaintext form? How do I get the server to reveal the location of the data I want? How do I crack
Tampering: How do I make and save changes to my target database, file, encryption key, registry value, session, or other data structure? How do I make the change so tha
Malware Installation: How do I get malware of my choice running on the server? How do I upload files or trick the server into downloading files of my choice? How do I construct a s
Stealth and Repudiation: How do I edit or delete log data after my attack? How can I hide my packets/commands/data from inspection by firewalls, IDS/IPS sensors, or security staff who
Social Engineering: And for all categories of attack, how do I use Social Engineering (SE) tricks to make the attacks work or be even more effective? SE is often both forgotten and

Potential Damage

Legal Damage: How bad would the legal liability be if the attack succeed
Reputation Damage: How bad would the damage be to image and trust?
Productivity Damage: How bad would the damage be for user productivity?

Probability of Threat

Discoverability: How easy would it be to find the vulnerability or targets?
Exploitability: How easy is the attack in terms of skills and resources n
Stealthiness: How difficult would it be for IT to detect the attack?
Repeatability: How easy would it be to successfully repeat the attack a

This document was uploaded on 12/05/2009.
