...THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION Thesis Submitted in partial fulfillment of the requirements for the degree of MASTER OF TECHNOLOGY in COMPUTER SCIENCE & ENGINEERING - INFORMATION SECURITY by EBENEZER JANGAM (07IS02F) DEPARTMENT OF COMPUTER ENGINEERING NATIONAL INSTITUTE OF TECHNOLOGY KARNATAKA SURATHKAL, MANGALORE-575025 JULY, 2009 Dedicated To My Family, Brothers & Suraksha Group Members DECLARATION I hereby declare that the Report of the P.G Project Work entitled "THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" which is being submitted to the National Institute of Technology Karnataka, Surathkal, in partial fulfillment of the requirements for the award of the Degree of Master of Technology in Computer Science & Engineering - Information Security in the Department of Computer Engineering, is a bonafide report of the work carried out by me. The material contained in this report has not been submitted to any University or Institution for the award of any degree. ……………………………………………………………………………….. (Register Number, Name & Signature of the Student) Department of Computer Engineering Place: NITK, SURATHKAL Date: ............................ CERTIFICATE This is to certify that the P.G Project Work Report entitled " THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" submitted by Ebenezer Jangam (Register Number:07IS02F)...
Words: 18945 - Pages: 76
...different counter-measures in the event of any type of risk, threat, and/or vulnerabilities against the organizations daily operations and sensitive information. By combining both hardware devices and software applications will boost the effectiveness of security and preventing unauthorized access and effectively repulsing attacks. | Authority/Ownership | * Any information and sensitive contents contained in this document has been planned and developed by DLA Logistics Information Service and in which is the rightful owner of this document. All materials contained within this document is considered CLASSIFIED and is also copyrighted by DLA Logistics Information Service (DLIS). Any wrongful use of such material and/or reference to this document without the rightful expressed and written consent of the owner(s) may result in criminal prosecution. | Sections contained in DLIS Risk Management Plan | * Risk Management Overview * Planning and Implementation of Risk Management * Key Personnel Roles * Risk Assessment Plan * System Analysis and Characterization * Threat Identifications * Vulnerability Identifications * Control Analysis and Planning * Organization Impact Analysis * Risk Assessment and Determination * Control Recommendations * Collected Results * Risk Mitigation Plan * Mitigation Options and Solutions * Mitigation Strategies * Control Implementations *...
Words: 4166 - Pages: 17
...logical access controls to protect medication and funds maintained on the premises and personally identifiable information and protected health information of our customers. The immediate supervisor has tasked us with identifying inherent risks associated with this pharmacy and establishing physical and logical access control methods that will mitigate all risks identified. There are few basic things to be cognizant of as we carry out this task. Security is easiest to define by breaking it into pieces. An information system consists of the hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations. Information systems security is the collection of activities that protect the information system and the data stored in (Kim & Solomon 2012). We should also be aware of what we are up against. Cyberspace brings new threats to people and organizations. People need to protect their privacy. Businesses and organizations are responsible for protecting both their intellectual property and any personal or private data they handle. Various laws require organizations to use security controls to protect private and confidential data. Recent U.S. laws related to information security include the following: Federal Information Security Management Act (FISMA) which requires federal civilian agencies to provide security controls over resources that support federal operations; Sarbanes-Oxley Act (SOX) which requires...
Words: 3283 - Pages: 14
...Investigators LLP From: xxx Date: xxx Re: Cyber Security Analysis This memorandum has been written to outline the current threats facing the XYZ Private Investigation LLP and possible mitigation steps for them. The Cyber Security Analysis was requested and approved by John Smith and the areas reviewed were the production server, client workstations and the web server. Each of these areas were carefully looked at, in some cases employee follow-ups were made to prior complaints and a derivative of the top five threats were documented. The first area of concern is the production server used on a daily basis by your organization and contains vital information to your organization, as well as confidential and personal information about your clients. This server would be an attacker’s main target as it is the central location for data that could prove to be fruitful to an attacker. This area of concern was examined and the top five threats identified were virus protection, backdoor vulnerabilities, system updates and/or patching, physical security and logical security. Production Server The production server is generally a server that runs many crucial services for the daily operations of the network to include active directory and domain name services to name a few. Therefore by not having antivirus software on this system it can be a potential hazard to not only the services, by the data being stored here. Antivirus software today helps protect systems again malicious attacks...
Words: 2014 - Pages: 9
...District Master Plan for the Chabot College campus new construction and building improvements. To develop the Security Master Plan, CATALYST has first performed numerous site surveys and interviews, analyzed crime index data, reviewed the relevant technologies, and assessed the campus physical environment to define the risks and vulnerabilities that need to be addressed for a long-term vision of campus security. From this goal set, CATALYST has developed the guidelines and recommendations for the District to standardize the approach and cost of physical security on their campuses. The Security Master Plan will include the topic sections listed in the outline following. The primary intent of the Security Master Plan is to define security mitigation standards that integrate efficiently with new building construction and building improvements, saving upgrade costs today by planning for the campus of tomorrow. By first prioritizing the identified campus risks, and then using a multi-faceted approach from the key areas of physical environment, security staffing, and feasible technology, CATALYST will present a clear security philosophy to guide the selection and implementation of campus security upgrades. The Security Master Plan will be developed to address long-term system compatibility, communication...
Words: 1345 - Pages: 6
...identifying vulnerabilities and threats to information resources used by a company in reaching business objectives and deciding what measures to take in reducing risk to an acceptable level. An effectual risk management process is an essential component of a successful IT security program. The paramount goal of an organization's risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. With that in mind, the risk management process should not be treated primarily as a technical function by IT experts, but rather as an essential management function of the organization. The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management . “Effective risk management begins with a clear understanding of the organization's appetite for risk2. This drives all risk management efforts and impacts future investments in technology. Risk management encompasses four key elements: Risk identification, risk mitigation, risk acceptance, and risk analysis. When these elements are evaluated...
Words: 3059 - Pages: 13
... There are a myriad of potential threats and vulnerabilities that leave a system open to malicious attack, anytime you have a computer network that connects to the internet there is a potential for malicious attack so it is important that you know the vulnerabilities of a system to protect it from potential threats and malicious attacks. “A vulnerability is any weakness in a system that makes it possible for a threat to cause harm.” (Kim & Solomon, 2012, p. 96). There are several common vulnerabilities that exist within the seven domains of an IT infrastructure for example there is the lack of awareness or concern for security policy vulnerability in the User Domain as well as intentional malicious activity ( Kim & Solomon, 2012). Within the Workstation Domain there exists unauthorized user access, weakness in installed software, and malicious software introduced vulnerabilities, unauthorized network access, transmitting private data unencrypted, spreading malicious software, exposure and unauthorized access of internal resources to the public, introduction of malicious software, loss of productivity due to internet access, denial of service attacks, brute-force attacks on access and private data are all examples of vulnerabilities within the seven domains of IT infrastructure which are User, Workstation, LAN, LAN-to WAN, WAN, Remote Access, and System/Application Domains (Kim & Solomon, 2012). Threats can cause great harm or damage to computer systems through...
Words: 705 - Pages: 3
...Risk Management Principles CMGT/430 INTRODUCTION Riordan Manufacturing is a company that is commited to handling their business in an ethical and logical manner. In order to provide the proper risk management plan for the company there needs to be a conference with all of management and stakeholders to get an oversight on the company and what it needs for mitigation control and risk management. The company needs to reconsider getting input from internal auditors, external auditors and outsources. Management will also need to get all of the department heads and key people together to discuss all of the initial assessments of the risk management capabilities and how effective it can be on the network/system. This assessment will be able to decide rather to have or continue with a more in tune risk management plan. There is also the need to discuss how to make the plan stronger for the company and how the analysts should focus on the risk management mitigation for Riordan manufacturing. Risk Management Principles Riordan Manufacturing is a corporation that is consistent of many different businesses. This new plan that needs to be implemented will help each business to deal with and handle their everyday risks and teach them how to make the proper decisions on what can or could be done. In order for this new plan to be implemented, eack business will have to be able to weigh out the risks with the strategies and be able to know and choose the proper decision when responding...
Words: 1084 - Pages: 5
...Risk Prioritization and Mitigation Project Plan Definition White Hat Inc will develop a risk prioritization and mitigation plan per instructions in the RFP. White Hat Inc will define risks as their priority to the company in terms of their impact on the company. White Hat will also help to define mitigation plans to resolve these risks. We will use several factors to prioritize risk and place each risk into one of three categories High, Medium and Low. To determine what category each risk will be placed we will use the following set of questions and definitions: • Define the Risk • Impact of the Risk on Physical or network aspect of the business • Cost of the Risk • Impact on Compliance • Recovery time and cost of lost business Throughout our audit we will generate several reports on the current status of IT security for The State. To Prioritize Risks for The State faces we will review these reports that include: • IT Security Compliance and Governance Gap Analysis • Data Privacy Legal Requirements and Compliance Requirements • Security Assessment • Data Privacy Security Gap • Security Assessment and Risk Identification • Qualitative Risk Assessment Definition of Risk Categories: • High- exploit of vulnerability that has a high cost to the organization's mission and reputation. This could also entail a risk of death or injury to humans. • Medium- exploit of a vulnerability where the cost of a resource would cause notable loss to the organization's mission...
Words: 590 - Pages: 3
...more susceptible to these threats because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals. In addition, the number of individuals with computer skills is increasing, and intrusion, or “hacking,” techniques are becoming more widely known via the Internet and other media. Arisk assessment is not about creating huge amounts of paperwork , but rather about identifying sensible measures to control the risks in your workplace. You are probably already taking steps to protect your employees, but your risk assessment will help you decide whether you have covered all you need to. Think about how accidents and ill health could happen and concentrate on real risks – those that are most likely and which will cause the most harm. For some risks, other regulations require particular control measures. Your assessment can help you identify where you need to look at certain risks and these particular control measures in more detail. These control measures do not have to be assessed separately but can be considered as part of, or an extension of, your overall risk assessment. Although all elements of the risk management cycle are important, risk assessments provide the foundation for other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important...
Words: 3691 - Pages: 15
...<Project Name> Risk Management Plan <Insert Project Logo here> <Month, Year> Health and Human Services Agency, Office of Systems Integration | Revision History Revision History | Revision/WorkSite # | Date of Release | Owner | Summary of Changes | SID Docs #3164v4 | 06/23/2004 | SID - PMO | Initial Release | OSIAdmin 3283 | 08/29/2008 | OSI - PMO | Major revisions made. Incorporated tailoring guide information into this template | Remove template revision history and insert Project Risk Management Plan revision history. Approvals Name | Role | Date | | | | Insert Project Approvals here. Template Instructions: This template is color coded to differentiate between boilerplate language, instructions, sample language, and hyperlinks. In consideration of those reviewing a black and white hard copy of this document we have also differentiated these sections of the document using various fonts and styles. Details are described below. Please remove the template instructions when the document is finalized. Standard boilerplate language has been developed for this management plan. This language is identified in black Arial font and will not be modified without the prior approval of the OSI Project Management Office (PMO). If the project has identified a business need to modify the standard boilerplate language, the request must be communicated to the PMO for review. Instructions for using this template are provided in purple Arial font...
Words: 10663 - Pages: 43
...our networks on a daily basis. DLIS we must ensure that we implement all necessary preventative security measures as well as policies and procedures. We must do this by first of all ensuring that we have really good antivirus software installed on all of our systems and ensuring that it is always up to date. The next thing is extensively configuring our firewalls making it more difficult for our networks to be hacked. Another thing is data encryption which is very vital in securing all important data for our company and clients especially when we are performing data transmission over the networks. The last thing I want to mention which will be part of policies and procedure is implementing various password and logon policies and procedures for security purposes as well. As I stated the purpose of the development of this plan is to reduce the risk of threats and vulnerabilities on our networks. This is vital because threats and vulnerabilities definitely present risk(s) to any important company and client data. We also must ensure that all DLIS employees are thoroughly trained on all policies and procedures concerning possible risks, threats, and vulnerabilities that could occur. Another thing that we must always consider DLIS that a threat is always present and is never completely removed! However with these policies and procedures in place it will definitely...
Words: 2058 - Pages: 9
...Risk Management Plan Project Name: IS305 Project Manager: Paul Bettinger Date: October 1, 2013 RISK management PLAN INTRODUCTION 2 PURPOSE AND SCOPE 2 RISK MANAGEMENT PLANNING 3 RISK MANAGEMENT ASSIGNMENTS 6 RISK MANAGEMENT TIMELINE 7 MITIGATION PLAN Introduction 8 Cosiderations 8 Prioritizing 9 Cost benefit analysis 10 Implementation 11 Follow-up 11 Buisness impact analysis Introduction 12 Scope 12 PURPOSE AND objectives 13 Steps of bia 13 final review 15 BUSINESS CONTINUITY PLAN Introduction 16 oBJECTIVES 16 BCP PLANNING 17 PLAN UPDATES AND TRAINING 21 computer incident response team Introduction 22 Purpose 22 elements of the plan 23 incident handling process 23 cirt members 23 detection 24 containment 24 recovery and review 24 cirt policies 25 FINAL THOUGHT RISK MANAGEMENT PLAN INTRODUCTION A risk management plan is a process for identifying, assessing, and prioritizing risks that could cause the company a loss. Identifying these risks, threats and vulnerabilities and taking action to prevent or control them now and in the future. Creating a risk management consists of measuring and prioritizing risks involved and taking actions to reduce any loss the company may encounter. Being that indirectly we work with the Department of Defense, which as you knows is a department of the United States Government dealing with national security, a well-developed risk management plan is of the upmost importance. Without updating...
Words: 5009 - Pages: 21
...Committees June 2015 INSIDER THREATS DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems GAO-15-544 June 2015 INSIDER THREATS DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems Highlights of GAO-15-544, a report to congressional committees. Why GAO Did This Study What GAO Found Since 2010, the United States has suffered grave damage to national security and an increased risk to the lives of U.S. personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the President have issued requirements for structural reforms and a new program to address insider threats. The Department of Defense (DOD) components GAO selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance, and leading practices recommended by the National Insider Threat Task Force. However, the components...
Words: 17616 - Pages: 71
...Edgar Pavon-Hernandez American Military University Case Study Phase I Defining risk to an organization means identifying which assets are susceptible to a threat. This threat can cause damage to a company or can be costly. The most important aspect is to mitigate risk to keep tangible and intangible costs low. For example Amazon.com is an online shopping website. Because it is a website its revenue is from online orders. In the following sentences I will go over a few things which can be potential risk to the site. A risk to the company, Amazon.com, could be a hacker gaining unauthorized access to the websites server. The hacker could then begin attacking other servers within the site. If the main server as well as back up servers were to become infected and be brought offline. Another example could be a disgruntle employee who sells personal information which includes names, date of birth, credit card numbers as well as email addresses and passwords. Both of the above mentioned risks can cause the company damage in loss of revenue, which would be a tangible cost. But on the more serious side, the site would lose customers. This is the intangible costs. Because loyalty is an aspect of customers that cannot be bought or sold. Regaining lost customers due to a risk becoming a threat causes the site to have to take different measures to attempt to regain the lost customers. Another area that is susceptible to risk is the shipping department. Protecting the...
Words: 1450 - Pages: 6
