Objectives:
Understand and apply the recommended guidance for threat modeling concepts and
methodologies through your daily practice as an information security professional.
External Resources:
The calculation always produces a number between 0 and 10; the higher the number,
the more serious the risk.
P.A.S.T.A. - Process for Attack Simulation and Threat Analysis (PASTA). A seven-step
process for aligning business objectives and technical requirements, taking into
account compliance issues and business analysis. It provides a dynamic threat
identification, enumeration, and scoring process. Once the threat model is
completed, security subject matter experts develop a detailed analysis of the
identified threats. Finally, appropriate security controls can be enumerated.
Trike - Threat models are used to satisfy the security auditing process. Threat
models are based on a “requirements model.” The requirements model establishes the
stakeholder-defined “acceptable” level of risk assigned to each asset class.
Analysis of the requirements model yields a threat model from which threats are
enumerated and assigned risk values. The completed threat model is used to
construct a risk model based on assets, roles, actions, and calculated risk exposure.
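As an added illustration (not Trike's own tooling or scoring), the constructed Python model below shows how a requirements model with stakeholder-set acceptable risk per asset class feeds threat enumeration and then a risk model of assets, roles, actions and calculated exposure; the roles, assets, the 1-5 likelihood/impact scale and the thresholds are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

ACTIONS = ("create", "read", "update", "delete")
ROLES = ("patient", "clinician", "auditor")
ASSETS = ("medical_record", "audit_log")

# Constructed requirements model (hypothetical system): which role is intended
# to perform which action on which asset. Anything absent is not sanctioned.
INTENDED = {
    ("patient", "medical_record"): {"read"},
    ("clinician", "medical_record"): {"create", "read", "update"},
    ("auditor", "audit_log"): {"read"},
}

# Stakeholder-defined acceptable risk per asset class. Exposure is scored as
# likelihood (1-5) x impact (1-5); this scale is assumed for the example.
ASSET_CLASS = {"medical_record": "confidential", "audit_log": "tamper_evident"}
ACCEPTABLE = {"confidential": 6, "tamper_evident": 4}


@dataclass(frozen=True)
class Threat:
    role: str
    asset: str
    action: str


def enumerate_threats(intended=INTENDED, roles=ROLES, assets=ASSETS, actions=ACTIONS):
    """Threat model: every role/asset/action triple the requirements model does
    not sanction is a candidate threat (an unintended action against an asset)."""
    return [Threat(r, a, act) for r, a, act in product(roles, assets, actions)
            if act not in intended.get((r, a), set())]


def build_risk_model(threats, estimates, asset_class=ASSET_CLASS, acceptable=ACCEPTABLE):
    """Risk model: exposure = likelihood x impact, compared with the acceptable
    level of the asset's class. A threat nobody has estimated defaults to the
    worst case (5, 5) so an unscored threat can never silently pass review."""
    model = []
    for t in threats:
        likelihood, impact = estimates.get(t, (5, 5))
        exposure = likelihood * impact
        limit = acceptable[asset_class[t.asset]]
        model.append((t, exposure, exposure > limit))
    return model


def unacceptable(threats, estimates):
    """Threats whose calculated exposure exceeds the stakeholder threshold."""
    return [t for t, _, exceeds in build_risk_model(threats, estimates) if exceeds]
```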
VAST - Visual, Agile, and Simple Threat modeling. Focuses on the necessity of
scaling the threat modeling process across the infrastructure and entire SDLC, and
integrating it seamlessly into an Agile software development methodology. The
methodology seeks to provide actionable outputs for the unique needs of various
stakeholders: application architects and developers, cybersecurity personnel, and
senior executives.
AS/NZS 4360:2004 Risk Management - the world’s first formal standard for
documenting and managing risk.
1. Establish Context: Establish the risk domain, i.e., which assets/systems are
important?
2. Identify the Risks: Within the risk domain, what specific risks are apparent?
3. Analyze the Risks: Look at the risks and determine if there are any supporting
controls in place.
5. Treat the Risks: Describe the method to treat the risks so that risks selected
by the business will be mitigated.
Note: AS/NZS 4360 assumes that risk will be managed by an operational risk group,
and that the organization has adequate skills and risk management resources in
house to identify, analyze, and treat the risks.