attack trees security
play

Attack Trees, Security modelling for Agile Teams Michael - PowerPoint PPT Presentation

Mar 28, 2023 •108 likes •770 views

Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant Michael Brunton-Spall @bruntonspall Why Security Matters Michael Brunton-Spall

  1. Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall

  2. Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant Michael Brunton-Spall @bruntonspall

  3. Why Security Matters Michael Brunton-Spall @bruntonspall

  4. Michael Brunton-Spall @bruntonspall 05/03/2018 4

  5. Michael Brunton-Spall @bruntonspall 05/03/2018 5

  6. Michael Brunton-Spall @bruntonspall 05/03/2018 6

  7. Michael Brunton-Spall @bruntonspall 05/03/2018 7

  8. Criminal users on the internet Michael Brunton-Spall @bruntonspall

  9. Michael Brunton-Spall @bruntonspall

  10. Michael Brunton-Spall @bruntonspall

  11. Advanced Persistent Threats Michael Brunton-Spall @bruntonspall

  12. Michael Brunton-Spall @bruntonspall

  13. Michael Brunton-Spall @bruntonspall

  14. Security is not compliance Michael Brunton-Spall @bruntonspall

  15. Certification Accreditation PCI ISO27001 Michael Brunton-Spall @bruntonspall

  16. Michael Brunton-Spall @bruntonspall 05/03/2018 18

  17. Michael Brunton-Spall @bruntonspall 05/03/2018 19

  18. Agile principles Michael Brunton-Spall @bruntonspall

  19. In Individuals and in interactions over processes and tools Work rking soft ftware over comprehensive documentation Customers collaboration over contract negotiation Responding to change over following a plan Michael Brunton-Spall @bruntonspall

  20. Risk methodologies Michael Brunton-Spall @bruntonspall

  21. Component based Michael Brunton-Spall @bruntonspall

  22. IS1, ISO27005, NIST SP-800-30 Michael Brunton-Spall @bruntonspall

  23. System based Michael Brunton-Spall @bruntonspall

  24. TOGAF, SABSA, Attack Trees Michael Brunton-Spall @bruntonspall

  25. Component Pro’s Thorough, Exhaustive, Objective Michael Brunton-Spall @bruntonspall

  26. Systemic – Pro’s Subjective, Holistic, Interaction focused Michael Brunton-Spall @bruntonspall

  27. Simple Systems – A bike Michael Brunton-Spall @bruntonspall

  28. Complicated systems – A car Michael Brunton-Spall @bruntonspall

  29. Complex Systems - Traffic Michael Brunton-Spall @bruntonspall

  30. We don’t solve motorway congestion by assuring tires Michael Brunton-Spall @bruntonspall

  31. Attack trees Michael Brunton-Spall @bruntonspall

  32. Business needs System Scope Threats Attack Tree Workshop Michael Brunton-Spall @bruntonspall

  33. Understand the business Michael Brunton-Spall @bruntonspall

  34. Work out what’s in scope Michael Brunton-Spall @bruntonspall

  35. Understand the threats Michael Brunton-Spall @bruntonspall

  36. The Workshop Michael Brunton-Spall @bruntonspall

  37. Who are the attackers? Michael Brunton-Spall @bruntonspall

  38. What do they want? Michael Brunton-Spall @bruntonspall

  39. How will they get it? Michael Brunton-Spall @bruntonspall

  40. Workshop the attacks Michael Brunton-Spall @bruntonspall 05/03/2018 42

  41. Build trees Michael Brunton-Spall @bruntonspall 05/03/2018 43

  42. Breadth first Michael Brunton-Spall @bruntonspall

  43. Understand impact of attacks Michael Brunton-Spall @bruntonspall

  44. Ranking 1-6, often order of magnitude increase Michael Brunton-Spall @bruntonspall

  45. Cost to the attacker Michael Brunton-Spall @bruntonspall

  46. Complexity of the attack Michael Brunton-Spall @bruntonspall

  47. Consequences on the attacker Michael Brunton-Spall @bruntonspall

  48. Reward to the attacker Michael Brunton-Spall @bruntonspall

  49. Damage to the organisation Michael Brunton-Spall @bruntonspall

  50. How often can it be repeated Michael Brunton-Spall @bruntonspall

  51. Michael Brunton-Spall @bruntonspall 05/03/2018 53

  52. Post workshop Michael Brunton-Spall @bruntonspall

  53. Determine countermeasures Michael Brunton-Spall @bruntonspall

  54. In place and planned Michael Brunton-Spall @bruntonspall

  55. Planned countermeasures go on the backlog Michael Brunton-Spall @bruntonspall

  56. Repeat as needed Michael Brunton-Spall @bruntonspall

  57. Fitting into the agile cycle Michael Brunton-Spall @bruntonspall

  58. Workshop with whole team* Michael Brunton-Spall @bruntonspall

  59. Visible outputs for walls Michael Brunton-Spall @bruntonspall

  60. Threat Actor Personas Michael Brunton-Spall @bruntonspall

  61. Misuse cases Michael Brunton-Spall @bruntonspall

  62. Record decisions against stories Michael Brunton-Spall @bruntonspall

  63. Record deferred security debt Michael Brunton-Spall @bruntonspall

  64. Product Owner is in control Michael Brunton-Spall @bruntonspall

  65. Attack Trees: System based risk methodology, for the whole team, iteratively updated Michael Brunton-Spall @bruntonspall

  66. Any questions? @bruntonspall michael@brunton-spall.co.uk Michael Brunton-Spall @bruntonspall

Recommend

Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems and Internet Infrastructure Security (SIIS)

1.06k views • 60 slides
Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i . i o FARSIGHT SECURITY DISCUSSION POINTS Attack Trends A Historical View Attack Vectors in Recent Years Evolution of Mitigation

634 views • 29 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with

Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with

Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with Mathieu Acher and Didier Vojtisek Universit e de Rennes 1 GraMSec, 13 July 2015 Outline Introductory example 1 Goal decomposition High-level

798 views • 32 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering

790 views • 39 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees

( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees

B- B -Trees Trees B B- -Trees Trees Search for key R ( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees Trees Each Disk-Read or Disk-Write = one Basic unit of work O(1) Typical Node x

287 views • 4 slides
Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim, Simon Rehwald, Antoine Scemama, Florian Andres, Alexander Pretschner Technische Universitt Mnchen Department of Informatics Chair of Software

512 views • 24 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing

Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing

Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing Attack An email address that tries to disguise itself as legitimate Outlook Team <msOutlook@outlook.com> Confirm Acount Details Hello

108 views • 7 slides
AFIIA 2017 Cyber Attack Demonstration Overview of Information Security Information Security

AFIIA 2017 Cyber Attack Demonstration Overview of Information Security Information Security

5/30/2017 Presentation Outline Cyber Security - Safeguarding your IT Environment Cyber Attack Demonstration Overview of Information Security Situational Analysis of Current Attacks Wednesday, May 17, 2017 @ AFIIA Conference, 2017

498 views • 5 slides
THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION Marcello Salvati - @byt3bl33d3r - https://github.com/byt3bl33d3r - Lead researcher @coalfirelabs - Years of experience building open source security

657 views • 38 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and defense at host machines Applications written in C and C++ Violations of memory safety Web security now Attacking web services

830 views • 37 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides

More recommend