attack trees security
play

Attack Trees, Security modelling for Agile Teams Michael - PowerPoint PPT Presentation

Mar 28, 2023 •108 likes •770 views

Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant Michael Brunton-Spall @bruntonspall Why Security Matters Michael Brunton-Spall

  1. Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall

  2. Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant Michael Brunton-Spall @bruntonspall

  3. Why Security Matters Michael Brunton-Spall @bruntonspall

  4. Michael Brunton-Spall @bruntonspall 05/03/2018 4

  5. Michael Brunton-Spall @bruntonspall 05/03/2018 5

  6. Michael Brunton-Spall @bruntonspall 05/03/2018 6

  7. Michael Brunton-Spall @bruntonspall 05/03/2018 7

  8. Criminal users on the internet Michael Brunton-Spall @bruntonspall

  9. Michael Brunton-Spall @bruntonspall

  10. Michael Brunton-Spall @bruntonspall

  11. Advanced Persistent Threats Michael Brunton-Spall @bruntonspall

  12. Michael Brunton-Spall @bruntonspall

  13. Michael Brunton-Spall @bruntonspall

  14. Security is not compliance Michael Brunton-Spall @bruntonspall

  15. Certification Accreditation PCI ISO27001 Michael Brunton-Spall @bruntonspall

  16. Michael Brunton-Spall @bruntonspall 05/03/2018 18

  17. Michael Brunton-Spall @bruntonspall 05/03/2018 19

  18. Agile principles Michael Brunton-Spall @bruntonspall

  19. In Individuals and in interactions over processes and tools Work rking soft ftware over comprehensive documentation Customers collaboration over contract negotiation Responding to change over following a plan Michael Brunton-Spall @bruntonspall

  20. Risk methodologies Michael Brunton-Spall @bruntonspall

  21. Component based Michael Brunton-Spall @bruntonspall

  22. IS1, ISO27005, NIST SP-800-30 Michael Brunton-Spall @bruntonspall

  23. System based Michael Brunton-Spall @bruntonspall

  24. TOGAF, SABSA, Attack Trees Michael Brunton-Spall @bruntonspall

  25. Component Pro’s Thorough, Exhaustive, Objective Michael Brunton-Spall @bruntonspall

  26. Systemic – Pro’s Subjective, Holistic, Interaction focused Michael Brunton-Spall @bruntonspall

  27. Simple Systems – A bike Michael Brunton-Spall @bruntonspall

  28. Complicated systems – A car Michael Brunton-Spall @bruntonspall

  29. Complex Systems - Traffic Michael Brunton-Spall @bruntonspall

  30. We don’t solve motorway congestion by assuring tires Michael Brunton-Spall @bruntonspall

  31. Attack trees Michael Brunton-Spall @bruntonspall

  32. Business needs System Scope Threats Attack Tree Workshop Michael Brunton-Spall @bruntonspall

  33. Understand the business Michael Brunton-Spall @bruntonspall

  34. Work out what’s in scope Michael Brunton-Spall @bruntonspall

  35. Understand the threats Michael Brunton-Spall @bruntonspall

  36. The Workshop Michael Brunton-Spall @bruntonspall

  37. Who are the attackers? Michael Brunton-Spall @bruntonspall

  38. What do they want? Michael Brunton-Spall @bruntonspall

  39. How will they get it? Michael Brunton-Spall @bruntonspall

  40. Workshop the attacks Michael Brunton-Spall @bruntonspall 05/03/2018 42

  41. Build trees Michael Brunton-Spall @bruntonspall 05/03/2018 43

  42. Breadth first Michael Brunton-Spall @bruntonspall

  43. Understand impact of attacks Michael Brunton-Spall @bruntonspall

  44. Ranking 1-6, often order of magnitude increase Michael Brunton-Spall @bruntonspall

  45. Cost to the attacker Michael Brunton-Spall @bruntonspall

  46. Complexity of the attack Michael Brunton-Spall @bruntonspall

  47. Consequences on the attacker Michael Brunton-Spall @bruntonspall

  48. Reward to the attacker Michael Brunton-Spall @bruntonspall

  49. Damage to the organisation Michael Brunton-Spall @bruntonspall

  50. How often can it be repeated Michael Brunton-Spall @bruntonspall

  51. Michael Brunton-Spall @bruntonspall 05/03/2018 53

  52. Post workshop Michael Brunton-Spall @bruntonspall

  53. Determine countermeasures Michael Brunton-Spall @bruntonspall

  54. In place and planned Michael Brunton-Spall @bruntonspall

  55. Planned countermeasures go on the backlog Michael Brunton-Spall @bruntonspall

  56. Repeat as needed Michael Brunton-Spall @bruntonspall

  57. Fitting into the agile cycle Michael Brunton-Spall @bruntonspall

  58. Workshop with whole team* Michael Brunton-Spall @bruntonspall

  59. Visible outputs for walls Michael Brunton-Spall @bruntonspall

  60. Threat Actor Personas Michael Brunton-Spall @bruntonspall

  61. Misuse cases Michael Brunton-Spall @bruntonspall

  62. Record decisions against stories Michael Brunton-Spall @bruntonspall

  63. Record deferred security debt Michael Brunton-Spall @bruntonspall

  64. Product Owner is in control Michael Brunton-Spall @bruntonspall

  65. Attack Trees: System based risk methodology, for the whole team, iteratively updated Michael Brunton-Spall @bruntonspall

  66. Any questions? @bruntonspall michael@brunton-spall.co.uk Michael Brunton-Spall @bruntonspall

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems and Internet Infrastructure Security (SIIS)

1.06k views • 60 slides
Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i .

Effective Security Going Back To The Basics M e r i k e K a e o , C T O m e r i k e @ f s i . i o FARSIGHT SECURITY DISCUSSION POINTS Attack Trends A Historical View Attack Vectors in Recent Years Evolution of Mitigation

634 views • 29 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with

Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with

Assisted Generation of Attack Trees : the ATSyRAprototype Sophie Pinchinat joint work with Mathieu Acher and Didier Vojtisek Universit e de Rennes 1 GraMSec, 13 July 2015 Outline Introductory example 1 Goal decomposition High-level

798 views • 32 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering

790 views • 39 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees

( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees

B- B -Trees Trees B B- -Trees Trees Search for key R ( ( ) ) ( ) ( ) = = Work = h log t n B- B -Trees Trees B B- -Trees Trees Each Disk-Read or Disk-Write = one Basic unit of work O(1) Typical Node x

287 views • 4 slides
Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim, Simon Rehwald, Antoine Scemama, Florian Andres, Alexander Pretschner Technische Universitt Mnchen Department of Informatics Chair of Software

512 views • 24 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
@futomi futomi.hatano http://newphoria.co.jp/ Screen Everywhere T elevision at home Washstand

@futomi futomi.hatano http://newphoria.co.jp/ Screen Everywhere T elevision at home Washstand

@futomi futomi.hatano http://newphoria.co.jp/ Screen Everywhere T elevision at home Washstand at home Motorway/ In-car devices Bus stop Shopping centre School http://www.w3.org/community/websignage/ We hope that you will be joining

452 views • 17 slides
Motorway Marketing- What can we learn? Adam Oldfield Founder of Force24 (2010 - present) 20

Motorway Marketing- What can we learn? Adam Oldfield Founder of Force24 (2010 - present) 20

Motorway Marketing- What can we learn? Adam Oldfield Founder of Force24 (2010 - present) 20 years + supporting marketing departments With 4000 users and counting. 2020 has already been a big year, with the team announcing it had reached

584 views • 21 slides
Institute for Information Transmission Problems Russian Academy of Sciences 1 ETAP

Institute for Information Transmission Problems Russian Academy of Sciences 1 ETAP

Experiments on human incremental parsing Leonid Mityushin Leonid Iomdin Laboratory of Computational Linguistics Institute for Information Transmission Problems Russian Academy of Sciences 1 ETAP multilingual multifunctional

636 views • 36 slides
Discrete probability CS 330 : Discrete structures : do un ) the extent to which an event is likely

Discrete probability CS 330 : Discrete structures : do un ) the extent to which an event is likely

Discrete probability CS 330 : Discrete structures : do un ) the extent to which an event is likely " probability " to occur , measured by the ratio of the favorable cases to the whole number of ) cases possible ( New Oxford American

689 views • 64 slides
Traffic Switch onto TG Alignment November 2020 Mackays Crossing Stage 1: Southbound on TG,

Traffic Switch onto TG Alignment November 2020 Mackays Crossing Stage 1: Southbound on TG,

Traffic Switch onto TG Alignment November 2020 Mackays Crossing Stage 1: Southbound on TG, Northbound stays as is TG Northbound onramp Future TG Motorway Traffic Switch onto TG Alignment November 2020 Mackays Crossing Stage 2: Switch

49 views • 4 slides
Webinar: A63 Castle Street Improvement Scheme, Hull James Leeming, Senior Project Manager,

Webinar: A63 Castle Street Improvement Scheme, Hull James Leeming, Senior Project Manager,

Webinar: A63 Castle Street Improvement Scheme, Hull James Leeming, Senior Project Manager, Highways England Sonam Norbu, Structures Lead, Arup Adriaan Van Den Berg, Highways Lead, Arup Cameras and microphones off please until q&a! A63

460 views • 26 slides
NEW HOMES Gerald Kells, Strategic Policy and Campaigns Advisor 1. Numbers Matter Gerald Kells,

NEW HOMES Gerald Kells, Strategic Policy and Campaigns Advisor 1. Numbers Matter Gerald Kells,

TRANSPORT FOR NEW HOMES Gerald Kells, Strategic Policy and Campaigns Advisor 1. Numbers Matter Gerald Kells, Strategic Policy and Campaigns Advisor 300,000 Gerald Kells, Strategic Policy and Campaigns Advisor Demand: Black Country Plan

361 views • 20 slides
Another Excursion Trail Ridge Road provides spectacular view of the majestic scenery of RMNP.

Another Excursion Trail Ridge Road provides spectacular view of the majestic scenery of RMNP.

Another Excursion Trail Ridge Road provides spectacular view of the majestic scenery of RMNP. It is the highest continuous motorway in the United States, with more than eight miles lying above 11,000' and a maximum elevation of 12,183

910 views • 71 slides

More recommend