Test Prioritization in Security Risk Testing
1 Test Prioritization in Security Risk Testing
36th GI-TAV meeting, June, Leipzig, Germany
Michael Berger, Fraunhofer FOKUS Institute (RASEN project)
2 IT SECURITY RISK ASSESSMENT AND TESTING
3 IT security risk definition
- The potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization (source: ISO 27000)
- Risk = Likelihood * Consequence
4 Risk assessment (ISO / 2009)
- Risk identification: identifying sources of risk, areas of impact, events, their causes and their potential consequences
- Risk analysis: comprehending the nature of risk and determining the level of risk
- Risk evaluation: comparing the results of risk estimation with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Risk treatment: modifying risk by avoidance or mitigations
5 Dynamic test process (DRAFT ISO )
- Test planning: determining the test strategy, resource planning
- Test design: deriving the test cases and test procedures
- Test implementation: realizing the executable test scripts
- Test execution: running the test procedures resulting from the test design and implementation phases
- Test reporting: managing the test incidents and the test results
6 Optimizing security testing activities
Security testing phases: test planning, test design, test implementation, test execution, test reporting.
The security risk assessment feeds the security testing process through:
- Risk-based security test identification
- Risk-based security test selection & prioritisation
7 Optimizing security risk assessment
Security risk assessment steps: establishing context, risk identification, risk analysis, risk evaluation, risk treatment.
Security testing feeds the security risk assessment through:
- Test-based risk identification (identifying new risk factors)
- Test-based reassessment of risk values (e.g. probabilities)
8 Risk-based security testing goals: providing arguments by experiments
(Diagram: risk assessment, test planning & test design, test execution, test reporting.)
- Provide arguments for the absence of potential vulnerabilities.
- Provide arguments for the functional correctness of treatment scenarios and countermeasures.
- Discover unknown risk factors (i.e. vulnerabilities).
- Provide feedback for reassessing risk values.
9 SECURITY RISK ANALYSIS WITH CORAS
10 Model-based security risk assessment: the CORAS approach
- Developed by the Scandinavian research organisation SINTEF
- CORAS consists of: a method for risk analysis, a language for risk modeling, a tool for editing diagrams
- Model-driven
Source:
11 Model-based security risk assessment: the CORAS approach
CORAS model elements: threat (agent), threat scenario, vulnerability, unwanted incident, likelihood, consequence, asset, treatment scenario.
Source:
12 Risk evaluation
- Risk = rv(Likelihood, Consequence)
- Example likelihood value from the diagram: P(X) = 0.055
13 Model-based security risk assessment: CORAS example (HBGary hack)
(Diagram only.)
14 TEST PATTERN AND PRIORITY
15 Risk-based security testing
- Qualitative approach: risk-based test identification. What should be tested? Starting point: vulnerabilities, threat scenarios, treatment scenarios.
- Quantitative approach: risk-based test selection & prioritisation. How much / how intensively should be tested? Starting point: test objective specification, test scenario specification, likelihood and consequence values.
16 Risk-based security test identification: security test pattern
A security test pattern consists of:
- Mandatory attributes, i.e. id and name
- Parameters for test assessment
- Descriptions and procedures for manual testing
- Parameters for automated testing (stimulation and observation)
17 Risk-based security test identification: decomposing the overall scenario
- TP: Detection of vulnerability to data structure attacks
- Stimulus: do different kinds of SQL injections
- Observation: access to the database possible
18 Security test prioritization: calculating the overall risk contribution of items
- TP: Detection of vulnerability to data structure attacks
- TP: Software configuration and update checks: high
- TP: Cryptographic strength tests with rainbow tables: low
19 Security test prioritization: calculating the overall risk contribution of items
Risk is the potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization (source: ISO 27000). Testing aims to find an argument for the absence of potential vulnerabilities.
- Calculate and rate the risks (probability of unwanted incidents * consequence).
- Identify the vulnerabilities with the highest impact on the most critical risks.
Additional issues to be considered:
- Impact of the vulnerability on the success probability of the threat scenario
- Effort needed to sufficiently test for a vulnerability
- Quality of tests and test coverage
Example: TP: Detection of vulnerability to data structure attacks
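The prioritization steps of slides 12, 18 and 19 (rate risks as likelihood * consequence, attribute them to vulnerabilities, rank test patterns by covered risk while weighing test effort and test quality) worked through in Python. This is an added example, not code from the slides or the RASEN project; the sample risk model, the ordinal consequence scale, the share weights and the scoring formula (covered risk * coverage / effort) are all constructed assumptions.

```python
"""Risk-based prioritization of security test patterns over a CORAS-style model.

Added example; not code from the slides or the RASEN project. Steps, as on the
slides: rate each unwanted incident (likelihood * consequence), attribute that
risk to the vulnerabilities that enable it, then rank test patterns (TPs) by the
risk they cover, adjusted for test effort and test quality/coverage. The model
data, the weights and the scoring formula are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal consequence scale; a real assessment uses the organisation's own.
CONSEQUENCE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class UnwantedIncident:
    name: str
    likelihood: float   # probability of the incident, e.g. P(X) = 0.055
    consequence: str    # key into CONSEQUENCE


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    incident: str       # unwanted incident this scenario leads to
    # vulnerability -> share of the scenario's success probability it accounts
    # for (assumed to sum to 1.0 over the scenario)
    vulnerabilities: dict


@dataclass(frozen=True)
class TestPattern:
    name: str
    covers: tuple       # vulnerabilities this TP detects
    effort: float       # relative effort needed to test sufficiently (> 0)
    coverage: float     # expected test quality / coverage, in [0, 1]


def risk_value(incident):
    """Risk = Likelihood * Consequence on the assumed ordinal scale."""
    return incident.likelihood * CONSEQUENCE[incident.consequence]


def vulnerability_risk_contribution(incidents, scenarios):
    """Incident risk, weighted by each vulnerability's share, summed per vulnerability."""
    by_name = {i.name: i for i in incidents}
    contribution = {}
    for ts in scenarios:
        if abs(sum(ts.vulnerabilities.values()) - 1.0) > 1e-9:
            raise ValueError(f"shares in '{ts.name}' must sum to 1.0")
        rv = risk_value(by_name[ts.incident])
        for vuln, share in ts.vulnerabilities.items():
            contribution[vuln] = contribution.get(vuln, 0.0) + rv * share
    return contribution


def rank_vulnerabilities(contribution):
    """Vulnerabilities with the highest impact on the most critical risks first."""
    return sorted(contribution.items(), key=lambda kv: kv[1], reverse=True)


def prioritize_test_patterns(patterns, contribution):
    """(name, covered_risk, score) per TP, score = covered * coverage / effort."""
    scored = []
    for tp in patterns:
        covered = sum(contribution.get(v, 0.0) for v in tp.covers)
        scored.append((tp.name, covered, covered * tp.coverage / tp.effort))
    return sorted(scored, key=lambda s: s[2], reverse=True)


# Constructed sample model (not the slides' HBGary diagram).
INCIDENTS = [
    UnwantedIncident("Customer database disclosed", 0.055, "critical"),
    UnwantedIncident("Admin account taken over", 0.10, "high"),
    UnwantedIncident("Web server defaced", 0.20, "low"),
]
SCENARIOS = [
    ThreatScenario("Data extracted through injection", "Customer database disclosed",
                   {"SQL injection in login form": 0.8, "Outdated web framework": 0.2}),
    ThreatScenario("Leaked password hashes cracked", "Admin account taken over",
                   {"Unsalted password hashes": 0.7, "SQL injection in login form": 0.3}),
    ThreatScenario("Known framework bug exploited", "Web server defaced",
                   {"Outdated web framework": 1.0}),
]
PATTERNS = [
    TestPattern("Detection of vulnerability to data structure attacks",
                ("SQL injection in login form",), effort=3.0, coverage=0.9),
    TestPattern("Software configuration and update checks",
                ("Outdated web framework",), effort=1.0, coverage=0.8),
    TestPattern("Cryptographic strength tests with rainbow tables",
                ("Unsalted password hashes",), effort=4.0, coverage=0.6),
]

if __name__ == "__main__":
    contrib = vulnerability_risk_contribution(INCIDENTS, SCENARIOS)
    for vuln, value in rank_vulnerabilities(contrib):
        print(f"{value:.3f}  {vuln}")
    for name, covered, score in prioritize_test_patterns(PATTERNS, contrib):
        print(f"{score:.4f}  (covers {covered:.3f} risk)  {name}")
```

With these constructed numbers the SQL injection vulnerability carries the most risk, yet the configuration checks rank first as a test pattern because they cover nearly as much risk at a third of the effort; this is the effort and coverage adjustment slide 19 asks for.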
20 Contact
Fraunhofer Institute for Open Communication Systems FOKUS
Kaiserin-Augusta-Allee, Berlin, Germany
Tel. +49 (30) / Fax +49 (30)
Innovation Center for Cost-Effective Systems Quality
- Prof. Dr.-Ing. Ina Schieferdecker, Tel. +49 (30)
- Jürgen Großmann, Tel. +49 (30)