The CISO Evolution: Business Knowledge for Cybersecurity Executives by Matthew K. Sharp & Kyriakos P. Lambros


Author: Matthew K. Sharp & Kyriakos P. Lambros [Sharp, Matthew K. & Lambros, Kyriakos P.]
Language: eng
Format: epub
ISBN: 9781119782490
Publisher: Wiley
Published: 2022-01-10T00:00:00+00:00


An example STRIDE threat model can be found at https://www.logicworks.com/blog/2020/02/security-risks-in-public-cloud/. However, no matter which method you use, it is vital to consider the threats you identify in the context of the threat actors behind them (e.g., script kiddies versus nation-states) and the impact that would result from their actions.

IDENTIFYING POTENTIAL ATTACK SCENARIOS

Now that we understand how to identify threats, we need to determine how they can exploit our environment's weaknesses. Again, a threat cannot become a risk unless there is a weakness that the threat can exploit. That is where our traditional understanding of vulnerabilities comes in. As we mentioned earlier, vulnerabilities may exist in areas such as business continuity, training, utilities, supply chain, and physical access, so it is essential to understand vulnerabilities across more than just the traditional Common Vulnerabilities and Exposures (CVEs) that an automated scanner can identify. On the flip side, a vulnerability is not a risk unless a threat is willing to exploit it.

Here is another example of why understanding business context is essential. Attack scenarios will differ with the type and size of your organization. A Fintech startup will face vastly different attack scenarios than a nuclear power plant. Take the time to identify the attack scenarios that attackers are most likely to use against your environment.

You can use many methods to identify attack scenarios for your organization, but our preferred method is to look directly at the organization itself. No data is more relevant than looking at yourself in the mirror. The three primary approaches for doing so are penetration testing, red teaming, and threat hunting. No matter which method you use, the MITRE ATT&CK™ framework (https://attack.mitre.org) is a great resource for identifying attack scenarios across many environments, including on-premises enterprise, cloud, and industrial control systems. Figure 7.1 highlights the similarities and differences among the three approaches.

A penetration test (pentest) “is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.”[7] A penetration test aims to find and exploit as many vulnerabilities as possible that could lead to a compromise. Of the three approaches we describe, this is more of a “spray and pray” approach than a targeted one. Pentests typically focus only on compromising a vulnerable application or service to gain access to the network. A goal is usually defined, but the pentest team is generally not concerned with remaining hidden. This approach is akin to a burglar testing all of the windows and doors of a home in broad daylight. The organization's security operations team may or may not know the pentest is occurring, so security defenses and controls can be tested, to an extent.
