Threat Modeling the Enterprise
Authors
Abstract
Current threat modeling methodologies and tools are biased toward systems under development. Organizations whose IT portfolio is made up of a large number of legacy systems that run on fundamentally different and incongruous platforms, with little or no documentation, are left with few options. Rational, objective analysis of threats to assets and exploitable vulnerabilities requires the portfolio to be represented in a consistent and understandable way, based on a systematic, prescriptive, collaborative process that is usable but not burdensome. This paper describes a way to represent an IT portfolio from a security perspective using UML deployment diagrams and, subsequently, a process for threat modeling within that portfolio. To accomplish this, the UML deployment diagram was extended, a template created, and a process defined.
Similar resources
TDDC03 Projects, Spring 2006 A Comparison of Attack Trees Threat Modeling and OCTAVE
Avoidance and discovery of security vulnerabilities in information systems and managing enterprises requires awareness of typical risks and a good understanding of vulnerabilities and threats and their exploitations. Various methods for characterizing, identifying and managing threats have been presented. Bruce Schneier has invented the Attack Trees, Microsoft call their method Threat Modeling ...
A Formal Methodology for Modeling Threats to Enterprise Assets
Enterprises usually execute business processes with the help of Information Technology (IT) services which, in turn, are realized by IT assets. Enterprise IT assets contain vulnerabilities that can be exploited by threats to cause harm to business processes and breach security of information assets. Hence, detection of threats is crucial for ensuring business continuity and protection of enterp...
Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments
As healthcare data are pushed online, consumers have raised big concerns on the breach of their personal information. Law and regulations have placed businesses and organizations under obligations to take actions to prevent data breach. Among various threats, insider threats have been identified as a major threat on data loss. Thus, effective mechanisms to control insider threats on data loss a...
Value-driven Security Agreements in Extended Enterprises
Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing; all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging ...
Threat Modeling the Cloud Computing, Mobile Device Toting, Consumerized Enterprise - an overview of considerations
A megatrend triad comprised of cloud computing, converged mobile devices, and consumerization presents complex challenges to organizations trying to identify, assess, and mitigate risk. Cloud computing offers elastic just-in-time services without infrastructure overhead. However, visibility and control are compromised. Converged mobile devices offer integrated computing power and connectivity. ...
Publication date: 2008