STRIDE
A threat modeling methodology developed by Microsoft that classifies security threats into six categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service (DoS)
- Elevation of privilege
Process for Attack Simulation and Threat Analysis
PASTA is a risk-centric methodology. Once the threat modeling process is complete, PASTA delivers a detailed analysis of the identified threats. The following figure lists the seven steps of the PASTA methodology:
Trike
An open source threat modeling methodology and tool. Threat models are built from a “requirements model”, from which a threat model is derived; threats are then enumerated and assigned risk values.
Visual, Agile, and Simple Threat (VAST)
There are two types of threat models:
- Application threat models
- Operational threat models
This methodology is particularly useful for organizations that need to produce threat models at scale, in the thousands.
Its pillars, a scalable process, automation, integration, and collaboration, are foundational to VAST.
Minimum Security Requirements
Before accessing services from, entering into an agreement with, or initiating any process with a third party, the organization must evaluate that third party thoroughly. The three main requirements are:
- The third-party assessor must be certified in Information Security Management Systems (in accordance with ISO/IEC 27001:2005).
- Third parties should be willing to comply with the organization’s security policies & procedures.
- Third parties should have certified personnel in information security areas.
The key components of a Third-Party Risk Management (TPRM) framework are:
- Planning & processes definition
- Segmentation & Screening
- Security & Permissions
- Risk Mitigation
- Continuous Monitoring
- Reports & Dashboard
- Centralized Repository
- Alert & Notification
Security Awareness, Education & Training
Security awareness is often an overlooked element of an information security program, which is why users can become its weakest link.
The three main components of a good security awareness program are:
- A general awareness program
- Formal training
- An education program
General Awareness Program
Awareness programs may include the following elements:
- Indoctrination and orientation: At this stage, employees and contractors are formally informed about the organization’s security policies, must read and sign the agreement on non-disclosure of information, and must finally attend a briefing with employees of the Security and IT Team.
- Presentations: Lectures, video presentations, and interactive Computer-Based Training (CBTs).
- Printed materials: Security posters, corporate newsletters, and periodic bulletins.
Formal training programs may include:
- Classroom training: Instructor-led.
- On-the-job training: Usually one-on-one mentoring with a peer or immediate supervisor.
- Technical or vendor training: Training on a specific product or technology provided by a third party.
- Apprenticeship or qualification programs: Formal probationary status or qualification standards.
An education program may include:
- Continuing education requirements: Continuing Education Units (CEUs) are becoming popular for maintaining high-level technical or professional certifications such as the CISSP.
- Formal education or degree requirements: Many companies offer tuition assistance or scholarships.
- Certificate programs: Many colleges and universities offer adult education programs that have classes about current and relevant subjects for working professionals.