Are You Performing Threat Analysis Activities? You should be!

An organization without a structured, well-defined, and understood approach to conducting a threat analysis is potentially wasting time and money and potentially operating with more risk than necessary. First, it’s important to level-set on the definition of a threat. While there are a few sources that provide definitions [1, 2, 3], they all converge on the same idea – a threat is a circumstance or event that has the potential for negative impact to the system or organization. Conducting a threat analysis is often conflated with a risk analysis – they are not the same things. Performing a threat analysis early in any

Single Points of Failure and Defense in Depth

What do airplanes and the New York Stock Exchange have in common? Redundancy! During one of my first lessons to get my pilot’s license, I remember, as part of the pre-takeoff activities, checking the magnetos to ensure they were working. The magneto exists to ensure the engine keeps running in case of an electrical system failure. Moreover, in virtually all piston-engine airplanes, there are actually two magnetos to further protect against engine outages. Needless to say, this is a great idea! As for the New York Stock Exchange (NYSE), it’s important, as you might imagine, to have multiple redundant systems

Comprehensive Attack Surface Analysis

The attack surface for an organization includes anything that an adversary can leverage to conduct an attack against you or your organization. Understanding this surface is critically important to being able to proactively protect yourself from cyber-attacks. Still, this activity is not conducted often, or at least not conducted in a comprehensive and holistic manner. What exactly does it mean to conduct an attack surface analysis? OWASP states that an “attack surface analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities.” While OWASP is focused on web applications, this is

Beyond Traditional Security Assessments

Security assessments these days predominantly involve a combination of scanners such as Nmap or Nessus followed up with some manual testing using tools such as Burp Suite or Metasploit. These assessments are set up for quick turnaround, and thus it’s often not possible to spend significant amounts of time understanding the target device, application, or network. Herein lies the problem. While this approach provides quick assurance against vulnerabilities that are “low-hanging fruit,” the reality is that these assessments provide a false sense of security. Many security assessments, frequently launched under the banner of a “penetration test” regardless of level of rigor