Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Tuesday, August 6, 2013

Threat Modeling and Security Assessments



Over the last several months, in creating a threat evaluation model / process and performing a security evaluation, I have come to several conclusions.

In creating a threat model, you must create a process that is repeatable, yet flexible enough to meet different situations. For example, evaluating threats and vulnerabilities against an operating system, such as which patches are missing and what risk they bring to the current environment, is different from evaluating a process for password management. The threat model has to have enough flexibility that both cases can use the same process.

The security evaluation of another company’s enterprise is more difficult than evaluating your own. In my enterprise I know how management sees risks in certain areas, and I can gauge what the remediation effort will be based on the experience of working in my enterprise. However, when evaluating another enterprise, it is more difficult to know everything that may affect the risk score and remediation efforts.

Overall, the exercise was very good and a good bit of knowledge was gained.

Until next time…
~Skeeter