Over the last several months, in creating a threat evaluation model / process and performing a security evaluation, I have come to several conclusions.
In creating a threat model, you must create a process that is repeatable, yet has some flexibility in it to meet different situations. For example, evaluating threats and vulnerabilities against an operating system, such as which patches are missing and what risk they bring to the current environment, is different from evaluating a process for password management. The threat model has to have some flexibility to ensure both cases are able to use the process.
The security evaluation of another company's enterprise is more difficult than evaluating your own. In my enterprise I know how management sees risks in certain areas, and I can gauge what the remediation effort will be based on the experience of working in my enterprise. However, when evaluating another enterprise, it is more difficult to know everything that may affect the risk score and remediation efforts.
Overall, the exercise was very good and a good bit of knowledge was gained.
Until next time…
~Skeeter