Category Archives: Risk Management

MSI Launches New Threat Modeling Offering & Process

Posted on by
Reply

Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.

Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.

Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!

Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.

Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!

We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:

Threat Modeling Slides

Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.

New MSI Tool for Analyzing Your Security Program

Posted on by
Reply

MSI is proud to release a new tool to help security managers analyze the overall balance, maturity and capability of their security program. The new tool is a simple matrix based around quantifying the amount of controls, efforts and processes you are employing.

Using the tool as brainstorming aid is also possible. Security engineers have told us that the process works for them to analyze particular applications and other security undertakings. Simply build out the matrix on paper or in your chosen office product and it should help you clarify where your security initiative stands.

Effective, mature security programs should be well rounded in the matrix and should be well balanced between all of the cells. They also tend to balance out between strategic and tactical approaches.

Feel free to give us feedback on this project and let us know if we can answer any questions you may have.

You can obtain the relevant file here.

SecurityProgramAnalysis.pdf

It is licensed under Creative Commons. Check out the PDF for details.

Hardware Hacking Gets All Too Real

Posted on by
Reply

Hardware and wireless hacking have combined in a pretty scary way. This article talks about security researchers that have found ways to monitor, attack and exploit the most popular of pacemakers used today. According to the article, the attackers were able to gain remote access to the data and control system of the device. Once they tapped into it, they were able to siphon off health-related information and even cause the pacemaker to apply voltage or shutdown – essentially killing the human host of the device.

flatline.jpeg

It really doesn’t get more scary than that. While the odds of such an attack occurring in real life against a specific person are very slim, it is simply another side effect of the integration of technology into our daily lives. As I have written about many times before, the integration of technology into so many aspects of our lives is a powerful thing. On one hand, it frees us up to do other work, makes our lives easier, more healthy, perhaps even longer than life would have been otherwise. However, many vendors simply fail to realize the implications of the risks that are inherent in their products. They fail to comprehend the basic methodologies of attackers and certainly fail to grasp how the combination of technologies in many of their products can create new forms of risk for the consumer.

I am quite sure that the company who created the pacemaker was truly interested in advancing the art of healthcare and extending the human life. They simply wanted to make things better and saw how adding remote management and monitoring to their device would allow patients to be diagnosed and the device operation modified without the need for surgery. That is quite an honorable thing and is sure to make patients lives easier and even reduce the rate of death since patients would no longer undergo the stressful and dangerous operations that used to be needed to make changes to the implanted pacemakers. These are very noble ideas indeed.

Unfortunately, the creators of the heart system were so focused on saving lives and so focused on medical technology, that they seem to have missed the idea of securing their pacemaker against improper access. This is certainly understandable, given that they are a medical company and not an IT firm, where such risks have been more public in their discussion. The problem is, in many cases today, there is essentially no difference between IT and other industries, since many of the same technologies are present in both.

Again, there is little to truly be immediately concerned about here. While the attack is possible, it does require technical knowledge and the vendors will undoubtably work on improving the product. However, upgrading existing users is unlikely. But, unless you happen to be a high profile target, you are obviously much safer with the device than without it. The big lesson here and the one I hope vendors, consumers and the public are learning is that we must add risk management and security testing processes to any device with a critical role, regardless of industry. Today, there are simply too many technologies that can impact our daily lives to continue to ignore their risks.