Estimates

We provide Estimates for:
 

Security Systems
Wired & Wireless Network Systems

Telecommunications Providers

Structured Cabling

CATV / GO-95 Compliance / System Design

Commercial Telephony Systems

Audio / Video & Teleconferencing

All Major Low Voltage Construction Projects

Call 1 800 980 2323 ext 212 for all communications, network, audio, video and security project estimates


Pratt Security Systems Estimates are based on the following:

Perform security analysis of system requirements and design (threat modeling)


Overview

Purpose:

  • Assess likely security risks in a timely and cost-effective manner by analyzing the requirements and design.
  • Identify and document high-level security threats.
  • Identify inadequate or improper security requirements.
  • Assess the security impact of non-security requirements.

Develop an understanding of the required system

Before performing a security analysis, one must understand what is to be built. This task should involve reviewing all existing information on the proposed site. If other documentation and architectural documentation exists, we review that material as well.

Review non-security requirements
For requirements that are not explicitly aimed at security, determine whether there are any security implications that are not properly addressed in the security requirements. This is best done by tracing resources that are relevant to a requirement through a data-flow diagram of the system and assessing the impact on each security component.
When there are security implications, identify the affected resource(s) and security component(s), and look to see if there is a requirement explicitly addressing the issue.


Assess completeness of security requirements

Ensure that each resource (or, preferably, capability) has adequate requirements addressing each security component. A best practice here is to create a correlation matrix, where requirements are on one axis and security component on capabilities (or resources) are on another axis. The matrix should also denote completeness of requirements, particularly whether the security component is adequately addressed. As threats are identified in the system that are not addressed in the requirements by compensating controls, this documents what gaps there are in the requirements.
 

Identify threats on assets/capabilities  

Iterate through the assets and/or capabilities. For each security service on each capability, identify all potential security threats on the capability, documenting each threat uniquely in the threat model.
In an ideal world, one would identify all possible security threats under the assumption of no compensating controls. The purpose is to demonstrate which threats were considered, and which controls mitigate those threats.  
Identifying security threats is a structured activity that requires some creativity since many systems have unique requirements that introduce unique threats. One looks at each security component and ask: "If I were a violator, how could I possibly try to exploit this security system?". Any answer constitutes a threat.
Many threats are obvious from the security service. For example, confidentiality implemented using encryption has several well-known threats - e.g., breaking the cipher, stealing keying material, or leveraging a protocol fault.  
This question of how to subvert security systems on a resource needs to be addressed through the lifetime of the resource, from data creation to long-term storage. Assess the question at each trust boundary, at the input points to the program, and at data storage points.

Determine level of risk

Use threat trees to model the decision-making process of a violator. Look particularly for ways that multiple conditions can be used together to create additional threats.
This is best done by using violator trees. Violator trees should represent all known risks against a resource (which is the root of the tree), the relationships between multiple risks (particularly, can risks be combined to result in a bigger risk), and then should characterize the likelihood of risk and the impact of risk on the business to make decisions possible.

Risk assessment can be done using a standard risk formula for expected cost analysis:

  • Identify all possible security vulnerabilities from the start.
  • Recommend hardware / software solutions.
  • Train existing personnel for product use.
  • Implement strategies to keep ahead of potential threats.

For free security analysis call:  1800 980 2323 ext. 212

Website by LM Designing Home | Services | Estimates | Company