CISSP: Domain 1 - Security and Risk Management - Module 4
Understand and Apply Threat Modelling

This course is the final module of Domain 1 of the CISSP, covering security and risk management. It covers the identification of threats, diagramming potential attacks, performing reduction analysis, and the technologies and processes used to remediate those threats.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Threat modeling and how to apply threat models within your environment
  • How to integrate security risk considerations into acquisitions strategy and practice
  • How to establish and manage security education, training, and awareness within your organization

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to Cloud Academy's presentation of the CISSP Review Seminar. This starts section 10 of domain one, where we're going to discuss understanding and applying threat modeling. 

In this module, we're going to explore these subjects: Identification of Threats, Diagramming Potential Attacks, Performing Reduction Analysis, and then examining Technologies and Processes to Remediate the Threats. One source of threat that we all know is very, very common is the human source. 

The scenario that we have before us is this: we create a position, with that we create a job description for the proper person who will occupy that position, and then we publicize it through various means: social media, newspapers, online, and so on. People will respond and supply us with resumes and professional bios, and we're going to examine all of the content that we've been given. From our perspective, we are simply looking for the very best match to what we believe we need for the given position. Through this, we're going to ask people to supply us with a great deal of information about themselves, and we're going to seek independent verification of their identity, their experience claims, and so on. We align them with the job description, which eliminates the potential for people to claim literally anything. We want to get contact references so that we can verify their claims of experience and skills. As we further and further refine the process, for those candidates that we feel are developing into high-probability candidates, we're going to do some additional screening. We might go through background investigations, a national name check through the FBI, credit history, or check their LinkedIn page or their social media pages, the public-facing ones at least. As we get closer and closer to making a final selection, we may use confidentiality agreements and other such measures. This is particularly important if the position that they're applying for is quite sensitive: then we want to go through the process even deeper to make sure that we verify their claims and their identity, so that we know exactly who we're getting and what they're able to do and have done. 

Looking at the kinds of attacks that can come from a human source, the most common are the ones that involve social engineering. So over the next few slides, we're going to examine social engineering attacks and their forms: pretexting, phishing, baiting, and tailgating, so that we understand how they're being done, what the progress of the attack is, what goal the attacker seeks, and the various methods the attacker uses to succeed in his effort. 

In general, social engineering involves the manipulation of one person by another. The attacker uses human interaction and various techniques to obtain or compromise information about an organization or its computer systems. This involves various forms of contact, discussion, and manipulation in order to reach the goal they intend, which for our purposes we're going to assume is some form of information within that company that the attacker can then exploit for financial gain. 

One form is the pretexting attack. In this, the attacker creates a scenario, which is the pretext, and then engages the victim by sending an e-mail, text message, or other form of contact that engages their interest in some way. It encourages them to perform actions that they might not otherwise take, because the scenario tempts them with what it suggests might be the reward at the other end, or with the apparent absence of harm, or it engages their trust so that the individual will indeed react and take the action that the attacker desires. Phishing is of course one form of this. 

Phishing is, as the name suggests, putting out some form of hook to get the person's interest and get them to click on a link, download a file, or take some other action that will result in some form of compromise, either of credentials or through a drive-by download, so that the attacker can then proceed to his next step. 

A baiting attack is one that has been experienced by many organizations. In these cases there is typically, as the name indicates, some form of bait that the individual is going to see and make use of in some way. For example, one well-known case involved USB drives already contaminated with some form of malware being spread throughout the parking lot, even to the point of being wrapped in the original shrink-wrap packaging, looking very much like they had dropped out of someone's briefcase, purse, or shopping bag, so that they had the physical look of being fresh, pristine, and harmless. This, of course, did not prove to be the case, because the person who thought they had found a USB stick unused by anyone probably thought to themselves, "Oh, this is really nice. I now have some free memory that I can use." Other cases involve some form of game program that has been downloaded and that again appears harmless, or even an add-on to the computer. In other words, something attractive that the individual picking up the USB stick or the DVD will then load on their computer out of curiosity to find what's on it. In all these cases, the device that they load appears innocent, harmless, or brand new to the individual and their computer. 

A tailgating attack is very much what the name indicates. Someone walks through a door, holding it as a gentleman would for a lady, and then another person walks through, and the individual thinks what? Nothing? Or the individual walking up looks like they belong there, and obviously, if they look like they belong there, they must belong there. This takes advantage of a situation where a number of people show up at a door that requires some form of combination or a card swipe for the first person to get in, who then, again acting as a gentleman, holds the door for his presumed co-workers to go in. One example: an individual shows up carrying boxes. The individual in front of them is someone that they have waited for, probably somewhere out of sight, and that individual keys the door and opens it. The person carrying the boxes then approaches, appearing to be under the weight of quite a burden, and when the individual holding the door offers help, the person carrying the boxes, seeking to tailgate, says, "No, no, I've got it. Just hold the door for me, please." And they walk in and set the boxes down, and they might even be wearing a lanyard or other sort of badge that is conveniently turned with its back showing instead of the face of the card. The person holding the door will automatically assume, oh well, it's just turned around because he's bringing in the boxes and it got twisted, if they notice anything at all. And so the tailgater walks down some hallway, mostly to get away from the individual who let them in, and then disappears to do whatever they intend to do. So with so many different attempts taking advantage of the better nature of human beings, we need to find proper, effective ways that stimulate not so much paranoia as caution and mindfulness of the situations that people could face. 

We want to establish a framework of trust on an individual employee or personal level through various means. We want to identify which data is sensitive to social engineering and breakdowns in systems security through which an attacker might exploit an individual and gain access to that. We want to establish proper security protocols, policies and procedures for handling this kind of information, employing various techniques that we've known for many years, dual control, two-man rule, split knowledge, and others. Without question, we must train our employees in these security protocols, especially those relevant to their position and then periodically measure them, interview them, to ensure that they maintain awareness of these things and practice them on a regular basis. 

We should of course employ a waste management service to make sure that anything that goes out the door, or out the back door towards the dumpster, is properly processed through a shredding service of some sort. It's a well-known fact that the famous hacker Kevin Mitnick learned most of what he used to exploit Verizon telephone systems from service manuals and technology manuals that had been disposed of, undamaged and undestroyed, in the company's dumpsters. So using a waste management service to shred paper waste is simply a prudent measure. And then, as with all of these programmatic steps, we want to review them periodically to make sure that we are achieving the results we desire and that the program is as effective as we require. Now, some NIST guides: as we began talking about NIST guides earlier, we will continue to speak of them throughout this course. 

Here we have a list of various guides that can help us, either technologically or in response to incidents, examine these threats and respond positively to them. Just a few examples: NIST Special Publication 800-40 of 2013, the "Guide to Enterprise Patch Management Technologies", can help us figure out the priorities and the process to ensure that patching is carried out in a safe and controlled manner. NIST SP 800-52 of 2014 covers the selection and use of TLS for secure transmission of data. Others include the "Computer Security Incident Handling Guide", SP 800-61 of 2012, the "Secure Domain Name Services Deployment Guide", SP 800-81 of 2013, and, beyond NIST, the OWASP "Open Web Application Security Project Developers Guide" of 2014. 

These guides contain a great deal of information that can help us in various aspects of building these frameworks, and the steps they outline, having been carefully vetted by NIST or by OWASP, can be effectively implemented so that our organization gets the benefit of these processes and a more secure environment.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.  During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.
