Business Process Analysis

00:00

Hello and welcome to another penetration. Testing, execution Standard discussion. Today we're looking at the other side of the coin business process analysis. We just recently looked at business asset analysis,

00:12

and so we're going to jump into looking at business assets and time in the particular process pieces to give us an overall picture

00:20

of how the organization works and critical processes within that, so is a quick disclaimer. Pee Test videos do cover tools and techniques that could be used for system hacking. Any tools discussed or used during our demonstrations should be researched and understood by the user.

00:37

Please research your laws and regulations within your given area to ensure that the use of these tools or techniques

00:43

it does not land you in any trouble with the law. So let's go ahead and look at our objectives for today's particular discussion.

00:52

So we're going to look at what is business process analysis defining that and discussing it. We're going to look at and discuss technical infrastructure, supporting processes, information, asset supporting processes, human assets, supporting processes and third party integration and or usage of by process. So,

01:11

essentially, how does 1/3 party plug into our overall business and the

01:15

core processes that we need to function and operate.

01:19

So let's jump to our first slide on business process analysis and what that is. So in the business process analysis, we differentiate between critical business processes and non critical process is so for each category, the analysis is the same and consider the same elements. The main difference in is, as in waiting

01:40

the threat

01:41

from a critical business process or against a critical business process that is a sign with, as

01:48

opposed to a non critical one. So in this case, critical processes could be considered paywall processes shipping process sauce making process if you've got a secret sauce that you're making invoicing process, and the reason for that is

02:01

is if we can't invoice, we can't,

02:05

you know, get paid. If we can't get paid,

02:07

we can't do payroll. If payroll doesn't function, we can't pay people. We can't pay people. We can't make sauce if we can't make sauce, we can't do invoicing and do payroll. And if we can't make you know if we can't ship, we can't ship the sauce. We can't do the invoice and you can see where that would get convoluted and complicated.

02:24

And so one of my recommendations

02:28

as you look at the system

02:30

are you identifying asset? Let's just say it's asset A

02:32

and you're working on these different areas and identifying how they connect to system a map out. You know, there's payroll and invoicing tied to system A. And as you continue to look at these different areas within business process analysis, technical infrastructure, et cetera,

02:52

build you kind of a Web, or if you've got a tool that you use multi go.

02:55

You could just use that to kind of lay everything out our physio or there's open source components to that as well.

03:02

However, you want to map things out and lay things out for easy reference, I would definitely do so. Don't try to memorize everything and keep everything in your mind

03:12

now. Technical infrastructure supporting process. So when we're looking at that,

03:17

they're supported by infrastructure. Usually, business processes are and so this is things like computers, networks, processing, power PCs. Whatever the case may be, there's something that's tied into a critical business process. Somewhere. All of those elements have to be identified and map,

03:36

and that mapping should be clear

03:38

to be used later in the process when translating the threat model to the vulnerability, mapping and exploitation etcetera. So

03:45

when we're looking at per se payroll processing, we say that Workstation A, B and C provide payroll processing and server X Y Z is the primary payroll server.

03:58

So when we start to look a vulnerability analysis and exploitation routes and we're doing our overall threat modeling and we're scoring this particular system

04:08

or these systems, their level of criticality is elevated because they're tied to a particular process. That is, is that you know, if it were impacted or not available, it could impact the organization in a huge manner. And so we take all those things into account when we look at technical

04:28

infrastructure

04:30

now, information assets, unlike technical infrastructure information assets, are existing knowledge bases in the organization that are used to either reference or support critical business processes. And so such assets are usually identified in the business process already

04:47

and should be mapped alongside technical infrastructure

04:51

within your threat modeling exercise.

04:56

Now, human assets are essentially the people that make up the critical business processes, and so

05:05

when we're looking at any individuals within the organization kind of sticking with the payroll process. We need the payroll specialist

05:16

to make sure that the payroll process works

05:19

Okay, so if we don't have another resource trained

05:23

in the organization, cross trained or whatever the case may be to process payroll once a week once every other week, once a month. Whatever the case may be,

05:32

then that human element is critical

05:36

to the payroll process. And if that human element were impacted in some manner, then it could adversely affect the payroll process. So we have to note that

05:46

now,

05:47

third party integrations or tools like human assets supporting the process there could be third party involvement with the business process as well. And so it could be tricky to map out. But we should have both the human element, the technical element, the knowledge element

06:05

and then the cloud element, essentially, in this case

06:10

for this. So let's say that the system the work station we identified A is critical.

06:16

We've got

06:17

knowledge, information or documentation that's critical.

06:21

We've got the human element

06:25

that's critical, and then all of this information in the business

06:30

ties up to

06:31

a cloud based system or sad solution

06:35

that then allows payroll, toe happen and process.

06:40

So all of that is taken into consideration when we do our threat modeling, and we're mapping out risks to the organization and looking for potential attack vectors for things that are in scope with respect to critical systems.

06:53

So let's do a quick check on Lori.

06:56

Which of the following

06:58

is technical infrastructure

07:00

With respect to our, you know, when we're mapping out a process or something of that nature? Which of the following is considered technical infrastructure?

07:09

All right, well, if you need more time, please pause the video and take a moment to look. So the payroll specialist is a human asset and is not considered technical infrastructure. The says provider is considered third party,

07:26

so a workstation used for payroll could be considered technical infrastructure in an over all process or when we're evaluating technical infrastructure. That work station is considered a part of that. Members could be network

07:41

components. It could be the network itself. It could be processing power. It could be a state of workstation and server

07:46

that all falls into technical infrastructure. Within this business process. Analysis

07:53

now in summary, we discussed what business process analysis is. We look at some different areas such as technical infrastructure, information assets, human assets and third party integration or tools all coming together to support

08:11

business processes. And so each of these areas has to be considered when we're mapping out business processes. And when we're putting those processes against business assets

08:22

to build our overall threat model threat map or do a risk assessment, whatever the case may be there.