SCKIPT Guide
SCKIPT is an initiative created by Sergio Albea, focused on detecting user behaviours which can put the security of our systems at risk. Nowadays there are multiple scenarios where security relies on how users interact with the systems they manage. SCKIPT is oriented to list and provide possible measures to respond to the mentioned threats in scenarios where most of the possible user activities are not blocked or limited. This model is not focused on the perspective of possible attacks by bad actors (for which multiple initiatives and models already exist); it is focused on threats arising from possible actions by our own users.
Security awareness is a mandatory requirement to decrease the possible threats related to user behaviours, but it will never remove the risk. SCKIPT is oriented to list and provide possible measures to respond to the mentioned threats, and it can be defined as:
S – Source – Types of services/objects/systems with which the user can interact (ex. Email)
C – Case Scenario – Types of behaviour cases by the users with the listed Source (ex. Open Email, Send Emails, Create Mailbox Rules)
KI – Known Interaction – Known interaction with the mentioned Case Scenarios (ex. Open attachments, Send data, Forward Rules)
P – Possible Protection – How to protect against the mentioned Known Interactions (ex. Block risky file extensions, deny mailbox forwarding rules)
T – Threat – Threat associated with the reported Known Interactions (Files infected, Sensitive data shared, etc.)
Every case is classified by a source (Email, Identities, Devices, Token, Password, and others), marked as UB (User Behaviour), and is then classified by the different sub-objects:
UB – User Behaviour
C – Case (Scenario)
K – Known Interaction
P – Protection
T – Threat
You can identify the different types of Source on the left of the table to review the corresponding SCKIPT case. If you have a Protection in place for one of the possible KI (Known Interactions), it means that you can skip the corresponding Threats. For instance, the next example represents a company that restricts Auto-Reply messages to internal recipients only, so the Threat related to sending Auto-Reply messages externally would not apply:
SCKIPT User Behaviour Matrix

Source | Case Scenario | Known Interactions | Protection | Threats
---|---|---|---|---
UB1. Email | UB1.C4 – Auto-Reply Messages | UB1.C4.K1 – Enable Auto-Reply Messages Externally | UB1.C4.K1.P1 – Restrict Internal-Only Auto-Replies; Monitor Auto-Replies | 
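As an added example, not part of the SCKIPT project itself, the matrix above can be held as data and the rule "a Protection in place for a Known Interaction skips its Threats" applied mechanically; the identifier grammar follows the UB/C/K/P/T scheme above, while the second row and the threat descriptions are constructed here, since the page only shows the first row:

```python
import re

# SCKIPT identifier grammar as used on this page: UB<n>.C<n>.K<n>[.P<n>|.T<n>]
_ID = re.compile(r"^UB(\d+)\.C(\d+)\.K(\d+)(?:\.(P|T)(\d+))?$")

def parse_id(sckipt_id: str) -> dict:
    """Split 'UB1.C4.K1.P1' into its levels; raises ValueError on malformed ids."""
    m = _ID.match(sckipt_id)
    if not m:
        raise ValueError(f"not a SCKIPT identifier: {sckipt_id!r}")
    src, case, ki, kind, num = m.groups()
    return {"source": int(src), "case": int(case), "ki": int(ki),
            "kind": kind, "num": int(num) if num else None}

def ki_of(sckipt_id: str) -> str:
    """Known-Interaction prefix of a P or T id, e.g. 'UB1.C4.K1.P1' -> 'UB1.C4.K1'."""
    p = parse_id(sckipt_id)
    return f"UB{p['source']}.C{p['case']}.K{p['ki']}"

# Constructed sample matrix: row 1 is the page's own example; row 2 is made up
# from the page's email examples (forwarding rules / sensitive data shared).
MATRIX = {
    "UB1.C4.K1": {"ki": "Enable auto-reply messages externally",
                  "protections": {"UB1.C4.K1.P1": "Restrict internal-only auto-replies"},
                  "threats": {"UB1.C4.K1.T1": "Auto-reply sent externally (constructed)"}},
    "UB1.C2.K1": {"ki": "Create mailbox forwarding rules (constructed)",
                  "protections": {"UB1.C2.K1.P1": "Deny mailbox forwarding rules"},
                  "threats": {"UB1.C2.K1.T1": "Sensitive data shared"}},
}

def validate(matrix: dict) -> None:
    """Integrity check: every P/T id must sit under the KI row it is listed with."""
    for ki_id, row in matrix.items():
        for pid in list(row["protections"]) + list(row["threats"]):
            if parse_id(pid)["kind"] is None or ki_of(pid) != ki_id:
                raise ValueError(f"{pid} is not filed under {ki_id}")

def residual_threats(matrix: dict, implemented: set) -> dict:
    """Threats that still apply: those whose KI has no implemented Protection."""
    validate(matrix)
    residual = {}
    for ki_id, row in matrix.items():
        if not (set(row["protections"]) & implemented):
            residual.update(row["threats"])
    return residual

if __name__ == "__main__":
    # The page's scenario: only the auto-reply restriction is in place.
    print(residual_threats(MATRIX, {"UB1.C4.K1.P1"}))
```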