
Book Review: Threat Modeling: Designing For Security

samzenpus posted about 8 months ago | from the read-all-about-it dept.

Books 32

benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, the color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe: yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review. Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organization faces.

In the introduction, Shostack sums up his approach in four questions:
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?

The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets out a structure in which to model threats, be it in software, applications, systems or services such as cloud computing.

While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.

An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.
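To make the four questions concrete, here is an added example (not code from the review, the book or its author): a small Python skeleton that records what is being built as a data-flow diagram, enumerates what can go wrong per element, tracks what was done about each threat, and then checks whether the analysis is complete. STRIDE is used as the enumeration scheme (a scheme Shostack covers, though the review does not name it); the per-element applicability table, the boundary-crossing rule and the sample web application are assumptions of this example.

```python
"""Threat-model skeleton organised around the four questions
(what are you building / what can go wrong / what to do / was the analysis good).
Constructed example, not the book's code: a small web application modelled
as a data-flow diagram, with STRIDE as the threat enumeration scheme."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories to ask about per element type. This per-element
# heuristic is an assumption of the example, not something the review states.
APPLICABLE: Dict[str, str] = {
    "external": "SR",     # external entity (user, third-party service)
    "process": "STRIDE",  # running code
    "store": "TRID",      # files, databases, queues at rest
    "flow": "TID",        # data in transit
}


@dataclass
class Element:
    """One node or edge of the diagram (question 1: what are you building?)."""
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # a flow that crosses a trust boundary


@dataclass
class Threat:
    """One answer to question 2, plus its disposition for question 3."""
    element: str
    category: str                   # one STRIDE letter
    description: str
    mitigation: Optional[str] = None
    accepted: bool = False          # risk consciously accepted, no mitigation


@dataclass
class ThreatModel:
    elements: List[Element] = field(default_factory=list)
    threats: List[Threat] = field(default_factory=list)

    def candidates(self) -> Dict[str, Set[str]]:
        """Question 2: STRIDE categories to consider for each element. A flow
        across a trust boundary also gets Spoofing (example's own rule), since
        the receiver cannot trust the sender's claimed identity."""
        out: Dict[str, Set[str]] = {}
        for e in self.elements:
            cats = set(APPLICABLE[e.kind])
            if e.kind == "flow" and e.crosses_boundary:
                cats.add("S")
            out[e.name] = cats
        return out

    def unaddressed(self) -> List[Threat]:
        """Question 3: recorded threats that are neither mitigated nor accepted."""
        return [t for t in self.threats if t.mitigation is None and not t.accepted]

    def gaps(self) -> List[str]:
        """Question 4: findings that show the analysis is not yet complete."""
        findings: List[str] = []
        known = {e.name for e in self.elements}
        considered: Dict[str, Set[str]] = {}
        for t in self.threats:
            if t.element not in known:
                findings.append(f"threat refers to unknown element {t.element!r}")
            considered.setdefault(t.element, set()).add(t.category)
        for name, cats in self.candidates().items():
            missing = cats - considered.get(name, set())
            if missing:
                names = ", ".join(STRIDE[c] for c in sorted(missing))
                findings.append(f"{name}: no threat recorded for {names}")
        for t in self.unaddressed():
            findings.append(f"{t.element}/{STRIDE[t.category]}: neither mitigated nor accepted")
        return findings


def build_sample_model() -> ThreatModel:
    """Constructed sample: browser -> web app -> session store."""
    m = ThreatModel()
    m.elements = [
        Element("browser", "external"),
        Element("webapp", "process"),
        Element("sessions", "store"),
        Element("browser->webapp", "flow", crosses_boundary=True),
        Element("webapp->sessions", "flow"),
    ]
    m.threats = [
        Threat("browser->webapp", "I", "credentials readable on the wire", "TLS with HSTS"),
        Threat("browser->webapp", "T", "request body altered in transit", "TLS with HSTS"),
        Threat("browser->webapp", "S", "client claims another user's identity",
               "session cookie issued only after authentication"),
        Threat("browser->webapp", "D", "request flood exhausts workers"),  # not yet decided
        Threat("browser", "S", "attacker logs in with a stolen password", "multi-factor authentication"),
        Threat("browser", "R", "user denies having placed an order", "signed audit log of orders"),
        Threat("webapp", "E", "path traversal reads server config", "canonicalise paths, allow-list"),
        Threat("sessions", "I", "other services can read the session store", "dedicated DB role"),
    ]
    return m


if __name__ == "__main__":
    for line in build_sample_model().gaps():
        print(line)
```

Running the sample reports the process and store elements whose STRIDE categories were never considered, the internal flow with no threats at all, and the one denial-of-service threat that has neither a mitigation nor an explicit accepted-risk decision. Marking that threat `accepted=True` removes the last finding, which is the point of question 4: the model is only done when every candidate has been considered and every recorded threat has a disposition.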

The beauty of the book is that it focuses on gaining empirical data around threats for your organization, rather than simply taking an approach based on Gartner, USA Today or industry best practices.

While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.

For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.

Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.

Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats, and that is precisely the approach the book is attempting to dispel.

As noted, threat modeling is not overly complex. But even if it were indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and instead tailor their efforts to the threats they actually face.

For those that still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.

Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can deceive an organization into thinking it is protected. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.

Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.

There are only a handful of books on this topic and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve as to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.

Threat modeling provides compelling benefits in the ability to make better information security decisions, better focus on often limited resources, all while designing a model to protect against current and future threats.

For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.

Reviewed by Ben Rothke.

You can purchase Threat Modeling: Designing for Security from amazon.com.


now, if someone could handle the weather warnings (1)

turkeydance (1266624) | about 8 months ago | (#46389617)

so many people are confused with the NOAA watch/warning designations. green/yellow/red (just like wildfire danger postings) should be used.

Re:now, if someone could handle the weather warnin (-1)

jc42 (318812) | about 8 months ago | (#46389677)

> so many people are confused with the NOAA watch/warning designations.

Maybe because they haven't heard the fairly simple definition of those terms. In weather jargon, "watch" means that the event has actually been seen and reported somewhere. A "warning" means that conditions are right for an event to happen, but it hasn't yet been actually reported. That's a fairly simple distinction that most people should easily understand.

But the people talking to the public would need to occasionally repeat the definitions, or people won't have any idea what they mean. After all, this is really a case of "technical jargon", since the "actually observed/reported" isn't inherently a part of the definition of the common English words "watch" and "warn(ing)".

Re:now, if someone could handle the weather warnin (-1)

Anonymous Coward | about 8 months ago | (#46389759)

Wow, defending a decision made by two racists in 1948? That's disgusting how you Republicans do that. They didn't want the poor and minorities to understand the actual seriousness of the situation. A group of white men working for the US Weather Bureau banned both government and private weather forecasters from using the word tornado. The terms warning versus watch make no sense, and that is exactly how CONservatives want it to be.

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46389895)

> Wow, defending a decision made by two racists in 1948

who are the racists?

Re:now, if someone could handle the weather warnin (1)

jc42 (318812) | about 8 months ago | (#46389903)

Huh? That doesn't make much sense. The weather forecasts that I follow usually use the phrases "tornado watch" and "tornado warning", explicitly saying "tornado" if that's what the forecast predicts. In other situations, they say things like "hurricane watch/warning" or "blizzard watch/warning", etc., with whatever is predicted as the adjective. I don't think I've ever heard the watch/warning terms used without specifying the type of event. I've even heard them engage in a bit of self-parody by saying things like "warm, sunny day watch/warning". Last summer I heard one weekend described with a "backyard barbecue warning", with advice to lay in a good supply of burgers, brats and beer for the duration of the weather event (which I did, and emailed friends to tell them where they could take cover for an afternoon). So who were these two "racists", and how does that connect with watches/warnings of serious weather events? Historically-curious readers want to know ...

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46404949)

> The weather forecasts that I follow usually use the phrases "tornado watch" and "tornado warning",

It was banned by a group of old white men that didn't want to give the minorities and the poor any warning as to when a tornado was headed their way:

http://www.spc.noaa.gov/faq/tornado/#Forecasting

This is the perfect example of what happens when you let Republicans make the rules.

Re:now, if someone could handle the weather warnin (4, Informative)

wjcofkc (964165) | about 8 months ago | (#46389819)

> In weather jargon, "watch" means that the event has actually been seen and reported somewhere. A "warning" means that conditions are right for an event to happen, but it hasn't yet been actually reported.

The irony is, you have it completely backwards. From AccuWeather [accuweather.com] (and any other source):

"Watches, like severe thunderstorm watches and tornado watches, which are two of the most common types, are issued when weather conditions are conducive for the event to occur,"

"Warnings are different. A warning is issued when the weather event is happening now," Pigott said. "In terms of flooding, for instance, a flood warning means a river has spilled over or flash flooding is occurring."

"Basically, a watch means atmospheric conditions are right for it to happen. Warnings mean it's actually happening," Pigott said.

Re:now, if someone could handle the weather warnin (1)

MrBingoBoingo (3481277) | about 8 months ago | (#46390583)

Right, in weather, watches alert to favorable conditions for adverse incidents and warnings alert that shit is imminent or going down at the moment. It's why in the midwest large portions of states may be covered under a tornado watch, but the actual warnings are much more sparse. The difference between a weather warning and a "terrorism warning" though is that generally the weather makes no special effort to conceal its intentions.

Re:now, if someone could handle the weather warnin (1)

Anonymous Coward | about 8 months ago | (#46389881)

And, by the way, your homepage sucks too.

Re:now, if someone could handle the weather warnin (-1)

Anonymous Coward | about 8 months ago | (#46389721)

Isn't that the entire point of using the words watch and warning? They know they don't make sense but they keep spouting that nonsense. If they cared about the public, they would have fixed those terms years ago. Instead, those people sitting in safe government buildings making announcements simply don't give a damn. Two white men created that system in 1948. They represent the worst of white privilege. Until 1950, the government even banned employees from using the word tornado since they didn't believe us peons had the right to know (citation http://www.spc.noaa.gov/faq/tornado/#Forecasting). The whites that run this country have long hated us and banning the word tornado to describe tornadoes shows just how far they'll go to fuck us over. I had a class on the physics of the weather, and 90% of the class was racist BS like this.

Re:now, if someone could handle the weather warnin (1)

Steve_Ussler (2941703) | about 8 months ago | (#46389769)

That is why people go to weather.com...for a clearer understanding of the data.

Re:now, if someone could handle the weather warnin (1)

the_skywise (189793) | about 8 months ago | (#46389809)

Hmmm... on the flip side, maybe they should start naming terrorist threats like they're doing with storms now.

We're currently under Yellow Threat Level Stephanie and remind you that Yellow Threat Level's Roberta, Quistis, Patricia, Otto, Norm, Mannheim, Lenny, Keith, Jennifer (not to be confused with Gennifer), Ichabod, Henry, Gennifer, Frank, Esther, David, Cato, Benedict, Arnold are all still in effect!

Thank you for your cooperation.

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46390965)

They are actually redesigning their 7-day forecast web pages to include watches in yellow and warnings in red, in addition to the pictures that are already present to indicate the type of weather.

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46392729)

Sorry of watches are red,
warning are blue,
if it snows...
nature loves you?

Re:now, if someone could handle the weather warnin (1)

Hognoxious (631665) | about 8 months ago | (#46391809)

Don't panic! Don't Panic!

[brandishes bayonet] They don't like it up 'em, you know!

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46392677)

> so many people are confused with the NOAA watch/warning designations

What average guy on the street knows what NOAA is...let alone deals with them?

Re:now, if someone could handle the weather warnin (0)

Anonymous Coward | about 8 months ago | (#46395193)

Ask the folks at Apple to design a user centric system...that would work!

Security by Obscurity (2)

freeschwag (134804) | about 8 months ago | (#46389737)

We are strictly forbidden from transmitting or showing any sign or color of our "threat level" with the idea that the enemy won't know our preparedness. However, a slight oversight in this policy means...no one inside the fence knows what's going on either. :/

Color blind? (1)

msauve (701917) | about 8 months ago | (#46389821)

"which color was more severe - yellow or orange? "

Huh? Didn't the author learn ROYGBIV in school? Isn't the order immediately obvious (orange is a combination of red and yellow, so it sits between them)?

Red is universally stop/danger, green go/safe. What possible argument can be made for reversing orange and yellow from their natural order?

If you want to be critical, pick green/blue, which are bass-ackwards on the DHS scale.

Re:Color blind? (1)

iggymanz (596061) | about 8 months ago | (#46390823)

and blue means guarded, how does that fit into your stupid rant?

Re:Color blind? (1)

Steve_Ussler (2941703) | about 8 months ago | (#46391013)

What % of the population do you think really knows that?

Re:Color blind? (0)

Anonymous Coward | about 8 months ago | (#46391067)

What about people who are color blind?

From: http://www.color-blindness.com/2006/04/28/colorblind-population/

The figures above basically show the following important facts about red-green color blindness:

        Roughly 8% of men and 0.5% of women are affected. Therefore chances that your neighbour or one of your classmates is colorblind are very high.

Re:Color blind? (0)

Anonymous Coward | about 8 months ago | (#46391509)

That's why you put it in a table with numbered rows and columns. And we use colors for those who can't read.

I've used this management risk matrix [lucidmanager.org] ever since I found it.

Thanks LucidManager!

Re:Color blind? (1)

Steve_Ussler (2941703) | about 8 months ago | (#46391665)

that is a great table....but way, way, way too complex for the average person to digest.

Devil's advocate: What does threat level help? (2)

mlts (1038732) | about 8 months ago | (#46389901)

I'll go out on a limb here, and ask what this general threat level helps. I can understand having some type of alert if there is some imminent danger... but too much of the message, "be alert... but we can't tell what to watch out for, other than suspicious stuff..." starts to be like crying wolf... and when the wolf does come, people are so jaded by the messages that few notice or care about the henhouse door left ajar.

For military outposts and such, a DEFCON system makes plenty of sense. However, for the general public, does an alert system make sense, especially when the nature of the threat cannot be communicated?

I can understand "business as usual" and "oh crap, there are enemy boots on the ground about to do something", but the second level needs to be used very rarely, as a lot of the populace wouldn't know what to do in the first place.

The whole system needs to be re-engineered, with appropriate groups having their level of readiness set, but for the general public? Urgent, more urgent, super-urgent, OMG-urgent, etc... just creates fatigue, and it becomes a laughingstock.

Re:Devil's advocate: What does threat level help? (1)

jbmartin6 (1232050) | about 8 months ago | (#46390303)

It makes perfect sense if you postulate that the purpose is not to protect or inform the public, but to generate fear.

Re:Devil's advocate: What does threat level help? (1)

Livius (318358) | about 8 months ago | (#46391441)

Not merely generate fear, but manufacture it industrially.

Re:Devil's advocate: What does threat level help? (1)

Steve_Ussler (2941703) | about 8 months ago | (#46391597)

that is precisely why Bruce Schneier rails against the TSA. He says they use 'security theatre' and fear, and accomplish very little.

Re:Devil's advocate: What does threat level help? (0)

Anonymous Coward | about 8 months ago | (#46394073)

i am scared already!!!

Is there a For Dummies version? (1)

Steve_Ussler (2941703) | about 8 months ago | (#46390533)

Is there a For Dummies version of this book? 600 pages of threat modeling? What CISSP can do that? We need a 40 pages for dummies version! All said in jest.....

The misuse of threat levels (0)

Anonymous Coward | about 8 months ago | (#46391647)

The color system should have been perfectly fine if the various levels corresponded to various processes and actions, depending on the characteristics and ready-made risk analysis of the individual systems and targets under protection. The general public would probably have needed some well publicized guidance on applying such a "positivist" metric in practice.

Re:The misuse of threat levels (0)

Anonymous Coward | about 8 months ago | (#46394051)

Say what???????
