Book Review: Threat Modeling: Designing For Security
benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System; which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review.
Threat Modeling: Designing for Security
author: Adam Shostack
pages: 624
publisher: Wiley
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-1118809990
summary: Invaluable guide to creating a formal threat modeling program
Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organizations faces.
In the introduction, Shostack sums up his approach in four questions:
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets out a structure in which to model threats, be it for software, applications, systems or services, such as cloud computing.
While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.
An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.
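As an added illustration of the four-question framing the review describes (this is example code written for this review, not code from the book), the script below walks a small constructed system through the questions: build the model, enumerate what can go wrong on every flow that crosses a trust boundary, record decisions, and check which threats still lack one. The sample system and the use of STRIDE as the per-flow threat taxonomy are assumptions; the review names neither.

```python
# Added example of the four-question framing reviewed above; this is not code
# from the book. The modelled system and the use of STRIDE as the threat
# taxonomy are assumptions, neither is named in the review.
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

@dataclass
class Flow:
    src: str
    dst: str
    data: str

@dataclass
class Model:
    # Question 1, what are you building: elements in trust zones, plus flows.
    zones: dict                                       # element -> trust zone
    flows: list
    mitigations: dict = field(default_factory=dict)   # threat id -> decision

def enumerate_threats(model):
    """Question 2, what can go wrong: one candidate threat per STRIDE category
    for every flow that crosses a trust boundary (flows inside one zone are
    skipped here, a simplification to focus on the crossings)."""
    threats = {}
    for f in model.flows:
        if model.zones[f.src] == model.zones[f.dst]:
            continue
        for cat in STRIDE:
            threats[f"{cat[0]}:{f.src}->{f.dst}"] = f"{cat} of {f.data} on {f.src} -> {f.dst}"
    return threats

def unaddressed(model, threats):
    """Question 4, did you do a decent job: a threat is addressed only when a
    decision (mitigate, accept, transfer) is recorded against it."""
    return sorted(t for t in threats if t not in model.mitigations)

def build_example():
    # Constructed sample: a browser, an API and a database in three zones.
    m = Model(zones={"browser": "internet", "api": "dmz", "db": "internal"},
              flows=[Flow("browser", "api", "login request"),
                     Flow("api", "db", "user record")])
    # Question 3, what should you do: two decisions recorded, the rest open.
    m.mitigations["S:browser->api"] = "mitigate: TLS plus session tokens"
    m.mitigations["D:browser->api"] = "accept: edge rate limiting, documented"
    return m

if __name__ == "__main__":
    model = build_example()
    found = enumerate_threats(model)
    for tid in unaddressed(model, found):
        print("open:", found[tid])
```

Running it lists the ten threats that still have no recorded decision, which is the output a review of the model (question 4) would start from.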
The beauty of the book is that it focuses on gaining empirical data about the threats to your organization, rather than simply taking an approach based on Gartner, USA Today or industry best practices.
While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.
For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.
Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.
Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats, and that is precisely the approach the book argues against.
As noted, threat modeling is not overly complex. But even if it were complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and instead tailor their approach so that they deal with their own threats.
For those who still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started with threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.
Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can create a false sense of protection. If they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve to give an aura of infosec protection, not real protection itself.
Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.
There are only a handful of books on this topic, and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve as to go to Disney World uninformed. Conversely, no one should go into the IT world without adequate threat information.
Threat modeling provides compelling benefits: better information security decisions, a sharper focus for often limited resources, and a model that protects against current and future threats.
For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.
Reviewed by Ben Rothke.
You can purchase Threat Modeling: Designing for Security from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.
So many people are confused by the NOAA watch/warning designations. Green/yellow/red (just like wildfire danger postings) should be used.
We are strictly forbidden from transmitting or showing any sign or color of our "threat level" with the idea that the enemy won't know our preparedness. However, a slight oversight in this policy means...no one inside the fence knows what's going on either. :/
Tweet, tweet, all id10t's out of the gene pool, open swim is over.
That is why people go to weather.com...for a clearer understanding of the data.
Hmmm... on the flip side, maybe they should start naming terrorist threats like they're doing with storms now.
We're currently under Yellow Threat Level Stephanie and remind you that Yellow Threat Levels Roberta, Quistis, Patricia, Otto, Norm, Mannheim, Lenny, Keith, Jennifer (not to be confused with Gennifer), Ichabod, Henry, Gennifer, Frank, Esther, David, Cato, Benedict, Arnold are all still in effect!
Thank you for your cooperation.
The irony is, you have it completely backwards. From AccuWeather (and any other source):
"Watches, like severe thunderstorm watches and tornado watches, which are two of the most common types, are issued when weather conditions are conducive for the event to occur,"
"Warnings are different. A warning is issued when the weather event is happening now," Pigott said. "In terms of flooding, for instance, a flood warning means a river has spilled over or flash flooding is occurring."
"Basically, a watch means atmospheric conditions are right for it to happen. Warnings mean it's actually happening," Pigott said.
Brought to you by Carl's Junior.
"which color was more severe - yellow or orange? "
Huh? Didn't the author learn ROYGBIV in school? Isn't the order immediately obvious (orange is a combination of red and yellow, so it sits between them).
Red is universally stop/danger, green go/safe. What possible argument can be made for reversing orange and yellow from their natural order?
If you want to be critical, pick green/blue, which are bass-ackwards on the DHS scale.
"National Security is the chief cause of national insecurity." - Celine's First Law
And, by the way, your homepage sucks too.
> Wow, defending a decision made by two racists in 1948
who are the racists?
I'll go out on a limb here and ask: what does this general threat level help? I can understand having some type of alert if there is some imminent danger... but too much of the message "be alert... but we can't tell you what to watch out for, other than suspicious stuff..." starts to be like crying wolf... and when the wolf does come, people are so jaded by the messages that few notice or care about the henhouse door left ajar.
For military outposts and such, a DEFCON system makes plenty of sense. However, for the general public, does an alert system make sense, especially when the nature of the threat cannot be communicated?
I can understand "business as usual" and "oh crap, there are enemy boots on the ground about to do something", but the second level needs to be used very rarely, as a lot of the populace wouldn't know what to do in the first place.
The whole system needs to be re-engineered, with appropriate groups having their level of readiness set, but for the general public? Urgent, more urgent, super-urgent, OMG-urgent, etc... just creates fatigue, and it becomes a laughingstock.
Huh? That doesn't make much sense. The weather forecasts that I follow usually use the phrases "tornado watch" and "tornado warning", explicitly saying "tornado" if that's what the forecast predicts. In other situations, they say things like "hurricane watch/warning" or "blizzard watch/warning", etc., with whatever is predicted as the adjective. I don't think I've ever heard the watch/warning terms used without specifying the type of event. I've even heard them engage in a bit of self-parody by saying things like "warm, sunny day watch/warning". Last summer I heard one weekend described with a "backyard barbecue warning", with advice to lay in a good supply of burgers, brats and beer for the duration of the weather event (which I did, and emailed friends to tell them where they could take cover for an afternoon). So who were these two "racists", and how does that connect with watches/warnings of serious weather events? Historically-curious readers want to know ...
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
It makes perfect sense if you postulate that the purpose is not to protect or inform the public, but to generate fear.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Is there a For Dummies version of this book? 600 pages of threat modeling? What CISSP can do that? We need a 40 pages for dummies version! All said in jest.....
Right, in weather, watches alert to favorable conditions for adverse incidents and warnings alert that shit is imminent or going down at the moment. It's why in the midwest large portions of states may be covered under a tornado watch, but the actual warnings are much more sparse. The difference between a weather warning and a "terrorism warning", though, is that generally the weather makes no special effort to conceal its intentions.
They are actually redesigning their 7-day forecast web pages to include watches in yellow and warnings in red, in addition to the pictures that are already present to indicate the type of weather.
Not merely generate fear, but manufacture it industrially.
That is precisely why Bruce Schneier rails against the TSA. He says they use 'security theatre' and fear, and accomplish very little.
The color system would have been perfectly fine if the various levels corresponded to various processes and actions, depending on the characteristics and ready-made risk analysis of the individual systems and targets under protection. The general public would probably have needed some well publicized guidance on applying such a "positivist" metric in practice.
Don't panic! Don't Panic!
[brandishes bayonet] They don't like it up 'em, you know!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
> so many people are confused with the NOAA watch/warning designations
What average guy on the street knows what NOAA is...let alone deals with them?
Sorry of watches are red,
warnings are blue,
if it snows...
nature loves you?
I am scared already!!!
Ask the folks at Apple to design a user centric system...that would work!
> The weather forecasts that I follow usually use the phrases "tornado watch" and "tornado warning",
It was banned by a group of old white men that didn't want to give the minorities and the poor any warning as to when a tornado was headed their way:
http://www.spc.noaa.gov/faq/tornado/#Forecasting
This is the perfect example of what happens when you let Republicans make the rules.