'Attack Trees' Help Model Potential Security Flaws

Our most prolific reader, Anonymous Coward, writes "Here is an article by Bruce Schneier of Counterpane Internet Security from Dr. Dobb's Journal that describes a way to 'model threats against computer systems'." This is Bruce Schneir at his best. Many of the thoughts in this article aren't about cryptography but about other ways intruders might defeat your security measures, and about how to determine what kind of attacks you might expect to face.

A good model

[friedo]

This is a good model of explaining security threats. For example, look at an operating system like win98 (I'm not just MS bashing 'cause this is slashdot, I'm making an actual point.) By integrating browsers and such so closely into the operating system, Win98 effectively adds opportunities for more leaf nodes. Take the following example: On a UNIX system, you need at least the root password to take ove rthe entire machine. A regular user's password is nice if you need to telnet in. There are a few ways to do this, such as social engineering, getting a root shell via a buggy network daemon, or guessing. Now look at Windows. There are more ways into the system, so there are more branches. You could get an administrator password by the methods mentioned above. Or you might find a bug in a web browser or email program running under an administrative account. By Microsoft "seemlessly integrating" software with their OS, they've created a situation where there are more nodes closer to the root of the tree. In a better security model, you would want as few nodes close to the root as possible, so that any viable points of attack would have to circumvent numerous obsticles to be successful.

No startling new thoughts, just my own musings. If you can't tell, I found the article pretty interesting, and I've never thought about a hierarchical method of analyzing security risks.