Repeat after me: Model your security threats first

Roger A. Grimes

If you haven't seen this hilarious fake consulting video, you need to check it out. It's full of enough nonsensical business jargon to fill a year's worth of "Dilbert" cartoons. More to the point, it shows the customer and other business partners ignoring the expert's advice.

It's so, so true.

Here's the real-life version I suffer through all the time:

Customer: What can we do to stop hackers from breaking in so easily?
Me: You need to figure out the most likely threats to your environment and defend against those first. Do you know what your most common threats are?
Customer: No. But what if we install smart cards and use intelligent intrusion detection?
Me: Well, we can do that, but it probably won't give you the best bang for the buck. In fact, nearly all of my customers already have smart cards and intelligent intrusion detection, and hackers still break in at will. It would be better if we first understood your real and most likely threats before beginning to implement solutions.
Customer: Hm, interesting. I agree. But can you help us install smart cards and advanced firewalls for now?
Me: (silence) Yes.
Customer: And you guarantee that this will stop us from being hacked?
Me: (silence)

Most of my customers simply don't understand the biggest and most likely threats to their environment. If you don't understand the threats, how can you begin to discuss and plan the right defenses? There's not a doubt in my mind that this is the single biggest problem in computer security.

That said, allow me to bring your attention to a new book by Adam Shostack: "Threat Modeling: Designing for Security." It's easily the best and most comprehensive book on building a security model based on the attacks most likely to be launched against your organization. I've known and respected Adam's work for a long time -- as a blogger, a privacy advocate, and a co-founder of the Common Vulnerabilities and Exposures organization.

Adam and I don't always see eye to eye. We both agree healthy debate is good and brings about a better solution. Even in disagreement, I respect his thoughtful insight and expertise. But I can't disagree about the usefulness of his book. If you are interested in learning about computer security or threat modeling, this is the book to have.

The book does a great job of covering different types of threat models and strategies. But it goes further in many ways than previous books on the subject. For one, there's a whole chapter on the human factor and its effects on security. We all know that we humans are the weakest links in any computer security strategy, but for some reason no one addresses that head-on. The book discusses how to "model" people and fit them into the threat-modeling process.
