February 22, 2005

Guerrilla Threat Modelling

Peter Torr has done it again. He has written an EXCELLENT article on writing a practical threat model... getting rid of the cruft of useless theory and applying real-world experience to how to get it done. If you are part of a team that needs a no-nonsense approach to threat modeling, you should read his article on "Guerrilla Threat Modelling". Well worth the investment in time.

Peter, a suggestion. Follow up this article with another one on actually writing attack trees. Then I can point people to your two articles instead of constantly having to explain this to them. :)

Posted by SilverStr at February 22, 2005 10:04 PM
Comments

print('Thanks Dana!')

var entry = new BlogEntry("Threat Trees")
thingsToDo.push(entry)

print(thingsToDo.length) // integer overflow

Posted by: Peter Torr at February 22, 2005 10:46 PM

I found an interesting link about money and security. This web always posts excellent documents.


Source: http://www.infosecwriters.com/text_resources/pdf/ROISI.pdf

Abstract
Much is said on the importance of investing in information security (Potter 2004; Ernst & Young 2003), but little is known on the extent and effectiveness of such security programmes. A model that analyses the mechanics of an information security programme is presented and will serve as the founding work of future research in this area. The model attempts to put an upper-bound on the amount that should be spent on an information security programme and estimates the amount an attacker is likely to spend to break into a system depending on the information assets at stake of the organisation in question.

Posted by: javier cao avellaneda at February 23, 2005 08:20 AM