Repeat after me: Model your security threats first

Organizations often deploy defenses before they know which attacks will nail them. A new book helps security pros model those threats and design defenses

If you haven't seen this hilarious fake consulting video, you need to check it out. It's full of enough nonsensical business jargon to fill a year's worth of "Dilbert" cartoons. More to the point, it shows the customer and other business partners ignoring the expert's advice.

It's so, so true.


Here's the real-life version I suffer through all the time:

Customer: What can we do to stop hackers from breaking in so easily?

Me: You need to figure out the most likely threats to your environment and defend against those first. Do you know what your most common threats are?

Customer: No. But what if we install smart cards and use intelligent intrusion detection?

Me: Well, we can do that, but it probably won't give you the best bang for the buck. In fact, nearly all of my customers already have smart cards and intelligent intrusion detection, and hackers still break in at will. It would be better if we first understood your real and most likely threats before beginning to implement solutions.

Customer: Hm, interesting. I agree. But can you help us install smart cards and advanced firewalls for now?

Me: (silence) Yes.

Customer: And you guarantee that this will stop us from being hacked?

Me: (silence)

Most of my customers simply don't understand the biggest and most likely threats to their environment. If you don't understand the threats, how can you begin to discuss and plan the right defenses? There's not a doubt in my mind that this is the single biggest problem in computer security.

That said, allow me to bring your attention to a new book by Adam Shostack: "Threat Modeling: Designing for Security." It's easily the best and most comprehensive book on building a security model based on the attacks most likely to be launched against your organization. I've known and respected Adam's work for a long time -- as a blogger, a privacy advocate, and a co-founder of the Common Vulnerabilities and Exposures organization.

Adam and I don't always see eye to eye. We both agree healthy debate is good and brings about a better solution. Even in disagreement, I respect his thoughtful insight and expertise. But I can't disagree about the usefulness of his book. If you are interested in learning about computer security or threat modeling, this is the book to have.

The book does a great job of covering different types of threat models and strategies. But it goes further in many ways than previous books on the subject. For one, there's a whole chapter on the human factor and its effects on security. We all know that we humans are the weakest links in any computer security strategy, but for some reason no one addresses that head-on. The book discusses how to "model" people and fit them into the threat-modeling process.

You'll also find discussions about cloud threats, privacy exploits, and identity lifecycles. If you're in charge of threat modeling at your company, you're no doubt actively worrying about all three topics.

Clearly, Adam has been there and done that -- not just at a defender-versus-attacker tactical level, but in trying to implement threat modeling at an enterprise level. It's easy to model threats to a single program or process, but it's a lot harder to make it a part of an organization's DNA. The book helps by offering chapters dedicated to the success of enterprise implementations, including strategies, tools, and politics.

Most security professionals have a shortlist of people whom they admire as extraordinary teachers of computer security best practices, one that includes such luminaries as Bruce Schneier, Brian Krebs (who is having a movie made about him now), and Stephen Northcutt (of SANS). Add Adam Shostack's name to your list. He gets it right.

This story, "Repeat after me: Model your security threats first," was originally published at InfoWorld. Read more of Roger Grimes's Security Adviser blog for the latest developments in network security.

Copyright © 2014 IDG Communications, Inc.
