|
Threat modeling addresses two distinct, but related, topics in computer security: * The first is a description of the security issues and resources the designer cares about. This is often represented as a Data Flow Diagram (DPD) that shows the potential attack points from outside the system. * The second includes in, Threat modeling the development of attack trees, which are descriptions of a set of computer security aspects. That is, when looking at a piece of software (or any computer system), one can define a threat model by defining a set of to consider.〔(Threat modeling, abuse cases, data classification ) BSIMM, the Building Security In Maturity Model〕 It is often useful to define many separate threat models for one computer system. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft's SDL (Security Development Lifecycle) process.〔http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/〕 A 2015 report, the "DoD Comprehensive Military Unmanned Aerial Vehicle Smart Device Control Station Threat Model"〔() DoD Comprehensive Military Unmanned Aerial Vehicle Smart Device Control Station Threat Model, 〕 emphasizes a holistic approach to Threat Modelling and the need for a full analysis of the threats modelled. Most organizations will need to take the more cost-effective approach of targeting those issues and resources of most importance to them. In any case the threat model by itself will not change the security of the organization until an analysis of the threats leads to mitigations of those most likely to harm the organization or the resources that it wants to protect. Threat modeling is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures exist that mitigate the threats. ==Approaches to threat modeling== There are at least three general approaches to threat modeling: ;Attacker-centric :Attacker-centric threat modeling starts with an attacker, and evaluates their goals, and how they might achieve them. Attacker's motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets. ;Software-centric :Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle. ;Asset-centric :Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Threat model」の詳細全文を読む スポンサード リンク
|