Problem solve Get help with specific problems with your technologies, process and projects.

Know your threat model

Before you can protect yourself, you must know what to protect yourself from.

Security is a nightmare these days, no doubt about that. You have to have good security in place. But what are you securing yourself against? The answer is to develop a model of the threat you face, which is the subject of this tip. It comes to us via InformIT, from Jon Lasser, the author of Think UNIX, published by Que.


Your threat model describes what you're worried about. You can derive this from the answers to three basic questions: What's at risk? Who are you afraid of? What can they touch? If you can answer these three questions, you're well on your way to securing your systems.

What's at risk? Most people need to protect three basic things: availability, data and image. Availability is obvious -- you probably need to keep your Web site available and keep adequate bandwidth. It is most often at risk from denial-of-service attacks, but anything that might crash or block your availability is worth worrying about.

For data, you need to protect both integrity and confidentiality. Data integrity means that the data you have has not been altered by unauthorized parties: When your Web page is replaced with hundreds of pornographic .GIFs, the integrity of your data has been violated. Confidentiality means that only authorized parties have access to the data: When the selfsame hackers copy down your users' credit card numbers, the confidentiality of your data has been violated.

When vandals have replaced your home page with obscene messages, something besides your data integrity has been violated as well -- your organizational image has been damaged. If your ISP is the laughingstock of the Internet, that has real-world consequences.

Who are you afraid of? Consider the four basic classes of security threats, in order of how hard they are to guard against: "crackers," opportunistic attackers who hack sites whose security has been found to be inadequate, usually through automated scanning techniques; competitors who have targeted your site or your customers' sites for attacks; employees, who attack from inside; and "the Government," a.k.a. omnipotent attacks. If you think they can read your mind, your system's probably up for grabs too.

What can they touch? Crackers and competitors most often have access to external services, so anything you can do to harden your outer shell protects against these attacks. Employees have access to your internal services as well: If you depend upon any software to run your business, can you protect it from your employees? Also, what about your infrastructure? Buildings, phone lines, Net connections and so on can all be attacked as part of a denial-of-service attack. If you're hosting an online securities-trading company, it might be worth somebody's time and effort to truly bring down your site.


To read more of this tip, click over to InformIT. Registration is required, but it's free.

Related book

Think UNIX
By Jon Lasser
Unix has a reputation for being cryptic and difficult to learn, but it doesn't need to be that way. Think UNIX takes an analogous approach to that of a grammar book. Rather than teaching individual words or phrases like most books, Think UNIX teaches the set of logical structures to be learned. Myriad examples help you learn individual commands, and practice problems at the end of difficult sections help you learn the practical side of Unix. Strong attention is paid to learning how to read "man pages," the standard documentation on all Unix systems, including Linux. While most books simply tell you that man pages exist and spend some time teaching how to use the man command, none spend any significant amount of space teaching how to use the content of the man pages. Even if you are lost at the Unix command prompt, you can learn subsystems that are specific to the Unix flavor.

This was last published in December 2000

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.