Performing threat risk modeling using the Microsoft Threat Modeling Process
Trike Trike is a threat modeling framework with similarities to the Microsoft threat modeling processes. Trike differs because it uses a risk based approach with distinct implementation, threat, and risk models, instead of using the STRIDE/DREAD aggregated threat model (attacks, threats, and weaknesses). Trike’s goals are: With assistance from the system stakeholders, to ensure that the risk this system entails to each asset is acceptable to all stakeholders. Be able to tell whether we have done this. Communicate what we’ve done and its effects to the stakeholders. Empower stakeholders to understand and reduce the risks to them and other stakeholders implied by their actions within their domains.
The approach have three layers for the security model as is presented in the following picture. Not all the security models use the layered approach. The model is particularized depending of the magnitude of the organization that will implement it –For corporate level –For small and medium business Both of the models support the layered approach
References http://www.us-cert.gov/cas/tips/ST04-015.html http://www.csoonline.com/article/515614/ddos-attacks-are-back-and-bigger-than-before- William Stallings, Cryptography and Network Security, Fourth Edition, 2005, Prentice Hall Mirkovic, J., and Relher, P. "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms." ACM SIGCOMM Computer Communications Review, April 2004. http://searchsecurity.techtarget.com/magazineContent/Information-Security-magazine-online-October-2011 http://staff.washington.edu/dittrich/misc/ddos/ NIST – Risk Management Guide for Information Technology Systems http://www.gao.gov/special.pubs/ai00033.pdf http://en.wikipedia.org/wiki/Risk_management http://en.wikipedia.org/wiki/Risk_assessment http://www.sandia.gov/ram http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf Jelena Mirkovic, ven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall, 2005 http://cr.yp.to/syncookies.html http://cr.yp.to/syncookies.html http://www.ietf.org/rfc/rfc2267.txt http://en.wikipedia.org/wiki/Client_Puzzle_Protocol http://www.managementlink.com/index.php/help-and-information/business-glossaries/Network-Security- Glossary-10/M/Malformed-packet-attack-8152/http://www.managementlink.com/index.php/help-and-information/business-glossaries/Network-Security- Glossary-10/M/Malformed-packet-attack-8152/ http://www.cert.org/octave/ http://www.ietf.org/rfc/rfc2196.txt www.cisco.com/go/safe/ www.commoncriteria.nl/ https://www.owasp.org http://www.first.org/cvss