Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Logs somewhere cold

Exploring Information Security - Change Log - February 22-29, 2024

March 1, 2024

This is a log of changes to the site over the last week.

New pages:

Zero Trust - Deep Dive - Getting deeper into Zero Trust

Podcast posts:

What cybersecurity tools every organization should have - Hacker Historian Mubix joins me to discuss useful tools for security

Blog posts:
Impressions from the 2024 Palmetto Cybersecurity Summit - Thoughts from last week's conference

7 Tips and Best Practices for Threat Modeling - Tips and best practices I use to make threat modeling efficient and effective

Leveraging AI to Prepare for an Interview - My experience and some ideas around using AI to prepare for an interview


In Website Tags website, change log, AI, Threat Modeling, Zero Trust

This way to BSides Nashville - From BSides Nashville 2016.

Threat Modeling at BSides Nashville 2024

February 20, 2024

I’m excited to announce that I will be speaking at BSides Nashville on May 11, 2024. I will be presenting my threat modeling talk, which I’ve been blogging about for the past couple of weeks. I’ll link the blog posts for the talk and pictures from past BSides events below. I’ve been going to BSides Nashville since it started in 2014. The first few years I attended I lived in Columbia, SC, which meant a seven-hour drive to the conference. In 2016 I moved to Nashville and now consider it my home BSides conference.

It’s a really great event with a lot of great speakers and a great venue. It’s also Nashville, so getting into some fun (or trouble) is right around the corner. Prior to the pandemic they used to sell out 300 tickets very quickly. Post-pandemic they’ve struggled to get back to those numbers, but so has every other local user group and conference. I’m expecting this year to be a big year for conference attendance, not only for myself but for the community. I believe people are ready to get back out there. More importantly, the job market is in flux and a lot of people are looking for jobs. The best way to do that is to get out and network with people at local user groups and conferences. If you’re planning to attend, reach out and we can meet in person!

Threat modeling blog posts:

  • Why Threat Modeling is Important

  • What is Threat Modeling?

  • Basics of Threat Modeling

  • Methodologies and Approaches for Threat Modeling

  • Threat Modeling Risk Management

BSides Nashville Pictures:

BSides Nashville 2014

Bsides Nashville, TN, May 17, 2014.

BSides Nashville 2015

BSides Nashville, TN, April 11, 2015.

BSides Nashville 2016

BSides Nashville, TN, April 16, 2016

BSides Nashville 2017

Nashville, TN, April 22, 2017

BSides Nashville 2018

Nashville, TN, April 14, 2018

BSides Nashville 2019

Nashville, TN, April 13, 2019

In Experiences, Media Tags Threat Modeling, BSides Nashville

Explore threat modeling risk management - Created with help from ChatGPT

Threat modeling risk management

February 15, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book, he calls it obsolete and recommends the SDL Bug Bar. The reason is that the different categories can be a bit ambiguous and lack granularity and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management as well and switch to something that provides more scalability.

Using DREAD we rate each threat in each of the five categories on a 1-3 scale and combine the ratings into a final number. This allows for prioritizing threats as low, medium, and high. The final number helps prioritize the discovered threats for follow-up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea of threat modeling, advancing to something a bit more technical can be useful.
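The 1-3 DREAD rating described above, worked through in code as an added example (not from the original post): each threat is rated per category, the ratings are validated and summed, and the totals are bucketed and ranked for follow-up. The low/medium/high cut-offs and the sample threats are assumptions constructed for illustration.

```python
"""DREAD scoring on a 1-3 scale: rate, sum, bucket, rank.

Added example. Bucket cut-offs (5-8 low, 9-11 medium, 12-15 high)
and the sample threats are assumptions, not values from the post.
"""
from dataclasses import dataclass

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> int:
        """Sum of the five category ratings (range 5-15)."""
        ratings = [getattr(self, c) for c in CATEGORIES]
        for cat, r in zip(CATEGORIES, ratings):
            if r not in (1, 2, 3):  # keep the scale honest
                raise ValueError(f"{self.name}: {cat} must be 1-3, got {r}")
        return sum(ratings)


def priority(score: int) -> str:
    """Bucket a DREAD total into low/medium/high (assumed cut-offs)."""
    if score >= 12:
        return "high"
    if score >= 9:
        return "medium"
    return "low"


def rank(threats):
    """Highest score first; ties broken by name so output is stable."""
    return sorted(threats, key=lambda t: (-t.score(), t.name))


# Constructed sample threats from a hypothetical modeling session.
SAMPLE = [
    Threat("SQL injection in login form", 3, 3, 2, 3, 2),           # 13
    Threat("Verbose stack trace on error page", 1, 3, 1, 2, 3),     # 10
    Threat("Admin console reachable from user VLAN", 3, 2, 1, 1, 1),  # 8
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.score():2d} {priority(t.score()):6s} {t.name}")
```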

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online about implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF, which doesn’t exactly give instructions on how to implement it. It can be loaded as a template into other Microsoft tooling, which can help streamline some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. It has more in-depth math and expanded categories for rating a threat, and could be another option as a program matures.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of expressing risk in financial terms for organizations.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built-in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple, but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. The OWASP Risk Rating Methodology is another option. If you really want to go deep, CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management: FAIR from a financial standpoint and TARA with a DoD lean. Choosing the best risk management methodology will depend on the organization and its needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.

In Experiences, Advice Tags Threat Modeling, Risk
