Threat Modeling: Designing for Security by Adam Shostack

Appendix A

Helpful Tools

This appendix provides you with a set of lists containing common answers to “What's your threat model?” and “What are your assets?”

Common Answers to “What's Your Threat Model?”

The question “What's your threat model?” can help you quickly express who or what you're worried about. Some typical answers include the following:

  • Someone with user-level access to the machine
  • Someone with admin-level access to the machine
  • Someone with physical access to a machine or site

Network Attackers

Attackers that are in a good position to attack via the network include the following:

  • Eve or Mallory
    • Using available software
    • Creating new software
  • Your ISP
  • Your cloud provider, or someone who has compromised them
  • The coffee shop or hotel network
  • The Mukhbarat or the NSA
  • A compromised switch or router
  • The node at the other end of a connection
  • A trusted node that's been compromised

Physical Attackers

This section considers those physically attacking a technical system, not those attacking people. Examples include the following:

  • Possession of a machine for unlimited time
    • A thief who has stolen the machine
    • Police or border agents who seize the machine
  • Time-limited but physically unconstrained access
    • For five minutes
    • For an hour
    • The janitor*
    • Hotel maids*
  • Physically constrained access to a machine
    • Can insert a USB key (“Can I just plug my phone in to recharge?”)
    • Physical, in-line keyloggers
    • Access via Bluetooth or other radio protocols
  • Ninjas
  • Pirates (the kind ...