|Email weblog link|
Anyway, as we were getting ready I started thinking about the threats our fake tree might face. Like someone coming along and pinching it. Or pinching only the top portion which plugs into the lower part. In other words, I was threat modelling i.e. evaluating the realistic risks our tree might face so we could decide how to mitigate these risks. Here's the approach we finally decided upon:
1. We filled a strong plastic bag with a bucked of soil and several bricks, inserted the bottom portion of the tree's trunk in this bag, and duct-taped the top of the bag around the trunk. Then we inserted the bag into the big ceramic pot and tightly wedged another half dozen bricks on top of the bag. This provided the tree with a sturdy base to help it stand up, but it also made the tree much heavier to reduce the likelihood that someone would pull the entire tree out of the pot to pinch it. The bricks wedged on top of the bag also meant it would take someone maybe a minute longer to steal the tree and thieves generally try to work as fast as possible, so this added another layer of defense.
2. We duct-taped the top portion's trunk to the bottom portion's trunk where they plugged into each other. This was designed to prevent someone from defacing our tree by pinching the top and leaving the remainder. Also, we used about a dozen short pieces of duct tape to do this rather than one long piece, making it more time-consuming to try to remove the tape.
3. Finally we put a string of Christmas lights on the tree and used a heavy staple to anchor one end of the string to the wood railing beside our door so no one could steal the lights.
Threat modelling is an important first step in protecting your network, systems and custom applications from attack. So why don't more administrators and developers follow this approach in securing their networks/systems/apps? Unfortunately the methodical thinking involved in threat modelling takes work, and work takes time and time is money. As a result network admins often fall back upon the "security tweaks" approach of trying to secure their network by implementing some lengthy security configuration guide (see the above link to my recent article on WindowsDevCenter for a discussion concerning the topic of security configuration guides).
But the only network protection steps that are truly effective are those that deter real threats and mitigate real risks, and threat modelling is the way to identify those threats and determine those risks.
Which leaves me with two questions to ask you readers:
1. Which books/sites/articles have you found useful for learning how to do threat modelling for network protection?
2. Should I plug in the string of lights for my Christmas tree? If I do, it makes our porch brighter and thieves love darkness. But if I do, it also makes our tree more visible especially at night when the bad guys are afoot.
Hmmm, damned if you do and damned if you don't...
Showing messages 1 through 1 of 1.
Artificial Christmas Trees
2005-10-24 18:30:24 christmas_trees [View]
|Showing messages 1 through 1 of 1.|
Return to weblogs.oreilly.com.