Difference between revisions of "Threat Model"
Mattsenate (talk | contribs) (creates page) |
(→Models) |
||
(3 intermediate revisions by one other user not shown) | |||
Line 18: | Line 18: | ||
<blockquote> | <blockquote> | ||
'As defined in Newman's book Design Guidelines for Creating Defensible Space, defensible space is "a residential environment whose physical characteristics—building layout and site plan—function to allow inhabitants themselves to become key agents in ensuring their security." He goes on to explain that a housing development is only defensible if residents intend to adopt this role, which is defined by good design: "Defensible space therefore is a sociophysical phenomenon," says Newman. Both society and physical elements are parts of a successful defensible space.' | |||
</blockquote> | </blockquote> | ||
[http://criminology.fsu.edu/crimtheory/newman.htm This article by Melissa Remy] on the subject of Defensible Space helps provide some context. | |||
==Resources== | |||
===Guides, Documents, References=== | |||
* Open Source Security Testing Methodology Manual (OSSTMM) http://www.isecom.org/mirror/OSSTMM.3.pdf | |||
* https://www.owasp.org/index.php/OWASP_Security_Principles_Project | |||
** https://github.com/OWASP/Security-Principles | |||
* https://www.owasp.org/index.php/Category:Principle | |||
* https://www.owasp.org/index.php/Cheat_Sheets | |||
* https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet | |||
===Tools, Concepts=== | |||
* [https://en.wikipedia.org/wiki/Honeypot_(computing) Honeypot] | |||
==Models== | |||
===General building access=== | |||
A threat model for the Omni Collective building usage, generally, as an asset. (Use an asset-focused model?) | |||
===Sleepers=== | |||
A threat model for people who need a place to sleep and will try to (Use both attacker-focused and system-focused models?) | |||
===Muggers=== | |||
The danger to people being robbed on the street for their phones/laptops between BART/transit and the Omni building as word spreads. | |||
===Unwanted Graffiti and Tagging=== | |||
Strategies for preventing and responding to events. |
Latest revision as of 04:28, 12 June 2014
In order to benefit from creative thinking inspired by the security community and hacker culture, it can be useful to apply knowledge gained from the study of security for both physical and information systems to the Omni Collective's assets, services, member-groups, and their larger social/physical contexts.
Namely, a Threat Model:
"... is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures exist that mitigate the threats."
One may want to use "compromise" assets instead of "damage" to be more clear, but ultimately the compromise depends entirely on what exactly the assets are anyhow. This implies that the idea of a threat model in the abstract is not too useful, but that assessing security methodologically with concrete/real facts and situations to create thread models is a good way to be aware of vulnerabilities and implement countermeasures where appropriate.
For the Omni Collective, note that rather than emphasizing physical security, instead, we can accept the affordances and limitations of design generally by approaching security through the wider field of Environmental Design, namely:
"the applied arts and sciences dealing with creating the human-designed environment ... [including] architecture, geography, urban planning, landscape architecture, and interior design."
Consider, for instance, Oscar Newman's theory of Defensible space:
'As defined in Newman's book Design Guidelines for Creating Defensible Space, defensible space is "a residential environment whose physical characteristics—building layout and site plan—function to allow inhabitants themselves to become key agents in ensuring their security." He goes on to explain that a housing development is only defensible if residents intend to adopt this role, which is defined by good design: "Defensible space therefore is a sociophysical phenomenon," says Newman. Both society and physical elements are parts of a successful defensible space.'
This article by Melissa Remy on the subject of Defensible Space helps provide some context.
Resources
Guides, Documents, References
- Open Source Security Testing Methodology Manual (OSSTMM) http://www.isecom.org/mirror/OSSTMM.3.pdf
- https://www.owasp.org/index.php/OWASP_Security_Principles_Project
- https://www.owasp.org/index.php/Category:Principle
- https://www.owasp.org/index.php/Cheat_Sheets
- https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet
Tools, Concepts
Models
General building access
A threat model for the Omni Collective building usage, generally, as an asset. (Use an asset-focused model?)
Sleepers
A threat model for people who need a place to sleep and will try to (Use both attacker-focused and system-focused models?)
Muggers
The danger to people being robbed on the street for their phones/laptops between BART/transit and the Omni building as word spreads.
Unwanted Graffiti and Tagging
Strategies for preventing and responding to events.