So my Threat Modeling book came in today from [I’ve only preordered it for ages] and even before I’ve started reading it I’m doing a bit of “threat modeling/risk analysis” here at the office today. 

Internet Explorer.  Unless you’ve been living under a rock, you’ll know that IE has had a few issues lately.  Per news reports, one of the web sites that was unpatched for 04-011 and thus was vulnerable to being overtaken and used in the browser attack was Kelley Blue Book.  That sort of hit a little too close to home.  Since that would be a business site that I would consider “trustworthy” I’d probably be adding that to a trusted zone if I needed it to work. 

First and foremost as administrator I need to ensure that the firm’s data remains secure.  If I can’t control what is going on on my workstations, I’m not controlling my network.  My workstations are where my vulnerabilities are.  Jeff Middleton just said it yesterday.  Security isn’t about following a “Reader’s Digest how to” book, it’s about *administration and control.*

So I made a risk analysis.  I know that I don’t have my entire office running as user because either the applications I run won’t support it, or in my role as network enabler, I’m unwilling to push my office workers into a “painful” and loss of productivity position.  So I’ve done things like running with IE in high security, adjusting the Trusted site zone to be no lower than medium.  I have certain positions locked down, but not my IT workers who aren’t ready for a lack of control.

Today I decided to roll out XP SP2 to my higher risk workstations [like mine].  I know that I’m going to have to work something out around’s patch program that needs outbound NetBIOS connections [and inbound return responses], but right now I’ve not been seriously hampered by running a firewall inside my firewall.

Off to check out the Threat Modeling book….

UPDATE – another mitigation alternative is to run this IE registry tool here from eEye. This “kills” the adodb bit.

Closing the adodb issue closes off the possibility of this latest zero vulnerability running, as it requires adodb to run. Microsoft has not considered the adodb issue, which allows code to be run in the “My Computer” zone, to be a security problem; however, multiple issues of this have been made.


2 Responses to Threat Modeling and Risk Analysis….

  1. Kevin Weilbacher says:

    Susan — just had a good laugh. Did you notice that when you go to your Amazon link, under the section of what customers interested in Threat Modeling may also be interested in, we find this:

    Customers interested in Threat Modeling (DV-Professional) may also be interested in:

    Modeling Talent Sought

    Job opportunities for all ages now available thru agencies nationwide!

    Models and Actors

    Top agents looking for models & actors. Real World Melissa hosting

    Looking for Models

    Join the premier online marketplace We build your webpage for $9.95

  2. Shai Levanon says:

    Hi Susan,

    I invite you to visit and download a free version of our PTA (Practical Threat Analysis) tool.

    PTA is a calculative threat modeling methodology and software tool for maintaining a dynamic database of threat models and assessing systems’ risks.

    PTA calculates threats and countermeasures priorities and produces the most effective risk reduction policy which reflects the latest changes in system assets and vulnerabilities.

    Countermeasures’ priorities are expressed as a function of the system’s assets values, degrees of damage, threats probabilities and degrees of mitigation provided by countermeasures to the threats.

    The software is available for free for students, researchers and independent software developers and can be downloaded from our site.

    Keep on doing your great SBS mission


    Shai Levanon