Thanks to your feedback, we've released tens of usability improvements and bug fixes. If there is something about PTA that you think should work better or something you wish it had, drop us a line at support@ptatechnologies.com.
Installation and First Time
1. What is the latest PTA Professional Edition version?
2. Should I update my PTA?
3. How do I know the current version of PTA installed on my computer?
4. How to download and install PTA?
5. What are the minimal hardware requirements?
6. What are the supported operating systems?
7. What languages are supported?
8. How to invoke PTA for the first time?
9. How to open a PTA project?
10. How to get help on current PTA screen?
11. How to learn more about using PTA features?
12. How to uninstall PTA?
PTA Free Program
13. How to join PTA Free Program?
14. What is the scope of PTA Free Program?
Usability and Methodology
15. How to build your own PTA libraries of security entities checklists?
16. How does PTA relate to security standards and initiatives?
17. How to translate traditional risk assessment fields into PTA terms?
18. How to install a sample PTA project?
19. Is the “monetary value of the assets” the only risk metric that can be entered and tracked in PTA?
20. How PTA saves your data?
21. How to export PTA threat model entities?
22. How to assign assets dollar values and threats probabilities where there is little or no historical data?
23. Can I adjust the mitigation effectiveness for individual countermeasures instead of having an aggregate value for the whole mitigation plan?
24. What is the contribution of the Attacker Type entity to the threat model?
25. Two practical tips for building threat models.
26. Can PTA Risk Value exceed system’s Total Assets Value?
27. How does the PTA model connect between mitigating activities and the impact they address?
28. What if a threat has more than one "Threat's Damage to Asset" value?
1. What is the latest PTA Professional Edition version?
Version 1.54 build 1205 - June 16, 2008.
2. Should I update my PTA?
If PTA is already installed on your computer, it is highly recommended to download a free cumulative update for all PTA versions (3.9MB size; less than 1 minute download time; 30 seconds installation time). The update, which includes many usability improvements and bug fixes, will not conflict with your existing threat model projects.
3. How do I know the current version of PTA installed on my computer?
Click the Help | About menu option in PTA main menu. The About dialog displays the current PTA version and build number.
4. How to download and install PTA?
You are invited to visit PTA Professional Edition Download Area and download a full trial version of PTA Professional Edition.
We hope the download process is simple - if you received a small notification window asking "Do you want to run or save this file?" then the download is successful and you're ready to install PTA Professional. You may choose the Run option to start installation immediately after downloading (preferred) or the Save option to save the installation file to your disk and install the software later by double clicking the self extracting 'PTAxxxx.exe' file.
Installation is quick and straightforward - just make sure you are a member of the Administrators group on the local machine before you start.
If you choose to run PTA on Windows XP simply locate and double click the self extracting 'PTAxxxx.exe' file. You can set the path of the installation folder according to your preferences.
If you choose to run PTA on Windows Vista then we advise you to run the installation process with elevated administrator permissions as follows:
a) Choose the Save option described in the download section above to save the self extracting 'PTAxxxx.exe' file to your disk.
b) Right-click the 'PTAxxxx.exe' file and select the Run as administrator option from the context menu.
5. What are the minimal hardware requirements?
Pentium III or higher with at least 70 MB of free disk space.
6. What are the supported operating systems?
Windows XP + SP2 or higher.
Windows 2000 + SP4 + latest rollout updates.
Windows Server 2003 + SP1 or higher.
Windows Vista Ultimate.
PTA is best viewed in 1280 * 1024 screen resolution with large font size (120 DPI). Also supported are 1280 * 1024 screen resolution with normal font size (96 DPI) and 1024 * 768 screen resolution with normal font size (96 DPI).
7. What languages are supported?
Most of the user interface elements such as button titles, menu items etc. are in English. The text fields of the threat model entities e.g. names and descriptions of assets, vulnerabilities etc. can be in any left-to-right language.
Important note for non-English Windows versions users:
If, while running PTA analysis reports for the first time, you get error messages such as "Error 3144: Syntax error in UPDATE or Error 3346...", make sure to set the Regional Options in Control Panel | Regional and Language Options to English.
8. How to invoke PTA for the first time?
Invoke PTA by clicking the PTA "eye" icon that resides on your computer Desktop or by clicking the Practical Threat Analysis entry in Windows task bar Programs menu (Start | Programs | Practical Threat Analysis).
When you get the first Security Warning message, which confirms that the PTA_Runtime.mde file was digitally signed by Eldan Software Systems, check the "Always trust file from this publisher and open them automatically" checkbox before you click the Open button.
Important notes for Windows XP users:
a) If, while running PTA for the first time, you get the following message: "The expression you entered has a function name that Practical Threat Analysis can’t find", it means that your XP version is not updated. In order to run PTA you should upgrade your XP to SP2 with the latest security updates. As an "off-the-record rescue", open the following URL and install the latest Jet update for Windows XP: http://support.microsoft.com/kb/239114
b) If Microsoft Office 2003 is already installed on your computer, you may encounter difficulties caused by the existing MS Access security settings. The most common symptom is getting the following error message when trying to invoke PTA for the first time: "cannot open ...\PTA_Runtime.mde due to security restrictions" "Security settings restrict access to the file because it is not digitally signed". This is a known issue in which, on several specific MS Office configurations, Access blocks the PTA application although it has a valid digital signature certificate issued by VeriSign to Eldan Software Systems. Read more on MS Access Macro Security issues or contact our support with the description of the problem you encounter and we'll get you through this.
Important notes for Windows Vista users:
MS Access 2003 is not fully supported on Windows Vista, so if you choose to run PTA on Vista we advise you to run PTA with elevated administrator permissions as follows:
a) Be a member of the Administrators group on the local machine
b) Right-click the PTA "eye" icon and select the Run as administrator option from the context menu
You can create a shortcut to PTA and select the option to always run with elevated administrator permissions. Using this shortcut would be the equivalent of the right-click method described above.
9. How to open a PTA project?
When PTA starts, select a PTA database file (a .thm file) in the file browser dialog box that will open.
If this is your first time using PTA, you are invited to open the CurrencyRates.thm sample database located in the \Samples\CurrencyRates folder.
10. How to get help on current PTA screen?
Clicking the question mark button at the PTA toolbar will open a context sensitive help window with help topics relevant to the currently opened screen.
11. How to learn more about using PTA features?
You can learn more about using PTA Professional Edition by browsing the updated help file that comes with the installation of the tool.
12. How to uninstall PTA?
Use Control Panel Add Remove Programs to remove Practical Threat Analysis. It is recommended to restart the computer after uninstall for a complete removal of the software files.
13. How to join PTA Free Program?
PTA Professional Edition is free of charge for students, researchers, software developers and independent security consultants. You may submit your request to participate in PTA Free Program by sending us an email with the following registration details:
1) First and Last Name:
2) Address:
3) Phone:
4) Email:
5) Organization / College / University:
6) Job Title / Position / Academic Level:
7) The area of your profession:
In addition, please email us the “User Code 1” and “User Code 2” numbers as displayed in the “Registration” dialog box that will open when starting the trial version of PTA. (Press the “Yes” button in the "PTA Evaluation" dialog when asked if you would like to purchase registration code.)
As soon as we process your registration details and User Codes, we shall send you the unlock Registration Keys that enable you to extend the usage period of PTA.
14. What is the scope of PTA Free Program?
As a member of the PTA Free Program you may use, free-of-charge, a single instance of PTA Professional Edition for your own professional aims. There is no limit to the number of analysis projects you can support. If you wish to install PTA on several workstations in your company and use it as part of your organization / department workload or if you wish to install it at your clients' sites, you are invited to have a look at our PTA Qualified Partner Program for installing PTA Professional Edition on consultant office machines as well as on customers’ computers.
15. How to build your own PTA libraries of security entities checklists?
You can experiment with PTA libraries by building a threat model based on the sample ‘MS_Telecom.thl’ library, which comes with the standard distribution of PTA Professional Edition, as follows: click File | New Project to open a new (blank) PTA project, activate the Tools | Load from Library tool and open the MS_Telecom.thl library (which resides in the Samples\Libraries folder under PTA's installation root). The tool enables you to select the relevant entities from each of the pre-defined security checklists and load them into your threat model by clicking the ‘Load’ button.
The open architecture of PTA enables you to easily build your own security checklists – all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA automatically organizes the various entities in standalone lists that can be easily integrated into new or existing analysis projects using the ‘Load from Library’ tool. You have full control on the nature and the contents of the libraries - they can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards.
16. How does PTA relate to security standards and initiatives?
How does PTA relate to ISO 17799, BS 7799, ISO 27001, SSE-CMM, Octave, FITSAF, FIPS 199, GAISP, COBIT, ITIL, NIST, ISF FIRM, IRAM, SPRINT, SARA, BIA, PCI DSS, NERC, FERC and others?
PTA is intended to serve as a helping tool for a security analyst who wishes to apply his/her favorite methodology and not to dictate a ‘built in’ methodology. The open architecture and the flexibility of the data model are intended to entice the analyst to use the basic concepts of PTA in the way that suits him/her best.
PTA complements existing standards, appraisal and compliance procedures by supplying means for converting the knowledge embedded in the security standards into actual assets and threats, relevant vulnerabilities and effective countermeasures and mitigation actions.
The flexible mechanism of Practical Threat Analysis pre-defined security entity libraries facilitates the preparation of checklist values that are in compliance with the various methodologies. Qualified security professionals are encouraged to prepare verified and credible libraries for marketplace domains where there is a need for a standardized baseline. A few sample threat models and libraries such as the PTA packages for ISO 27001 and PCI DSS 1.1 are available for free download - feel free to use these packages as a baseline for constructing your own customized threat models.
17. How to translate traditional risk assessment fields into PTA terms?
In a nutshell, the mapping of the traditional risk analysis fields to PTA’s terms is as follows:
Asset Value = Asset Value (annual)
Exposure Factor = Threat’s Level of Damage to a specific Asset
Single Loss Expectancy (SLE) = Threat’s Level of Damage to a specific Asset * Asset Value
Annual Rate of Occurrence (ARO) = Threat’s Probability
Annual Loss Expectancy (ALE) = Threat’s Risk (in $ or in percents of total assets value)
For example: You have an asset of a computer that gets infected with a remote control virus. The exposure factor is 100% since the system must be rebuilt from scratch at the cost of 100$. The threat may happen 10 times a year. The capture of that threat in PTA is as follows:
The Asset's Value = 100$
The Threat’s Level of Damage to the specific Asset = 100%
The Threat’s Probability = 10 times a year.
The Threat’s Risk = 100$ * 100% * 10 = 1,000$ per year
18. How to install a sample PTA project?
Several PTA sample projects are available for downloading in the Practical Threat Analysis Documents page. Each sample is packed in a WinZip archive (for example CallAccountingCaseStudy.zip). The archive contains the sample threat model database (.thm or .thl file) and a few document files relevant to the project (.doc, .pdf, .txt, .bmp etc). After downloading the archive, please extract the files to a separate folder according to your convenience and then invoke PTA and open the .thm database using the File | Open PTA Project dialog.
*Note: to view the sample threat model you should have PTA Software Tool installed on your computer.
19. Is the “monetary value of the assets” the only risk metric that can be entered and tracked in PTA?
In the early stages of our study we were debating with ourselves on how to represent variables such as business reputation, loss of trust etc. In order to develop a robust quantitative method, we wanted to normalize the value of assets and cost of countermeasures in a common system of units that can be processed in order to produce a non-biased risk assessment and prioritized recommendations for mitigating threats based on cost-effectiveness, importance and efficiency.
Consulting with insurance experts has convinced us that anything can and should be assigned monetary values. So we have decided to ask the analyst to express values of assets and derived losses and damages in real $ values (the system calculates the weighted annual monetary value from the one time fee and the recurring portion).
Since PTA is meant to be a practical tool, it keeps all metrics (e.g. assets importance, damage levels, countermeasures implementation and risk values) in financial units. This does not put any real methodological constraint since, at the end of the day, it is the seasoned analyst who has to interpret the meaning of the output figures, in a way which is consistent with the meaning attached to the input numbers. PTA's dynamic calculative engine immediately reflects changes in the input values in a quantitative way and is well suited for the iterative assessment process suggested by most standards.
Actually, the analyst has a lot of freedom in interpreting what is the exact meaning of "monetary value of the assets" to him/her. After all, these are just numbers and we should be able, in principle, to express any quantitative risk metric using numbers.
20. How PTA saves your data?
The File | Save As option enables you to save to disk a copy of your threat model database at any time. As of version 1.53, PTA implements a 'behind the scene' backup mechanism as follows:
The latest threat model version is automatically saved to disk whenever you open a threat model project. The backup file is named as the threat model but with a 'bak' extension. In addition, PTA automatically saves a temporary version of your 'in-work' changes which is kept in a file with the same name as the currently opened threat model but with a '~hm' extension instead of 'thm'.
Hope this information will help you manage your threat models repository safely.
21. How to export PTA threat model entities?
The export option of the PTA Professional Edition is hiding in the product's reporting subsystem. You can invoke it by clicking the "Export Report" button in each report viewer's toolbar (the button on the right side of the view ratio combo box). This feature enables you to save the report's content in several formats e.g. txt, xls, rtf etc.
A more comprehensive way to extract and export data from PTA threat models is to open the thm/ thl threat model files with MS Access 2003. You will be able to retrieve and export the database content via the Access rich export functionality - you'll need of course to have Access 2003 (which is part of MS Office 2003) installed on your workstation.
22. How to assign assets dollar values and threats probabilities where there is little or no historical data?
As discussed in the former question, measuring the value of assets in monetary values is one of the most important issues in PTA's calculative foundation. The probability that a threat will materialize is presented in PTA by the traditional ARO parameter (Annual Rate of Occurrence), which is actually (when no statistical/history data is available) an estimation of how many times the analyst believes that the threat will become a real attack.
So all in all, assigning dollar values and probabilities where there is little or no historical data is an educated guesswork.
The good news is that the monetary values and the probabilities can be easily changed and the whole model is updated automatically to reflect the changes in risk levels and prioritized recommendations of mitigation plans. The analyst may establish the threat model and enter preliminary values of assets and probabilities and then refine them according to feedback from the client's stakeholders (CFO, legal consultants). Moreover, monetary values of assets may be changed by the client's personnel to form a 'what-if' analysis. This may contribute to the degree of confidence a client might have in a particular estimate. Analysts are encouraged to install PTA at their clients’ sites – this enables them to send the threat analysis projects (thm files) to the clients and have their authentic feedback.
23. Can I adjust the mitigation effectiveness for individual countermeasures instead of having an aggregate value for the whole mitigation plan?
The PTA calculative model treats a threat mitigation set as a holistic solution which provides a given mitigation level only when all the countermeasures in the set are implemented. For example: if you mark countermeasures C1, C3 and C5 as the members of a specific threat mitigation plan (by checking the ‘In Mitigation Plan’ for the 3 countermeasures in the Threat Details screen) and then set the ‘Maximal Mitigation’ of the threat to 70%, you will see that the specific threat’s risk is reduced by 70% only when C1, C3 and C5 are marked as ‘Already Implemented’ in the appropriate Countermeasure Details screens.
You may justifiably argue that in some cases the implementation of C1 solely may provide some substantive mitigation to the threat although less than the maximal mitigation. We support this situation in our Enterprise Edition where the analyst is able to define several mitigation plans for each threat and thus benefit from maximal flexibility in aggregating the countermeasures in a practical manner. The PTA Professional Edition enables the definition of one mitigation set for a specific threat so the analyst should be more selective.
24. What is the contribution of the Attacker Type entity to the threat model?
The Attacker Types as well as the Entry Points entities are not mandatory for the PTA threat model. They were designed to help the analyst in affirming the validity of the threat scenarios and do not impact the calculation. This is also true for the Tags and the Attached Documents entities which add descriptive fields and additional information to the threat entities.
25. Two practical tips for building threat models:
1. When initiating a new threat analysis project it may be productive to reuse the last project you did (or one of the sample projects) as a base line.
2. Keep it simple. The following recipe may look a little counter-intuitive but if you follow the data entry order it will save you grief.
First - Define your assets, the ones that when damaged you’ll feel the blow e.g. “the availability of the company’s Web site – if the site is down we lose money”.
Then - Define countermeasures as mitigating activities. Each countermeasure description should contain a verb e.g. “install and configure a firewall”.
Then - Define vulnerabilities – those static weaknesses, limitations or defects in your system that are waiting to be exploited e.g. “the Web server is vulnerable to access from the Internet”.
Then - Assign countermeasures to each vulnerability. The associated countermeasures should be those that reduce the chances that the vulnerability will be exploited.
Then - Define threats as attack scenarios that damage assets and exploit vulnerabilities. It will be nice if the potential attackers and the attack entry points will be part of the threat description e.g. “a hacker damages the company’s Web site pages by exploiting the fact that the Web server is exposed to the Internet”
Repeat the process until you're satisfied with the results
26. Can PTA Risk Value exceed system’s Total Assets Value?
System risk is calculated by summing the risk to each of the system’s assets. The value, presented in percents relative to the total value of all assets, can exceed 100%. It is clear that the actual damage to the system’s assets cannot exceed 100%; however, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since neither the number of threats nor their severity is limited, the risk quantities are not limited to 100%.
For the user’s convenience, a marker line indicating the 100% risk level was added to the system risk status history graph.
27. How does the PTA model connect between mitigating activities and the impact they address?
This question arose from a real life case description sent to us. The story goes like this: a risk of fire in the computer room and premises leads to a disruption of operation and loss of data. The fire may be caused by a vulnerability of fire hazards such as cardboard boxes and plastics that are not disposed of according to policy. One possible mitigation activity might be to assign a janitor to sweep the room daily and remove hazards - this is an obvious mitigation activity that reduces risk. Another mitigation activity might be to install an automatic fire-extinguisher. While this activity does not directly address a specific vulnerability, it surely has a mitigation value since it limits the impact of a fire in the computer-room. What is the PTA way to represent an activity that limits a possible damage to the asset itself rather than mitigate a specific vulnerability?
The answer: the PTA threat model encourages analysts to break down risk entities into their component pieces. This is how the scenario above would work with PTA (we had enhanced the case story a little bit for didactic purposes…)
The threat:
Computer room burns down accidentally due to fire hazards, and 1M Euro of hardware is destroyed.
Asset: (damaged by the threat)
1. Computer room hardware value 1M Euro
Vulnerabilities: (exploited by the threat)
1. Fire hazards such as cardboard boxes and plastics that are not disposed of according to policy.
2. There is no automated fire extinguisher system in the data center.
3. Fire drills are not conducted regularly and equipment is not tested.
4. No one is responsible for the fire brigade activities.
Countermeasures: (associated with the vulnerabilities that were found to be productive in mitigating the threat and therefore are included in the threat’s mitigation plan)
1. Instruct janitor to sweep the room daily and remove hazards
2. Install automated fire extinguisher system
3. Conduct fire drills
4. Appoint and train an ERT (Environmental Response Team)
One more tip – use the PTA Threat Builder - click on Tools | Threat Builder - you will find that it's a great and much easier way to build threat models and relieves you of the necessity for keeping a picture of the data model in your mind...
28. What if a threat has more than one "Threat's Damage to Asset" value?
As you all know, the basic PTA threat model enables a single threat to threaten more than one asset (actually the number of assets that can be threatened by a single threat is limited to 999 but as far as we know, no one has complained yet).
Moreover – the model enables you to assign a particular level of damage that the threat might cause to each of the threatened assets. The data-entry field in the Threat Details screen is called Threat's Damage to Asset and it is defined as follows:
Threat's Damage Level to Asset is the financial value of damage caused by one incident of a specific threat to a specific asset, expressed in percentage of the asset's value - if level is 100% the damage to the asset is maximal.
So where is this question coming from? It has arisen in several cases when the preliminary threats identification process came up with scenarios where it seems that incidents of the same threat cause different damage. For example, an incident of a virus attack can destroy a precious asset such as data stored on disk while another incident of the same virus may have a somewhat less damaging impact like hurting the availability of the system for a short period of time. We were asked if in this case “the threat should be divided into two threats with different damage values or should the threat be assigned with a middle damage value which averages the Threat’s Damage to Asset value.”
All in all, the official answer is:
1. If you are sure that both attack scenarios cannot happen at the same time (e.g. when the virus attacks the precious data it does not affect the system’s availability and vice versa) it is better to divide the threat into two standalone threats, each of which has its own threatened asset (the precious data for one and the availability of the system for the other). In this way you can tune the level of the Threat Damage to Asset value separately for each type of incident.
2. If you believe that both types of attack scenarios go together and that the virus attack will impact both assets, it is better to define one threat which threatens two assets and assign the particular level of damage the attack will cause to each of the assets.
3. If you believe that both option 1 and option 2 may happen (life is quite complicated sometimes) you can define all possibilities (two standalone threats each with its own asset + one threat which threatens both assets) and tune the probabilities of each of the three threats according to your expectations.
The bottom line: a threat is exclusively defined by the vulnerabilities it exploits and by the assets it threatens – so all available combinations are legitimate.
(thanks to Pavel Khizhnyak for his contribution to this discussion).
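The calculations described in FAQ 17, 23, 26 and 28, worked through as an added Python example (not PTA's own code). The class and function names and the FAQ 28 asset values and probabilities are constructed for illustration; PTA's weighting of one-time and recurring asset values is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float                  # ARO: expected incidents per year
    damage_pct: dict                    # asset name -> "Threat's Damage to Asset" in %
    maximal_mitigation_pct: float = 0   # "Maximal Mitigation" of the plan, in %
    plan: frozenset = frozenset()       # countermeasures marked "In Mitigation Plan"


def threat_risk(threat, assets, implemented=()):
    """Annual risk of one threat in currency units (ALE in the FAQ 17 mapping)."""
    # SLE = damage level * asset value, summed over every asset the threat damages.
    sle = sum(assets[name] * pct / 100 for name, pct in threat.damage_pct.items())
    ale = sle * threat.probability
    # FAQ 23: the mitigation set is all-or-nothing; it reduces the risk only
    # when every countermeasure in the plan is already implemented.
    if threat.plan and threat.plan <= frozenset(implemented):
        ale = ale * (100 - threat.maximal_mitigation_pct) / 100
    return ale


def system_risk(threats, assets, implemented=()):
    """Return (annual risk, risk as a percentage of the total assets value)."""
    total = sum(threat_risk(t, assets, implemented) for t in threats)
    return total, 100 * total / sum(assets.values())


def faq17_example():
    """FAQ 17's infected-computer figures with FAQ 23's C1/C3/C5 plan at 70%.

    Pairing the two examples is an assumption made for this illustration.
    """
    assets = {"computer": 100}
    virus = Threat("remote control virus", probability=10,
                   damage_pct={"computer": 100},
                   maximal_mitigation_pct=70,
                   plan=frozenset({"C1", "C3", "C5"}))
    return {
        "unmitigated": system_risk([virus], assets),
        "partial plan": system_risk([virus], assets, {"C1", "C3"}),
        "full plan": system_risk([virus], assets, {"C1", "C3", "C5"}),
    }


def faq28_options():
    """Options 1 and 2 of FAQ 28 on constructed asset values and probabilities."""
    assets = {"data on disk": 50000, "system availability": 10000}
    split = [  # option 1: two standalone threats, one asset each
        Threat("virus destroys data", 1, {"data on disk": 80}),
        Threat("virus causes downtime", 3, {"system availability": 20}),
    ]
    combined = [  # option 2: one threat that damages both assets per incident
        Threat("virus attack", 2, {"data on disk": 80, "system availability": 20}),
    ]
    return {"split": system_risk(split, assets),
            "combined": system_risk(combined, assets)}


if __name__ == "__main__":
    for label, (risk, pct) in {**faq17_example(), **faq28_options()}.items():
        print(f"{label:13} {risk:>9.0f} per year  {pct:7.1f}% of total assets")
```

The unmitigated FAQ 17 threat alone gives a system risk of 1,000% of the total assets value, which is the FAQ 26 case of risk exceeding 100%.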