PTA Technologies - Practical Threat Analysis, Threat Modeling and Risk Assessment for Software Systems

<body bgcolor="white"> <h1 align="left"><font face="Verdana" size="1"> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></h1> <h1 align="center"><font face="Verdana" size="1">PTA Professional Edition FAQ and Support Issues </font> </h1> <p align="left"><font face="Verdana" size="1">Thanks to your feedback, we've released tens of usability improvements and bug fixes. If there is something about PTA that you think should work better or something you wish it had, drop us a line <a href="mailto:support@ptatechnologies.com">support@ptatechnologies.com</a>.</font></p> <p align="left"><b><font face="Verdana" size="1">Installation and First Time </font></b></p> <p align="left"><font face="Verdana" size="1"><a href="#latest PTA version">1. What is the latest PTA Professional Edition version?</a><br> <a href="#update PTA version">2. Should I update my PTA?</a><br> <a href="#current version and build number">3. How do I know the current version of PTA installed on my computer?</a><br> <a href="#download PTA trial">4. How to download and install PTA?</a><br> <a href="#minimal system requirements">5. What are the minimal hardware requirements?</a><br> <a href="#supported operating systems">6. What are the supported operating systems?</a><br> <a href="#languages">7. What languages are supported?</a><br> <a href="#invoke PTA">8. How to invoke PTA for the first time?</a><br> <a href="#open a PTA project">9. How to open a PTA project?</a><br> <a href="#get help on current PTA screen">10. How to get help on current PTA screen?</a><br> <a href="#learn more about using PTA">11. How to learn more about using PTA features?</a><br> <a href="#uninstall PTA">12. How to uninstall PTA?</a></font></p> <p align="left"><b><font face="Verdana" size="1">PTA Free Program</font></b></p> <p align="left"><font face="Verdana" size="1"> <a href="#extend the evaluation period">13. How to join PTA Free Program?</a><br> <a href="#join PTA free program">14. What is the scope of PTA Free Program?</a></font></p> <p align="left"><b><font face="Verdana" size="1">Usability and Methodology</font></b></p> <p align="left"><font face="Verdana" size="1"> <a href="#build your own security checklists">15. How to build your own PTA libraries of security entities checklists?</a><br> <a href="#relate to security standards">16. How does PTA relate to security standards and initiatives?</a><br> <a href="#translate into PTA terms">17. How to translate traditional risk assessment fields into PTA terms?</a><br> <a href="#install PTA sample project">18. How to install a sample PTA project?</a><br> <a href="#monetary value of the assets">19. Is the “monetary value of the assets” the only risk metric that can be entered and tracked in PTA?</a><br> <a href="#backup your data">20. How PTA saves your data?</a><br> <a href="#export threat model database entities">21. How to export PTA threat model entities?</a><br> <a href="#no historical data">22. How to assign assets dollar values and threats probabilities where there is little or no historical data? </a><br> <a href="#adjust the mitigation effectiveness">23. Can I adjust the mitigation effectiveness for individual countermeasures instead of having an aggregate value for the whole mitigation plan? </a><br> <a href="#contribution of the Attacker Type">24. What is the contribution of the Attacker Type entity to the threat model? </a><br> <a href="#two tips">25. Two practical tips for building threat models. </a><br> <a href="#risk value exceed">26. Can PTA Risk Value exceed system’s Total Assets Value? </a><br> <a href="#mitigating activities and the impact">27. How does the PTA model connect between mitigating activities and the impact they address? </a><br> <a href="#threat with more than one damage">28. What if a threat has more than one "Threat's Damage to Asset" value?</a><br> </font></p> <p align="center"><font face="Verdana" size="1"> </font></p> <p align="left"><b><font face="Verdana" size="1"><a name="latest PTA version"> </a>1. What is the latest PTA Professional Edition version?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Version 1.54 build 1205 - June 16, 2008. </font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"><a name="update PTA version"> </a>2. Should I update my PTA?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">If PTA is already installed on your computer it is <b>most recommended</b>  to download a free <a target="main" href="NewsFrameset.htm?page=LatestUpdateFrameset.htm">cumulative update</a> for all PTA versions (3.9MB size; less than 1 minute download time; 30 seconds installation time). The update, which includes many usability improvements and bug fixes, will not conflict with your existing threat model projects.</font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"> <a name="current version and build number"></a>3. How do I know the current version of PTA installed on my computer?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Click the<i> </i><b>Help</b><i> </i>| <b>About</b> menu option in PTA main menu. The <i>About</i> dialog displays the current PTA version and build number.</font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"><a name="download PTA trial"> </a>4. How to download and install PTA?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">You are invited to visit <a target="content" href="DownloadFrameset.htm">PTA Professional Edition Download Area</a> and download a full trial version of PTA Professional Edition. </font></p> <p align="left"><font face="Verdana" size="1">We hope the download process is simple - if you received a small notification window asking "<b>Do you want to run or save this file?</b>" then the download is successful and you're ready to install PTA Professional. You may choose the <b>Run</b> option to start installation immediately after downloading (preferred) or the <b>Save</b> option to save the installation file to your disk and install the software later by double clicking the self extracting 'PTAxxxx.exe' file. </font></p> <p align="left"><font face="Verdana" size="1">Installation is quick and straightforward - just make sure you are a member of the <b>Administrators</b> group on the local machine before you start. </font></p> <p align="left"><font face="Verdana" size="1">If you choose to run PTA on <b> Windows XP</b> simply locate and double click the self extracting 'PTAxxxx.exe' file. You can set the path of the installation folder according to your preferences.  </font></p> <p align="left"><font face="Verdana" size="1">If you choose to run PTA on<b> Windows Vista</b> then we advise you run installation process with elevated administrator permissions as follows:</font></p> <blockquote> <p align="left"><font face="Verdana" size="1">a) Choose the <b>Save</b> option described in the download section above to save the self extracting 'PTAxxxx.exe' file to your disk.<br> b)<b> </b>Right-click the 'PTAxxxx.exe' file and select the <b>Run as administrator</b> option from the context menu.</font></p> </blockquote> </blockquote> <p align="left"><b><font face="Verdana" size="1"> <a name="minimal system requirements"></a>5. What are the minimal hardware requirements?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Pentium III or higher with at least 70 Mega free disk space.</font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"> <a name="supported operating systems"></a>6. What are the supported operating systems?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Windows XP + SP2 or higher.</font></p> <p align="left"><font face="Verdana" size="1">Windows 2000 + SP4 + latest rollout updates.</font></p> <p align="left"><font face="Verdana" size="1">Windows Server 2003 + SP1 or higher.</font></p> <p align="left"><font face="Verdana" size="1">Windows Vista Ultimate.</font></p> <p align="left"><font face="Verdana" size="1">PTA is best viewed in 1280 * 1024 screen resolution with large font size (120 DPI). Also supported 1280 * 1024 screen resolution with normal font size (96 DPI) and 1024 * 768 screen resolution with normal font size (96 DPI).   </font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"><a name="languages"></a>7. What languages are supported?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Most of the user interface elements such as button titles, menu items etc. are in English. The text fields of the threat model entities e.g. names and descriptions of assets, vulnerabilities etc. can be in any left-to-right language. </font></p> <p align="left"><font face="Verdana" size="1">Important note for non-English Windows versions users:<br> <br> If, while running PTA analysis reports for the first time, you get error messages such as <span style="font-style: italic; background-color: #C0C0C0">"Error 3144: Syntax error in UPDATE or Error 3346..."</span> make sure to set the <b>Regional Options</b> in <b>Control Panel | Regional and Language Options</b> to <b>English</b></font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"><a name="invoke PTA"></a>8. How to invoke PTA for the first time?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">Invoke PTA by clicking the <b> PTA "eye" icon</b> that resides on your computer Desktop or by clicking the Practical Threat Analysis<i> </i>entry in Windows task bar Programs menu (<b>Start</b> | <b>Programs</b> | <b>Practical Threat Analysis</b>). </font></p> <p align="left"><font face="Verdana" size="1">When you get the first <b>Security Warning</b> message which confirms that the PTA_Runtime.mde file was digitally signed by Eldan Software Systems - <b>check</b> the <span style="background-color: #C0C0C0"><i>"Always trust file from this publisher and open them automatically"</i></span> checkbox before you click the <b>Open</b> button</font></p> <p align="left"><font face="Verdana" size="1">Important notes for <b>Windows XP</b> users:</font></p> <blockquote> <p align="left"><font face="Verdana" size="1">a) If, while running PTA for the first time, you get the following message:<span style="background-color: #C0C0C0"> <i>"The expression you entered has a function name that Practical Threat Analysis can’t find</i>”</span> it means that your XP version is not updated. In order to run PTA you should upgrade your XP to SP2 with latest security updates. As an "off-the-record rescue" - open the following url and install the latest jet update for Windows XP: <a target="_blank" href="http://support.microsoft.com/kb/239114">http://support.microsoft.com/kb/239114</a></font></p> <p align="left"><font face="Verdana" size="1">b) If Microsoft Office 2003 is already installed on your computer, you may encounter difficulties caused by the existing MS Access security settings. The most common symptom is getting the following error message: <span style="font-style: italic; background-color: #C0C0C0">"cannot open ...\PTA_Runtime.mde due to security restrictions"</span>  <span style="font-style: italic; background-color: #C0C0C0">"Security settings restrict access to the file because it is not digitally signed"</span>  when trying to invoke PTA for the first time. This is a known issue in which, on several specific MS Office configurations, Access blocks the PTA application although it has a valid digital signature certificate issued by <i>VeriSign</i> to Eldan Software Systems. Read more on <a target="_blank" href="Documents/Access2003_MacroSecurity.pdf">MS Access Macro Security</a> issues or contact our <a href="mailto:support@ptatechnologies.com?subject=PTA problem">support</a> with the description of the problem you encounter and we'll get you through out of this.  </font></p> </blockquote> <p align="left"><font face="Verdana" size="1">Important notes for <b>Windows Vista </b>users:</font></p> <blockquote> <p align="left"><font face="Verdana" size="1">MS Access 2003 is not fully supported on Windows Vista so if you choose to run PTA on Vista then we advise you run PTA with elevated administrator permissions as follows:</font></p> <p align="left"><font face="Verdana" size="1">a) Be a member of the <b>Administrators</b> group on the local machine<br> b) Right-click the PTA "eye" icon and select the <b>Run as administrator</b> option from the context menu<br> <br> You can create a shortcut to PTA and select the option to <b>always run with elevated administrator permissions</b>. Using this shortcut would be the equivalent of the right-click method described above.<br>  </font></p> </blockquote> </blockquote> <p align="left"><font size="1" face="Verdana"><b><a name="open a PTA project"> </a>9. How to open a PTA project?</b></font></p> <blockquote> <p align="left"><font size="1" face="Verdana">When PTA starts, select a PTA database file (a .thm file) in the file browser dialog box that will open.<br> <br> If this is your first time using PTA, you are invited to open the CurrencyRates.thm sample database located in the \Samples\CurrencyRates folder.</font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="get help on current PTA screen"></a>10. How to get help on current PTA screen?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">Clicking the question mark button at the PTA toolbar will open a context sensitive help window with help topics relevant to the currently opened screen.</font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="learn more about using PTA"></a>11. How to learn more about using PTA features?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">You can learn more about using PTA Professional Edition by browsing the updated help file that comes with the installation of the tool.</font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b><a name="uninstall PTA"></a>12. How to uninstall PTA?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">Use Control Panel <i>Add Remove Programs</i> to remove Practical Threat Analysis. It is recommended to restart the computer after uninstall for a complete removal of the software files. </font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="extend the evaluation period"></a>13. How to join PTA Free Program?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">PTA Professional Edition is free of charge for students, researchers, software developers and independent security consultants. You may <a href="mailto:sales@ptatechnologies.com?subject=I want to join PTA free program for students and independent security consultants"> submit your request to participate in PTA Free Program</a> by sending us an email with the following registration details:<br> <br> 1) First and Last Name:<br> 2) Address:<br> 3) Phone:<br> 4) Email:<br> 5) Organization / College / University:<br> 6) Job Title / Position / Academic Level:<br> 7) The area of your profession:<br> <br> In addition, please email us the “User Code 1” and “User Code 2” numbers as displayed in the “Registration” dialog box that will open when starting the <a target="content" href="DownloadFrameset.htm">trial version of PTA</a>. (Press the “Yes” button in the "PTA Evaluation" dialog when asked if you would like to purchase registration code).   </font></p> <p align="left"><font face="Verdana" size="1">As soon as we process your registration details and User Codes, we shall send you the unlock Registration Keys that enable you to extend the usage period of PTA.</font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="join PTA free program"></a>14. What is the scope of PTA Free Program?</b></font></p> <blockquote> <p><font face="Verdana" size="1">As a member of the <a target="content" href="FreeProgramFrameset.htm">PTA Free Program</a> you may use, free-of-charge, a single instance of PTA Professional Edition for your own professional aims. There is no limit to the number of analysis projects you can support. If you wish to install PTA on several workstations in your company and use it as part of your organization / department workload or if you wish to install it at your clients' sites, you are invited to have a look at our <a target="content" href="QualifiedFrameset.htm">PTA Qualified Partner Program</a> for installing PTA Professional Edition on consultant office machines as well as on customers’ computers.  </font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="build your own security checklists"></a>15. How to build your own PTA libraries of security entities checklists?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">You can experience with PTA libraries by building a threat model based on the sample ‘MS_Telecom.thl’ library which comes with the standard distribution of PTA Professional Edition as follows - click <b>File </b>|<b> New Project</b> to open a new (blank) PTA project, activate the <b>Tools </b>|<b> Load from Library</b> tool and open the MS_Telecom.thl library (which resides in the Samples\Libraries folder under PTA's installation root). The tool enables you to select the relevant entities from each of the pre-defined security checklists and load them into your threat model by clicking the ‘Load’ button.<br> <br> The open architecture of PTA enables you to easily build your own security checklists – all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA automatically organizes the various entities in standalone lists that can be easily integrated into new or existing analysis projects using the ‘Load from Library’ tool. You have full control on the nature and the contents of the libraries - they can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards.  </font></p> </blockquote> <p align="left"><font face="Verdana" size="1"><b> <a name="relate to security standards"></a>16. How does PTA relate to security standards and initiatives?</b></font></p> <blockquote> <p align="left"><font face="Verdana" size="1">How does PTA relate to ISO 17799, BS 7799, ISO 27001, SSE-CMM, Octave, FITSAF, FIPS 199, GAISP, COBIT, ITIL, NIST, ISF FIRM, IRAM, SPRINT, SARA, BIA, PCI DSS, NERC, FERC and others?<br> <br> PTA is intended to serve as a helping tool for a security analyst who wishes to apply his/her favorite methodology and not to dictate a ‘built in’ methodology. The open architecture and the flexibility of the data model are intended to entice the analyst to use the basic concepts of PTA in the way that suits him/her best.</font></p> <p align="left"><font face="Verdana" size="1">PTA complements existing standards, appraisal and compliance procedures by supplying means for converting the knowledge embedded in the security standards into actual assets and threats, relevant vulnerabilities and effective countermeasures and mitigation actions.<br> <br> The flexible mechanism of <a target="content" href="LibrariesFrameset.htm">Practical Threat Analysis pre-defined security entity libraries</a> facilitates the preparation of the checklists values that are in compliance with the various methodologies. Qualified security professionals are encouraged to prepare verified and credible libraries for marketplace domains where there is a need for a standardized baseline. A few sample threat models and libraries such as the <a target="content" href="DocumentsFrameset.htm">PTA packages for ISO 27001 and PCI DSS 1.1</a> are available for free download - feel free to use these packages base line for constructing your own customized threat models.  <br> <br>  </font></p> </blockquote> <p align="left"><b><font face="Verdana" size="1"> <a name="translate into PTA terms"></a>17. How to translate traditional risk assessment fields into PTA terms?</font></b></p> <blockquote> <p align="left"><font face="Verdana" size="1">In a nutshell, the mapping of the traditional risk analysis fields to PTA’s terms is as follows:<br> <br> Asset Value = Asset Value (annual)<br> Exposure Factor = Threat’s Level of Damage to a specific Asset<br> Single Loss Expectancy (SLE) = Threat’s Level of Damage to a specific Asset *<br> Asset Value<br> Annual Rate of Occurrence (ARO) = Threat’s Probability<br> Annual Loss Expectancy (ALE) = Threat’s Risk (in $ or in percents of total assets<br> value)<br> <br> For example: You have an asset of a computer that gets infected with a remote control virus. The exposure factor is 100% since the system must be rebuilt from scratch at the cost of 100$. The threat may happen 10 times a year. The capture of that threat in PTA is as follows:<br> <br> The Asset's Value = 100$ <br> The Threat’s Level of Damage to the specific Asset = 100%<br> The Threat’s Probability = 10 times a year.<br> The Threat’s Risk = 100$ * 100% * 10 = 1,000$ per year<br>   </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="install PTA sample project"></a>18. How to install a sample PTA project?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">Several PTA sample projects are available for downloading in the <a target="content" href="DocumentsFrameset.htm">Practical Threat Analysis Documents</a> page. Each sample is packed in a WinZip archive (for example CallAccountingCaseStudy.zip). The archive contains the sample threat model database (.thm or .thl file) and a few document files relevant to the project (.doc, .pdf, .txt, .bmp etc). After downloading the archive, please extract the files to a separate folder according to your convenience and than invoke PTA and open the .thm database using the <b>File </b>|<b> Open PTA Project</b> dialog.<br> <b><br> *</b>Note: to view the sample threat model you should have <a target="content" href="DownloadFrameset.htm">PTA Software Tool</a> installed on your computer.</font></p> </blockquote> <b><font face="Verdana" size="1"><a name="monetary value of the assets"></a>19. Is the “monetary value of the assets” the only risk metric that can be entered and tracked in PTA?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">In the early stages of our study we were debating with ourselves on how to represent variables such as business reputation, loss of trust etc. In order to develop a robust quantitative method, we wanted to normalize the value of assets and cost of countermeasures in a common system of units that can be processed in order to produce a non-biased risk assessment and prioritized recommendations for mitigating threats based on cost-effectiveness, importance and efficiency.</font></p> <p align="left"><font face="Verdana" size="1">Consulting with insurance experts has convinced us that anything can and should be assigned monetary values. So we have decided to ask the analyst to express values of assets and derived losses and damages in real $ values (the system calculates the weighted annual monetary value from the one time fee and the recurring portion). </font></p> <p align="left"><font face="Verdana" size="1">Since PTA is meant to be a practical tool, therefore it keeps all metrics e.g. assets importance, damage levels, countermeasures implementation and risk values in financial units. This does not put any real methodological constraint since, at the end of the day, it is the seasoned analyst who has to interpret the meaning of the output figures, in a way which is consistent with the meaning attached to the input numbers. PTA dynamic calculative engine immediately reflects changes in the input values in a quantitative way and is well suited for the iterative assessment process suggested by most standards.  </font></p> <p align="left"><font face="Verdana" size="1">Actually, the analyst has a lot of freedom in interpreting what is the exact meaning of "monetary value of the assets" to him/her. After all, these are just numbers and we should be able, in principle, to express any quantitative risk metric using numbers.</font></p> </blockquote> <b><font face="Verdana" size="1"><a name="backup your data"></a>20. How PTA saves your data?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">The <b>File | Save As</b> option enables you to save to disk a copy of your threat model database at any time. As of version 1.53, PTA implements a 'behind the scene' backup mechanism as follows: </font></p> <p align="left"><font face="Verdana" size="1">The latest threat model version is automatically saved to disk whenever you open a threat model project. The backup file is named as the threat model but with a 'bak' extension. In addition, PTA automatically saves a temporary version of your 'in-work' changes which is kept in a file with the same name as the currently opened threat model but with a '~hm' extension instead of 'thm'.<br> <br> Hope this information will help you manage your threat models repository safely. </font></p> </blockquote> <b><font face="Verdana" size="1"> <a name="export threat model database entities"></a>21. How to export PTA threat model entities?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">The export option of the PTA Professional Edition is hiding in the product's reporting subsystem. You can invoke it by clicking the "Export Report" button in each of the report viewer toolbar (the button on the right side of the view ratio combo box). This feature enables you to save the report's content in several formats e.g. txt, xls, rtf etc.<br> <br> A more comprehensive way to extract and export data from PTA threat models is to open the thm/ thl threat model files with MS Access 2003. You will be able to retrieve and export the database content via the Access rich export functionality - you'll need of course to have Access 2003 (which is part of MS Office 2003) installed on your workstation. </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="no historical data"></a>22. How to assign assets dollar values and threats probabilities where there is little or no historical data?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">As discussed in the former question, measuring the value of assets in monetary values is one of the most important issues in PTA calculative foundation. The probability that a threat will materialize is presented in PTA by the traditional ARO parameter (Annual Rate of Occurrence) – which is actually (when no statistical/history data available) an estimation of how many times the analyst believes that the threat will become a real attack.<br> <br> So all in all, assigning dollar values and probabilities where there is little or no historical data is an educated guesswork.<br> <br> The good news are that the monetary values and the probabilities can be easily changed and the whole model is updated automatically to reflect the changes in risk levels and prioritized recommendations of mitigation plans. The analyst may establish the threat model and enter preliminary values of assets and probabilities and then refine them according to client's stake-holders feedback (CFO, legal consultants). Moreover - monetary values of assets may be changed by client's personnel to form a 'what-if' analysis. This may contribute to the degree of confidence a client might have in a particular estimate. Analysts are encouraged to install PTA at their clients’ sites – this enables them to send the threat analysis projects (thm files) to the clients and have their authentic feedback.<br>  </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="adjust the mitigation effectiveness"> </a>23. Can I adjust the mitigation effectiveness for individual countermeasures instead of having an aggregate value for the whole mitigation plan?</font></b><font face="Verdana" size="1"></font></b></font><p> </p> <blockquote> <p align="left"><font face="Verdana" size="1">The PTA calculative model treats a threat mitigation set as a holistic solution which provides a given mitigation level only when all the countermeasures in the set are implemented. For example: if you mark countermeasures C1, C3 and C5 as the members of a specific threat mitigation plan (by checking the ‘In Mitigation Plan’ for the 3 countermeasures in the Threat Details screen) and then set the ‘Maximal Mitigation’ of the threat to 70%, you will see that the specific threat’s risk is reduced by 70% only when C1, C3 and C5 are marked as ‘Already Implemented’ in the appropriate Countermeasure Details screens. <br> <br> You may justifiably argue that in some cases the implementation of C1 solely may provide some substantive mitigation to the threat although less than the maximal mitigation. We support this situation in our Enterprise Edition where the analyst is able to define several mitigation planes for each threat and thus benefit from maximal flexibility in aggregating the countermeasures in a practical manner. The PTA Professional Edition enables the definition of one mitigation set for a specific threat so the analyst should be more selective. <br>  </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="contribution of the Attacker Type"> </a>24. What is the contribution of the Attacker Type entity to the threat model?</font></b><font face="Verdana" size="1"></font></b></font><p> </p> <blockquote> <p align="left"><font face="Verdana" size="1">The Attacker Types as well as the Entry Points entities are not mandatory for the PTA threat model. They were designed to help the analyst in affirming the validity of the threat scenarios and do not impact the calculation. This is also true for the Tags and the Attached Documents entities which add descriptive fields and additional information to the threat entities. <br>  </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="two tips"></a>25. Two practical tips for building threat models:</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">1. When initiating a new threat analysis project it may be productive to reuse the last project you did (or one of the sample projects) as a base line.<br> <br> 2. Keep it simple. The following recipe may look a little counter-intuitive but if you follow the data entry order it will save you grief.<br> <br> <u>First</u> - Define your assets, the ones that when damaged you’ll feel the blow e.g. “the availability of the company’s Web site – if the site is down we lose money”. <br> <br> <u>Then</u> - Define countermeasures as mitigating activities. Each countermeasure description should contain a verb e.g. “install and configure a firewall”. <br> <br> <u>Then</u> - Define vulnerabilities – those static weaknesses, limitations or defects in your system that are waiting to be exploited e.g. “the Web server is vulnerable to access from the Internet”. <br> <br> <u>Then</u> - Assign countermeasures to each vulnerability. The associated countermeasures should be those that reduce the chances that the vulnerability will be exploited.<br> <br> <u>Then</u> - Define threats as attack scenarios that damage assets and exploit vulnerabilities. It will be nice if the potential attackers and the attack entry points will be part of the threat description e.g. “a hacker damages the company’s Web site pages by exploiting the fact that the Web server is exposed to the Internet” <br> <br> <u>Repeat</u> the process until you're satisfied with the results <br> <br>  </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="risk value exceed"></a>26. Can PTA Risk Value exceed system’s Total Assets Value?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">System risk is calculated by summing the risk to each of the system’s assets. The value, presented in percents relative to the total value of all assets, can exceed 100%. It is clear that the actual damage to the system’s assets cannot exceed 100%; however, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since neither the number of threats nor their severity is limited, the risk quantities are not limited to 100%.<br> <br> For the user’s convenience, a marker line indicating the 100% risk level was added to the system risk status history graph. <br>  </font></p> </blockquote> <b><font face="Verdana" size="1"><a name="mitigating activities and the impact"> </a>27. How does the PTA model connect between mitigating activities and the impact they address?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">This question arose from a real life case description sent to us. The story goes like that: a risk of fire in the computer room and premises leads to a disruption of operation and loss of data. The fire may be caused by a vulnerability of fire hazards such as cardboard boxes and plastics that are not disposed off according to policy. One possible mitigation activity might be to assign a janitor to sweep the room daily and remove hazards - this is an obvious mitigation activity that reduces risk. Another mitigation activity might be to install an automatic fire-extinguisher. While this activity does not directly address a specific vulnerability, it surely has a mitigation value since it limits the impact of a fire in the computer-room. What is the PTA way to represent an activity that limits a possible damage to the asset itself rather then mitigate a specific vulnerability?<br> <br> The answer: the PTA threat model encourages analysts to breakdown risk entities into their component pieces. This is how the scenario above would work with PTA (we had enhanced the case story a little bit for didactic purposes…)<br> <br> <u>The threat:</u><br> <br> Computer room burns down accidentally due to fire hazards, and 1M Euro of hardware is destroyed.<br> <br> <u>Asset:</u> (damaged by the threat)<br> <br> 1. Computer room hardware value 1M Euro<br> <br> <u>Vulnerabilities:</u> (exploited by the threat)<br> <br> 1. Fire hazards such as cardboard boxes and plastics that are not disposed according to policy.<br> 2. There is no automated fire extinguisher system in the data center.<br> 3. Fire drills are not conducted regularly and equipment is not tested.<br> 4. No one is responsible for the fire brigade activities.<br> <br> <u>Countermeasures:</u> (associated with the vulnerabilities that were found to be productive in mitigating the threat and therefore are included in the threat’s mitigation plan)<br> <br> 1. Instruct janitor to sweep the room daily and remove hazards<br> 2. Install automated fire extinguisher system<br> 3. Conduct fire drills<br> 4. Appoint and train an ERT (Environmental Response Team)<br> <br> One more tip – use the PTA Threat Builder - click on <b>Tools</b> | <b>Threat Builder </b>- you will find that it's a great and much easier way to build threat models and relieves you of the necessity for keeping a picture of the data model in your mind... </font></p> <p align="left"> </p> </blockquote><b><font face="Verdana" size="1"> <a name="threat with more than one damage"></a>28. What if a threat has more than one "Threat's Damage to Asset" value?</font></b><font face="Verdana" size="1"></font></b></font><p></p> <blockquote> <p align="left"><font face="Verdana" size="1">As you all know, the basic PTA threat model enables a single threat to threaten more than one asset (actually the number of assets that can be threatened by a single threat is limited to 999 but as far as we know, no one has complained yet). Moreover – the model enables you to assign a particular level of damage that the threat might cause to each of the threatened assets. The data-entry field in the Threat Details screen is called Threat's Damage to Asset and it defined as follows:<br><br> </font><b><span style="font-family: Verdana"> <font size="1">Threat's Damage Level to Asset</font></span></b><span style="font-family: Verdana"><font size="1"> is the financial value of damage caused by one incident of a specific threat to a specific asset, expressed in percentage of the asset's value - if level is 100% the damage to the asset is maximal.</font></span></p> <p align="left"><font face="Verdana" size="1">So where is this question coming from? It has aroused in several cases when the preliminary threats identification process came up with scenarios where it seems that incidents of the same threat cause different damage. For example, an incident of a virus attack can destroy a precious asset such as data stored on disk while another incident of the same virus may have a somewhat less damaging impact like hurting the availability of the system for a short period of time. We were asked if in this case “the threat should be divided into two threats with different damage values or should the threat be assigned with a middle damage value which averages the Threat’s Damage to Asset value.”</font></p> <p align="left"><font face="Verdana" size="1">All in all, the official answer is:</font></p> <p align="left"><font face="Verdana" size="1">1. If you are sure that both attack scenarios cannot happen at the same time (e.g. when the virus attacks the precious data it does not affect the system’s availability and vice versa) it is better to divide the threat into two standalone threats, each of which has it own threatened asset (the precious data for one and the availability of the system for the other). In this way you can tune the level of the Threat Damage to Asset value separately for each type of incident.</font></p> <p align="left"><font face="Verdana" size="1">2. If you believe that both types of attack scenarios go together and that the virus attack will impact both assets, it is better to define one threat which threatens two assets and assign the particular level of damage the attack will cause to each of the assets.</font></p> <p align="left"><font face="Verdana" size="1">3. If you believe that both option 1 and option 2 may happen (life is quite complicated sometimes) you can define all possibilities (two standalone threats each with its own asset + one threat which threatens both assets) and tune the probabilities of each of the three threats according to you expectations.</font></p> <p align="left"><font face="Verdana" size="1">The bottom line: a threat is exclusively defined by the vulnerabilities it exploits and by the assets it threatens – so all available combinations are legitimate. <br> (thanks to <i>Pavel Khizhnyak</i> for his contribution to this discussion). </font></p> </blockquote> <p align="center"><font face="Verdana" size="1"> <b><br> </b>***</font></p> <p align="center"><font face="Verdana" size="1"> <a target="content" href="DownloadFrameset.htm"><b>Download PTA Professional Edition</b></a>  -   <a target="content" href="DocumentsFrameset.htm"><b>Practical Threat Modeling Documents</b></a><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a><b><br>  </b></font></p> </body>