As we progress through our threat models with the corresponding assignments, I have come to realize that we are only scratching the surface of threat modeling. The Harry and Mae's case study has so many unknown variables that would normally be addressed in a real environment, and consequently get left out of the assignments. Some of the known variables are generic descriptions, and we have to make assumptions in order to give a proper analysis.
In any case, I feel threat modeling requires much more time to solicit information, document the environment, investigate specific threats and vulnerabilities, calculate the risks, provide more detailed recommendations, and identify metrics for defining success. As students (most of us with full-time jobs), we have limited time to completely cover all aspects, and I have noticed some scope shrinkage in order to demonstrate that we understand the basic concept of the assignments.
It seems that a comprehensive threat analysis would require a diverse team of security consultants working with the in-house network engineers, system admins, and project managers over a span of weeks to encompass everything that would benefit from a security makeover. As a result, I have a much deeper appreciation for the opportunity to learn this process, and for the experts who carry this out on a daily basis.