Dana Epp describes a Threat Modeling talk he recently heard presented by Dan Seller of Microsoft.
One key idea from the talk is that DREAD is dead, according to Dan. If you don't know, DREAD was a way to assign ratings to threats, but this has proven to be too subjective when you have both security experts and business types in the same room trying to decide what rating to give a particular threat.
Now, Microsoft is using something different. According to Dana:
They are using the Microsoft Security Response Center Security Bulletin Severity Rating System. Instead of having a rating system between 0 and 10 where most stuff is ranked as either a 1 or a 10 anyways, it is now broken down into 1 of 4 categories:
- Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
- Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
- Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
Dana mentions this information came from Dan's slide deck. The slide deck is probably very similar to what I presented on Threat Modeling recently here and here, as I borrowed some slides and ideas (with due credit, of course) from the talk Michael Howard gave at PDC 2005. In that talk, Michael mentioned DREAD and presented the same simple formula.
I especially like this new model as well, as it gets to the heart of what and how security threats should be viewed by your business/company.