[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"
a.mirbach at me.com
Wed Jan 15 08:27:38 CET 2014
>From that point of view i agree with you, but i still think it's a very complex topic for this document.
Maybe we should write another document with a focus on security management where the idea of a threat model fits in perfectly.
Mit freundlichen Grüßen
Zum Römersprudel 101
+49 160 94980084
On 14 Jan, 2014,at 09:36 PM, arne renkema-padmos <arne.renkema-padmos at cased.de> wrote:
On 14/01/14 11:06, Andreas Mirbach wrote:
2. Threat modelling: Eva mentioned that most guides first focus on a threat
model. We don't really do that so much in ours.
Are we missing something here?
I Don't think that we need a Threat model because it shrinks the focus onto this
model. Everything else is left out.
I Think we should provide an overall preventive security configuration and not
how to defend specific threats. (Maybe there can be smaller document with
different threats that can be referenced)
From what I understood the problem wasn't so much that they do / don't
include a threat model, but that they don't include the concept of
threat modelling, and determining what advice is and is not relevant in
the readers context. AFAIK, these guides start off with a specific
threat model, and don't discuss the concept of threat modelling.
There was also some talk about how persecuted groups generally tend to
have a good model of the threats that they are up against. How this maps
to security technology is another matter, and what's missing from any
guides. I guess administrators must also have quite some experience with
different kinds of threats, which is what a threat modelling section
could build on.
CASED, TU Darmstadt
Ach mailing list
Ach at lists.cert.at
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Ach