Practical Threat Analysis and Risk Management

Threat analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake.

The whole point of threat analysis is to try to determine what level of defenses are called for against the various things to which your systems seem vulnerable.

There are three general means of mitigating risk. Defenses can be categorized as means of reducing an asset's value to attackers mitigating specific vulnerabilities and neutralizing or preventing attacks.

Reducing an asset's value may seem like an unlikely goal, but the key is to reduce that asset's value to attackers, not to its rightful owners/users. The best example of this is encryption: all of the attacks described in the examples earlier in this article would be made irrelevant largely by proper use of e-mail encryption software.

If stolen e-mail is effectively encrypted, it can't be read easily by thieves. If it's digitally signed (also a function of e-mail encryption software), it can't be tampered with without the recipient's knowledge, regardless of whether it's encrypted too. A physical world example is dye-bombs: a bank robber who opens a bag of money only to see himself and his loot sprayed with permanent dye will have some difficulty spending that money. Asset-devaluation techniques like these don't stop attacks, but they have the potential to make them unrewarding and pointless.

Another strategy to defend information assets is to eliminate or mitigate vulnerabilities. Software patches are a good example of this: every single sendmail bug over the years has resulted in its developers distributing a patch that addresses that particular bug.

An even better example of mitigating software vulnerabilities is defensive coding. By running your source code through filters that parse, for say, improper bounds checking, you can help insure that your software isn't vulnerable to buffer-overflow attacks. This is far more useful than releasing the code without such checking and simply waiting for the bug reports to trickle back to you.

The defensive approach we tend to focus on the most (not that we should) is heading off attackers before they reach vulnerable systems. The most obvious example is firewalling; firewalls exist to stymie attackers. No firewall yet designed has any intelligence about specific vulnerabilities of the hosts it protects or of the value of data on those hosts. A firewall's function is to mediate all connections between trusted and untrusted hosts and minimize the number of attacks that succeed in reaching their intended targets.

Access control mechanisms such as username/password schemes, authentication tokens and smart cards also fall into this category since their purpose is to distinguish between trusted users and untrusted users (i.e., potential attackers). Note, however, that authentication mechanisms also can be used to mitigate specific vulnerabilities (e.g., using SecurID tokens to add a layer of authentication to a web application with inadequate access controls).

Good-bye for Now

And with that, I bid you adieu for the next couple of months. Due to the demands of a book on Linux security I'm writing for O'Reilly & Associates, the Paranoid Penguin temporarily will be covered by others. Have no fear; they'll maintain the high level of paranoia and vigilance you've come to expect here. See you again in the April 2001 issue.


Mick Bauer ( is a network security consultant in the Twin Cities area. He's been a Linux devotee since 1995 and an OpenBSD zealot since 1997, and enjoys getting these cutting-edge OSes to run on obsolete junk.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Practical Threat Analysis Latest Version - Jan 2008

Zeev Solomonic's picture

I would like to inform you that on January 2008 we released an updated version of Practical Threat Analysis (PTA) Professional Edition tool (1.54 - build 1204). The latest version includes usability enhancements which we hope will increase productivity when building large threat models via the data entry screens. In addition, as of build 1202, PTA Ptofessional can run on Windows Vista Ultimate 32 and 64 bit versions.

PTA Professional Edition is avalilable for free download - I invite you to review the latest version's new features and download the updated software from the following link:

You are also invited to have a look at the updated versions of the PTA for PCI DSS and ISO 27001 freeware security libraries that can be downloaded from the following url:

On this month we are celebrating the third year of the PTA Free Program initiative which enables students, academic researches and independent security consultants to use PTA free-of-charge for their professional missions. Let me take this opportunity to wish you success in your ongoing threat analysis projects and a continuing fruitful use of PTA. We are happy that the Practical Threat Analysis methodology and tool has been found productive by many thousands of professionals world-wide and became the de-facto standard for calculative risk assessment projects.

Feel free to introduce PTA to your professional colleagues and do not hesitate to contact us when the usage period is about to end - we will be happy to send you renewal keys !

Yours Sincerely,

Zeev Solomonik

R&D - PTA Technologies

PTA - Practical Threat Analysis quantitative method

Zeev's picture

Dear colleagues,

I would like to inform you that on November 19, 2005 we released an updated version of PTA Professional (1.51 - build 1190) with major usability improvements. The latest version supports the popular ROSI (Return On Security Investment) quantitative criterion for comparing security solutions.

You are invited to review the latest version's new features and download a free copy of the software from the following link:

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community.

I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
Chief Technology Officer
PTA Technologies

Practical threat analysis tool for software systems

Adi Amir's picture

I ran into and downloaded a version of PTA (Practical Threat Analysis) tool that implements a calculative threat modeling methodology. They have a free program for students and independent software developers.

The tool enhances Mick Bauer’s ideas. It calculates threats and countermeasures priorities and produces the most effective risk reduction policy which reflects changes in system assets and vulnerabilities. Countermeasures’ priorities are expressed as a function of the system’s assets values, degrees of damage, threats probabilities and degrees of mitigation provided by countermeasures to the threats.

I have found it very productive to explicitly define the contribution of each countermeasure to the mitigation of a threat. They also have a very productive feature that let me mark those countermeasures that are already implemented and see their quantitative affect on reducing the system risk.

I hope this may help someone

Adi Amir