Add this page to your book 
Remove this page from your book 
Manage book (
Help Threat modelling
With a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker, defenders can focus on what is most important to protect. It's systematic, and like penetration testing, a dance.
Low-hanging fruit
The over-familiar low hanging fruit, picked, washed and presented in a simplified yet beautiful structured attack.
Featuring the basics of hack to learn, as in …
De-anonymisation
De-anonymisation alias re-identification. More and more governments and industries depend on it. The adversaries, possible attack vectors, the attacks, threats, assistive technologies, the possible uses, and if and where possible, what we can do.
E2EE
Most E2EE systems are secure against only the weakest passive adversaries, breakable not by cryptanalysis of underlying cryptographic algorithms but by flawed system designs and security assumptions. Unencrypted metadata and …
Vulnerable endpoints
Unsecured endpoints are susceptible to infected applications, Man-in-the-Middle attacks, data exfiltration and leveraging and more.
Endpoints remain one of the primary attack targets.
Search engines
The least investigated threat model. We must be… increasingly on the alert to prevent “them” from taking over mineshaft space and knocking us out in superior numbers when we emerge! We must not allow …
Denial of service
A Denial of Service attack aims to exhaust the resources at the disposal of a server, most often the ones linked to the network. The phenomenon amplified terribly over the last few years.
Network attacks
Motivated by greed, industrial espionage, politics, terrorism, racism, and criminal pay-offs, network attacks are launched every hour of every day, and evolve at an astounding pace.
Access attacks
Understanding how authentication mechanisms work to verify the identity of a user, service, or application, in order to circumvent that particular mechanism, also gives clues for best defence.
Tools, methods, ways
With a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker, defenders can focus on what is most important to protect. It's systematic, and like penetration testing, a dance. Though pigeonholed into these stances, and though many assistive tools exist, the best results come from using all of them, ones own mind, and including experienced other perspectives.
Adversary-centric
Studying the history and past interactions of adversaries showing what they may take as their next move.
Quick and dirty
Identifying, enumerating, and prioritising potential threats from a hypothetical attacker's point of view for finding the low hanging fruit.
Asset-centric
Using attack trees and attack graphs for visually illustrating patterns and vulnerabilities by which an asset can be attacked.
Software-centric
Secure software is the result of security aware software development processes where security is built in. With security in mind …