Hi, folks. In this video I want to talk to you about something called a threat tree. Now here's the motivation behind this. If I were to ask you to tell me what you think the security issues are in some system, let's say we're walking in a data center together. It's your first day on the job, you're the security expert, and they want you to look at the data center and list out what you think all the issues are. That's a pretty typical sort of request that you might get. A lot of you I'm sure are kind of mulling over the possibility of a career in cyber security. [LAUGH] I would say there's probably a 50-50 shot that if you go into cyber, at some point you're going to be dragged into some situation and someone's going to say hey, what are the security issues here? You're the expert, tell me. It happens all the time.

What generally follows is a process that I call structured brainstorming. That's where you and a colleague, you go, well, there's a problem over here and problem over there and what else? A problem over here. And then as time progresses, you start running out of things that you can find. So you have problem, problem then problem then another problem. [LAUGH] Then you can't think of any more, so you say this is what we found. And it's this brainstorming that, in my mind, gives a lot of security assessments a bad reputation. Here's why. You have no idea if you got them all, [LAUGH] right? You don't know if you did. If you had three other smart people with you, then maybe you find more. So how does that methodology find issues? And, again, issues might be vulnerabilities, places for a fix, you get the point. It's this idea of trying, in an unstructured way, to come up with these brainstormed ideas of what you think the security issues are in a system.

That's a terrible way to do the engineering. It's not something that you see in any other branch of engineering. In other branches, you're building models, you're using quantitative methods to derive things.
You don't build a bridge by brainstorming. It doesn't work that way. So a technique that security engineers have come up with, it's admittedly not perfect, but it improves that structured brainstorming process somewhat. Here's the technique. The technique is called a threat tree, where what we try to do is categorize issues in a complete, or provably complete, manner for as many hierarchical decompositions as is possible.

So for example, if we were looking for potential threats to a system, would you agree, and you probably do, because I'm sure you saw in an earlier video we introduced the CIA model. So would you agree that if I said all possible threats are either confidentiality, integrity, availability. With the caveat, of course, that we said that in some cases fraud, set aside fraud, let's use the CIA model. We could say the first level of our threat tree is that the issues are either going to be confidentiality, integrity, or denial of service. Now if I can make that claim, then I can posit that that's complete, [LAUGH] right? I've got a complete understanding that they fall into three categories. Isn't that cool?

Now if I could do it again. If you said hm for each of those three, I could say, potentially, that if my assets are, say, hardware, software and information, well, then I've got three possibilities for the first three possibilities. So it's either confidentiality of hardware, software, info. Or it's integrity of hardware, software, info. Or it's denial of service to hardware, software, info. And now I've got nine categories of things that are much more specific, right? It's not this broad hey, what are the threats? And everybody brainstorms.

Now I've got some guidance, I can take it another level. Let's say I say maybe I'm looking for problems that involve insiders, outsiders, or a combined. So now I've got nine leaf nodes with three possibilities.
I now have 27 categories of things that guide me through a more structured process, like integrity threats to hardware by insiders. Okay, now I can do structured brainstorming on that. And maybe I can take it ten levels deep, and I maybe have 1000 nodes that I'm actually looking at. You decide, you're the engineer, and you figure out what makes sense. This is an improved way of trying to make sense of cyber security issues.

Look, cyber security is about lists and groups and sets and categories. That's what it's about. It's about coming up with a set of potential problems and then having solutions to those problems. That's what we do all the time. I'm sure a lot of you who maybe have dabbled a little bit in cyber hacking and so on and so forth, you understand the power of keeping track of vulnerabilities. And tracking lists and having categories of vulnerabilities and knowing what the different attributes are, what systems they apply to and how long they've been in place and which patches apply. It's a very taxonomy-oriented kind of discipline, this business of doing cyber security in a practical setting. So you can see how a threat tree can provide some hierarchical ordering and some structure through that decomposition to maintaining completeness as we try and keep track of issues on a system.

So think through that process, maybe for additional thinking as you go off and ponder this lecture. Try and think through how you might categorize virtually anything in your life, in terms of a stepwise decomposition where you maintain completeness as long as you possibly can. And then you can do some sort of brainstorming at the bottom. So I hope this has been a helpful introduction to one of the tools that we find very useful in doing system security engineering, thanks.
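
The three-level decomposition from the lecture, as an added example that is not part of the original talk: it enumerates the 27 leaf categories, rejects any finding that fits no leaf, and reports which leaves nobody has looked at yet. The `ThreatTree` class, the reviewed/unreviewed tracking and the sample findings are assumptions made for this illustration and go slightly beyond what the lecture describes.

```python
from collections import Counter
from itertools import product

# Levels named in the lecture; each level is claimed to be exhaustive.
LEVELS = {
    "threat": ["confidentiality", "integrity", "denial of service"],
    "asset": ["hardware", "software", "information"],
    "actor": ["insider", "outsider", "combined"],
}

class ThreatTree:
    """Hypothetical helper: one leaf per combination of categories."""

    def __init__(self, levels):
        self.levels = levels
        # None means "not reviewed yet"; a list (even empty) means "reviewed".
        self.leaves = {path: None for path in product(*levels.values())}

    def review(self, path, findings=()):
        """Record findings for a leaf; no findings means 'looked, found nothing'."""
        path = tuple(path)
        if path not in self.leaves:
            # A finding with no home shows the decomposition is not complete.
            raise ValueError(f"{path} fits no leaf category")
        self.leaves[path] = (self.leaves[path] or []) + list(findings)

    def unreviewed(self):
        """Leaves where brainstorming has not happened at all."""
        return [p for p, f in self.leaves.items() if f is None]

    def rollup(self, level):
        """Count findings per category at one level of the tree."""
        i = list(self.levels).index(level)
        counts = Counter()
        for path, findings in self.leaves.items():
            counts[path[i]] += len(findings or [])
        return dict(counts)

def demo():
    tree = ThreatTree(LEVELS)
    # Constructed sample findings for a data center walk-through.
    tree.review(("integrity", "hardware", "insider"),
                ["constructed: rack doors left unlocked"])
    tree.review(("denial of service", "hardware", "outsider"),
                ["constructed: single power feed with no backup"])
    tree.review(("confidentiality", "information", "insider"))  # nothing found
    return tree

if __name__ == "__main__":
    t = demo()
    print(len(t.leaves), "leaves,", len(t.unreviewed()), "not yet reviewed")
    print(t.rollup("threat"))
```

The list returned by `unreviewed()` is the answer to "did we get them all?" that plain brainstorming cannot give: every leaf still in it is a category nobody has examined.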