Sunday 3 November 2019

Threat Analysis Template Speadsheet - Free

The world out there is complex. All too often, things are made very complicated - sometimes for very good reasons, but sometimes it feels like the twisty little passages are there because some people just like having lots of twisty little passages...

In a probably vain attempt to try to reduce the entropy of the universe, here's a quick and simple attempt to produce something which I have searched for and failed to find on the Interweb: a simple Threat Analysis Template spreadsheet that isn't tied to a vast workflow and methodology where you need ample supplies of commitment, time and resources. Instead, there's a single page with 8 steps, a cut-down ranking system (1-4, where you can usually ignore 1 and 2), and some built-in guidance as to what you need to do at each of the steps, with examples.


This isn't intended as a replacement for Microsoft's excellent SDLC, or ETSI's amazingly detailed TVRA, or the <insert appropriate adjective here> OWASP Application Threat Modelling (ATM) (or any other approach!) - it's a quick and dirty, simple and easy-to-use, 'get you started' starter example intended to at least get you walking along the yellow brick road, with no Toto or other companion required (and stumbling, crawling, or indeed, most other methods of progress-making along a path are all okay as well!). Moving to any more sophisticated methodology ought to be reasonably straight-froward from this initial point, when and if you want to move onwards and upwards.

To use it, you will need to gather relevant experts, make sure that their bosses are not in the room, and display the spreadsheet on a projector or a shared piece of paper (A3 is good!). Then just work from left to right, thinking about the topic. First identify the 'Asset' that you are protecting, and assigning a ranking number (1-4) as appropriate - in this case you are answering the question: how important is the Asset? Then take the highest ranked Assets, and get the experts to think about how someone might steal them, stop them working, break them, get them to do something they weren't meant to do, etc. When the experts come up with a way (and they may well do so!) for something bad to happen to that precious Asset, then assign that a ranking number as well, and look at the ranking numbers: if the Asset is ranked 1 or 2, and the Threat is 1 or 2 (that's a 'low value' Asset and a 'not very worrying' Threat) then you probably don't need to do anything else, but if you get 3s or 4s then you need to move across to the right and start describing what the vulnerability is that makes the Threat viable...  And so on across the spreadsheet columns.

Probably the most important column is the last one, where you assign Actions to people to do something about the Threat(s) that have been identified. The best way to get things to happen is to make sure that people know what they have to do, when they have to have finished, and to know that someone will chase them up about it if they haven't bothered to do anything about it. You may be able to figure out a number of motivational techniques to encourage completion.

Getting the spreadsheet template.


You can get the spreadsheet here. There's a 'download' icon disguised as a tray with an arrow pointing down into it (at the top right hand side of the screen), that you need to click on, and then things will happen with your electronic digital calculating thingy box.

Download the Spreadsheet

Did I mention that the spreadsheet is free?

---

Here's a link to click on if you find my writing informative, useful, or even mildly amusing in places:







NULLCON 12, Berlin, April 2022

Here's the badge that I designed for the NULLCON 2022 Berlin security conference (and highly recommended training!).  The NULLCON 2022 b...