The first article in a new series on how to create Threat Modeling Templates for Microsoft Threat Modeling Tool 2016. It shows how to create a new Template.


A new version of the Threats Manager is out!

It is not complete yet: I have planned some features to be there, but they are not ready yet. Nevertheless, I decided to publish this new version because it includes a much needed feature: the ability to show the priority of each Threat Type, to guide you in mitigating the most severe issues first.

Even if the new version is not complete and does not contain everything I want to put in, if you are using the Threats Manager I recommend that you install it.

As usual, the installation can be performed in-place.

Threats Manager v1.5 BETA can be downloaded from here.

Two-Factor Authentication is a way to authenticate a user with an application. The name derives from the adoption of two of the three different types of authentication factors, that is, something you know (like a password), something you have (like a phone) or something you are (like your fingerprint or retina map).

In the old days, it was common to rely only on password-based protection, but passwords have demonstrated multiple drawbacks: first of all, good passwords tend to be difficult to remember; typical passwords tend to be reused across different services, therefore multiple services are compromised after the first compromise; finally, passwords tend to be related to culture, meaning that people who share the same culture will choose similar passwords. All those pitfalls are well known to attackers, who rely on them for performing massive attacks on passwords.

Nowadays, passwords are considered insecure and therefore they should not be used as the one and only authentication method, except for the least important services. Many Security Experts are declaring that passwords have lost most if not all of their usefulness, and that they should be replaced with something else, soon.

A better solution than using passwords alone is to combine them with another authentication factor. The easiest and most common ones are based on something you have, and what is more common than the cellphone? At the very least, that means SMS: this is the reason why one of the first ways to do two-factor authentication was by using SMS.

Well, even that must be considered something of the past: very recently, the NIST (the U.S. National Institute of Standards and Technology) has declared SMS to be insecure (see:

What to use, then? The various hardware Tokens are mostly safe, even if some attacks have been registered in the past (see:–securid-customers-may-be-vulnerable.html). Another option is to use one of the various Apps that are so common nowadays, something like Google Authenticator or the Microsoft Account App. These are a good choice provided that they are implemented securely, that the phone is secure (that is, not rooted or jailbroken), that updates are installed regularly and that both the O.S. and the App are updated regularly by their developers or makers. On some platforms, not every device is treated the same: some receive updates fast and others would not receive them at all!

So, there are many factors that impact the security of an authentication solution, but really the most important factor you should consider is: how much risk are you willing to accept? Even the worst authentication solution has its place in some very specific implementation, if whoever uses it accepts the risk knowingly.

For the moment, this is enough, but the analysis of the various authentication methods could be a good topic for another article.


A new version of the Threats Manager has just been released. It addresses some bugs and introduces some usage improvements.
You can see the complete list of the fixes and download the archive from here.


What is the last thing that you have broken just to verify if it could have been broken? A phone? A car, perhaps? Or the new TV set of your neighbor?

Well, breaking things is definitely not something that people normally do. Incidents happen, surely, but good people simply do not break things for the thrill of doing it.

Good people do not do that, but bad people definitely do. They break things not only because it can be done, but because much can be gained in the process.

So, intentions are really important: are you breaking things to obtain unwarranted advantages, or are you doing it to help those who make those things improve how they are built? The first are simply robbers, while the second are doing a service to all of us, makers and users alike.

In software security, we refer to the good “breakers” as White Hat hackers, while the bad “breakers” are Black Hat hackers. And yes, you guessed well: there are Gray Hat hackers too.

This is a very simplistic description of the world of hacking. You can find various types of hackers everywhere: for example, do you recall that time when, as a boy or a girl, you opened a toy to understand how it worked? Well, you were a hacker without knowing anything about it!

Now, I think that clearly White Hat hacking is a good thing for everyone if done ethically, and for that reason it should be encouraged. It is not easy to be a White Hat hacker: it requires both a broad and deep knowledge of technology, processes and of human behavior.

If White Hat hackers did not do their job, applications and systems would remain unprotected and Black Hat hackers would have much easier access to your data.

That said, why would someone want to punish White Hat hackers?

The big surprise I hinted at the end of my Restarting article is out!

It is a new tool, which complements the workflow of Microsoft Threat Modeling Tool 2016, by providing features specifically designed to optimize the Mitigation experience.

The improvements in efficiency can be really huge, depending on the complexity of the model (the higher the better!), on the template and on the maturity of the organization: an estimate made with the standard template suggests it is possible to optimize by 60% or more!

I have done everything I could to provide you with the best possible solution, given my limited resources: this is a project I have developed in my spare time. So, please, any constructive feedback would be much appreciated.

The details have been collected in a specific page, called The Threats Manager Tool, which can also be accessed from the menu at the top of my Blog site.

And the best thing is… that it is entirely free!


It is very interesting to understand how attackers work, and sometimes it is also scary to see how unprepared we are. This is an unbalanced war, which we are losing.

Ransomware is on the rise, and it is more and more dangerous. But it is not the only problem. Many of my customers are totally unprepared, yet they say that they have not been compromised in the past, except for a couple of well known incidents. No wonder, considering that their detection controls are in some cases totally ineffective.

Sometimes customers have no clue where their assets are or how they can be exploited. The most absurd thing to see is that many organizations have VIPs who are not tolerant of the limitations imposed for Security reasons, and who have the power to require exemptions: as a result, sometimes those who have the highest value for an organization are the least protected!

Attackers already know all this and understand your business better than you do. They are going to find your weakest spots and hit them, hard. Many are unable to see that coming, let alone respond properly.

FireEye’s incident response business further reports the mean “dwell time” for breaches in EMEA is 469 days, versus 146 globally.

In other words, in EMEA the time an attacker on average remains undetected in a victim’s system is more than 3 times higher than the World average!

We have to change this, and soon, and it all starts with adopting a more active stance toward Security. It is not a cost: it is a necessity!

David Ferbrache from KPMG describes the situation very well, and SC Magazine has an article about it that can be both alarming and illuminating: