Threat modeling: A critical, yet underused, element of cybersecurity risk analysis
The staff at Motherboard recently updated its Guide to Not Getting Hacked to include more suggestions on how to avoid getting into digital hot water. Interestingly, threat modeling, a topic not often discussed, is brought up several times in the guide.
The Electronic Frontier Foundation (EFF) defines a threat model as follows (the EFF lists threat modeling as a synonym of threat model):
“A way of narrowly thinking about the sorts of protection you want for your data. It’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible attacks you plan to protect against is called threat modeling. Once you have a threat model, you can conduct a risk analysis.”
Put simply, threat modeling is a way to evaluate whether a person or an organization is likely to be hacked.
5 questions to consider when modeling threats
When modeling threats, the EFF advises that answering the following questions is a good place to start (the first question has been edited slightly).
What do I have that is worth protecting?
Who do I want to protect it from?
How likely is it that I will need to protect it?
How bad are the consequences if I fail?
How much trouble am I willing to go through to prevent these consequences?
Determining the type and extent of security measures is next—after who, what, and how have been worked out. The experts at EFF urge caution during this phase. Security is more than tools or software—it is an ongoing process using threat modeling to decide what is the right kind and right amount of security. On the EFF page about risk assessment: “In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it.”
Caution against overestimating and overreacting to perceived security threats
One might think that if a little of something helps, then more is better; the guide’s authors suggest otherwise, as overestimating and overreacting to the perceived threat landscape can be a problem. This is especially true if the security department deploys unneeded custom systems or overly complex hardware and software, and the technology is then used incorrectly.
From the guide: “At best, even simple tasks might take longer. In a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don’t need, while overlooking what actually matters to you and the actual threats you might be facing.”
Why threat modeling is scant for mobile devices
Mobile-device technologies are immensely popular and thus are fast becoming the target of choice for cybercriminals, whose success is evident. Yet threat modeling is seldom employed to help fend off the bad guys.
“With everyone I’ve ever worked with outside of Microsoft, no one’s done it [mobile-device threat modeling] until we’ve done it with them and taught them how to do it,” states Michael Howard, senior principal cybersecurity architect at Microsoft, in Christopher Null’s TechBeacon article. Howard adds that the problem is exacerbated because few if any threat models exist for mobile devices.
Howard adds, “Many people don’t model for threats because they don’t realize they can do it. Others mistakenly think they can wing it. Unfortunately, when you do it that way, 99 times out of 100 you get at least something wrong.”
In talking to Steve Manzuik, director of security research at Duo Security, Null believes another reason threat modeling is not used when determining how to best protect mobile devices is the intricacy of the process. “The complexity lies in the fact that a proper threat model relies on clear design documentation and a full understanding of how the application has been implemented,” says Manzuik. “In a fast-paced [mobile development] environment, this documentation—and even an understanding of the application—does not always exist.”
Threat modeling takes practice
The Motherboard guide suggests that we do not need to be experts when it comes to computer and network security, because the threats and the tools developed to address the threats are constantly changing. It is more important to start thinking about security risks and not be intimidated by the technology.
Null writes that threat modeling is a learned skill, adding, “The OWASP mobile security project threat model provides a great starting point, with an overview of best practices and methodologies such as STRIDE and DREAD.”
Middle Market CEO, CRO, CFO or Directors – Cyber Job Security Index
Why Cybersecurity Equals Job Security. Better manage your reputational and financial risk.
January 8, 2018 – Dallas, Texas and Atlanta, Georgia – Strategic enterprise risk management (ERM) expert and speaker Gary W. Patterson, FiscalDoctor®, points out that “It’s not if, but when, you’ll be attacked” in his article How Safe Is Your Business? Why Cybersecurity Equals Job Security for CEOs, CFOs and Others published by Corporate Compliance Insights (CCI) at http://www.corporatecomplianceinsights.com/how-safe-is-your-business/
Why C-suite jobs are now at risk and are actually being lost.
How organizations, not unlike yours, are silently and invisibly breached every day.
Which preventive steps you can implement.
Before you start spending any money on an external assessment of your cyber exposure, start with the Three-Minute Self-Scoring Review to suggest your Cyber Job Security category and the article’s accompanying 5-step remedy.
Who should consider applying this process, with applications for profitable growth, risk assessments and enterprise risk management (ERM) type issues, inside a value-based operational and strategic assessment framework?
Family business, private and public business and equity group investors
Corporate directors, key committee chairs and board chairs
Corporate officers and C-suite executives
Shareholders, stakeholders, regulators and legislators
SMB, middle market and global 2000
About Corporate Compliance Insights
Corporate Compliance Insights is a professionally designed and managed forum dedicated to online discussion and analysis of corporate compliance, risk assessment, ethics, audit and corporate governance topics. Additionally, Corporate Compliance Insights is a focused knowledge-sharing forum designed to educate and encourage informed interaction within the corporate compliance community – dealing with issues of ethics, audit, compliance, FCPA, governance, risk, fraud and GRC.
Corporate Compliance Insights was founded by Maurice Gilbert, managing partner of Conselium, a compliance-focused executive search firm. http://www.corporatecomplianceinsights.com
About Gary W. Patterson
Patterson, a Big 4 CPA / Stanford MBA, speaks regularly on business growth, accountability, facilitation, governance, risk management, achieving corporate financial goals, and building long-term wealth.
He can also help increase your profitability by providing access to 100 best-of-business experts, often better and cheaper than incumbents. Gary can be reached at 678-319-4739 or gary@FiscalDoctor.com.
© Gary W. Patterson. ###