Security professionals often focus their energy on purchasing the latest shiny security tool to protect them from cyber-attacks. While this might help with your immediate detection and prevention tactics, it is severely short-sighted when it comes to how you should be thinking about your security and privacy strategy.
Taking a risk-first approach, where you analyze what you need to protect and what the consequences are if you're unable to protect these assets, is a much more strategic and long-term approach to security. Once you have this mapped out you'll then be able to start looking for the right products to fill the holes and protect you against the threats that are relevant to your organization.
There are many ways to perform threat modeling, and there isn't a one-size-fits-all approach to rolling out a particular model. In this article we'll review a threat model from the Electronic Frontier Foundation (EFF) which I think will give you a better understanding of where to start and how to weigh your goals against your real threats.
The first question is what you want to protect. These are the assets you're trying to protect from attack, exposure or leakage: something important enough to you that you're willing to put defenses around it. This could be financial data, proprietary code, customer data such as PCI or PII data, a particular website, content that impacts brand reputation, etc.
The second question is who you want to protect it from. After you've determined what your assets are, you'll need to understand who you're trying to protect each asset from: hackers, malicious botnets, DDoS attacks, internal employees stealing data, hacktivists, etc. The list will continue to grow as you add more assets, but each adversary might pose more or less of a risk depending on the asset itself. This brings us to step 3.
The third question is how likely it is that you'll actually need to protect the asset. Just because there's a risk of attack against a particular asset doesn't mean that the attack is likely to occur. For example, it's possible that your site will be DDoS'd, but depending on the nature of your business this might not be likely. On the other hand, if you're hosting credit card or PII data, it's very possible hackers will attempt to compromise the systems housing this information. This is where you should start focusing your attention.
The fourth question is how bad the consequences are if you fail. When reviewing the risks of failing to protect an asset, it's important to consider what would happen if you did fail. Using the example of DDoS, if your site was hit by an attacker, could you fail over to another site, or leave the site offline? If you can leave a site offline, why worry about the threat? But if your business is no longer able to function with a site down, the consequences of failing to protect this asset are detrimental to your business. If hackers broke in and stole information on your network it's never good, but there's a difference between hackers stealing data that is of no immediate consequence and stealing customer credit card numbers, where there is no room for failure.
The fifth question is how much trouble you're willing to go through. Now that we know the asset, who to protect it from and the consequences of failing to protect it, we need to assess the effort and cost of implementing the proper defenses on the asset. It doesn't make a lot of sense to spend time and money protecting a low-value asset.
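As an added illustration, not from the article or the EFF, here is a small risk register in Python that applies the five questions above to rank threats and drop the ones not worth defending; the ordinal scales, sample assets and scores are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

# Constructed ordinal scales for the judgement calls the model asks for.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3, "expected": 4}
IMPACT = {"nuisance": 1, "recoverable": 2, "severe": 3, "existential": 4}


@dataclass
class Threat:
    asset: str          # what you want to protect
    adversary: str      # who you want to protect it from
    likelihood: str     # how likely is it that you'll need to protect it
    impact: str         # how bad are the consequences if you fail
    defense_cost: int   # effort/cost of the defense, on the same 1-4 scale

    def risk(self) -> int:
        """Likelihood times consequence, the usual risk-first ranking."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def worth_defending(self) -> bool:
        """Spend effort only where the risk outweighs the cost of the control."""
        return self.risk() > self.defense_cost


def prioritize(threats):
    """Return the threats worth defending, highest risk first."""
    return sorted((t for t in threats if t.worth_defending()),
                  key=lambda t: t.risk(), reverse=True)


# Constructed sample register (hypothetical assets and scores).
SAMPLE_THREATS = [
    Threat("cardholder data (PCI)", "external attackers", "likely", "existential", 3),
    Threat("marketing website", "DDoS botnet", "possible", "nuisance", 2),
    Threat("customer PII", "insider exfiltration", "possible", "severe", 2),
    Threat("internal wiki", "hacktivists", "rare", "recoverable", 3),
]

if __name__ == "__main__":
    # The marketing site (can be left offline) and the wiki drop out;
    # cardholder data and PII remain, ranked by risk.
    for t in prioritize(SAMPLE_THREATS):
        print(f"risk={t.risk():>2}  {t.asset} <- {t.adversary}")
```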
Once you've completed the first run-through of a threat assessment ("completed" is a loaded word here, since you're never really done), you should have a framework that gives you a better understanding of what you're trying to accomplish with your security program and how to evaluate new systems and data as they are architected into your enterprise.