Cybersecurity Threat Modelling Part 1:
Introduction to Risk & Asset Selection
This article was published on: May 7, 2019
Cybercrime is estimated to cost $6 trillion annually by 2021 and is said to be the greatest threat to every business in the world. To begin understanding this complex battle between security experts and cybercriminals it helps to develop and understand a basic Threat and Risk Model.
This is part 1: Introduction to Risk & Asset Selection
To start, it’s important to consider that “security” is the degree to which our assets (whether digital or otherwise) are resistant to threats from exploiters. To that end, the security controls we select are based on the type of threats and exploiters we may face. Security controls are systems and/or processes, such as firewalls, VPNs, and Operational Security (OPSec), meant to protect against threats and subvert exploiters. Threats are enabled by exploiters such as hackers and ex-employees, and they aim to exploit vulnerabilities in your security in order to impact your protected assets.
Risk is a key factor when determining the correct security measures against threats to your assets. Risk is the likelihood that a threat exploits a vulnerability in your security controls, combined with the consequences of that breach. Risk can be positive (opportunity) or negative, and can be modelled as follows.
You can think of determining your risk appetite by taking the probability of an overall negative impact and subtracting it from the probability of an overall benefit of taking the risk. The closer the result is to 1, the lower the risk and the higher the reward; inversely, the closer it is to -1, the higher the risk and the lower the reward. Security is a balance between usability and risk: typically, to lower risk you reduce usability. Security controls often get in the way of ease of use, so they should be chosen carefully to ensure they are fit for purpose without exceeding our appetite for risk.
Determining assets isn’t too difficult, but asset lists often have missing or overlooked elements. It is easily understood that items such as files, financial data, emails, and equipment are “assets”; in the security world, however, business processes, employee onboarding and offboarding, and corporate culture also fall under the assets category, as they too bring various risks and opportunities to your organization. All assets have security controls, possible vulnerabilities, and exploiters, and how you define your assets will depend on the entity you are trying to protect.
For example: if you are trying to secure a banking app, the login function of that app may be considered an asset, and that asset would have security controls such as well-written code that prevents SQL injection and cross-site scripting (XSS). Meanwhile, the sales and finance departments (as individual assets) would each have their own security controls unique to them, such as restricted access and delegation of authority to sales and financial systems. Alternatively, the process of handling employees who resign or are terminated can be considered an asset as well, with its own unique threats and exploiters. A basic security control to protect this asset (i.e. the process) is to remove or disable the access to resources (such as systems and facilities) that those employees once had. This protects the asset (the termination process) and reduces the risk that exploiters (e.g. disgruntled ex-employees) will take advantage of a lapse in the organization’s operational security, or that a hacker will access system resources using the identity of a staff member who is no longer employed.
It’s important to note here that while cybersecurity controls and threat modelling are clearly unique to each individual business, they become more granular still and are unique to each asset within an organization.
Oftentimes security controls are applied to differing degrees based on asset classification. For instance, business information and data classified as secret or sensitive will have different controls compared to data classified as internal-only or public. The level of granularity will depend on the entity being protected. There are multiple risk assessment frameworks; some of the popular ones are the ISO/IEC standards, SABSA Enterprise Security Architecture, and OWASP for application security.
Now that we’ve covered the fundamentals, we can move on to part 2 of the article: Threat Modelling and Risk Assessment.