What is threat modeling?
Simply put, threat modeling is a way of identifying potential threats, and understanding how you might prepare and respond to them. You may not realize it, but you probably do threat modeling every day in some form or fashion. Threat modeling can be applied to any number of situations – personal or professional.
Say you run into a convenience store to buy a snack and suddenly realize you left your car unlocked. You may quickly think about what valuables may be in the car. Is your laptop under the seat or out in the open? You may look around to see if there are other people nearby that might take a peek in your car. You’ll probably gauge how long you’ll be in the store. Based on this thought process, you’ll decide whether you need to return to the car and lock it or not. This is a type of threat modeling applied to a simple scenario.
Most people naturally weigh out risks and make decisions in their day to day personal lives. The same type of risk evaluations, decision making, and preparedness should apply to your business planning. Online security is a significant risk area, so when it comes to online security practices specifically, there are several questions you can ask to guide your business and IT teams through threat modeling.
Here are five questions you should ask and explore that will help you identify potential threats and determine the best protection solutions for you.
What do I have that is worth protecting?
In the convenience store example, it’s going to be easy to make a mental list of everything in your car. Your purse, laptop, phone or briefcase are tangible items that you often have with you. The valuable information you have online might not be quite so apparent. You should think carefully and make a list of everything of value that’s stored somewhere online. Your contact lists, emails, photos and other files are the obvious ones. But often you may be using systems that store passwords, credit card information, financial data and even your location. There is also likely information such as birthdates and employment history that may seem insignificant, but could be used by a clever identity thief. Beyond the security of your own personal data, you may work with or even store this type of personal information about your customers.
From whom do I need to protect the data?
Unfortunately, the list of people who might want to target your personal information is virtually endless. Not only are public hackers at work from every corner of the globe, but government-sponsored hacking is also on the rise. It’s important to consider, though, that these anonymous foreign attackers may not be your only threat. Former significant others, coworkers, or former employees could be potential adversaries. A college professor recently had his computer hacked by a student trying to change a grade.
How likely is it that someone will try to take data?
This is one of the key elements of the threat model, and it comes down to actual risk. Risk is the likelihood that a specific threat will actually occur. It’s important to distinguish between threats and risk. While a threat is something that could potentially happen, the risk is the probability that it will. There is always the threat of someone getting into your unlocked car, but the risk of someone actually doing it is higher in a crowded urban area than in a remote uninhabited one. Keeping this in mind, you need to decide which threats you are going to take seriously, and which ones are too rare or harmless to worry about. This sort of assessment is a subjective process since not everyone has the same priorities or perceives risk in the same way. One person may feel extremely vulnerable to unknown, far-off hackers, while another may believe the odds of their attack are too low to worry about.
What are the consequences if someone takes data?
There are many ways an attacker can impact you and your data if they’re able to access it. Someone could do something as passive as read your private communications or take more action by deleting or corrupting your data. Ransomware, the practice of holding data hostage for money, is becoming more and more commonplace. Like a risk assessment, determining consequences can be somewhat personal and subjective. You need to think about all the information that’s available, and the potential harm of it being taken and either exposed or destroyed.
How far am I willing to go to protect my data?
Your individual threat model really comes together as you answer this question. There are a wide variety of software, hardware and process solutions available that address different aspects of online security. Each of these come at a cost, however, and some of them can be quite high. You could spend up to $1,000 per month to setup and host your own, secure email server, but is that really necessary? It’s certainly not for most of us in our personal lives, but perhaps an international security consultant sending and receiving highly sensitive information believes that it is. You need to balance the potential threats, risk and impact you’ve identified and then determine what steps it makes sense to take in order to protect yourself or your business appropriately.
Keep in mind that as situations change, your threat model approach will need to adapt. As more of our information and activity moves online, the number of potential threats increase. Similarly, as new online scams emerge and vulnerabilities are exposed and exploited, your risk can go up. Fortunately, the technology and tools that we can use to protect is evolving, and in many cases becoming more available and affordable.