Laymen often believe that predicting and mitigating cyber threats is a job for a specialist. According to Adam Shostack, such belief is a vicious trap. In one of his widely acclaimed books, the industry expert explains why everyone, from developers and sysadmins to common folks, should know how to design for cybersecurity, and popularizes a very specific methodology called threat modelling.
Here’s what it means, how to do it, and what benefits to expect.
What Is Threat Modelling, Exactly?
Search Security defines threat modelling as a “procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of threats to the system”.
Shostack describes it in a similar fashion. In his own words, this practice is “something you can do while preparing to deploy or build a system to think about the threats associated with it”.
To rephrase it in even simpler terms, threat modelling is a way to strategically think about data or a system you need to protect, and about who or what you need to protect it from. This may include criminal acts like hacking, phishing, or scamming, or simply various types of system malfunctions.
Designing for Cybersecurity
Believing that threat modelling is a skill only specialists possess is not the only cybersecurity trap on Shostack’s list. The notorious “think like a criminal” is another one. Predicting what somebody might do to your system (as well as why, where, or how) is an effective approach, but only as long as it is structured. That’s why Shostack recommends STRIDE as a systematic way to threat model.
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, thus covering a wide range of possible threats. When you’re building a system, STRIDE can point out common dangers first, and then help you establish the necessary security measures. For every STRIDE threat, there is a standard defence mechanism that acts as its opposite: authentication counters spoofing, for example, and integrity protection counters tampering.
Still, STRIDE is only one way to look at threat modelling, and is in no way synonymous with the concept at large. What both of them have in common is a strategy, a.k.a. a model of thinking that allows you to predict, identify, mitigate, and validate threats in a systematic way. As such, they present a foolproof approach to eliminating cybersecurity risks, one that can be used by virtually any of us.
How to Threat Model Like a Pro
In order to help developers, Shostack established a shortlist of questions for them to keep in mind:
- What kind of a system are you building?
- What can you expect to go wrong?
- What measures are you going to take?
But we have to assume that you are not a developer yourself, in which case both STRIDE and Shostack’s list of questions mean very little to you. As we’ve mentioned time and time again, threat modelling is for everyone; here’s how to approach it as a layman without any expertise or experience.
The measures you’re going to take will depend on the nature of the predicted threat. Perhaps you suspect that somebody you know has unauthorized access to your email or Facebook account. In that scenario, you can defend your privacy by changing the password and adding additional layers of security.
But what if you have a vague feeling that somebody is actually spying on you? If you are a businessman, that can be a competitor. If not, well, there are always people and organizations that, in one way or another, may benefit from getting their fingers around your sensitive data.
Defining who, why, where, and how is exactly what threat modelling is for.
If you want to do it like a pro, start by answering these questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those consequences?
A Word to the Wise
Threat modelling is fairly easy, but it can be overdone. There’s always the issue of building a false sense of security too, which is why you need to find a balance between keeping yourself protected and making yourself paranoid. Assess the threat carefully, google to find out more about it, and establish a personal protocol for mitigating the risk. Anything more would be a waste of your time and effort.