A threat is defined as “a person or thing likely to cause damage or danger.” Threats are all around us, but we shouldn’t treat all threats as equal. Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.
Threats and vulnerabilities are both part of the overall risk equation. While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape. We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.” I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access. It shouldn’t be assumed that a small target means it can’t be hit.
All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence. In CSOOnline (http://www.csoonline.com/), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.
Adam Shostack is also calling for increased threat awareness. In his book coming out on Feb 17 called, “Threat Modeling: Designing for Security” he explores various threat modeling approaches, explains how to test system designs against threats, and learn effective ways to address threats that have been validated at many top companies.
What does this mean for you? As security professionals, we conduct threat modeling throughout our career. That’s why we take the time to study threat modeling and apply it.