Threat Modeling as a Process: A traditional approach to modern IT problems PDF

Title	Threat Modeling as a Process: A traditional approach to modern IT problems
Author	Andreas Yfantidis
Pages	2
File Size	97.8 KB
File Type	PDF
Total Downloads	46
Total Views	839

Preview

CLICK TO PREVIEW PDF

Summary

Description

Threat Modeling as a Process: A traditional approach to modern IT problems Andreas Yfantidis, MSc E-mail: [email protected]

Abstract Threat modeling appears as a modern tool in the hands of Information Security experts, Systems administrators and IT professionals in order to address contemporary IT problems. As we can see, though, the process of Threat modelling is a relatively traditional approach, where several systems of assessment have been developed and moreover can be enriched with Data Analytics in order to offer better solutions for actors that are trying to secure their infrastructure from exposition to security events. Keywords: Incidents, Threat modelling, IT risk, IT governance

1. A short introduction The process of threat modeling has been described by many developers, security analysts and eventually by large software companies such as Microsoft™. In 1999, Microsoft™ introduced one of the most fundamental approaches for threat modeling called S.T.R.I.D.E, an acronym for 1) Spoofing, 2) Tampering, 3) Repudiation, 4) Information Disclosure (in the form of data leakage), 5) Denial of Service and 6) Elevation of Privilege. More methodologies were developed with slight differences in regards with the broader point of view and the focal point delineated by the objectives, such as P.A.S.T.A, Trike, DREAD, VAST, Attack Trees etc1,2.

Even if the term Threat modeling has been known as a structured approach to identify, assess and eliminate security threats and/or vulnerabilities of an Information Technology System for years, lately this term tends to become more and more used by cyber security analysts, penetration testers, system administrator and even IT risk analysts. As we claimed above, the approach has been known over the last three decades and threat models and threat modeling approaches that have been developed over the past years, are now coming back and act as a major tool for Information Security & Governance, IT auditing and Software – Cyber Security.

1

Myagmar, Suvda, Adam J. Lee, and William Yurcik. "Threat modeling as a basis for security requirements." Symposium on requirements engineering for information security (SREIS). Vol. 2005. 2005.

1

© Andreas Yfantidis

Andreas Yfantidis Most importantly a threat model should include:

and propose mitigations that may be able to tackle the issue.

1. An informative diagram of the system or even the systems that we are trying to assess and evaluate the model. 2.

Threat identification and categories

3.

Mitigations and controls

4.

Validation3

Nevertheless, and most importantly, threat modelling is becoming a necessity as in 2020, 80% of firms had seen an increase in cyberattacks while the financial damage related to cybercrime is expected to reach 6 trillion $ by the end of 20214.

Conclusion In conclusion, it’s more and more apparent why we need to embrace threat modelling and why major companies have begun offering it in the form of a service5. Most importantly we understand that a modern threat modelling approach needs to incorporate data analytics, as the emerging threats and the subsequent increasing needs for security are changing completely the landscape of Information Technology and Cyber Security.

2. Can we apply Data Analytics tools in threat modelling? Data Analytics tend to become one of the most important domains in regards with systematic analysis and indexation. Data analytics can be applied in a great variety of other domains, such as Finance, Insurance and more recently in Cyber Security and of course Threat Modelling. One of the most well-known and widespread tools in threat modelling that applies analytics for indexation is the Common Vulnerability Scoring System or CVSS. CVSS produces common scores for each specific system based on the threat in which it is exposed.

References [1] CISCO. (2021, February 1). What Is Threat Modeling? https://www.cisco.com/c/en/us/products/security/what-is-threatmodeling.htmlSurname A and Surname B 2009 Journal Name 23 544 [2] Lancaster, K. (2021, April 3). 10 Essential Facts About Cybercrime in 2020. ID Agent. https://www.idagent.com/10essential-facts-about-cybercrime-in-2020 [3] Myagmar, Suvda, Adam J. Lee, and William Yurcik. "Threat modeling as a basis for security requirements." Symposium on requirements engineering for information security (SREIS). Vol. 2005. 2005. [4] Simplilearn. (2021, March 11). What is Threat Modeling: Process and Methodologies. Simplilearn.Com. https://www.simplilearn.com/what-is-threat-modeling-article

As abovementioned regarding the available methods, an analyst can possibly apply a hybrid – mixed methodology that combines Attack trees, STRIDE and CVSS scoring, in order to highlight a broader picture of the threats posed to a system. Additionally, several threat models may combine a hypothesis development with specific system variables that can be evaluated with a scenario manager (what-if analysis). In terms of visualization, we can use simple graphs or even radar plots that show an informative view about the “Threat profile” of a company, an organization or even a body functioning in the public sector. It should be noted, though, that threat modelling can’t be a substitute for penetration testing, as threat modelling’s main target is to highlight possible structural and design deficiencies

4

Lancaster, K. (2021, April 3). 10 Essential Facts About Cybercrime in 2020. ID Agent. https://www.idagent.com/10essential-facts-about-cybercrime-in-2020

2

Simplilearn. (2021, March 11). What is Threat Modeling: Process and Methodologies. Simplilearn.Com. https://www.simplilearn.com/what-is-threat-modeling-article 3

5

CISCO. (2021, February 1). What Is Threat Modeling? https://www.cisco.com/c/en/us/products/security/what-isthreat-modeling.html

Ibid.

2...