In cyber security, it feels like at least once a week there’s a news story that gets people spun up in a panic. While there is no shortage of vulnerabilities and critical issues in the world, not everything applies to everyone. Hence, the importance of threat modeling.
If you’ve never done a threat modeling exercise, you should. At its most basic level, threat modeling asks you to think about ways that things could go wrong, work backwards to understand how your current controls would help, then identify your gaps. Threat modeling is one of the Swiss Army Knives of security, paying dividends over and over once you’ve gotten the hang of it.
So, what does this circus have to do with threat modeling? Frankly, it perfectly illustrates how, when you aren’t sure what you should be worried about, you worry about everything. Meteor strikes … a very real possibility, but I’m not worried about it. Just like I’m not worried about zombies yet. I’m also not worried that a nation-state will hack my home network. Why do I not worry about these things? Simple. I’ve thought through a threat model – nation-states, zombies and meteors are not at the top of my list of threats.
That isn’t to say the things above aren’t threats to me – it’s just that there are things I worry about that have a higher likelihood and a more direct impact (and they’re likely things I can do something about, unlike meteors). Make sense?
Let’s now apply this to our enterprise security roles. Do you ever find yourself trying to protect your organization from exotic attack scenarios that are highly unlikely or that would have minimal impact on you? Or are you focusing on the statistically likely ways you’ll be attacked and closing those gaps? Are you more concerned that someone will develop or exploit a zero-day against your CEO’s iPad, or that half of your company hasn’t received last month’s Windows patch set? Which is more likely, and more likely to cause you harm? These are things to consider.
Just for giggles – how do you know the difference? My friends, it’s impossible to protect and defend against everything bad that could happen. But you know that. So, the most important action you can take is to educate yourself and your teams about how to threat model to determine the things that are high-impact and high-likelihood. These are the ones we can do something about… the rest are just edge cases that we can have contingency plans for if they ever happen.
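To make the three steps concrete (think of what could go wrong, work backwards through the controls you already have, then find the gaps and rank them), here is a small threat register in Python. It is an added example, not code from the original post; the 1-to-5 scoring scales, the tolerance threshold, the sample threats and the control effectiveness numbers are all assumed for illustration and you would replace them with your own.

```python
from dataclasses import dataclass, field

# Assumed scoring scales for this example (not from the post): likelihood and
# impact are both 1 (rare / negligible) to 5 (near-certain / severe).
TOLERANCE = 6       # residual likelihood*impact at or above this needs action (assumed)
SEVERE_IMPACT = 4   # residual impact at or above this still deserves a contingency plan (assumed)


@dataclass
class Control:
    """An existing control and how many points it takes off likelihood or impact."""
    name: str
    reduces_likelihood: int = 0
    reduces_impact: int = 0


@dataclass
class Threat:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    actionable: bool = True   # False when nothing we do changes likelihood or impact

    def inherent_risk(self) -> int:
        """Risk before any control is considered."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """Likelihood and impact after working backwards through existing controls."""
        l = max(1, self.likelihood - sum(c.reduces_likelihood for c in self.controls))
        i = max(1, self.impact - sum(c.reduces_impact for c in self.controls))
        return l, i

    def residual_risk(self) -> int:
        l, i = self.residual()
        return l * i


def disposition(t: Threat) -> str:
    """Decide what the residual risk means for the team."""
    _, residual_impact = t.residual()
    if t.residual_risk() >= TOLERANCE and t.actionable:
        return "gap" if not t.controls else "mitigate"   # a gap is a threat with no control at all
    if residual_impact >= SEVERE_IMPACT:
        return "contingency"   # unlikely or out of our hands, but severe if it happens
    return "accept"


def rank(threats) -> list:
    """Highest residual risk first; ties broken by raw impact."""
    return sorted(threats, key=lambda t: (t.residual_risk(), t.impact), reverse=True)


def build_register() -> list:
    """Constructed sample register: the post's own examples plus one typical enterprise threat."""
    return [
        Threat("Meteor strike on the office", likelihood=1, impact=5, actionable=False),
        Threat("Nation-state targets my home network", likelihood=1, impact=3),
        Threat("Zero-day exploited against the CEO's iPad", likelihood=1, impact=4,
               controls=[Control("MDM with remote wipe", reduces_impact=1)]),
        Threat("Half the fleet missing last month's Windows patches", likelihood=4, impact=4,
               controls=[Control("EDR on endpoints", reduces_impact=1)]),
        Threat("Phishing for credentials, no MFA enforced", likelihood=4, impact=3),
    ]


def summarize(threats) -> list:
    """Ranked (name, residual_risk, disposition) rows, the output a review would act on."""
    return [(t.name, t.residual_risk(), disposition(t)) for t in rank(threats)]


if __name__ == "__main__":
    for name, risk, action in summarize(build_register()):
        print(f"{risk:>3}  {action:<12} {name}")
```

Run as a script it prints the register ranked by residual risk: the unpatched fleet and the phishing gap come out on top as the things to fix now, the meteor lands in the contingency bucket because nothing you do changes its likelihood, and the iPad zero-day and the nation-state scenario drop to accepted risk once existing controls and realistic likelihood are taken into account. The point of the exercise is the ordering and the labels, not the exact numbers; argue about the scores with your team and the model improves.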