SearchSecurity.in: Can you outline common deficiencies that you have observed in the information security threat models used by Indian organizations?
In most Indian organizations, security threat models are not designed by the right people. Technically, these threat models should be designed by consultants and information security experts, which I don't see happening in India.
Several technical libraries provide threat modeling guidelines, but most organizations are not aware of such libraries. There is a cost involved in mitigating risks, which may not bring a similar return on investment. Hence organizations are apprehensive about making the required investments in
Threat modeling is related to your business objectives and aligning IT to business goals. When your business is IT-enabled and tries to develop applications, you need to ensure that the applications are threat-proof.
You also need to ensure proper risk assessment, risk management and risk mitigation. These are very effective when it comes to the protection of data assets.
Threat modeling is an engineering technique used to identify threats, attacks and vulnerabilities that affect applications. This activity helps in the identification of security objectives, information assets, relevant threats and relevant vulnerabilities.
After the identification process, you conduct a vulnerability assessment; all the assets need to be protected from internal as well as external threats. There are different methodologies for vulnerability testing, with several libraries available for reference. As part of the process, you define your assets and refer to the library to identify a suitable vulnerability test. Depending on this, you can perform identification of threats. By combining these two steps, you can discover the actual risk and categorize risk as per the relevance. Depending on the risk, you can take countermeasures to mitigate them.
These are the four major steps to mitigate risk. After this, you ensure that your applications have the best levels of security to protect confidential information.
There are three key questions to be kept in mind while designing a threat model:
a. What needs to be protected? A CIO should identify the assets that need protection and assign criticality ratings on the basis of what happens in case of a compromise.
b. Who or what should you protect the asset from? Understand the attack surface of your assets. Correspondingly, you should identify the threat agents.
c. How do you protect the asset? What are the controls that can be applied to mitigate the risk of each identified threat? Also, how will you continue to monitor, update and improve the threat model over time?
People often build very fanciful threat models because they are attracted to complexity and to constructing elaborate "what if" scenarios. Focus on the daily threats that can chip away at an organization, even if these are not very impressive and disastrous sounding on paper.SearchSecurity.in: How can you identify and address the vulnerabilities?
Vulnerabilities have to be identified on the basis of actual business risk. When taken in isolation, a single vulnerability is not important. This vulnerability becomes important only when it is coupled with its corresponding potential loss to the business.
Very often, only technical vulnerabilities are addressed, without the context of whether they actually affect the business. Time and money can be better spent by addressing vulnerabilities that are likely to occur and cause damage.SearchSecurity.in: What are the typical challenges involved in designing a threat model? How can these be overcome?
The biggest challenge is not misidentifying assets. Also, you should be creative enough to see the attack vectors. If you can correctly complete these two steps, the mitigating controls are comparatively easy to decide on.
As a tip, significant involvement of the assets' business owners is essential during the threat modeling process, since they know the problems best. It is also difficult to sell them security as a concept because they will see it as a hindrance. With good interpersonal skills, you can convince them that security actually enables the business, lowers risk, and allows them to perform better.