Information security threat modeling is immature in India

By Yuga Chaudhari, Principal Correspondent, SearchSecurity.in
01 Oct 2009 | SearchSecurity.in


Threat modeling is the activity of identifying the threats, attack paths and vulnerabilities an application faces, so that its design can be made to meet defined security objectives. VL Mehta, director, MIEL e-Security Pvt Ltd., talks about the process of designing a threat model for an organization.

SearchSecurity.in: Can you outline common deficiencies that you have observed in the information security threat models used by Indian organizations?
VL Mehta: In most Indian organizations, security threat models are not designed by the right people. Technically, these threat models should be designed by consultants and information security experts, which I don't see happening in India.

Several technical libraries provide threat modeling guidelines, but most organizations are not aware of such libraries. There is a cost involved in mitigating risks, which may not bring a similar return on investment. Hence organizations are apprehensive about making the required investments in threat modeling processes.


SearchSecurity.in: What aspects should be kept in mind when designing an organization's threat model?
Mehta: Threat modeling is related to your business objectives and aligning IT to business goals. When your business is IT-enabled and tries to develop applications, you need to ensure that the applications are threat-proof.

You also need to ensure proper risk assessment, risk management and risk mitigation. These are very effective when it comes to the protection of data assets.

SearchSecurity.in: Can you detail the various steps involved in threat model design?
Mehta: Threat modeling is an engineering technique used to identify threats, attacks and vulnerabilities that affect applications. This activity helps in the identification of security objectives, information assets, relevant threats and relevant vulnerabilities.

After the identification process, you conduct a vulnerability assessment; all the assets need to be protected from internal as well as external threats. There are different methodologies for vulnerability testing, with several libraries available for reference. As part of the process, you define your assets and refer to the library to identify a suitable vulnerability test. Depending on this, you can perform identification of threats. By combining these two steps, you can discover the actual risk and categorize risk as per the relevance. Depending on the risk, you can take countermeasures to mitigate them.

These are the four major steps to mitigate risk. After this, you ensure that your applications have the best levels of security to protect confidential information.

There are three key questions to be kept in mind while designing a threat model:
a. What needs to be protected? A CIO should identify the assets that need protection and assign criticality ratings on the basis of what happens in case of a compromise.
b. Who or what should you protect the asset from? Understand the attack surface of your assets. Correspondingly, you should identify the threat agents.
c. How do you protect the asset? What are the controls that can be applied to mitigate the risk of each identified threat? Also, how will you continue to monitor, update and improve the threat model over time?

People often build very fanciful threat models because they are attracted to complexity and to constructing elaborate "what if" scenarios. Focus on the daily threats that can chip away at an organization, even if these are not very impressive and disastrous sounding on paper.


SearchSecurity.in: How can vulnerabilities be identified and addressed?
Mehta: Vulnerabilities have to be identified on the basis of actual business risk. When taken in isolation, a single vulnerability is not important. This vulnerability becomes important only when it is coupled with its corresponding potential loss to the business.

Very often, only technical vulnerabilities are addressed, without the context of whether they actually affect the business. Time and money can be better spent by addressing vulnerabilities that are likely to occur and cause damage.
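The four steps Mehta lists (identify assets and rate their criticality, identify the attack surface and threat agents, identify vulnerabilities, then combine the three into ranked risks and apply countermeasures), together with his point that a vulnerability only matters once it is coupled with a business loss, can be written down as a small risk register. The Python below is an added example written for this page, not code from the interview or from MIEL e-Security. The assets, threat agents, 1-to-5 scores and the "two points of likelihood" effect assigned to the single control are constructed illustrations; the scoring formula (criticality times residual likelihood times exploitability) is one simple choice, not a standard the interview prescribes.

```python
"""Minimal threat-model risk register (added example, not from the article).

Assets carry a criticality rating, threats say who attacks which asset over
which attack surface and how likely that is, and vulnerabilities describe a
weakness exposed on an asset through an attack surface. A risk entry exists
only where all three line up; a countermeasure lowers the likelihood of the
attack vector it covers, so re-running the ranking shows the residual risk.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1..5: business impact if the asset is compromised


@dataclass(frozen=True)
class Threat:
    agent: str       # who attacks (the threat agent)
    vector: str      # attack surface used to reach the asset
    asset: str       # asset the agent is after
    likelihood: int  # 1..5: how likely this agent is to try this vector


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    asset: str           # asset the weakness sits on
    vector: str          # attack surface it is exposed through
    exploitability: int  # 1..5: how easily the weakness can be used


@dataclass(frozen=True)
class Control:
    name: str
    vector: str                # attack surface the control covers
    likelihood_reduction: int  # points taken off threats using that vector


RiskEntry = Tuple[int, str, str, str]  # (score, asset, agent, vulnerability)


def rank_risks(assets, threats, vulns, controls=()) -> List[RiskEntry]:
    """Combine assets, threats and vulnerabilities into a ranked register."""
    by_name = {a.name: a for a in assets}
    reduction = {}
    for c in controls:
        reduction[c.vector] = reduction.get(c.vector, 0) + c.likelihood_reduction
    register = []
    for v in vulns:
        for t in threats:
            if t.asset != v.asset or t.vector != v.vector:
                continue  # no agent is positioned to use this weakness
            asset = by_name[v.asset]
            residual = max(1, t.likelihood - reduction.get(t.vector, 0))
            score = asset.criticality * residual * v.exploitability
            register.append((score, asset.name, t.agent, v.ident))
    register.sort(key=lambda e: (-e[0], e[1], e[3]))  # highest risk first
    return register


def orphan_vulnerabilities(vulns, register) -> List[str]:
    """Weaknesses no modeled threat can reach: findings with no business risk yet."""
    reached = {e[3] for e in register}
    return [v.ident for v in vulns if v.ident not in reached]


# Constructed sample data for illustration only.
ASSETS = [Asset("customer_db", 5), Asset("marketing_site", 2), Asset("dev_wiki", 1)]
THREATS = [
    Threat("external fraudster", "internet web app", "customer_db", 4),
    Threat("opportunistic scanner", "internet web app", "marketing_site", 5),
    Threat("disgruntled employee", "internal network", "customer_db", 2),
]
VULNS = [
    Vulnerability("SQLi in login form", "customer_db", "internet web app", 3),
    Vulnerability("outdated CMS plugin", "marketing_site", "internet web app", 5),
    Vulnerability("default DBA password", "customer_db", "internal network", 4),
    Vulnerability("shared wiki admin password", "dev_wiki", "internal network", 5),
]
CONTROLS = [Control("input validation + WAF", "internet web app", 2)]


if __name__ == "__main__":
    before = rank_risks(ASSETS, THREATS, VULNS)
    print("initial register:", before)
    print("no modeled threat reaches:", orphan_vulnerabilities(VULNS, before))
    print("after control:", rank_risks(ASSETS, THREATS, VULNS, CONTROLS))
```

Two things the paragraph alone does not show come out of the data: the CMS plugin, the most "exploitable" finding on paper, ranks below a harder-to-use SQL injection because the latter sits on the asset whose compromise hurts most, and the wiki password never enters the register at all because no threat agent in the model targets that asset over that surface. Applying the web-facing control re-orders the list and makes the insider path to the database the top residual risk, which is the "monitor, update and improve over time" step in practice.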


SearchSecurity.in: What are the typical challenges involved in designing a threat model? How can these be overcome?
Mehta: The biggest challenge is to avoid misidentifying assets. Also, you should be creative enough to see the attack vectors. If you can correctly complete these two steps, the mitigating controls are comparatively easy to decide on.

As a tip, significant involvement of the assets' business owners is essential during the threat modeling process, since they know the problems best. It is also difficult to sell them security as a concept because they will see it as a hindrance. With good interpersonal skills, you can convince them that security actually enables the business, lowers risk, and allows them to perform better.



All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy