Mar 18, 2015

Application Threat Modeling: The Imagination Gap

By Doug Bonderud

Cisco's annual security report, as highlighted on RCRWireless, indicates that new IT security threats are emerging. The highlights? "Snowshoe spam," which diffuses attacks over hundreds of IP addresses so as not to attract attention, is on the upswing, along with new web exploit kits such as those aimed at Microsoft Silverlight. In addition, "blended" attacks that exploit JavaScript and Flash vulnerabilities are becoming more popular and are difficult to detect. Traditional security measures are losing ground, but enterprises aren't entirely helpless. Application threat modeling offers ways to counter malicious attacks, but there's a catch: It requires imagination.

Everyday Threats

Humans are wired to threat model, and many do it on a daily basis: Is it safe to walk down a particular street at night, park cars in a certain neighborhood or have deliveries left on the front doorstep? By imagining threat scenarios and then calculating their impacts, it's possible to minimize risk while investing a minimum amount of time. The problem? Humans aren't always great at determining the likelihood of particular threats, especially those with emotional impact. For example, many people fear flying far more than driving, despite the fact that airplanes are significantly safer than cars. Shark attacks rarely occur, but they carry a strong emotional component that can make them seem more likely.

Companies experience the same problem. While imagination is required to design new threat models, the emotional impact from a data breach or loss of sensitive company information is often tied to high-profile news reports of vulnerabilities or code flaws. This drives enterprises to overinvest in traditional security measures, or underinvest if they're dealing with new technology. In a CSO Online article, author Tony Bradley recounts a story from Michael Howard, the principal consultant for cybersecurity with Microsoft. Howard had interviewed a grad student from a high-ranking university about a mobile technology project she was working on. When asked about potential security concerns, her response was that she hadn't thought about them — and didn't care. Or consider the frustration of InfoWorld's Roger A. Grimes, a security consultant who often suffers through the same discussion with clients: He asks them to predict their most likely threat vectors, and they ask for technology such as smart cards and advanced firewalls. Bottom line? A good imagination is required to effectively threat model, but enterprises must stay firmly grounded in reality.

Practical Imagination

The easiest way to think about application threat modeling is to break the concept into its component parts: risk and vulnerability. Risk must exist for a threat to develop, and it could take the form of sensitive data, server uptime or anything else of value that would have a serious and immediate impact if compromised. But risk alone is not enough — every enterprise has critical assets. To create a viable threat, a vulnerability such as poor coding, insecure third-party applications or lackluster internal access control must also exist. The key to threat modeling, therefore, is to look at the issue from both sides: What assets are at risk, and how could attackers potentially access them? With a healthy dose of imagination — rooted firmly in data, rather than emotion — and the support of advanced application security controls, it's possible to model attacker methods and create robust defenses.

Want better protection from malicious attackers? Use your imagination.

Further Reading:

Threat Modeling: Designing for Security by Adam Shostack, who is responsible for security development lifecycle (SDL) threat modeling at Microsoft.

Doug Bonderud is a freelance writer passionate about the evolution of technology and its impact on companies, stakeholders and end-users alike. Want to know more? Follow Doug on Twitter.