Identifying applicable threats is a good step to take before defining security controls your organisation should put in place. There are various techniques to help you with threat modelling but I wanted to give you some high-level pointers in this blog to get you started. Of course, all of these should be tailored to your specific business.
I find it useful to think about potential attacks as three broad categories:
1. Commoditised attacks. Usually not targeted and involve off-the-shelf-malware. Examples include:
- Ransomware (Maersk ransomware attack)
- Crypto mining (Hackers enlisted Tesla’s public cloud to mine cryptocurrency)
- Denial of service (Biggest-Ever DDoS Attack (1.35 Tbs) Hits Github Website)
2. Tailored attacks. As the name suggests, these are tailored and can vary in degree of sophistication. Examples include:
- Business email compromise (Online money transfer provider Xoom suffers multimillion-dollar fraud)
- Retail website breach (British Airways data breach)
- Data exfiltration (Private data of 500 million Marriott guests exposed in massive breach)
3. Accidental. Not every data breach is triggered by a malicious actor. Therefore, it is important to recognise that mistakes happen. Unfortunately sometimes they lead to undesired consequences, like the below:
- Human error (London Sexual Health Clinic Fined £180,000 for Data Breach)
- Insecure engineering practices (The NHS is blaming a coding error for 150,000 patients in England being involved in a data breach)
- Mishandling of data (Personal details of as many as 500 NHS doctors were exposed after an internal spreadsheet containing their details was published online)
Information security professionals can use the above examples in communications with their business stakeholders not to spread fear, but to present certain security challenges in context.
It’s often helpful to make it a bit more personal, defining specific threat actors, their target, motivation and impact on the business. Again, the below table serves as an example and can be used as a starting point for you define your own.
|Threat actor||Description||Motivation||Target||Impact on business|
|Organised crime||International hacking groups||Financial gain||Commercial data, personal data for identity fraud||Reputational damage, regulatory fines, loss of customer trust|
|Insider||Intentional or unintentional||Human error, grudge, financial gain||Intellectual property, commercial data||Destruction or alteration of information, theft of information, reputational damage, regulatory fines|
|Competitors||Espionage and sabotage||Competitive advantage||Intellectual property, commercial information||Disruption or destruction, theft of information, reputational damage, loss of customer|
|State-sponsored||Espionage||Political||Intellectual property, commercial data, personal data||Theft of information, reputational damage|
You can then use your understanding of assets and threats relevant to your company to identify security risks. For instance:
- Failure to comply with relevant regulation – revenue loss and reputational damage due to fines and unwanted media attention as a result of non-compliance with GDPR, PCI DSS, etc.
- Breach of personal data – regulatory fines, potential litigation and loss of customer trust due to accidental mishandling, external system compromise or insider threat leading to exposure of personal data of customers
- Disruption of operations – decreased productivity or inability to trade due to compromise of IT systems by malicious actor, denial of service attacks, sabotage or employee error
Again, feel free to use these as examples, but always tailor them based on what’s important you your business. It’s also worth remembering that this is not a one-off exercise. Tracking your assets, threats and risks should be part of your security management function and be incorporated in operational risk management and continuous improvement cycles.
This will allow you to demonstrate the value of security through pragmatic and prioritised security controls, focusing on protecting the most important assets, ensuring alignment to business strategy and embedding security into the business.