threat_modelling
Differences
threat_modelling [2019/08/09 11:29] – neil | threat_modelling [2019/08/09 19:18] – neil | ||
Line 3: | Line 3: | ||
The aim is to stop you from running out and buying whatever product some shiny suited salesperson might be promoting, but rather to think about your security needs holistically, | The aim is to stop you from running out and buying whatever product some shiny suited salesperson might be promoting, but rather to think about your security needs holistically, | ||
- | * What threats you face and from whom | ||
- | * Determine the countermeasures available | ||
- | * Identify your priorities | ||
- | * Implement | ||
You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | ||
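Review bot: the four-step list (what threats you face and from whom, determine the countermeasures available, identify your priorities, implement) is removed on the new side, yet the lead sentence retained on both sides still ends with "holistically," as though introducing that list. Either keep the list, which is also the only place on this page that spells out the procedure the rest of the sections follow, or close the sentence so it stands on its own.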
Line 20: | Line 16: | ||
====What are trying to protect? | ====What are trying to protect? | ||
- | The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand | + | The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. |
Let’s consider some different examples. | Let’s consider some different examples. | ||
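Review bot: the heading "What are trying to protect?" is missing "you" on both sides; it should read "What are you trying to protect?". The completed sentence on the new side is also easier to follow if split: "... you'll need to understand the greatest threats you face, and so which deserve the greatest attention. Other measures are 'nice to haves' that could be done at some point in the future."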
Line 29: | Line 25: | ||
If you are working on litigation against a government, might that government have an interest in trying to understand your case before it is formally presented? One would hope not, of course. | If you are working on litigation against a government, might that government have an interest in trying to understand your case before it is formally presented? One would hope not, of course. | ||
- | Could you simply be the weak link in the chain, which someone wants to break to gain access to the information which you hold? Some useful insider information which might affect share price, for example, or designs for a new or improved product? | + | Could you simply be the weak link in the chain, which someone wants to break to gain access to the information which you hold? Some useful insider information which might affect |
Do you hold information about someone which might be valuable from the perspective of blackmail? Or of interest to the media? | Do you hold information about someone which might be valuable from the perspective of blackmail? Or of interest to the media? | ||
Line 36: | Line 32: | ||
Or could it be that the information you hold about a client might be useful in some other attack – someone wanting to get into the client, to exploit what information they have, and getting names and addresses and contact details from you is an easy way to do that? | Or could it be that the information you hold about a client might be useful in some other attack – someone wanting to get into the client, to exploit what information they have, and getting names and addresses and contact details from you is an easy way to do that? | ||
- | Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, | + | Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, |
====Create an information asset register ==== | ====Create an information asset register ==== | ||
Line 53: | Line 49: | ||
====Who is your threat?==== | ====Who is your threat?==== | ||
- | Is your attacker motivated, and focussed on you? Do they have lots of resources at their disposal? If so, chances are you are going to need quite substantial security measures. | + | Is your attacker motivated, and focussed on you? Do they have lots of resources at their disposal? If so, chances are you are going to need substantial security measures, and probably professional assistance. |
- | Perhaps you are just of passing interest and that, if you have “good enough” security, the attacker will simply find another target — a less secure law firm, more vulnerable to their attack, for instance. | + | Perhaps you are just of passing interest and, if you have “good enough” security, the attacker will simply find another target — a less secure law firm, more vulnerable to their attack, for instance. |
Perhaps it is not even an “attacker”, | Perhaps it is not even an “attacker”, |
threat_modelling.txt · Last modified: 2021/10/15 10:25 by neil