threat_modelling [2019/08/06 17:36] – neil | threat_modelling [2021/10/15 10:25] (current) – neil
Line 1: Line 1:
-=====Threat modelling: identification and prioritisation=====+=====Threat modelling: risk identification and prioritisation=====
 This section sets out a basic approach for contemplating cybersecurity. This section sets out a basic approach for contemplating cybersecurity.
  
 The aim is to stop you from running out and buying whatever product some shiny suited salesperson might be promoting, but rather to think about your security needs holistically, so that you spend your time, money and effort where you can get the best results. The aim is to stop you from running out and buying whatever product some shiny suited salesperson might be promoting, but rather to think about your security needs holistically, so that you spend your time, money and effort where you can get the best results.
-  * What threats you face and from whom 
-  * Determine the countermeasures available 
-  * Identify your priorities 
-  * Implement 
  
-You’ll sometimes see this described as “threat modelling” or "risk scenario".+You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario".
  
-====Why do you care?==== +If you are still no wiser about where you should start, try the UK National Cyber Security Centre's [[https://www.ncsc.gov.uk/cyberaware/actionplan|Cyber Security Self-Assessment Tool]]. 
-The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand what are the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future.+ 
 +====Key points ==== 
 +  * [[threat_modelling#What are you trying to protect?|What are you trying to protect?]] 
 +  * [[threat_modelling#Create an information asset register|Create an information asset register]] 
 +  * [[threat_modelling#Who is your threat?|Who is your threat?]] 
 +  * [[threat_modelling#How are you vulnerable?|How are you vulnerable?]] 
 +  * [[threat_modelling#Prioritise your response|Prioritise your response]] 
 +  * [[threat_modelling#Write it down|Write it down]] 
 +  * [[threat_modelling#Make this a regular thing|Make this a regular thing]] 
 + 
 +====What are you trying to protect?==== 
 +The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future.
  
 Let’s consider some different examples. Let’s consider some different examples.
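Review bot: the heading renamed from "Why do you care?" to "What are you trying to protect?" no longer matches the paragraph beneath it, which still explains why you run the exercise ("without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need") rather than which assets are at stake; the asset question is actually answered by the new "Create an information asset register" section below. Either keep a short "Why do you care?" paragraph under its own heading or rewrite this paragraph so it opens with the assets being protected. Note also that deleting the four-step outline removes the "Implement" step, so the new key points list runs from identification through prioritising and reviewing without any step for putting the chosen countermeasures in place.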
Line 20: Line 27:
 If you are working on litigation against a government, might that government have an interest in trying to understand your case before it is formally presented? One would hope not, of course. If you are working on litigation against a government, might that government have an interest in trying to understand your case before it is formally presented? One would hope not, of course.
  
-Could you simply be the weak link in the chain, which someone wants to break to gain access to the information which you hold? Some useful insider information which might affect share price, for example, or designs for a new or improved product? +Could you simply be the weak link in the chain, which someone wants to break to gain access to the information which you hold? Some useful insider information which might affect share price, for example, or designs for a new or improved product? 
  
 Do you hold information about someone which might be valuable from the perspective of blackmail? Or of interest to the media? Do you hold information about someone which might be valuable from the perspective of blackmail? Or of interest to the media?
Line 27: Line 34:
 Or could it be that the information you hold about a client might be useful in some other attack – someone wanting to get into the client, to exploit what information they have, and getting names and addresses and contact details from you is an easy way to do that? Or could it be that the information you hold about a client might be useful in some other attack – someone wanting to get into the client, to exploit what information they have, and getting names and addresses and contact details from you is an easy way to do that?
  
-Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, expert legal advice? Threats might be more casual — someone reading over your shoulder on a train, for example, or listening in on a phone call you are having in a public place.+Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, expert legal advice? Threats to this might be more casual — someone reading over your shoulder on a train, for example, or listening in on a phone call you are having in a public place. 
 + 
 +====Create an information asset register ==== 
 + 
 +In a spreadsheet, list every device and service you have which stores data — computers, phones, external hard drives, USB keys, servers, online services, and potentially even printers and scanners. 
 + 
 +Against each device and service: 
 +  * identify what data might be stored on it 
 +  * state who is permitted to access it 
 +  * describe the risks that it might face (for example, that you might lose your computer, leading to someone else getting access to the data on it, and you being unable to work on client files because the only copy is on the computer) 
 +  * describe the security measures currently in place to protect against those risks 
 +  * if relevant, state who is responsible for keeping it updated and ensuring it is wiped or destroyed properly at the end of its life 
 + 
 +Keep this up to date, amending it as you add and remove devices from your firm. 
  
 ====Who is your threat?==== ====Who is your threat?====
-Is your attacker motivated, and focussed on you? Do they have lots of resources at their disposal? If so, chances are you are going to need quite substantial security measures.+Is your attacker motivated, and focussed on you? Do they have lots of resources at their disposal? If so, chances are you are going to need substantial security measures, and probably professional assistance.
  
-Perhaps you are just of passing interest and that, if you have “good enough” security, the attacker will simply find another target — a less secure law firm, more vulnerable to their attack, for instance.+Perhaps you are just of passing interest and, if you have “good enough” security, the attacker will simply find another target — a less secure law firm, more vulnerable to their attack, for instance.
  
 Perhaps it is not even an “attacker”, but rather a fellow commuter, or someone else present in the place you are working. What about private companies tracking what you do online? Are you happy if the operator of your favourite coffee shop’s Wi-Fi network is keeping an eye on what cases or statutes you are researching, or sites you visit, or even your communications with clients? Perhaps it is not even an “attacker”, but rather a fellow commuter, or someone else present in the place you are working. What about private companies tracking what you do online? Are you happy if the operator of your favourite coffee shop’s Wi-Fi network is keeping an eye on what cases or statutes you are researching, or sites you visit, or even your communications with clients?
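Review bot: the new asset register records what data each device or service holds, who may access it, the risks, the current measures and an owner, but no sensitivity rating for the data, which the prioritisation section later relies on ("some security controls are appropriate for highly confidential information"). Add a column for how confidential the data is (privileged client material, personal data, public) and one for where backup copies live, since the worked risk example ("the only copy is on the computer") can only be assessed if the register shows whether another copy exists. Also extend "amending it as you add and remove devices from your firm" to cover online services, which the list above includes.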
Line 39: Line 60:
 Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable.  Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable. 
  
-Other pages discuss different areas in which a lawyer or a law firm might be open to attack, and give some examples of mitigations and defences.+You might find the European Union Agency for Cybersecurity's [[https://etl.enisa.europa.eu/#/|threat report]] to be useful in identifying key threats.
  
-When you’ve got a list of risks and potential mitigations, you can then prioritise and start to implement. +====Prioritise your response====
- +
-====Prioritising your response====+
  
 Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them. Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them.
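Review bot: replacing the pointer to the other pages on this wiki with the ENISA threat landscape link drops the only reference to where the mitigations and defences are described, and with it the sentence that tied the list of risks and mitigations to the prioritisation step. The ENISA report catalogues threats across Europe; it does not tell a reader how their own firm is vulnerable, so the section now carries the heading "How are you vulnerable?" with nothing on assessing one's own exposure. Suggest keeping the internal cross-reference and the bridging sentence alongside the external link.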
Line 51: Line 70:
 Something which is likely to be exploited, and which would cause a high level of harm, is a greater priority than something either unlikely to happen, or which is unlikely to cause much harm if it did happen. Something which is likely to be exploited, and which would cause a high level of harm, is a greater priority than something either unlikely to happen, or which is unlikely to cause much harm if it did happen.
  
 +Bear in mind that some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience. There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
  
-====Writing it down====+ 
 + 
 +====Write it down====
 You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things.  You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things. 
  
-====Repeating this exercise==== +====Make this a regular thing==== 
-You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently. +You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently, depending on the likelihood of a risk arising, and the severity of the impact if it did
  
 If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that. If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that.
 +
 +If you have a compliance calendar, to help you meet your numerous regulatory obligations, make perhaps a quarterly or half-yearly action to review your risk categorisation, and your security measures.
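Review bot: the revised "Make this a regular thing" section now gives three overlapping cadence rules: review frequency "depending on the likelihood of a risk arising, and the severity of the impact", then "even more often" for a higher risk category, then a quarterly or half-yearly compliance-calendar action. Consolidate these into one statement (for example: at least yearly, more often for higher-risk firms, scheduled through the compliance calendar) and add the missing full stop after "the severity of the impact if it did". In the new proportionality paragraph, "some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information" reads circularly; the intended point is that controls suited to highly confidential material can be disproportionate for less sensitive material, and saying so directly lets the following sentence about making it harder for the client to work with you follow naturally.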
threat_modelling.1565112984.txt.gz · Last modified: 2021/07/06 09:26 (external edit)