
Think like an attacker

Johannesburg, 05 May 2008

If a company wants to determine how vulnerable its systems are to outside attack, it should put itself in the position of the attacker, using a technique known as threat modelling, says Naeem Seedat, PricewaterhouseCoopers advisory senior manager.

Seedat describes threat modelling as an information management technique that uses threat and attack scenarios to create a simulation of system security.

Threat modelling takes an outside-in approach, closely modelling the way in which potential attackers view an organisation. It allows a company to understand the different internal and external threats that could exploit assets such as its people, processes, resources and technology, says Seedat.

He believes threat modelling helps a business to quickly identify its security requirements, relevant threats and vulnerabilities, as well as possible controls and safeguards.

"Too many organisations attempt to blindly identify and eliminate vulnerabilities without considering the threats, the impact of a successful exploit or attack," explains Seedat. "Threat modelling allows you to take a risk-based approach to vulnerability management and ensures you spend money protecting what matters most to you."

A threat modelling exercise includes analysing the circumstances or events that could cause harm to a company. This allows it to simulate potential attack scenarios and determine which attack paths are critical, as well as which assets should be examined for vulnerabilities, he explains.

Threat modelling helps companies prioritise and focus attention on the right places within the organisation to identify people-, process- or technology-based vulnerabilities, he states.

Seedat emphasises that to understand and mitigate the threats to an organisation, it is essential for the company to create a dynamic "living" threat model that changes as its environment does. This capability will then help minimise any possibilities of financial and reputation loss, he concludes.
