David is a freelance writer specializing in technology. He holds a BA in communication.
Threat Modeling: Process, Tools & Example
What is threat modeling?
Security might be a nebulous topic, but you can make your business more secure by anticipating the kinds of threats you might face. You could deal with natural disasters, hackers, even rogue employees. A little time spent on prevention can be worth more than a pound of cure.
What kinds of threats?
Everyone, ranging from self-employed professionals to enterprise companies, will have to deal with some kind of security threat. For the purposes of this lesson, we'll define a threat as something that will prevent a user from accessing some kind of asset, namely important data. Threat modeling is the process of identifying assets that you want to protect from threats.
The threats vary from person to person. The biggest risk a person using a laptop faces is someone stealing it, while a company running a web app will mainly have to worry about hackers breaking in from the outside.
Threat definitions
The Electronic Frontier Foundation has an excellent set of questions that everyone should ask themselves when defining threats:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
Protecting Assets
Ultimately, threat modeling is about figuring out what you want to protect. The actions that you'll take to protect your assets will flow from this decision.
Let's take one example of how threat modeling might be used in practice. FaceSpace is a social media network that wants to make sure its security is up to par, so its security team is conducting a threat model on its entire infrastructure.
A social media service's biggest assets will be its user base, messages, photos, among other things. A lot of this information is sensitive, so the company will go to great lengths to keep it safe while balancing that against the need to be available to users.
Strategies Against External Threats
Most of the company's threats will be external: mainly hackers exploiting weaknesses in its software. The company will spend most of its efforts making sure that all of the inputs are handled properly, lessening the possibility of a buffer overflow or SQL injection attack.
Since the company's application is database-driven, they'll also have to vet their database and database administrators very carefully. Ideally, administrators will have the minimum permissions necessary to doing their job. They won't be able to access or make changes to the entire database.
Modern web applications have all sorts of components that work together and all have their own threats, so security professionals will have to analyze all these components together to figure out all how all these pieces are vulnerable. This could range from the file servers to individual developer laptops that are logged into production servers. The company's security requirements will change as the hardware and software components of its system change.
The company might try penetration testing to see if they can break into all of these components the way a hacker would. This means they will act as hackers and try to break into the core components of the system. They'll document and fix any problems they'll find and revisit these threat modeling plans periodically.
The company doesn't just face threats from humans. Nature has all kinds of threats, ranging from tornadoes to hurricanes to earthquakes. Given that FaceSpace is located in the Bay Area, earthquakes are a big concern. Fortunately, their new data center is in a seismically reinforced building with generators in case of power failure, making sure the company's offsite backups are reliable is always a good idea. Even better, they have alternate data centers that will come online in case the main one fails.
Other threats might include government surveillance, malware and even warfare.
The great thing about threat modeling is that it forces you to think through all the issues that make you secure or insecure. Security can be a vague concept, but by taking a few moments to think about what you want to protect and how you should protect it, you really can make yourself more secure.
Lesson summary
Threat modeling is the process of defining what an organization wants to protect and the steps taken to protect it. Threat modeling involves protecting assets from threats. The goal is to anticipate potential threats and eliminate or mitigate them. Companies will work to secure their applications from external and internal threats, and often perform penetration testing; try to break into their own system. Threat modeling should be an ongoing activity, as threats continue to grow and evolve, companies need to be prepared to handle them and mitigate them.
To unlock this lesson you must be a Study.com Member.
Create your account
Register to view this lesson
Unlock Your Education
See for yourself why 30 million people use Study.com
Become a Study.com member and start learning now.
Become a MemberAlready a member? Log In
BackThreat Modeling: Process, Tools & Example
Related Study Materials
- General Science Lessons
- TExES Science of Teaching Reading (293): Practice & Study Guide
- Next Gen NCLEX-PN Study Guide & Practice
- Next Gen NCLEX-RN Study Guide & Practice
- TExES Core Subjects EC-6 (391): Practice & Study Guide
- Identifying Grammatical Errors in Writing
- Teaching Students to Use, Analyze & Understand Media
- Assessing Students Literacy Levels
- Diversity, Equity and Inclusion in the Workplace
- Writing Development and Skills
- How to Pick Your Homeschool Curriculum
- Role of Student Support in Open & Distance Learning
- TExES Principal Exam Redesign (068 vs. 268)
- Teacher Salary by State
- ESL Resource Guide for Teachers
- What is a Homeschool Co-op?
- How to Start Homeschooling Your Children
Latest Courses
- Victimization Consequences: Emotional, Psychological & Social
- Political Satire: Definition & Examples
- Niels Bohr: Biography, Atomic Theory & Discovery
- Aymara People: Language, Culture & Religion
- Silicon Carbide Chemistry & Structure | What is Silicon Carbide?
- Lanthanide Contraction: Definition & Consequences
- Sticky End Ligation: Definition, Protocol & Efficiency
- Quiz & Worksheet - Italian Fascist Propaganda Methods & Types
- Quiz & Worksheet - Hittite Government, Laws & Economy
- Quiz & Worksheet - Witchcraft, Oracles, and Magic Among the Azande Synopsis
- Quiz & Worksheet - Paleo Indian Culture & Artifacts
- Flashcards - Real Estate Marketing Basics
- Flashcards - Promotional Marketing in Real Estate
- Algebra 2 Worksheets
- Calculus Worksheets
Latest Lessons
- 7th Grade Physical Science: Enrichment Program
- AP Calculus BC: Exam Prep
- Abnormal Psychology for Teachers: Professional Development
- CLEP Principles of Marketing: Study Guide & Test Prep
- Beowulf Study Guide
- Compare Properties of Functions: CCSS.Math.Content.8.F.A.2
- Archaeology and Anthropology
- Quiz & Worksheet - Predicates
- Quiz & Worksheet - Battle of Nashville
- Quiz & Worksheet - Cache Memory
- Quiz & Worksheet - Music Notation Symbols
- Quiz & Worksheet - GRE Sentence Equivalence Format
Popular Courses
- What is Albumin? - Definition & Levels
- Current SI Standards in Science
- Common Core State Standards in Missouri
- How to Pass a Chemistry Test
- Sequencing Activities for 3rd Grade
- How to Ace a Nursing Interview
- Persuasive Writing Topics for Kids
- Social Studies Games for Kids
- How to Pass Intermediate Algebra
- eBooks vs. Textbooks
- FTCE Social Science 6-12: Passing Score
- Autism Awareness Activities for Kids
Popular Lessons
Math
Social Sciences
Science
Business
Humanities
Education
History
Art and Design
Tech and Engineering
- Tech and Engineering - Videos
- Tech and Engineering - Quizzes
- Tech and Engineering - Questions & Answers