
Threat Modeling: Process, Tools & Example

Instructor: David Delony

David is a freelance writer specializing in technology. He holds a BA in communication.

In this lesson, you'll learn about threat modeling to keep your organization safe from hackers. You'll learn about protecting assets from threats, both internal and external, ranging from hackers to natural disasters.

What is threat modeling?

Security might be a nebulous topic, but you can make your business more secure by anticipating the kinds of threats you might face. You could deal with natural disasters, hackers, even rogue employees. A little time spent on prevention can be worth more than a pound of cure.

What kinds of threats?

Everyone, ranging from self-employed professionals to enterprise companies, will have to deal with some kind of security threat. For the purposes of this lesson, we'll define a threat as something that will prevent a user from accessing some kind of asset, namely important data. Threat modeling is the process of identifying assets that you want to protect from threats.

The threats vary from person to person. The biggest risk a person using a laptop faces is someone stealing it, while a company running a web app will mainly have to worry about hackers breaking in from the outside.

Threat definitions

The Electronic Frontier Foundation has an excellent set of questions that everyone should ask themselves when defining threats:

What do you want to protect?

Who do you want to protect it from?

How likely is it that you will need to protect it?

How bad are the consequences if you fail?

How much trouble are you willing to go through in order to try to prevent those?

Protecting Assets

Ultimately, threat modeling is about figuring out what you want to protect. The actions that you'll take to protect your assets will flow from this decision.

Let's take one example of how threat modeling might be used in practice. FaceSpace is a social media network that wants to make sure its security is up to par, so its security team is building a threat model of its entire infrastructure.

A social media service's biggest assets will be its user base, messages, and photos, among other things. A lot of this information is sensitive, so the company will go to great lengths to keep it safe while balancing that against the need to be available to users.

Strategies Against External Threats

Most of the company's threats will be external: mainly hackers exploiting weaknesses in its software. The company will spend most of its efforts making sure that all of the inputs are handled properly, lessening the possibility of a buffer overflow or SQL injection attack.
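
As an added illustration (not part of the original lesson), the Python sketch below shows what "handling inputs properly" means for the SQL injection case: the same lookup written with string concatenation and with a bound parameter. The messages table, its rows, the function names and the crafted input are all constructed for this example, and SQLite stands in for whatever database FaceSpace would really use.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample messages."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [("alice", "lunch at noon?"),
         ("alice", "see you there"),
         ("bob", "my new phone number is 555-0100")],
    )
    return db

def messages_unsafe(db, owner):
    # Weak form: the input is pasted into the SQL text, so quote characters
    # inside it are parsed as SQL and can change what the query means.
    query = "SELECT body FROM messages WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(query)]

def messages_safe(db, owner):
    # Hardened form: the ? placeholder passes the input as a bound value,
    # so it is only ever compared against the owner column.
    query = "SELECT body FROM messages WHERE owner = ?"
    return [row[0] for row in db.execute(query, (owner,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "alice' OR '1'='1"  # constructed hostile input
    print("normal,  unsafe:", messages_unsafe(db, "alice"))
    print("normal,  safe  :", messages_safe(db, "alice"))
    print("crafted, unsafe:", messages_unsafe(db, crafted))
    print("crafted, safe  :", messages_safe(db, crafted))
```

With ordinary input the two functions agree; with the crafted input the concatenated query returns every user's messages, while the parameterized query returns nothing because no owner has that literal name.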

Since the company's application is database-driven, they'll also have to vet their database and database administrators very carefully. Ideally, administrators will have the minimum permissions necessary to do their jobs. They won't be able to access or make changes to the entire database.

Modern web applications have all sorts of components that work together and all have their own threats, so security professionals will have to analyze all these components together to figure out how all these pieces are vulnerable. This could range from the file servers to individual developer laptops that are logged into production servers. The company's security requirements will change as the hardware and software components of its system change.
