Next Module: Contextual & Capacity Research
This module will describe the concepts of threat modeling and bounding risk assessments. These concepts are important for practitioners since we will never have enough time to conduct as thorough a risk assessment as we would like. Having some practical bounds when analyzing risk is even more important for organizations attempting to adopt risk-informed practices and proactive security given the resource constraints commonly facing our clients.
- Understand how to prioritize security measures based on risk and other organizational pressures
Identify the cybersecurity maturity and path of growth for an organization
Develop threat models bounded by given resource constraints
- See Course Readings for “Threat Modeling and Bounding Risk Assessments”
Play the following newscast from CyberWire: https://youtu.be/MyY6hjABkk4?t=115
As small groups, discuss the targeting of Citizen Lab and then share answers to the class:
- What are the threats?
- What are the adversaries seeking?
- What damage could this cause? How might this situation played out differently?
- How concerned should Citizen Clinic be about a similar approach?
- What is the probability of this happening?
- What is the potential impact?
- Tier 1 – Partial: Risk management is typically performed in an ad-hoc/reactive manner. Security activities are typically performed with little to no prioritization based on risk.
- Tier 2 – Risk-Informed: Risk management practices are typically not established as organizational-wide policies but, along with the organizational objectives, the threat environment, and business requirements, directly inform the prioritization of security activities.
- Tier 3 – Repeatable: Formally approved and regularly updated risk management practices that are expressed as policy.
- Tier 4 – Adaptive: Organizations adapt their security practices, including lessons learned and predictive factors, implementing a process of continuous improvement.
- What do I want to protect? (Assets)
- Who do I want to protect it from? (Threats / Adversaries)
- How bad are the consequences if I fail? (Impact)
- How likely is it that I will need to protect it? (Probability)
- How much trouble am I willing to go through to try to prevent potential consequences? (Mitigations)
- You suspect many of their devices may be out of date or running illegitimate copies of software
- A system they are deeply dependent runs on a service that is out of the support lifecycle
- A member of their staff recently had the webcam on their laptop turn on and off mysteriously
All of these things will take time to assess. Where do you start? How would you figure out what to focus on?
Part 2. Your partner wants to use Skype as the primary way to communicate. Everyone in their organization has a Skype account and it is currently the primary way they hold conference calls and send messages between staff and partners.
Discuss in assigned teams:
- Initial reactions: Is it secure? Is it reliable?
- What are the risks? What adversaries might present greater concerns?
- What is the your risk tolerance? Why should you tolerate any risk for this partner to use their preferred communications method?
Review the concepts of threat modeling and risk assessment by discussing the threat model for your own Clinic program and how various activities were prioritized. Discuss resource constraints or other business requirements that were considered in implementing risk mitigations.
Develop your initial client threat model.
- What do they want to protect? (Assets)
- Who do they want to protect it from? (Threats / Adversaries)
- How bad are the consequences if they fail? (Impact)
- How likely is it that they will need to protect it? (Probability)
- How much trouble are they willing to go through to try to prevent potential consequences? (Mitigations)