The threat model is one of the most basic tools IT professionals use to analyze security incidents and scenarios. It is the first stop along the security path where potential hazards can be identified and quantified.

Threat models involve judgments about which threats are important to a particular situation. An automated tool that simply lists any potential problem without assigning a probability to it is useless to the overall process. It’s like having to read through a log file in its entirety to find one anomalous event that indicates a breach.

Security analysts need a way to focus on what is relevant to the problem at hand. A threat model can point out all possible scenarios, but it also needs to focus attention on the most important factors in a security context. That focus arises from a judgment call regarding the entire security fabric.

The Threat Model Is a Judgment Call

The environment plays a significant role in the threat modeling process. If the threat model is based on the understanding that a system will be operating with certain parameters, changing those parameters usually causes unintended consequences. Second-order effects come along with any change in an assumed environment.

Threat modeling will always involve judgment. It’s how we create the needed focus, allow for the atypical situation and plan for it. But judgment calls need to be evaluated against data from the field to ensure that they are both correct and relevant.

Looking at the assumed environment of a deployed project versus current realities can help IT managers decide what needs to be reviewed and how soon the items need to be changed. Reviews also help sniff out any second-order effects from environmental change, or perhaps even stop them in their tracks.

That’s what happened in 2016 — the environment changed. Today, cybercriminals primarily use ransomware and Trojans instead of poisoned email attachments to advance their malicious goals. There are more internet-connected devices than ever controlling mundane but necessary industrial things. Cybercriminals can hijack something as simple as your home thermostat or security camera to take down an entire country’s internet service. These days, things are working together in funny ways.

A Game of Phone Tag

An edition of “60 Minutes” described how German researchers were able to connect to a U.S. congressman’s phone by hijacking the telephone switching system. Although he vowed to hold congressional hearings on the matter, he eventually realized that security standards had changed since the telephone system was installed. The threat model at the time assumed that if you could connect, you were cleared from a security standpoint. The connections to the switching network were deemed outside the sphere of influence.

In threat model parlance, the switching network had a dashed trust boundary around its perimeter. Things functioned at the same privilege level within that dashed line box, but anything outside it was beyond the ken.

Obviously, the designers had totally different assumptions about networks and how they functioned at that time. What the congressman experienced was not a vulnerability in the telephone network, but a design decision made for that network that affected security.

Blowing the Whistle on SS7

Signaling System 7 (SS7) was designed to keep the control frequencies of the telephone switch from being carried along with the data. Computer programmer John Draper figured out that he could take control of a telephone line by blowing a whistle that he found in a cereal box at 2600 Hz because the existing switching system worked that way.

Once the line was commandeered, the voice data could be redirected to a new destination without tripping any billing notifications. The billing mechanism came when the “local” call was initially placed. This meant that a local call could be turned into a long-distance call while still being billed as local.

The threat model used for SS7 ensured that the switching control channels were not present along with the voice data. That model became obsolete as time went on and network connection methods changed. This obsolescence can be the fate of any extant threat model, which eventually may not reflect the realities of a current situation and who the threat actors truly are.

2017: The Year of Metadata

The threat models of 2017 will bring metadata into sharper focus. Many routine computer connections can generate a lot of metadata that is then sent in the clear and easily harvestable by those who can listen.

Let’s say that, for some reason, you’re utilizing clientside certificates. It may even aim to enhance security, but client certificates are exchanged before the Transport Layer Security (TLS) connection becomes encrypted. If it’s a server-to-server connection, it may be acceptable. But it won’t work for normal clients because the metadata is so easily traceable, and only recently has its full potential entered into security decisions. That changed the threat model for these environments.

The new threat models of 2017 will need to be flexible. Otherwise, they run the risk of not representing the right threats.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today