The threat model is one of the most basic tools IT professionals use to analyze security incidents and scenarios. It is the first stop along the security path where potential hazards can be identified and quantified.

Threat models involve judgments about which threats are important to a particular situation. An automated tool that simply lists any potential problem without assigning a probability to it is useless to the overall process. It’s like having to read through a log file in its entirety to find one anomalous event that indicates a breach.

Security analysts need a way to focus on what is relevant to the problem at hand. A threat model can point out all possible scenarios, but it also needs to focus attention on the most important factors in a security context. That focus arises from a judgment call regarding the entire security fabric.

The Threat Model Is a Judgment Call

The environment plays a significant role in the threat modeling process. If the threat model is based on the understanding that a system will be operating with certain parameters, changing those parameters usually causes unintended consequences. Second-order effects come along with any change in an assumed environment.

Threat modeling will always involve judgment. It’s how we create the needed focus, allow for the atypical situation and plan for it. But judgment calls need to be evaluated against data from the field to ensure that they are both correct and relevant.

Looking at the assumed environment of a deployed project versus current realities can help IT managers decide what needs to be reviewed and how soon the items need to be changed. Reviews also help sniff out any second-order effects from environmental change, or perhaps even stop them in their tracks.

That’s what happened in 2016 — the environment changed. Today, cybercriminals primarily use ransomware and Trojans instead of poisoned email attachments to advance their malicious goals. There are more internet-connected devices than ever controlling mundane but necessary industrial things. Cybercriminals can hijack something as simple as your home thermostat or security camera to take down an entire country’s internet service. These days, things are working together in funny ways.

A Game of Phone Tag

An edition of “60 Minutes” described how German researchers were able to connect to a U.S. congressman’s phone by hijacking the telephone switching system. Although he vowed to hold congressional hearings on the matter, he eventually realized that security standards had changed since the telephone system was installed. The threat model at the time assumed that if you could connect, you were cleared from a security standpoint. The connections to the switching network were deemed outside the sphere of influence.

In threat model parlance, the switching network had a dashed trust boundary around its perimeter. Everything inside that dashed-line box functioned at the same privilege level, and anything outside it was beyond the ken.

Obviously, the designers had totally different assumptions about networks and how they functioned at that time. What the congressman experienced was not a vulnerability in the telephone network, but a design decision made for that network that affected security.

Blowing the Whistle on SS7

Signaling System 7 (SS7) was designed to keep the control frequencies of the telephone switch from being carried along with the data. Computer programmer John Draper figured out that he could take control of a telephone line by blowing a 2600 Hz whistle he found in a cereal box, because the existing switching system used that very tone, carried in-band with the voice, as its control signal.

Once the line was commandeered, the voice data could be redirected to a new destination without tripping any billing notifications. Billing was triggered when the “local” call was initially placed, so a local call could be turned into a long-distance call while still being billed as local.

The threat model used for SS7 ensured that the switching control channels were not present along with the voice data. That model became obsolete as time went on and network connection methods changed. This obsolescence can be the fate of any extant threat model, which eventually may not reflect the realities of a current situation and who the threat actors truly are.
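The dashed trust boundary from the telephone-switch section and the obsolete SS7 assumption above, as an added example that is not part of the original article: a minimal threat-model checker in Python. Components sit in trust zones, flows connect them, and a flow that crosses a zone boundary without authentication is the "if you can connect, you are cleared" assumption the article describes. The environment assumption is modelled explicitly (zones the original designers treated as one), so the same flows can be re-scored when that assumption is withdrawn. Every component, zone, flow and score below is constructed for illustration, not a real carrier's topology.

```python
# Added illustration, not code from the original article: a minimal threat-model
# checker that treats "reachable means trusted" as a finding once the environment
# assumption behind it is dropped.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # trust zone; one dashed box in the diagram


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    purpose: str
    authenticated: bool  # does dst verify who src is, or is reachability enough?
    likelihood: int      # 1..5, analyst judgment
    impact: int          # 1..5, analyst judgment


def crosses_boundary(flow):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return flow.src.zone != flow.dst.zone


def relabel(flows, merged_zones):
    """Apply an environment assumption: each zone in `merged_zones` is treated as the
    zone it maps to (e.g. 'interconnect' counted as part of the carrier core)."""
    def z(c):
        return Component(c.name, merged_zones.get(c.zone, c.zone))
    return [Flow(z(f.src), z(f.dst), f.purpose, f.authenticated, f.likelihood, f.impact)
            for f in flows]


def evaluate(flows, merged_zones=None):
    """Rank unauthenticated boundary crossings by likelihood x impact.
    Listing everything would be the 'useless automated tool' the article warns
    about; the score is where the analyst's judgment call enters."""
    if merged_zones:
        flows = relabel(flows, merged_zones)
    findings = [
        {"flow": f"{f.src.name} -> {f.dst.name} ({f.purpose})",
         "boundary": f"{f.src.zone} -> {f.dst.zone}",
         "score": f.likelihood * f.impact}
        for f in flows if crosses_boundary(f) and not f.authenticated
    ]
    return sorted(findings, key=lambda x: x["score"], reverse=True)


# Constructed sample model (hypothetical names, not a real carrier's topology).
core_switch = Component("core-switch", "carrier-core")
billing = Component("billing", "carrier-core")
partner_stp = Component("partner-signaling-point", "interconnect")
remote_operator = Component("remote-operator", "external")

# Flows that existed when the network was designed.
FLOWS_AS_DESIGNED = [
    Flow(core_switch, billing, "call detail records", authenticated=False, likelihood=1, impact=3),
    Flow(partner_stp, core_switch, "signaling queries", authenticated=False, likelihood=4, impact=5),
]
# The environment assumption baked into the original model: a partner that can
# reach the signaling network is as trusted as the core itself.
ORIGINAL_ASSUMPTION = {"interconnect": "carrier-core"}

# The changed environment: a new connection path, and the old assumption withdrawn.
FLOWS_TODAY = FLOWS_AS_DESIGNED + [
    Flow(remote_operator, partner_stp, "third-party signaling access",
         authenticated=False, likelihood=5, impact=3),
]


def findings_as_designed():
    return evaluate(FLOWS_AS_DESIGNED, ORIGINAL_ASSUMPTION)


def findings_today():
    return evaluate(FLOWS_TODAY)


if __name__ == "__main__":
    print("as designed:", findings_as_designed())  # nothing flagged under the old assumption
    for f in findings_today():
        print(f"{f['score']:>3}  {f['boundary']:<28} {f['flow']}")
```

Under the original assumption the checker reports nothing, which is exactly the model the designers had. Dropping the merged-zone assumption and adding one new reachability path turns the same signaling flow into the top-ranked finding, without any change to the switch itself: the design decision did not change, the environment did.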

2017: The Year of Metadata

The threat models of 2017 will bring metadata into sharper focus. Many routine computer connections can generate a lot of metadata that is then sent in the clear and easily harvestable by those who can listen.

Let’s say that, for some reason, you’re using client-side certificates. The aim may well be to enhance security, but client certificates are exchanged before the Transport Layer Security (TLS) connection becomes encrypted. For a server-to-server connection, that may be acceptable. But it won’t work for ordinary clients, because the metadata is so easily traceable, and only recently has its full potential entered into security decisions. That changed the threat model for these environments.
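The handshake layout the paragraph describes, as an added example that is not from the original article: a small Python parser over a constructed TLS 1.2 client flight that reports which handshake messages a passive observer can read before ChangeCipherSpec switches encryption on, and lifts the client certificate bytes straight off the wire. The record and handshake framing follow TLS 1.2; the certificate, key-exchange and signature fields are placeholders, not real DER. (TLS 1.3 moved the Certificate message under encryption, which is the kind of environment change the article says a threat model has to track.)

```python
# Added illustration, not code from the original article: what a passive observer can
# read from a TLS 1.2 client flight that carries a client certificate. All bytes are
# constructed here; the "certificate" is a placeholder, not real DER.
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 0x16, 0x14
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
            16: "ClientKeyExchange", 20: "Finished"}


def tls_record(content_type, payload, version=b"\x03\x03"):
    """TLS record: type(1) version(2) length(2) payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake_msg(hs_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def certificate_body(certs):
    """Certificate message body: 3-byte list length, then 3-byte length + DER per cert."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


def parse_certificate_list(body):
    """Inverse of certificate_body: return the DER blobs in a Certificate message."""
    total = int.from_bytes(body[:3], "big")
    certs, p = [], 3
    while p < 3 + total:
        n = int.from_bytes(body[p:p + 3], "big")
        certs.append(body[p + 3:p + 3 + n])
        p += 3 + n
    return certs


# Constructed sample: the client's second flight in a mutually authenticated TLS 1.2
# handshake. Everything before ChangeCipherSpec is sent in the clear.
FAKE_CLIENT_CERT = b"\x30\x82\x01\x00" + b"A" * 252            # placeholder, 256 bytes
SAMPLE_CLIENT_FLIGHT = (
    tls_record(HANDSHAKE,
               handshake_msg(11, certificate_body([FAKE_CLIENT_CERT]))
               + handshake_msg(16, b"\x00\x20" + b"K" * 32)            # ClientKeyExchange
               + handshake_msg(15, b"\x04\x01\x00\x40" + b"S" * 64))   # CertificateVerify
    + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(HANDSHAKE, b"E" * 40)   # Finished: encrypted after CCS, opaque to us
)


def observe(stream):
    """Walk the records as a passive observer. Returns the messages seen, each tagged
    with whether it was readable in the clear, plus any certificates lifted off the wire."""
    messages, certs, pos, encrypted = [], [], 0, False
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
            messages.append(("ChangeCipherSpec", True))
        elif ctype != HANDSHAKE:
            continue
        elif encrypted:
            messages.append(("<encrypted handshake record>", False))
        else:
            p = 0
            while p + 4 <= len(payload):
                hs_type = payload[p]
                hs_len = int.from_bytes(payload[p + 1:p + 4], "big")
                body = payload[p + 4:p + 4 + hs_len]
                p += 4 + hs_len
                if hs_type == 11:
                    found = parse_certificate_list(body)
                    certs.extend(found)
                    messages.append((f"Certificate({len(found)} cert, "
                                     f"{sum(map(len, found))} bytes visible)", True))
                else:
                    messages.append((HS_NAMES.get(hs_type, f"type{hs_type}"), True))
    return {"messages": messages, "certificates": certs}


if __name__ == "__main__":
    for desc, clear in observe(SAMPLE_CLIENT_FLIGHT)["messages"]:
        print(("CLEAR    " if clear else "ENCRYPTED"), desc)
```

Run against your own capture of a TLS 1.2 client-authenticated connection, the same walk shows whether the identity your clients present is visible to anyone on the path, which is the metadata exposure the paragraph is about.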

The new threat models of 2017 will need to be flexible. Otherwise, they run the risk of not representing the right threats.
