Skip to main content
  1. Posts/

Understanding the highest risks to secure what matters

Table of Contents

I’m often called to “secure” things - online education, a book manuscript pre-publication, authors’ royalties data, a production center, or a marketing website. My first task is always to understand the “threat model”, or said simply, the main security risks we’re worried about. Are we afraid that the competition may access royalties data (confidentiality), do we fear a modification of third-parties’ bank account information (integrity) or should we prevent a ransomware from taking down our company? (availability)

Business teams usually have a pretty good idea of their risks, which helps us focus our efforts #

Before deploying any security measure, the following questions must be discussed with business teams, as recommended by both Microsoft and the Electronic Frontier Foundation:

  • Assets: What do you want to protect? - which assets, and whether we talk about the assets’ confidentiality, integrity and/or availability
  • Threats: Who/What do you want to protect it from? - natural threats (disasters), unintentional threats (system failure, mistake), intentional threats (bots performing low-level automated attacks, insiders, adversaries or government agencies performing targeted attacks, etc.)
  • Vulnerabilities: What are our known weaknesses? - businesses will have an interesting point of view, although this must be completed by a technical analysis
  • Probability: How likely is it that you will need to protect it? - that’s the “probability” of an attack (quite high on web services for instance)
  • Impact: How bad are the consequences if you fail? - that’s the “impact” if the risk materializes (how much of a problem is it, if this website is compromised?). It can be reputational damage, impact on revenue or operations, financial/legal penalties, etc.
  • Mitigation: How much trouble are you willing to go through in order to try to prevent those risks? - is the business happy to accept the risk, or should it be prevented at all costs?

There are multiple frameworks to formulate threats and vulnerabilities, like the STRIDE model:

  • Spoofing - Someone uses someone else’ account
  • Tampering - Someone modifies data
  • Repudiation - The service can’t prove who did what
  • Information Disclosure - Information is freely available when it should not
  • Denial of Service - The service is unresponsive
  • Elevation of Privilege - Someone gains additional/administrator rights when they shouldn’t have them

Obviously, risks with both high probability and impact will be prioritized to develop adapted mitigations - and these can be technical as well as human (adapting procedures, training users, etc.). Any added control will reduce the risk’s probability or impact, until the “residual risk” is low enough to be documented and accepted.

There are long theories and books about risk management and formal threat modeling1, but such a quick 360-degree assessment can prevent spending time and money on unnecessary measures. “Securing” a folder full of files can mean ensuring confidentiality of HR documents, even from the company’s own IT Admins, as well as ensuring 24/7 availability of media that businesses absolutely need, but that their partner could send again in case files are lost. As we see here, discussing risks does not require any technical knowledge.

But many decisions are taken “in the name of Security” without considering risks #

For instance:

  • “We should not move to the cloud, it’s not secure… while actually, AWS, Azure, Google Cloud have better availability and security tooling than anything done in-house. This is only true if the threat model includes (foreign) government agencies that would be interested in access to data
  • You can’t connect a printer to your work computer for security reasons, while, no, that’s just a consequence of not having admin rights, but we could find ways to allow regular users to connect printers without lowering our security level
  • If you send a sensitive document by email, you must encrypt it with a password-protected ZIP for security reasons, which indeed protects the content in transit (so that Microsoft and GMail can’t read it), but once on the recipient’s machine, the ZIP will be unzipped, and the file will stay there unencrypted and ready to be stolen or reshared - is it a risk we care about? Do we expect to protect ourselves from Google or from a potential viral infection of the recipient’s computer?

To be honest, the expression security reasons should just be banned outright.

  1. To go further:

     ↩︎