Threat Modelling

A threat model is a process that reviews the security of an information system, identifies potential security issues, and determines the risk associated with each identified issue. The threat risk model process comprises the following steps:

• Identification of Security Objectives – This step determines the overall goals the organization has concerning its security.
• System Survey – The identification of the components that comprise the overall system, data transmission paths, and trust boundaries with external networks.
• System Decomposition – The identification of the constituent components of the system that have a security impact or act as a control.
• Threat Identification – The enumeration of potential known and credible threats to the system.
• Vulnerability Identification – The assessment of identified threats and evaluation of system weaknesses for each threat.

In the context of threat modeling, the STRIDE acronym stands for:

• Spoofing Identity – Threats associated with an attacker taking on the identity of a user.
• Tampering with Data – Threats associated with the unauthorized modification of information.
• Repudiation – Threats associated with the unauthorized deletion or modification of transactional or access information in an attempt to refute that an event has taken place.
• Information Disclosure – Threats associated with the unauthorized disclosure of sensitive information.
• Denial of Service – Threats associated with the overwhelming of a system’s resources to halt the operation of the system.
• Elevation of Privilege – Threats associated with an authorized user taking on the identity of a different user to gain access to services or information that they are not authorized to access.

The goal of STRIDE threat modeling is to deliver assurance that a system or application will meet the security properties of Confidentiality, Integrity, and Availability (CIA), along with Authorization, Authentication, and Non-Repudiation.

The principle behind threat modeling using STRIDE is the construction of a data flow diagram-based threat model by security subject matter experts. This model then allows the system engineers and other expert stakeholders to review the system or application against the STRIDE threat model classification scheme.

Threat modeling can be applied to systems and applications during development to counter problems before they occur. It also has an application for production systems where retrospective security assessment is required after the event. The main benefits to threat modeling come when it is adopted early in a development life cycle when the cost of implementing security controls is significantly reduced, and the risk of developing a system that can never be secure is eliminated. However, if its too late and the system is designed, threat modeling can still have a role to play in assuring the security of the developed system.

• Analyze early, ideally during the preliminary design phase, once a complete design has been formed, is the most cost-effective option if possible.
• Analyze each component individually during development to secure each component and simplify the security process during the integration of the elements.
• Analyze the integrated system as part of verification and validation processes where issues can be resolved as part of the system debug procedures.

Whenever the system undergoes modification, the change control process should include a review of the threat modeling to identify the presence impact of security-related changes.