Threat Analysis

The process of formally evaluating the degree of threat to an information system. It describes the nature of the threat, and may provide specific suggestions for countermeasures to the threat, if countermeasures exist.

Threat Assessment

It is important to determine the level of threat, and to gauge the significance of a threat for a specific organization. A threat might be high for a financial institution and low for an internet portal site. Certain threats are significant across all types of enterprises:

  1. Physical access is everything. If a perpetrator has physical access, that person or group will be able to compromise the network, the computer, or any other element under consideration.
  2. Insiders of all kinds are already past the first barrier.
  3. Not every exploit ends up on bugtraq or in other security databases. In fact, many exploits stay secret for years, and are only exposed by accident or malice.
  4. Depending on the industry, between 50% and 80% of all deliberate break-ins are internal.

Threat Model

The value of assessing risk and identifying weaknesses in systems cannot be overstated. Recognizing threats that are specific to an entity or enterprise is an important part of determining the security stance required. There is no security or threat model that is suitable for everything. The cost of a loss and the effort to prevent that loss must both fit appropriately into a consequence management model.

How can you identify risk if you don't know, or have not identified who or what you are defending against? Each risk must be examined carefully to determine whether that risk is applicable to the current enterprise, and whether the cost of defending against that risk is worth the mitigation of that risk.

Risk Management

Once the threats and their applicability have been identified, each remaining risk is a decision: pay to defend against it, or accept it. It is possible to play the odds and win. The true cost of losing must always be weighed against the price of protecting against it.
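The "is this threat applicable here, and is the defense worth its price" reasoning above is easiest to see on a small risk register. The following is an added worked example, not code from the original page. It uses an expected-loss model (annual likelihood times impact per incident, compared with the annual cost of a countermeasure and the residual likelihood that countermeasure leaves); that model is the editor's choice, the page itself prescribes no formula. The sector names, threats, probabilities and costs are constructed sample data.

```python
"""Risk register walk-through: applicability filter plus cost-benefit decision.

Added example, not part of the original page. The expected-loss model
(likelihood x impact vs. control cost and residual likelihood) is an
assumption of this illustration; all figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, FrozenSet, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    sectors: Optional[FrozenSet[str]]  # None means "significant for every enterprise"
    annual_likelihood: float           # expected incidents per year, uncontrolled
    impact: float                      # loss per incident, currency units
    control_cost: float                # annual cost of the countermeasure
    residual_factor: float             # fraction of likelihood left once controlled

    def applies_to(self, sector: str) -> bool:
        return self.sectors is None or sector in self.sectors


def expected_loss(t: Threat) -> float:
    """Annual loss if nothing is done."""
    return t.annual_likelihood * t.impact


def residual_loss(t: Threat) -> float:
    """Annual loss that remains even with the countermeasure in place."""
    return t.annual_likelihood * t.residual_factor * t.impact


def decide(t: Threat, sector: str) -> Tuple[str, float]:
    """Return (decision, net annual benefit of the countermeasure).

    'mitigate' when the loss avoided exceeds the control's cost,
    'accept' when it does not (playing the odds), 'not applicable'
    when the threat is not relevant to this kind of enterprise.
    """
    if not t.applies_to(sector):
        return "not applicable", 0.0
    avoided = expected_loss(t) - residual_loss(t)
    net = avoided - t.control_cost
    return ("mitigate" if net > 0 else "accept"), net


def assess(register, sector: str) -> Dict[str, Tuple[str, float]]:
    return {t.name: decide(t, sector) for t in register}


# Constructed sample register. Wire fraud matters to a bank, defacement to a
# portal; insiders and physical access (the page's universal threats) apply
# to everyone. Residual factors are powers of two so the arithmetic is exact.
SAMPLE_REGISTER = [
    Threat("wire transfer fraud", frozenset({"bank"}), 2.0, 250_000.0, 100_000.0, 0.125),
    Threat("site defacement", frozenset({"portal"}), 4.0, 20_000.0, 15_000.0, 0.25),
    Threat("insider data theft", None, 0.5, 400_000.0, 150_000.0, 0.5),
    Threat("physical access to server room", None, 0.25, 1_000_000.0, 30_000.0, 0.0),
]

if __name__ == "__main__":
    for sector in ("bank", "portal"):
        print(f"--- {sector} ---")
        for name, (decision, net) in assess(SAMPLE_REGISTER, sector).items():
            print(f"{name:32s} {decision:15s} net benefit {net:>12,.0f}")
```

Run as a script it prints one decision per threat for each sector. Note that "insider data theft" comes out as "accept" for both sectors even though insiders are a universal threat: the control on offer is too expensive for the loss it avoids, which is exactly the trade-off the paragraph above describes. A cheaper or more effective control (lower control_cost or residual_factor) would flip that decision.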


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 23:06:31 PDT 2004