1/ While this article on threat modeling isn't bad, neither is it anywhere close to how I'd describe "threat modeling".
martinfowler.com/articles/agile…
2/ It mentions NotPetya taking down Maersk, blaming nation-state malware that was weaponised. That's the wrong threat model. The correct threat model is lateral spreading through Windows credentials with PsExec.
3/ Likewise, the correct threat model includes entry of NotPetya from the public Internet like historic worms, but from subverted software updates and from partners over private VPNs.
4/ This reflects the most important problem with threat modeling: instead of expanding understanding to fit the real threats, they shrink the threats to fit what they understand.
5/ This then leads to the second most important problem: teams lack security competency to understand the threats. If nobody on the web team understands SQL injection then all that effort spent on threat modeling is just useless make-work.
6/ That's why so much threat modeling focuses on data flows, because it's grunt work that anybody can do without needing to understand the threats. But it's still only part of the way there: until you understand the threats, you don't really have a model for them.
7/ Instead of a threat modeling guide starting with process, it should start with the threats. Take DNS, for example. Everyone's DNS threat model is similar. You could write an entire book on "DNS threat modeling".
8/ For example, consider Epic Games and its Houseparty service. Its DNS servers had records like …38-197-97-151.ms.thehousepartyapp.com to refer to an Amazon instance with IPv4 address 138.197.97.151.
9/ They stopped using the Amazon instance, but still had the DNS record in their servers. That meant hackers could get that IP address in their own Amazon instance, then bypass domain HTTPS security by using that address to deliver hostile content.
10/ The list of threats you have to understand is enormous. The various efforts to list vulnerabilities, threats, attack patterns, and so on are a good start (e.g. the MITRE ATT&CK framework).
11/ It's something large parts of the organization need to learn to avoid overly politicizing threats, either inconvenient realistic threats people want to ignore, or unrealistic threats that are conveniently exploited to promote internal politics.
12/ My point is this: start with actual threats you understand, and develop process to deal with them. Don't develop process when you lack understanding, hoping that the process will teach you.