Security is a large topic, and so full of jargon that it can be hard to know where to start thinking about it. Threat modeling gives you a framework for building security policies from the ground up.
In this talk, Dan Hardiker, CTO at Adaptavist, covers what a threat model is, when and why it's useful, what its main components are (assets, actors, and vectors), and how they interact. We'll build a basic threat model, show you how to apply the method to your own systems, and give you references for further learning.
45–56. Bruce Wayne / Batman’s Threat Model
(Built up one layer per slide: 45 lists the assets, 46 adds the attackers, 47–52 draw the vectors between them and rate each one, 53–56 add the controls.)
ASSETS
@
E-MAILS
TEXTS
BAT CAVE
ALFRED
ATTACKERS
POLICE
PRESS
JOURNALISTS
THE JOKER
VECTORS (each attacker-to-asset route rated LOW RISK / MED RISK / HIGH RISK)
CONTROLS
ENCRYPTION
HIDE LOCATION
SECURITY SYSTEM
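The slides show the model as a picture: assets on one side, attackers on the other, rated vectors joining them, and controls laid over the vectors. The same structure works as data, which is what you want if the model is to live next to the code it protects and be re-checked as the system changes. The block below is an added example, not code from the talk; the assets, attackers, risk levels and the three controls are taken from the slides, while the specific vectors (who reaches what, and how) and the mapping of each control onto the methods it blocks are assumptions constructed here for illustration.

```python
"""Batman's threat model from the slides as queryable data.

Added example, not code from the talk. Assets, attackers, risk levels and
the three controls are the ones named on the slides; the concrete attack
vectors and the control-to-vector mapping are constructed here to show
how the pieces fit together.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Risk(IntEnum):
    LOW = 1
    MED = 2
    HIGH = 3


@dataclass(frozen=True)
class Vector:
    """One route from an attacker to an asset, rated before any controls."""
    attacker: str
    asset: str
    method: str
    risk: Risk


@dataclass(frozen=True)
class Control:
    """A mitigation: the methods it blocks and the risk that remains."""
    name: str
    mitigates: FrozenSet[str]
    residual: Risk


@dataclass
class ThreatModel:
    assets: List[str]
    attackers: List[str]
    vectors: List[Vector] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)

    def add_vector(self, attacker: str, asset: str, method: str, risk: Risk) -> None:
        # A vector naming an unknown asset or attacker means the inventory
        # is stale; fail loudly rather than silently rate it.
        if asset not in self.assets:
            raise ValueError(f"unknown asset: {asset}")
        if attacker not in self.attackers:
            raise ValueError(f"unknown attacker: {attacker}")
        self.vectors.append(Vector(attacker, asset, method, Risk(risk)))

    def residual_risk(self, v: Vector) -> Tuple[Risk, List[str]]:
        """Risk left on a vector after every control that covers its method.

        Controls never raise risk, so the result is capped at the vector's
        own rating; with several controls the strongest one wins.
        """
        applied = [c for c in self.controls if v.method in c.mitigates]
        if not applied:
            return v.risk, []
        best = min(c.residual for c in applied)
        return min(v.risk, best), [c.name for c in applied]

    def report(self) -> List[Tuple[Vector, Risk, List[str]]]:
        """Every vector with its residual risk, highest inherent risk first."""
        ordered = sorted(self.vectors, key=lambda v: -int(v.risk))
        return [(v, *self.residual_risk(v)) for v in ordered]

    def open_items(self, threshold: Risk = Risk.HIGH) -> List[Vector]:
        """Vectors still at or above the threshold: the controls still to do."""
        return [v for v, r, _ in self.report() if r >= threshold]


def build_batman_model() -> ThreatModel:
    """The slide model. The vectors and control mapping are constructed."""
    tm = ThreatModel(
        assets=["e-mails", "texts", "bat cave", "alfred"],
        attackers=["police", "press", "journalists", "the joker"],
    )
    # Constructed vectors: attacker -> asset via method, unmitigated rating.
    tm.add_vector("the joker", "texts", "intercept in transit", Risk.HIGH)
    tm.add_vector("press", "e-mails", "intercept in transit", Risk.MED)
    tm.add_vector("journalists", "bat cave", "follow the batmobile home", Risk.HIGH)
    tm.add_vector("police", "bat cave", "search warrant on wayne manor", Risk.MED)
    tm.add_vector("the joker", "alfred", "physical intrusion", Risk.HIGH)
    tm.add_vector("the joker", "alfred", "coercion of staff", Risk.HIGH)
    # The three controls from the slides, mapped (by assumption) to methods.
    tm.controls = [
        Control("encryption", frozenset({"intercept in transit"}), Risk.LOW),
        Control("hide location", frozenset({"follow the batmobile home"}), Risk.MED),
        Control("security system", frozenset({"physical intrusion"}), Risk.MED),
    ]
    return tm


if __name__ == "__main__":
    model = build_batman_model()
    for v, r, names in model.report():
        print(f"{r.name:4} {v.attacker} -> {v.asset} via {v.method} "
              f"[{v.risk.name}; controls: {', '.join(names) or 'none'}]")
    print("still open:", [v.method for v in model.open_items()])
```

Run it and `open_items()` returns the one vector none of the three slide controls touches: the Joker coercing Alfred. Encryption, hiding the location and a security system all address technical or physical routes, so what is left at HIGH is the human route, which is the point of the talk's third takeaway. The `add_vector` check is deliberate: a model that quietly accepts a vector against an asset nobody listed is a model that has drifted from the system it describes.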
97–99. 3 THINGS TO REMEMBER
1. Security is not an afterthought. It’s Job Zero!
2. Threat Model as part of User Stories.
3. Ignorant humans are your biggest threat.
102. FURTHER READING
‣ Ars Technica
‣ Schneier on Security
‣ The Hacker News
‣ OWASP