
I am trying to understand threat modeling, but it seems too elastic, ranging from restrictive requirements to general requirements.

Now I am trying to understand it with some realistic examples. The first example which comes to my mind is physical access control of an office premise in which visitors have preapproved restrictive access and employees have unrestricted access. Each employee and legitimate visitor is given an ID card to prevent this. Any official laptop should not go outside the office without permission. Each laptop has an RFID tag to prevent this.

Can somebody help me understand the threat model in this example? Or can somebody point me to where similar analysis has been done?

user3488903

  • Can we assume you've read this? https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one – schroeder Apr 03 '20 at 07:57

1 Answer


I think you're mixing a couple of different sorts of things into your question. You want to threat model the office, which has a set of entry points, and some stuff* you want to protect. That stuff includes laptops, which you've identified, and probably other things, like confidential printouts, the hard drives in desktops, those fancy Apple monitor stands, the scotch in the company bar, the employees and their sense of well-being... We don't have to be exhaustive.

You have two types of problems you've informally identified: one is the visitor, the other is the laptop walking away. You have two controls: badges and RFID tags. Let me now take this, and re-frame it a little.

I advocate for a four-question framework as central to threat modeling:

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

So what you're working on is the security system for an office. What can go wrong, we can approach in a few ways. We could expand the attacker list to include other types of person. That has a failure mode of excluding people, say, kids or drunk employees, and so I tend to avoid it, and focus on the threats ("future problems"). Here we might look at theft, damage, disclosure as a list of threats to worry about. In software, we'd look at STRIDE or a kill chain as a model of the threats.

We'd use that list to come up with a list of countermeasures or controls. You've listed two, we might add turnstiles or other physical controls, conference rooms near the entryway, a second set of doors, etc. These are the answers to what we're going to do about it.

*I'm carefully not using the jargon 'asset,' because it has too many meanings. Also, 'entry point' is a term of art that lots of people used to use, from a physical protection analogy and so I bring it back here. More commonly, in software-focused threat modeling today, we'd talk about trust boundaries or attack surfaces.

Adam Shostack

  • We are trying to create a canonical answer for threat modelling because we get a lot of unfocused questions like this. Could you consider posting an answer to our canonical post: https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one Your 4-Q framework seems like a great primer – schroeder Apr 04 '20 at 13:00
  • Sure, although to be honest I'm unsure why given an answer with 47 votes – Adam Shostack Apr 04 '20 at 15:46
  • If you think that the existing answers suffice, then that's cool, too. I just thought that given your expertise, you could provide significant value. – schroeder Apr 04 '20 at 20:52
  • Thank you very much it was really informative. – user3488903 Apr 05 '20 at 06:09
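The answer's four questions can be made mechanical for question 4 ("Did we do a good job?"): enumerate every (thing to protect, threat) pair from questions 1 and 2, map each control from question 3 onto the pairs it addresses, and list the pairs nothing covers. The script below is an added example, not code from the question or the answer; the things, threats and controls are the ones named on the page, but which pairs each control is taken to address is an assumption made here for illustration.

```python
"""Coverage check for the office threat model discussed above.

Added example, not from the original post. The things, threats and
controls come from the answer; the mapping of each control onto the
(thing, threat) pairs it addresses is an assumption made here.
"""
from itertools import product

# Question 1: what are we working on? (a non-exhaustive list, as the answer says)
THINGS = ["laptop", "confidential printout", "desktop hard drive"]

# Question 2: what can go wrong? (the answer's list of threats)
THREATS = ["theft", "damage", "disclosure"]

# Question 3: what are we going to do about it?
# control name -> set of (thing, threat) pairs it is ASSUMED to address
CONTROLS = {
    "ID badge at entry": {
        ("laptop", "theft"),
        ("confidential printout", "theft"),
        ("confidential printout", "disclosure"),
        ("desktop hard drive", "theft"),
    },
    "laptop RFID exit tag": {("laptop", "theft")},
    "second set of doors": {
        ("laptop", "theft"),
        ("confidential printout", "theft"),
        ("desktop hard drive", "theft"),
    },
    "conference rooms near entryway": {
        ("confidential printout", "disclosure"),
        ("desktop hard drive", "disclosure"),
    },
}


def coverage(things, threats, controls):
    """Return {(thing, threat): sorted list of controls addressing it}.

    Every pair from the cross product appears as a key, so pairs with no
    control show up as empty lists instead of silently disappearing.
    A control that references a thing or threat not in the model is an
    error: it usually means the lists in questions 1 and 2 are incomplete.
    """
    valid = set(product(things, threats))
    table = {pair: [] for pair in valid}
    for name, pairs in controls.items():
        for pair in pairs:
            if pair not in valid:
                raise ValueError(f"control {name!r} references unknown pair {pair!r}")
            table[pair].append(name)
    return {pair: sorted(names) for pair, names in table.items()}


def gaps(table):
    """Question 4: (thing, threat) pairs that no control addresses."""
    return sorted(pair for pair, names in table.items() if not names)


def single_points(table):
    """Pairs that rely on exactly one control, i.e. no defence in depth."""
    return sorted(pair for pair, names in table.items() if len(names) == 1)


def report(things=THINGS, threats=THREATS, controls=CONTROLS):
    """Print the coverage review for a human reader."""
    table = coverage(things, threats, controls)
    for pair, names in sorted(table.items()):
        print(f"{pair[0]:<22} {pair[1]:<11} -> {', '.join(names) or '(no control)'}")
    print("\nUncovered:", gaps(table))
    print("Single control only:", single_points(table))


if __name__ == "__main__":
    report()
```

Running it shows that, with these assumed mappings, nothing on the list addresses "damage" at all and the laptop has no control against disclosure; that is the kind of gap question 4 is meant to surface, and the fix is to go back to question 3 (or to decide the risk is acceptable and record that).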