Where to Start
The simplest threat model is something (Asset) being manipulated by someone or something (Actor), resulting in a threat.
This post deals with the first part of the equation.
What are you protecting? Computer systems are expensive to purchase, but the data on them is usually worth far more. A server and attached disks that cost five thousand dollars new can easily store millions of dollars' worth of data. Before engaging any company for a security assessment, it is imperative to understand exactly what needs to be protected and why.
Data and Data Flow
What is your company’s secret sauce? If you are protecting design documents for a widget, there is a chain of systems that all require protection. The storage system needs to be protected from unauthorized access. The end-user systems used to modify the documents require the same level of protection, and so does the entire network path over which the documents are transmitted. All of this has to be done within a fixed budget and without affecting the company's ability to make money. While Secure Network Management makes money securing networks, most companies do not.
Why would someone want to compromise a computer? Data is valuable, but computers and networks can also be monetized directly. Bitcoin mining malware consumes computing power that should go to legitimate work and drives up electricity usage. Spam malware consumes computing power and network bandwidth, and can get a legitimate business's mail servers or IP addresses blacklisted by other SMTP servers.
Know what your network is. While this sounds easy enough, it is normally one of the limiting factors. That is easy, right? You use that one 10.10.10.0/24 network for all your computers and servers. Done! Well…except that each wireless access point uses a 192.168.1.0/24 network, and the LAN-to-LAN tunnel into the cloud provider's network uses that 10.10.11.0/28 network. And then there is the one guy who brought a wireless router in from home so he could watch movies on his iPad during work…I wish I had made that last one up. Better update all the spreadsheets! Security assessments are garbage in, garbage out: the assessors will only test what is in the scope you provide or authorize, so any network missing from the scope goes untested. If you do not know, or do not have the technical expertise to determine, all of the networks in use, any reputable security or IT support company can review the network fabric. This review should not be a long or costly engagement.
Most organizations underestimate the number of devices on their network by at least 30%. Everything with a network connection is a potential target. Server and computer counts are normally fairly accurate. Printers, scanners, and peripherals are normally underestimated, if they are included at all. Network devices beyond the core switch and router normally do not show up on device spreadsheets. A reasonably accurate device count is easily obtained with a simple network scanner by a competent systems administrator, security company, or IT support company.
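The two paragraphs above describe one task: sweep the network, then compare what answers against the spreadsheet to find both the devices and the subnets nobody wrote down. The script below is an added example, not code from the original post or from Secure Network Management. It assumes the sweep was done with `nmap -sn -oG -` (the real grepable output format) over every network visible in the core router's routing table, and that the spreadsheet exports as a CSV with ip, hostname and type columns. The declared networks, inventory rows and nmap lines are all constructed sample data; the /24 grouping used to name an undeclared subnet is an assumption, since the real mask is exactly what the spreadsheet does not know.

```python
"""Reconcile a host sweep against the asset spreadsheet.

Added example, not from the original post. All input data below is
constructed: the declared networks, the inventory CSV and the nmap
grepable output are sample values, not a real network.
"""
import csv
import io
import ipaddress
import re

# Networks the spreadsheet says exist (constructed sample).
DECLARED_NETWORKS = ["10.10.10.0/24", "10.10.11.0/28"]

# Inventory as exported from the spreadsheet (constructed sample).
INVENTORY_CSV = """ip,hostname,type
10.10.10.1,core-rtr,router
10.10.10.2,core-sw,switch
10.10.10.10,fs01,server
10.10.10.50,ws-alice,workstation
10.10.11.2,cloud-gw,vpn
"""

# Output of `nmap -sn -oG -` (constructed sample in the real format).
# The sweep covered every network in the core router's routing table,
# so it also reached the access point's 192.168.1.0/24 subnet.
NMAP_GREPABLE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.2 ()\tStatus: Up
Host: 10.10.10.10 (fs01.example.internal)\tStatus: Up
Host: 10.10.10.23 ()\tStatus: Up
Host: 10.10.10.50 (ws-alice.example.internal)\tStatus: Up
Host: 10.10.10.77 ()\tStatus: Up
Host: 10.10.11.2 ()\tStatus: Up
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.37 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# Grepable host line: "Host: <ip> (<hostname>)\tStatus: <state>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return {ip: hostname} for every host nmap reported as Up."""
    live = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def load_inventory(csv_text):
    """Return {ip: row} from the spreadsheet export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip(): row for row in reader}


def reconcile(declared, inventory, live):
    """Compare live hosts against the documented hosts and networks."""
    nets = [ipaddress.ip_network(n) for n in declared]

    def ip_key(s):
        return ipaddress.ip_address(s)

    # Devices that answered but are not on the spreadsheet.
    unknown = sorted((ip for ip in live if ip not in inventory), key=ip_key)
    # Spreadsheet entries that did not answer (retired, off, or wrong IP).
    missing = sorted((ip for ip in inventory if ip not in live), key=ip_key)
    # Live hosts outside every declared network reveal undocumented subnets.
    undeclared = set()
    for ip in live:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            # Assumption: name the stray subnet by its /24; the true mask
            # is unknown until someone looks at the device.
            undeclared.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return {
        "live_count": len(live),
        "inventory_count": len(inventory),
        "unknown_hosts": unknown,
        "missing_hosts": missing,
        "undeclared_networks": sorted(undeclared),
        # Share of live hosts the spreadsheet knew nothing about.
        "undocumented_pct": round(100 * len(unknown) / len(live)) if live else 0,
    }


if __name__ == "__main__":
    report = reconcile(DECLARED_NETWORKS,
                       load_inventory(INVENTORY_CSV),
                       parse_grepable(NMAP_GREPABLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the spreadsheet lists five devices, the sweep finds nine, and two of the four unknown hosts sit in a 192.168.1.0/24 that was never declared; that undeclared network is the line item that matters most for scoping, because an assessor given only the declared ranges would never touch it. A ping sweep misses hosts that drop ICMP, so treat the count as a floor, and run it again from inside each segment before finalising the scope.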
You are now a few days into getting an asset list in order. This is a solid investment with or without an assessment: you cannot protect what you do not know about.
End of Step 1: What you know – The networks and devices in use, and the data that is stored, processed, and transmitted on them.