Threat modelling: real-life asset devaluation example
Threat modelling is a risk assessment technique. Simplified, you systematically assess your environment to identify your true assets and the likely adversaries, along with the possible ways for them (the adversaries) to obtain the assets. The main point is to base the analysis in reality, allowing you to identify what is likely to happen while ignoring the ever-present noise. At the end of the process you end up with a prioritised list of threats, and then use your budget (resources) to address the most dangerous one, using one of the mitigation strategies available to you. You then repeat the process until you run out of resources. It is a simple and elegant technique, and one of my favourite security tools.
One of the most useful generic mitigation strategies is asset devaluation. The logic behind the concept is simple. Attackers are typically driven by their desire to obtain assets. If you remove the asset from your environment, or lower its value, then you also remove the reason the attacker is looking at your system. Without the asset to obtain, he will simply go elsewhere.
One of the best examples of asset devaluation is not storing credit card numbers on e-commerce web sites. While some merchants do need to store them, most need the credit card numbers only initially—to process the transactions they were submitted with—and never use them again. What a wonderful opportunity to reduce one's attractiveness to attackers! By removing the credit card numbers from your systems, and telling the adversaries about it, you stay out of trouble.
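To make the two ideas above concrete, here is a small added example (not from the original post) that models the prioritised threat list, the "address the most dangerous threat you can afford, then repeat" budget loop, and asset devaluation. Every asset value, likelihood and mitigation cost is a constructed score chosen for illustration; the risk formula (asset value times likelihood) and the greedy budget loop are assumptions I have made to turn the prose into something runnable, not a method the author describes.

```python
"""Toy threat-model prioritisation with asset devaluation.

Constructed example: all asset values, likelihoods and costs below are
made-up scores, not measurements from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    asset: str            # which asset the adversary is after
    adversary: str        # who is likely to come for it
    path: str             # how they could obtain it
    likelihood: float     # 0..1, estimated chance over the assessment period
    mitigation_cost: int  # budget units needed to address this threat (constructed)


def risk(threat: Threat, asset_values: Dict[str, float]) -> float:
    """Assumed scoring: what the asset is worth to the attacker times how likely the path is."""
    return asset_values[threat.asset] * threat.likelihood


def prioritise(threats: List[Threat], asset_values: Dict[str, float]) -> List[Threat]:
    """The prioritised list: most dangerous threat first."""
    return sorted(threats, key=lambda t: risk(t, asset_values), reverse=True)


def devalue(asset_values: Dict[str, float], asset: str, new_value: float) -> Dict[str, float]:
    """Asset devaluation: the asset stays in the model but is worth far less to an attacker."""
    values = dict(asset_values)
    values[asset] = new_value
    return values


def spend_budget(threats: List[Threat], asset_values: Dict[str, float],
                 budget: int) -> Tuple[List[Threat], int]:
    """Repeatedly address the most dangerous threat you can still afford."""
    remaining = budget
    addressed: List[Threat] = []
    open_threats = prioritise(threats, asset_values)
    while True:
        affordable = [t for t in open_threats if t.mitigation_cost <= remaining]
        if not affordable:
            break                      # out of resources: stop
        top = affordable[0]            # list is already in priority order
        addressed.append(top)
        remaining -= top.mitigation_cost
        open_threats.remove(top)
    return addressed, remaining


# Constructed environment for an e-commerce site (scores are illustrative only).
ASSET_VALUES: Dict[str, float] = {
    "stored card numbers": 10.0,
    "customer e-mail addresses": 4.0,
    "order history": 3.0,
}

THREATS: List[Threat] = [
    Threat("stored card numbers", "carder", "injection flaw in the web application", 0.3, 5),
    Threat("stored card numbers", "carder", "phishing of support staff", 0.2, 3),
    Threat("customer e-mail addresses", "spammer", "leaked database backup", 0.4, 4),
    Threat("order history", "competitor", "credential stuffing", 0.5, 2),
]


def devalued_values() -> Dict[str, float]:
    """After the change: card numbers are used once to process the order and
    then discarded, so only a low-value remnant (e.g. last four digits) remains."""
    return devalue(ASSET_VALUES, "stored card numbers", 0.5)


def plan(asset_values: Dict[str, float], budget: int = 6) -> List[str]:
    """Which threat paths the budget gets spent on, in the order they are addressed."""
    addressed, _ = spend_budget(THREATS, asset_values, budget)
    return [t.path for t in addressed]


if __name__ == "__main__":
    for label, values in (("before devaluation", ASSET_VALUES),
                          ("after devaluation", devalued_values())):
        print(label)
        for t in prioritise(THREATS, values):
            print(f"  {risk(t, values):4.2f}  {t.asset:26s} via {t.path}")
        print("  budget spent on:", plan(values))
```

Run as-is and the output shows the point of the post: before devaluation the whole budget goes to one expensive card-number threat and nothing else gets fixed; once the card numbers are no longer stored, those threats drop to the bottom of the list and the same budget covers two other threats instead.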
Although I've used this example many times during my talks on threat modelling, yesterday was the first time I actually saw the technique used in real life, as I was making a purchase from Introversion, an indie game developer from Britain. Here's a partial screenshot:
An added bonus is that this kind of thinking also makes consumers happy. When I saw the note, I instantly perked up, happy in knowing my beloved credit card number is not going to be stored at yet another web site.
Wouldn't it be great if all web sites disclosed details of their inner workings in a similar manner?