1 00:00:00,005 --> 00:00:02,004 - [Narrator] Organizations face many different 2 00:00:02,004 --> 00:00:05,000 kinds of threats and it's often difficult 3 00:00:05,000 --> 00:00:07,000 to keep track of them all and identify 4 00:00:07,000 --> 00:00:09,007 those that pose the greatest risk. 5 00:00:09,007 --> 00:00:12,008 Security professionals use threat modeling techniques 6 00:00:12,008 --> 00:00:16,004 to identify and prioritize threats and assist 7 00:00:16,004 --> 00:00:19,004 in the implementation of security controls. 8 00:00:19,004 --> 00:00:22,005 When identifying potential threats to an organization, 9 00:00:22,005 --> 00:00:26,004 security professionals should use a structured approach. 10 00:00:26,004 --> 00:00:28,002 Don't just sit down and start thinking of all 11 00:00:28,002 --> 00:00:30,001 the things that could go wrong. 12 00:00:30,001 --> 00:00:32,006 It's too easy to leave things out with that type of 13 00:00:32,006 --> 00:00:35,006 haphazard approach to threat identification. 14 00:00:35,006 --> 00:00:38,005 Instead, conduct a structured walk-through 15 00:00:38,005 --> 00:00:41,007 of the potential threats to information and systems. 16 00:00:41,007 --> 00:00:44,002 Let's look at 3 ways that an organization 17 00:00:44,002 --> 00:00:47,006 can use a structured approach to threat identification. 18 00:00:47,006 --> 00:00:52,003 First, an organization can use an asset-focused approach. 19 00:00:52,003 --> 00:00:55,003 In this approach, analysts use the organization's 20 00:00:55,003 --> 00:00:59,001 asset inventory as the basis for their analysis 21 00:00:59,001 --> 00:01:02,007 and walk through, asset by asset identifying 22 00:01:02,007 --> 00:01:05,006 the potential threats to each asset. 23 00:01:05,006 --> 00:01:07,009 For example, when they get to the organization's 24 00:01:07,009 --> 00:01:10,006 web presence, they might identify the severing 25 00:01:10,006 --> 00:01:13,001 of a single fiber-optic cable as a threat 26 00:01:13,001 --> 00:01:16,000 to the continued availability of the website. 27 00:01:16,000 --> 00:01:20,005 Second, an organization can use a threat-focused approach. 28 00:01:20,005 --> 00:01:22,008 Using this method, the organization thinks 29 00:01:22,008 --> 00:01:25,009 of all the possible threats out there and then 30 00:01:25,009 --> 00:01:28,002 thinks through how those threats might affect 31 00:01:28,002 --> 00:01:31,002 different organizational information systems. 32 00:01:31,002 --> 00:01:35,000 For example, analysts might list the threat of a hacker 33 00:01:35,000 --> 00:01:37,003 and then think through all of the ways that a hacker 34 00:01:37,003 --> 00:01:39,009 might try to gain access to their network. 35 00:01:39,009 --> 00:01:43,001 Threats to an organization may include a wide spectrum 36 00:01:43,001 --> 00:01:47,008 of groups ranging from known adversaries to contractors, 37 00:01:47,008 --> 00:01:51,004 trusted partners and even rogue employees. 38 00:01:51,004 --> 00:01:55,008 Finally, an organization can use a service-focused approach. 39 00:01:55,008 --> 00:01:58,006 This is more commonly used by service providers 40 00:01:58,006 --> 00:02:02,006 who offer services over the Internet to other organizations. 41 00:02:02,006 --> 00:02:06,001 For example, an organization that exposes an API 42 00:02:06,001 --> 00:02:08,004 to the public, might think through all 43 00:02:08,004 --> 00:02:11,000 of the interfaces offered by that API 44 00:02:11,000 --> 00:02:13,009 and the threats that could affect each interface. 45 00:02:13,009 --> 00:02:16,001 This identification of all the threats 46 00:02:16,001 --> 00:02:18,006 facing an organization is the first step 47 00:02:18,006 --> 00:02:21,002 in the threat modeling process.