Welcome to our threat modeling module. Threat modeling is a system that we can use to provide a structured approach to making informed decisions about risk management.
The first step is to assess the scope of our threat modeling: whether we will be looking at our software, hardware, or processes, or all of these. We should then determine our threat agents, which could be our adversaries, our employees, or the partners or contractors that work for the organization. We then need to look at possible attacks, such as social engineering attacks, spoofing, or data exfiltration attacks, where someone steals data that they are not entitled to. We then need to understand the countermeasures that we already have in place and locate the exploitable vulnerabilities that an individual may be able to take advantage of. Once we've come up with our risks, we have to prioritize them based on the likelihood of them occurring and their impact. We should always address the most severe risks first rather than simply addressing the risks in the order in which they were identified. We should then identify countermeasures that we can use to reduce the threats to our organization.
Microsoft provides a threat modeling solution known as STRIDE, which is an acronym for the common threats that you might experience: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. This is a free tool that can be downloaded from the Microsoft Download Center, and it is basically a trimmed-down version of Visio that can be used to create dataflow diagrams. You can use this tool to create your dataflow diagram model, analyze the model for any potential threats, determine the threats that have been mitigated, record threat model information, and then continue to mitigate your remaining threats. You may see STRIDE on the CISSP examination as a potential threat modeling solution that is offered by Microsoft free of charge.
When you're working with risks using threat modeling, you have to identify the risks not only to your hardware and software, but also to your operations and your employees. You'll have to identify threats and threat agents, such as external threats from hackers, your adversaries or competitors; insider threats from disgruntled employees, partners, or even contractors; and environmental threats such as earthquakes, tornadoes, or other severe weather situations. You should determine and diagram your potential attacks, such as spoofing or impersonation attacks, social engineering attacks, and so on. Then perform reduction analysis to determine the most cost-effective mitigation techniques to reduce the risks to your organization. You should then evaluate technologies, processes, and controls that you can use to remediate the threats, such as software architecture or operational changes.
This concludes our threat modeling module. Thank you for watching.
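
The workflow described in this module (diagram the data flows, enumerate STRIDE threats, record which are already mitigated, then rank the remainder by likelihood and impact), as an added example that is not part of the original narration or of any Microsoft tool. The element names, 1-5 ratings and countermeasures are constructed, and the per-element category chart follows the commonly published STRIDE-per-element mapping, which goes beyond what the module itself states.

```python
"""Added example: STRIDE pass over a constructed data flow diagram (DFD)."""
from dataclasses import dataclass, field

# STRIDE-per-element chart: threat categories usually considered per DFD element type.
# Repudiation on a data store mainly matters when the store holds logs or audit data.
STRIDE_BY_KIND = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}

@dataclass
class Element:
    name: str
    kind: str
    likelihood: int  # 1-5, constructed rating (assumption: one rating per element)
    impact: int      # 1-5, constructed rating
    mitigated: dict = field(default_factory=dict)  # category -> existing countermeasure

# Constructed sample model: a browser talking to a web app backed by a database.
MODEL = [
    Element("Customer browser", "external_entity", 4, 3, {"Spoofing": "MFA"}),
    Element("Web application", "process", 3, 5,
            {"Tampering": "input validation",
             "Elevation of privilege": "least-privilege service account"}),
    Element("Orders database", "data_store", 2, 5,
            {"Information disclosure": "encryption at rest"}),
    Element("Browser to web app request", "data_flow", 4, 4,
            {"Tampering": "TLS", "Information disclosure": "TLS"}),
]

def enumerate_threats(model):
    """One record per (element, STRIDE category), with risk score and countermeasure."""
    return [{"element": e.name, "category": cat, "risk": e.likelihood * e.impact,
             "countermeasure": e.mitigated.get(cat)}
            for e in model for cat in STRIDE_BY_KIND[e.kind]]

def open_threats(model):
    """Unmitigated threats, most severe first rather than in discovery order."""
    remaining = [t for t in enumerate_threats(model) if t["countermeasure"] is None]
    return sorted(remaining, key=lambda t: (-t["risk"], t["element"], t["category"]))

if __name__ == "__main__":
    for t in open_threats(MODEL):
        print(f'{t["risk"]:>2}  {t["category"]:<24} {t["element"]}')
```

The ranked output is the list of remaining threats to mitigate, with the unprotected request flow's denial-of-service exposure ahead of the web application's open categories.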