How to Build a Threat Assessment Model

Increased cybersecurity threats such as ransomware, phishing, and DDoS attacks underscore a critical need for companies to invest in the appropriate cyber defenses to protect their digital assets. Building and optimizing a threat assessment model can help your company better understand the IT threat landscape and achieve the most efficient protection for your digital assets.

 

Considerations for Building a Threat Assessment Model

A comprehensive threat assessment model defines the most critical vulnerabilities amongst your company’s IT infrastructure. Ideally, your cybersecurity efforts should focus on minimizing risks to your critical assets and reducing gaps in related vulnerabilities.

One of the crucial considerations in building a threat assessment model is first defining risks to your critical digital assets. To cover baseline cybersecurity and compliance requirements, you’ll especially need to consider:

• Personally Identifiable Information (PII)
• Critical networks and applications

Once constructed, your threat assessment model will help manage risks, mitigate threats to valuable digital assets, and minimize disruptions to company operations.

 

Risk Assessment and Threat Assessment Model Building

The broader strategy for threat assessment modeling applies regardless of your organization’s various industry, client base, operational, and other factors. Understanding how to conduct a threat assessment begins with risk assessment and threat intelligence.

Conducting a risk assessment relies on identifying digital and physical IT assets’ vulnerabilities, evaluating the likelihood and impact of attack occurrence, and ranking these risks’ priority accordingly. For guidance, organizations conducting risk assessments should refer to the National Institute of Technology’s (NIST) Special Publication 800-30 (SP 800-30) Revision 1: Guide for Conducting Risk Assessments.

Note that the most up-to-date version of SP 800-30, published in 2012, is denoted at “Revision 1” or “Rev. 1” and supersedes the original 2002 publication: Risk Management Guide for Information Technology Systems.

 

Request a Free Consultation

 

Utilizing Risk Assessments for Threat Assessment Modeling

Risk assessments (and current threat intelligence) are foundational to threat assessment modeling; you can’t assess threats or build a model without knowing their targets, methods, and commonly exploited vulnerabilities.

Leveraging this information allows you to build your model. According to the Open Web Application Security Project (OWASP), a threat assessment model includes:

• The modeled subject’s definition and description, which can be derived from your risk assessment model
  • A comprehensive model should account for both your holistic IT environment and its various segmentations and components. A wise strategy for building your model would be to work through the list of risks identified in your risk assessment model from highest to lowest priority.
• Any assumptions subject to revision pending future technology, threat, and cybersecurity developments
• The compiled list of potential threats, including attack methods, which should be comprehensively identified during the risk assessment phase
• Threat monitoring and hunting efforts (e.g., your security information and event management (SIEM) system)
• Your threat response action plan and processes for validation
• Processes for verifying successful threat response

You should consider your threat assessment model as a pragmatic guide for informed decision-making regarding what to protect, from what, and how to protect it. To maintain up-to-date models, your organization should review them periodically and after significant updates or changes.

 

The Importance of Threat Assessment for PII

A threat assessment model can help build security protocols to provide the necessary protections for sensitive data. Aside from intellectual property, most companies at high risk for cyber threats deal with individuals’ data, specifically personally identifiable information (PII).

The most common forms of PII, as covered by various regulations, include:

• Protected health information (PHI), protected by HIPAA
• Cardholder data (CHD), protected by the PCI DSS
• Data of—or pertaining to—European Union citizens, protected by the EU GDPR 
• Data rights for individuals residing in California, protected by the CCPA 

The compliance requirements stipulated in these regulations ensure that companies adequately protect individuals’ sensitive data and serve as excellent guidelines for assessing risk and building a robust threat assessment model. 

 

Protected Health Information (PHI)

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), organizations that process PHI, including covered entities (e.g., providers, plans, clearinghouses) and their business associates, need to maintain security, integrity, and confidentiality for all forms of PHI. Covered entities must build risk management portfolios containing robust a threat assessment model, given the high rates of healthcare data breaches.

As a covered entity or business associate thereof, a threat assessment model can help your company achieve HIPAA compliance by:

• Identifying vulnerabilities in the storage, transmission, or processing of PHI, per the HIPAA Privacy Rule. Some of the critical uses and disclosures of PHI that require protection include:
  • Transactions covered under the HIPAA Transactions Rule such as claims, inquiries for benefits eligibility, or referral authorization requests, regardless of whether a health care provider directly transmits PHI or uses a third-party service
  • Activities conducted by business associates of covered entities that involve the use or disclosure of PHI, including but not limited to data analysis, billing, processing of claims 
• Identifying vulnerabilities to electronic PHI (ePHI) within a diverse and evolving IT environment, as covered by the HIPAA Security Rule. Some of the critical measures covered entities should consider for HIPAA Security Rule compliance include:
  • Organization size and complexity
  • Technical aspects of an organization’s hardware and existing software implementations
  • Potential risks to ePHI and the anticipated damages of any materializing threats
• Establishing administrative, physical, and technical safeguards for ePHI as prescribed by the HIPAA Security Rule, covering:
  • Security management for identifying potential risks to ePHI and preventive measures for minimizing risk
  • Staffing of security personnel to implement security practices
  • Access control measures to minimize unauthorized access to ePHI
  • Training of organization workforce in the proper implementation of ePHI security protocols
  • Evaluation and assessment of cybersecurity policies and procedures
  • Limitations to physical access of ePHI
  • Adequate protections for ePHI access points such as workstations and devices
  • Access and activity audit logs monitoring all ePHI, data alterations, and related transactions
  • Checks for proper disposal of ePHI
  • Proper transmission of ePHI across covered entities
• Ensuring the timely reporting of any threats resulting in breaches to PHI, as specified by the Breach Notification Rule. Covered entities must report any breaches to the affected individuals, the Secretary of Health and Human Services, or local media outlets when 500 or more individuals are affected.

It is critical for covered entities and their business associates to comply with HIPAA rules, ensuring sufficient protections for PHI. HIPAA non-compliance can result in serious legal, financial, and reputational consequences, per the Enforcement Rule. 

A threat assessment model can help your company achieve required HIPAA compliance and provide necessary PHI protections. Working with a HIPAA-knowledgeable MSSP can help navigate any HIPAA complexities and mitigate any threats to valuable PHI. 

 

Cardholder Data (CHD)

Like PHI, cardholder data (CHD) is frequently targeted by threat actors, with significant breaches at major organizations in recent years. A threat assessment model can help companies in the payment card industry identify and mitigate threats to CHD, using the PCI DSS compliance requirements to guide efforts.

PCI DSS compliance covers all organizations that collect, process, store, or transmit CHD, as well as the software and applications facilitating these transactions. A threat assessment model can help identify and address CHD vulnerabilities, including:

• Unsecured CHD transmission – Assessing network security controls can identify broken firewall configurations and potentially malicious external traffic, limiting exposure of CHD environments to unsecured public networks. Identifying cryptographic failures, such as the use of default or vendor-supplied passwords, can also prevent security vulnerabilities. 
• Limited CHD encryptions – Identifying unnecessary storage of CHD for non-business needs and the misuse of cryptographic keys under poorly documented and managed processes can prevent encryption failures and minimize data breach risks. Identifying unsecured transmission protocols wherein CHD is exposed to public networks can also prevent breaches.
• Outdated security software and applications – Detecting areas within your IT networks with outdated or disabled anti-virus software and mechanisms can help prevent malware from affecting CHD. Identifying poorly documented or dysfunctional security policies can provide insight into sources of exploitable vulnerabilities.
  • Similarly, identifying areas in the network with uninstalled security updates can help address patch management and minimize evolving threats.
• Poor access control measures – Identifying sources of cryptographic and access control failures including, but not limited to:
  • Unrestricted access for least privilege user accounts
  • Single-factor authentication to access CHD environment
  • Use of non-unique IDs
  • Low complexity password usage
  • Poor or limited documentation of security policies
  • Unrestricted physical access to servers containing CHD
• Limited vulnerability testing – Testing user access and activity within CHD environments to identify unusual activity, including:
  • Invalid access attempts
  • Modifications to administrator privileges such as addition, deletion, or elevation 
  • Altered access or activity logs

A threat assessment model can help address these vulnerabilities linked to PCI DSS non-compliance, preventing your company from the associated legal, financial, and reputational consequences or data breaches, should they occur.

 

Personal Data by Customer Location—GDPR

Unlike PCI DSS protections for CHD that cover any company, regardless of size and industry, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) protect the rights of data belonging to citizens of EU Member states and California, respectively.

Companies working with data belonging to customers in these locations should build a threat assessment model informed by the compliance guidelines stipulated under the GDPR and CCPA.

The most critical GDPR rights are listed in Chapter 3 (Articles 12-23) and require companies to:

• Provide transparency and communicate about the modalities surrounding the exercise of data subjects’ rights.
• Provide information on the collection of personal data from data subjects, specifically whether data has been collected or not.
• Provides data subjects the right to access their data.
• Allow data subjects to rectify and erase personal data, or restrict the processing of their data.
• Provide data to data subjects in an easily accessible format.
• Allow data subjects to object to the processing of personal data.

Failure to comply with the GDPR could result in significant penalties and fines, as high as €20 million or 4% of a company’s total global revenue, whichever is higher. A threat assessment model can help manage potential vulnerabilities in the processing of personal data, per GDPR stipulations, minimizing the risk of any unforeseen data breaches.

 

Personal Data by Customer Location—CCPA

Similar to the GDPR, the CCPA ensures companies protect data subjects’ rights to:

• Request disclosures around companies’ collection and usage of personal data, including data sources, categories, purposes, and any third parties with access to the data  
• Have their personal data deleted at any time
• Opt out of having their personal data collected
• Non-discrimination when exercising their CCPA rights

Companies subject to the CCPA can utilize a threat assessment model to identify and mitigate CCPA compliance risks, ensuring adequate customer data protection.

Working with an experienced GDPR and CCPA compliance partner can help your company avoid evolving threats to sensitive customer data and potential non-compliance penalties.

 

Threat Assessment Modeling for Critical Applications and Networks

Companies should account for applications and networks critical to core operational functions when building threat assessment models. Penetration testing may be used to inform and later evaluate the model, assessing cyberdefenses for:

• Web applications, including email and web browsers
• External networks, including firewalls, operating systems, and routers
• Internal networks, including local area network (LAN) infrastructure
• Wireless networks, including access points

 

Refining and Utilizing Threat Assessment Models for Applications and Networks

Your company could build and refine a threat assessment model by performing or implementing:

• • Penetration testing – Simulating threat attacks and thinking like a hacker could generate insight on targetable vulnerabilities in your company’s networks and applications. “Pen testing” the security infrastructure protecting digital assets most critical to business operations will guide ongoing risk and threat assessments.
  • Cloud security – Minimizing exploitable gaps in cloud infrastructure can also significantly reduce the risk of cyberattacks. A cloud risk assessment can identify flawed security architecture, API security gaps, and unusual cloud traffic. Working with a cloud security partner can survey existing security measures and help optimize your cloud risk assessment program, ultimately informing your model.
  • Patch management – The timely installation of security updates to your company’s networks and applications can help identify an evolving threat and prevent an attack from materializing. Conducting log assessments during patch installation can also help identify sources of gaps and vulnerabilities, guiding your company’s patch management protocols.
  • Well-defined patch management policies and practices are integral to your company’s model remaining up-to-date.

Given their broad applications, working with a managed security services provider (MSSP) can help your company build and then leverage its model to optimize cybersecurity measures. A key element is implementing threat assessment training to ensure that an internal cybersecurity team can assess the risks to critical data, applications, and networks, monitor and identify these risks, and then respond to them.

 

Optimize Cyberdefenses with Effective Threat Assessment Models

Whether your most critical digital assets are data, networks, or applications, a threat assessment model can help mitigate impending cyber threats. Regardless of industry, threat assessment modeling is critical to understanding the nature of cyber threats you’re faced with and building timely and appropriate defenses for fast-evolving threats.

To learn more about building a threat assessment model, contact RSI Security today for a free consultation.