First, a little context in case you haven’t been following the story.
At the HOPEX conference last month, a researcher by the name of Jonathan Zdziarski delivered a presentation called “Identifying Back Doors, Attack Points and Surveillance Mechanisms in iOS Devices.” There was a lot of press coverage about how Apple’s devices have back doors used by the NSA to steal your data and a fair amount of backlash from the information security community about the accuracy of Zdziarski’s findings.
I, for one, am often enthralled by the details on a topic like this. I like a good disagreement along with detailed analysis, and then analysis of that analysis. Throw in a wide range of 140 character opinions and it’s a regular party.
There is, however, a larger topic for the information security community as a whole that this particular debate highlights. While this research is about Apple, we should really be talking about threat modeling. Regardless of intent, what Zdziarski points out is a potential shift in the probability of a specific set of threat actors.
If you are in information security, you should be familiar with threat modeling as a means of identifying and prioritizing risk. Threat models can be used in a variety of ways, from a component of the SSDLC to more expansive risk and mitigation prioritization. Regardless of the use case, a complete threat model includes the identification of possible threat actors. Definitions differ, but a threat actor is essentially the individual or group that carries out an attack.
Underlying the research about Apple’s backdoor or diagnostic utilities is the implication of a new threat actor for organizations to consider when they conduct a threat modeling exercise. Strictly speaking, this research doesn’t introduce a brand new threat actor, but it represents another point in a trend towards the expansion of probable threat actors for the enterprise to consider.
We’re used to thinking about criminals as threat actors, including organized crime, hacktivists and even lone attackers. We’ve come to grips with the idea of insider threat, whether malicious or accidental. We’ve quite recently started to deal with nation-states as threat actors, including our very own. The vendors themselves, however, are not routinely identified as probable threat actors.
In this context, it doesn’t matter whether Apple intentionally put in utilities for snooping, for diagnostics, or for some other reason. The question itself forces the consideration of a ‘vendor’ class of threat actor. Don’t forget about Huawei, which came under fire as a potential threat actor not too long ago. There are also the recent questions about whether Microsoft is complicit in government data collection schemes.
While we might inherently want to focus on malicious intent, a threat actor isn’t necessarily out to do you harm intentionally. A good threat model should consider the non-malicious agents of threat too. Even something as simple as diagnostic data collection might cause significant outages if misused. Take the example of Google and Android battery life. Interestingly, the addition of malicious intent does present a possible attack scenario in which a battery-based denial of service is induced on a population in order to prevent effective incident response.
This shift in threat actor visibility and consideration has generated some interesting market moves, as well. The amount of attention paid to encrypted communications has certainly escalated. The release announcement by Open Whisper Systems of their encrypted voice communications for iPhone is one example. At the other end of the spectrum is the very recent acquisition of a German cryptography company by Blackberry.
In the end, keeping current on these kinds of trends is a requirement for accurate threat modeling. A threat model isn’t static once generated. Just as new vulnerabilities can appear in your environment because of external changes, so does the threat model shift as probable actors move and threat intelligence changes. In order to effectively defend against threats, you have to adapt the threat model to the changing environment.