IriusRisk Team | The Threat Modeling Experts
December 21, 2022

Threat Modeling Terminology

Threat Modeling Lingo

Are you looking to get familiar with the threat modeling lingo? Check out this guide below to get you started with your threat modeling journey.

  • Asset - The things you care about, such as sensitive information, e.g. PCI or PII data
  • Attack - A real or hypothetical action or assault attempted by a cybercriminal, such as an attack on your company network
  • Boundary - (see Trust Zone)
  • Business Unit - A group of users and Products within the system. With basic permissions, users only have access to the Products in their Business Unit, limited to the role they have been assigned
  • Components - Parts that make up the representation such as an EC2 instance or an API or even a function within a web application. Components can be nested within each other
  • Content Library - A knowledge base of Risk Patterns, where each pattern consists of a logical group of security threats, weaknesses and countermeasures
  • Controls - (see Countermeasures)
  • Countermeasures - Actions that can be implemented to reduce the impact or likelihood of a threat
  • Data Flows - How information and assets move around between components
  • Design Flaw - A defect in a product
  • Impact - An assessment of the damage something could cause, such as the impact of not having a firewall in place. Equally, implementing a countermeasure can reduce the potential impact of an action or an attack
  • Mitigations - (see Countermeasures)
  • Project metadata - Name, identifier, description, owner of the thing you’re threat modeling
  • Questionnaire - IriusRisk provides contextual questionnaires for each component; depending on the responses, specific threats and countermeasures that would otherwise go undetected can be inferred
  • RBAC / Role-Based Access Control - A means of restricting access to users based upon their roles, such as Admin
  • Representations - A perspective on the thing being threat modeled, e.g. architecture diagram, data flow diagram, source code, JIRA story, user interface
  • Reports - Periodically, throughout the lifecycle of a project, teams might want to generate executive reports to inform stakeholders internally and provide them with the information they need. These can be generated for various use-cases, such as a compliance summary or a verbose report of all countermeasures identified
  • Risk - Another way of saying your company’s exposure to danger or threats and the potential impact
  • Risk Score - A metric to assess how high your business’s level of risk is
  • Template - Templates can be created from scratch or generated from pre-existing projects to streamline the creation of future threat models. Templates are often used to provide the skeleton of a threat model to give colleagues a head start in canvassing the diagram
  • Threats - The things that can go wrong
  • Standards - Every industry and country has its own standards to adhere to or consider, from healthcare and finance to government organizations, such as GDPR. Multiple Standards are included automatically within IriusRisk, but companies can also add their own more unique standards or requirements
  • Trust Zone - The differing levels of security and trust, e.g. Internet vs Web vs App vs Data tier
  • Versioning - Systems change and evolve over time; using versioning, organizations can retain historical representations of a threat model in IriusRisk, whilst working on the current design
  • Vulnerability - How exposed a particular item or area is, or how likely it is to be hacked

Some IriusRisk Terms

  • OTM / Open Threat Model - The Open Threat Model (OTM) standard is a generic and tool-agnostic way of describing a threat model in a format that is simple to use and understand
  • Project - In IriusRisk this refers to an actual Threat Model and its associated metadata
  • Risk Patterns - Risk patterns are reusable collections of use-cases, threats, weaknesses and countermeasures that can be imported into a threat model as a unit
  • Rules Engine - The IriusRisk rules engine automatically generates risk and countermeasures, based upon your questionnaire answers or your populated threat model
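The OTM layout and the Component, Data Flow and Trust Zone terms above, tied together as an added example that is not IriusRisk's own code: a small constructed OTM-style model held in Python dicts, plus a check that lists every data flow crossing a trust-zone boundary (the boundaries a threat model most needs to look at). The OTM field names used here are my reading of the standard's layout and are an assumption, as are the sample components, zones and trust ratings.

```python
from typing import Dict, List

# Constructed sample model in the OTM layout (field names assumed here, not a real system).
OTM_MODEL = {
    "otmVersion": "0.1.0",
    "project": {"name": "Sample web shop", "id": "sample-shop",
                "description": "Constructed sample for illustration", "owner": "Example team"},
    "representations": [{"name": "Architecture diagram", "id": "arch-diagram", "type": "diagram"}],
    "trustZones": [  # higher trustRating = more trusted, mirroring the Internet/Web/App/Data tiering
        {"id": "internet", "name": "Internet", "risk": {"trustRating": 1}},
        {"id": "web-tier", "name": "Web tier", "risk": {"trustRating": 5}},
        {"id": "data-tier", "name": "Data tier", "risk": {"trustRating": 9}},
    ],
    "components": [  # a component's parent is either a trust zone or another (nesting) component
        {"id": "browser", "name": "Customer browser", "type": "generic-client", "parent": {"trustZone": "internet"}},
        {"id": "api", "name": "Shop API", "type": "web-service", "parent": {"trustZone": "web-tier"}},
        {"id": "orders-fn", "name": "Order handler", "type": "function", "parent": {"component": "api"}},
        {"id": "db", "name": "Orders DB (holds PII)", "type": "database", "parent": {"trustZone": "data-tier"}},
    ],
    "dataflows": [
        {"id": "df-1", "name": "Checkout request", "source": "browser", "destination": "api"},
        {"id": "df-2", "name": "Order write", "source": "orders-fn", "destination": "db"},
        {"id": "df-3", "name": "Internal call", "source": "api", "destination": "orders-fn"},
    ],
}

def component_zones(model: dict) -> Dict[str, str]:
    """Map every component id to the trust zone containing it, walking up nested parents."""
    by_id = {c["id"]: c for c in model["components"]}

    def zone_of(comp_id: str) -> str:
        parent = by_id[comp_id]["parent"]
        if "trustZone" in parent:
            return parent["trustZone"]
        return zone_of(parent["component"])  # nested component: inherit the enclosing component's zone

    return {cid: zone_of(cid) for cid in by_id}

def boundary_crossings(model: dict) -> List[dict]:
    """List data flows whose endpoints sit in different trust zones, with the trust-rating delta."""
    zones = component_zones(model)
    rating = {tz["id"]: tz["risk"]["trustRating"] for tz in model["trustZones"]}
    crossings = []
    for flow in model["dataflows"]:
        src, dst = zones[flow["source"]], zones[flow["destination"]]
        if src != dst:  # a flow that stays inside one zone never crosses a boundary
            crossings.append({"flow": flow["id"], "from": src, "to": dst,
                              "trust_delta": rating[dst] - rating[src]})
    return crossings
```

Each crossing returned is a place where the questionnaire and rules engine would be expected to raise threats and countermeasures for the data flow; a positive trust delta means data is entering a more trusted zone.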

What next?

Check out our blog ‘What is Threat Modeling’ for some additional tips. Or, if you have already started threat modeling and want to evolve your efforts, read the blog ‘Evolving Threat Modeling’ from one of IriusRisk’s experienced Solution Architects.