Threat Modeling Vs. Vulnerability Management
Although threat modeling and vulnerability management help businesses secure data infrastructures and services, there are differences.
This article discusses the differences between threat modeling and vulnerability management. We look at the pros and cons of each concept regarding information security.
What Is Threat Modeling
Threat modeling exposes existing attack surfaces, defines how malicious users could leverage attack surfaces to access and retrieve information restricted to unauthorized users or disrupt services to consumers and how to prevent malicious users from using these attack surfaces to achieve their purpose.
Usually, developers work together with security engineers to research and develop preventive solutions against possible attacks. During the development phase or stage, both teams analyze diverse ways a malicious user would try by-pass an authentication system to access data belonging to authorized users.
Assuming we are designing a REST API to feed consumers interested in stock exchange data. The REST API service offers freemium and premium services. Users can subscribe to both freemium and paid services.
Before a user (as a freemium or premium user) executes a GET request or command to retrieve data, the user needs to generate a service token. This service token defines the type of account - whether freemium or premium. Then users issue GET requests with their service tokens to retrieve data from the API service.
At this stage, developers and the infosec team look at different ways a malicious user issues HTTP requests without generating a service token. For instance, an attacker or even a freemium user can use one of the following ways to access data belonging to paid subscribers:
- IDOR ( Indirect Request Object): A freemium user can access a premium user's account by manipulating the user's ID.
- Duplicate API service token: Some REST API services generate sequential tokens. If the REST API service assigns sequential tokens to subscribed users, then hackers or malicious users can forcefully generate a service token for themselves without requesting a service token.
- Some users prefer to store service tokens in files on their laptops or workstations - because some API services do not generate a new service token after a user generates a service token during an API subscription. Attackers can programmatically retrieve a user's service token.
Finally, both teams analyze to choose appropriate preventive solutions to mitigate every possible attack against the REST API authentication service.
Pros of Threat Modeling
The following discusses the advantages of threat modeling:
- Discover Obvious and Subtle Attack Surfaces: Every developer knows that users need to log in (i.e. submit username/email address and passwords ) to use a web service. Without valid credentials, access is denied. However, it's possible to get credentials belonging to a registered user via keylogging. In this case, developers can include conditional access features to the authentication system.
- Decreases Incident Response Time: Threat modeling exposes existing attack surfaces likely to be used by attackers. When the SOC team identifies an IOC, they know where to look and how to resolve or mitigate it.
- Comply with Privacy Regulations: Privacy regulations like HIPAA and PCI-DSS expect businesses not to expose sensitive information ( or what is known as PII) to unauthorized users. Since threat modeling reveals different ways to compromise a data infrastructure, businesses comply with privacy policies by applying preventive solutions to prevent data breaches.
Cons of Threat Modeling
Although threat modeling exposes different ways to attack business assets, there are systems or services not directly accessible by developers and the security team.
For instance, enterprises rely on third-party API services to transact business with customers. Assuming the payment API is vulnerable due to misconfigurations, both the development team and SOC team can do nothing about it unless the owner of the third-party API is notified to resolve the issue.
What Is Vulnerability Management
On the other hand, vulnerability management is performed periodically and not during the development phase or stage. The Infosec team examines the entire production environment ( and sometimes even the testing environment ) to check if some services are vulnerable or not.
Assuming the team discovered that some services are vulnerable, they analyze each vulnerability to decide whether to rank it as severe or not severe. From my experience, some scanners like Nessus often return false positives and negative positives. Not all vulnerabilities discovered by scanners like Nessus are exploitable. You might even notice that some vulnerabilities reported by Nessus do not even exist!
At the remediation stage, the Infosec team works with the development team ( including the DevOps team ) to discuss whether some vulnerabilities require preventive solutions.
This process continues periodically until CISO officers decide there is no need for a vulnerability management program.
Pros of Vulnerability Management
The following discusses the advantages of vulnerability management:
- Bird's -Eye View of Enterprise Workloads
Vulnerability management gives SOC team complete visibility of enterprise assets. You know which workloads are vulnerable but not exploitable and those that are vulnerable and also exploitable. For instance, Nessus reported that my Nginx server version information is publicly accessible, and port 22 ( for SSH service ) on my database server is not restricted. I ignored the "Nginx server version info" vulnerability report because my Nginx server was not vulnerable then. To prevent unauthorized access to my database server via SSH, I placed a bastion host in front of my database server to restrict access.
- Sustain Business Reputation
Investing time and money to perform extensive vulnerability management is a sure way to prevent data breaches. Several businesses experienced data breaches due to misconfiguration and inappropriate RBAC permissions. Scanning for vulnerabilities across enterprise workloads ensures that vulnerable assets are remediated quickly to prevent data breaches.
- Comply with Privacy Regulations
Businesses that do not comply with or violate privacy regulations like HIPAA face penalties from privacy authorities. Vulnerability management ensures your business is in line with HIPAA and co.
Cons of Vulnerability Management
- Excess False Positives
Depending on the type of vulnerability scanners used for performing vulnerability management, the security team has to filter out false positives and focus on the "true vulnerabilities" reported by Nesssus and other scanners.
In this case, the security team should rely on their experience over the years to decide whether vulnerabilities reported by Nessus exist in their system.
Subscribe to my newsletter
Read articles from Michael K. Aboagye directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Michael K. Aboagye
Michael K. Aboagye
Founder of Ring3 Systems -: Build opensource security tools to monitor and mitigate cyber attacks at the kernel and firmware level.