Welcome to the fourth article in the “How to be a better Threat Modeler” series.
We started the series by identifying three primary skills required of Threat Modelers:
- Good knowledge of common security risks and mitigations
- The ability to recognize threats to both the Infrastructure and Applications, and a good understanding of the various approaches to mitigate them by applying the best of both worlds (in other words, the application of a holistic approach)
- A critical mindset, never assuming
We have already addressed the first two skills, respectively with an article entitled Knowing Risks and Mitigations and with the one about The Importance of the Holistic Approach. Now it is time to delve into the Critical Mindset.
Critical thinking is the analysis of facts to form a judgment.[1] The subject is complex, and several different definitions exist, which generally include the rational, skeptical, unbiased analysis, or evaluation of factual evidence. Critical thinking is self-directed, self-disciplined, self-monitored, and self-corrective thinking.[2] It presupposes assent to rigorous standards of excellence and mindful command of their use. It entails effective communication and problem-solving abilities as well as a commitment to overcome native egocentrism[3][4] and sociocentrism.
From https://en.wikipedia.org/wiki/Critical_thinking
This definition is particularly enlightening. I know people who mistake some aprioristic destructive approach for critical thinking, and even some organizations who reward those who oppose any idea by principle, believing that this would make them look smarter. Critical thinking is quite the opposite because it requires an unbiased approach, based on the awareness that you have limits you have to overcome. It is more about working on yourself than about dismantling someone else’s ideas.
Another interesting read about critical thinking is an article published on Huffpost in 2011, by Christine M. Riordan, entitled “It’s a Matter of Mindset: Ten Principles for Unleashing Critical Thinking”. This article identified ten different principles underlying a critical thinking mindset:
- View problems as an exciting challenge.
- Act courageously and take risks.
- Don’t use excuses.
- Blink, which is about acting even when you do not have enough information.
- Learn and question.
- Think at the organization-environment level.
- Push through roadblocks.
- Be open to new __________ (fill in the blank).
- Be optimistic.
- Create an environment that supports it.
Of course, you may argue that those principles do not entirely apply to Threat Modeling, but they still hold a lot of value for our scenario. Let’s find a possible translation of those principles in a way that would be more clearly related to our goals.
View problems as an exciting challenge
Threat Modeling is first and foremost about analyzing systems and solutions. Each of them represents a riddle to be solved. A proper Threat Model requires thinking inside but also outside the box, and most of the time, the best findings come from the latter. Never discount the intellectual challenge represented by a new scenario.
On the contrary, boredom is most frequently what causes low quality for Threat Models. According to my experience, when Threat Modeling is based on the automated generation of Threats and Mitigations, it declines more often than not to a bottomless lake of boredom and despair. To avoid failure, Threat Modeling needs to be a very active and intellectually intensive experience.
So, enjoy your ride: your ticket entitles you to the most creative and exciting experience you can get!
Act courageously and take risks
To me, the second principle is about not accepting conventions as a given, but only after thorough analysis and deep understanding.
Have you ever had someone demand that you accept that some service is secure because it is provided by some third party or by the Company you work for? *cough*
I cannot count the times I have had some Architect telling me something along the lines of “SAS Tokens are the standard way to authenticate with Service X. Are you saying that they are not secure? [How dare you???]”. Funnily enough, what typically follows is the same Architect admitting that said SAS Tokens granted access to everything, forever.
Of course, Threat Models allow you to assume some service’s security, but it would not be proper to do that blindly. What if there are more ways to use that service, including some causing security risks? What if someone misconfigured the service, granting access to malicious actors?
In other words, while it is proper to assume the security of a third-party solution, you need to state the conditions clearly and to understand the implications.
What is the courage in that? Not accepting something as secure simply because they force you to, that requires courage.
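The conditions under which a SAS Token can be assumed secure can be written down and checked, as in this added example (not part of the original article), which audits the documented Azure Storage SAS query parameters for the “everything, forever” pattern. The account name, the `sig` values, the 24-hour threshold and the `audit_sas` helper are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy threshold, not an Azure default

def audit_sas(url, now, max_lifetime=MAX_LIFETIME):
    """Return findings for the SAS query parameters in `url` (`sig` is never checked)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []

    # "Forever": an expiry far beyond what the use case needs.
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # SAS times are UTC, including date-only values
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > max_lifetime:
            findings.append(f"lifetime: valid until {q['se']}")
    elif "si" not in q:
        findings.append("lifetime: no expiry and no stored access policy")

    # "Everything": more than read/list, or an account SAS spanning services.
    extra = sorted(set(q.get("sp", "")) - set("rl"))
    if extra:
        findings.append("permissions: beyond read/list: " + "".join(extra))
    if "ss" in q and (len(q["ss"]) > 1 or set("sco") <= set(q.get("srt", ""))):
        findings.append(f"scope: account SAS ss={q['ss']} srt={q.get('srt', '')}")

    # Without spr=https the token is also accepted over plain HTTP.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("protocol: HTTP allowed")
    return findings

# Constructed sample tokens; the account name and signatures are placeholders.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BROAD = ("https://examplestore.blob.core.windows.net/?sv=2022-11-02&ss=bfqt"
         "&srt=sco&sp=rwdlacup&se=2099-12-31T23:59:59Z&spr=https,http&sig=CONSTRUCTED")
NARROW = ("https://examplestore.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02"
          "&sr=b&sp=r&se=2024-05-01T13:00:00Z&spr=https&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_sas(url, NOW))
```

Each finding maps to a condition that belongs in the Threat Model as an explicit Assumption, or as a Mitigation when it does not hold.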
Don’t use excuses
Do your best in every condition.
Of course, you will not be able to identify all the issues and mitigations. Of course, you will miss details, sometimes even important ones. Of course, the Architects have a lot on their plate too, and more often than not, the limited information you receive is full of contradictions.
Still, you must feel proud of your work, at its end.
Anything else would be your fault. Learn from it and do not blame others. Why is that important for critical thinking? Because the first one you should criticize constructively is yourself: you are the one who needs to improve continuously.
The need to improve does not depend on whether you are good at your job or not. I consider myself quite experienced. Nevertheless, I can find mistakes in every Threat Model I have produced. For this reason, having an open mind and accepting failure as an opportunity to learn and improve is paramount.
Blink, which is about acting even when you do not have enough information
That’s a matter of life: you need to work with limited information. But that should not stop you.
When you lack some data, try to guess it by agreeing with your counterparty on the most probable outcome, which usually is the worst case. If your counterparty doesn’t know the answer but still insists on the best option, simply mark this as an Assumption: this will make that choice more evident.
In any case, do not be afraid to ask. Is your counterparty intolerant of your questions? Does she accuse you of not being aligned with all your colleagues who know the details? Thank her and just interview your colleagues, then return to her for any missing piece of information.
Bottom line: ask first, then agree on assumptions, preferring to err toward the worst case.
This approach may not give a perfect view of Risks and Mitigations, but it is an improvement and helps identify issues that need to be addressed.
Learn and question
Learning about and questioning the solution is the crucial point of the critical mindset. Never assume that something is as it appears. More often than not, life is not black or white but colored, and the specific nuance may make all the difference.
Moreover, when you talk about very dynamic contexts like the Cloud, never assume that your knowledge is current: double-check the latest and greatest news, because you may miss something important.
Think at the organization-environment level
This principle is about the Business: you need to consider it when you do your Threat Model. Your counterparties assume you will.
The implication is not that you should conform with what your counterparty wants, even if you do not agree. On the contrary, ethics compel you to give honest risk evaluations and mitigation recommendations. But when you do that, you should consider what the Business wants: for example, many companies who sell goods on the Internet tend to favor the immediacy of the experience. It is not uncommon for those organizations to forfeit more robust authentication mechanisms like Multi-Factor Authentication, because they would require more steps and thus prospective customers may be discouraged and move away. As a Security Expert, you would tend to disagree, and that’s ok. Still, you should take your customer’s culture into account, for example by tweaking the Severity of some findings because evidently, Authentication is not so crucial for that scenario.
Be sure to track all your decisions and the inputs from your counterparties: this will ensure that you will provide a Threat Model that is more relevant and useful to the Business.
Push through roadblocks
Be creative; think about how you can improve the process and insist. Hone your ideas by getting feedback and integrating it. Have faith in yourself while maintaining an open mind.
Another angle of this is that every process can be improved. An example of this is Threat Modeling vNext, an idea that we have discussed extensively on these pages. It started simply by understanding the limits of the current process and then identifying, one step at a time, how to improve it.
To be successful, you do not need to be stubborn: on the contrary, you need to be open and self-critical.
The principle applies not only to the Threat Modeling process but to the Threat Model itself: you will find yourself stuck, from time to time. Think about those situations as opportunities to think and identify better ways to do your job. Every roadblock can be moved, given time. Most of the time, it is very effective to try and understand why those roadblocks are there and address the related concerns.
Be open to new __________ (fill in the blank)
Another key concept.
Do not fear new knowledge, new solutions, or new processes. On the contrary, understand them with an open mind. For sure, you will be able to get something useful out of it.
Be optimistic
Optimism is about thinking that everything has a solution. You have to search for it.
It is also essential to temper blind optimism with careful planning. You can be optimistic that if you do your work in the right way, you’ll get all the required information to understand the system at hand, identify its weaknesses, evaluate the risk and propose the best actions to take.
You can also read this as: never go unprepared. Again, a critical thinker knows that a lot depends on her, recognizes her mistakes, and acts on them. Going unprepared is as evident a mistake as it gets.
Create an environment that supports it
The environment is crucial to foster the right mindset.
If a Company values alignment and principle agreements, it will get yes-sirs with no critical thinking capability. It may look like a desirable achievement short term, but it would ultimately cause more damage than anything else.
On the other hand, a Company that values critical thinking, without really understanding that it starts from being self-critical, may end up with naysayers, just because that would allow them to look smarter and get benefits.
The best approach is to take critical thinkers in high regard, and at the same time to value even more people who are self-critical and learn from their mistakes. The combination of both behaviors hits the sweet spot and helps the organization to leverage those persons to grow and be better.
Conclusions
We are at the end of yet another article. With the current one, we have completed our analysis of the three required skills to be a better Threat Modeler.
Before closing, I have some final recommendations to help you train your critical thinking skills. On that account, you may start by reading some books on the topic. There are some excellent examples out there, like those recommended by Nigel Warburton in Five Books. Another couple, not touched on by Nigel, are Jonathan Haber’s Critical Thinking book by MIT Press and Critical Thinking Skills for Dummies, by Martin Cohen. Whatever you choose, Critical Thinking remains a crucial skill to learn, perhaps the most important of them all.
Next time, surprise! I’m preparing a couple of new articles for you. I hope you’ll enjoy them.
For now, stay safe and happy Threat Modeling!