Threat modeling terminology
Before we get into the details of how to model threats, we must become familiar with the common terms used throughout the threat modeling process:
- Asset: An asset is any resource that is valuable. It can be tangible or intangible. For example, a mainframe computer in a data center may be a tangible asset, while the reputation of an organization may be an intangible asset.
- Attack: An attack occurs when an actor or a threat agent takes action that exploits one or more vulnerabilities in the system. For example, an application session hijacking attack might happen when someone exploits a cross-site scripting vulnerability to steal user cookies and session IDs.
- Attack vector: An attack vector is a path taken by the attacker in order to successfully compromise the system. For example, an email with a malicious attachment sent to the victim could be one possible attack vector.
- Attack surface: An attack surface...