Responding to Rob Graham’s “Your Threat Model is Wrong” Post

I’m a huge fan of Rob Graham and all he’s done for InfoSec. I also enjoy the fact that he seldom avoids a tussle. If he disagrees with you, you’re likely to hear about it.

I probably agree with him on 85% of topics, so when he did a post recently, called Your Threat Model is Wrong, I was surprised I disagreed with so much of it. He basically took multiple complaints being made by others, and explained them away by saying their threat model was wrong.

Phishing

First, he argues that it’s wrong to fire people for failing phishing tests because it’s impossible to pass them.

The (wrong) threat model is here is that phishing is an email that smart users with training can identify and avoid. This isn’t true. Good phishing messages are indistinguishable from legitimate messages.

Robert Graham, Your threat model is wrong

Robert Graham, Your threat model is wrong

This ignores the fact that there are clearly people good at spotting phishing, and people who are bad at it. Some people go for years at a company, through dozens of campaigns that are taking place constantly, and never click a phishing email. Others are repeat offenders and will click almost anything. Whether that’s a mindset difference or a training difference, the person who is is more click-happy represents more risk to the company.

Nobody is making the argument that this should be your only control—yes, absolutely do 2FA and many other things—but today’s reality is that the user is still often the last line of defense, and that the more trained and cautious they are the better posture the entire company will have.

Internet of Things

Here he argues that auto-updates are a bigger threat than billions of IoT devices coming online.

Anyway, this is just the start of your “wrong threat model”. The main security weaknesses that cause 99% of the problems are services exposed to the public Internet and users exposed to the public Internet. IoT has neither of these, and thus, billions added to the Internet are not the problem you imagine.

Robert Graham, Your threat model is wrong

Robert Graham, Your threat model is wrong

First, I agree about the auto-updates piece, but it seems like that can be mitigated somewhat easily by introducing staggered rollouts of updates, improved rollback capabilities, and other controls. But still, I agree it’s a major issue.

But as far as IoT devices not being an issue, I don’t get that. The future doesn’t have IoT devices, it has everyday things that are online. Cars, houses, cities, roads, lights, power, water, etc. And the thing that makes their connectivity useful is having it be…well, connected.

The internet-ization of ICS/SCADA is a case in point.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

If you can click a button, or give a voice command, and have major things happen—which is the entire point of IoT—then that’s because the systems are listening and receiving commands in some way. Whether that happens with internet-facing ports, single ports passing back to private control systems—it matters not. The point is that this is the functionality that everyone wants, that everyone is building, and that is being put into more and more systems with more and more power/functionality/risk.

I don’t see a world of billions (and then trillions) of smart objects that aren’t accessible because we ran out of IPv4. There are ways around that, and you can rest comfortably knowing that a multi-billion dollar industry will find those ways.

Finally, he says in the last part of that section that he worries about Windows vulns, things exposed to the internet, and automatic updates of popular products—but not IoT.

We must be disagreeing on terminology here, because things online that control the world around us WILL LARGELY BE THE IOT. A lot of them will run Windows, be exposed to the internet, and will have update considerations. Every problem he mentioned will apply.

Analysis

I agree with Rob that people often get distracted by the wrong threat scenarios and end up worrying about and fixing the wrong things. I also agree that fixing admin rights is more important than launching phishing campaigns.

But you don’t have to choose one.

Many organizations can, have to, and are doing both—in addition to many other things. So it’s not one or the other—not for phishing vs. admin, and not for updates vs. IoT.

Rob is awesome, but I think he went astray on these.

Notes

  1. I also pinged Rob before writing and posting this, just to give him a heads-up that a friendly volley was coming his way. He was a good sport as always.

Related posts: