Threat models are a way of looking at risks in order to identify the most likely threats to your organisation’s security. The first step in the threat modelling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves creating use-cases to understand how the application is used, identifying entry points to see where a potential attacker could interact with the application, identifying assets, and more. In this post, we focus on identifying information assets.

Assets are essentially threat targets, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets. For example, an asset of an application might be a list of clients and their personal information; this is a physical asset. An abstract asset might be the reputation of an organisation. Hereunder, we identify some key informational assets that your organisation or information system might have or process:

• Credit card data: yours, or (if you sell stuff) a customer’s.
• Banking data: account numbers, routing numbers, e-banking usernames and passwords.
• Personally identifying information: Social Security number, date of birth, income data, W-2s, passport numbers, drivers’ license or national ID numbers.
• Intellectual property: like source code or software documentation.
• Sensitive personal or business information and communications: e-mails and texts that could be used to embarrass, blackmail, or imprison you.
• Politically sensitive information or activities that could get you in trouble with your employer, the government, law enforcement, or other interested parties.
• Travel plans that could be used to target you or others for fraud or other forms of attack.
• Other business or personal data that are financially or emotionally essential (family digital photos, for example).
• Your identity itself, if you are trying to stay anonymous online for your protection.

When it comes to protecting the assets pieces of information that could be used to expose your assets are just as essential. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should also be considered as valuable as the things that they provide access to.

Other operational information about your activities that could be exploited should also be considered, including the name of your bank or other financial services provider. For instance, a spear-phishing attack on the Pentagon used a fake e-mail from USAA, a bank and insurance company that serves many members of the military and their families.