Saturday, June 16, 2012

Threat Modeling with Customers as Assets

One thing I've been contemplating lately is if the security world isn't missing something when threat modeling.
Threat modeling will generally list assets and then see what kinds of threats can threaten those assets and see what the expected loss might be.  Assets are typically thought of as being physical systems like a web server or database. 

But a consideration has been percolating since I had a discussion with one very confident threat modeler working for a fortune 100 company.  I suggested that it would be possible to consider a customer, who has a company distributed token and can move their data from one service to another in seconds, could be considered an asset.  This credentialed expert was absolutely beside himself with indignation, "the business doesn't own the customer. And a customer is also not an asset because a customer can't be attacked or exploited!" 

Oh really?

Follow me down this rabbit hole and see if there isn't a case to be made for at least considering that your customers might be an asset.

An asset is defined as:
"Any item of economic value owned by an individual or corporation, especially that which could be converted to cash. Examples are cash, securities, accounts receivable, inventory, office equipment, real estate, a car, and other property. On a balance sheet, assets are equal to the sum of liabilities, common stock, preferred stock, and retained earnings. From an accounting perspective, assets are divided into the following categories: current assets (cash and other liquid items), long-term assets (real estate, plant, equipment), prepaid and deferred assets (expenditures for future costs such as insurance, rent, interest), and intangible assets (trademarks, patents, copyrights, goodwill)."

As a business do you invest money to retain customers? - maybe you don't own customers but you invest in them -
As a business do you carefully maintain and grow your customer base?
As a business do customers provide you money? (maybe not unlike accounts receivable?)
As a business, if all of your customers leave do your physical assets have any value beyond their depreciated physical value?

So I think a reasonable person would agree that customers are an investment which pays dividends over time.  Also note in the definition of asset the sub list of "intangible assets" which include... goodwill.  Your customers represent a huge pile of cash which may or may not be delivered to your revenue stream. (think Netflix when they changed their terms and service model)

So let's say for the sake of argument that customers are the embodiment of goodwill represented in terms of accounts receivable and have been invested in both in terms of advertising dollars and education as you have tried to help your customer keep themselves secure while they use your product.

Let's go further and examine this claim that a customer cannot be attacked by a hacker.  I would suggest that it's not only possible but it is part of your threat model and sphere of business.  It is your concern.  My justification is as follows:

1) customers can be socially engineered
2) customers can be attacked by spam, trojans, viruses
3) customers can be lured away if service is denied from the customer's computer
But when someone tells me that something is impossible the lateral thinker in me feels compelled to find an exception to the rule... what if the customer is attacked by DOS and thereby denied service and leaves your service because it never works?  What if a browser helper object is put on the user's browser that denies service to Amazon Web Services or Netflix or Gmail?  What if a BHO stops service to one company and facilitates it with another?  I can think of one such BHO - Cool Web Search. So such a thing has already happened.  Microsoft has already realized they they need to protect their customers via anti-spyware and anti-virus in order to keep their company alive.
So your customers can be threatened!  The customer can take their money elsewhere.  If compromised, the customer could lead to a general compromise of your entire system. The following source indicates that customer data is an asset and probably could be considered even when transient.  Consider for a moment what happens when the customer has tiny bit of our data such as an access key or certificate?

Could you educate your customer about how to keep their secret key secret? 

Could you educate your customers about how to avoid being socially engineered? 

Could you educate them on how to keep their computers secure? 

Could you educate your customer on how to avoid service interruptions? 

I think the answer to all these questions is yes even if it would lead to an extra expense...  You probably already have spent money trying to educate your customer to some degree.  So maybe you can't entirely control your customer but the customer can be educated and controlled, and even somewhat protected.  * almost like an asset *  You could provide your customer with a security token for example, or a X509 certificate.  Maybe you could even put a program on their computer that assists them in securing their credentials.

Now you can say that you're not responsible for the customer... and why should you be?  Why take on an extra expense for something you can't control?  Given the threats we face you may want to consider changing your thinking.  Operating system vendors like Microsoft understand that they need to make efforts to secure their customer in order to keep them.

The following is a hypothetical which may illustrate the point-

What happens if a customer uses your company's lowest assurance method of login to your cloud hosting services... a shared key for example.  A hacker uses Google to find the customer's exposed code using a specialized search.  Imagine then, the hacker uses the customer's login and secret key to create a fully authenticated message to the customer's account gaining access to a VM that can't be traced back to them.  Then the hacker uses the new zero-day ring 3 VM breakout to compromise the host running hundreds of VMs inside the cloud service.  From there, the hacker or nation-state can leverage sufficient computing power to crack other systems in minutes.  The hosting company now has a compromised reputation, and permanently compromised revenue stream all because they didn't consider their customer is an asset.

So should a business fold users into their threat model?  The answer I would say "depends".  Customer=Asset does not compute for every industry.  But if your customers have highly portable data that can be taken elsewhere and and your business' reputation for security is the only thing between it and disaster... including your customer as an asset in your threat models may be the only sensible approach.