Earthquakes, Cyber Breaches, and Mitigating Disasters through Design

By Archie Agarwal, Founder and CEO of ThreatModeler

The Great Earthquake of San Francisco in 1906 caused unbelievable levels of damage in the city, with over 28,000 buildings destroyed and 500 city blocks reduced to rubble. The event basically wiped large swaths of the city off the map, yet the rebuilding process saw the city continue to prioritize financial considerations over earthquake proofing. This reluctance to acknowledge the likelihood of future earthquakes further exacerbated the damage when the next big earthquake struck in 1989. Although the damage and death toll were less than in 1906, the buildings that were rebuilt with unreinforced masonry and without earthquakes in mind suffered the most harm. This time, San Francisco learned its lesson. The city strengthened its seismic code and made changes that would apply both to structures already standing and new construction.

Similar to the aftermath of the Great Earthquake of San Francisco, cybersecurity is currently undergoing a transformation. With the increasing frequency and sophistication of cyberattacks, organizations must take a proactive approach to stay ahead of the evolving threat landscape.

A Different Kind of Disaster

In the rapidly evolving landscape of cybersecurity, organizations face an escalating array of threats that can jeopardize their valuable assets, sensitive information, and overall reputation. Despite this, many application design teams prioritize functionality and speed of development over security. As a result, security considerations are often treated as an afterthought. This can lead to vulnerabilities that attackers can exploit.

These vulnerabilities can come in many forms, including insecure data storage and transmission and poorly designed third-party integrations. For data storage and transmission, weak encryption practices, inadequate access controls, or using insecure protocols (e.g., HTTP instead of HTTPS) can compromise data confidentiality and integrity. Further, modern applications often integrate with third-party services or APIs that are not thoroughly vetted or securely implemented, which can introduce vulnerabilities, expose sensitive data, and provide an entry point for attackers.

To effectively safeguard against these risks, a comprehensive and proactive cybersecurity strategy is essential.

Secure by Design 

When designing buildings in San Francisco today, architects and structural engineers rely on computer-aided design (CAD) and other specialized software to ensure their buildings are structurally sound and able to withstand seismic events. By assessing the structural integrity of buildings and identifying potential weak points before construction, engineers can design reinforcements and implement preventative measures to mitigate risks.

Much as an architect cannot earthquake-proof their building once an earthquake is in progress, it is not enough to be reactive to security threats. Organizations must prioritize security during the design process itself to ensure comprehensive protection. By embracing the secure-by-design approach cybersecurity organizations can lay the foundation for secure, resilient systems that can withstand the challenges posed by malicious actors.

A ‘CAD’ Solution for Cybersecurity

Threat modeling is to cybersecurity what CAD is to building design and earthquake-proofing. Threat modeling emphasizes a secure-by-design approach that identifies security concerns at the initial stages of development to create robust and resilient systems. By providing visibility into an environment’s attack surface, threat modeling enables organizations to proactively identify, assess, and mitigate potential security risks.

Threat modeling embodies the same proactive stance against vulnerabilities that architects employ. By identifying potential threats and weaknesses within their systems during the design phase and prioritizing them based on severity and likelihood, organizations can implement the necessary countermeasures to fortify their defenses. This significantly enhances an organization’s cybersecurity posture, reducing the likelihood of successful attacks and minimizing the potential damage they can inflict.

By implementing threat modeling as an ongoing process, organizations are able to prioritize their mitigation strategy and identify the right controls that can be implemented to prevent a disaster. It is no longer a luxury but a critical element of a strong cybersecurity strategy.

Preventing the Great Cyber Breach of 2024

In an era where cyber threats are constantly evolving, relying solely on reactive security measures is inadequate. The imperative for proactive risk assessment and mitigation has never been greater.

Much like CAD drawings provide a blueprint for earthquake-resistant structures, threat modeling in cybersecurity offers a framework for making informed security decisions. By embracing threat modeling and integrating it into their cybersecurity strategy, organizations can bolster their security posture, safeguard valuable assets and information, and protect their reputation. Threat modeling empowers organizations to stay one step ahead, making it a critical element of any comprehensive cybersecurity strategy. Through these secure by design approaches, both seismic preparedness and cybersecurity can continue to anticipate and mitigate risks effectively.

About the Author

Archie Agarwal, Founder and CEO of ThreatModeler. Archie Agarwal is the Founder and CEO of ThreatModeler. Archie has over 20 years of experience in risk and threat analysis.  Previously, at WhiteHat Security, as director of education and thought leader he specialized in threat modeling, security training and strategic development. He has also held positions at PayCycle (acquired by Intuit), Citi, HSBC and Cisco. Archie is a Certified Information Systems Security Professional (CISSP) and is SANS GWEB certified. Archie can be reached online through LinkedIn and at our company website https://threatmodeler.com/