In the security industry I have often seen people confuse mitigating threats with eliminating threats, or treat the two as the same thing. Let's discuss the difference from a threat-modeling point of view.
When it comes to securing systems, there are four main ways to address a threat: mitigate it, eliminate it, transfer it, or accept the risk. In this post, let's focus on the first two: mitigating and eliminating threats.
Mitigating Threats
Mitigating a threat means taking steps to make it harder to exploit, without removing the feature that exposes it. Think of it as adding barriers or safeguards around your system.
Passwords for Login Control: By requiring a password to log in, you control who can access your system, mitigating the threat of spoofing (someone pretending to be another user).
Password Controls: Enforcing complexity requirements (e.g., a mix of letters, numbers, and symbols) and expiration policies makes it less likely that a password can be guessed, or misused for long if it is stolen.
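The two password controls above can be expressed as a small policy check. The code below is an added example, not part of the original post; the policy values (12-character minimum, four character classes, 90-day maximum age) are assumed for illustration, and the sample passwords and dates are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed policy values for the example; tune them to your own requirements.
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90


DEFAULT_POLICY = PasswordPolicy()


def check_complexity(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list[str]:
    """Return the list of complexity violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def is_expired(last_changed: date, today: date, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """Expiration control: a stolen password stops being useful once it must be rotated."""
    return today - last_changed > timedelta(days=policy.max_age_days)


def evaluate(password: str, last_changed: date, today: date,
             policy: PasswordPolicy = DEFAULT_POLICY) -> dict:
    """Combine both controls into one decision a login flow could act on."""
    problems = check_complexity(password, policy)
    expired = is_expired(last_changed, today, policy)
    return {
        "accepted": not problems and not expired,
        "complexity_problems": problems,
        "expired": expired,
    }


if __name__ == "__main__":
    # Constructed sample input: a weak password that was last changed five months ago.
    print(evaluate("password", date(2024, 1, 1), date(2024, 6, 1)))
```

The checker reports every violation rather than stopping at the first, which is what you want when feeding the result back to a user or an audit log.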
Eliminating Threats
Eliminating a threat means removing it entirely. This is usually done by removing the feature that introduces the vulnerability: if the feature does not exist, there is nothing to attack.
Administrative Access via URL:
Mitigation: Require a password or another authentication method before the admin URL can be used.
Obfuscation: Change the URL to something less obvious (e.g., /j8e8vg21euwq/) so it is harder to find. This only hides the interface; anyone who learns the path can still use it, so on its own it is not a substitute for authentication.
Elimination: Remove the web interface altogether and handle administration through a more secure channel, such as the command line on the host.
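The difference between the three options for the admin URL becomes concrete when you write each one down as a request handler. The code below is an added example, not taken from the original post: it models a tiny web app in plain Python (no framework), with constructed paths, a constructed demo token, and a defender-side probe that lists which paths reach the admin action without credentials.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# Constructed credential for the demo; a real deployment would verify against a hashed secret store.
ADMIN_TOKEN = "constructed-demo-token"
NOT_FOUND = Response(404, "not found")


def admin_action() -> str:
    return "admin panel: settings changed"


def handle_unprotected(req: Request) -> Response:
    # Starting point: the admin interface is reachable by anyone who requests the URL.
    if req.path == "/admin":
        return Response(200, admin_action())
    return NOT_FOUND


def handle_obfuscated(req: Request) -> Response:
    # Obfuscation only: the path is renamed, but there is still no authentication.
    if req.path == "/j8e8vg21euwq/":
        return Response(200, admin_action())
    return NOT_FOUND


def handle_mitigated(req: Request) -> Response:
    # Mitigation: the feature stays, but a valid bearer token is required to use it.
    if req.path == "/admin":
        presented = req.headers.get("Authorization", "")
        if not hmac.compare_digest(presented, f"Bearer {ADMIN_TOKEN}"):
            return Response(401, "authentication required")
        return Response(200, admin_action())
    return NOT_FOUND


def handle_eliminated(req: Request) -> Response:
    # Elimination: no admin route exists in the web app at all.
    return NOT_FOUND


def admin_cli(argv: list[str]) -> str:
    # Administration moves to a local command run by an operator who already has host access.
    if argv[:1] == ["settings"]:
        return admin_action()
    raise SystemExit("usage: admin settings")


def unauthenticated_admin_paths(handler: Callable[[Request], Response]) -> list[str]:
    """Defender's check: which of the known admin paths work with no credentials at all?"""
    candidates = ["/admin", "/j8e8vg21euwq/"]
    return [p for p in candidates if handler(Request(p)).status == 200]


if __name__ == "__main__":
    for name, handler in [("unprotected", handle_unprotected), ("obfuscated", handle_obfuscated),
                          ("mitigated", handle_mitigated), ("eliminated", handle_eliminated)]:
        print(f"{name:12s} open admin paths: {unauthenticated_admin_paths(handler)}")
```

Run against all four handlers, the probe shows that obfuscation merely moves the open path, mitigation closes it to unauthenticated callers while keeping the feature (and its authentication code) to maintain, and elimination leaves the web app with no admin path to probe at all.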
Moving Away from HTTP:
Switching from plain HTTP to a more secure protocol such as HTTPS removes the cleartext-traffic threats outright, reducing the attack surface and leaving fewer threats to manage and mitigate.
Key Considerations
Threat Analysis: Identify which threats can be mitigated and which need to be eliminated.
Feasibility: Consider how likely each threat is and how practical it is to address it.
Comprehensive Models: Ensure your threat model covers various scenarios, even those that seem unlikely.
Visualizing Threat Mitigation and Elimination
Below is a simple chart to help visualize the process of mitigating and eliminating threats:
| Strategy | Example | Description |
|------------------|------------------------------------------------------|------------------------------------------------------------------|
| Mitigating | Passwords for Login Control | Controls access to the system, reducing spoofing threats. |
| | Password Complexity Requirements | Makes passwords harder to guess or misuse. |
| Eliminating | Administrative Access via URL | Remove web interface; use command line for administration. |
| | Moving Away from HTTP | Reduces attack surface by using a more secure protocol. |
Mitigating threats adds layers of protection, making it harder for vulnerabilities to be exploited. Eliminating threats removes the vulnerabilities altogether, reducing the potential attack surface. Both strategies are essential for effective threat modeling and securing systems.
By understanding and applying these concepts, organizations can better protect their systems from potential threats and vulnerabilities.
Thanks for reading!