CSC 382: Computer Security: Threat Modeling
Slide #1: CSC 382: Computer Security. Threat Modeling

Slide #2: Topics
1. What is Threat Modeling?
2. Purpose of Threat Modeling.
3. Threat Modeling Process
   1. Understand adversary's view of system.
   2. Characterize security of system.
   3. Evaluate threats.

Slide #3: What is Threat Modeling?
Assessing security risks of a software system from an adversary's perspective.

Slide #4: Goals of Threat Modeling
1. Understand threats to guard against during requirements analysis.
2. Provide basis for which security mechanisms to include during design.
3. Verify security of system design.
4. Provide basis for prescribing secure implementation practices.
5. Provide basis for testing system security after implementation.

Slide #5: Threat Modeling Process
1. Understand adversary's view of system.
2. Characterize security of system.
3. Evaluate threats.

Slide #6: Understanding the Adversary's View
1. Identify System Assets.
   – System resources that an adversary might attempt to access, modify, or steal.
   – Ex: credit cards, network bandwidth, user access.
2. Identify Entry Points.
   – Any location where data or control transfers between the system being modeled and another system.
   – Ex: network sockets, RPCs, web forms, files.
3. Determine Trust Levels.
   – Privileges external entities have to legitimately use system resources.

Slide #7: Identify System Assets
– User login data
– User personal data
– Web process resources
  – Execute code as web server
  – Network/disk resources
– Application resources
– Database server resources
  – Access to stored data
– Organization's reputation

Slide #8: Discover Entry Points
Any method for system to accept input.
Example:
– Web server: cs.nku.edu. All network protocols that can access host; web server specific attacks.
– ctrl.psp: Your controller application.
– pg=login: The login subsystem invoked by controller.

Slide #9: Analyze Entry Points
1. Are you missing any potential back door entry points?
   – What if attacker is on the web server?
   – What if attacker is between web and db servers?
2. How does system distinguish between bad and good input?
3. Can system distinguish a request from a legitimate client from a replay attack?

Slide #10: Trust Levels
Resources with higher trust levels are accessible to fewer users, but higher trust levels offer access to a wider range of resources.
Trust Levels:
– Remote Unauthenticated Users
– Remote Authenticated User
– Remote Application Admin User
– Web Administrator
– Web Server Process
– DB Administrator

Slide #11: Characterize System Security
1. Use and misuse scenarios.
   – How do users use the system to fulfill needs?
   – How could an adversary use these system interfaces to attack the system?
2. Identify assumptions and dependencies.
   – How does system security depend on external systems?
   – What assumptions do components make about data or control transfers with other components?
3. Model the system.
   – Model how system processes data from each entry point using tools like DFDs.

Slide #12: Use Case Example
UC 1: Login to Web Store
Primary Actor: Customer
Stakeholders and Interests:
– Customer: Wants to purchase products.
Preconditions: Customer has web access.
Postconditions: Customer has access to their account, with the ability to pay for and ship products.
Summary: Customer gains access to system using an assigned username and password.

Slide #13: Misuse Case Example
MUC 1: Sniff Password
Primary Actor: Attacker
Stakeholders and Interests:
– Attacker: Wants to obtain user credentials.
Preconditions: Attacker has access to a machine on network path between user and system.
Postconditions: Attacker has obtained one or more valid usernames and passwords.
Summary: Attacker obtains and later misuses passwords to gain unauthorized access to system.

Slide #14: Misuse Case Example
Basic Flow:
1. Attacker installs network sniffer.
2. Sniffer saves all packets which contain strings matching "Logon", "Username", or "Password".
3. Attacker reads sniffer logs.
4. Attacker finds valid username/password in log.
5. Attacker uses sniffed password to access system.

Slide #15: Misuse Case Example
Alternate Flows:
1a. Attacker not on path between user and system:
    1. Attacker uses ARP poisoning or similar attack to redirect user packets through his system.
1b. Customer uses wireless connection:
    1. Attacker drives to customer location.
    2. Attacker uses wireless sniffer to intercept passwords.
4a. Attacker finds no passwords in log:
    1. Continue sniffing until a password is found.

Slide #16: Dependencies and Assumptions
What does the system depend on or trust?
– Power
– Network
– Filesystem
– Shared libraries
– Database
– Authentication service
– Auditing service
– What other programs does system run?

Slide #17: Data Flow Diagrams
Visual model of how system processes data.
Hierarchical:
– Level 0: Models whole system.
– Level 1: Models subsystems, …
(Diagram: a level 0 DFD with the nodes "1. System", "Client", "Report System", and "Database".)

Slide #18: Level 0 DFD Example
(Diagram. Elements: User, Admin, AuthnEngine, AuditEngine, Service, Mnmgt Tool, Credentials, Data Files, Audit Data. Flows: Request, Response, AuthnRequest, AuthnInfo, Set/Get Creds, Get Creds, Requested File(s), Audit Data, Set User Data, Verify User Data, AuditRequests, AuditInfo, AuditRead, AuditWrite.)
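As an added example (not from the slides), the following Python encodes a constructed reconstruction of this level 0 DFD, attaches the slide 10 trust levels to each element, and lists the flows that cross a trust boundary inward; those are the slide 6 entry points whose input the receiving component must validate. Which trust level each element runs at, and the ranking of the trust levels, are assumptions made for this example.

```python
"""Entry-point discovery over a level 0 DFD, joining slides 6, 10 and 18.
Added example, not from the original slides. ELEMENTS and FLOWS are a constructed
reconstruction of the slide 18 diagram; the trust level of each element and the
ranking of the slide 10 trust levels are assumptions made for this example."""
from collections import namedtuple

# Slide 10 trust levels, ranked in the order the slide lists them (assumed least to most trusted).
TRUST_RANK = {name: rank for rank, name in enumerate([
    "Remote Unauthenticated User", "Remote Authenticated User", "Remote Application Admin User",
    "Web Administrator", "Web Server Process", "DB Administrator"])}

# DFD element -> trust level of the principal operating it (constructed mapping).
ELEMENTS = {
    "User": "Remote Unauthenticated User", "Admin": "Remote Application Admin User",
    "Service": "Web Server Process", "AuthnEngine": "Web Server Process",
    "AuditEngine": "Web Server Process", "Mnmgt Tool": "Web Server Process",
    "Data Files": "Web Server Process", "Credentials": "DB Administrator",
    "Audit Data": "DB Administrator"}

Flow = namedtuple("Flow", "src dst label")  # one arrow of the diagram
FLOWS = [
    Flow("User", "Service", "Request"), Flow("Service", "User", "Response"),
    Flow("Service", "AuthnEngine", "AuthnRequest"), Flow("AuthnEngine", "Service", "AuthnInfo"),
    Flow("AuthnEngine", "Credentials", "Get Creds"), Flow("Admin", "Mnmgt Tool", "Set User Data"),
    Flow("Mnmgt Tool", "Admin", "Verify User Data"), Flow("Mnmgt Tool", "Credentials", "Set/Get Creds"),
    Flow("Service", "Data Files", "Requested File(s)"), Flow("Service", "AuditEngine", "AuditRequests"),
    Flow("AuditEngine", "Service", "AuditInfo"), Flow("AuditEngine", "Audit Data", "AuditRead"),
    Flow("AuditEngine", "Audit Data", "AuditWrite")]

def check_model(flows, elements=ELEMENTS):
    """Every arrow must connect modeled elements; anything else is a typo or a hidden component."""
    unknown = sorted({e for f in flows for e in (f.src, f.dst) if e not in elements})
    if unknown:
        raise ValueError(f"flows reference unmodeled elements: {unknown}")
    return True

def trust_gap(flow, elements=ELEMENTS):
    """Positive when a less trusted source feeds a more trusted destination (the flow crosses
    a trust boundary inward), negative for the reverse, zero when both ends share a level."""
    return TRUST_RANK[elements[flow.dst]] - TRUST_RANK[elements[flow.src]]

def entry_points(flows, elements=ELEMENTS):
    """Slide 6 entry points: inward boundary crossings, i.e. the input the receiver must validate
    (slide 9, question 2), ordered largest trust gap first so unauthenticated input is reviewed first."""
    return sorted((f for f in flows if trust_gap(f, elements) > 0),
                  key=lambda f: trust_gap(f, elements), reverse=True)

if __name__ == "__main__":
    check_model(FLOWS)
    for f in entry_points(FLOWS):
        print(f"entry point (trust gap {trust_gap(f)}): {f.label:18} {f.src} -> {f.dst}")
```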

Slide #19: DFD Exercise
Draw a level 1 data flow diagram of an e-mail service. Don't forget to include:
– Users receiving and sending mail.
– Mail server interactions with other mail servers for non-local messages.
– Message store interactions.
– Error conditions: What if a user sends a message to a remote server that's currently down? You should retry the send later, without bothering the user until X retries have failed.

Slide #20: Evaluate Threats
Identify Threats
– For each entry point, determine how an adversary may attempt to affect an asset.
– Based on asset, predict what adversary would try to do and what his goals would be.
Analyze Threats
– Decompose threats into individual, testable conditions using techniques like attack trees.
– Evaluate risk of threat with DREAD categories.

Slide #21: Identify Threats
1. Can an unauthorized network user view confidential information such as addresses or passwords?
2. Can an unauthorized user modify data like payments or purchases in the database?
3. Could someone deny authorized users access to the application?
4. Could an authorized user exploit a feature to raise their privileges to administrator level?

Slide #22: STRIDE Threat Categorization
– Spoofing. Ex: Replaying authentication transaction.
– Tampering. Ex: Modifying authentication files to add new user.
– Repudiation. Ex: Denying that you purchased items you actually did.
– Information disclosure. Ex: Obtaining a list of customer credit card numbers.
– Denial of service. Ex: Consuming CPU time via hash algorithm weakness.
– Elevation of privilege. Ex: Subverting a privileged program to run your commands.

Slide #23: Analyze Threats
Decompose threats into individual, testable conditions using attack trees.
Attack Trees
– Hierarchical decomposition of a threat.
– Root of tree is adversary's goal in the attack.
– Each level below root decomposes the attack into finer approaches.
– Child nodes are ORed together by default.
– Special notes may indicate to AND them.

Slide #24: Attack Trees: Graph Notation
Goal: Read file from password-protected PC.
(Diagram. Root: Read File. Other nodes: Get Password; Search Desk; Social Engineer; Network Access; Physical Access; Boot with CD; Remove hard disk.)

Slide #25: Attack Trees: Text Notation
Goal: Read message sent from one PC to another.
1. Convince sender to reveal message.
   1.1 Blackmail.
   1.2 Bribe.
2. Read message when entered on sender's PC.
   2.1 Visually monitor PC screen.
   2.2 Monitor EM radiation from screen.
3. Read message when stored on receiver's PC.
   3.1 Get physical access to hard drive.
   3.2 Infect user with spyware.
4. Read message in transit.
   4.1 Sniff network.
   4.2 Usurp control of mail server.

Slide #26: Evaluate Risk with DREAD
– Damage Potential: Extent of damage if vulnerability exploited.
– Reproducibility: How often attempt at exploitation works.
– Exploitability: Amount of effort required to exploit vulnerability.
– Affected Users: Ratio of installed instances of system that would be affected if exploit became widely available.
– Discoverability: Likelihood that vulnerability will be discovered.

Slide #27: Quantifying Threats
Calculate risk value for nodes in attack tree:
– Start at bottom of tree.
– Assign a number 1-10 to each DREAD item.
– Assign average of numbers to node.
– Propagate risk values to parent nodes.
  – Sum risk values if child nodes are ANDed together.
  – Use highest risk value of all children if nodes are ORed together.
Alternate technique: monetary evaluation
– Estimate monetary value to carry out attacks.
– Propagate values to parent nodes as above.
– Note: smaller values are higher risks in this method.
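Putting slides 23 through 27 together, here is an added Python example (not from the slides) that scores the slide 25 attack tree with DREAD and propagates the values as slide 27 describes, with the monetary alternative alongside. The scores and dollar costs are constructed, and node 4.1 is split into an AND of the two steps of the slide 14-15 misuse case, an assumption made to show the AND rule.

```python
"""DREAD risk propagation over an attack tree (slides 23 to 27).
Added example, not from the original slides. The tree is the slide 25 text-notation tree;
node 4.1 is decomposed into an AND of the two steps of the slide 14-15 misuse case.
All DREAD scores and dollar costs are constructed for illustration."""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Node:
    name: str
    dread: tuple = ()     # leaves only: (Damage, Reproducibility, Exploitability, Affected users, Discoverability), 1..10
    cost: int = 0         # leaves only: estimated cost to the attacker in dollars (constructed)
    anded: bool = False   # True: all children must succeed; default is OR, as on slide 23
    children: list = field(default_factory=list)

def dread_risk(node):
    """Slide 27: average the five scores at a leaf; sum ANDed children; take the max of ORed children."""
    if not node.children:
        if len(node.dread) != 5 or not all(1 <= s <= 10 for s in node.dread):
            raise ValueError(f"{node.name}: five DREAD scores in 1..10 required")
        return mean(node.dread)
    scores = [dread_risk(c) for c in node.children]
    return sum(scores) if node.anded else max(scores)

def attack_cost(node):
    """Slide 27 alternate technique: cheapest option (min) over OR children, total (sum) over AND
    children; here the smaller value is the higher risk."""
    if not node.children:
        return node.cost
    costs = [attack_cost(c) for c in node.children]
    return sum(costs) if node.anded else min(costs)

# Node(name, dread, cost) for leaves; inner nodes carry only children (and anded where noted).
TREE = Node("Read message sent from one PC to another", children=[
    Node("1. Convince sender to reveal message", children=[
        Node("1.1 Blackmail", (8, 3, 2, 2, 4), 20000), Node("1.2 Bribe", (8, 4, 3, 2, 4), 5000)]),
    Node("2. Read message when entered on sender's PC", children=[
        Node("2.1 Visually monitor PC screen", (6, 5, 3, 2, 5), 500),
        Node("2.2 Monitor EM radiation from screen", (6, 2, 1, 2, 2), 50000)]),
    Node("3. Read message when stored on receiver's PC", children=[
        Node("3.1 Get physical access to hard drive", (9, 5, 3, 2, 6), 2000),
        Node("3.2 Infect user with spyware", (9, 7, 5, 6, 5), 1000)]),
    Node("4. Read message in transit", children=[
        Node("4.1 Sniff network", anded=True, children=[
            Node("Get onto network path between user and system", (5, 6, 5, 6, 6), 800),
            Node("Capture and log login traffic", (7, 9, 8, 8, 7), 100)]),
        Node("4.2 Usurp control of mail server", (10, 4, 3, 9, 5), 15000)])])

if __name__ == "__main__":
    print(f"root DREAD risk {dread_risk(TREE):.1f}, cheapest attack ${attack_cost(TREE)}")
```

Because ANDed children are summed, a conjunctive node can score above 10 even though every leaf is in 1..10; here node 4.1 lifts the root value to 13.4, while the monetary view picks the $500 screen-watching leaf as the cheapest path.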

Slide #28: Attack Tree Exercise
Create an attack tree for reading a message stored on the mail server that you described in the DFD exercise.
– Consider all entry points.
– While you're starting as an unauthorized network user, consider all trust levels in constructing your tree, with gaining the required trust level to conduct your attack being one of your subgoals.

Slide #29: Key Points
1. Goals of Threat Modeling
   – Requirements, Design, Implementation, Testing.
2. Threat Modeling Process
   1. Understand adversary's view of system.
   2. Characterize security of system.
   3. Evaluate threats.
3. Threat-modeling Techniques
   – Attack Trees
   – Data Flow Diagrams
   – STRIDE categorization
   – DREAD risk evaluation
   – Quantifying risk.

Slide #30: References
1. Bishop, Matt, Introduction to Computer Security, Addison-Wesley.
2. Graff, Mark and van Wyk, Kenneth, Secure Coding: Principles & Practices, O'Reilly.
3. Howard, Michael and LeBlanc, David, Writing Secure Code, 2nd edition, Microsoft Press.
4. Schneier, Bruce, Secrets and Lies, Wiley.
5. Swiderski, Frank and Snyder, Window, Threat Modeling, Microsoft Press.
6. Viega, John, and McGraw, Gary, Building Secure Software, Addison-Wesley.
7. Wheeler, David, Secure Programming for UNIX and Linux HOWTO, programs/Secure-Programs-HOWTO/index.html