Threat Modeling and Risk Management
John R. Durrett, January 2003
Primarily from Building Secure Linux Servers ( ) and Secrets and Lies ( )

- Systems
- Making completely secure servers
- Threats
- Risks
- Goals
- Motives
- Vulnerabilities
- Risk Analysis
- Attack Trees
- Defenses
Systems
- Complex
- Interact with other systems
- Have emergent properties that their designers did not intend
- Have bugs

Systems & Security
- The usual coping mechanism is to ignore the problem... WRONG
- Security is a system within a larger system
- Security theory vs. security practice
  - Real-world systems do not lend themselves to theoretical solutions
- Must look at the entire system and how security affects it

The Landscape
- Secure from whom?
- Secure against what?
- Never black & white
- Context matters more than technology
- "Secure" is meaningless out of context
Completely Secure Servers
- Disconnect from the network
- Power down
- Wipe & degauss memory & hard drive
- Pulverize it to dust
- Threat modeling
- Risk management
Threats
- Attacks are exceptions
- Digital threats mirror physical ones
- Will become more common, more widespread, and harder to catch due to:
  - Automation
  - Action at a distance (every two points are adjacent)
  - Technical propagation

Threats
- All types of attackers
- All present some type of threat
- Impossible to anticipate
  - all attacks, or
  - all types of attackers, or
  - all avenues of attack
- The point is not to prevent everything but to "think about and analyze threats with greater depth and to take reasonable steps to prevent..."

Attacks
- Criminal
  - Fraud: prolific on the Internet
  - Destructive; intellectual property
  - Identity theft, brand theft
- Privacy: less and less available
  - People do not own their own data
  - Surveillance, databases, traffic analysis
  - Echelon, Carnivore
- Publicity & denial of service
- Legal
Risk Analysis
"The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers."

Assets
- What are you trying to protect?
- Why is it being protected?
- Risk to other systems on the network
- Data
  - Tampering vs. stealing
  - Liability

Security Goals #1
- Privacy? Anonymity?
- Authentication
- Data confidentiality
  - End-user data
  - Ramifications of disclosure
- Data integrity
  - Secure transmission (Vonnegut MIT)
  - Secure servers (/etc)
  - Software developer

Security Goals #2
- System integrity
  - Is the system being used as intended?
  - Trust relationships
  - Executables (rootkit)
- System / network availability
  - Cyber-vandals
  - DoS: all but impossible to prevent
- Security through obscurity?
Attackers
- Categorize by
  - Objective, access, resources, expertise, and risk
- Hackers:
  - Galileo, Marie Curie
- Lone criminals, insiders, espionage, press, organized crime, terrorists
Motives
- Business competitors
- Same motives as "real-life" criminals
- Financial motives
  - Credit cards
  - The Cuckoo's Egg
- Political motives
- Personal / psychological motives

Motives
- Honeypot: "to learn tools, tactics and motives of the blackhat community"
- Script kiddies
  - Canned exploits in Perl or shell scripts
  - Still a major threat
- Knowing motives helps predict attacks
- Degrees of motivation
  - Automated tools
  - Hardened systems vs. easy kills
Steps in an Attack
1. Identify target & collect information
2. Find vulnerability in target
3. Gain appropriate access to target
4. Perform the attack
5. Complete attack, remove evidence, ensure future access

After you get root
1. Remove traces of root compromise
2. Gather information about system
3. Make sure you can get back in
4. Disable or patch vulnerability
Vulnerability Landscape
- Physical world
  - Laptops
- Virtual world
- Trust model
- System life cycle

Vulnerabilities
- Only potential until someone figures out how to exploit them
- Need to identify and address those that
  - apply now and must be mitigated now
  - are likely to apply and must be planned against
  - seem unlikely and/or are easy to mitigate
Simple Risk Analysis: ALEs
- Correlate & quantify assets + vulnerabilities + attackers
- Annualized Loss Expectancy for each vulnerability associated with each asset
- Single loss cost x expected annual occurrence = ALE
- Compare against the cost to prevent

ALE
- Strengths
  - Simplicity (PHB will like it), flexibility
- Weakness
  - Very subjective
Attack Trees (Bruce Schneier)
- Visual representation of attacks against any given target
- Attack goal is the root
- Attack subgoals are leaf nodes
  - For each leaf, determine the subgoals necessary to achieve it
  - And the cost to achieve penetration using different types of attackers

Attack Tree Example
Goal: Steal Customer Data
- Obtain Backup Media
  - Burglarize Office (cost $10,000)
- Intercept
  - Bribe Admin at ISP ($5,000)
  - Hack remote user's home system ($1,000)
  - Hack SMTP Gateway ($2,000)
- Hack into Server
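The attack tree above and the ALE slides both reduce to a cost comparison, so here is an added example (not from the slides or from Schneier) that evaluates the slide's tree: OR nodes take the cheapest child, AND nodes add their children, and the result is the cheapest path an attacker has, i.e. the weakest link a defender should price first. The "Hack into Server" leaf has no cost on the slide, so its $20,000 here is an assumption, as is the $15,000 post-hardening cost used to show the weakest link moving to the next leaf.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Node:
    """Attack-tree node: leaves carry the attacker's cost, inner nodes combine
    children with OR (any one subgoal suffices) or AND (all subgoals needed)."""
    name: str
    cost: Optional[float] = None
    op: str = "OR"
    children: List["Node"] = field(default_factory=list)

def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach `node`, plus the leaves that path uses."""
    if not node.children:
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    # AND: every subgoal must be achieved, so the costs add up
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]

def build_tree(costs: Dict[str, float]) -> Node:
    """The slide's tree, parameterised by leaf cost so a defense can be modelled
    as raising a leaf's cost. 'Hack into Server' has no cost on the slide."""
    return Node("Steal Customer Data", children=[
        Node("Obtain Backup Media", children=[Node("Burglarize Office", costs["burglary"])]),
        Node("Intercept", children=[
            Node("Bribe Admin at ISP", costs["bribe"]),
            Node("Hack remote user's home system", costs["home"]),
            Node("Hack SMTP Gateway", costs["smtp"]),
        ]),
        Node("Hack into Server", costs["server"]),  # assumed value, not on the slide
    ])

SLIDE_COSTS = {"burglary": 10_000, "bribe": 5_000, "home": 1_000, "smtp": 2_000, "server": 20_000}

def ale(single_loss_cost: float, expected_annual_occurrences: float) -> float:
    """Annualized Loss Expectancy exactly as the ALE slide defines it."""
    return single_loss_cost * expected_annual_occurrences

def defense_is_worth_it(ale_before: float, ale_after: float, annual_defense_cost: float) -> bool:
    """A defense pays for itself when the ALE it removes exceeds what it costs."""
    return ale_before - ale_after > annual_defense_cost

if __name__ == "__main__":
    cost, path = cheapest_attack(build_tree(SLIDE_COSTS))
    print(f"Weakest link: {path} at ${cost:,.0f}")
    # Constructed defense: hardened remote-user endpoints raise that leaf to $15,000
    cost2, path2 = cheapest_attack(build_tree(dict(SLIDE_COSTS, home=15_000)))
    print(f"After defense: {path2} at ${cost2:,.0f}")
```

Re-running after each candidate defense shows which leaf becomes the new cheapest path, which is the "weakest link" point of the final slide in numbers.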
Defenses
- Three general means of mitigating attack risk
  - Reducing asset value to the attacker
  - Mitigating specific vulnerabilities
    - Software patches
    - Defensive coding
  - Neutralizing or preventing attacks
    - Access control mechanisms
    - Distinguish between trusted & untrusted users

Security
- Security is a process, not a product
- Weakest link in the process
- Examples of threat modeling in Secrets & Lies, chapter 19
References
- Cohen, Fred. "A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model." Sandia National Laboratories, Sept 1998 ( effect.html)
- Bauer, Michael D. "Building Secure Servers with Linux." O'Reilly, 2003