
Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 Jeff Minelli Penn State ITS


1 Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 Jeff Minelli Penn State ITS jgm106@psu.edu

2 % whoami I have been working for the University since the Spring of 1994. My teacher and mentor was extremely security conscious. I’ve done everything from networking to desktop support. Primarily networking, storage, security, unix/linux system administration. Currently work in ITS/DLT as a DevOps Engineer.

3 Threat Modeling
SANS: a process to ensure application security.
Microsoft: systematically identify and rate the threats that are most likely to affect your system.
OWASP: an essential process for secure web application development.

4 Simply put, a threat model is an outline, chart, graph or text:
Identifying the system's attack surfaces
Identifying the threat agents (who can attack the system)
Identifying the assets those threat agents may compromise

5 The 5 Ws Yes, the 5 Ws (and the oddball H) we all know and love from grade school: Who, What, When, Where, Why, and How.

6 Thinkin' n' Stuff – Socrates Rocks
Always ask questions
Foster critical thinking
Search for answers
Research, study, and learn. You're always in school.

7 The general process
Gather info about the entire application stack: the assets, and the risk of losing data
Break it down into pieces
Draw it
Identify the risks: look for data entry/exit points, and for the different access layers and restrictions
Define the threats: look for angles of attack
Identify methods of mitigation

8 Data Flow Diagrams (DFD) Visual representations of how the application processes data: external entities, processes, data stores, the data flows between them, and the trust boundaries those flows cross. Example from https://www.owasp.org/index.php/File:Data_flow1.jpg

9 Dive into those Ws and 1 H
What/Who are you protecting, asset wise
Technology stack
Best practices
Network paths
Data entry and exit points
Input sanitization and validation
AuthN/AuthZ
Compliance and regulations
What is impacted if something occurs (business impact)
And thousands more

10 Forced Interactive Time Case study on the white board. Oh no, class participation time!
13 All talks need statistics or charts

14 T.M. for the Extremists There are many different tools and schemes you can use if you delve deeper into threat modeling.

15 Characterizing threats STRIDE – Microsoft's threat classification scheme
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

16 Threats and associated risk DREAD – quantify the risk of each threat by rating:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
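The process from slide 7 carried through on a toy web application, as an added illustration that is not part of the talk: the DFD is written down as data, STRIDE is applied per element type to enumerate candidate threats, and DREAD is used to rank a few of them. The application, trust zones, ratings and names are constructed. The STRIDE-per-element table is the one from the Microsoft SDL, and the DREAD scale (Low/Medium/High = 1/2/3, five factors summed to 5-15, banded 12-15 High, 8-11 Medium, 5-7 Low) is the one in the MSDN "Improving Web Application Security" guide; both are assumptions of this example, not something the slides state.

```python
"""Walk through the talk's process on a toy web app: draw the DFD as data,
enumerate threats with STRIDE-per-element, rank them with DREAD, and name
the security property each STRIDE category calls for.

Added illustration, not from the slides. The application, trust zones and
DREAD ratings are constructed. STRIDE-per-element table: Microsoft SDL chart.
DREAD scale: Low/Medium/High = 1/2/3, summed over five factors, 12-15 High,
8-11 Medium, 5-7 Low (MSDN "Improving Web Application Security" guide).
"""
from dataclasses import dataclass

# Which STRIDE categories apply to each DFD element type (Microsoft SDL chart).
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "process": "STRIDE",   # a process is exposed to all six
    "store": "TRID",       # data store: R applies when it holds audit logs
    "flow": "TID",         # data in transit
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# The property a countermeasure must provide, per category (standard STRIDE pairing).
COUNTERS = {
    "S": "authentication", "T": "integrity", "R": "non-repudiation (audit logs)",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    needs: str              # security property a countermeasure must supply
    crosses_boundary: bool  # entry/exit point of the system: look here first

def build_sample_model():
    """Constructed DFD: a browser on the internet talks to a web app that
    queries a database; app and database share one internal trust zone."""
    browser = Element("Browser", "external", "internet")
    webapp = Element("Web app", "process", "internal")
    db = Element("User DB", "store", "internal")
    flows = [
        Flow(browser, webapp, "login form: username+password"),
        Flow(webapp, db, "SQL query"),
        Flow(db, webapp, "result rows"),
    ]
    return [browser, webapp, db], flows

def enumerate_threats(elements, flows):
    """STRIDE-per-element: one candidate threat per (target, category)."""
    threats = []
    for el in elements:
        for c in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, STRIDE_NAMES[c], COUNTERS[c], False))
    for fl in flows:
        target = f"{fl.src.name} -> {fl.dst.name} [{fl.data}]"
        crosses = fl.src.zone != fl.dst.zone
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(target, STRIDE_NAMES[c], COUNTERS[c], crosses))
    return threats

RATING = {"low": 1, "medium": 2, "high": 3}

def dread(damage, reproducibility, exploitability, affected_users, discoverability):
    """Sum the five DREAD factors (each low/medium/high) and band the result."""
    total = sum(RATING[r] for r in (damage, reproducibility, exploitability,
                                    affected_users, discoverability))
    band = "High" if total >= 12 else "Medium" if total >= 8 else "Low"
    return total, band

def rank_sample_threats():
    """Rate three enumerated threats with constructed DREAD values and return
    them highest risk first, as (target, category, total, band, needs)."""
    elements, flows = build_sample_model()
    by_key = {(t.target, t.category): t for t in enumerate_threats(elements, flows)}
    login = "Browser -> Web app [login form: username+password]"
    rated = [
        # credentials in transit with no TLS: trivially observed, everyone affected
        (by_key[(login, "Information disclosure")], dread("high", "high", "medium", "high", "high")),
        # no audit trail on the app: a user can deny having performed an action
        (by_key[("Web app", "Repudiation")], dread("low", "high", "medium", "medium", "low")),
        # filling the user table from inside the trust zone: low damage, hard to reach
        (by_key[("User DB", "Denial of service")], dread("low", "low", "low", "medium", "low")),
    ]
    rated.sort(key=lambda pair: pair[1][0], reverse=True)
    return [(t.target, t.category, total, band, t.needs) for t, (total, band) in rated]

if __name__ == "__main__":
    els, fls = build_sample_model()
    for t in enumerate_threats(els, fls):
        flag = "*" if t.crosses_boundary else " "   # * marks a boundary-crossing flow
        print(f"{flag} {t.target}: {t.category} -> needs {t.needs}")
    for row in rank_sample_threats():
        print(row)
```

Running it lists 21 candidate threats; the three on the browser-to-app flow are starred because that flow crosses the internet/internal trust boundary, which is exactly the "data entry/exit point" slide 7 tells you to look for first. The DREAD ranking then puts the cleartext-credentials threat (14, High) ahead of the missing audit trail (9, Medium) and the database DoS (6, Low), and the `needs` column names the property a mitigation must supply for each.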

17 Wrapping Up
Know your threats
Secure the network, hosts, application, and dependencies
Incorporate security into development practices
Focus on principles, patterns, and practices
Apply continuous measures throughout the lifecycle of the app
Control the use of the resources granted, not which resources are granted.

18 Thinkin' n' Stuff – part redux
Always ask questions
Foster critical thinking
Search for answers
Research, study, and learn. You're always in school.
By-products: additional skills; staying relevant; these tools transfer; enhance your SRDP; make your CV/resume shinier.

19 Some Security Operations and Services services [sic] http://sos.its.psu.edu/
Intrusion Detection & Prevention – help identify and prevent malicious activity on computers connected to a network.
Vulnerability Assessment – help you identify vulnerabilities and misconfigurations in operating systems and software.
Web Application Assessment – automated and manual assessment tools to investigate a web application for vulnerabilities, misconfigurations, and other issues that could pose security risks to the University's assets.

20 Some Security Operations and Services services the 2nd [sicer] http://sos.its.psu.edu/
Security Assessment and Analysis – one-on-one meetings assessing and analyzing security risk.
Unit Assessment – holistic assessment with recommendations to improve the overall unit security posture, which includes continued collaboration and a feasible action plan.

21 Suggested Starting Points
https://www.owasp.org/index.php/Threat_Risk_Modeling
http://www.sans.org/reading-room/whitepapers/securecode/threat-modeling-process-ensure-application-security-1646
http://msdn.microsoft.com/en-us/library/ff648644.aspx
Don't stop there. Keep digging, reading and learning. Take the "read" pill.

22 Questions, Comments?

23 Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 https://scholarsphere.psu.edu/files/r781wm924 Jeff Minelli jgm106@psu.edu https://www.yammer.com/psu.edu/users/jgm0106
