Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Modeling - An Overview All Your Data is Mine

Published byGeorgia Jacobs Modified over 6 years ago

Similar presentations

Presentation on theme: "Threat Modeling - An Overview All Your Data is Mine"— Presentation transcript:

1 Threat Modeling - An Overview All Your Data is Mine
Megha Anand itsmeghaanand-at-gmail-dot-com <date>

2 Agenda Statistics Terminology Terminology Example Threat Modeling
Benefits Threat Modeling Steps STRIDE & its Relation Threat Tree Risk Assessment Case Study

3 How bad it is?

4 Look at Me!!! Source: Jeremiah's Blog Source: nCircle

5 Solutions

6 Security into SDLC Source: Software Security, by Gary McGraw

7 Assumptions You are an application architect or otherwise interested in understanding how to effectively create security design requirements You have gone through the Michael Howard webinar before participating in threat modelling exercise

8 Terminology Asset: Things to protect (tangible or intangible)
Entry/Exit Points: Ways to get at an asset Threat: Risks to an asset Attack / exploit: An action taken that harms an asset Vulnerability: Specific ways to execute the attack Risk: Likelihood that vulnerability could be exploited Mitigation / Countermeasure: Something that addresses a specific vulnerability We can mitigate vulnerabilities… …but the threat still exists!!!

9 Asset – ATM Terminology Example Closed Attacker – Burglar Use Case
a) Customer withdraws cash from ATM b) Checks balance in his/her account c) Transfers cash to some other account Asset – ATM Closed Attacker – Burglar Threat – Denial of Service Attack – Physically tempered Vulnerability – Plastic made

10 But threat still persists!!!
Terminology Example Security Controls Guard CCTV Cameras ATM Machine should be made of Steel/Iron But threat still persists!!!

11 Take Away!!! Key Point: We can reduce the risk but cannot rid of completely!!! Assumption: Lets engage in repetitive penetration testing Question: During Development? At deployment? After deployment?

12 Threat Modeling Threat modeling is a procedure for optimizing application’s security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. The key to threat modeling is to determine where the most effort should be applied to keep a system secure.

13 Avoids CSD = Compulsive Security Disorder!!!
Benefits In order to manage all risks efficiently Security budget can be optimally utilized Strengths & weakness of a system can be characterized Flaws can be found at earlier stage Rather than performing penetration testing for all cases, targeted penetration testing can be performed Avoids CSD = Compulsive Security Disorder!!!

14 Cost

15 Another Way to Look At Costs of an exploited vulnerability:
Cost of application is unavailable Cost of deploying incident response team Cost of developing patch Cost of testing patch Potential regulatory fines Risk of litigation Reputation risk to company

16 Pre- Production Requirement Gathering or Early stages of SDLC

17 Post Production

18 Threat Modeling Steps Information Gathering Decompose Application
Understand attacker & abuse cases Threat Analysis Risk Analysis

19 Information Gathering
Sessions with - Architects - Developers - Business Analyst - Information Risk Officers Review Architecture Document Collect information about user roles, data sensitivity, Intranet/Internet, application components. Identify Business Security Objectives

20 Business Security Objective
It’s a high level overview of what security issues need to be addressed in order to maintain business objective. Generate security objective with help of - Confidentiality - Integrity - Availability

21 Decompose Application
List Components User – Admin/Normal User, Client Web Server - Web Tier App Server - Business Logic Tier DB Server - Backend Tier

22 Data Flow Diagram Visual representation of data flow between different components of an application. - Level 0 DFD - Level 1 DFD

23 DFD Components Web Server Customer Data Store
Request Web Server Request Customer Data Store Response Response External Entity - Entry point of application

24 DFD Components Web Server Customer Data Store
Request Web Server Request Customer Data Store Response Response Process - Perform an Action

25 DFD Components Web Server Customer Data Store
Request Web Server Request Customer Data Store Response Response Data store - Where data is stored

26 DFD Components Web Server Customer Data Store
Request Web Server Request Customer Data Store Response Response Data Flows - Direction of Data Movement

27 Trust Boundary – Physical or Logical
DFD Components Request Web Server Request Customer Data Store Response Response Trust Boundary – Physical or Logical

28 Simple Approach – Threat Profile
Request Request Middle Layer Front -End Backend Layer Response Response

29 STRIDE – Threat Categories
Spoofing Tempering Repudiation Information Disclosure Denial of Service Escalation of Privileges

30 Threat Categories & Security Control
Spoofing Authentication Tempering Integrity Repudiation Non – Repudiation Information Disclosure Confidentiality Denial of Service Availability Escalation of Privileges Authorization

31 Threat – Element Relation
DFD Component S T R I D E Entity X Process Data Flow Data Store

32 Threat Tree

33 Risk Assessment Simplest Approach Low, Medium, High
Impact/Likelihood Matrix Low Medium High

34 Case Study Internet based application hosted on dedicated environment.
DFD Components External Entity – Customer Process - Web Server Data Flows - b/w Client to Web Server STRIDE Applicability External Entity – Spoofing, Repudiation Process - Spoofing, Tempering, Repudiation, Information Disclosure, Denial of Service, Escalation of privileges. Data Flow – Tempering, Information disclosure, Denial of service

35 Now, raw material is ready. Lets prepare gravy…

36 Lets Understand Threats
External Entity Credentials held at the client are often disclosed or tampered with, leading to future spoofing attacks Credentials on the wire are often subject to snooping attacks. Dataflow without sequence numbers or timestamps are captured Does your web server supports anonymous user. What is username/password policy. What makes logging triggered. Type of data captured in logs Access to log files.

37 Data Flows Is the dataflow time stamped/sequenced and integrity protected? Is there a cryptographically strong channel integrity system? Is there a cryptographically strong message confidentiality system? Are all endpoints mutually authenticated with keys obtained? Does the app validate messages are arriving in the right order? How channel/message integrity is been maintained?

38 Process Credentials held at the server are often disclosed or tampered with, leading to future spoofing attacks. Username/Password Policy. Anonymous access allowed Is all input verified (server side validation for all data) What makes logging triggered. Type of data captured in logs Access to log files Is there a cryptographically strong channel integrity system? Is there a cryptographically strong message confidentiality system? Is the dataflow time stamped/sequenced and integrity protected?

39 All your DATA is mine

40 Continue… DFD Components Data Store – Customer Account data
Process - Service Data Flows - b/w Process to Data Store STRIDE Applicability Data Store - Tempering, Repudiation, Information Disclosure, Denial of Service Process - Spoofing, Tempering, Repudiation, Information Disclosure, Denial of Service, Escalation of privileges. Data Flow – Tempering, Information disclosure, Denial of service

41 Data Store Protection plan for data. Permissions set for accessibility to DB. Does log capture enough data. How sensitive data is been stored Configuration issues with DB. DB credentials in .config file.

42

Download ppt "Threat Modeling - An Overview All Your Data is Mine"

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
Discussing “Risk Analysis in Software Design” 1 FEB 2006 - Joe Combs.

Discussing “Risk Analysis in Software Design” 1 FEB Joe Combs.
Security Architecture

Security Architecture

Similar presentations

Ads by Google