Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat modeling Aalto University, autumn 2013.

Published byMiranda Mason Modified over 6 years ago

Similar presentations

Presentation on theme: "Threat modeling Aalto University, autumn 2013."— Presentation transcript:

1 Threat modeling Aalto University, autumn 2013

2 Threats Threat = something bad that can happen
Given an system or product Assets: what is there to protect? What are the threats against these assets? How serious are the threats i.e. what is the risk?

3 [Internet, original source unknown]

4 Security “pixie dust” Security mechanism are often applied without particular reason Cryptography, especially encryption does not in itself make your system secure If there is no explanation why some security mechanism is used, ask questions: What threats does it protect against? What if we just remove it? Is there something simpler or more suitable for the purpose?  Must understand threats before applying security mechanisms

5 [Internet, original source unknown]

6 Threat modeling approaches
Different angles to threat modeling: Assets: what is valuable in the system and how could it be lost? Attackers and their motivations: who would want to do something bad and why? Engineering: what parts are there in the system and how could they be caused to fail? Defenses: what (more) could be done to prevent or mitigate attacks? Checklists: what have we learned from the past?

7 Case study Mobile phone app shop

8 Assets Money Apps Feedback, reputation
App shop: servers, software, service Right to publish apps Customer account Customer’s phone, e.g. control and integrity User PII incl. location and purchases

9 Potential attackers and their motivation
Customers Want free apps Shopkeeper Selling more Paying less to the authors App authors Avoiding publishing fees Better feedback and reputation Spying on users Outsiders, colluding third parties Attackers on the Internet or in the cloud infrastructure Shop Author Customer Payment App Apps, adds Payment, feedback

10 Threats / potential attacks
Against the customer or phone: Malware, spyware Unauthorized access to personal data, or misuse of authorized access By the shop, by apps, by someone with access to your account Compromised customer accounts, unauthorized purchases Unauthorized purchases on the phone Against the shop: Fake positive feedback Disputed purchases Compromised servers or cloud infrastructure False sales data or feedback, malware distribution, leak of business secrets,... DoS attacks Against the authors: Negative feedback for competitors, especially free apps Shop paying the authors too little, reporting lower sales Copying apps to use without paying, to sell for profit, to insert malware Others: Attacks against Internet communication (sniffing, spoofing, MitM) Tax avoidance, money laundering

11 Systematic threat analysis

12 Basic security goals Consider first the well-known security goals:
Confidentiality Integrity Availability Authentication Authorization Non-repudiation Which goals apply to the system? How could they be violated?

13 Threat trees [source: Microsoft]

14 STRIDE STRIDE model used at Microsoft:
Spoofing vs. authentication Tampering vs. integrity Repudiation vs. non-repudiation Information disclosure vs. confidentiality Denial of service vs. availability Elevation of privilege vs. authorization Idea: divide the system into components and analyze each component for these threats Note: security of components is necessary but not sufficient for the security of the system

15 STRIDE Model the system as a data flow diagram (DFD)
Data flows: network connections, RPC Data stores: files, databases Processes: programs, services Interactors: users, clients, services etc. connected to the system Also mark the trust boundaries in the DFD Consider the following threats: Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege Data flow x Data store Process Interactor

16 [source: Microsoft]

17 Risk assessment Risk assessment is very subjective
Risk = probability of attack × damage in euros 0 < Risk < 1 Risk = low / medium / high Numerical risk values tend to be meaningless: What does risk level 0.4 mean in practice? Usually difficult to assess absolute risk but easier to prioritize threats Risk assessment models, e.g. DREAD Damage: how much does the attack cost to defender? Reproducibility: how reliable is the attack Exploitability: how much work to implement the attack? Affected users: how many people impacted? Discoverability: how likely are the attackers to discover the vulnerability?

18 Pitfalls in risk assessment
The systematic threat analysis methods help but there is no guarantee of find all or even the most important threats You need to understand the system: technology, architecture, stakeholders and business model Attackers are clever and invent new threats while threat analysis often enumerates old ones Always start by considering assets and attackers, not technology or security mechanisms

19 Saltzer and Schroeder Design principles that help avoid problems
Violations often indicate vulnerabilities Saltzer and Schroeder design principles [CACM 1974]: Economy of mechanism: keep the design simple Fail-safe defaults: fail towards denying access Complete mediation: check authorization of every access request Open design: assume attacker knows the system internals Separation of privilege: require two separate keys or other ways to check authorization whenever possible Least privilege: give only the necessary access rights Least common mechanisms: ensure failures stay local Psychological acceptability: design security mechanism that are easy to use correctly

20 What next? After identifying threats, we must assess the risk, prioritize the threats and choose countermeasures The process is iterative i.e. new analysis must be done after designing the system with countermeasures More detailed threat models can be done for each system component Threat analysis should be done during system design but can also be done on existing systems

21 Reading material Swiderski and Snyder, Threat modeling, 2004
Dieter Gollmann: Computer Security, 2nd ed., chapter 1.4.3; 3rd ed., chapter 2 Ross Anderson: Security Engineering, 2nd ed., chapter 25 Swiderski and Snyder, Threat modeling, 2004 Online resources: OWASP, Threat Risk Modeling, MSDN, Uncover Security Design Flaws Using The STRIDE Approach, MSDN, Improving Web Application Security: Threats and Countermeasures, Chapter 3

22 Exercises Analyze the threats in the following systems:
Oodi student register, Noppa Remote read electric meter University card keys Traffic light priority control for public transportation Lyyra student card, (based on Sony FeliCa contactless ICC) What are the assets and potential attackers? Apply the STRIDE model or threat trees; this will require you to model the system first

Download ppt "Threat modeling Aalto University, autumn 2013."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Cryptography and Network Security

Cryptography and Network Security
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

Similar presentations

Ads by Google