Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Similar documents
CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Development*Process*for*Secure* So2ware

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Malware, , Database Security

A (sample) computerized system for publishing the daily currency exchange rates

C1: Define Security Requirements

CS 356 Operating System Security. Fall 2013

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Copyright

COMPUTER NETWORK SECURITY

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Threat Modeling Using STRIDE

Secure Development Processes

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Engineering Your Software For Attack

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security and Authentication

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Overview of Information Security

Instructions 1 Elevation of Privilege Instructions

- Table of Contents -

Cyber Criminal Methods & Prevention Techniques. By

Security activities during development

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Secure Application Development. OWASP September 28, The OWASP Foundation

90% of data breaches are caused by software vulnerabilities.

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

A Review Paper on Network Security Attacks and Defences

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

ANATOMY OF AN ATTACK!

Practical Threat Modeling. SecAppDev 2018

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Education Network Security

Security Audit What Why

CS Final Exam

Security Architecture

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

Effective Threat Modeling using TAM

ISO/IEC Common Criteria. Threat Categories

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Security analysis and assessment of threats in European signalling systems?

OWASP March 19, The OWASP Foundation Secure By Design

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

Distributed Systems. Lecture 14: Security. Distributed Systems 1

SANS Institute , Author retains full rights.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Distributed Systems. Lecture 14: Security. 5 March,

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Building Security Into Applications

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

CHAPTER 8 SECURING INFORMATION SYSTEMS

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Chapter 4. Network Security. Part I

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Software Security and Exploitation

Cyber Security Audit & Roadmap Business Process and

CITADEL INFORMATION GROUP, INC.

The Common Controls Framework BY ADOBE

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

IEEE Sec Dev Conference

LBI Public Information. Please consider the impact to the environment before printing this.

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Checklist: Credit Union Information Security and Privacy Policies

Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

THREAT MODELLING FOR WEB SERVICES BASED WEB APPLICATIONS

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

CSWAE Certified Secure Web Application Engineer

Product Security Briefing

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Secure Development Lifecycle

CIH

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

epldt Web Builder Security March 2017

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

Define information security Define security as process, not point product.

Cybersecurity glossary. Please feel free to share this.

Using and Customizing Microsoft Threat Modeling Tool 2016

19.1. Security must consider external environment of the system, and protect it from:

E-Commerce/Web Security

Having learned basics of computer security and data security, in this section, you will learn how to develop secure systems.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Web Application Vulnerabilities: OWASP Top 10 Revisited

Pass Microsoft Exam

Transcription:

Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1

Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process Conclusion 3 Different SE processes Software engineering & security Waterfall, Spiral, Prototyping, UP, XP, Adaptive programming,... Different phases None of the processes really supports security Security is highly demanding wrt. SE process No good and overall support for security in standard processes 4 2

Software engineering & security - in practice - Often ad hoc (typically in later phases) or not covered at all Issues: Non systematic approach Bad early decisions can make your life very difficult Hard to manage and modify First attempts at systematic integration in SW engineering process in big software houses Too early to evaluate, but first indications promising E.g. MS IIS 5 -> MS IIS 6 5 Example: Cigital s touchpoints 6 3

Example: Microsoft s SDL 7 Key Activities Both process models rank the following two activities as key: Threat modeling as a late form of security requirements engineering (Tool-assisted) code review to deal with implementation level vulnerabilities This lecture will discuss threat modeling from a practical perspective 8 4

Threat modeling Threat modeling is performed early in the software development lifecycle Primary goal: get a good view on possible threats to the system being developed Business threats, architectural threats, Threat modeling can be done on various levels of abstraction System level E.g. Threat modeling of the Internet e-mail system Application or component level E.g. Threat modeling of the e-mail client software 9 Threat Modeling (ctd.) Fundamental step in risk management System vs. Organizational threat modeling E.g., OCTAVE 10 5

Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process Conclusion 11 Owners wish to maximize wish to minimize availability/ usefulness impose countermeasures that may be to reduce that may possess that increases of reduced by vulnerabilities may be aware of leading Threat- to agents give rise to that exploit threats that increase to risk to assets wish to abuse and/or may damage 12 6

Threats versus Security Goals In a first approximation, threats and security goals are each others negation: A security goal is a statement of intent to counter identified threats A threat is the intention of a threat agent to break a security goal 13 Information disclosure Typical Threats Threat: Information leaks to threat agents that should not be able to get access to that information Corresponding Security Goals: Data Confidentiality: protecting data against unauthorized reading Access Control: preventing unauthorized access to software functions Example: stealing of credit card numbers 14 7

Typical Threats Information tampering Threat: threat agents tamper with data they should not be able to modify Corresponding Security Goals: Data Integrity: protecting data against unauthorized writing Data Origin Authentication: verifying the claimed identity of the originator of a message Access Control: preventing unauthorized access to software functions Example: changing the price of purchased goods 15 Repudiation Typical Threats Threat: threat agent denies involvement in an event Corresponding Security Goals: Non-repudiation: the provision of irrefutable evidence about what happened and who was involved Audit: chronological record of system activities to enable the reconstruction of events Example: denying placement of a stock order 16 8

Denial of Service Typical Threats Threat: threat agent destroys the usefulness of the system for legitimate users Corresponding Security Goals: Availability: ensuring availability of the system to legitimate users Example: Distributed Flood Attack 17 Elevation of privilege Typical Threats Threat: threat agent gets more access to information/communication/processing resources than he is authorized for Corresponding Security Goals: Access Control: preventing unauthorized access to software functions Entity Authentication: verifying the claimed identity of a party one is interacting with Example: getting root 18 9

Spoofing Typical Threats Threat: Threat agent pretends to be someone/something he is not Corresponding Security Goals: Entity Authentication: verifying the claimed identity of a party one is interacting with Data Origin Authentication: verifying the originator of a message Example: phishing 19 Vulnerabilities A vulnerability is an aspect of (a component of) the system that allows a threat agent to realize a threat (i.e. break a security goal) Hence, vulnerabilities are relative to the capabilities of the threat agent E.g. the system can be vulnerable to insiders but not to outsiders 20 10

Vulnerabilities Vulnerabilities arise through failures in: Requirements, Failure to identify all relevant assets, or specific threats E.g. protecting against the threat of downloaded malicious code was not recognized as a requirement for OS security in the eighties Construction, Vulnerabilities in security components E.g. a weak cryptographic algorithm Vulnerabilities in application functionality E.g. buffer overflows, SQL injection, Operation E.g. Setting an incorrect policy 21 Vulnerabilities Vulnerabilities can exist in the different layers of a software system Application, e.g. SQL injection Programming language runtime, e.g. type confusion Middleware, e.g. open management interface Operating system, e.g. FAT32 file system Hardware, e.g. side-channels 22 11

Countermeasures Countermeasures are the mechanisms used to: Reduce vulnerabilities, and hence: Realize security goals Counter threats 23 Countermeasures Countermeasures can be: Preventive: avoid vulnerability Detective: detect vulnerability exploitation Reactive: handle incidents Countermeasures can be taken by: Software engineers, programmers who develop software Administrators, system managers who deploy software 24 12

Software Engineer Countermeasures For vulnerabilities introduced in the requirements phase: Security reqs engineering, threat analysis and modeling To address threats collected during requirements engineering Security technologies cryptography, access control mechanisms, authentication mechanisms, For vulnerabilities introduced during construction: Secure programming, static analysis, safe languages, For vulnerabilities introduced during operation: Documentation, operational procedures, secure defaults, 25 Administrator Countermeasures Preventive countermeasures: deployment of additional protection: Firewalls, VPN s, patching weaknesses where possible: CERT advisories, Windows Update, Detective countermeasures: Intrusion Detection software or Fraud Detection software Virus scanning Security solutions should be managed, supporting reactive countermeasures 26 13

Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process Conclusion 27 Simplified e-mail system User u1 mail storage server 1 mail transfer server 2 mail client 3 mail 4 transfer server mail client 6 5 8 mail storage server 7 User u2 domain1.com domain2.com 28 14

Assets E-mail messages header body Address book / contact information Client and Server machines Storage space Computational resources Mail delivery service Infrastructural software (OS, ) Network infrastructure 29 E-mail message Threats Unauthorized reading of message body Define what is authorized! Tampering with message In transit In storage E-mail spoofing (tampering with the from: field) Repudiation Of sending Of receipt 30 15

Threats Client and Server machines Denial of service E.g. Inbox storage space Elevation of privilege Server is a trusted software layer, making a limited functionality (sending/receiving mail) available to clients If you can break the server out of this limited functionality (e.g. because of bugs), you can attack the server machine E-mail viruses E.g. through executable attachments Unauthorized use of mail delivery service E.g. Spam e-mail 31 Threats Not all undesirable behavior can easily be related to assets: Detecting when somebody reads his mail Asset = privacy of the reader? 32 16

Vulnerabilities Requirements: Security was not a concern in the original design of Internet e-mail As a consequence, plain e-mail system is vulnerable to all identified threats Countermeasures have been designed and integrated over the past decades Construction: Implementation bugs in all e-mail components have been exploited Sometimes amplified because of vulnerabilities in OS Operation: Insecure configuration of e-mail: open mail relays, sendmail debug mode, 33 Possible Countermeasures Public key encryption and signing of e-mail, counters: e-mail spoofing tampering / reading messages in transit repudiation of sending Password based authentication and access control Counters tampering / reading messages in storage Sandboxing of attachments Counters virus-spreading Code review or static analysis of server code Counters elevation-of-privilege on server 34 17

Vulnerabilities in Countermeasures Weak encryption algorithms Predictable generation of encryption keys Guessable passwords False negatives in static analysis for bugs 35 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process Conclusion 36 18

Microsoft s Threat Modeling process As part of it s Secure Development Life Cycle, Microsoft has defined a threat modeling activity Supported by documentation and tools We discuss it as an example: Discuss the structure of this Threat Modeling process Illustrate it on example application (taken from the left book) 37 Example application: Pet Shop 38 19

client Infrastructure for Pet Shop company network client 1 FW1 2 web server FW2 3 FW3 4 application back-end server client 1 Browsers: Internet Explorer Firefox Web and Application server : Windows Server 2003 with: MS IIS.NET Framework 2.0 Back-end: SQL Server 2005 39 Overall Structure of the Threat Modeling Process 1. Define Use Scenarios 2. List External Dependencies 3. Define Security Assumptions 4. Create External Security Notes 5. Model the Application 6. Determine Threat Types 7. Identify Threats 8. Determine Risk 9. Plan Mitigations 40 20

1. Define Use Scenarios Define how the system will be used, and how it won t be used Bound the threat modeling discussion What threat scenarios are in scope? E.g. do we care about insider threat agents? 41 2. List External Dependencies All application software relies on infrastructural software for its correct functioning Document these dependencies E.g. Pet Shop depends on: Web-based client s.a. Internet Explorer or Firefox MS Windows Server 2003 operating system MS IIS SQL Server 2005.NET Framework 2.0 42 21

3. Define Security Assumptions What security guarantees do you expect from your external dependencies? E.g. for Pet Shop: IIS and ASP.NET enforce authentication correctly Physical access to the servers is restricted to administrators Configuration files are protected using operating system access controls 43 4. Create External Security Notes Document security-relevant information for users of the application E.g. 44 22

Model the system 5. Model the Application Typically modeled using dataflow diagrams External entities Processes Data stores Data flow Privilege boundaries 45 To model or not to model? 46 23

Example Model for Pet Shop 47 Example Model for Pet Shop 48 24

Example Model for Pet Shop 49 6. Determine Threat Types Microsoft s process uses the STRIDE threat types: Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege 50 25

Identify assets 7. Identify Threats By default, all DFD elements are considered an asset 51 8. Determine Risk Subjective numerical estimation techniques have been abandoned, e.g. DREAD Current guideline is to use objective thread characteristics: Server app versus client app Local versus remote accessibility Accessible to anonymous or remote users 52 26

Spoofing threats risk ranking 53 Tampering threats risk ranking 54 27

Information Disclosure risk ranking 55 DoS threats risk ranking 56 28

EoP threats risk ranking 57 Mitigation strategies Do nothing External security note! Remove the feature Turn off the feature Warn the user 9. Plan Mitigations Dancing pigs syndrome! Counter the threat with technology 58 29

Example countermeasures 59 Conclusion Threat modeling is an activity to be performed in the early phases of the software life cycle In order to understand the threat profile of the software In order to select countermeasures in an informed way Microsoft places Threat Modeling in the top 2 of most important security related activities Other one is static analysis for implementation vulnerabilities 60 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback