Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Similar documents
Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012

SANS Institute , Author retains full rights.

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

How To Make Threat Modeling Work For You

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

OWASP March 19, The OWASP Foundation Secure By Design

Governance Ideas Exchange

Threat Modeling For Secure Software Design

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Cyberspace : Privacy and Security Issues

Unit 3 Cyber security

Development*Process*for*Secure* So2ware

Threat Modeling Using STRIDE

CSWAE Certified Secure Web Application Engineer

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

How Threat Modeling Can Improve Your IAM Solution

Information security summary

CYBER SECURITY AND MITIGATING RISKS

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

COMPUTER NETWORK SECURITY

Managing an Active Incident Response Case. Paul Underwood, COO

Network Security: Threats and goals. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Application Security Design Principles. What do you need to know?

Outline. 1 Introduction. 2 Security Architecture and Design. 3 Threat Risk Modelling. 4 Phishing. 5 Web Services. 6 Secure Coding Guidelines

Information Security

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Cyber Security Audit & Roadmap Business Process and

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

10 FOCUS AREAS FOR BREACH PREVENTION

Certified Secure Web Application Engineer

Instructions 1 Elevation of Privilege Instructions

HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands

C1: Define Security Requirements

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

A (sample) computerized system for publishing the daily currency exchange rates

Threat Modeling against Payment systems

Cyber Criminal Methods & Prevention Techniques. By

How Cyber-Criminals Steal and Profit from your Data

Ethics and Information Security. 10 주차 - 경영정보론 Spring 2014

Security Solutions. Overview. Business Needs

2014 TRANSIT CEOs SEMINAR. Cybersecurity What Every CEO Should Know to Help Secure the System

Using and Customizing Microsoft Threat Modeling Tool 2016

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

ISO/IEC Common Criteria. Threat Categories

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 1 Introduction to Security

Cryptography and Network Security Chapter 1

90% of data breaches are caused by software vulnerabilities.

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

Overview of Information Security

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

An Example of use the Threat Modeling Tool

EXAMINATION [The sum of points equals to 100]

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Combating Cyber Risk in the Supply Chain

Secure Development Processes

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Compliance: How to Manage (Lame) Audit Recommendations

cs642 /introduction computer security adam everspaugh

Practical Threat Modeling. SecAppDev 2018

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

ANATOMY OF AN ATTACK!

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

S e c u rity S o lu tio n s

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Advanced IT Risk, Security management and Cybercrime Prevention

Using the BS 7799 to improve Organization Information Security. Gaurav Malik

IS Today: Managing in a Digital World 9/17/12

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

owasp helsinki meeting,

How Breaches Really Happen

The emerging battle between Cyber Defense and Cybercrime: How Technology is changing to keep Company and HR data safe

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Vulnerabilities in online banking applications

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cyber Security Program

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Cybersecurity glossary. Please feel free to share this.

Protecting your next investment: The importance of cybersecurity due diligence

Lecture 4: Threats CS /5/2018

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cryptography and Network Security

A Hybrid Approach to Threat Modelling

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

Who We Are! Natalie Timpone

Security activities during development

Security Testing White Paper

CSE 3482 Introduction to Computer Security. Introduction to Information/Computer Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

with Advanced Protection

Adam Shostack Microsoft

Cyber Hygiene Guide. Politicians and Political Parties

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS

Transcription:

Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017

Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2

WHAT IS SECURITY 3

What is security When talking about security, we are concerned about bad events caused with malicious intent Security vs. reliability? Terminology: Threat = bad event that might happen Attack = someone intentionally causes the bad thing to happen Vulnerability = weakness in an information system that enables an attack Exploit = implementation of an attack Risk = probability of an attack damage in euros

Security Goals Confidentiality, Integrity, Availability CIA Confidentiality protection of secrets Integrity only authorized modification of data and system configuration Availability no denial of service, business continuity Examples: web server, customer data The CIA model is a good starting point but not all: Access control no unauthorized use of resources Privacy control of personal data and space What else? Security is a non-functional property of a system 5

Some goals not covered by CIA Authentication for access control and accountability Accounting, payment Content protection Protection of services and infrastructure in a hostile environment (e.g. Internet) Anonymity, freedom of expression Control and monitoring

Who is the attacker? We partition the world into good and bad entities Honest parties vs. attackers, red vs. blue Good ones follow specification, bad ones do not Must consider different partitions to cover all viewpoints Typical attackers: Curious individuals Friends and family Dishonest people for personal gain, making and saving money Hackers, script kiddies for challenge and reputation Companies for business intelligence and marketing Organized criminals for money Governments and security agencies NSA, SVR RF, GCHQ, DGSE, etc. Military SIGINT strategic and tactical intelligence, cyber defense Insiders are often the greatest threat Employee, administrator, service provider, customer, family member Often, not all types of attackers matter Who would you not want to read your email? 7

THREAT ANALYSIS 8

Threats Threat = something bad that can happen Given an system or product What assets are there to lose and to protect? Who are the stakeholders? What are the threats against the assets? How serious are the threats i.e. what is the risk? Threat analysis requires both security and domain expertise 9

[Internet, original source unknown] 10

Threat modeling approaches Different angles to threat modeling: Assets: what is valuable in the system and how could it be lost? Attackers and their motivations: who would want to do something bad and why? Engineering: what parts are there in the system and how could they fail? Draw diagrams of the system architecture, data flows etc. Countermeasures: what is or could be done to prevent or mitigate attacks? Checklists, lessons learned: what has gone wrong in the past?! 11

THREAT MODELING EXAMPLE: STUDENT LUNCH DISCOUNT See a separate document for the details 12

SYSTEMATIC THREAT MODELING 13

Basic security goals Consider first the well-known security goals: Confidentiality Integrity Availability Authentication Authorization, access control Non-repudiation Which goals apply to the system? How could they be violated? 14

Checklist: some threats to consider Typical assets: the product or service, money paid or saved, customer and business information, reputation, and the system components Crime motivated by money Theft, fraud Industrial espionage, dishonest ways to competitive advantage Corruption: tax evasion, subsidy fraud, bribery, theft by those in power Threats to customer data and personal privacy Insider threats Employees, IT administrators, trusted entities Curiosity and pretty theft Misincentivized employees doing their best Privilege escalation and stepping stones to further attacks Threats to accounts, devices and administration Weaknesses in authentication credentials: issuing and use Bypassing controls, misuse of reputation systems Social-engineering threats Threats related to error handling and failure recovery Threats to business continuity Denial-of-service attacks, crisis management issues, business risks Public safety threats Critical infrastructure, vehicles, food safety Threats against brands and reputation Political threats: Nation-state actors, terrorism, authoritarian governments, dependence on hostile powers 15

Threat trees Lecturer s opinion: Threat threes are pretty useless as an analysis tool, but can be ok as a way to present the results of systematic analysis by experts [source: Microsoft] 16

STRIDE STRIDE model used at Microsoft: Spoofing vs. authentication Tampering vs. integrity Repudiation vs. non-repudiation Information disclosure vs. confidentiality Denial of service vs. availability Elevation of privilege vs. authorization Note: STRIDE is intended for analyzing vulnerabilities in PC or server software, with access to the code. When applying it to distributed computing, humans or cyber-physical systems, you need to think creatively Idea: divide the system into components and analyze each component for these threats Note: security of components is necessary but not sufficient for the security of the system 17

STRIDE Model the software system as a data flow diagram (DFD) Data flows: network connections, RPC Data stores: files, databases Processes: programs, services Interactors: users, clients, services etc. connected to the system Also mark the trust boundaries in the DFD Consider the following threats: Spoofing Tampering Repudiation Information disclosure Denial of service Data flow x x x Data store x x x Elevation of privilege Process x x x x x x Interactor x x 18

19

Risk assessment Risk assessment is very subjective, many definitions: Risk = probability of attack damage in euros 0 < Risk < 1 Risk { low, medium, high } Numerical risk values tend to be meaningless: What does risk level 0.4 mean in practice? Usually difficult to assess absolute risk but easier to prioritize threats Risk assessment models, e.g. DREAD Damage: how much does the attack cost to defender? Reproducibility: how reliable is the attack Exploitability: how much work to implement the attack? Affected users: how many people impacted? Discoverability: how likely are attackers to discover the vulnerability? 20

Pitfalls in risk assessment The systematic threat analysis methods help but there is no guarantee of finding all or even the most important threats You need to understand the system: technology, architecture, stakeholders and business model Attackers are clever and invent new threats while threat analysis often enumerates old ones Always start by considering assets and attackers, not technology or security mechanisms 21

Security pixie dust Security mechanism are often applied without particular reason Cryptography, especially encryption does not in itself make your system secure If there is no explanation why some security mechanism is used, ask questions: What threats does it protect against? What if we just remove it? Is there something simpler or more suitable? Must understand threats before applying security mechanisms 22

[Internet, original source unknown] 23

SUMMARY 24

List of key concepts Security, threat, attack, vulnerability, exploit, risk, countermeasure Confidentiality, integrity, availability Asset, attacker, insider Threat trees, STRIDE, DREAD 25

After threat analysis After identifying threats, we must assess risks, prioritize the threats and decide countermeasures Threat analysis is an iterative process: the analysis must be repeated after designing the system with countermeasures and over time More detailed threat models can be done for each system component Threat analysis should be done during system design but can also be applied to existing systems 26

Reading material Dieter Gollmann: Computer Security, 2nd ed., chapter 1.4.3; 3rd ed., chapter 2 Ross Anderson: Security Engineering, 2nd ed., chapter 25 Swiderski and Snyder, Threat modeling, 2004 Stallings, Brown: Computer Security: Principles and Practice, 3rd ed., chapter 1 Online resources: OWASP, Threat Risk Modeling, https://www.owasp.org/index.php/threat_risk_modeling MSDN, Uncover Security Design Flaws Using The STRIDE Approach, MSDN Magazine 2016/11 (search for copies) MSDN, Improving Web Application Security: Threats and Countermeasures, Chapter 3 http://msdn.microsoft.com/en-us/library/ff648644.aspx 27

Exercises Analyze the threats in the following systems: Oodi student register My Courses Remote read electric meter University card keys Contactless smartcard bus tickets Traffic light priority control for public transportation What are the assets and potential attackers? Apply the STRIDE model or threat trees; this will require you to model the system first 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback