Post on 22-Feb-2018
Threat Modeling: Finding Security Threats Before They Happen (A Quick Summary)
Jeff Kalwerisky, CA(SA), CISA, HISPVP & Director, Cybersecurity & Technical Training
CPE Interactive, Inc.
The Dilemma for Audit & InfoSec
Major security and privacy disasters occur daily:
Major banks subject to DDoS attacks; offline for hours, days, weeks
Tens of millions of credit cards, customer records, personal information routinely compromised
Sensitive private information and IP stolen and published for the world to see
An entire company’s data wiped out - all servers and users’ workstations
Cybercrime is rampant
The Hall of Shame: Some Recent Hackees
Uncle Sam:
Dear Auditor: Spot the Error(s)
“There are basically 2 types of organizations. Those that have been hacked and those that don’t yet know they’ve been hacked.”
FBI director, James Comey, May 2014
On average, it takes companies three months to discover a breach and then more than four months to resolve it. In other words, cybercriminals are able to find a home and stay as unwelcome guests for well over 200 days on average.
Source: “The Post-Breach Boom”, Ponemon Institute report, 2015
“96% of UK companies have been hacked by cyber criminals with the aim to steal, change, or publish important data”
Computer Week survey, Global Chief Finance Officers and Finance Directors
In the USA, the number is “only” 80% of organizations
Why This Sorry State of Affairs?
Do you remember those happy days when information security meant ensuring:
Data centers were locked?
Magnetic ID badges to restrict access?
Firewall and AV patches were up to date?
Proper SoD between Ops and Dev?
Me neither!
So, Why Are We Using the Same Techniques As In Those Days?
Now That We’re Facing . . .
Web apps, accessible by anyone, from anywhere
BYOD, BYOA
Mission-critical data is “up in the Cloud”
Zero-day vulnerabilities
Ransomware and other fun stuff
Industrial espionage: mass data exfiltration
Spear phishing
APTs lurking inside
Relative Costs to Fix Flaws*
* IBM System Sciences Institute, Implementing Software Inspections
So, Why Don’t We Fix Those Flaws?
• Developers focus on making their systems work: debits = credits, 1 + 1 = 2
• Typically, they don’t have the skills to anticipate security flaws in their work
• So, which is easier to train:
– Developers about information security and controls, or
– Security / audit professionals to detect vulnerabilities early on and suggest appropriate mitigation strategies?
“To succeed in war, you must know your own strengths and weaknesses
and know your enemy’s strengths and weaknesses.
Lack of either might result in defeat.”
Gen. Sun Tzu: The Art of War, 500 BCE
You cannot know whether or not a system is secure until you understand its threats and its threat surface
Sun Tzu’s Principle In Modern Terms
A Practical Approach: Threat Modeling
A formal methodology to find potential security threats to a system, determine risks from those threats, rank the risks, and deploy appropriate mitigations, at any stage of the SDLC
A Threat Model Helps To …
1. Decompose the system, so we can understand it better: its scope, functions, controls, technologies, etc.
2. Using a logical top-down approach
3. Our goals are to:
• Understand the boundaries between trusted and untrusted components of the system
• Identify and document potential vulnerabilities (threats)
• Reduce the system’s attack surface
The Threat Modeling Process
Step 1: Model
Step 2: Enumerate Threats
Step 3: Rank Threats
Step 4: Mitigate
Step 5: Validate
Permanent Record
System Development / Deployment
Model the system by following the data, using Data Flow Diagrams (DFDs)
Building the Model
1. Identify all the entities
2. Identify the IT processes
3. Identify major transactions
4. Identify file stores, both permanent and temporary
5. Locate all the trust boundaries
It Starts on the Whiteboard
Where are the Trust Boundaries?
Data crossing a trust boundary
• Example of a High-Level DFD
• A Simplified Web Payroll Application
Level 0 (Context) DFD labels: Trust Boundary; Multiple IT Processes; External Entities; Transaction Flows; Transactions Crossing a Trust Boundary
Web Payroll: Level-1 DFD
Level-1 DFD labels: Data Storage (file or DBMS); Detailed IT Process; Trust Boundary
Finally, A Taxonomy of Security Threats:
“STRIDE”
Ranking the Threats, The Hardest Job of All
The Classic Risk “Heat Map”
Risks to be MONITORED: plan DETECTIVE action
Risks to be INVESTIGATED: plan PREVENTIVE action
Risks to be MITIGATED: plan CORRECTIVE action
Risk = Likelihood x Impact
(axes: Impact vs. Likelihood)
Let’s Think About the Good Ol’ Heat Map
Risk = Likelihood x Impact
• How well do we know Likelihood (probability) it will occur?
– Perhaps, based on statistics: how many fires have occurred in the past in our neighborhood?
– Perhaps, based on gut feel: We’re going to be hacked
– At best, it’s an educated guess!
• How well do we know Impact – business effect in ₤, €, ¥?
– We guess €100,000, ₤500,000, ¥10,000,000, . . .
• So, how accurate is Guess 1 x Guess 2? Nothing more than pure GIGO (garbage in, garbage out)!
Threat Modeling Methodology Has a Better Way!
A Better Method to Calculate Risk
• Still not an exact science, but based on less “fluffy” numbers
• Things on which most analysts will agree
• Called DREAD:
– Damage Potential: how much damage if the attack occurs and succeeds
– Reproducibility: ease of making the attack work
– Exploitability: amount of effort and expertise needed
– Affected Users: number of users likely to be affected
– Discoverability: likelihood that hackers will find the vulnerability
• Assess each of these on an agreed scale: 1-5 or 1-10
• Then take an average of the 5 DREAD scores
STRIDE and DREAD
STRIDE – type of threat
S – Spoofing
T – Tampering
R – Repudiation
I – Information Disclosure
D – Denial of Service
E – Elevation of Privilege
DREAD – threat impact
D – Damage Potential
R – Reproducibility
E – Exploitability
A – Affected Users
D – Discoverability
Ranked on a 1 – 10 scale
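Steps 2 and 3 of the process (enumerate STRIDE threats from the DFD, then rank them with DREAD) carried out in code for the web payroll example. This is an added illustration, not part of the deck; it assumes the common STRIDE-per-element mapping (which DFD element types attract which STRIDE categories), and the DFD elements and the DREAD ratings are constructed sample values.

```python
from statistics import mean

# Common STRIDE-per-element convention (an assumption, not given in the deck):
# which threat categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {"entity": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information Disclosure",
          "D": "Denial of Service", "E": "Elevation of Privilege"}

# Constructed Level-1 DFD of the web payroll app: (name, element type, crosses a trust boundary?)
PAYROLL_DFD = [
    ("Employee browser", "entity", True),
    ("Payroll web app", "process", False),
    ("Payroll DB", "store", False),
    ("Browser -> web app (pay slip request)", "flow", True),
]

# Constructed analyst ratings (D, R, E, A, Disc) on the deck's 1-10 scale.
RATINGS = {
    ("Payroll web app", "Elevation of Privilege"): (9, 6, 5, 10, 4),
    ("Browser -> web app (pay slip request)", "Information Disclosure"): (7, 8, 7, 10, 8),
    ("Employee browser", "Spoofing"): (6, 7, 6, 3, 7),
    ("Payroll DB", "Tampering"): (10, 3, 3, 10, 2),
}

def enumerate_threats(dfd):
    """Step 2: one candidate threat per (element, applicable STRIDE category),
    keeping the trust-boundary flag so boundary-crossing items stand out."""
    return [(name, STRIDE[c], crosses)
            for name, kind, crosses in dfd for c in STRIDE_PER_ELEMENT[kind]]

def dread_score(*ratings):
    """Step 3: average of the five DREAD ratings, each between 1 and 10."""
    if len(ratings) != 5 or not all(1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD needs five ratings, each between 1 and 10")
    return mean(ratings)

def rank_threats(dfd, ratings):
    """Enumerate, score every rated threat, and rank highest DREAD score first.
    Threats nobody has rated yet are returned separately, not silently dropped."""
    ranked, unrated = [], []
    for name, category, crosses in enumerate_threats(dfd):
        if (name, category) in ratings:
            ranked.append((dread_score(*ratings[(name, category)]), name, category, crosses))
        else:
            unrated.append((name, category))
    return sorted(ranked, reverse=True), unrated

if __name__ == "__main__":
    for score, name, category, crosses in rank_threats(PAYROLL_DFD, RATINGS)[0]:
        print(f"{score:4.1f}  {category:24} {name}{'  (crosses trust boundary)' if crosses else ''}")
```

The unrated list is the work still owed before Step 4: every enumerated threat needs a DREAD rating or an explicit decision to accept it.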
We CAN Achieve This!
Q & (Some) A
My Co-ordinates
Jeff Kalwerisky
CPE Interactive, Inc.
(Atlanta, Georgia, USA)
Jeff@CPEinteractive.com
+1 404-380-1064