Risk Assessment What is RISK? requires vulnerability likelihood of successful attack amount of...
sadie-longstreet -
Risk Assessment
What is RISK?
requires vulnerability likelihood of successful attack
amount of potential damage
Two approaches: threat modeling
OCTAVE
Threat Modeling (part of Microsoft’s Trustworthy Computing)
______ potential for harmful event/attack
can be realized by an…
that occurs due to a…
______
that should be mitigated by a…
__________
____________
Threat Modeling (part of Microsoft’s Trustworthy Computing)
Why?
create a list of vulnerabilities
bridge gap between design & deployment
help cross team communication
raise awareness of security
identify areas of security requiring more research
The Players
Customers
Business Analysts
Software architects
Developers
Testers
Threat Modeling Steps
Step 1: Identify Security Objectives
What can we prevent?
What do we care about most?
What is the worst thing that can happen?
What laws and regulations apply?
Identify the system assets.
Focus on confidentiality, integrity, availability.
Step 2: Describe System Architecture
Ways to depict software architecture:
__________ Diagram
_____ Diagram
Class Diagrams
A picture depicting classes and interconnections.
[Figure panels: Basic Notation; Simple Example]
Data Flow Diagrams
A picture depicting how data flows within a software system.
[Figure panels: Basic Notation; Simple Example]
Data Flow Example 2: Email System
Step 3: Decompose app
Drill down to details of software architecture:
Data Flow Diagram
processes expanded into other processes and flows
Class Diagram
include methods, packages, inner classes
include files, external calls & parameter lists
_____________
Example 2: Edit zoom
Step 4: Identify Threats
This requires a systematic approach:
1) look at detailed design for…
trust boundaries
entry points
exit points
2) use a classification framework like STRIDE
_________ (authenticity)
_________ (integrity)
_________
_________ disclosure (confidentiality)
_____ of service (availability)
________ of privilege (authorization)
http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
Attack Trees
Attack trees (also called threat trees) describe the nature of an attack.
Drawing attack trees helps with understanding, discovering, and mitigating threats.
Notation
A tree root is the goal for the attack
children (of a node) define methods to achieve parent
children may be ORed or ANDed
http://www.schneier.com/paper-attacktrees-ddj-ft.html
Example
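The AND/OR notation above can be evaluated mechanically. The following is an added example, not part of the original slides: the tree, its node names and the attacker-effort numbers are constructed for illustration, and the cost rule used (minimum over OR children, sum over AND children) is an assumption of this sketch. It shows how a defender can test which single mitigation actually raises the cost of reaching the root.

```python
from dataclasses import dataclass, field

INF = float("inf")

@dataclass
class Node:
    name: str
    gate: str = "LEAF"   # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0    # constructed attacker-effort estimate; used on leaves only
    children: list = field(default_factory=list)

def cheapest(node, mitigated=frozenset()):
    """Lowest attacker cost to reach `node`; INF when mitigations block every path."""
    if node.gate == "LEAF":
        return INF if node.name in mitigated else node.cost
    costs = [cheapest(c, mitigated) for c in node.children]
    return min(costs) if node.gate == "OR" else sum(costs)

def leaves(node):
    """All leaf names under `node`, in tree order."""
    if node.gate == "LEAF":
        return [node.name]
    return [name for c in node.children for name in leaves(c)]

def mitigation_value(root):
    """For each leaf: the root's cheapest cost if only that leaf is mitigated."""
    return {leaf: cheapest(root, frozenset({leaf})) for leaf in leaves(root)}

# Constructed tree for an email system; names and costs are illustrative only.
TREE = Node("read another user's mail", "OR", children=[
    Node("log in as the user", "AND", children=[
        Node("obtain password", cost=30),
        Node("pass second factor", cost=60),
    ]),
    Node("read mail in transit", cost=50),
    Node("read mail store", "AND", children=[
        Node("reach storage host", cost=40),
        Node("read unencrypted spool", cost=5),
    ]),
])

if __name__ == "__main__":
    print("baseline cheapest path:", cheapest(TREE))
    for leaf, cost in mitigation_value(TREE).items():
        print(f"mitigate {leaf!r}: cheapest path now costs {cost}")
```

Mitigating a leaf under an AND node removes that whole branch, while mitigating one child of an OR node only helps if it sat on the cheapest path.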
Step 5: Rate Threats
Develop a systematic approach:
start with an accepted approach
adjust weighting with experience
Two possible approaches
Risk = Threat X Asset
DREAD
Risk = Threat X Asset
The basic formula:
Risk = Threat probability * Damage potential
Threat probability accounts for exploitability & mitigations.
Damage potential is basically the cost or impact.
Ranges?
numbers might be difficult to use
categories (3 to 5) is usually sufficient
A Graph of Threats
[Figure: threats plotted on two axes, Probability of Occurrence and Potential Damage, each on a Low / Modest / Medium / High scale]
DREAD (Microsoft’s first model)
Damage potential: How much damage will the exploit produce?
Reproducibility: How likely is it for the attack to recur?
Exploitability: How easy is it to carry out the attack?
Affected users: What fraction of users will be affected?
Discoverability: What are the odds an attacker can find the vulnerability?
Risk = min(D, (D+R+E+A+D)/5)
Problems with DREAD
It’s not simple.
Frequent disagreement over risk numbers
customers don’t agree with developers
people with the same roles don’t agree
This led to a simpler severity rating system...
Originally, each vulnerability (DREAD) was graded from 0 (no threat) to 10 (high).
It’s subjective.
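The DREAD formula and the disagreement problem can be seen together in a short calculation. This is an added example, not part of the original slides: the threats, raters and grades are constructed, the function names and the `max_spread` threshold are assumptions, and the first D in the formula is read as Damage potential and the last as Discoverability.

```python
from statistics import mean

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

def dread(grades):
    """Slide formula: Risk = min(D, (D+R+E+A+D)/5), each factor graded 0 to 10."""
    for f in FACTORS:
        if not 0 <= grades[f] <= 10:
            raise ValueError(f"{f} must be in 0..10, got {grades[f]}")
    return min(grades["damage"], sum(grades[f] for f in FACTORS) / 5)

def summarize(ratings, max_spread=2.0):
    """ratings: {threat: {rater: grades}} -> rows sorted by mean risk, highest first.

    A threat is 'disputed' when raters' scores differ by more than max_spread
    (threshold is an assumption of this example).
    """
    rows = []
    for threat, by_rater in ratings.items():
        scores = [dread(g) for g in by_rater.values()]
        spread = max(scores) - min(scores)
        rows.append({"threat": threat, "mean": mean(scores),
                     "spread": spread, "disputed": spread > max_spread})
    return sorted(rows, key=lambda r: r["mean"], reverse=True)

def rate(*values):
    """Build a grades dict from five values in FACTORS order."""
    return dict(zip(FACTORS, values))

# Constructed ratings: two raters grade the same two threats differently.
SAMPLE = {
    "session token in URL": {"developer": rate(6, 8, 7, 5, 4),
                             "customer": rate(9, 8, 7, 9, 7)},
    "verbose error pages": {"developer": rate(2, 9, 9, 5, 10),
                            "customer": rate(6, 9, 9, 6, 10)},
}

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Because the result is capped by the Damage grade, a disagreement about damage alone can move a threat's score by several points even when every other factor matches.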