Threat Modeling / iPad
![Page 1: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/1.jpg)
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | [email protected] | www.maret-consulting.ch
Technology consulting
Sylvain Maret / Security Architect / 2012-05-24
@smaret
iPad net-Banking Project
Technical Risk Assessment
![Page 2: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/2.jpg)
Agenda
Context
Technical Risk Assessment approach
A six step process
Threat Model – DFD
STRIDE Model
Open discussion
![Page 3: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/3.jpg)
Context
![Page 4: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/4.jpg)
Context
Business case: enable customer access to portfolio performance reports from mobile devices (iPad) located outside the controlled network.
![Page 5: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/5.jpg)
Actors
ACME Bank
Web Agency
Security Product
![Page 6: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/6.jpg)
The TRA relies on a series of six activities:
#1 System characterization
#2 Threat identification
#3 Vulnerabilities identification
#4 Impacts analysis
#5 Risk characterization
#6 Risk treatment and mitigation
![Page 7: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/7.jpg)
Step #1
System characterization
![Page 8: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/8.jpg)
#1 - Appropriate safeguards
The selected solution shall implement the appropriate safeguards to maintain the overall security at its expected level.
(Chart: required level for Confidentiality, Integrity and Availability)
![Page 9: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/9.jpg)
#1
Ensure service integrity:
Uncontrolled client systems mean unpredictable request behavior
Prevent access from:
Offensive / hostile / corrupt requests
![Page 10: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/10.jpg)
#1
Ensure information confidentiality:
While data travels across uncontrolled networks
While the client application is “offline” (turned-off)
While the client application is “online” (running)
Prevent access from:
Network capture:
Sniffers, gateways, cache proxies, MitM, etc.
Local capture:
Unsecure backups, memory-card access
Data interception by locally installed malware
![Page 11: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/11.jpg)
#1
Consider project specific risks:
Outsourced vs. in-house development
where will security assurance come from?
Multi-disciplinary project involving three major actors:
The Bank (Acme - IT projects)
The portfolio performance reporting application (Web Agency)
The sandboxing application (Sysmosoft)
Who will be responsible for key security aspects?
![Page 12: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/12.jpg)
Step #2
Threat identification
![Page 13: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/13.jpg)
#2
Building a threat model
Decompose the Application
Diagramming - Data Flow Diagram - DFD
Determine and Rank Threats
STRIDE model
![Page 14: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/14.jpg)
#2 - Data Flow Diagram (DFD)
DFD element symbols:
External entity
Process
Multiple process
Data store
Data flow
Trust boundary
![Page 15: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/15.jpg)
#2 - DFD - iPad net-Banking
![Page 16: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/16.jpg)
#2 – STRIDE Model
Threat Categories
![Page 17: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/17.jpg)
#2 - Threat Agents
![Page 18: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/18.jpg)
#2 - Threats - iPad net-Banking - Example
![Page 19: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/19.jpg)
#2 - Different threats affect each type of element
| DFD ID | Threat ID | Comment | S | T | R | I | D | E |
|---|---|---|---|---|---|---|---|---|
| 2 (iPad) | T1 | Unsecure backups; memory-card access; data interception by locally installed malware | | | | | | |
| 3 (Transport-Internet) | T2 | Sniffers, gateways, cache proxies, MitM, etc. | | | | | | |
| 7 (Banking-App) | T3 | Offensive / hostile / corrupt requests | | | | | | |
![Page 20: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/20.jpg)
Step #3
Vulnerabilities identification
![Page 21: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/21.jpg)
#3 - Security controls - Example
| Threat ID | Family | Controls |
|---|---|---|
| T1 | Feature: local mobile application sandboxing | Secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware |
| T2 | Feature: data transport security | Confidential transport |
| T3 | Feature: secure architecture | Defense in depth; privilege separation; trusted links & endpoint |
| T3 | Process: secure software development | Presence of software security assurance controls in each development lifecycle: outsourced dev, Acme Bank |
![Page 22: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/22.jpg)
#3 - Vulnerabilities identification
| Threat ID | Controls | V-ID | Vulnerabilities |
|---|---|---|---|
| T1 | Secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware | V100 | ?? |
| T2 | Confidential transport | V200 | No Application Level Data Security |
| T3 | Defense in depth; privilege separation; trusted links & endpoint | V300 | No Hardening Strategy at Service Layer |
| T3 | Presence of software security assurance controls in each development lifecycle: outsourced dev, Acme Bank | V400 | Poor SDLC activities |
![Page 23: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/23.jpg)
#3 - V100 - unknown
Device jailbreaking?
Data sharing between apps?
Malicious but legitimately installed app?
![Page 24: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/24.jpg)
#3 - V200 - No Application Level Data Security
Banking App
![Page 25: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/25.jpg)
#3 - V300 - No Hardening Strategy at Service Layer
No XML firewall
No mutual-trust SSL at WS transport level
No hardening at OS & service level
![Page 26: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/26.jpg)
#3 - V400 - Poor SDLC activities
Microsoft SDL
![Page 27: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/27.jpg)
#3 - Security Assurance during development
| Project phase | Security activities |
|---|---|
| Analysis | Security requirements; compliance requirements, policy |
| Design | Secure design / design security review; threat model; security testing plan |
| Implementation | Safe APIs; secure coding / defensive programming; automated source code analysis |
| Verification | Security testing; penetration testing |
| Delivery | Secure default configuration; hardening / secure deployment guides; configuration validation |
| Operations | Incident response process; threat / vulnerability management |

Assurance level: ?
![Page 28: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/28.jpg)
#3 – Web Agency: software development security assurance
Project phases: Analysis, Design, Implementation, Verification, Delivery, Operations
Security activities:
- involvement of a security architect during the design process
- use of automated code quality analysis tools
- experience with customers conducting regular security evaluations
![Page 29: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/29.jpg)
#3 - Acme Bank: software development security assurance
Project phases: Analysis, Design, Implementation, Verification, Delivery, Operations
Assurance level: ?
Security activities: ?
![Page 30: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/30.jpg)
#3 - Software development security assurance: Summary
| Actor | Assurance level | Conclusions |
|---|---|---|
| Outsourced Dev | Low | Assurance level is low. Acme Bank shall agree with the vendor on minimum security assurance requirements along the project, or establish a clear statement of responsibilities (SLA). |
| Acme Bank | Low | Assurance level is low. Acme Bank shall define minimum security assurance requirements with project management. |
![Page 31: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/31.jpg)
Step #4
Impact analysis
![Page 32: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/32.jpg)
#4 – Impact analysis – Example
| V-ID | Description | Severity | Exposure |
|---|---|---|---|
| V-100 | Information disclosure on iPad | HIGH | Additional controls needed |
| V-200 | Information disclosure on data transport | MEDIUM | Additional controls needed |
| V-300 | Intrusion on Banking Application | HIGH | Additional controls needed |
| V-400 | Intrusion on Banking Application | HIGH | Additional controls needed |
![Page 33: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/33.jpg)
Step #5
Risk estimation
![Page 34: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/34.jpg)
#5 – Risk estimation - Example
| R-ID | V-ID | Tech. impact | Business impact | Description | Likelihood | Severity |
|---|---|---|---|---|---|---|
| R-1 | V-200 | Confidentiality | Compliance, reputation | Theft of credentials or personal data during transport | MEDIUM | HIGH |
| R-2 | V-300, V-400 | Integrity | Compliance, reputation, operations | User input tampering attempts resulting in system compromise | LOW | HIGH |
| R-3 | -- | -- | -- | -- | -- | -- |
| R-4 | -- | -- | -- | -- | -- | -- |
| R-5 | | | | | | |
| R-6 | | | | | | |
![Page 35: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/35.jpg)
Step #6
Risk treatment and mitigation
![Page 36: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/36.jpg)
#6 – Security controls - Example
| ID | Risk | Description | Reco. MC Decision |
|---|---|---|---|
| SC.1 | R-1 | Perform a pentest on the iPad application | Mitigate |
| SC.2 | R-1 | Implement data encryption for transport | Mitigate |
| SC.3 | R-2 | Deploy an XML firewall in front of the Web Service | Mitigate |
| SC.4 | R-2 | Perform code review; perform pentest | Mitigate |
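As an added illustration of steps #2 to #5, not code from the deck: a small Python register that encodes the threats (slide 19), vulnerabilities and severities (slides 22 and 32) and risks (slide 34) above, applies the Microsoft SDL STRIDE-per-element chart to the DFD element each threat was raised against, traces a risk back to the element it rests on, and lists vulnerabilities that never reached the risk table. The element types (process, data flow) are assumed from the element names.

```python
# Added example, not code from the deck: a minimal register for the iPad
# net-Banking threat model built from the ids on slides 19, 22, 32 and 34.
# Element types are assumed from the element names; the STRIDE-per-element
# chart is the one shipped with the Microsoft SDL threat modeling tool.

# STRIDE categories that can apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external entity": set("SR"),
    "process": set("STRIDE"),
    "data flow": set("TID"),
    "data store": set("TRID"),
}

# DFD id -> (name, element type); types are an assumption.
ELEMENTS = {
    2: ("iPad", "process"),
    3: ("Transport-Internet", "data flow"),
    7: ("Banking-App", "process"),
}
# Threat id -> DFD id it was raised against (slide 19).
THREATS = {"T1": 2, "T2": 3, "T3": 7}
# Vulnerability id -> (threat id, severity) (slides 22 and 32).
VULNS = {
    "V100": ("T1", "HIGH"),
    "V200": ("T2", "MEDIUM"),
    "V300": ("T3", "HIGH"),
    "V400": ("T3", "HIGH"),
}
# Risk id -> vulnerability ids it aggregates (slide 34).
RISKS = {"R-1": ["V200"], "R-2": ["V300", "V400"]}


def applicable_stride(threat_id):
    """STRIDE categories that can apply to the element a threat sits on."""
    _, kind = ELEMENTS[THREATS[threat_id]]
    return STRIDE_PER_ELEMENT[kind]


def trace_risk(risk_id):
    """Follow risk -> vulnerabilities -> threats -> DFD element names."""
    names = set()
    for vuln in RISKS[risk_id]:
        threat, _ = VULNS[vuln]
        names.add(ELEMENTS[THREATS[threat]][0])
    return sorted(names)


def unassessed_vulnerabilities():
    """Vulnerabilities that never reached the risk table, HIGH severity
    first: the gaps to raise before step #6 (risk treatment)."""
    covered = {v for vulns in RISKS.values() for v in vulns}
    gaps = [v for v in VULNS if v not in covered]
    return sorted(gaps, key=lambda v: (VULNS[v][1] != "HIGH", v))
```

On the deck's own data the gap check returns V100: rated HIGH on slide 32 but absent from every risk on slide 34, so no security control on slide 36 traces back to it.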
![Page 37: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/37.jpg)
Conclusion
Security in mind during the project
Iterative process
Risk Assessment during the project
Risk Assessment after deployment
Threat Modeling
A new approach
A guideline for all projects
![Page 38: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/38.jpg)
Questions?
![Page 39: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/39.jpg)
Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
![Page 40: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/40.jpg)
References
https://www.owasp.org/index.php/Application_Threat_Modeling
http://msdn.microsoft.com/en-us/library/ff648644.aspx
http://en.wikipedia.org/wiki/Threat_model
http://www.microsoft.com/security/sdl/default.aspx
http://www.appsec-forum.ch/
![Page 41: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/41.jpg)
"Advice and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
![Page 42: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/42.jpg)
Backup Slides
![Page 43: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/43.jpg)
#2 - Understanding the threats
| Threat | Property | Definition | Example |
|---|---|---|---|
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of billg, xbox.com or a system update |
| Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action | "I didn't cheat!" |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app |
| Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP |

Source: Microsoft SDL Threat Modeling
![Page 44: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/44.jpg)
#3 - V400 - Poor SDLC activities
Software assurance maturity models: SAMM (OWASP)
![Page 45: Threat Modeling / iPad](https://reader033.fdocuments.in/reader033/viewer/2022050921/5535434f550346330f8b46e3/html5/thumbnails/45.jpg)
#2 – Data Flow Diagram
External entity
• People
• Other systems
• Microsoft.com
• etc.
Process
• DLLs
• EXEs
• Components
• Services
• Web Services
• Assemblies
• etc.
Data flow
• Function call
• Network traffic
• etc.
Data store
• Database
• File
• Registry
• Shared memory
• Queue/Stack
• etc.
Trust boundary
• Process boundary
• File system