Threat modelling: A short introduction and stories from end user involvement. SRM Seminar...

Post on 19-Dec-2015


Slide 1

Threat modelling: A short introduction and stories from end user involvement

SRM Seminar Luxembourg 22.06.2010

Per Håkon Meland - SINTEF ICT, Trondheim, Norway, http://www.sintef.com/

Slide 2

Motivation and background

Slide 3

Hospital systems (2005)
- Integration and access control of EPRs (electronic patient records)
- Models used to communicate processes and threats

Slide 5

SHIELDS: developers, security experts and the wider community

[Architecture diagram: SHIELDS SVRS (Security Vulnerability Repository Service) and community site. The community site has a web interface; the SVRS has a web interface and a machine interface, with user credentials and repository storage behind them. Users reach the SVRS from a web browser and from development and modelling tools.]

- EU project 2008-2010, 8 partners
- Sharing of security knowledge: models, methods, tools and tool input
- End user evaluations: several iterations, real end-users, case studies and commercial products

Slide 7

Threat modelling

Slide 9

Threat modelling
- Misuse cases and attack trees
- Understand potential security threats and vulnerabilities
- Understand attackers
- Find security design issues before code
- Determine countermeasures
- Guide the code review/testing/configuration/deployment
- Highly reusable
- Easy to grasp

Slide 10

Example: Media player

Slide 11

Xine media player

Slide 12

Let’s create a model from scratch…

Slide 13

Main functionality:
- Download data (application, codecs, skins, ...)
- Play local media file
- Play media stream

Actors:
- Software developer
- User

Slides 14-16

How about reusing one?

Slide 17

Search for existing misuse case diagrams: “Media”, “player”, “Movie”

Slide 18

Slide 19

Attack trees

Slide 20

- Hide the details
- Link to attack patterns
- Used to identify mitigations

Slide 21

Finally…

Slide 22

Create textual description to accompany the diagram

A document elaborating the diagram

Threat descriptions can be fetched from the SHIELDS SVRS

Gives an understanding of the possible attacker motivation

There can be several different mitigations

Input to risk analysis and security activity planning
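How an attack tree is read off and used to pick mitigations, as an added example that is not part of the SHIELDS slides or tools. It builds a small tree for the Xine media player case from the earlier slides (download data, play local file, play stream), enumerates the minimal attack paths (cut sets) through the AND/OR gates, checks which paths a chosen set of countermeasures still leaves open, picks a covering set of mitigations greedily, and emits the textual description that accompanies the diagram. The goal, the attack steps, the attack-pattern identifiers (AP-...) and the mitigation names are all constructed for illustration, not taken from the SVRS.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Node:
    """One node of an attack tree. Leaves are concrete attack steps; inner
    nodes combine their children with an AND or OR gate."""
    name: str
    gate: str = "LEAF"                          # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    pattern: Optional[str] = None               # link to an attack pattern (hypothetical ids)
    mitigations: FrozenSet[str] = frozenset()   # countermeasures that neutralise this leaf


def minimise(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any cut set that is a strict superset of another one."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal combinations of leaf attacks that achieve the node's goal:
    OR = union of the children's cut sets, AND = every cross-combination."""
    if node.gate == "LEAF":
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":
        combined = set().union(*child_sets)
    elif node.gate == "AND":
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate {node.gate!r} on {node.name!r}")
    return minimise(combined)


def leaves(node: Node) -> Dict[str, Node]:
    if node.gate == "LEAF":
        return {node.name: node}
    out: Dict[str, Node] = {}
    for c in node.children:
        out.update(leaves(c))
    return out


def open_paths(root: Node, applied: Set[str]) -> Set[FrozenSet[str]]:
    """Attack paths that survive the applied mitigations. A path is blocked as
    soon as one of its steps is neutralised by an applied mitigation."""
    lf = leaves(root)
    return {cs for cs in cut_sets(root)
            if not any(lf[step].mitigations & applied for step in cs)}


def choose_mitigations(root: Node) -> List[str]:
    """Greedy set cover: repeatedly take the mitigation that blocks the most
    still-open paths (ties broken alphabetically) until none remain."""
    chosen: List[str] = []
    lf = leaves(root)
    candidates = sorted({m for n in lf.values() for m in n.mitigations})
    while True:
        remaining = open_paths(root, set(chosen))
        if not remaining:
            return chosen

        def blocked(m: str) -> int:
            return sum(1 for cs in remaining if any(m in lf[s].mitigations for s in cs))

        best = max(candidates, key=blocked)
        if blocked(best) == 0:
            return chosen   # some path has no known mitigation; caller checks open_paths()
        chosen.append(best)


def describe(node: Node, depth: int = 0) -> List[str]:
    """Textual description of the tree, the document that accompanies the diagram."""
    line = "  " * depth + node.name + ("" if node.gate == "LEAF" else f" [{node.gate}]")
    if node.pattern:
        line += f" (pattern: {node.pattern})"
    if node.mitigations:
        line += " -- mitigated by: " + ", ".join(sorted(node.mitigations))
    lines = [line]
    for c in node.children:
        lines.extend(describe(c, depth + 1))
    return lines


def media_player_tree() -> Node:
    """Hypothetical attack tree for the media player example (constructed; not a
    real Xine finding). Pattern ids and mitigation names are placeholders."""
    def leaf(name: str, pattern: str, *mit: str) -> Node:
        return Node(name, pattern=pattern, mitigations=frozenset(mit))
    return Node("Run attacker-controlled code on the user's machine", "OR", [
        Node("Via downloaded codec or skin", "AND", [
            leaf("Trick user into installing untrusted plugin", "AP-social-eng", "user-warning", "signed-plugins"),
            leaf("Downloaded code is not signature-checked", "AP-unverified-download", "signed-plugins"),
        ]),
        Node("Via crafted local media file", "OR", [
            leaf("Buffer overflow in demuxer", "AP-overflow", "bounds-checking", "fuzz-testing"),
            leaf("Integer overflow in header parsing", "AP-int-overflow", "bounds-checking"),
        ]),
        Node("Via malicious stream", "AND", [
            leaf("Lure user to hostile stream URL", "AP-social-eng", "user-warning"),
            leaf("Overflow in stream parser", "AP-overflow", "bounds-checking", "fuzz-testing"),
        ]),
    ])


if __name__ == "__main__":
    tree = media_player_tree()
    print("\n".join(describe(tree)))
    print("attack paths:", [sorted(cs) for cs in cut_sets(tree)])
    print("still open with bounds-checking only:", open_paths(tree, {"bounds-checking"}))
    print("chosen mitigations:", choose_mitigations(tree))
```

The cut-set listing is what feeds risk analysis: each set is one attack scenario to rate, and a mitigation earns its place by the number of scenarios it removes. Because AND gates multiply the combinations, keep trees small (as the lessons-learned slide also says) or the listing explodes.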

Slide 26

Case study: eTourism

Slide 27

Approach

1. Application description
2. Threat model created by experts
3. Threat model created by developers
4. Model consolidated by experts
5. Threat model updated by developers
6. Threat model endorsed by experts

Phase 1: Tutorial. Phase 2: Parallel modelling (steps 2 and 3, experts and developers model independently). Phase 3: Serial modelling (steps 4 to 6).

Slide 28

Pre-visit, plan: hotels, route, experiences, virtually explore

Post-visit, share: pictures/videos, route, recommendations, blog

Bad stuff?

Slide 29

Case study: WaLDo

Slide 30

Warehouse information system: dock loading, RFID tracking, picking lists, advanced shipping notifications

Bad stuff?

Slides 31-32

Case study: eNewsPaper

Slide 33

Electronic newspaper aimed at the Paris metro: shared from distribution points, relayed between users

Bad stuff?

[Diagram: Distribution point -> User system -> User system (content relayed from user to user)]

Slide 34

Slide 35

Feedback and lessons learned

New threats and mitigations were identified in all case studies

Misuse cases and attack trees: Easy to learn, easy to use

Important with diversity while doing threat modelling

Keep the size of the models down

Need more models from other application areas

Slide 36

Share models through the SVRS!

Now contains >200 free security models, including 18 misuse case models and 29 attack trees

Use the free tools, or integrate your own

Add your own, get feedback (and possibly revenue)

http://www.shields-project.eu