Threat Modeling - ISACA Presentations/Jeff... · Threat Modeling: Finding Security ... Gen. Sun...
Threat Modeling: Finding Security Threats Before They Happen (A Quick Summary)
Jeff Kalwerisky, CA(SA), CISA, HISPVP & Director, Cybersecurity & Technical Training
CPE Interactive, Inc.
The Dilemma for Audit & InfoSec
• Major security and privacy disasters occur daily
• Major banks subject to DDoS attacks; offline for hours, days, weeks
• Tens of millions of credit cards, customer records, personal information routinely compromised
• Sensitive private information and IP stolen and published for the world to see
• An entire company’s data wiped out - all servers and users’ workstations
• Cybercrime is rampant
The Hall of Shame: Some Recent Hackees
Uncle Sam:
Dear Auditor: Spot the Error(s)
“There are basically 2 types of organizations. Those that have been hacked and those that don’t yet know they’ve been hacked.”
FBI director, James Comey, May 2014
On average, it takes companies three months to discover a breach and then more than four months to resolve it. In other words, cybercriminals are able to find a home and stay as unwelcome guests for well over 200 days on average.
Source: “The Post-Breach Boom”, Ponemon Institute report, 2015
“96% of UK companies have been hacked by cyber criminals with the aim to steal, change, or publish important data”
Computer Week survey, Global Chief Finance Officers and Finance Directors
In the USA, the number is “only” 80% of organizations
Why This Sorry State of Affairs?
Do you remember those happy days when information security meant ensuring:
• Data centers were locked?
• Magnetic ID badges to restrict access?
• Firewall and AV patches were up to date?
• Proper SoD between Ops and Dev?
Me neither!
So, Why Are We Using the Same Techniques As In Those Days?
Now That We’re Facing . . .
. . .
• Web apps, accessible by anyone, from anywhere
• BYOD, BYOA
• Mission-critical data is “up in the Cloud”
• Zero-day vulnerabilities
• Ransomware and other fun stuff
• Industrial espionage: mass data exfiltration
• Spear phishing
• APTs lurking inside
Relative Costs to Fix Flaws*
* IBM System Sciences Institute, Implementing Software Inspections
So, Why Don’t We Fix Those Flaws?
• Developers focus on making their systems work: debits = credits, 1 + 1 = 2
• Typically, they don’t have the skills to anticipate security flaws in their work
• So, which is easier to train:
– Developers about information security and controls, or
– Security / audit professionals to detect vulnerabilities early on and suggest appropriate mitigation strategies?
“To succeed in war, you must know your own strengths and weaknesses
and know your enemy’s strengths and weaknesses.
Lack of either might result in defeat.”
Gen. Sun Tzu: The Art of War, 500 BCE
Sun Tzu’s Principle In Modern Terms
You cannot know whether or not a system is secure until you understand its threats and its threat surface
A Practical Approach: Threat Modeling
A formal methodology to find potential security threats to a system, determine risks from those threats, rank the risks, and deploy appropriate mitigations, at any stage of the SDLC
A Threat Model Helps To …
1. Decompose the system, so we can understand it better
– Its scope, functions, controls, technologies, etc.
2. Using a logical top-down approach
3. Our goals are to:
– Understand the boundaries between trusted and untrusted components of the system
– Identify and document potential vulnerabilities (threats)
– Reduce the system’s attack surface
The Threat Modeling Process
Step 1: Model
Step 2: Enumerate Threats
Step 3: Rank Threats
Step 4: Mitigate
Step 5: Validate
(Diagram labels: Permanent Record; System Development/Deployment)
Model the system by following the data; the resulting diagrams are called Data Flow Diagrams (DFDs)
Building the Model
1. Identify all the entities
2. Identify the IT processes
3. Identify the major transactions
4. Identify the file stores, both permanent and temporary
5. Locate all the trust boundaries
It Starts on the Whiteboard
Where are the Trust Boundaries?
Data crossing a trust boundary
Example of a High-Level DFD: A Simplified Web Payroll Application
Level 0: Context DFD
(Diagram labels: Trust Boundary; Multiple IT Processes; External Entities; Transaction Flows; Transaction Crossing a Trust Boundary)
Web Payroll: Level-1 DFD
(Diagram labels: Data Storage (file or DBMS); Detailed IT Process; Trust Boundary)
Finally, A Taxonomy of Security Threats: “STRIDE”
Ranking the Threats: The Hardest Job of All
![Page 29: Threat Modeling - ISACA Presentations/Jeff... · Threat Modeling: Finding Security ... Gen. Sun Tzu: The Art of War, 500 BCE. You cannot know whether or not a system is ... Sun Tzu’s](https://reader033.fdocuments.us/reader033/viewer/2022051721/5a8ec07e7f8b9a78648d488f/html5/thumbnails/29.jpg)
The Classic Risk “Heat Map”
Risks to be MONITORED: plan DETECTIVE action
Risks to be INVESTIGATED: plan PREVENTIVE action
Risks to be MITIGATED: plan CORRECTIVE action
Risk = Likelihood x Impact
(Heat map axes: Impact vs. Likelihood)
Let’s Think About the Good Ol’ Heat Map
Risk = Likelihood x Impact
• How well do we know Likelihood (probability) it will occur?
– Perhaps, based on statistics: how many fires have occurred in the past in our neighborhood?
– Perhaps, based on gut feel: We’re going to be hacked
– At best, it’s an educated guess!
• How well do we know Impact – business effect in £, €, ¥?
– We guess €100,000, £500,000, ¥10,000,000, . . .
• So, how accurate is Guess 1 x Guess 2? Nothing more than pure GIGO!!
Threat Modeling Methodology Has a Better Way!
A Better Method to Calculate Risk
• Still not an exact science, but based on less “fluffy” numbers
• Things on which most analysts will agree
• Called DREAD:
– Damage Potential: if the attack occurs and succeeds
– Reproducibility: ease of making the attack work
– Exploitability: amount of effort, expertise needed
– Affected Users: number of users likely to be affected
– Discoverability: likelihood that hackers will find the vulnerability
• Assess each of these on an agreed scale: 1-5 or 1-10
• Then take an average of the 5 DREAD scores
STRIDE and DREAD
STRIDE – type of threat
• S – Spoofing
• T – Tampering
• R – Repudiation
• I – Information Disclosure
• D – Denial of Service
• E – Elevation of Privilege
DREAD – threat impact
• D – Damage Potential
• R – Reproducibility
• E – Exploitability
• A – Affected Users
• D – Discoverability
Ranked on a 1 – 10 scale
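As an added worked example (not from the slides), steps 2 and 3 of the process applied to the simplified Web Payroll DFD: candidate threats are enumerated per DFD element with STRIDE, each rated threat gets a DREAD score on the 1-10 scale, and the list is ranked for mitigation. The element names, the STRIDE-per-element mapping and the DREAD ratings are assumptions, not values from the deck.

```python
# Added example, not from the slides: STRIDE enumeration and DREAD ranking for
# a simplified Web Payroll DFD. Element names and ratings are constructed.
from dataclasses import dataclass
# STRIDE-per-element mapping (Microsoft SDL convention, assumed here):
# which threat categories apply to each kind of DFD element.
STRIDE_BY_KIND = {"external_entity": "SR", "process": "STRIDE",
                  "data_store": "TRID", "data_flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}
@dataclass
class Element:
    name: str
    kind: str                        # key into STRIDE_BY_KIND
    crosses_trust_boundary: bool = False

# Step 1 (model): the Level-1 Web Payroll DFD, reduced to four elements.
PAYROLL_DFD = [
    Element("Employee (browser)", "external_entity"),
    Element("Payroll web app", "process"),
    Element("Payroll DB", "data_store"),
    Element("Browser -> web app", "data_flow", crosses_trust_boundary=True),
]

# Constructed DREAD ratings (Damage, Reproducibility, Exploitability,
# Affected users, Discoverability), each on the agreed 1-10 scale.
SAMPLE_RATINGS = {
    ("Payroll DB", "Information Disclosure"): (9, 6, 5, 10, 7),
    ("Browser -> web app", "Tampering"): (7, 8, 6, 5, 8),
    ("Employee (browser)", "Repudiation"): (4, 5, 5, 2, 3),
}

def enumerate_threats(elements):
    """Step 2: one candidate threat per (element, applicable STRIDE category)."""
    return [(e.name, STRIDE_NAMES[c]) for e in elements
            for c in STRIDE_BY_KIND[e.kind]]

def boundary_crossing_threats(elements):
    """Threats on data that crosses a trust boundary: review these first."""
    return enumerate_threats([e for e in elements if e.crosses_trust_boundary])

def dread_score(damage, repro, exploit, affected, discover):
    """Step 3: the deck's DREAD rule, the plain average of the five ratings."""
    ratings = (damage, repro, exploit, affected, discover)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be on the 1-10 scale")
    return sum(ratings) / len(ratings)

def ranked_payroll_threats():
    """Score the rated threats and sort highest DREAD first for mitigation."""
    scored = [(t, dread_score(*SAMPLE_RATINGS[t]))
              for t in enumerate_threats(PAYROLL_DFD) if t in SAMPLE_RATINGS]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)
```

Unrated threats are still carried in the enumeration, so the rating table shows which of the fifteen candidates the team has actually assessed.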
We CAN Achieve This!
Q & (Some) A
My Co-ordinates
Jeff Kalwerisky
CPE Interactive, Inc.
(Atlanta, Georgia, USA)
[email protected]
+1 404-380-1064