threat modeling
play

Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) - PowerPoint PPT Presentation

Jan 09, 2023 •382 likes •784 views

Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE Secappdev 2007 1 UNIVERSITEIT LEUVEN Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsofts Threat

  1. Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE Secappdev 2007 1 UNIVERSITEIT LEUVEN

  2. Overview • Introduction • Key Concepts – Threats, Vulnerabilities, Countermeasures – Example • Microsoft’s Threat Modeling Process • Conclusion KATHOLIEKE Secappdev 2007 2 UNIVERSITEIT LEUVEN

  3. Threat modeling • Threat modeling is an activity early in the software development lifecycle – Primary goal: get a good view on possible threats to the system being developed • Threat modeling can be done on various levels of abstraction – System level • E.g. Threat modeling of the Internet e-mail system – Application or component level • E.g. Threat modeling of the e-mail client software KATHOLIEKE Secappdev 2007 3 UNIVERSITEIT LEUVEN

  4. Overview • Introduction • Key Concepts – Threats, Vulnerabilities, Countermeasures – Example • Microsoft’s Threat Modeling Process • Conclusion KATHOLIEKE Secappdev 2007 4 UNIVERSITEIT LEUVEN

  5. wi sh t o m axi m i ze avai l abi l i t y/ O wner s wi sh t o m i ni m i ze usef ul ness i m pose t o r educe t hat of count er - i ncr eases t hat m ay m easur es possess t hat m ay be r educed by vul ner abi l i t i es m ay be awar e of l eadi ng t o Thr eat - r i sk agent s t hat t hat expl oi t t o gi ve i ncr ease r i se t o t hr eat s t o asset s wi sh t o abuse and/ or m ay dam age KATHOLIEKE Secappdev 2007 5 UNIVERSITEIT LEUVEN

  6. Threats versus Security Goals • In a first approximation, threats and security goals are each others negation: – A security goal is a statement of intent to counter identified threats – A threat is the intention of a threat agent to break a security goal KATHOLIEKE Secappdev 2007 6 UNIVERSITEIT LEUVEN

  7. Typical Threats • Information disclosure – Threat: Information leaks to threat agents that should not be able to get access to that information – Corresponding Security Goals: • Data Confidentiality : protecting data against unauthorized reading • Access Control : preventing unauthorized access to software functions – Example: stealing of credit card numbers KATHOLIEKE Secappdev 2007 7 UNIVERSITEIT LEUVEN

  8. Typical Threats • Information tampering – Threat: threat agents tamper with data they should not be able to modify – Corresponding Security Goals: • Data Integrity : protecting data against unauthorized writing • Data Origin Authentication : verifying the claimed identity of the originator of a message • Access Control : preventing unauthorized access to software functions – Example: changing the price of purchased goods KATHOLIEKE Secappdev 2007 8 UNIVERSITEIT LEUVEN

  9. Typical Threats • Repudiation – Threat: threat agent denies involvement in an event – Corresponding Security Goals: • Non-repudiation : the provision of irrefutable evidence about what happened and who was involved • Audit : chronological record of system activities to enable the reconstruction of events – Example: denying placement of a stock order KATHOLIEKE Secappdev 2007 9 UNIVERSITEIT LEUVEN

  10. Typical Threats • Denial of Service – Threat: threat agent destroys the usefulness of the system for legitimate users – Corresponding Security Goals: • Availability: ensuring availability of the system to legitimate users – Example: Distributed Flood Attack KATHOLIEKE Secappdev 2007 10 UNIVERSITEIT LEUVEN

  11. Typical Threats • Elevation of privilege – Threat: threat agent gets more access to information/communication/processing resources than he is authorized for – Corresponding Security Goals: • Access Control : preventing unauthorized access to software functions • Entity Authentication : verifying the claimed identity of a party one is interacting with – Example: “getting root” KATHOLIEKE Secappdev 2007 11 UNIVERSITEIT LEUVEN

  12. Typical Threats • Spoofing – Threat: Threat agent pretends to be someone/something he is not – Corresponding Security Goals: • Entity Authentication : verifying the claimed identity of a party one is interacting with • Data Origin Authentication : verifying the originator of a message – Example: phishing KATHOLIEKE Secappdev 2007 12 UNIVERSITEIT LEUVEN

  13. Vulnerabilities • A vulnerability is an aspect of (a component of) the system that allows a threat agent to realize a threat (i.e. break a security goal) • Hence, vulnerabilities are relative to the capabilities of the threat agent – E.g. the system can be vulnerable to insiders but not to outsiders KATHOLIEKE Secappdev 2007 13 UNIVERSITEIT LEUVEN

  14. Vulnerabilities • Vulnerabilities arise through failures in: – Requirements, • Failure to identify all relevant assets, or specific threats • E.g. protecting against the threat of downloaded malicious code was not recognized as a requirement for OS security in the eighties – Construction, • Vulnerabilities in security components – E.g. a weak cryptographic algorithm • Vulnerabilities in application functionality – E.g. buffer overflows, SQL injection, … – Operation • E.g. Setting an incorrect policy KATHOLIEKE Secappdev 2007 14 UNIVERSITEIT LEUVEN

  15. Vulnerabilities • Vulnerabilities can exist in the different layers of a software system – Application, e.g. SQL injection – Programming language runtime, e.g. type confusion – Middleware, e.g. open management interface – Operating system, e.g. FAT32 file system – Hardware, e.g. side-channels KATHOLIEKE Secappdev 2007 15 UNIVERSITEIT LEUVEN

  16. Countermeasures • Countermeasures are the mechanisms used to: – Reduce vulnerabilities, and hence: • Realize security goals • Counter threats KATHOLIEKE Secappdev 2007 16 UNIVERSITEIT LEUVEN

  17. Countermeasures • Countermeasures can be: – Preventive: avoid vulnerability – Detective: detect vulnerability exploitation – Reactive: handle incidents • Countermeasures can be taken by: – Software engineers, programmers who develop software – Administrators, system managers who deploy software – … KATHOLIEKE Secappdev 2007 17 UNIVERSITEIT LEUVEN

  18. Software Engineer Countermeasures • For vulnerabilities introduced in the requirements phase: – Security reqs engineering, threat analysis and modeling • To address threats collected during requirements engineering – Security technologies • cryptography, access control mechanisms, authentication mechanisms, … • For vulnerabilities introduced during construction: – Secure programming, static analysis, safe languages,… • For vulnerabilities introduced during operation: – Documentation, operational procedures, secure defaults, … KATHOLIEKE Secappdev 2007 18 UNIVERSITEIT LEUVEN

  19. Administrator Countermeasures • Preventive countermeasures: – deployment of additional protection: Firewalls, VPN’s, … – patching weaknesses where possible: CERT advisories, Windows Update, … • Detective countermeasures: – Intrusion Detection software or Fraud Detection software – Virus scanning • Security solutions should be managed, supporting reactive countermeasures KATHOLIEKE Secappdev 2007 19 UNIVERSITEIT LEUVEN

  20. Overview • Introduction • Key Concepts – Threats, Vulnerabilities, Countermeasures – Example • Microsoft’s Threat Modeling Process • Conclusion KATHOLIEKE Secappdev 2007 20 UNIVERSITEIT LEUVEN

  21. Simplified e-mail system 3 mail mail 4 mail mail transfer storage storage transfer server server server server 6 7 2 User u2 8 User u1 mail mail 1 client client 5 domain2.com domain1.com KATHOLIEKE Secappdev 2007 21 UNIVERSITEIT LEUVEN

  22. Assets • E-mail messages – header – body • Address book / contact information • Client and Server machines – Storage space – Computational resources – Mail delivery service – Infrastructural software (OS,…) • Network infrastructure • … KATHOLIEKE Secappdev 2007 22 UNIVERSITEIT LEUVEN

  23. Threats • E-mail message – Unauthorized reading of message body • Define what is “authorized”! – Tampering with message • In transit • In storage – E-mail spoofing (tampering with the from: field) – Repudiation • Of sending • Of receipt – … KATHOLIEKE Secappdev 2007 23 UNIVERSITEIT LEUVEN

  24. Threats • Client and Server machines – Denial of service • E.g. Inbox storage space – Elevation of privilege • Server is a “trusted software layer”, making a limited functionality (sending/receiving mail) available to clients • If you can break the server out of this limited functionality (e.g. because of bugs), you can attack the server machine – E-mail viruses • E.g. through executable attachments – Unauthorized use of mail delivery service • E.g. Spam e-mail – … KATHOLIEKE Secappdev 2007 24 UNIVERSITEIT LEUVEN

  25. Threats • Not all “undesirable behavior” can easily be related to assets: – Detecting when somebody reads his mail • Asset = “privacy of the reader”? – … KATHOLIEKE Secappdev 2007 25 UNIVERSITEIT LEUVEN

Recommend

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling

Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling

Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling Development of Secure Software Systems Threat modeling: printer manager Day 7: More Threat Modeling Stephen McCamant Logistics update, incl.

564 views • 4 slides
AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS THREAT MODELING Introduction WHAT IS THREAT MODELING Structured Process Examination of a system for potential weaknesses

391 views • 28 slides
Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP

Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP

Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP Agenda What is Threat Modeling Existing Methodologies Problems in common solution Lightway Threat Modeling As a Code

659 views • 34 slides
Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A

Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A

Threat Modeling: Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A simple approach to threat modeling Top 10 lessons Learning more What is threat modeling? A SIMPLE APPROACH TO THREAT

606 views • 41 slides
CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling,

CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling,

CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling, Security Mindset Review the security mindset, and practice threat modeling on a few example websites. Also, review the various types of attacker models

401 views • 3 slides
CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020 Previous Class The CIA Triad as security objectives Threat: potential Attack: attempt Compromise: success Vulnerability: security

660 views • 29 slides
Threat Modeling against Payment systems Dr. Grigorios Fragkos H e a d o f O fg e n s i v e C y b

Threat Modeling against Payment systems Dr. Grigorios Fragkos H e a d o f O fg e n s i v e C y b

Threat Modeling against Payment systems Dr. Grigorios Fragkos H e a d o f O fg e n s i v e C y b e r S e c u r i t y a t i n v i n s e c (@invinsec) @drgfragkos Agenda T h r e a t M o d e l i n g H i g h l i g h t s Point of Sale (#POS)

680 views • 54 slides
Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling Phil Neray, VP of Industrial Cybersecurity Agenda NotPetya: How a Single Piece of Code Crashed the World (Wired) VPNFilter Update

610 views • 24 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Al Alliso son Bish

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Al Alliso son Bish

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Al Alliso son Bish shop 1, 1,2 , Justin Cappos 3 1 Columbia, 2 Proof Trading, 3 NYU CryBlock 2019, Paris, France Outline Background. Motivation. The ABC

472 views • 26 slides
Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 ,

ABC: A Cryptocurrency-Focused Threat Modeling Framework Ghada Almashaqbeh 1 , Allison Bishop 1,2 , Justin Cappos 3 1 Columbia, 2 Proof Trading, 3 NYU CryBlock 2019, Paris, France Outline Background. Motivation. The ABC framework.

1.25k views • 26 slides
Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric

Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric

CSE 484 / CSE M 584 Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric Zeng, he/him (ericzeng@cs.washington.edu) Office Hours TBD - stay tuned! Icebreaker In breakout rooms, share your answers to

689 views • 23 slides
Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19

Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19

Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19 th 2019 Based on joint work with Jens Behrmannn, Dan Boneh, Nicholas Carlini, Pascal Dupr, Jrn-Henrik Jacobsen, Nicolas Papernot, Giancarlo

498 views • 39 slides
Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure Software Systems Binary-level GDB commands and demo Day 5: Memory safety attacks In-person lab logistics reminders Stephen McCamant Project 1 bcimgview

1.17k views • 6 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

605 views • 6 slides
Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest Overview Threat Modeling - Common Web Vulnerabilities - Automated Tooling - Modern Attacks - whoami Threat Modeling Analyzing the security of an

558 views • 44 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS & Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Threat Modeling in Cyber-Physical Systems May 16, 2017 By Emeka Eyisi Ph.D. Mark Moulin Ph.D.

Threat Modeling in Cyber-Physical Systems May 16, 2017 By Emeka Eyisi Ph.D. Mark Moulin Ph.D.

Threat Modeling in Cyber-Physical Systems May 16, 2017 By Emeka Eyisi Ph.D. Mark Moulin Ph.D. Devu Manikantan Shila Ph.D. Cyber-Physical Systems (CPS) Physical CPS Control Computa<on Communica<on This page contains no technical

323 views • 14 slides
Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI) is a trademark of the U.S. Department of Homeland Security (DHS). The HSSEDI

149 views • 13 slides
Outline Integer overflow debrief CSci 4271W Development of Secure Software Systems Code

Outline Integer overflow debrief CSci 4271W Development of Secure Software Systems Code

Outline Integer overflow debrief CSci 4271W Development of Secure Software Systems Code auditing Day 4: Auditing and Threat Modeling 1 Stephen McCamant Threat modeling University of Minnesota, Computer Science & Engineering Integer

314 views • 4 slides

More recommend