Threats, Threat Modeling and Analysis

4,688 views
4,492 views

Published on

I'm Ian. I do that geek thing.

This is an introductory deck on why an SDL or quality/secure software program is a good idea.

I can be found here:
http://gorrie.org
@gorrie

Published in: Technology
1 Comment
2 Likes
Statistics
Notes
  • good presentation. Could you please share this at rakeshpratap@hotmail.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
4,688
On SlideShare
0
From Embeds
0
Number of Embeds
37
Actions
Shares
0
Downloads
0
Comments
1
Likes
2
Embeds 0
No embeds

No notes for slide

Threats, Threat Modeling and Analysis

  1. 1. Threats, Threat Modeling and Analysis 1 Super high level presentation of stuff everyone should already know who is developing applications, infrastructure, and operations! :D
  2. 2. Today’s Current Threats 2 Some mention of current threatspace and how to formulate a defense for your code and/or service.
  3. 3. The Hard Truth 2008: 285+ million records compromised 3 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf
  4. 4. The Hard Truth 91% of all compromised records were attributed to organized criminal groups 99.6% of records were compromised from servers and applications 74% resulted from external sources 4 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf
  5. 5. The Hard Truth 69% were discovered by a 3rd party 67% were aided by significant errors 32% implicated business partners 5 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf
  6. 6. The Hard Truth an average of $202 per compromised record 6 http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US %20Cost%20of%20Data%20Breach%20Report%20Final.pdf
  7. 7. Common Threats SANS Top Risks OWASP Top 10 for 2010 The OWASP Code Review Top 9 7 http://www.sans.org/top-cyber-security-risks/ http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
  8. 8. SANS Application vulnerabilities Webapp attacks Slow patching 0days Not having good configs 8 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  9. 9. SANS Mostly stuff anyone everyone here has heard about 9 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  10. 10. Typical Targeted Attack Malware placed somewhere 10 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  11. 11. Typical Targeted Attack Executed 11 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  12. 12. Typical Targeted Attack HTTPS or some other common tunnel back to control console 12 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  13. 13. Typical Targeted Attack Credential dump, keylogger, or sniffing for example 13 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  14. 14. Typical Targeted Attack Escalation and looting 14 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com
  15. 15. OWASP Top 10 Stands for Open Web Security Project Focused on Webapps 15 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ■ A1: Injection ■ A2: Cross-Site Scripting (XSS) ■ A3: Broken Authentication and Session Management ■ A4: Insecure Direct Object References ■ A5: Cross-Site Request Forgery (CSRF) ■ A6: Security Misconfiguration ■ A7: Insecure Cryptographic Storage ■ A8: Failure to Restrict URL Access ■ A9: Insufficient Transport Layer Protection ■ A10: Unvalidated Redirects and Forwards
  16. 16. OWASP Top 10 A1: Injection A6: Security Misconfiguration A2: Cross-Site Scripting (XSS) A7: Insecure Cryptographic Storage A3: Broken Authentication and Session Management A8: Failure to Restrict URL Access A4: Insecure Direct Object References A9: Insufficient Transport Layer Protection A5: Cross-Site Request Forgery (CSRF) A10: Unvalidated Redirects 16 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  17. 17. The Owasp Code Review Top 9 Input validation API usage Source code design Best practices violation Information leakage and Weak Session improper error handling Management Direct object reference Using HTTP GET query strings Resource usage 17 http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9 The Nine Source Code Flaw Categories ■ Input validation ■ Source code design ■ Information leakage and improper error handling ■ Direct object reference ■ Resource usage ■ API usage ■ Best practices violation ■ Weak Session Management ■ Using HTTP GET query strings
  18. 18. Defending from Attackers Simple Threat Modeling Reactive Defense Proactive Defense Defense in Depth 18
  19. 19. Simple Threat Modeling It’s simplified Glorified brainstorming Better than nothing A worthwhile exercise 19 Really a simplified brainstorming activity
  20. 20. Reactive Modeling Driven by: Blackbox testing Grey/Whitebox testing Code audit Operational/ performance bugs Assessment and mitigation/patch/fix 20 Really a less simplified brainstorming activity Performed at the end of development or post-deployment when code finished Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.
  21. 21. Reactive Modeling Driven by: Blackbox testing Grey/Whitebox testing Code audit Operational/ performance bugs Assessment and mitigation/patch/fix 21 Really a simplified brainstorming activity Performed at the end of development or post-deployment when code finished Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.
  22. 22. Proactive Modeling Driven by: Data Flow Diagrams [DFD] Data classification Secure coding practices Continuous testing/ improvement Rugged software design 22 Cheeseball but appropriate Sun Tsu quotation: So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Fixing problems before they are created is an enormous cost and time savings This method prevents bugs from happening instead of remediating them after the fact http://en.wikipedia.org/wiki/Proactive_Cyber_Defence http://en.wikipedia.org/wiki/Operational_risk#Methods_of_operational_risk_management http://en.wikipedia.org/wiki/Risk_modeling (beware use or financial risk management in complex systems) Rugged Software Manifesto: http://ruggedsoftware.org/ http://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1
  23. 23. Data Flow Diagram [DFD] 23 http://en.wikipedia.org/wiki/Data_flow_diagram
  24. 24. Data Flow Diagram [DFD] 24 http://en.wikipedia.org/wiki/Data_flow_diagram
  25. 25. Data Flow Diagram [DFD] 25 http://en.wikipedia.org/wiki/Data_flow_diagram
  26. 26. Data Flow Diagram [DFD] 26 http://en.wikipedia.org/wiki/Data_flow_diagram
  27. 27. Threat Model Defining a set of attacks to consider What can you trust? What can you not mitigate in the code or environment? Think defense in depth here 27 http://en.wikipedia.org/wiki/Threat_modeling http://www.owasp.org/index.php/Threat_Risk_Modeling
  28. 28. Threat Model Three types: Attacker centric Software centric Asset centric 28 http://en.wikipedia.org/wiki/Threat_modeling
  29. 29. Attacker What do they want? What resources do they have to get it? 29 This is likely of little interest to us in this context http://www.egadss.org/security.html
  30. 30. Software Anticipate possible attacks Can do beyond secure code Validating inputs Least privilege Fail closed 30 http://www.owasp.org/index.php/Threat_Risk_Modeling
  31. 31. Software Attacks and code countermeasures Methodologies STRIDE / DREAD CVSS OCTAVE 31 http://www.owasp.org/index.php/Threat_Risk_Modeling STRIDE http://msdn.microsoft.com/en-us/magazine/cc163519.aspx CVSS http://www.first.org/cvss/ OCTAVE http://www.cert.org/octave/
  32. 32. Asset Start modeling with things with asset tags Webservers Disk arrays Databases Routers Data channels 32 For those who aren’t programmers, but want to perform some operational threat modeling and risk mitigation, this is a popular choice.
  33. 33. Change Management A good name. Goals: Eliminate unauthorized changes Eliminate unauthorized access and vulnerability exposure Raise communication and awareness Leads to better security 33 Many incidents are caused by a gap in proper configuration. This speaks to an immature change management program Photo: www.flickr.com/photos/ spursfan_ace/2328879637/
  34. 34. Change Management Related important activities: Patching Known-good or gold standard configurations and builds System security Role-based access and least privilege controls 34 http://en.wikipedia.org/wiki/Principle_of_least_privilege
  35. 35. Security Controls Covers what software does not Reinforces what software does cover Defense in depth They are best when they are fed data 35 A nice ancient picture from our friends at the RAND corporation
  36. 36. Security Controls Physical access control Auditing of changes and user access Intrusion detection/ prevention Monitoring 36 There are more, these are just examples
  37. 37. Security Controls Anomaly detection Incident management and handling Single Sign-on 37 ..and much much more
  38. 38. Security Development [SDL] In Seattle most like Microsoft. At Microsoft, they like their SDL Flavors available: Classic Agile Light 38 http://www.microsoft.com/security/sdl/ There are other models and I have my favorites. Ask me if you can’t get enough of this SDL business.
  39. 39. Security Development [SDL] In a nutshell: Requirements Verification Design Release Implementation 39 With the optional stage zero of Training and a post-release stage of Response
  40. 40. Security Development [SDL] OWASP SDL: OpenSAMM Open and free Scoring maturity in skill/ process zones Like all things OWASP, pretty awesome 40 http://www.opensamm.org/2009/03/samm-10-released/ http://blogs.gartner.com/neil_macdonald/2009/08/04/another-excellent-application- security-maturity-model/
  41. 41. Security Development [SDL] Program quality scored from 0 to 3 0 representing none 3 representing comprehensive mastery 41
  42. 42. Security Development [SDL] Figure it out yourself Make your process fit your business needs and team skillsets Define more or less based on your in house framework or other needs 42 http://securosis.com/blog/firestarter-secure-development-lifecycle-your-doing-it-wrong/ Same failing argument used against QA 20 years ago: http://erratasec.blogspot.com/2010/05/you-may-not-need-sdl.html Do what you can do well and farm the rest out or delegate to someone who can do better.
  43. 43. Horrible Consequences Something didn’t work out There was an incident The breach was on the news What might happen now? 43
  44. 44. Horrible Consequences You may be called to a meeting to explain Your company brand or stock price may suffer There may be truly amazingly large fines Businesses can fold over such things 44 Whatever happens, you will not like them, no one will be pleased, and life will not be cool.
  45. 45. The Unexpected Unintended uses for software Landscapes change Future hard to predict Dependencies Legacy 45 Example: IP over HTTP and DNS Futurists thought that we would be on Mars and communicating with telepathy by now. It’s no wonder there is no trust model in TCP/IP. Smurf (and other amplification attacks) and IP spoofing likely not in the TCP/IP design considerations. Try to think about possible applications of the infrastructure you’re developing as, if you do it well, it may be around for a long time.
  46. 46. Thanks Ian Gorrie 46 I am Ian. http://gorrie.org @gorrie

×