Brad Andrews, CEO, RBA Communications Threat Modeling Overview This session will cover the basic elements of threat modeling, looking at what it does and why it is important. The goal is to provide a high level overview of the process and the use of things like data flow diagrams to look for trust boundaries attacks may come across. We will go through some common threats and hopefully a list of dangers to watch out for when carrying out threat modeling. The session will then work to interactively develop a flow diagram of Amazon.com and possibly another subject if we have time. This will all be based on looking at the system as a user, without any insider knowledge, though Threat Modeling is normally carried out by those who do know the system well.

1. Brad Andrews , CISSP, CSSLP
North Texas Cyber Security Conference
2015

2.  Long time in the tech field
 Wide range of jobs – Defense, Online,
Banking, Airlines, Doc-Com, Medical, etc.
 20+ Years software development experience
 10+ in Information Security
 M.S. and B.S. in Computer Science from the
University of Illinois
 Active Certifications – CISSP, CSSLP, CISM

3.  Work for one of the largest providers of
pharmacy software and services in the
country
 Serve as Lead Faculty-Area Chair and for
Information Systems Security for the
University of Phoenix Online Campus
 Carry out independent reading and research
for my own company, RBA Communications

4. The views and opinions expressed in this
session are mine and mine alone. They do
not necessarily represent the opinions of my
employers or anyone associated with
anything!

5.  Part 1 – Threat Modeling Overview
 Part 2 – Applying STRIDE to a System
 Part 3 – Applying DREAD to a System

6.  What is It?
 Why is It Important?
 How Do You Do It?
 Flow Diagrams are Important!
 Some Dangers to Avoid

7.  Figuring out all the significant threats to the
system.
 Microsoft has good guidance
◦ I borrow from Adam Shostack later
 Good overview at
https://www.owasp.org/index.php/Threat_Risk_Modeling

8. Threat Modeling Lessons from Star Wars (and
Elsewhere)
https://youtu.be/KLpgaoD8ySM

9.  We need to protect our systems
 Always limited time, people and money
 Must prioritize and focus
 Knowing the most important threats allows
this
 It has had good results
 Not a panacea, just a part of the process

10. Know the
System
Find Threats
Detail ThreatsRank Threats
Protect Against
Threats

11.  You need to know system interfaces and data
flows to find out where it could be vulnerable.
 Missing in too many cases!
 Don’t have to be perfect, just good enough.
 Visio may be worthwhile, though even Paint
can be used.

12.  Trap #1 – You are never done
◦ Ongoing process, but endpoints along the way
 Trap #2 – Monolithic processes
◦ Realize systems have many parts
 Trap #3 – A single way to threat model
◦ Use what works, not just a single formal process
 Trap #4 – Working in a vacuum
◦ All systems interact with other systems, not just
end users.

13.  Trap #5 – Threat modeling is an innate skill
◦ Some have a better mindset for it, but all can
develop the needed skills
◦ Improvement comes with time and practice
 Trap #6 – Threat modeling is a single skill
◦ Techniques – Know different approaches
◦ Knowledge – Know useful data (threats/risks,
patterns, etc.)
 Trap #7 – Think like an attacker
◦ Limited ability to think outside your own experience
◦ Follow checklists as needed

14.  Trap #8 – One model to rule them all
◦ Model of the system
◦ Model of the threats
◦ Model of the attacker or user
 Trap #9 – Focus only on the threats
◦ Also consider the impact of requirements, threats
and mitigations
 Trap #10 – Waiting too long
◦ Earlier is almost always better, though review and
repeat as necessary.

15.  Be Involved
 Don’t Monopolize
 Work Together

16. Work through an example system
Amazon is a good system to consider since
most have purchased on their site