Threat Modeling / iPad
Information security: what security for your data?

Seminar of 24 May 2012 / Lausanne

net-Banking via iPad

Threat Modeling / iPad Presentation Transcript

  • 1. iPad net-Banking Project: Technical Risk Assessment. Sylvain Maret / Security Architect / 2012-05-24 / @smaret. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel. +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch | Conseil en technologies (technology consulting)
  • 2. Agenda
    - Context
    - Technical Risk Assessment approach
    - A six-step process
    - Threat Model: DFD
    - STRIDE Model
    - Open discussion
  • 3. Context
  • 4. Context
    - Business case: enable customer access to portfolio performance reports from mobile equipment (iPad) located outside the controlled network.
  • 5. Actors
    - Security Product
    - ACME Bank
    - Web Agency
  • 6. The TRA relies on a series of six activities:
    - #1 System characterization
    - #2 Threat identification
    - #3 Vulnerabilities identification
    - #4 Impact analysis
    - #5 Risk characterization
    - #6 Risk treatment and mitigation
  • 7. Step #1: System characterization
  • 8. #1 - Appropriate safeguards
    - The selected solution shall implement the appropriate safeguards to maintain the overall security at its expected level.
    - Required level: C / I / A (confidentiality, integrity, availability)
  • 9. #1 - Ensure service integrity
    - Uncontrolled client systems mean unpredictable request behavior
    - Prevent access from: offensive / hostile / corrupt requests
  • 10. #1 - Ensure information confidentiality
    - While data travels across uncontrolled networks
    - While the client application is "offline" (turned off)
    - While the client application is "online" (running)
    - Prevent access from:
      - Network capture: sniffers, gateways, cache proxies, MitM, etc.
      - Local capture: unsecure backups, memory-card access
      - Data interception by locally installed malware
  • 11. #1 - Consider project-specific risks
    - Outsourced vs. in-house development: where will security assurance come from?
    - Multi-disciplinary project involving three major actors:
      - The Bank (Acme - IT projects)
      - The portfolio performance reporting application (Web Agency)
      - The sandboxing application (Sysmosoft)
    - Who will be responsible for key security aspects?
  • 12. Step #2: Threat identification
  • 13. #2 - Building a threat model
    - Decompose the application
    - Diagramming: Data Flow Diagram (DFD)
    - Determine and rank threats: STRIDE model
  • 14. #2 - Data Flow Diagram (DFD) elements: Process, External entity, Multiple process, Data store, Data flow, Trust boundary
  • 15. #2 - DFD - iPad net-Banking
  • 16. #2 - STRIDE Model: threat categories
  • 17. #2 - Threat agents
  • 18. #2 - Threats - iPad net-Banking - Example
  • 19. #2 - Different threats affect each type of element (the S/T/R/I/D/E check-mark columns of this slide did not survive in the transcript)
    DFD ID | Threat ID | Comment
    2 (iPad) | T1 | Unsecure backups; memory-card access; data interception by locally installed malware
    3 (Transport - Internet) | T2 | Sniffers, gateways, cache proxies, MitM, etc.
    7 (Banking App) | T3 | Offensive / hostile / corrupt requests
  • 20. Step #3: Vulnerabilities identification
  • 21. #3 - Security controls - Example
    Threat ID | Family | Controls
    T1 | Feature: local mobile application sandboxing | Secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware
    T2 | Feature: data transport security | Confidential transport
    T3 | Feature: secure architecture | Defense in depth; privilege separation; trusted links & endpoints
    T3 | Process: secure software development | Presence of software security assurance controls in each development lifecycle: Outsourced Dev; Acme Bank
  • 22. #3 - Vulnerabilities identification
    Threat ID | Controls | V-ID | Vulnerabilities
    T1 | Secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware | V100 | ?? (unknown)
    T2 | Confidential transport | V200 | No application-level data security
    T3 | Defense in depth; privilege separation; trusted links & endpoints | V300 | No hardening strategy at service layer
    T3 | Presence of software security assurance controls in each development lifecycle (Outsourced Dev; Acme Bank) | V400 | Poor SDLC activities
  • 23. #3 - V100 - Unknown
    - Data sharing between apps?
    - Device jailbreaking?
    - Malicious legal app?
  • 24. #3 - V200 - No application-level data security (Banking App)
  • 25. #3 - V300 - No hardening strategy at service layer
    - No XML firewall
    - No mutual-trust SSL at WS transport level
    - No hardening at OS & service level
  • 26. #3 - V400 - Poor SDLC activities (Microsoft's SDL)
  • 27. #3 - Security assurance during development (assurance level: ?)
    Project phase | Security activities
    Analysis | Security requirements; compliance requirements, policy
    Design | Secure design / design security review; threat model; security testing plan
    Implementation | Safe APIs; secure coding / defensive programming; automated source code analysis
    Verification | Security testing; penetration testing
    Delivery | Secure default configuration; hardening / secure deployment guides; configuration validation
    Operations | Incident response process; threat / vulnerability management
  • 28. #3 - Web Agency: software development security assurance
    Project phase | Security activities
    Analysis, Design | Involvement of a security architect during the design process
    Implementation | Use of automated code quality analysis tools
    Verification, Delivery, Operations | Experience with customers conducting regular security evaluations
  • 29. #3 - Acme Bank: software development security assurance (assurance level: ?)
    Project phase | Security activities
    Analysis, Design, Implementation, Verification, Delivery, Operations | ?
  • 30. #3 - Software development security assurance: Summary
    Actor | Assurance level | Conclusions
    Outsourced Dev | low | Assurance level is low. Acme Bank shall agree with the vendor on minimum security assurance requirements along the project, or establish a clear statement of responsibilities (SLA).
    Acme Bank | ? | Assurance level is low. Acme Bank shall define minimum security assurance requirements with project management.
  • 31. Step #4: Impact analysis
  • 32. #4 - Impact analysis - Example
    V-ID | Description | Severity | Exposure
    V-100 | Information disclosure on iPad | HIGH | Additional controls needed
    V-200 | Information disclosure on data transport | MEDIUM | Additional controls needed
    V-300 | Intrusion on Banking Application | HIGH | Additional controls needed
    V-400 | Intrusion on Banking Application | HIGH | Additional controls needed
  • 33. Step #5: Risk estimation
  • 34. #5 - Risk estimation - Example
    R-ID | V-ID | Description | Likelihood | Severity | Tech. Impact | Business Impact
    R-1 | V-200 | Theft of credentials or personal data during transport | MEDIUM | HIGH | Confidentiality | Compliance, Reputation
    R-2 | V-300, V-400 | User input tampering attempts resulting in system compromise | LOW | HIGH | Integrity | Compliance, Reputation, Operations
    R-3 to R-6 | -- | -- | -- | -- | -- | --
  • 35. Step #6: Risk treatment and mitigation
  • 36. #6 - Security controls - Example
    Reco. ID | Risk | Description | Decision
    SC.1 | R-1 | Perform a pentest on the iPad application | Mitigate
    SC.2 | R-1 | Implement data encryption for transport | Mitigate
    SC.3 | R-2 | Deploy an XML firewall in front of the web service | Mitigate
    SC.4 | R-2 | Perform code review; perform pentest | Mitigate
  • 37. Conclusion
    - Security in mind during the project
    - Iterative process
      - Risk assessment during the project
      - Risk assessment after deployment
    - Threat modeling
      - A new approach
      - A guideline for all projects
  • 38. Questions?
  • 39. Who am I?
    - Security expert
    - 17 years of experience in ICT security
    - Principal Consultant at MARET Consulting
    - Expert at the Engineering School of Yverdon & Geneva University
    - Swiss French area delegate at OpenID Switzerland
    - Co-founder of the Geneva Application Security Forum
    - OWASP member
    - Author of the blog "la Citadelle Electronique"
    - http://ch.linkedin.com/in/smaret or @smaret
    - http://www.slideshare.net/smaret
    - Chosen field: AppSec & Digital Identity Security
  • 40. References
    - https://www.owasp.org/index.php/Application_Threat_Modeling
    - http://msdn.microsoft.com/en-us/library/ff648644.aspx
    - http://en.wikipedia.org/wiki/Threat_model
    - http://www.microsoft.com/security/sdl/default.aspx
    - http://www.appsec-forum.ch/
  • 41. "Advice and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
  • 42. Backup slides
  • 43. #2 - Understanding the threats (source: Microsoft SDL Threat Modeling)
    Threat | Property | Definition | Example
    Spoofing | Authentication | Impersonating something or someone else | Pretending to be any of billg, xbox.com or a system update
    Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network
    Repudiation | Non-repudiation | Claiming to have not performed an action | "I didn't cheat!"
    Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app
    Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
    Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
  • 44. #3 - V400 - Poor SDLC activities: software assurance maturity models: SAMM (OWASP)
  • 45. #2 - Data Flow Diagram: element examples
    External entity | Process | Data flow | Data store
    People | DLLs | Function call | Database
    Other systems | EXEs | Network traffic | File
    Microsoft.com | Components | etc. | Registry
    etc. | Services | | Shared memory
    | Web services | | Queue/Stack
    | Assemblies | | etc.
    | etc. | |
    Trust boundary: process boundary; file system
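As an added example (not code from the deck or from MARET Consulting), a small Python helper that applies the Microsoft SDL "STRIDE-per-element" rule that slide 19 relies on to the three DFD elements and threats T1-T3 of that slide, and combines the likelihood and severity ratings of slide 34 into a risk rank. The element types, the STRIDE letters assigned to each threat and the 1-3 scoring scale are assumptions, since the slide's check marks and the deck's risk formula are not in the transcript.

```python
from dataclasses import dataclass, field

# STRIDE categories that can apply to each DFD element type. This is the
# Microsoft SDL "STRIDE-per-element" rule that slide 19 relies on; the deck
# does not reproduce the matrix, so it is restated here as an assumption.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R applies to logging stores; kept as a superset
    "data_flow": "TID",
}

LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Element:
    dfd_id: int      # numbering follows slide 19 (2 = iPad, 3 = transport, 7 = banking app)
    name: str
    kind: str        # key of STRIDE_BY_ELEMENT (assumed type for each element)
    threats: list = field(default_factory=list)   # (threat_id, comment, stride_letters)


def applicable_stride(element):
    return STRIDE_BY_ELEMENT[element.kind]


def stride_violations(element, letters):
    """STRIDE letters that cannot apply to this element type (empty set when all are valid)."""
    return set(letters) - set(applicable_stride(element))


def add_threat(element, threat_id, comment, letters):
    """Attach a threat, rejecting categories the element type cannot be subject to."""
    bad = stride_violations(element, letters)
    if bad:
        raise ValueError(f"{threat_id}: {''.join(sorted(bad))} not applicable to a {element.kind}")
    element.threats.append((threat_id, comment, letters))


def risk_rating(likelihood, severity):
    """Combine the qualitative ratings of slide 34 (likelihood x severity on a 1-3 scale;
    the scale is an assumption, the deck only lists the input ratings)."""
    score = LEVEL[likelihood] * LEVEL[severity]
    return "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"


def build_model():
    """The three elements and threats T1-T3 of slide 19; the STRIDE letters per threat
    are assumptions (the slide's check marks did not survive extraction)."""
    ipad = Element(2, "iPad client application", "process")
    transport = Element(3, "Transport - Internet", "data_flow")
    bank_app = Element(7, "Banking application", "process")
    add_threat(ipad, "T1", "Unsecure backups, memory-card access, local malware", "I")
    add_threat(transport, "T2", "Sniffers, gateways, cache proxies, MitM", "TI")
    add_threat(bank_app, "T3", "Offensive / hostile / corrupt requests", "TDE")
    return {e.dfd_id: e for e in (ipad, transport, bank_app)}
```

With the deck's own inputs, R-1 (MEDIUM likelihood, HIGH severity) ranks HIGH and R-2 (LOW, HIGH) ranks MEDIUM, and an attempt to tag the transport data flow with Spoofing is rejected because spoofing is a property of entities and processes, not of flows.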