• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
IT Security Days - Threat Modeling
 

IT Security Days - Threat Modeling

on

  • 952 views

Learning threat modeling by doing: the case study of a local business owner in the medical field, willing to create his own first

Learning threat modeling by doing: the case study of a local business owner in the medical field, willing to create his own first

Statistics

Views

Total Views
952
Views on SlideShare
952
Embed Views
0

Actions

Likes
1
Downloads
34
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    IT Security Days - Threat Modeling IT Security Days - Threat Modeling Presentation Transcript

    • Threat Modelingidentifying threats in your webapp before coding: a case study
      Antonio FontesLength: 45+15 minutes
      IT Security Days – March 16th 2011
      Yverdon-Les-Bains
    • Speaker info
      Antonio Fontes
      Owner L7 Sécurité (Geneva, Switzerland)
      6+ years experience in information security
      Lecturer at HEIG-VD
      Fields of expertise:
      Web applications defense
      Security in the development lifecycle
      Threat modeling & risk management
      OWASP:
      Chapter leader – Geneva
      Board member - Switzerland
      L7 Sécurité - http://L7securite.ch
      2
    • My objectives for today:
      You understand the concept of threat modeling
      You can build a basic but still actionable threat model for your web application
      You know when you should build a threat model and what you should document in it
      This new technique helps you feel more confident about the security of your web application.
      L7 Sécurité - http://L7securite.ch
      3
    • Let'slearn by doing…
      L7 Sécurité - http://L7securite.ch
      4
    • Case study
      A local pediatrician is constantly receiving phone calls (and messages on Facebook) from desperate parents, outside cabinet hours.
      L7 Sécurité - http://L7securite.ch
      5
    • Case study
      He hired an assistant but he refuses to answer late evening phone calls (and apparently, law is on his side…)
      He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number) but parents keep finding ways to contact him outside regular hours.
      L7 Sécurité - http://L7securite.ch
      6
    • Case study
      He has a stunning idea: building a webapp for managing his appointments!
      L7 Sécurité - http://L7securite.ch
      7
    • Case study
      Basically, he just wants his clients to be able at any time (night and day):
      to schedule for an appointment at the closest free slot available
      to describe a few symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears).
      L7 Sécurité - http://L7securite.ch
      8
    • Case study
      He contacts a local web agency and describes his need.
      The web agency accepts to build the solution.
      (easy job, easy money!)
      They actually just started designing the system on last Monday…
      L7 Sécurité - http://L7securite.ch
      9
    • Case study
      It happens (by total chance) that the pediatrician attend the IT Security Days #1 conference 
      He heard about pesky guys, who hack into web applications seeking chaos by destroying databases, stealing personal data and selling it on a black market to large corporations that want to control the world!
      L7 Sécurité - http://L7securite.ch
      10
    • Case study
      He also meets a guy, who tells him about an obscure technique called threat modeling.
      He says it might help project teams detecting major threats and appropriate countermeasures to their web applications at design time.
      L7 Sécurité - http://L7securite.ch
      11
    • Case study
      L7 Sécurité - http://L7securite.ch
      12
      He suddenly realises that the web agency did not talk a lot about security the other day...
    • Case study
      He hires you, for one day.
      Your job is to observe the project, gather information,and eventually, issue some recommendations...
      L7 Sécurité - http://L7securite.ch
      13
    • 1. Understand the system
      L7 Sécurité - http://L7securite.ch
      14
    • 1. Describe (understand) the system
      What is the business requirement behind it?
      What role is the system playing in the organization?
      Will it bring money?
      Will it be the main revenue source?
      Is the system processing online transactions?
      Is it storing/collecting sensitive/private information?
      Should it be kept always online or is it okay if it stops sometimes?
      Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?)
      L7 Sécurité - http://L7securite.ch
      15
    • "The system is not built to generate revenue."
      "It is not processing orders."
      "It just allows my clients to schedule for an appointment. "
      "Oh yes, and also provide some basic information on the case (symptoms)."
      L7 Sécurité - http://L7securite.ch
      16
    • 1. Describe (understand) the system
      What is the motive of your presence?
      L7 Sécurité - http://L7securite.ch
      17
    • 1. Describe (understand) the system
      L7 Sécurité - http://L7securite.ch
      18
    • 1. Describe (understand) the system
      L7 Sécurité - http://L7securite.ch
      19
    • "I never had a website for my cabinet." (well, I think…)
      "I just don't want a bad thing to happen when this service comes online."
      "No, I don't really know of particular regulatory requirements…"
      L7 Sécurité - http://L7securite.ch
      20
    • 1. Describe (understand) the system
      Let's add the developer and the architect to the discussion…
      L7 Sécurité - http://L7securite.ch
      21
    • 1. Describe (understand) the system
      What will the system look like?
      Technologies?
      Architecture?
      Functionalities? (use cases?)
      Components?
      What will be the typical use cases?
      L7 Sécurité - http://L7securite.ch
      22
    • "It's a standard web project, including a frontend application connected to a backend database."
      "Users must create a profile with basic personal information (patient name/lastname, parent name/lastname, address, email address, phone numbers, username, password."
      "Once they have logged in, they can schedule for an appointment."
      L7 Sécurité - http://L7securite.ch
      23
    • 1. Describe (understand) the system
      What will be its typical usage scenarios?
      Visitors? Members? Other doctors? Access from outside?
      How will users be authenticated?
      Where will the system be hosted?
      Where will users connect from?
      and where will the doctor connect from?
      L7 Sécurité - http://L7securite.ch
      24
    • "Users can connect and see their appointments, edit their info or cancel them."
      "The cabinet will be using a supervising access, who has entire view on the agenda and can access details of every appointment."
      "Authentication is made by username/password."
      "The credentials will be stored securely."
      "The system will be hosted on our web farm."
      L7 Sécurité - http://L7securite.ch
      25
    • "I will connect from work! Of course!"
      …"okay, and sometimes from home. If I can…"
      L7 Sécurité - http://L7securite.ch
      26
    • 1. Describe (understand) the system
      Can we draw this?
      L7 Sécurité - http://L7securite.ch
      27
    • L7 Sécurité - http://L7securite.ch
      28
    • L7 Sécurité - http://L7securite.ch
      29
    • L7 Sécurité - http://L7securite.ch
      30
    • L7 Sécurité - http://L7securite.ch
      31
    • L7 Sécurité - http://L7securite.ch
      32
    • L7 Sécurité - http://L7securite.ch
      33
    • 1. Describe (understand) the system
      L7 Sécurité - http://L7securite.ch
      34
    • 1. Describe (understand) the system
      What would be the assets of highest value?
      Is there sensitive/private/proprietary/regulated information anywhere?
      Where are credentials stored?
      Are there any financial flows?
      Is one of these components critical for your business?
      Has the system access (is it connected) to other more sensitive systems?
      L7 Sécurité - http://L7securite.ch
      35
    • "The accounts database contains personal information about my customers and patients."
      "The accounts database contains credentials."
      "Money doesn't flow through the application."
      "If they can't reach it, they will call me…"
      "They also host other customers databases on the same network."
      L7 Sécurité - http://L7securite.ch
      36
    • 1. Describe (understand) the system
      How many occurrences of these assets are you expecting in say…two years?
      (We are gathering volumetric data here)
      L7 Sécurité - http://L7securite.ch
      37
    • "In two years?
      I'd say 200-400 families entered in the system.
      2'400 appointments.
      And 400 urgent appointments…"
      L7 Sécurité - http://L7securite.ch
      38
    • 2. Identify potential threat sources
      L7 Sécurité - http://L7securite.ch
      39
    • 2. Identifypotentialthreat sources
      Given what we know, who might be interested in compromising your system?
      Who wants to steal the data?
      Who wants to sell it?
      Who wants to corrupt it?
      Who wants to stop it?
      L7 Sécurité - http://L7securite.ch
      40
    • 2. Identify potential threat sources
      L7 Sécurité - http://L7securite.ch
      41
    • 2. Identify potential threat sources
      L7 Sécurité - http://L7securite.ch
      42
    • 2. Identify potential threat sources
      L7 Sécurité - http://L7securite.ch
      43
    • 2. Identify potential threat sources
      L7 Sécurité - http://L7securite.ch
      44
    • 2. Identifypotentialthreat sources
      Information can also come directly from the customer:
      In information critical organizations, some managers have access to undisclosed threat information:
      National level, international level, industry level, etc.
      Don’t forget to ask:
      "Yeah, there is another pediatrician who recently moved here…"
      L7 Sécurité - http://L7securite.ch
      45
    • 3. Identify major threats
      L7 Sécurité - http://L7securite.ch
      46
    • 3. Identify major threat scenarios
      What would be (really) bad for the business?
      Which threat source would trigger that scenario?
      How would she/he/they proceed technically?
      What would be the impact for my business?
      Shameful (bad news)? Bad (financial loss)? Catastrophic (end of the my world)?
      Some helpers:
      Think about threats induced naturally, by the technology itself.
      Think about what the CEO really doesn't want.
      Think AIC: availability, integrity, confidentiality
      L7 Sécurité - http://L7securite.ch
      47
    • 3. Identify major threats
      L7 Sécurité - http://L7securite.ch
      48
    • 3. Identify major threats
      L7 Sécurité - http://L7securite.ch
      49
    • 3. Identify major threats
      L7 Sécurité - http://L7securite.ch
      50
    • How would we prevent these attacks?
      L7 Sécurité - http://L7securite.ch
      51
    • 3. Identify major threats
      L7 Sécurité - http://L7securite.ch
      52
    • 4. Document what you found(aka "opportunities for risk mitigation")
      L7 Sécurité - http://L7securite.ch
      53
    • 4. Document the opportunity
      Document:
      The threats we identified
      The controls, which prevent these threats from being exercised by the threat-sources
      Recommend and prioritize:
      What should be absolutely done?
      In what order?
      L7 Sécurité - http://L7securite.ch
      54
    • 4. Document the opportunity
      L7 Sécurité - http://L7securite.ch
      55
    • 4. Document the opportunity
      L7 Sécurité - http://L7securite.ch
      56
    • L7 Sécurité - http://L7securite.ch
      57
    • Conclusion…and perspective…
      L7 Sécurité - http://L7securite.ch
      58
    • Conclusion
      TM seemsimprecise, inexact, undefined:
      Requires good understanding of the business case
      Requires good knowledge of web application threats
      Requires common sense
      Can be frustrating the first times…
      L7 Sécurité - http://L7securite.ch
      59
    • Conclusion
      Repeating the basic process a few timesquickly brings good results:
      1. Characterize the system
      2. Identify the threat sources
      3. Identify the major threats
      4. Document the countermeasures
      5. Transmit (translate) to the team
      L7 Sécurité - http://L7securite.ch
      60
    • Conclusion
      "Who should make the TM?"
      Theoretically: the design team
      Practically: an appsec guy with good knowledge of internet threats, web attack techniques and the ability to understand what isimportant for the business underassessment will definitely setthe "efficiency" attribute.
      L7 Sécurité - http://L7securite.ch
      61
    • Conclusion
      "When should I make a TM?"
      Sometime is good. Early is better.
      If the objective is to avoid implementing poor code  do it at design time.
      After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to update the TM.  yes, it can be updated!
      If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
      L7 Sécurité - http://L7securite.ch
      62
    • Conclusion
      TMingcan be performed early:
      L7 Sécurité - http://L7securite.ch
      63
      Analyze
      Design
      Implement
      Verify
      Deploy
      Respond
      Incident response
      Security requirements
      Secure coding
      Security testing
      Secure design
      Secure deployment
      Vulnerability management
      Code review
      Risk analysis
      Design review
      Risk assessment
      Threat modeling
      Penetration testing
      Training & awareness
      Policy / Compliance
      Governance (Strategy , Metrics)
    • Conclusion
      TMing can also be performed later:
      L7 Sécurité - http://L7securite.ch
      64
      Analyze
      Design
      Implement
      Verify
      Deploy
      Respond
      Incident response
      Security requirements
      Secure coding
      Security testing
      Secure deployment
      Secure design
      Vulnerability management
      Code review
      Risk analysis
      Design review
      Threat modeling
      Risk assessment
      Threat modeling
      Penetration testing
      Threat modeling
      Training & awareness
      Policy / Compliance
      Governance (Strategy , Metrics)
    • Conclusion
      TMing can be performed from an asset perspective:
      Aka the asset-centric approach (what we just did today)
      It can be performed from an attacker perspective:
      Aka the attacker-centric approach
      Who would attack the system with what means?
      L7 Sécurité - http://L7securite.ch
      65
    • Conclusion
      TMing can also be performed according to the system description:
      Aka the system-centric approach
      Most detailed and rigorous technique
      Use of threat identification tools: STRIDE
      Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…
      Use of threat classification tools: DREAD
      Damageability, Reproducibility, Exploitability, Affected population, Discoverability…
      Structured DFD analysis (see next slide)
      L7 Sécurité - http://L7securite.ch
      66
    • Conclusion
      L7 Sécurité - http://L7securite.ch
      67
    • Conclusion
      L7 Sécurité - http://L7securite.ch
      68
    • Conclusion
      "What should I document in a TM? "
      Basically: what you think is right. There is no rule (yet). TM'ing is never absolute.
      If you spend days writing a threat model for a single web app, there might be a problem…
      Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might be forgotten later.
      L7 Sécurité - http://L7securite.ch
      69
    • Conclusion
      "Your example was really 'basic'. How can I reach next level?"
      Practice your DFD drawing skills
      Stay updatedon new web attacks, threats and intrusion trends
      Read feedback from field practitioners (some good references are provided at end of presentation)
      Standardizeyour technique:
      ISO 27005 : Information security risk management (§8.2)
      NIST SP-800-30: Risk management guide (§3)
      L7 Sécurité - http://L7securite.ch
      70
    • Conclusion
      "Do pediatriciansfeel more confident about their web app?"
      L7 Sécurité - http://L7securite.ch
      71
      YES!
    • Questions?
      L7 Sécurité - http://L7securite.ch
      72
    • Merci! / Thankyou!
      Contact me: antonio.fontes@L7securite.ch
      Follow me: @starbuck3000
      Download us: http://slideshare.net (user: starbuck3000)
      L7 Sécurité - http://L7securite.ch
      73
    • Recommended readings:
      Guerilla threat modeling (Peter Torr)http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
      Threat risk modeling (OWASP)http://www.owasp.org/index.php/Threat_Risk_Modeling
      Application threat modeling (OWASP)http://www.owasp.org/index.php/Application_Threat_Modeling
      Threat modeling web applications (Microsoft)http://msdn.microsoft.com/en-us/library/ff648006.aspx
      Comments on threatmodeling (in French, DLFP)http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
      NIST SP-800-30: risk management guidehttp://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
      L7 Sécurité - http://L7securite.ch
      74