• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Rapid Threat Modeling : case study
 

Rapid Threat Modeling : case study

on

  • 1,936 views

Rapid Threat Modeling: doctor's case study

Rapid Threat Modeling: doctor's case study
September 6th. 2011
Securitybyte Conference
Bangalore, India

Statistics

Views

Total Views
1,936
Views on SlideShare
1,935
Embed Views
1

Actions

Likes
3
Downloads
63
Comments
1

1 Embed 1

https://sl-wiki.polyright.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Rapid Threat Modeling : case study Rapid Threat Modeling : case study Presentation Transcript

    • rapid Threat Modelingidentifying threats in a webapp before coding it: thecase study of the innocent (but still nice) Doctor Antonio Fontes Length: 45+15 minutes Securitybyte Conference – Sept 6th – 9th 2011 Bangalore
    • 2About me • Antonio Fontes • Owner L7 Sécurité (Geneva, Switzerland) • 6+ years experience in information security • Fields of expertise: – Online applications defense – Security integration in the software development lifecycle – Threat modeling, risk analysis and estimation • Lecturer at the University of applied sciences, Western Switzerland • OWASP: – Chapter leader: Geneva – Board member: Switzerland http://L7securite.ch
    • 3My objectives for today: 1. You understand the concept of threat modeling and its fast track approach 2. You can build a basic but still actionable threat model for your web application 3. You know when you should build a threat model and what you should document in it 4. This new technique helps you feel more confident about the security of your web application. http://L7securite.ch
    • 4Disclaimer • Don’t expect “100%” coverage – Our main goal here is to prioritize the security effort, not to replace testing activities! • If full analysis is strictly necessary: – Use system-centric TM instead (much more systematic) – Extend with other SDLC security activities: review, testing, best practices, secure APIs, etc. http://L7securite.ch
    • 5Panic mode? • Don’t write what you see on the slides! – They will be freely available on request – and uploaded to: http://slideshare.net/starbuck3000 http://L7securite.ch
    • 6Threat Modeling crash course A repeatable process, to help identify and document: – A system’s characteristics and security requirements – Data-flows – Threats – Potential responses to these threats (controls) http://L7securite.ch
    • 7Threat Modeling crash course A threat model is: – Reusable: it can serve at different stages of development, like design, implementation, deployment and testing – Editable: it’s an ongoing threat assessment of your application. It should be updated along with the application http://L7securite.ch
    • 8Lets learn by doing… http://L7securite.ch
    • 9Case study • A local pediatrician is constantly receiving phone calls (and messages on Facebook!) from desperate parents, outside cabinet opening hours. http://L7securite.ch
    • 10Case study • He hired an assistant but he refuses to answer late evening phone calls (and apparently, law is on his side…) • He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number) butparents keep finding ways to contact him outside regular hours. http://L7securite.ch
    • 11Case study • His patients have a stunning idea: a webapp for managing his appointments! http://L7securite.ch
    • 12Case study • Basically, he wants his patients to be able, at any time (night and day): – to schedule for an appointment at the closest free slot available – to describe the symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears). http://L7securite.ch
    • 13Case study • He contacts a local web agency and describes his need. • The web agency accepts to build the solution. (easy job, easy money!) • They start immediately. Actually, they just started designing the system yesterday! http://L7securite.ch
    • 14Case study • The pediatrician reads news about an infosec conference ☺ • He hears about guys, who wear black hats, hack into web applications, seek chaos by destroying databases, stealing and selling personal data on the black market to large corporations that want to control the world! http://L7securite.ch
    • 15Case study • He meets a guy, who tells him about an obscure technique called threat modeling. • He says it might help the outsourcing web agency to avoid doing some major mistakes, and implement appropriate countermeasures in the web application while still at design time. http://L7securite.ch
    • 16Case study The doctor suddenly realises that the web agency did not talk about security the other day... http://L7securite.ch
    • 17Case study • He hires you, for one day. • Your job is to observe the project, gather information, and eventually, issue some recommendations... http://L7securite.ch
    • 18Task 1:Understand and describe the systema.k.a. « ask questions! » http://L7securite.ch
    • 191. Describe (understand) the system • What is the motive/driver of the client? – Compliance? – Intrusion follow-up? – Awareness / self-determination / corporate culture ? – Is someone-thing in particular threatening the organization? – Other reasons? http://L7securite.ch
    • 201. Describe (understand) the system • What is the business requirement? • What role is the system playing in the organization? • Will it be the only/major revenue source? • Will it bring money? • Is it processing online transactions? • Is it feeding other transactional systems? • Is it storing/collecting sensitive/private information? • Should it be always online or is it okay if it stops sometimes? http://L7securite.ch
    • 211. Describe (understand) the system • Is the business under particular data processing regulation? – Privacy? – Healthcare? – Food? Chemicals? Drugs? – Transports? Energy? – Legal? Financial? http://L7securite.ch
    • 221. Describe (understand) the system • Is the system protecting or supporting the life of someone? Or can it endanger someone? – Water cleaning? – Transportation? – Energy? – Health equipment? – Interactions with the physical environment? – Weaponized? Military? http://L7securite.ch
    • 23"The system is not built to generate revenue.""It is not processing orders.""It allows my clients to schedule for an appointment. ""Oh, I forgot, and it also allows them to provide some basic information on the case (symptoms)." http://L7securite.ch
    • 24“Well, I guess…certainly compliance with some health information Act?““It can be offline.”“It is not consumed by third-party systems.”“It is not interacting with people or things.”“I will be the only one accessing it.” …”and my assistant, of course!” http://L7securite.ch
    • 251. Describe (understand) the systemMotivator CommentMy employees/clients life/safety is at risk (SCADA systems,energy, transports, food & drugs, etc.)I want to stay compliant with laws and regulationsI just want to sleep peacefully and avoid hackersI never want my systems to be compromised again!I want to protect my employees/customers privacyI want to make sure my customers pay for our goods/servicesI want to keep the money inside my companyI cannot afford my website going offlineIt is connected to our ERPThreat Modeling really seems awesome! (seen the ad on TV) http://L7securite.ch
    • 261. Describe (understand) the systemMotivator CommentMy employees/clients life/safety is at risk (SCADA systems, not really…energy, transports, food & drugs, etc.)I want to stay compliant with laws and regulations Are there any?I just want to sleep peacefully and avoid hackers Yes!I never want my systems to be compromised again! not really…I want to protect my employees/customers privacy Of course!I want to make sure my customers pay for our goods/services Not applicableI want to keep the money inside my company Not applicableI cannot afford my website going offline Yes. They will call me.It is connected to our ERP Our what??Threat Modeling really seems awesome! (seen the ad on TV) Definitely! http://L7securite.ch
    • 27"I never had a website for my cabinet." (well, I think…)"I just dont want a bad thing to happen when this service comes online.“"I dont really know of particular regulatory requirements…" http://L7securite.ch
    • 28http://L7securite.ch
    • 29http://L7securite.ch
    • 301. Describe (understand) the systemMotivator CommentMy employees/clients life/safety is at risk (SCADA systems, not really…energy, transports, food & drugs, etc.)I want to stay compliant with laws and regulations Are there any? YESI just want to sleep peacefully and avoid hackers Yes!I never want my systems to be compromised again! not really…I want to protect my employees/customers privacy Of course!I want to make sure my customers pay for our goods/services Not applicableI want to keep the money inside my company Not applicableI cannot afford my website going offline Yes. They will call me.It is connected to our ERP Our what??Threat Modeling really seems awesome! (seen the ad on TV) Definitely! http://L7securite.ch
    • 311. Describe (understand) the system Lets add the developer and the architect to the discussion… http://L7securite.ch
    • 321. Describe (understand) the system • Please describe the system as you imagine it: – Technologies? – Architecture? – Functionalities? (use cases?) – Components? • What will be the major use cases? http://L7securite.ch
    • 33"Its a standard webapp, including a frontend application connected to a backend database."“Clients will create a profile with basic personal information (patient name/lastname, parent name/lastname, address, email address, phone numbers, username, password.""Once they have logged in, they can schedule for an appointment." http://L7securite.ch
    • 341. Describe (understand) the system • What will be its typical usage scenarios? – Visitors? Members? Other doctors? Access from outside? • Who (where) will host the system? • How will users be authenticated? • Where will users connect from? – and where will the doctor connect from? http://L7securite.ch
    • 35"Users can connect and see their appointments, edit their info or cancel them.""The cabinet will be using a supervisor access, who has entire view on the agenda and can access details of every appointment."“Users authenticate with username/password."“Credentials will be stored securely.""The system will be hosted on our web farm." http://L7securite.ch
    • 36"I will connect from work! Of course!"…"and from home, if I can…" http://L7securite.ch
    • 371. Describe (understand) the system Can we draw this? http://L7securite.ch
    • 38Data-flow diagram http://L7securite.ch
    • 39also known as… DFD http://L7securite.ch
    • 40…may show actors… http://L7securite.ch
    • 41…data processing units… http://L7securite.ch
    • 42…data storage units… http://L7securite.ch
    • 43…data transmission channels… http://L7securite.ch
    • 44…and security trust zones! Who can access this? http://L7securite.ch
    • 451. Describe (understand) the system • What/Where are the assets of highest value? – Is there private/proprietary/regulated information anywhere? – Are user credentials stored? Where? How? – Are there any financial/transactional flows? – Is one of these components critical for your business? – Is the system connected to other more sensitive systems? (company ERP? Bank? Machines?) http://L7securite.ch
    • 46"The accounts database contains PII about my patients.""The accounts database contains credentials.""Money doesnt flow through the application.““The system does not connect to anything else.”“The system can turn offline. Patients will call me on my phone, as before!" http://L7securite.ch
    • 47“We host several customers on our shared hosting environment.”“It is totally secure!” http://L7securite.ch
    • 481. Describe (understand) the system • How many occurrences of these assets are you expecting in say…two years from today? (We are gathering volumetric data here) http://L7securite.ch
    • 49"In two years?Id say around 300 family accounts.3’600 appointments (6/family/year)And 2400 urgent appointments… (4/family/year)" http://L7securite.ch
    • 50End of task 1 • It’s a non-transactional web application • It is not connected to other systems • It hosts patient health information + PII – Data should be protected from unauthorized access (in-transit + offline) • It is accessible from the Internet • It contains usernames + passwords – Credentials storage should observe best practices http://L7securite.ch
    • 51Task 2:Identify potential threat agents http://L7securite.ch
    • 522. Identify potential threat agents - Given what we know, who might be interested in compromising your system? - No one! - Any competitor recently installed? - Mmmmh…yes…One, actually. She just arrived. She’s a pediatrician, too. - Could she steal your patients? - Oh! http://L7securite.ch
    • 532. Identify potential threat agents - Any businesses would be interested in acquiring health details on 300 geographically- linked families, including their problems, illnesses, special situations? - Any businesses interested in acquiring personal details of 300 families including usernames, passwords, contact details? - Mmmmh…probably http://L7securite.ch
    • 542. Identify potential threat agents • Would anyone want to steal your data? • Would anyone be able to sell it? • Would anyone be interested in corrupting it? • Would anyone benefit from an interruption of your application? http://L7securite.ch
    • 55“You have a scary way of asking questions…” http://L7securite.ch
    • 562. Identify potential threat agents http://L7securite.ch
    • 572. Identify potential threat agents Threat source Motivation Approach (strategy/tactics) Dumb users Opportunistic Mistakes Smart users Opportunistic Circumventing complex GUI Script kiddies / hackers Opportunistic Use of automated exploit/scanning tools, (low-profile) known vulnerabilities research Hackers (higher profile) Targeted Vulnerability research Competitors Targeted Hiring hackers Other businesses Targeted Hiring hackers Organized cybercriminals Targeted 0-day research and trade Government / Military Targeted Long-term ops APT magic Mixed Continuous + long-term + multilayer ops http://L7securite.ch
    • 582. Identify potential threat sources Which of these sources might hit or target my business? – With a high probability? • Population size • Exposure – With a high impact? • Personal/health information disclosure (compliance) – With the incentive of a high reward? • Users/passwords stealing / health information trading http://L7securite.ch
    • 592. Identify potential threat agents Don’t forget to ask the customer if she/he has access to confidential threat information: – CIOs/CSOs in information critical organizations may have access to undisclosed threat information: • National/international/industry threat analysis reports – Don’t forget to ask! http://L7securite.ch
    • 602. Identify potential threat agents Threat source Threats, which were removed:(strategy/tactics) Motivation Approach Dumb users Opportunistic They can do mistakes, but not that critical Organized cybercriminals Targeted They are not known for targeting small- sized medical databases Government / Military Targeted They should not be interested in the data. -> no high-profile patients! APT magic Mixed Joker* http://L7securite.ch
    • 612. Identify potential threat agents Threat source Motivation Comment Threats, which were prioritized: Smart users Opportunisti They will try to bypass other patients c requests Script kiddies / hackers Opportunisti They will play with their tools (low-profile) c Several hours investment Hackers (higher profile) Targeted They will try to hack into the application during a day Competitors Targeted Hiring a hacker to try stealing/corrupting data during a few days Other businesses Targeted Hiring a hacker to try stealing/corrupting data during a few days http://L7securite.ch
    • 622. Identify potential threat agents Script Kiddies and low-profile hackers Threat agent profile Prevalence HIGH Damage potential MEDIUM (repeated disturbances, reputation, data corruption) Tactics Automated security scanners, exploits testing, exploitation of injection flaws, short-term bruteforcing/dictionary attacks (high HTTP req. freq.) OWASP Top10 direct attacks (A1, A3, A4, A6, A8, A10) Business layer attacks No Countermeasures Request throttling Strong defense against OWASP T10 direct attacks Secure configurations (systems, services) http://L7securite.ch
    • 632. Identify potential threat agents Hacker (high profile) Threat agent profile Prevalence LOW Damage potential MEDIUM to HIGH (personal reward, contract engagements) Tactics Combination of automated + manual scanning Lower HTTP request frequency Short timespan vulnerability research Full range OWASP T10 investigation, including A2 and A5 Business layer attacks No Countermeasures Complete OWASP T10 risk coverage http://L7securite.ch
    • 64Task 3:Identify major threat scenarios http://L7securite.ch
    • 653. Identify major threat scenarios • Which threat scenarios would be (really) bad for the business? – Which threat source would trigger that scenario? – How would she/he/they proceed technically? – What would be the impact for my business? • Shameful (bad news)? Bad (financial loss)? Catastrophic (end of the my world)? http://L7securite.ch
    • 663. Identify major threat scenarios • Some helpers: – Think about threats induced naturally, by the technology itself. – Think about what the CEO really doesnt want. • Think AIC: – Availability, integrity, confidentiality – Apply on every component of the DFD! http://L7securite.ch
    • 673. Identify major threats # Threat scenario Agent Attack description T1 T2 T3 T4 n http://L7securite.ch
    • 683. Identify major threats # Threat Source Attack details T1 Page defacement, hacking for Script - Automated tools fame kiddies - expl. of injection flaws T2 Users circumventing the Smart user - Eyesight tampering appointment lock feature (already booked) T3 Corruption of the central Competitor - expl. of injection flaws agenda - unauthorized appointment cancellation T4 Extraction of the users info DB Competitor, - expl. of injection flaws other bus. - unsecure direct references - expl. of authentication http://L7securite.ch flaws
    • 693. Identify major threats # Threat Source Attack details T5 Extraction of the appointment Competitor, - expl. of injection flaws (med) details other bus. - unsecure direct references - expl. of authentication flaws T6 User credentials interception Script - traffic interception kiddies attacks - XSS T7 Doctors credentials Competitor, - same as T6 interception other bus. - trojan bonus… ☺ http://L7securite.ch
    • 703. Identify major threats # Threat Impact T2 Users circumventing the appointment lock feature Medium (Bus.) (already booked) T3 Corruption of the central agenda Medium (Bus.) T6 Users credentials stealing Medium (bus) T1 Page defacement, fame hacking High (Tech) T4 Extraction of the users info DB High (bus.) T5 Extraction of the appointment (med) details Critical (bus.) T7 Doctors credentials stealing Critical (bus.) -> T5 http://L7securite.ch
    • 71How would we prevent/detect each scenario? http://L7securite.ch
    • 723. Identify major threatsTh# Attack Scenario prevention controlsT1 Defacement Layered hardeningT1 Defacement Parameter tampering defensesT4 Privacy data extraction Parameter tampering defensesT4 Privacy data extraction Unpredictable/unexposed profile/accounts referencesT5 Medical data extract. Parameter tampering defensesT5 Medical data extract. Unpredictable/unexposed appointment referencesT5 Medical data extract. Defensive "appointment details" access controlT7 Doctors account stealing Encrypted data transmission channelT7 Doctors account stealing Dynamic authentication (OTP)T7 Doctors account stealing Output encoding… … … http://L7securite.ch
    • 733. Identify major threatsTh# Attack Scenario detection controlsT1 Defacement Homepage integrity checkingT4 Privacy data extraction Injection of honeypot data + usage monitoringT5 Medical data extract. Injection of honeypot data + usage monitoringT7 Doctors account stealing Out-of-band notification of authentication events… … … http://L7securite.ch
    • 74Task 4:Document your observations (aka "opportunities for risk mitigation") http://L7securite.ch
    • 754. Document • Document: – The threat agents model you selected for your TM – The threat scenarios you identified – The controls to prevent or detect these threat scenarios • Recommend and prioritize: – What should be absolutely done? – In what order? http://L7securite.ch
    • 764. Document C# Control(s) Priority Cost type P1 Layered hardening High Medium P2 Parameter tampering defense (input validation) High Medium P3 Parameter tampering defense (parameterized queries) High Low P4 Unpredictable/unexposed profile/accounts references High Medium P5 Unpredictable/unexposed appointment references High Medium P6 Defensive "appointment details" access control High Medium P7 Encrypted data transmission channel at least during auth. Sequence High Medium P8 Dynamic authentication model (OTP) for the supervisor account High High P9 Output encoding on all dynamic data returned to the user High Medium D1 Homepage integrity checking Low Low D2 Injection of honeypot data + usage monitoring Low High D3 Injection of honeypot data + usage monitoring Low High D4 Out-of-band notification of authentication events Low Low http://L7securite.ch
    • 774. Document C# Control(s) Priority Action P1 Layered hardening High Implement P2 Parameter tampering defense (input validation) High Implement P3 Parameter tampering defense (parameterized queries) High Implement P4 Unpredictable/unexposed profile/accounts references High Implement P5 Unpredictable/unexposed appointment references High Next ver. P6 Defensive "appointment details" access control High Implement P7 Encrypted data transmission channel at least during auth. Sequence High Implement P8 Dynamic authentication model (OTP) for the supervisor account High Next ver. P9 Output encoding on all dynamic data returned to the user High Implement D1 Homepage integrity checking Low Implement D2 Injection of honeypot data + usage monitoring Low Postpone D3 Injection of honeypot data + usage monitoring Low Postpone D4 Out-of-band notification of authentication events Low Implement http://L7securite.ch
    • 784. Document Expected threat coverage for next version:# Threat Impact CoverageT1 Page defacement, hacking for fame High Complete (P+D)T4 Extraction of the users details DB High Complete (P)T5 Extraction of the appointment (med) details Critical PartialT7 Doctors credentials interception Critical Partial http://L7securite.ch
    • 79http://L7securite.ch
    • 80Conclusion…and opportunities…. http://L7securite.ch
    • 81Conclusion rTM is imprecise, inexact, undefined: – Requires good understanding of the business case – Requires good knowledge of web application threats – Requires common sense – Can be frustrating the first times http://L7securite.ch
    • 82Conclusion Repeating the basic process a a few times quickly brings good results: 1. Characterize the system 2. Identify the threat sources 3. Identify the major threats 4. Document the countermeasures 5. Transmit (translate) to the team http://L7securite.ch
    • 83Conclusion "Who should make the TM?" – Theoretically: the design team – Practically: an appsec guy with good knowledge of internet threats, web attack techniques and the ability to understand what is important for the business under assessment will definitely set the "efficiency" attribute. http://L7securite.ch
    • 84Conclusion • "When should I make a TM?" – Sometime is good. Early is better. – If the objective is to avoid implementing poor code do it at design time. – After v1 is online: when new data "assets" appear in the data-flow diagram, its usually a good sign to update the TM. yes, it can be updated! – If you conduct risk-driven vulnerability assessments or code reviews, the TM will help. http://L7securite.ch
    • 85Conclusion • TM can be performed early: Analyze Design Implement Verify Deploy Respond Security Secure Security Incident requirements Secure coding testing Secure response design deployment Risk Design Vulnerability Code review management analysis Threat review Risk modeling assessment Penetration testing Training & awareness Policy / Compliance Governance (Strategy , Metrics) http://L7securite.ch
    • 86Conclusion TM can also be performed later (risk-based testing): Analyze Design Implement Verify Deploy Respond Security Secure Security Secure Incident requirements Secure coding testing deployment response design Risk Design Threat Code Vulnerability Risk management analysis Threat review modeling review assessment modeling Threat Penetration modeling testing Training & awareness Policy / Compliance Governance (Strategy , Metrics) http://L7securite.ch
    • 87Conclusion • TM can be performed from an asset perspective: – Aka the asset-centric approach (mostly what we just did) • It can be performed from an attacker perspective: – Aka the attacker-centric approach • Who would attack the system with what means? • (remember the “threat agent profile” cards) http://L7securite.ch
    • 88Conclusion • TMing can also be performed systematically: – Aka the system-centric approach – Most detailed and rigorous technique • Use of threat identification tools: STRIDE – Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges… • Use of threat classification tools: DREAD – Damageability, Reproducibility, Exploitability, Affected population, Discoverability… • Structured DFD analysis (see next slides) http://L7securite.ch
    • 89Conclusion • "What should be documented in a TM? " – Basically: what you think is right. There is no rule (yet). TMing is never absolute. – If you spend days writing a threat model for a single web app, there might be a problem… – Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might be forgotten later. http://L7securite.ch
    • 90Conclusion http://L7securite.ch
    • 91Conclusion http://L7securite.ch
    • 92Conclusion • "Your example was really basic. How can I reach next level?" 1. Practice your DFD drawing skills 2. Stay updated on new web attacks, threats and intrusion trends 3. Read feedback from field practitioners (some good references are provided at end of presentation) 4. Standardize your technique: • ISO 27005 : Information security risk management (§8.2) • NIST SP-800-30: Risk management guide (§3) http://L7securite.ch
    • 93Conclusion "Do pediatricians feel more confident about their web app?" YES! http://L7securite.ch
    • 94Questions? http://L7securite.ch
    • 95Merci! / Thank you! Contact me: antonio.fontes@L7securite.ch Follow me: @starbuck3000 Discover L7: http://L7securite.ch Download these slides: http://slideshare.net/starbuck3000 http://L7securite.ch
    • 96Recommended readings: • Guerilla threat modeling (Peter Torr) http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx • Threat risk modeling (OWASP) http://www.owasp.org/index.php/Threat_Risk_Modeling • Application threat modeling (OWASP) http://www.owasp.org/index.php/Application_Threat_Modeling • Threat modeling web applications (Microsoft) http://msdn.microsoft.com/en-us/library/ff648006.aspx • Comments on threat modeling (in French, DLFP) http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les- menaces-qui-guette • NIST SP-800-30: risk management guide http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf http://L7securite.ch