
Threat Modeling for Dummies


An introduction to threat modeling.

Published in: Technology

Threat Modeling for Dummies

  1. Building Secure Applications: Threat Modeling for Dummies. Adam Englander (@adam_englander), Manager of Engineering, TransUnion
  2. What Are We Going to Cover
     • An overview of threat modeling
     • The process of threat modeling
     • Some common tools to assist you
     • An example from start to finish
     • Action items for now, near future, and beyond
  3. What is threat modeling?
  4. “Threat modeling is a process by which potential threats … can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.” – Wikipedia
  5. (Repeat of the quotation on slide 4.)
  6. What’s the process?
  7. Document All the Things!
  8. Map Out Your Application
  9. System: Big Picture (diagram). Zones: Internet, DMZ, Internal. Components: Firewall, Load Balancer, App Server, MySQL (two instances), Firewall, DNS, SMTP, CDN, Alerting, Stats, Bastion, Logs, Consumer, Payment, CA
  10. Process: Microscope (flow diagram). Steps as listed: User Logs In, Views Product Catalog, Adds Item to Cart, Initiates Checkout, Confirms Billing Info, Selects Payment Method, Confirms Shipping Info/Method, Confirmation Email Sent, Payment Authorized
  11. Identify Assets (table)
      • Commerce Site: DB Credentials, SMTP Credentials, Payment GW Creds, Encryption Keys, SSL Certs, SSL Private Keys, Access to SMTP
      • Database: Cust Emails, Cust Billing Data, Cust PII, Payment Data, Order History, User Credentials, User Emails, Shopping Carts, Sessions, Inventory/Pricing, Transaction Logs
      • SMTP: DKIM Creds, Mail Logs
      • Payment Gateway: Purchase History, Charge/Refund Authority
      • Log Server: Raw Logs, Host Names, Stack Traces, Client IPs, User Behavior
      • Internal Network: DB Admin Creds, Hosting Creds, DNS Admin Creds, Payment GW Admin Creds, Encryption Keys, SSL Certs, SSL Private Keys
  12. Identify Entry Points (diagram). Nodes: Internet, Firewall, App Server, Database, Firewall, Internal Network. Edge labels: HTTPS, Unrestricted
  13.–15. Identify Entry Points (the same diagram, built up across slides 13 to 15)
  16. Identify Dependencies
  17. Out-of-Band Dependencies: CI/CD Server, Library Repository, Code Repository, Configuration Management, Build Tools, 3rd Party Code, 3rd Party Libraries
  18. Critical Dependencies (the big-picture diagram from slide 9, annotated for critical dependencies)
  19. Secondary Dependencies (the same diagram, annotated for secondary dependencies)
  20. Identify Anything Else Significant
  21. Identify Threats
  22. What about fully mitigated threats?
  23. Identifying Threats with STRIDE
      • Spoofing – The attacker presents themselves as another user
      • Tampering – Altering code, data, processes
      • Repudiation – Providing ability to deny who performed an action
      • Information disclosure – Attacker discloses secret information
      • Denial of Service – Your system is partially or fully unavailable
      • Elevation of Privilege – Accessing items for higher level user
  24. Mapping Attacks with Attack Trees (example tree)
      • Enter House
        – Through Window: Break Window
        – Through Door: Force Open, Stolen Credentials, Authorized User
  25. Quantifying Risk with DREAD
      • Damage – how bad would an attack be?
      • Reproducibility – how easy is it to reproduce the attack?
      • Exploitability – how much work is it to launch the attack?
      • Affected users – how many people will be impacted?
      • Discoverability – how easy is it to discover the threat?
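The STRIDE and DREAD slides describe two steps that belong together in practice: tag each identified threat with its STRIDE category, then rate it on the five DREAD axes and work the highest-scoring threats first. The following is an added example, not code from the deck or from its author, that does both for the commerce site in the slides. The entry points and assets are the deck's; the threat titles and the 1 to 10 ratings are constructed for illustration, and scoring by the mean of the five ratings is a common convention that the deck itself does not prescribe.

```python
"""Added example, not part of the deck: a small threat register that tags
each threat with a STRIDE category (slide 23) and ranks it with a DREAD
score (slide 25).  Threat titles and ratings are constructed; the
"mean of the five ratings" formula is a convention, not the deck's."""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Threat:
    title: str
    entry_point: str
    asset: str
    stride: str          # one letter from STRIDE
    damage: int          # DREAD ratings, 1 (low) .. 10 (high)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject a register entry that is mis-categorised or mis-rated early.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")

    def dread_score(self) -> float:
        """Mean of the five DREAD ratings."""
        return sum(getattr(self, name) for name in DREAD_FIELDS) / len(DREAD_FIELDS)


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first, so the top of the list is worked first."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def threats_by_category(threats: List[Threat]) -> Dict[str, List[str]]:
    """Group titles under STRIDE names; an empty list shows a category
    the review has not considered yet."""
    grouped: Dict[str, List[str]] = {name: [] for name in STRIDE.values()}
    for t in threats:
        grouped[STRIDE[t.stride]].append(t.title)
    return grouped


# Constructed register for the deck's commerce-site example.
REGISTER = [
    Threat("DB credentials read from code repository", "Internal Network",
           "Cust PII", "I", 9, 9, 9, 10, 8),
    Threat("SQL injection through the app server", "HTTPS",
           "Cust Billing Data", "T", 9, 5, 5, 10, 5),
    Threat("Request flood against the app server", "HTTPS",
           "Commerce Site", "D", 5, 8, 7, 10, 9),
    Threat("Order edits with no query logging", "Database",
           "Order History", "R", 6, 6, 6, 4, 6),
]

if __name__ == "__main__":
    for t in rank_threats(REGISTER):
        print(f"{t.dread_score():4.1f}  {STRIDE[t.stride]:<24} {t.title}")
    for category, titles in threats_by_category(REGISTER).items():
        print(f"{category:<24} {len(titles)} threat(s)")
```

The grouping step is the useful check: a register with nothing under Spoofing or Elevation of privilege usually means those categories were never asked about, not that the system has no such threats.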
  26. Resolve the Threat
  27. Mitigate Large Threats in Stages (scale: Terrible – Bad – Okay – Complete)
  28. There Is No Absolute (same scale)
  29. Quick Reduction of Threat (same scale)
  30. Acceptable Reduction (same scale)
  31. Complete Mitigation (same scale)
  32. Example: Insider Attack
  33. Actor: Lone Gunman, Competitor, Organized Crime, Nation State, Hacktivist, Internal Attacker
  34. Asset (the asset table from slide 11, repeated)
  35. Entry Point (diagram). Nodes: Internet, Firewall, App Server, Database, Firewall, Internal Network. Edge labels: HTTPS, Unrestricted MySQL/TLS
  36. Attack Tree
      • Access Database
        – From Web Server: Remote Execution, SQL Injection
        – Internal Network: Stolen Credentials, Authorized User
  37. Attack Tree
      • Stolen Credentials: From App Server, Code Repository, From CI Server
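An attack tree (introduced on slide 24 with the house example, and applied on slides 36 and 37) is most useful when you can ask it which mitigations actually close the root goal. The evaluator below is an added example, not code from the deck or its author. It reproduces the deck's "Access Database" tree, with OR nodes where the slides branch; the AND node "Undetected credential use" is a constructed addition that models the sentence on slide 38 (the insider needs stolen credentials, a host on the internal network, and the absence of query logging), and the leaf names under it are assumptions.

```python
"""Added example, not part of the deck: an attack-tree evaluator.

A leaf is achievable unless it is in the mitigated set; an OR node is
achievable if any child is; an AND node only if every child is.  The tree
reproduces slides 36-37.  The AND node "Undetected credential use" and its
two extra leaves are a constructed modelling of slide 38."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    name: str
    op: Optional[str] = None              # "OR", "AND", or None for a leaf
    children: List["Node"] = field(default_factory=list)

    def achievable(self, mitigated: Set[str]) -> bool:
        """True if this node can still be reached given the mitigations."""
        if not self.children:
            return self.name not in mitigated
        results = [c.achievable(mitigated) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def open_leaves(self, mitigated: Set[str]) -> Set[str]:
        """Leaves that still contribute to an achievable path through this node."""
        if not self.children:
            return set() if self.name in mitigated else {self.name}
        if not self.achievable(mitigated):
            return set()           # a blocked AND node drops its whole subtree
        leaves: Set[str] = set()
        for c in self.children:
            leaves |= c.open_leaves(mitigated)
        return leaves


def leaf(name: str) -> Node:
    return Node(name)


def or_(name: str, *children: Node) -> Node:
    return Node(name, "OR", list(children))


def and_(name: str, *children: Node) -> Node:
    return Node(name, "AND", list(children))


ACCESS_DATABASE = or_(
    "Access Database",
    or_("From Web Server", leaf("Remote Execution"), leaf("SQL Injection")),
    or_(
        "Internal Network",
        and_(
            "Undetected credential use",      # constructed AND node (slide 38)
            or_("Stolen Credentials",
                leaf("From App Server"), leaf("Code Repository"), leaf("From CI Server")),
            leaf("Host on internal network"),    # assumed leaf
            leaf("No database query logging"),   # assumed leaf
        ),
        leaf("Authorized User"),
    ),
)


def remaining_after(tree: Node, mitigated: Set[str]) -> List[str]:
    """Sorted list of leaves still open after applying a mitigation set."""
    return sorted(tree.open_leaves(mitigated))


if __name__ == "__main__":
    for step, done in [
        ("nothing mitigated", set()),
        ("quick reduction: query logging", {"No database query logging"}),
        ("phase 1: creds out of the repo", {"Code Repository"}),
    ]:
        print(f"{step:32s} root={ACCESS_DATABASE.achievable(done)} "
              f"open={remaining_after(ACCESS_DATABASE, done)}")
```

Running it shows why the deck's quick reduction is a sensible first step: adding query logging alone blocks the whole "Undetected credential use" branch, including the code-repository leaf, while removing credentials from the repository alone still leaves the app-server and CI-server leaves open.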
  38. Inside attackers can access all customer PII and PC data from databases using credentials from code repositories on any computer on the internal network and not be discovered via logging.
  39. DREAD
      • Damage: liability for stolen credit card transactions, loss of credibility, loss of revenue
      • Reproducibility: the skills necessary would be knowing how to copy down the git repo and execute queries via mysql
      • Exploitability: there are no considerations beyond installing git and mysql-client to perform the attack
  40. DREAD (continued)
      • Affected Users: all user PII and billing data would be accessible
      • Discoverability: any user with minimal knowledge of the framework would know how to find configs containing DB credentials and connection information
  41. Quick Reduction
      • Database access and query logging for non-repudiation
      • Restrict read access to the git repo
  42. Mitigation Phase 1
      • Have credentials set up on servers by admins
      • Remove database credentials from the git repo
      • Change credentials to prevent leaked credentials from being utilized going forward
  43. Phase 2
      • Restrict access for users to appropriate data
      • Restrict access to appropriate IP addresses
  44. Phase 3
      • Encrypt PII and PC data in the database
      • Develop and implement a key rotation strategy for application secrets
  45. Completely Mitigate
      • Anonymize the link between PC data and PII
      • Create honey pots for credentials still in git repos that will allow users to see what appears to be real data. These logins will be recorded and alerts will be sent to security personnel to apprehend the culprit
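The mitigation phases end with honey-pot credentials: decoy database accounts left in the repository whose use is recorded and alerted on. That only works if something is actually watching the database log, which is also what the quick-reduction step (query logging for non-repudiation) provides. The following is an added example, not code from the deck or its author, of the watching side: it scans general-query-log lines for connections made with a decoy account and collects the statements issued on that connection for the responder. The log lines are constructed and follow the layout of the MySQL general query log (timestamp, thread id, command, argument); the decoy account names, IP addresses and table names are assumptions.

```python
"""Added example, not part of the deck: alert on logins that use a decoy
("honey pot") database account, as slide 45 proposes.  SAMPLE_LOG is a
constructed set of lines in the MySQL general query log layout; account
names, hosts and tables are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Accounts that exist only as bait; no real service is configured with them.
DECOY_ACCOUNTS = {"shop_legacy", "reporting_ro"}

# "<time>\t<thread id> <Command>\t<argument>"
LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<thread>\d+)\s+(?P<command>\w+)\s*(?P<arg>.*)$")
# Connect argument: "<user>@<host> on <db> using TCP/IP"
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)")


@dataclass
class Entry:
    time: str
    thread: int
    command: str
    argument: str


@dataclass
class Alert:
    time: str
    user: str
    host: str
    db: str
    thread: int
    queries: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one general-log line; return None for lines in another layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(m["time"], int(m["thread"]), m["command"], m["arg"].strip())


def scan_general_log(lines: Iterable[str], decoys=DECOY_ACCOUNTS) -> List[Alert]:
    """One Alert per connection opened with a decoy account, carrying the
    queries run on it.  Thread ids are tracked per connection and released
    on Quit, because MySQL reuses them."""
    active: Dict[int, Alert] = {}
    finished: List[Alert] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.command == "Connect":
            m = CONNECT_RE.match(e.argument)
            if m and m["user"] in decoys:
                active[e.thread] = Alert(e.time, m["user"], m["host"], m["db"], e.thread)
        elif e.command == "Query" and e.thread in active:
            active[e.thread].queries.append(e.argument)
        elif e.command == "Quit" and e.thread in active:
            finished.append(active.pop(e.thread))
    return finished + list(active.values())


# Constructed sample: one legitimate app connection, one decoy login.
SAMPLE_LOG = [
    "2020-03-10T14:22:01.123456Z\t   11 Connect\tcommerce_app@10.0.5.20 on commerce using TCP/IP",
    "2020-03-10T14:22:01.200000Z\t   11 Query\tSELECT id, price FROM products WHERE id = 42",
    "2020-03-10T14:25:47.000123Z\t   12 Connect\tshop_legacy@10.1.2.3 on commerce using TCP/IP",
    "2020-03-10T14:25:47.100000Z\t   12 Query\tSELECT email, billing_address FROM customers",
    "2020-03-10T14:25:48.000000Z\t   12 Quit\t",
    "2020-03-10T14:26:00.000000Z\t   11 Quit\t",
]

if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_LOG):
        print(f"ALERT {a.time} decoy account {a.user!r} used from {a.host} "
              f"(db={a.db}, thread={a.thread}); {len(a.queries)} quer(y/ies) recorded")
```

Because the decoy account has no legitimate user, any Connect with it is a true positive; the alert should go to security personnel rather than the application team, exactly as the slide describes.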
  46. How do I get started?
  47. Right Now: Knock out the OWASP Top 10!
  48. OWASP Top 10 – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
  49. Near Term: Incorporate threat modeling into your Software Development Lifecycle
  50. Threat Modeling in SDLC (diagram of phases, as listed): Design, Threat Model, Build, Threat Model, Release, Test
  51. Long Term: Map out and model your applications.
  52. Long Term: Improve your skills!
  53. Elevation of Privilege Card Game – https://www.microsoft.com/en-us/SDL/adopt/eop.aspx
  54. Threat Modeling: Designing for Security, by Adam Shostack, ISBN-13: 978-1118809990
  55. Red/Blue Team Field Manual
  56. Questions and Comments
