SlideShare a Scribd company logo

Architecting for Security and Resilience

Download as PPTX, PDF
J
Joel Aleburu

Joel Oseiga Aleburu presented on architecting for security resilience. The presentation covered basic definitions like security, vulnerability and resilience. It discussed basic principles for secure design like earning trust rather than assuming it. The presentation also covered application threat modeling, common architectural flaws, and questions. It emphasized that processes, not just products, prevent cyber attacks and outlined techniques like STRIDE for threat modeling.

Technology
1 of 36
Architecting for Security Resilience Joel Oseiga Aleburu 11/05/2021
Content of this Talk • About the Speaker • Basic Definitions • Basic Principles for Secure Design • What is application threat modelling ? • Common Architectural Flaws • Questions
About the Speaker • Joel Oseiga Aleburu B.Sc. (Bowen) , M.Sc. (York) • Outsourced IT Security and Risk Architecture Lead - Smarttech247 • Interests- Mathematics, Computer Science • Security Interests- Cyber Warfare, NSA, Critical Systems and Encryption • Other Stuff: Hiking, Small Planes and Fast Cars
Basic Definitions • Security  Risk management-> Enable the business process • Information Security Risk: Damage that a beach of, or attack on IT system could cause. Can be defined in Monetary terms or non-monetary terms. • Vulnerability: Weakness, flaw or error within a security system that can be leveraged by a threat in order to compromise an architecture. • Resilience: Ability to enable business acceleration by preparing for, responding to and recovering from cyber threats.
Strategic Resiliency Design Principles (MITRE)
The Basics. i.e Cyber Resilience 101. • The overall goal is to align people, process and technology to build resilient cyber defense architecture in line with business objectives
SDLC Work flow, OWASP SAMM 2
Threat Modelling Basics • Products do not stop cyber attacks, processes do • Threat modelling is a structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attack and protect IT resources. • Use Threat Modeling techniques : 1. STRIDE 2. PASTA 3. ATTACK Trees 4. OCTAVE, etc Use STRIDE to step through diagram elements Get specific about threat manifestation. Attack trees are conceptual diagrams showing how an asset or target, might be attacked.
Looking for technical threats • Use Cases and user stories - Features -Different user roles • Architecture descriptions - Where is your data stored? - Where is it transferred and how? • Threat Actor - Who can abuse your system and how
The Process: Identifying Threats • The four steps to make a threat model
Identify Threats • Experts can brainstorm Use STRIDE to step through the diagram elements Get specific about threat manifestation Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Nonrepudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
Threat: Spoofing Threat Spoofing Property Authentication Definition Impersonating something or someone else Example Pretending to be any of, microsoft.com, or ntdll.dll
Threat: Tampering Threat Tampering Property Integrity Definition Modifying data or code Example Modifying a DLL on disk or DVD, or a packet as it traverses the LAN
Threat: Repudiation Threat Repudiation Property Non-Repudiation Definition Claiming to have not performed an action Example “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that Web site, dear!”
Threat: Information Disclosure Threat Information Disclosure Property Confidentiality Definition Exposing information to someone not authorized to see it Example Allowing someone to read the application source code; publishing a list of customers to a Web site
Threat: Denial of Service Threat Denial of Service Property Availability Definition Deny or degrade service to users Example Crashing application or a Web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
Threat: Elevation of Privilege Threat Elevation of Privilege (EoP) Property Authorization Definition Gain capabilities without proper authorization Example Allowing a remote Internet user to run commands is the classic example, but going from a “Limited User” to “Admin” is also EoP
Some technical ways to address
Bugs vs Flaw • A design is a protocol between two things- It could be how a file is built or the methodology for logging. • Coding mistakes = bug • Design mistake = flaw • Flaws are harder, more expensive and labor intensive to fix. • Bugs can be detected and found by automated interactive analysis
Common Design Flaws Missing authentication Weak authentication Missing/weak encryption Missing authorization Weak authorization Leaking important data Uncontrolled resources Not validating input/data Insufficient auditing Insufficient session management
Avoiding flaws in design • Earn or give, but never assume trust • Use an authentication mechanism that cannot be bypassed or tampered with • Authorize after you authenticate • Strictly separate data and control instructions and never process control instructions received from untrusted sources • Define an approach that ensures all data are explicitly validated • Use cryptography correctly • Identify sensitive data and how they should be handled • Always consider the users • Understand how integrating external components changes your attack surface • Be flexible when considering future changes to objects and actors
Earn or give, but never assume • Make sure all data from an untrusted client are validated or even better still, validate everything (zero trust) • Assume data is compromised • Avoid authorization, access control, policy enforcement and use of sensitive data in client code
Use authenticated mechanism that can’t be bypassed Prevent the user from changing identity without re-authentication, once authenticated Consider the strength of the authentication a user has provided before taking action Make use of Time outs MFA actually works! Enforce it Avoid shared resources e.g. IP and MAC addresses Avoid predictable tokens
Authorize after authentication Perform authorization as an explicit check Re-use common infrastructure for conducting authorization checks Authorization depends on a given set of privileges and on the context of the request Failing to revoke authorization can result in authenticated users exercising out-of- date authorizations
Strictly separate data and control instructions, and never process control instructions from untrusted sources • Utilize hardware capabilities to enforce separation of code and data • Know and use appropriate compiler/linker security flags • Expose methods or endpoints that consume structured types • Co-mingling data and control instructions in a single entity is bad • Beware of injection prone APIs (XSS, SQL injection, Shell injection)
Define an approach that ensures all data are explicitly validated • Ensure that comprehensive data validation actually takes place • Make security review of the validation scheme possible • Use centralized validation mechanisms and canonical data forms (avoid strings) • Avoid blacklisting, use whitelisting
Use cryptography correctly • Use standard algorithms and libraries • Centralize and re-use • Design for crypto agility • Get help from real experts • DO NOT roll your own • Watch out for key management issues • Avoid non-random randomness
Identify sensitive data and how they should be handled • Know where your sensitive data are • Classify your data into categories • Consider data controls- File, memory, database protection • Plan for change over time • Confidentiality is not data protection • Watch out for trust boundaries
Always consider the users • Think about: deployment configuration, use, update • Know that security is an emergent property of the system • Make things secure by default • Security is not a feature • Don’t impose too much security • Don’t assume users and care about security • Don’t let users make security decisions
Understand how integrating external components changes your attack surface Test Test your components for security Include Include external components and dependencies in review Isolate Isolate components Keep Keep an eye out for public security information about components Be Security risk can be inherited Don’t trust Don’t trust until you have applied and reviewed controls
Be flexible when considering future changes to objects and actors Design for change Consider security updates Have a plan for “secret compromise” recovery
Conclusion • Threat model your work • Work with a security advisor from start to finish! • Products don’t stop cyberattacks, process does. • Learn more
Thank you very much Any Questions? Contact: joel@smarttech247.com
Threat Modeling Learning Resources MSDN Magazine Reinvigorate your Threat Modeling Process http://msdn.microsoft.com/en- us/magazine/cc700352.aspx Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach http://msdn.microsoft.com/msdnmag/issues/06/1 1/ThreatModeling/default.aspx SDL Blog All threat modeling posts http://blogs.msdn.com/sdl/archive/tags/threat%2 0modeling/default.aspx Books The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Howard, Lipner, 2006) “Threat Modeling” chapter http://www.microsoft.com/mspress/books/author s/auth8753.aspx
References • https://www.cs.montana.edu/courses/csci476/topics/threat_mode ling.pdf • https://cybersecurity.ieee.org/blog/2015/11/13/authorize-after- you-authenticate/ • https://owasp.org/www-community/Application_Threat_Modeling • https://users.encs.concordia.ca/~clark/courses/1601- 6150/scribe/L04c.pdf • https://owasp.org/www-pdf-archive//Slide_Deck_- _Threat_Modelling.pdf • https://www.slideshare.net/sapran/threat-modeling-101 • https://www.nttsecurity.com/docs/librariesprovider3/resources/uk _thought_leadership_innovation_resilient_cyber_uea_v2 • https://www.mitre.org/sites/default/files/publications/PR%2017- 0103%20Cyber%20Resiliency%20Design%20Principles%20MT R17001.pdf

Recommended

Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanningVladimir Jirasek
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and ChallengesHappiest Minds Technologies
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 

Recommended

Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanningVladimir Jirasek
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and ChallengesHappiest Minds Technologies
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security TwistSecurity Innovation
 
It and-cyber-module-2
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2Marneil Sanchez
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingNarudom Roongsiriwong, CISSP
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinarIntergen
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_servicesG. Subramanian
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surfacePriyanka Aash
 
Topic11
Topic11Topic11
Topic11Anne Starr
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...Shah Sheikh
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsOurCrowd
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...Michael Noel
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionPECB
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 

More Related Content

What's hot

GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security TwistSecurity Innovation
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...Judith Beckhard Cardoso
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinarIntergen
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_servicesG. Subramanian
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surfacePriyanka Aash
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...Shah Sheikh
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsOurCrowd
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...Michael Noel
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionPECB
 

What's hot (20)

GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
 
It and-cyber-module-2
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_services
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surface
 
Topic11
Topic11Topic11
Topic11
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for Investors
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
 

Similar to Architecting for Security and Resilience

Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 
Lecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss PreventionLecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss PreventionNicholas Davis
 
Data Classification And Loss Prevention
Data Classification And Loss PreventionData Classification And Loss Prevention
Data Classification And Loss PreventionNicholas Davis
 
Lecture data classification_and_data_loss_prevention
Lecture data classification_and_data_loss_preventionLecture data classification_and_data_loss_prevention
Lecture data classification_and_data_loss_preventionNicholas Davis
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid themKarl Ots
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptxdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxTechnocracy2
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
 
Cloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnSamuel Reed
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?Precisely
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesSam Bowne
 

Similar to Architecting for Security and Resilience (20)

Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 
Lecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss PreventionLecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss Prevention
 
Data Classification And Loss Prevention
Data Classification And Loss PreventionData Classification And Loss Prevention
Data Classification And Loss Prevention
 
Lecture data classification_and_data_loss_prevention
Lecture data classification_and_data_loss_preventionLecture data classification_and_data_loss_prevention
Lecture data classification_and_data_loss_prevention
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Cloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate On
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
OWASP_Training.pptx
OWASP_Training.pptxOWASP_Training.pptx
OWASP_Training.pptx
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 

Recently uploaded

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Architecting for Security and Resilience

  • 2. Content of this Talk • About the Speaker • Basic Definitions • Basic Principles for Secure Design • What is application threat modelling ? • Common Architectural Flaws • Questions
  • 3. About the Speaker • Joel Oseiga Aleburu B.Sc. (Bowen) , M.Sc. (York) • Outsourced IT Security and Risk Architecture Lead - Smarttech247 • Interests- Mathematics, Computer Science • Security Interests- Cyber Warfare, NSA, Critical Systems and Encryption • Other Stuff: Hiking, Small Planes and Fast Cars
  • 4. Basic Definitions • Security  Risk management-> Enable the business process • Information Security Risk: Damage that a beach of, or attack on IT system could cause. Can be defined in Monetary terms or non-monetary terms. • Vulnerability: Weakness, flaw or error within a security system that can be leveraged by a threat in order to compromise an architecture. • Resilience: Ability to enable business acceleration by preparing for, responding to and recovering from cyber threats.
  • 6. The Basics. i.e Cyber Resilience 101. • The overall goal is to align people, process and technology to build resilient cyber defense architecture in line with business objectives
  • 8. Threat Modelling Basics • Products do not stop cyber attacks, processes do • Threat modelling is a structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attack and protect IT resources. • Use Threat Modeling techniques : 1. STRIDE 2. PASTA 3. ATTACK Trees 4. OCTAVE, etc Use STRIDE to step through diagram elements Get specific about threat manifestation. Attack trees are conceptual diagrams showing how an asset or target, might be attacked.
  • 9. Looking for technical threats • Use Cases and user stories - Features -Different user roles • Architecture descriptions - Where is your data stored? - Where is it transferred and how? • Threat Actor - Who can abuse your system and how
  • 10.
  • 11. The Process: Identifying Threats • The four steps to make a threat model
  • 12. Identify Threats • Experts can brainstorm Use STRIDE to step through the diagram elements Get specific about threat manifestation Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Nonrepudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 13. Threat: Spoofing Threat Spoofing Property Authentication Definition Impersonating something or someone else Example Pretending to be any of, microsoft.com, or ntdll.dll
  • 14. Threat: Tampering Threat Tampering Property Integrity Definition Modifying data or code Example Modifying a DLL on disk or DVD, or a packet as it traverses the LAN
  • 15. Threat: Repudiation Threat Repudiation Property Non-Repudiation Definition Claiming to have not performed an action Example “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that Web site, dear!”
  • 16. Threat: Information Disclosure Threat Information Disclosure Property Confidentiality Definition Exposing information to someone not authorized to see it Example Allowing someone to read the application source code; publishing a list of customers to a Web site
  • 17. Threat: Denial of Service Threat Denial of Service Property Availability Definition Deny or degrade service to users Example Crashing application or a Web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
  • 18. Threat: Elevation of Privilege Threat Elevation of Privilege (EoP) Property Authorization Definition Gain capabilities without proper authorization Example Allowing a remote Internet user to run commands is the classic example, but going from a “Limited User” to “Admin” is also EoP
  • 20. Bugs vs Flaw • A design is a protocol between two things- It could be how a file is built or the methodology for logging. • Coding mistakes = bug • Design mistake = flaw • Flaws are harder, more expensive and labor intensive to fix. • Bugs can be detected and found by automated interactive analysis
  • 21. Common Design Flaws Missing authentication Weak authentication Missing/weak encryption Missing authorization Weak authorization Leaking important data Uncontrolled resources Not validating input/data Insufficient auditing Insufficient session management
  • 22. Avoiding flaws in design • Earn or give, but never assume trust • Use an authentication mechanism that cannot be bypassed or tampered with • Authorize after you authenticate • Strictly separate data and control instructions and never process control instructions received from untrusted sources • Define an approach that ensures all data are explicitly validated • Use cryptography correctly • Identify sensitive data and how they should be handled • Always consider the users • Understand how integrating external components changes your attack surface • Be flexible when considering future changes to objects and actors
  • 23. Earn or give, but never assume • Make sure all data from an untrusted client are validated or even better still, validate everything (zero trust) • Assume data is compromised • Avoid authorization, access control, policy enforcement and use of sensitive data in client code
  • 24. Use authenticated mechanism that can’t be bypassed Prevent the user from changing identity without re-authentication, once authenticated Consider the strength of the authentication a user has provided before taking action Make use of Time outs MFA actually works! Enforce it Avoid shared resources e.g. IP and MAC addresses Avoid predictable tokens
  • 25. Authorize after authentication Perform authorization as an explicit check Re-use common infrastructure for conducting authorization checks Authorization depends on a given set of privileges and on the context of the request Failing to revoke authorization can result in authenticated users exercising out-of- date authorizations
  • 26. Strictly separate data and control instructions, and never process control instructions from untrusted sources • Utilize hardware capabilities to enforce separation of code and data • Know and use appropriate compiler/linker security flags • Expose methods or endpoints that consume structured types • Co-mingling data and control instructions in a single entity is bad • Beware of injection prone APIs (XSS, SQL injection, Shell injection)
  • 27. Define an approach that ensures all data are explicitly validated • Ensure that comprehensive data validation actually takes place • Make security review of the validation scheme possible • Use centralized validation mechanisms and canonical data forms (avoid strings) • Avoid blacklisting, use whitelisting
  • 28. Use cryptography correctly • Use standard algorithms and libraries • Centralize and re-use • Design for crypto agility • Get help from real experts • DO NOT roll your own • Watch out for key management issues • Avoid non-random randomness
  • 29. Identify sensitive data and how they should be handled • Know where your sensitive data are • Classify your data into categories • Consider data controls- File, memory, database protection • Plan for change over time • Confidentiality is not data protection • Watch out for trust boundaries
  • 30. Always consider the users • Think about: deployment configuration, use, update • Know that security is an emergent property of the system • Make things secure by default • Security is not a feature • Don’t impose too much security • Don’t assume users and care about security • Don’t let users make security decisions
  • 31. Understand how integrating external components changes your attack surface Test Test your components for security Include Include external components and dependencies in review Isolate Isolate components Keep Keep an eye out for public security information about components Be Security risk can be inherited Don’t trust Don’t trust until you have applied and reviewed controls
  • 32. Be flexible when considering future changes to objects and actors Design for change Consider security updates Have a plan for “secret compromise” recovery
  • 33. Conclusion • Threat model your work • Work with a security advisor from start to finish! • Products don’t stop cyberattacks, process does. • Learn more
  • 34. Thank you very much Any Questions? Contact: joel@smarttech247.com
  • 35. Threat Modeling Learning Resources MSDN Magazine Reinvigorate your Threat Modeling Process http://msdn.microsoft.com/en- us/magazine/cc700352.aspx Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach http://msdn.microsoft.com/msdnmag/issues/06/1 1/ThreatModeling/default.aspx SDL Blog All threat modeling posts http://blogs.msdn.com/sdl/archive/tags/threat%2 0modeling/default.aspx Books The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Howard, Lipner, 2006) “Threat Modeling” chapter http://www.microsoft.com/mspress/books/author s/auth8753.aspx
  • 36. References • https://www.cs.montana.edu/courses/csci476/topics/threat_mode ling.pdf • https://cybersecurity.ieee.org/blog/2015/11/13/authorize-after- you-authenticate/ • https://owasp.org/www-community/Application_Threat_Modeling • https://users.encs.concordia.ca/~clark/courses/1601- 6150/scribe/L04c.pdf • https://owasp.org/www-pdf-archive//Slide_Deck_- _Threat_Modelling.pdf • https://www.slideshare.net/sapran/threat-modeling-101 • https://www.nttsecurity.com/docs/librariesprovider3/resources/uk _thought_leadership_innovation_resilient_cyber_uea_v2 • https://www.mitre.org/sites/default/files/publications/PR%2017- 0103%20Cyber%20Resiliency%20Design%20Principles%20MT R17001.pdf

Editor's Notes

  1. Keypoint1: The ultimate goal of security and IT is to enable business processes. Security is not in the product, it is in the process. Key point 2: Security Risk Management is the ongoing process of identifying these security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on a valuable asset. Monetary terms which measures the effects of a cyber security breach on organizational assets or Non-monetary terms which compromise reputational, strategic, legal, political or other types of risk. Key point 3: The ultimate goal of cyber resiliency is to help an organization thrive in the face of adverse conditions.
  2. Mitre’s Security design principles. Assets that are common to multiple missions or business functions are potentially high value targets for cyber attacks, either because those assets are critical or because their compromise increases the attackers’ options for lateral motion or persistence. Identify how the asset is used? What makes the asset critical? Agility: In the context of cyber resiliency, agility is the property of a system or an infrastructure which can be reconfigured, in which resources can be reallocated and in which components can be reused so that cyber defenders can define, select and tailor cyber cources of action for a broad range of disruptions and malicious cyber activities. Reduce attack surface: At a minimum, the term “attack surface” refers to “accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities.” in other words, any hardware, software, connection, data exchange, service, removable media, etc. that might expose the system to potential threat access. Assume compromised resources: This design principle implies the need for analysis of how the system architecture reduces the potential consequences of a successful compromise – in particular, the duration and degree of adversary-caused disruption, as well as the speed and extent of malware propagation . Expect Adversaries to Evolve: Adversaries evolve in response to opportunities offered by new technologies or uses of technology, as well as to the knowledge they gain about defender TTPs. In (increasingly short) time, the tools developed by advanced adversaries become available to less sophisticated adversaries. Therefore, systems and missions need to be resilient in the face of unexpected attacks. This design principle therefore supports a risk management strategy which includes but goes beyond the common practice of searching for and seeking ways to remediate vulnerabilities (or classes of vulnerabilities); a system which has been hardened in the sense of remediating known vulnerabilities will remain exposed to evolving adversaries.
  3. Five Steps towards a resilient cyber defence capability: 1. Establish a resilient cyber defence architecture in line with business objectives 2. Engage all relevant stakeholders to agree performance metrics and analytics 3. Review existing technology investments against resilient cyber defence capability to identify areas of little, low or over investment 4. Review existing security teams against the capability areas to understand where your skill sets need investment 5. Create processes that ensure information and intelligence sharing between all aspects of the model and regular governance and review points to drive continuous improvement Reference: https://www.nttsecurity.com/docs/librariesprovider3/resources/uk_thought_leadership_innovation_resilient_cyber_uea_v2
  4. The 4 steps to make a threat model: Source: Microsoft https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiY2vaBw8HwAhW1tXEKHZpyDrEQFjAKegQIBRAD&url=https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F9%2F3%2F5%2F935520EC-D9E2-413E-BEA7-0B865A79B18C%2FIntroduction_to_Threat_Modeling.ppsx&usg=AOvVaw2eemQo4VQDdBIyJSJ1a7f-
  5. Self explanatory. The next slides go into more detail, with examples
  6. Source: Microsoft.com
  7. Source: Microsoft.com
  8. Source: Microsoft.com
  9. Source: Microsoft.com
  10. Source: Microsoft.com
  11. Source: Microsoft.com
  12. Even if your code contains thousands of bugs, automated tools- static, dynamic and interactive analysis alongside software composition analysis will help your devs find and fix them all. A design flaw would be saying “I’m going to allow this application or microservice to accept any number of requests at any speed from any source. There will be no velocity checker, no identity and access control, no access management. That’s a design flaw. It’s not just screwing up a few lines of code.
  13. Missing authentication: Missing authentication or Authentication Bypass using an alternate path Weak authentication: Relying on Single Factor Authentication, Downgrade Authentication, No reauthentication, insufficient credential management. Missing/weak encryption: Insufficient cryptographic key management or use of custom weak encryption Missing authorization: Missing authorization or missing access controls Weak authorization: No context when authorizing, not revoting authorization Leaking important data: Insecure data storage or insecure data exposure Uncontrolled resources: Unmonitored execution and uncontrolled resource consumption
  14. Predictable session tokens: Server picks session token by incrementing a counter for each new session. Attacker opens connection to server, gets session token. Subtract 1 from session token: can hijack the last session opened to the server.
  15. Authorization should be conducted as an explicit check, and as necessary even after an initial authentication has been completed. Authorization depends not only on the privileges associated with an authenticated user, but also on the context of the request. The time of the request and the location of the requesting user may both need to be taken into account Just as a common infrastructure (e.g., system library or back end) should be responsible for authenticating users, so too should common infrastructure be re-used for conducting authorization checks. Sometimes a user’s authorization for a system or service needs to be revoked, for example, when an employee leaves a company. If the authorization mechanism fails to allow for such revocation, the system is vulnerable to abuse by authenticated users exercising out-of-date authorizations. For particularly sensitive operations, authorization may need to invoke authentication. Although authorization begins only after authentication has occurred, this requirement is not circular. Authentication is not binary — users may be required to present minimal (e.g. password) or more substantial (e.g. biometric or token-based) evidence of their identity, and authentication in most systems is not continuous — a user may authenticate, but walk away from the device or hand it to someone else. Hence authorization of a specially sensitive operation (for example, transferring a sum of money larger than a designated threshhold) may require a re-authentication or a higher level of authentication. Some policies require two people to authorize critical transactions (“two-person rule”). In such cases, it is important to assure that the two individuals are indeed distinct; authentication by password is insufficient for this purpose.
  16. At lower levels, software platforms can utilize hardware capabilities to enforce separation of code and data. For example, memory access permissions can be used to mark memory that contains only data as non-executable and to mark memory where code is stored as executable, but immutable, at runtime.  When designing APIs (both general-purpose or public interfaces as well as those that are domain- or application-specific), avoid exposing methods or endpoints that consume strings in languages that embed both control and data. Prefer instead to expose, for example, methods or endpoints that consume structured types that impose strict segregation between data and control information. Co-mingling data and control instructions in a single entity, especially a string, can lead to injection vulnerabilities. Lack of strict separation between data and code often leads to untrusted data controlling the execution flow of a software system. This is a general problem that manifests itself at several abstraction layers, from low-level machine instructions and hardware support to high-level virtual machine interpreters and application programming interfaces (APIs) that consume domain-specific language expressions. Ensuring that appropriate validation or escaping is consistently applied in all code that interfaces with the query API is a difficult and error-prone process; implementing that functionality repeatedly increases the risk of injection vulnerabilities. Use or develop an API that mediates between application code and raw query-language based interfaces (e.g., SQL, LDAP) and exposes a safer API. Avoid code that constructs queries based on ad-hoc string concatenation of fixed query stanzas with potentially untrusted data.
  17. Design or use centralized validation mechanisms to ensure that all data entering a system (from the outside) or major component (from another component of the same system) are appropriately validated. For example: It is desirable for web applications to utilize a mechanism (such as a request filter or interceptor facility provided by the underlying web application framework) to centrally intercept all incoming requests, and to apply basic input validation to all request parameters. Use common libraries of validation primitives, such as predicates that recognize well-formed email addresses, URLs, and so forth. This ensures that all validation of different instances of the same type of data applies consistent validation semantics. Consistent use of common validation predicates can also increase the fidelity of static analysis. Validation should be based on a whitelisting approach, rather than blacklisting.
  18. Cryptography is one of the most important tools for building secure systems. Through the proper use of cryptography, one can ensure the confidentiality of data, protect data from unauthorized modification, and authenticate the source of data. Cryptography can also enable many other security goals as well.  Failure to centralize cryptography. Numerous situations have been observed in which different teams within an organization each implemented their own cryptographic routines. Cryptographic algorithms often don’t interact nicely. Best practices indicate getting it “right” once and reusing the component elsewhere. Poor key management. When everything else is done correctly, the security of the cryptographic system still hinges on the protection of the cryptographic keys. Key management mistakes are common, and include hard-coding keys into software (often observed in embedded devices and application software), failure to allow for the revocation and/or rotation of keys, use of cryptographic keys that are weak (e.g., keys that are too short or that are predictable), and weak key distribution mechanisms. Randomness that is not random. Confusion between statistical randomness and cryptographic randomness is common. Cryptographic operations require random numbers that have strong security properties. In addition to obtaining numbers with strong cryptographic randomness properties, care must be taken not to re-use the random numbers.
  19. Technical data sensitivity controls that a designer might consider include access control mechanisms (including file protection mechanisms, memory protection mechanisms, and database protection mechanisms), cryptography to preserve data confidentiality or integrity, and redundancy and backups to preserve data availability. Not all data protection requirements are the same. For some data, confidentiality is critical. Examples include financial records and corporate intellectual property. For data on which business continuity or life depends (for example, medical data), availability is critical. In other cases, integrity is most important. Spoofing or substituting data to cause a system to misbehave intentionally are examples of failures to ensure data integrity. Do not conflate confidentiality alone with data protection. Data sets do not exist only at rest, but in transit between components within a single system and between organizations. As data sets transit between systems, they may cross multiple trust boundaries. Identifying these boundaries and rectifying them with data protection policies is an essential design activity
  20. The security stance of a software system is inextricably linked to what its users do with it. It is therefore very important that all security-related mechanisms are designed in a manner that makes it easy to deploy, configure, use, and update the system securely. Remember, security is not a feature that can simply be added to a software system, but rather a property emerging from how the system was built and is operated.
  21. Tt is unlikely that you will develop a new system without using external pieces of software. In fact, when adding functionality to an existing system, developers often make use of existing components to provide some or all of that new functionality. In this context, external components refer to software “not written here”, such as: Software procured as off-the-shelf components, platforms, and applications Third-party open source or proprietary libraries. Isolate external components as much as your required functionality permits; use containers, sandboxes, and drop privileges before entering uncontrolled code. When possible, configure external components to enable only the functionality you intend to use.
  22. Design for change: Software security must be designed for change, rather than being fragile, brittle, and static. During the design and development processes, the goal is to meet a set of functional and security requirements. However, software, the environments running software, and threats and attacks against software all change over time. Even when security is considered during design, or a framework being used was built correctly to permit runtime changes in a controlled and secure manner, designers still need to consider the security implications of future changes to objects and actors. Design for secure updates. It is easier to upgrade small pieces of a system than huge blobs. Doing so ensures that the security implications of the upgrade are well understood and controlled. For example, a database engine upgrade may involve new access control defaults or rewrites of the controls such that previously tight permissions loosen, or create new default users that need to be disabled. If the update happens with the same change operation performed on the web server, the amount of change and adjustment to a dynamic, already-configured system may be overwhelming to track and assure Design for changes to objects intended to be kept secret. History has shown us that secrets such as encryption keys and passwords get compromised. Keeping secrets safe is a hard problem, and one should be prepared to have secrets replaced at any time and at all levels of the system. This includes several aspects: A secure way for users to change their own passwords, including disallowing the change until the old password has been successfully presented by the user.
  23. Source: Microsoft.com