In the development of cybersecurity strategy that follows FDA and MDCG recommendations for the commercialization of medical imaging software devices, threat modeling helps customers to manage better risks.

1. HOWTHREAT MODELING FITS
INTO RISK ASSESSMENT
WITH MEDICAL DEVICES
Frédéric Sagez
IT Manager
fsagez@gmail.com

2. Predict
Anticipate
Prevent
Manage Risks
Detect
Monitoring
Response
Recover and Restoration
“Avoid: decision not to be involved or to evade a risk. It is a decision not to be involved in a risky situation, or to withdraw from a risky
situation.” (ISO/IEC 17799, 2005)

3. Overview of applicable security standards with healthcare specific

4. AN
INTRODUCTION
TOTHREAT
MODELING

5. WHATWE HAVETO UNDERSTAND? THE
FACTS
AssessConsequences
Create risks and
determine the
overall rating of
each risk

6. • Produce Use Case of your
software/application
• Enumerate all Assets
• Make Data Flow Diagram
• Make Threats scenarios
• Implement potential security
Risks
AThreat
Modeling
session
typically
consists of
the
following
steps

7. THREAT MODELING PRINCIPALE ITERATIVE
PROJECT
(1) NIST SP 800-150 underTactics,Techniques, and Procedures (TTPs)
TTPs describe how threat actors (the bad guys) orchestrate, execute and manage their operations attacks.TTPs are defined as the “patterns of activities or methods
associated with a specific threat actor or group of threat actors,” according to the DefinitiveGuide toCyberThreat Intelligence.
Implement potential security Risks
Make a checklist and
rate each risk by
likelihood, impact and
make decisions about
each risk with
stakeholders

8. Level 1 Diagram: high level and single feature and scenario
HOWTO DEFINE DATA FLOW SCENARIOS SYSTEM
DECOMPOSITION
External
Entity
Any entity outside the application
interacts with it
Process Process a data or performed an action
with data
Data
Storage
Location where data is stored
Data
Flow
Data movement within the
application
Trust
Boundar
y
Change of privilage levels as the data
flows through the application
Légende

9. Context Diagram: very high level with entire component, product and system
HOWTO DEFINE USE SCENARIOS THREAT
IDENTIFICATION

10. Design Principle Security Design Considerations
Communications How the device would interface with other devices or
networks (IncludeWi-Fi, Ethernet, Bluetooth and USB)
How data transfer to and from the device is
secured to prevent unauthorized access or
modification.
Data Confidentiality How data that is stored on/or transferred to or from How to protect message control/sequencing fields
in communication protocols or to prevent the
compromise
Data Integrity How design controls that consider a device that
communicates with a system and/or device that is less
secure
How controls are necessary to ensure data
nonrepudiation
User Access How consider user access controls that validate who can
use the device or allows granting of privileges
Software
Maintenance
How the device will be updated to secure it against newly
discovered cybersecurity threats
How operating system software, third-party
software, or open-source software will be updated
or controlled
Hardware or
Physical Design
How to prevent an unauthorized person from accessing
the device
Reliability and
Availability
How design controls that will allow the device to detect,
resist, respond and recover from cybersecurity attacks
HOWTO DEFINE SECURITY SCENARIOS SECURITY BY
DESIGN
Security Design Principles for protection mechanisms to secure device design

11. All you need to know aboutThreats
Threat modeling allows organizations to build software with security in mind but you
must consider the idea of thinking like an attacker who knows all the techniques to
make threat and cause harm.
■ Social: people are the primary attack vector (I want to believe…)
■ Operational: failures of policy and procedure in place (IT politics)
■ Technological: technical issues knew with the system (IT governance)
■ Environmental: from natural or physical facility factors (Protected area access)
■ Threats themselves are the same but with a different view (Social,Operational,
Technical, Environments)

12. ATTACKTREE is a diagram which describe how an asset, or a target
might be attacked
DREAD is a risk assessment model by categories
STRIDE is a security threats model by categories
PASTA (Process forAttack Simulation andThreatAnalysis) create a
process for simulating attacks in seven steps
OCTAVE is a risk based strategic assessment and planning technique
for security
WHICH
MODEL
FOR
IDENTIFY
SECURITY
THREATS?

13. S.T.R.I.D.E.
SPOOFING TAMPERING REPUDATION INFO
DISCLOSURE
DENIAL OF
SERVICE
ELEVATION OF
PRIVILEGE
Gain an
illegitimate
advantage
Intentional
modification of
product
Genuine with
high confiance
Violation of
data privacy
Cyber attack Privilege
escalation

14. Design Principle Type of Action Threat Description
Common weakness or
vulnerabilities
enumeration
STRIDE
category
Hardware or
Physical Design
Import Data from a device
Device may be spoofed by an attacker, and
this may lead to incorrect data delivered to
Software
MITRE / CWE-290:
Authentication Bypass by
Spoofing
Spoofing
Data Integrity
Write Data from a file
system
Log readers can come under attack via log
files
NIST / CVE-2021-45105:
Denial of Service Tampering
Communications Network Communication
Software claims that it did not receive data
from a source outside the trust boundary
MITRE / CWE-778:
Insufficient Logging Repudiation
Data
Confidentiality
Read Data from a file
system
Improper data protection of File System can
allow an attacker to read information not
intended for disclosure
NIST / CVE-2021-36934:
Windows Elevation of
PrivilegeVulnerability
Information
Disclosure
Reliability and
Availability
Exploits and malware
Does Software or Device take explicit steps
to control resource consumption?
MITRE / CWE-400:
Uncontrolled Resource
Consumption
Denial Of
Service
User Access Access authorization
An attacker may pass data into Software in
order to change the flow of the program
execution within Software to the attacker's
choosing
MITREATTACK /T1068:
Exploitation for Privilege
Escalation
Elevation Of
Privilege
HOWTO DEFINETHREAT SCENARIOS ATTACK
MODELING
STRIDE is a model for identifying computer security threats and develop worst-case scenarios
Probability
Knowledge
Motivation
Discoverability
AttackVector
Skill(s)
Type of

15. THREAT MODELINGWITH MICROSOFT
TOOL

16. Design and implements all assets from your Data Flow Diagram (DFD)
PROPERTIES

17. VIEW
Uncover Security Design Flaws withThreat Modeling and STRIDE categories

18. Accept vulnerability in design and apply standard mitigations as ACL, encryption, digital signatures, logs, etc.
THREAT MODELING REPORTING MITIGATION
TECHNIQUES
Validate that all threats
have been identified
and mitigated correctly

19. RISK MANAGEMENT
STRATEGY

20. Identify cybersecurity
risks in the device’s
design and operating
environment
Protect the device to
reduce risk through
various risk mitigations
Detect if a device has
been compromised due
to a cybersecurity event
Respond to a
cybersecurity event
Recover and Restore
the device to normal
operation following a
cybersecurity event
Reminder fundamentals to control and manage risks from the National Institute of Standard andTechnology

21. Generic risk model with key risk factors in NIST SP 800-30 Rev 1
Threat Modeling
Threat
event
Initiated by
Exploits
APPROACH
Organizational Risk
Results in residual risk
Risk Control
Mitigated with
Vulnerability
Impact
Likelihood
Causes
Produces
Final readout of threat
modeling findings by the IT to
undertake a risk assessment
Business stakeholders
decide actions for
vulnerabilities
Review vulnerabilities, risk
ratings, and proposed
mitigations with Business
Threat
source

22. Identify all possible and imaginable risks in all your systems, then you will prioritize them based on
different factors:
• Threats are events that could harm the organization through intrusion, destruction or
disclosure
• Vulnerabilities are weaknesses in IT systems, security, procedures, processes and
controls that can be exploited by malicious actors (internal or external!)
• Impact is a measure of the severity of the harm the organization would suffer if a
vulnerability were exploited, or a threat executed
• Likelihood is a measure of risk factor based on the likelihood of an attack against a
specific vulnerability
• Predisposing conditions are a specific factor within the organization that increases /
decreases the impact or the likelihood that a vulnerability will come into play
RISKS

23. Vulnerability STRIDE Catégory Threat Impact Status Justification Priority Likelihood Specific factor
Sniffer Attack Information
Disclosure
Data flowing
across Manage
exams may be
sniffed by an
attacker
Depending on what
type of data an
attacker can read; it
may be used to attack
other parts of the
system or simply be a
disclosure of
information leading
to compliance
violations
Mitigated Consider
encrypting the
data flow
Medium Trustworthy
network unwork
sometimes
Communications
are not protected
in a distributed
system
CommonWeakness Scoring
System calculator allows to
communicate on the
characteristics and the severity
of software vulnerabilities
CVSS v3.1 Base Score Calculator
OWASP Risk Assessment
Calculator is a calculator to
assess the risk of web
vulnerabilities based on OWASP
Risk Assessment
OWASP Risk Assessment
Calculator

24. 1. Risk
Measure-
ment and
Assessment
2. Risk
Mitigation
3. Reporting
and Risk
Monitoring
4. Risk
Governance
All the above steps should
be codified in a risk
governance system
Once you have identified the
threats, vulnerabilities, impact,
likelihood, and predisposing
conditions, you can calculate and
rank the risks your organization
faces
Businesses take the previous
ranking list and start considering
how to mitigate the threats, from
most significant to most minor
Organizations maintain a list
of known risks and monitor
these risks to ensure
compliance with guidelines
Risk Management Framework: Risk Strategy, Appetite, Policies, Guidelines and Procedures as Legal and Operational Cover

25. QUESTIONS
?

26. Toolkits
https://www.diagrams.net/
MicrosoftThreat ModelingTool

27. Links
NATIONALVULNERABILITY DATABASE
https://nvd.nist.gov/Vulnerability-Metrics/Calculator-Product-Integration
Common Weakness Scoring System (CWSS™)
https://cwe.mitre.org/cwss/cwss_v1.0.1.html
CVSS v3.1 Base Score Calculator
https://chandanbn.github.io/cvss/#CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_
OWASP Risk Rating Methodology
https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
National Institute of Standard andTechnology (NIST)
https://www.nist.gov/cyberframework/getting-started
Microsoft Security Development Lifecycle (SDL)
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling