In the development of cybersecurity strategy that follows FDA and MDCG recommendations for the commercialization of medical imaging software devices, threat modeling helps customers to manage better risks.
5. WHATWE HAVETO UNDERSTAND? THE
FACTS
AssessConsequences
Create risks and
determine the
overall rating of
each risk
6. • Produce Use Case of your
software/application
• Enumerate all Assets
• Make Data Flow Diagram
• Make Threats scenarios
• Implement potential security
Risks
AThreat
Modeling
session
typically
consists of
the
following
steps
7. THREAT MODELING PRINCIPALE ITERATIVE
PROJECT
(1) NIST SP 800-150 underTactics,Techniques, and Procedures (TTPs)
TTPs describe how threat actors (the bad guys) orchestrate, execute and manage their operations attacks.TTPs are defined as the “patterns of activities or methods
associated with a specific threat actor or group of threat actors,” according to the DefinitiveGuide toCyberThreat Intelligence.
Implement potential security Risks
Make a checklist and
rate each risk by
likelihood, impact and
make decisions about
each risk with
stakeholders
8. Level 1 Diagram: high level and single feature and scenario
HOWTO DEFINE DATA FLOW SCENARIOS SYSTEM
DECOMPOSITION
External
Entity
Any entity outside the application
interacts with it
Process Process a data or performed an action
with data
Data
Storage
Location where data is stored
Data
Flow
Data movement within the
application
Trust
Boundar
y
Change of privilage levels as the data
flows through the application
Légende
9. Context Diagram: very high level with entire component, product and system
HOWTO DEFINE USE SCENARIOS THREAT
IDENTIFICATION
10. Design Principle Security Design Considerations
Communications How the device would interface with other devices or
networks (IncludeWi-Fi, Ethernet, Bluetooth and USB)
How data transfer to and from the device is
secured to prevent unauthorized access or
modification.
Data Confidentiality How data that is stored on/or transferred to or from How to protect message control/sequencing fields
in communication protocols or to prevent the
compromise
Data Integrity How design controls that consider a device that
communicates with a system and/or device that is less
secure
How controls are necessary to ensure data
nonrepudiation
User Access How consider user access controls that validate who can
use the device or allows granting of privileges
Software
Maintenance
How the device will be updated to secure it against newly
discovered cybersecurity threats
How operating system software, third-party
software, or open-source software will be updated
or controlled
Hardware or
Physical Design
How to prevent an unauthorized person from accessing
the device
Reliability and
Availability
How design controls that will allow the device to detect,
resist, respond and recover from cybersecurity attacks
HOWTO DEFINE SECURITY SCENARIOS SECURITY BY
DESIGN
Security Design Principles for protection mechanisms to secure device design
11. All you need to know aboutThreats
Threat modeling allows organizations to build software with security in mind but you
must consider the idea of thinking like an attacker who knows all the techniques to
make threat and cause harm.
■ Social: people are the primary attack vector (I want to believe…)
■ Operational: failures of policy and procedure in place (IT politics)
■ Technological: technical issues knew with the system (IT governance)
■ Environmental: from natural or physical facility factors (Protected area access)
■ Threats themselves are the same but with a different view (Social,Operational,
Technical, Environments)
12. ATTACKTREE is a diagram which describe how an asset, or a target
might be attacked
DREAD is a risk assessment model by categories
STRIDE is a security threats model by categories
PASTA (Process forAttack Simulation andThreatAnalysis) create a
process for simulating attacks in seven steps
OCTAVE is a risk based strategic assessment and planning technique
for security
WHICH
MODEL
FOR
IDENTIFY
SECURITY
THREATS?
13. S.T.R.I.D.E.
SPOOFING TAMPERING REPUDATION INFO
DISCLOSURE
DENIAL OF
SERVICE
ELEVATION OF
PRIVILEGE
Gain an
illegitimate
advantage
Intentional
modification of
product
Genuine with
high confiance
Violation of
data privacy
Cyber attack Privilege
escalation
14. Design Principle Type of Action Threat Description
Common weakness or
vulnerabilities
enumeration
STRIDE
category
Hardware or
Physical Design
Import Data from a device
Device may be spoofed by an attacker, and
this may lead to incorrect data delivered to
Software
MITRE / CWE-290:
Authentication Bypass by
Spoofing
Spoofing
Data Integrity
Write Data from a file
system
Log readers can come under attack via log
files
NIST / CVE-2021-45105:
Denial of Service Tampering
Communications Network Communication
Software claims that it did not receive data
from a source outside the trust boundary
MITRE / CWE-778:
Insufficient Logging Repudiation
Data
Confidentiality
Read Data from a file
system
Improper data protection of File System can
allow an attacker to read information not
intended for disclosure
NIST / CVE-2021-36934:
Windows Elevation of
PrivilegeVulnerability
Information
Disclosure
Reliability and
Availability
Exploits and malware
Does Software or Device take explicit steps
to control resource consumption?
MITRE / CWE-400:
Uncontrolled Resource
Consumption
Denial Of
Service
User Access Access authorization
An attacker may pass data into Software in
order to change the flow of the program
execution within Software to the attacker's
choosing
MITREATTACK /T1068:
Exploitation for Privilege
Escalation
Elevation Of
Privilege
HOWTO DEFINETHREAT SCENARIOS ATTACK
MODELING
STRIDE is a model for identifying computer security threats and develop worst-case scenarios
Probability
Knowledge
Motivation
Discoverability
AttackVector
Skill(s)
Type of
18. Accept vulnerability in design and apply standard mitigations as ACL, encryption, digital signatures, logs, etc.
THREAT MODELING REPORTING MITIGATION
TECHNIQUES
Validate that all threats
have been identified
and mitigated correctly
20. Identify cybersecurity
risks in the device’s
design and operating
environment
Protect the device to
reduce risk through
various risk mitigations
Detect if a device has
been compromised due
to a cybersecurity event
Respond to a
cybersecurity event
Recover and Restore
the device to normal
operation following a
cybersecurity event
Reminder fundamentals to control and manage risks from the National Institute of Standard andTechnology
21. Generic risk model with key risk factors in NIST SP 800-30 Rev 1
Threat Modeling
Threat
event
Initiated by
Exploits
APPROACH
Organizational Risk
Results in residual risk
Risk Control
Mitigated with
Vulnerability
Impact
Likelihood
Causes
Produces
Final readout of threat
modeling findings by the IT to
undertake a risk assessment
Business stakeholders
decide actions for
vulnerabilities
Review vulnerabilities, risk
ratings, and proposed
mitigations with Business
Threat
source
22. Identify all possible and imaginable risks in all your systems, then you will prioritize them based on
different factors:
• Threats are events that could harm the organization through intrusion, destruction or
disclosure
• Vulnerabilities are weaknesses in IT systems, security, procedures, processes and
controls that can be exploited by malicious actors (internal or external!)
• Impact is a measure of the severity of the harm the organization would suffer if a
vulnerability were exploited, or a threat executed
• Likelihood is a measure of risk factor based on the likelihood of an attack against a
specific vulnerability
• Predisposing conditions are a specific factor within the organization that increases /
decreases the impact or the likelihood that a vulnerability will come into play
RISKS
23. Vulnerability STRIDE Catégory Threat Impact Status Justification Priority Likelihood Specific factor
Sniffer Attack Information
Disclosure
Data flowing
across Manage
exams may be
sniffed by an
attacker
Depending on what
type of data an
attacker can read; it
may be used to attack
other parts of the
system or simply be a
disclosure of
information leading
to compliance
violations
Mitigated Consider
encrypting the
data flow
Medium Trustworthy
network unwork
sometimes
Communications
are not protected
in a distributed
system
CommonWeakness Scoring
System calculator allows to
communicate on the
characteristics and the severity
of software vulnerabilities
CVSS v3.1 Base Score Calculator
OWASP Risk Assessment
Calculator is a calculator to
assess the risk of web
vulnerabilities based on OWASP
Risk Assessment
OWASP Risk Assessment
Calculator
24. 1. Risk
Measure-
ment and
Assessment
2. Risk
Mitigation
3. Reporting
and Risk
Monitoring
4. Risk
Governance
All the above steps should
be codified in a risk
governance system
Once you have identified the
threats, vulnerabilities, impact,
likelihood, and predisposing
conditions, you can calculate and
rank the risks your organization
faces
Businesses take the previous
ranking list and start considering
how to mitigate the threats, from
most significant to most minor
Organizations maintain a list
of known risks and monitor
these risks to ensure
compliance with guidelines
Risk Management Framework: Risk Strategy, Appetite, Policies, Guidelines and Procedures as Legal and Operational Cover
27. Links
NATIONALVULNERABILITY DATABASE
https://nvd.nist.gov/Vulnerability-Metrics/Calculator-Product-Integration
Common Weakness Scoring System (CWSS™)
https://cwe.mitre.org/cwss/cwss_v1.0.1.html
CVSS v3.1 Base Score Calculator
https://chandanbn.github.io/cvss/#CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_
OWASP Risk Rating Methodology
https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
National Institute of Standard andTechnology (NIST)
https://www.nist.gov/cyberframework/getting-started
Microsoft Security Development Lifecycle (SDL)
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
Editor's Notes
Comment la modélisation des menaces s'intègre dans l'évaluation des risques
Règlement Dispositifs Médicaux (MDR)
Éviter : décision de ne pas être impliqué ou de se soustraire à un risque. C’est une décision visant à ne pas être impliquée dans une situation à risques, ou à se retirer d’une situation à risques.
ISO/CEI 17799, 2005 : Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information
-
The threat agent risk assessment (TARA) methodology
Normes et standards Cybersécurité + spécificités aux soins de santé
Rappel du contexte dans le milieu industriel médicale de la mission
Les mots clefs sont ils claires de ce que l’on va parler aujourd’hui ?
Qu'est-ce que nous devons comprendre ? Et comment on conçoit les risques ?
---
Évaluer les conséquences sur les Assets (Actifs) et les Risques
La modélisation des menaces (Threat Modeling) est une activité fondamentale pour identifier et traiter les failles dès la conception avant la phase de développement d’un logiciel ou d’un système.
---
Produce Use Case of your application
What exactly does she do? Context? User manual exists?
Enumerate all Assets
Make a Data Flow Diagram (DFD)
Shows how data flows through your system and which applications, API or databases are involved
Make Threats scenarios
Mitigate -> need control after?
Need investigation -> Countermeasure?
Not applicable, etc.
Implement potential security Risks
Make a checklist and rate each risk by likelihood, impact and make decisions about each risk with stakeholders
Projet itératif - Review
Design assez simple voir rudimentaire au format Threat Modeling
Les outils pour modéliser sont : draw.io, OWASP Threat Dragon ou Microsoft’s Threat Modeling tool
RIS : Radiology Information System is a networked software system for managing medical imagery and associated
PACS : Picture Archiving and Communication System is a medical imaging technology used primarily in healthcare organizations to securely store and digitally transmit electronic images and clinically-relevant reports
EMR : Electronic Medical Record are digital versions of the paper charts in clinician offices, clinics, and hospitals.
Principes de conception à prendre en compte dans la conception des dispositifs médicaux
Dans le texte d'introduction de la section des principes architecturaux de l'ISO/IEC 19249, la spécification technique décrit le principal défi que tous les professionnels de la sécurité de l'information connaissent bien : trouver le difficile équilibre entre sécurité et fonctionnalité. (https://info-savvy.com/cissp-iso-iec-19249-bk1d3t1st2/)
Tout ce que vous devez savoir sur les menaces
Il existe 12 modèles pour gérer des menaces/risques. Donc notre cas, STRIDE est adapté pour le développement de logiciels / software
L’approche STRIDE pour la modélisation des menaces a été introduite en 1999 chez Microsoft
STRIDE signifie : usurpation d'identité, falsification, répudiation, divulgation d'informations, déni de service, élévation de privilège
SPOOFING Identity : c’est tout simplement une attaque par usurpation d'identité. Une personne ou un programme réussit à s'identifier à un autre en falsifiant des données, pour obtenir un avantage illégitime
TAMPERING with Data : attaque sous forme de sabotage (modifications intentionnelles du produit d'une manière qui le rendrait nocif pour l'utilisateur)
REPUDATION : un attaquant effectue une opération illégale ou malveillante dans un système, puis nie son implication dans l'attaque
En ch'timi on dirait : « C’éch’ti quî dit, c’éch’ti quî est »
INFO DISCLOSURE : fuite d'informations. Une application ou un site Web révèle involontairement des données à des utilisateurs non autorisés
DENIAL OF SERVICE (DoS) : des attaques empêchent un utilisateur autorisé d'accéder aux ressources auxquelles il devrait pouvoir accéder
ELEVATION OF PRIVILEGE (EoP) : un utilisateur autorisé ou non autorisé dans le système peut accéder à d'autres informations qu'il n'est pas autorisé à voir
MITRE ATT&CK® est une base de connaissances accessible dans le monde entier sur les tactiques et techniques de l'adversaire, basée sur des observations du monde réel
-> 2021 CWE Top 25 Most Dangerous Software Weaknesses
// Common Weakness Enumeration
NIST: National Institute of Standards and Technology
-> Les données de vulnérabilité CVE sont extraites des flux de la base de données nationale sur les vulnérabilités (NVD) fournies par l'Institut National des Normes et de la Technologie
// Common Vulnerabilities and Exposures
Rapport / Modèle de Template / Design
-> Medical Device Model
RIS : Radiology Information System is a networked software system for managing medical imagery and associated
PACS : Picture Archiving and Communication System is a medical imaging technology used primarily in healthcare organizations to securely store and digitally transmit electronic images and clinically-relevant reports
DICOM : c’est un acronyme qui signifie Distributed Component Object Model. C’est un composant logiciel propriétaire de Microsoft qui permet aux objets COM de communiquer entre eux sur le réseau.
ACL : Access Control List (un système permettant de faire une gestion plus fine des droits d'accès aux fichiers)
Comment élaborer la prise en compte des risques au quotidien ?
Petit rappel sur la gestion des risques en Cybersécurité par le NIST
Risk management process as defined in NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
Le processus de gestion des risques est spécifiquement détaillé par le NIST dans plusieurs cadres subsidiaires. Le plus important, appelé « NIST SP 800-37 Rev.1 »
Oublie : UL et EBIOS / ANSSI
Risk Management Framework : Stratégie de risque, appétit, politiques, directives et procédures en tant que couverture juridique et opérationnelle