JA
Uploaded byJoel Aleburu
PPTX, PDF255 views

Architecting for Security Resilience

Joel Oseiga Aleburu presented on architecting for security resilience. The presentation covered basic definitions like security, vulnerability and resilience. It discussed basic principles for secure design like earning trust rather than assuming it. The presentation also covered application threat modeling, common architectural flaws, and questions. It emphasized that processes, not just products, prevent cyber attacks and outlined techniques like STRIDE for threat modeling.

Embed presentation

Downloaded 12 times
Architecting for Security Resilience Joel Oseiga Aleburu 11/05/2021
Content of this Talk • About the Speaker • Basic Definitions • Basic Principles for Secure Design • What is application threat modelling ? • Common Architectural Flaws • Questions
About the Speaker • Joel Oseiga Aleburu B.Sc. (Bowen) , M.Sc. (York) • Outsourced IT Security and Risk Architecture Lead - Smarttech247 • Interests- Mathematics, Computer Science • Security Interests- Cyber Warfare, NSA, Critical Systems and Encryption • Other Stuff: Hiking, Small Planes and Fast Cars
Basic Definitions • Security  Risk management-> Enable the business process • Information Security Risk: Damage that a beach of, or attack on IT system could cause. Can be defined in Monetary terms or non-monetary terms. • Vulnerability: Weakness, flaw or error within a security system that can be leveraged by a threat in order to compromise an architecture. • Resilience: Ability to enable business acceleration by preparing for, responding to and recovering from cyber threats.
Strategic Resiliency Design Principles (MITRE)
The Basics. i.e Cyber Resilience 101. • The overall goal is to align people, process and technology to build resilient cyber defense architecture in line with business objectives
SDLC Work flow, OWASP SAMM 2
Threat Modelling Basics • Products do not stop cyber attacks, processes do • Threat modelling is a structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attack and protect IT resources. • Use Threat Modeling techniques : 1. STRIDE 2. PASTA 3. ATTACK Trees 4. OCTAVE, etc Use STRIDE to step through diagram elements Get specific about threat manifestation. Attack trees are conceptual diagrams showing how an asset or target, might be attacked.
Looking for technical threats • Use Cases and user stories - Features -Different user roles • Architecture descriptions - Where is your data stored? - Where is it transferred and how? • Threat Actor - Who can abuse your system and how
The Process: Identifying Threats • The four steps to make a threat model
Identify Threats • Experts can brainstorm Use STRIDE to step through the diagram elements Get specific about threat manifestation Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Nonrepudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
Threat: Spoofing Threat Spoofing Property Authentication Definition Impersonating something or someone else Example Pretending to be any of, microsoft.com, or ntdll.dll
Threat: Tampering Threat Tampering Property Integrity Definition Modifying data or code Example Modifying a DLL on disk or DVD, or a packet as it traverses the LAN
Threat: Repudiation Threat Repudiation Property Non-Repudiation Definition Claiming to have not performed an action Example “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that Web site, dear!”
Threat: Information Disclosure Threat Information Disclosure Property Confidentiality Definition Exposing information to someone not authorized to see it Example Allowing someone to read the application source code; publishing a list of customers to a Web site
Threat: Denial of Service Threat Denial of Service Property Availability Definition Deny or degrade service to users Example Crashing application or a Web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
Threat: Elevation of Privilege Threat Elevation of Privilege (EoP) Property Authorization Definition Gain capabilities without proper authorization Example Allowing a remote Internet user to run commands is the classic example, but going from a “Limited User” to “Admin” is also EoP
Some technical ways to address
Bugs vs Flaw • A design is a protocol between two things- It could be how a file is built or the methodology for logging. • Coding mistakes = bug • Design mistake = flaw • Flaws are harder, more expensive and labor intensive to fix. • Bugs can be detected and found by automated interactive analysis
Common Design Flaws Missing authentication Weak authentication Missing/weak encryption Missing authorization Weak authorization Leaking important data Uncontrolled resources Not validating input/data Insufficient auditing Insufficient session management
Avoiding flaws in design • Earn or give, but never assume trust • Use an authentication mechanism that cannot be bypassed or tampered with • Authorize after you authenticate • Strictly separate data and control instructions and never process control instructions received from untrusted sources • Define an approach that ensures all data are explicitly validated • Use cryptography correctly • Identify sensitive data and how they should be handled • Always consider the users • Understand how integrating external components changes your attack surface • Be flexible when considering future changes to objects and actors
Earn or give, but never assume • Make sure all data from an untrusted client are validated or even better still, validate everything (zero trust) • Assume data is compromised • Avoid authorization, access control, policy enforcement and use of sensitive data in client code
Use authenticated mechanism that can’t be bypassed Prevent the user from changing identity without re-authentication, once authenticated Consider the strength of the authentication a user has provided before taking action Make use of Time outs MFA actually works! Enforce it Avoid shared resources e.g. IP and MAC addresses Avoid predictable tokens
Authorize after authentication Perform authorization as an explicit check Re-use common infrastructure for conducting authorization checks Authorization depends on a given set of privileges and on the context of the request Failing to revoke authorization can result in authenticated users exercising out-of- date authorizations
Strictly separate data and control instructions, and never process control instructions from untrusted sources • Utilize hardware capabilities to enforce separation of code and data • Know and use appropriate compiler/linker security flags • Expose methods or endpoints that consume structured types • Co-mingling data and control instructions in a single entity is bad • Beware of injection prone APIs (XSS, SQL injection, Shell injection)
Define an approach that ensures all data are explicitly validated • Ensure that comprehensive data validation actually takes place • Make security review of the validation scheme possible • Use centralized validation mechanisms and canonical data forms (avoid strings) • Avoid blacklisting, use whitelisting
Use cryptography correctly • Use standard algorithms and libraries • Centralize and re-use • Design for crypto agility • Get help from real experts • DO NOT roll your own • Watch out for key management issues • Avoid non-random randomness
Identify sensitive data and how they should be handled • Know where your sensitive data are • Classify your data into categories • Consider data controls- File, memory, database protection • Plan for change over time • Confidentiality is not data protection • Watch out for trust boundaries
Always consider the users • Think about: deployment configuration, use, update • Know that security is an emergent property of the system • Make things secure by default • Security is not a feature • Don’t impose too much security • Don’t assume users and care about security • Don’t let users make security decisions
Understand how integrating external components changes your attack surface Test Test your components for security Include Include external components and dependencies in review Isolate Isolate components Keep Keep an eye out for public security information about components Be Security risk can be inherited Don’t trust Don’t trust until you have applied and reviewed controls
Be flexible when considering future changes to objects and actors Design for change Consider security updates Have a plan for “secret compromise” recovery
Conclusion • Threat model your work • Work with a security advisor from start to finish! • Products don’t stop cyberattacks, process does. • Learn more
Thank you very much Any Questions? Contact: joel@smarttech247.com
Threat Modeling Learning Resources MSDN Magazine Reinvigorate your Threat Modeling Process http://msdn.microsoft.com/en- us/magazine/cc700352.aspx Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach http://msdn.microsoft.com/msdnmag/issues/06/1 1/ThreatModeling/default.aspx SDL Blog All threat modeling posts http://blogs.msdn.com/sdl/archive/tags/threat%2 0modeling/default.aspx Books The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Howard, Lipner, 2006) “Threat Modeling” chapter http://www.microsoft.com/mspress/books/author s/auth8753.aspx
References • https://www.cs.montana.edu/courses/csci476/topics/threat_mode ling.pdf • https://cybersecurity.ieee.org/blog/2015/11/13/authorize-after- you-authenticate/ • https://owasp.org/www-community/Application_Threat_Modeling • https://users.encs.concordia.ca/~clark/courses/1601- 6150/scribe/L04c.pdf • https://owasp.org/www-pdf-archive//Slide_Deck_- _Threat_Modelling.pdf • https://www.slideshare.net/sapran/threat-modeling-101 • https://www.nttsecurity.com/docs/librariesprovider3/resources/uk _thought_leadership_innovation_resilient_cyber_uea_v2 • https://www.mitre.org/sites/default/files/publications/PR%2017- 0103%20Cyber%20Resiliency%20Design%20Principles%20MT R17001.pdf

More Related Content

PDF
Chapter 15 incident handling
bynewbie2019
 
PDF
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
PPTX
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 
PDF
Vulnerability threat and attack
bynewbie2019
 
PDF
Vulnerability management - beyond scanning
byVladimir Jirasek
 
PPTX
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
byMichael Noel
 
PDF
From Business Architecture to Security Architecture
byPriyanka Aash
 
PDF
Identifying Code Risks in Software M&A
byMatt Tortora
 
Chapter 15 incident handling
bynewbie2019
 
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 
Vulnerability threat and attack
bynewbie2019
 
Vulnerability management - beyond scanning
byVladimir Jirasek
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
byMichael Noel
 
From Business Architecture to Security Architecture
byPriyanka Aash
 
Identifying Code Risks in Software M&A
byMatt Tortora
 

What's hot

PPT
002.itsecurity bcp v1
byMohammad Ashfaqur Rahman
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PDF
GDPR: The Application Security Twist
bySecurity Innovation
 
PDF
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PDF
Enumerating your shadow it attack surface
byPriyanka Aash
 
PDF
Incident response methodology
byPiyush Jain
 
PPTX
Information security principles
byDan Morrill
 
PDF
Securing your presence at the perimeter
byBen Rothke
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
PDF
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
PPTX
Your cyber security webinar
byIntergen
 
PPTX
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
byMichael Noel
 
PPTX
Topic11
byAnne Starr
 
PPTX
It and-cyber-module-2
byMarneil Sanchez
 
PDF
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
PDF
Case study financial_services
byG. Subramanian
 
PPTX
A holistic approach to risk management 20210210 w acfe france & cyber rea...
byJudith Beckhard Cardoso
 
DOCX
VAPT- A Service on Eucalyptus Cloud
bySwapna Shetye
 
002.itsecurity bcp v1
byMohammad Ashfaqur Rahman
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
GDPR: The Application Security Twist
bySecurity Innovation
 
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Enumerating your shadow it attack surface
byPriyanka Aash
 
Incident response methodology
byPiyush Jain
 
Information security principles
byDan Morrill
 
Securing your presence at the perimeter
byBen Rothke
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
Your cyber security webinar
byIntergen
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
byMichael Noel
 
Topic11
byAnne Starr
 
It and-cyber-module-2
byMarneil Sanchez
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
Case study financial_services
byG. Subramanian
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
byJudith Beckhard Cardoso
 
VAPT- A Service on Eucalyptus Cloud
bySwapna Shetye
 

Similar to Architecting for Security Resilience

PDF
Security Fundamentals and Threat Modelling
byKnoldus Inc.
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PDF
Security-and-Privacy-in-Architectural-Modeling (2).pdf
bypatidararnav007
 
PDF
[Warsaw 26.06.2018] SDL Threat Modeling principles
byOWASP
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
PPSX
Introduction to threat_modeling
byPrabath Siriwardena
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PPT
Application Threat Modeling
byMarco Morana
 
DOCX
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
PPTX
The security mindset securing social media integrations and social learning...
byfranco_bb
 
PPTX
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
Security Fundamentals and Threat Modelling
byKnoldus Inc.
 
Application Threat Modeling
byPriyanka Aash
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Security-and-Privacy-in-Architectural-Modeling (2).pdf
bypatidararnav007
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
byOWASP
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
Introduction to threat_modeling
byPrabath Siriwardena
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Threat Modeling And Analysis
byLalit Kale
 
Application Threat Modeling In Risk Management
byMel Drews
 
Application Threat Modeling
byMarco Morana
 
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
The security mindset securing social media integrations and social learning...
byfranco_bb
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 

Recently uploaded

PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
API-First Architecture in Financial Systems
bycyy111112
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 

Architecting for Security Resilience

  • 1.
  • 2.
    Content of thisTalk • About the Speaker • Basic Definitions • Basic Principles for Secure Design • What is application threat modelling ? • Common Architectural Flaws • Questions
  • 3.
    About the Speaker •Joel Oseiga Aleburu B.Sc. (Bowen) , M.Sc. (York) • Outsourced IT Security and Risk Architecture Lead - Smarttech247 • Interests- Mathematics, Computer Science • Security Interests- Cyber Warfare, NSA, Critical Systems and Encryption • Other Stuff: Hiking, Small Planes and Fast Cars
  • 4.
    Basic Definitions • Security Risk management-> Enable the business process • Information Security Risk: Damage that a beach of, or attack on IT system could cause. Can be defined in Monetary terms or non-monetary terms. • Vulnerability: Weakness, flaw or error within a security system that can be leveraged by a threat in order to compromise an architecture. • Resilience: Ability to enable business acceleration by preparing for, responding to and recovering from cyber threats.
  • 5.
  • 6.
    The Basics. i.eCyber Resilience 101. • The overall goal is to align people, process and technology to build resilient cyber defense architecture in line with business objectives
  • 7.
  • 8.
    Threat Modelling Basics • Products donot stop cyber attacks, processes do • Threat modelling is a structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attack and protect IT resources. • Use Threat Modeling techniques : 1. STRIDE 2. PASTA 3. ATTACK Trees 4. OCTAVE, etc Use STRIDE to step through diagram elements Get specific about threat manifestation. Attack trees are conceptual diagrams showing how an asset or target, might be attacked.
  • 9.
    Looking for technical threats • UseCases and user stories - Features -Different user roles • Architecture descriptions - Where is your data stored? - Where is it transferred and how? • Threat Actor - Who can abuse your system and how
  • 11.
    The Process: IdentifyingThreats • The four steps to make a threat model
  • 12.
    Identify Threats • Expertscan brainstorm Use STRIDE to step through the diagram elements Get specific about threat manifestation Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Nonrepudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 13.
    Threat: Spoofing Threat Spoofing PropertyAuthentication Definition Impersonating something or someone else Example Pretending to be any of, microsoft.com, or ntdll.dll
  • 14.
    Threat: Tampering Threat Tampering PropertyIntegrity Definition Modifying data or code Example Modifying a DLL on disk or DVD, or a packet as it traverses the LAN
  • 15.
    Threat: Repudiation Threat Repudiation PropertyNon-Repudiation Definition Claiming to have not performed an action Example “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that Web site, dear!”
  • 16.
    Threat: Information Disclosure Threat InformationDisclosure Property Confidentiality Definition Exposing information to someone not authorized to see it Example Allowing someone to read the application source code; publishing a list of customers to a Web site
  • 17.
    Threat: Denial ofService Threat Denial of Service Property Availability Definition Deny or degrade service to users Example Crashing application or a Web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
  • 18.
    Threat: Elevation of Privilege ThreatElevation of Privilege (EoP) Property Authorization Definition Gain capabilities without proper authorization Example Allowing a remote Internet user to run commands is the classic example, but going from a “Limited User” to “Admin” is also EoP
  • 19.
  • 20.
    Bugs vs Flaw • Adesign is a protocol between two things- It could be how a file is built or the methodology for logging. • Coding mistakes = bug • Design mistake = flaw • Flaws are harder, more expensive and labor intensive to fix. • Bugs can be detected and found by automated interactive analysis
  • 21.
    Common Design Flaws Missing authentication Weak authentication Missing/weakencryption Missing authorization Weak authorization Leaking important data Uncontrolled resources Not validating input/data Insufficient auditing Insufficient session management
  • 22.
    Avoiding flaws in design • Earnor give, but never assume trust • Use an authentication mechanism that cannot be bypassed or tampered with • Authorize after you authenticate • Strictly separate data and control instructions and never process control instructions received from untrusted sources • Define an approach that ensures all data are explicitly validated • Use cryptography correctly • Identify sensitive data and how they should be handled • Always consider the users • Understand how integrating external components changes your attack surface • Be flexible when considering future changes to objects and actors
  • 23.
    Earn or give,but never assume • Make sure all data from an untrusted client are validated or even better still, validate everything (zero trust) • Assume data is compromised • Avoid authorization, access control, policy enforcement and use of sensitive data in client code
  • 24.
    Use authenticated mechanism that can’t be bypassed Preventthe user from changing identity without re-authentication, once authenticated Consider the strength of the authentication a user has provided before taking action Make use of Time outs MFA actually works! Enforce it Avoid shared resources e.g. IP and MAC addresses Avoid predictable tokens
  • 25.
    Authorize after authentication Perform authorizationas an explicit check Re-use common infrastructure for conducting authorization checks Authorization depends on a given set of privileges and on the context of the request Failing to revoke authorization can result in authenticated users exercising out-of- date authorizations
  • 26.
    Strictly separate dataand control instructions, and never process control instructions from untrusted sources • Utilize hardware capabilities to enforce separation of code and data • Know and use appropriate compiler/linker security flags • Expose methods or endpoints that consume structured types • Co-mingling data and control instructions in a single entity is bad • Beware of injection prone APIs (XSS, SQL injection, Shell injection)
  • 27.
    Define an approachthat ensures all data are explicitly validated • Ensure that comprehensive data validation actually takes place • Make security review of the validation scheme possible • Use centralized validation mechanisms and canonical data forms (avoid strings) • Avoid blacklisting, use whitelisting
  • 28.
    Use cryptography correctly •Use standard algorithms and libraries • Centralize and re-use • Design for crypto agility • Get help from real experts • DO NOT roll your own • Watch out for key management issues • Avoid non-random randomness
  • 29.
    Identify sensitive dataand how they should be handled • Know where your sensitive data are • Classify your data into categories • Consider data controls- File, memory, database protection • Plan for change over time • Confidentiality is not data protection • Watch out for trust boundaries
  • 30.
    Always consider theusers • Think about: deployment configuration, use, update • Know that security is an emergent property of the system • Make things secure by default • Security is not a feature • Don’t impose too much security • Don’t assume users and care about security • Don’t let users make security decisions
  • 31.
    Understand how integrating external components changes your attacksurface Test Test your components for security Include Include external components and dependencies in review Isolate Isolate components Keep Keep an eye out for public security information about components Be Security risk can be inherited Don’t trust Don’t trust until you have applied and reviewed controls
  • 32.
    Be flexible when considering future changes to objectsand actors Design for change Consider security updates Have a plan for “secret compromise” recovery
  • 33.
    Conclusion • Threat modelyour work • Work with a security advisor from start to finish! • Products don’t stop cyberattacks, process does. • Learn more
  • 34.
    Thank you very much AnyQuestions? Contact: joel@smarttech247.com
  • 35.
    Threat Modeling Learning Resources MSDNMagazine Reinvigorate your Threat Modeling Process http://msdn.microsoft.com/en- us/magazine/cc700352.aspx Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach http://msdn.microsoft.com/msdnmag/issues/06/1 1/ThreatModeling/default.aspx SDL Blog All threat modeling posts http://blogs.msdn.com/sdl/archive/tags/threat%2 0modeling/default.aspx Books The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Howard, Lipner, 2006) “Threat Modeling” chapter http://www.microsoft.com/mspress/books/author s/auth8753.aspx
  • 36.
    References • https://www.cs.montana.edu/courses/csci476/topics/threat_mode ling.pdf • https://cybersecurity.ieee.org/blog/2015/11/13/authorize-after- you-authenticate/ •https://owasp.org/www-community/Application_Threat_Modeling • https://users.encs.concordia.ca/~clark/courses/1601- 6150/scribe/L04c.pdf • https://owasp.org/www-pdf-archive//Slide_Deck_- _Threat_Modelling.pdf • https://www.slideshare.net/sapran/threat-modeling-101 • https://www.nttsecurity.com/docs/librariesprovider3/resources/uk _thought_leadership_innovation_resilient_cyber_uea_v2 • https://www.mitre.org/sites/default/files/publications/PR%2017- 0103%20Cyber%20Resiliency%20Design%20Principles%20MT R17001.pdf

Editor's Notes

  • #5 Keypoint1: The ultimate goal of security and IT is to enable business processes. Security is not in the product, it is in the process. Key point 2: Security Risk Management is the ongoing process of identifying these security risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on a valuable asset. Monetary terms which measures the effects of a cyber security breach on organizational assets or Non-monetary terms which compromise reputational, strategic, legal, political or other types of risk. Key point 3: The ultimate goal of cyber resiliency is to help an organization thrive in the face of adverse conditions.
  • #6 Mitre’s Security design principles. Assets that are common to multiple missions or business functions are potentially high value targets for cyber attacks, either because those assets are critical or because their compromise increases the attackers’ options for lateral motion or persistence. Identify how the asset is used? What makes the asset critical? Agility: In the context of cyber resiliency, agility is the property of a system or an infrastructure which can be reconfigured, in which resources can be reallocated and in which components can be reused so that cyber defenders can define, select and tailor cyber cources of action for a broad range of disruptions and malicious cyber activities. Reduce attack surface: At a minimum, the term “attack surface” refers to “accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities.” in other words, any hardware, software, connection, data exchange, service, removable media, etc. that might expose the system to potential threat access. Assume compromised resources: This design principle implies the need for analysis of how the system architecture reduces the potential consequences of a successful compromise – in particular, the duration and degree of adversary-caused disruption, as well as the speed and extent of malware propagation . Expect Adversaries to Evolve: Adversaries evolve in response to opportunities offered by new technologies or uses of technology, as well as to the knowledge they gain about defender TTPs. In (increasingly short) time, the tools developed by advanced adversaries become available to less sophisticated adversaries. Therefore, systems and missions need to be resilient in the face of unexpected attacks. This design principle therefore supports a risk management strategy which includes but goes beyond the common practice of searching for and seeking ways to remediate vulnerabilities (or classes of vulnerabilities); a system which has been hardened in the sense of remediating known vulnerabilities will remain exposed to evolving adversaries.
  • #7 Five Steps towards a resilient cyber defence capability: 1. Establish a resilient cyber defence architecture in line with business objectives 2. Engage all relevant stakeholders to agree performance metrics and analytics 3. Review existing technology investments against resilient cyber defence capability to identify areas of little, low or over investment 4. Review existing security teams against the capability areas to understand where your skill sets need investment 5. Create processes that ensure information and intelligence sharing between all aspects of the model and regular governance and review points to drive continuous improvement Reference: https://www.nttsecurity.com/docs/librariesprovider3/resources/uk_thought_leadership_innovation_resilient_cyber_uea_v2
  • #12 The 4 steps to make a threat model: Source: Microsoft https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiY2vaBw8HwAhW1tXEKHZpyDrEQFjAKegQIBRAD&url=https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F9%2F3%2F5%2F935520EC-D9E2-413E-BEA7-0B865A79B18C%2FIntroduction_to_Threat_Modeling.ppsx&usg=AOvVaw2eemQo4VQDdBIyJSJ1a7f-
  • #13 Self explanatory. The next slides go into more detail, with examples
  • #14 Source: Microsoft.com
  • #15 Source: Microsoft.com
  • #16 Source: Microsoft.com
  • #17 Source: Microsoft.com
  • #18 Source: Microsoft.com
  • #19 Source: Microsoft.com
  • #21 Even if your code contains thousands of bugs, automated tools- static, dynamic and interactive analysis alongside software composition analysis will help your devs find and fix them all. A design flaw would be saying “I’m going to allow this application or microservice to accept any number of requests at any speed from any source. There will be no velocity checker, no identity and access control, no access management. That’s a design flaw. It’s not just screwing up a few lines of code.
  • #22 Missing authentication: Missing authentication or Authentication Bypass using an alternate path Weak authentication: Relying on Single Factor Authentication, Downgrade Authentication, No reauthentication, insufficient credential management. Missing/weak encryption: Insufficient cryptographic key management or use of custom weak encryption Missing authorization: Missing authorization or missing access controls Weak authorization: No context when authorizing, not revoting authorization Leaking important data: Insecure data storage or insecure data exposure Uncontrolled resources: Unmonitored execution and uncontrolled resource consumption
  • #25 Predictable session tokens: Server picks session token by incrementing a counter for each new session. Attacker opens connection to server, gets session token. Subtract 1 from session token: can hijack the last session opened to the server.
  • #26 Authorization should be conducted as an explicit check, and as necessary even after an initial authentication has been completed. Authorization depends not only on the privileges associated with an authenticated user, but also on the context of the request. The time of the request and the location of the requesting user may both need to be taken into account Just as a common infrastructure (e.g., system library or back end) should be responsible for authenticating users, so too should common infrastructure be re-used for conducting authorization checks. Sometimes a user’s authorization for a system or service needs to be revoked, for example, when an employee leaves a company. If the authorization mechanism fails to allow for such revocation, the system is vulnerable to abuse by authenticated users exercising out-of-date authorizations. For particularly sensitive operations, authorization may need to invoke authentication. Although authorization begins only after authentication has occurred, this requirement is not circular. Authentication is not binary — users may be required to present minimal (e.g. password) or more substantial (e.g. biometric or token-based) evidence of their identity, and authentication in most systems is not continuous — a user may authenticate, but walk away from the device or hand it to someone else. Hence authorization of a specially sensitive operation (for example, transferring a sum of money larger than a designated threshhold) may require a re-authentication or a higher level of authentication. Some policies require two people to authorize critical transactions (“two-person rule”). In such cases, it is important to assure that the two individuals are indeed distinct; authentication by password is insufficient for this purpose.
  • #27 At lower levels, software platforms can utilize hardware capabilities to enforce separation of code and data. For example, memory access permissions can be used to mark memory that contains only data as non-executable and to mark memory where code is stored as executable, but immutable, at runtime.  When designing APIs (both general-purpose or public interfaces as well as those that are domain- or application-specific), avoid exposing methods or endpoints that consume strings in languages that embed both control and data. Prefer instead to expose, for example, methods or endpoints that consume structured types that impose strict segregation between data and control information. Co-mingling data and control instructions in a single entity, especially a string, can lead to injection vulnerabilities. Lack of strict separation between data and code often leads to untrusted data controlling the execution flow of a software system. This is a general problem that manifests itself at several abstraction layers, from low-level machine instructions and hardware support to high-level virtual machine interpreters and application programming interfaces (APIs) that consume domain-specific language expressions. Ensuring that appropriate validation or escaping is consistently applied in all code that interfaces with the query API is a difficult and error-prone process; implementing that functionality repeatedly increases the risk of injection vulnerabilities. Use or develop an API that mediates between application code and raw query-language based interfaces (e.g., SQL, LDAP) and exposes a safer API. Avoid code that constructs queries based on ad-hoc string concatenation of fixed query stanzas with potentially untrusted data.
  • #28 Design or use centralized validation mechanisms to ensure that all data entering a system (from the outside) or major component (from another component of the same system) are appropriately validated. For example: It is desirable for web applications to utilize a mechanism (such as a request filter or interceptor facility provided by the underlying web application framework) to centrally intercept all incoming requests, and to apply basic input validation to all request parameters. Use common libraries of validation primitives, such as predicates that recognize well-formed email addresses, URLs, and so forth. This ensures that all validation of different instances of the same type of data applies consistent validation semantics. Consistent use of common validation predicates can also increase the fidelity of static analysis. Validation should be based on a whitelisting approach, rather than blacklisting.
  • #29 Cryptography is one of the most important tools for building secure systems. Through the proper use of cryptography, one can ensure the confidentiality of data, protect data from unauthorized modification, and authenticate the source of data. Cryptography can also enable many other security goals as well.  Failure to centralize cryptography. Numerous situations have been observed in which different teams within an organization each implemented their own cryptographic routines. Cryptographic algorithms often don’t interact nicely. Best practices indicate getting it “right” once and reusing the component elsewhere. Poor key management. When everything else is done correctly, the security of the cryptographic system still hinges on the protection of the cryptographic keys. Key management mistakes are common, and include hard-coding keys into software (often observed in embedded devices and application software), failure to allow for the revocation and/or rotation of keys, use of cryptographic keys that are weak (e.g., keys that are too short or that are predictable), and weak key distribution mechanisms. Randomness that is not random. Confusion between statistical randomness and cryptographic randomness is common. Cryptographic operations require random numbers that have strong security properties. In addition to obtaining numbers with strong cryptographic randomness properties, care must be taken not to re-use the random numbers.
  • #30 Technical data sensitivity controls that a designer might consider include access control mechanisms (including file protection mechanisms, memory protection mechanisms, and database protection mechanisms), cryptography to preserve data confidentiality or integrity, and redundancy and backups to preserve data availability. Not all data protection requirements are the same. For some data, confidentiality is critical. Examples include financial records and corporate intellectual property. For data on which business continuity or life depends (for example, medical data), availability is critical. In other cases, integrity is most important. Spoofing or substituting data to cause a system to misbehave intentionally are examples of failures to ensure data integrity. Do not conflate confidentiality alone with data protection. Data sets do not exist only at rest, but in transit between components within a single system and between organizations. As data sets transit between systems, they may cross multiple trust boundaries. Identifying these boundaries and rectifying them with data protection policies is an essential design activity
  • #31 The security stance of a software system is inextricably linked to what its users do with it. It is therefore very important that all security-related mechanisms are designed in a manner that makes it easy to deploy, configure, use, and update the system securely. Remember, security is not a feature that can simply be added to a software system, but rather a property emerging from how the system was built and is operated.
  • #32 Tt is unlikely that you will develop a new system without using external pieces of software. In fact, when adding functionality to an existing system, developers often make use of existing components to provide some or all of that new functionality. In this context, external components refer to software “not written here”, such as: Software procured as off-the-shelf components, platforms, and applications Third-party open source or proprietary libraries. Isolate external components as much as your required functionality permits; use containers, sandboxes, and drop privileges before entering uncontrolled code. When possible, configure external components to enable only the functionality you intend to use.
  • #33 Design for change: Software security must be designed for change, rather than being fragile, brittle, and static. During the design and development processes, the goal is to meet a set of functional and security requirements. However, software, the environments running software, and threats and attacks against software all change over time. Even when security is considered during design, or a framework being used was built correctly to permit runtime changes in a controlled and secure manner, designers still need to consider the security implications of future changes to objects and actors. Design for secure updates. It is easier to upgrade small pieces of a system than huge blobs. Doing so ensures that the security implications of the upgrade are well understood and controlled. For example, a database engine upgrade may involve new access control defaults or rewrites of the controls such that previously tight permissions loosen, or create new default users that need to be disabled. If the update happens with the same change operation performed on the web server, the amount of change and adjustment to a dynamic, already-configured system may be overwhelming to track and assure Design for changes to objects intended to be kept secret. History has shown us that secrets such as encryption keys and passwords get compromised. Keeping secrets safe is a hard problem, and one should be prepared to have secrets replaced at any time and at all levels of the system. This includes several aspects: A secure way for users to change their own passwords, including disallowing the change until the old password has been successfully presented by the user.
  • #34 Source: Microsoft.com