Cyber Security
Week # 08, Lec # 1+2
Instructor: Nazish Razzaq
ADP-IT 4th
Blue
Course Code: IR6001
What is the DREAD Threat Model?
The DREAD threat model is a risk assessment framework used to identify,
evaluate, and prioritize potential security threats. DREAD stands for:
• Damage Potential: How much harm can the threat cause?
• Reproducibility: How easily can the threat be repeated or reproduced?
• Exploitability: How easy is it to exploit the threat?
• Affected Users: How many users would be impacted?
• Discoverability: How likely is it for someone to find the threat?
Each factor is rated on a scale (commonly 1–10). The total score helps
determine the severity of the threat, so you can prioritize your mitigation
efforts accordingly.
Workflow of DREAD
1. Identify Threats
• Start by listing all potential threats to your system, application, or
process.
• Example: Unauthorized access, data leakage, denial of service, etc.
2. Analyze Each Threat
• For every threat, evaluate it based on the five DREAD factors:
• Damage Potential:
• Ask: What’s the worst-case outcome if this threat occurs?
• Example: Loss of customer data.
• Reproducibility:
• Ask: Can an attacker easily reproduce this threat?
• Example: Is the vulnerability repeatable, or does it need specific conditions?
• Exploitability:
• Ask: How easy is it for an attacker to exploit this vulnerability?
• Example: Is specialized knowledge or a specific tool required?
• Affected Users:
• Ask: How many users would be impacted if the threat happens?
• Example: Affects only admins vs. all users.
• Discoverability:
• Ask: How likely is it for someone to find this vulnerability?
• Example: Is it obvious in the system or hidden?
3. Assign Scores
• Rate each factor on a scale (commonly 1 to 10, but the scale can vary).
• Example: A high score for Damage Potential might indicate a severe
impact.
4. Calculate Total Risk Score
• Add the scores for all five DREAD factors.
• Example:
• Damage Potential: 8
• Reproducibility: 6
• Exploitability: 5
• Affected Users: 7
• Discoverability: 9
• Total Score = 35
5. Prioritize Threats
• Compare total scores for all threats.
• Higher scores indicate more critical threats that need immediate
attention.
6. Plan Mitigation
• For each high-priority threat, develop a plan to reduce or eliminate it.
• Example: Implement stricter access controls, apply security patches,
or monitor system logs.
7. Review and Update
• Periodically reassess threats as the system evolves.
• Threat landscapes change, so ensure the model reflects new
vulnerabilities.
Key Takeaway:
• DREAD provides a systematic and collaborative way to identify,
score, and prioritize threats, ensuring that teams focus on the most
significant risks first.
Advantages of DREAD
• Simple and Structured: It provides a clear, easy-to-follow framework
for evaluating threats.
• Quantifiable: Assigning scores allows for a numerical comparison of
threats.
• Customizable: Organizations can adapt scoring scales to fit their
specific needs.
• Team Collaboration: It encourages team discussions about security
risks, leading to more thorough threat identification.
• Focus on Prioritization: By calculating total scores, teams can focus on
addressing the most critical threats first.
Best Usage Scenario for DREAD
• Risk Prioritization in Development: When building software or systems,
DREAD is ideal for assessing security threats early in the development
lifecycle to prevent issues before they escalate.
• Evaluating Multiple Threats: When faced with several potential
vulnerabilities, DREAD helps determine which to address first based on their
severity and likelihood.
• Penetration Testing: Security teams can use DREAD to rate and prioritize
findings during or after a penetration test.
• Training New Teams: Its structured nature makes it a great tool for teaching
new team members how to think about and evaluate threats systematically.
DREAD on Attacks
1. SQL Injection on the Login Page
• Damage (8): Attackers can access or modify the database, potentially
exposing customer information or allowing unauthorized access.
• Reproducibility (9): The attack can be repeated easily with automated tools.
• Exploitability (8): Requires basic knowledge of SQL injection.
• Affected Users (10): All users' data is at risk if the database is compromised.
• Discoverability (8): Login forms are common targets for attackers.
• Total Score: 43
2. Insecure Password Storage
• Damage (9): If attackers gain access to the database, they can decrypt or crack
user passwords.
• Reproducibility (8): Once the database is accessed, this vulnerability can be
repeatedly exploited.
• Exploitability (7): Requires gaining access to the database but can be done
through other exploits.
• Affected Users (10): All users are impacted if passwords are compromised.
• Discoverability (6): May not be easily discovered until the database is breached.
• Total Score: 40
3. Open Ports on the Server
• Damage (6): Attackers could use open ports to identify entry points for
attacks.
• Reproducibility (7): Scanning tools can easily find open ports.
• Exploitability (5): Requires understanding of network protocols to exploit
open ports effectively.
• Affected Users (4): Only backend infrastructure is affected unless the
vulnerability leads to further exploits.
• Discoverability (8): Open ports are easily identified with scanning tools.
• Total Score: 30
Prioritization
• Based on the scores, the team prioritizes fixing vulnerabilities as
follows:
• SQL Injection (Score: 43) – Critical and needs immediate attention.
• Insecure Password Storage (Score: 40) – High priority due to the
potential for massive data breaches.
• Open Ports (Score: 30) – Low priority but should still be addressed
to reduce risks.
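The scoring and ranking described in workflow steps 4 and 5, applied to the three "DREAD on Attacks" ratings above. This is an added example, not code from the lecture: the threat names and factor scores are the slides' own, while the dataclass, the range check on each factor and the tie-breaking rule are assumptions made here.

```python
"""DREAD scoring and prioritization (added example, not from the lecture slides)."""
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
SCALE_MIN, SCALE_MAX = 1, 10   # the slides' "commonly 1-10" scale; teams may use another


@dataclass(frozen=True)
class DreadRating:
    threat: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject ratings outside the agreed scale so a typo (e.g. 80) cannot dominate the ranking.
        for name in FACTORS:
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.threat}: {name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    def total(self) -> int:
        # Step 4 of the workflow: the total risk score is the plain sum of the five factors.
        return sum(getattr(self, name) for name in FACTORS)


def prioritize(ratings):
    """Step 5: highest total first.

    Tie-break rule (an assumption, not from the slides): equal totals are ordered by
    Damage Potential, then by threat name so the ranking is stable across runs.
    """
    return sorted(ratings, key=lambda r: (-r.total(), -r.damage, r.threat))


# Ratings copied from the "DREAD on Attacks" slides (names and scores are the lecture's).
LECTURE_RATINGS = [
    DreadRating("SQL Injection on the Login Page", 8, 9, 8, 10, 8),
    DreadRating("Insecure Password Storage", 9, 8, 7, 10, 6),
    DreadRating("Open Ports on the Server", 6, 7, 5, 4, 8),
]


def ranked_totals(ratings=LECTURE_RATINGS):
    """Return (threat, total) pairs in priority order."""
    return [(r.threat, r.total()) for r in prioritize(ratings)]


if __name__ == "__main__":
    for rank, (name, score) in enumerate(ranked_totals(), start=1):
        print(f"{rank}. {name}: {score}")
```

Keeping the ratings as data rather than in a spreadsheet makes step 7 (review and update) a matter of editing the list and re-running the ranking; the range check catches the most common data-entry error before it silently reorders the priorities.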
OCTAVE Threat Model
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk
assessment framework designed to help organizations identify and manage cybersecurity
risks. It focuses on understanding the organization’s critical assets, identifying threats and
vulnerabilities, and implementing strategies to mitigate risks. This method is
organization-centric and helps align security with business goals. It is especially useful
for small-to-medium businesses with limited resources.
• OCTAVE is process-driven and involves three main phases:
• Build Asset-Based Threat Profiles: Identify critical assets, potential threats, and
vulnerabilities.
• Identify Infrastructure Vulnerabilities: Assess technical vulnerabilities in the IT
infrastructure.
• Develop a Security Strategy and Mitigation Plan: Create an actionable plan to address
identified risks.
Visualizing the Workflow of OCTAVE
• Critical Assets (What do we need to protect?)
↓
• Threats & Vulnerabilities (What can harm us?)
↓
• Risk Prioritization (What should we fix first?)
↓
• Mitigation Strategies (How do we reduce the risks?)
↓
• Implementation & Monitoring (Are we staying secure?)
Phase 1: Build Asset-Based Threat Profiles
• Goal: Understand your organization’s critical assets and the risks they face.
• Steps:
• Identify Critical Assets:
• Determine what is most important to your organization (e.g., databases, applications,
intellectual property).
• Evaluate Security Requirements:
• Assess what each asset needs to remain secure (e.g., confidentiality, integrity, availability).
• Identify Threats and Vulnerabilities:
• Brainstorm potential threats to these assets (e.g., cyberattacks, human errors, natural disasters).
• Create Threat Profiles:
• Link specific threats to assets, describing how they could be exploited.
Example
• A hospital identifies patient medical records as a critical asset.
• Threats include unauthorized access by hackers or accidental
exposure due to a system error.
Phase 2: Identify Infrastructure Vulnerabilities
• Goal: Focus on technical weaknesses in your systems and IT
environment.
• Steps:
• Evaluate Current Practices:
• Assess the effectiveness of your existing security policies and controls.
• Perform Technical Vulnerability Assessments:
• Use tools (e.g., vulnerability scanners, penetration testing) to identify technical
weaknesses.
• Correlate Threats and Vulnerabilities:
• Map vulnerabilities to the threat profiles created in Phase 1.
Example
• The hospital finds that medical records are stored on a server with
outdated security patches.
• Employees often use weak passwords, which increases the risk of
unauthorized access.
Phase 3: Develop a Security Strategy and Mitigation Plan
• Goal: Create a plan to reduce risks and improve security practices.
• Steps:
• Prioritize Risks:
• Rank threats and vulnerabilities based on their potential impact and likelihood.
• Develop Mitigation Strategies:
• Define actions to reduce or eliminate high-priority risks (e.g., applying patches, updating
policies).
• Create a Long-Term Security Plan:
• Incorporate policies, procedures, and training to maintain security over time.
• Document and Communicate Findings:
• Share results with stakeholders to ensure everyone understands risks and mitigation plans.
Example
• The hospital upgrades its server security, implements multi-factor
authentication (MFA) for employees, and trains staff on secure
handling of patient records.
Real-Life Examples
• Example 1: Financial Institution
• Critical Asset: Customer bank account data.
• Threats: Phishing attacks, insider threats, and database vulnerabilities.
• Mitigation: Implement anti-phishing training, encrypt sensitive data, and
monitor access logs.
• Example 2: E-commerce Website
• Critical Asset: Customer payment details and order history.
• Threats: SQL injection attacks, data breaches.
• Mitigation: Conduct regular vulnerability assessments, apply security patches,
and use secure payment gateways.
Example: Retail Company
• Critical Assets: Customer payment data, point-of-sale (POS) systems.
• Threats:
• Malware attack on POS systems.
• Insider threat from disgruntled employees stealing payment data.
• Vulnerabilities:
• POS systems are not updated with the latest security patches.
• Employees have too many access privileges.
• Mitigation Plan:
• Regularly patch POS systems.
• Limit employee access to sensitive systems.
• Conduct employee training on security best practices.
Example of OCTAVE in Action
• Scenario: A Healthcare System
• Step 1: Identify Critical Assets
• Patient medical records stored in a cloud database.
• Systems that handle billing and payments.
• Step 2: Identify Threats
• External hackers trying to access patient records.
• Employees accidentally sharing login credentials.
• Ransomware attack targeting the billing system.
• Step 3: Pinpoint Vulnerabilities
• The database is accessible through an exposed API.
• Weak password policies for employee accounts.
• Outdated antivirus software on billing systems.
• Step 4: Create a Mitigation Plan
• Secure the API with authentication and encryption.
• Implement multi-factor authentication (MFA) for all employees.
• Regularly update antivirus software and patch systems.
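The healthcare scenario above, modelled as an asset-based threat profile so that the links between Phase 1 (assets and threats), Phase 2 (vulnerabilities) and Phase 3 (prioritization and mitigation) are explicit. This is an added example, not code from the lecture or from the OCTAVE method itself: the assets, threats, vulnerabilities and mitigations are the slides' own, while the 1–5 impact and likelihood values, the product used as the risk score, and the security-requirement tuples are assumptions made here.

```python
"""OCTAVE-style asset-based threat profile (added example, not from the lecture slides)."""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    description: str   # Phase 2 finding
    mitigation: str    # Phase 3 action that addresses it


@dataclass
class Threat:
    description: str
    impact: int        # 1-5 harm to the asset if realised (assumed scale, not from the slides)
    likelihood: int    # 1-5 chance of occurring under current controls (assumed scale)
    vulnerabilities: list = field(default_factory=list)  # Phase 2 weaknesses that enable this threat

    def risk(self) -> int:
        # Phase 3 "Prioritize Risks": rank by potential impact and likelihood.
        # Using the product is an assumption; any monotone combination works with the code below.
        return self.impact * self.likelihood


@dataclass
class Asset:
    name: str
    security_requirements: tuple   # Phase 1 "Evaluate Security Requirements" (assumed values)
    threats: list = field(default_factory=list)


def build_healthcare_profile():
    """Phase 1 and 2 output for the slides' healthcare scenario (impact/likelihood values assumed)."""
    records = Asset("Patient medical records (cloud database)", ("confidentiality", "integrity"))
    records.threats.append(Threat(
        "External hackers trying to access patient records", impact=5, likelihood=4,
        vulnerabilities=[Vulnerability("The database is accessible through an exposed API",
                                       "Secure the API with authentication and encryption")]))
    records.threats.append(Threat(
        "Employees accidentally sharing login credentials", impact=4, likelihood=3,
        vulnerabilities=[Vulnerability("Weak password policies for employee accounts",
                                       "Implement multi-factor authentication (MFA) for all employees")]))
    billing = Asset("Billing and payment systems", ("availability", "integrity"))
    billing.threats.append(Threat(
        "Ransomware attack targeting the billing system", impact=5, likelihood=3,
        vulnerabilities=[Vulnerability("Outdated antivirus software on billing systems",
                                       "Regularly update antivirus software and patch systems")]))
    return [records, billing]


def prioritized_threats(assets):
    """(asset, threat) pairs, highest risk first; ties broken by names for a stable order."""
    pairs = [(a, t) for a in assets for t in a.threats]
    return sorted(pairs, key=lambda p: (-p[1].risk(), p[0].name, p[1].description))


def mitigation_plan(assets):
    """Phase 3 output: (risk, asset, threat, mitigation) rows in priority order."""
    return [(t.risk(), a.name, t.description, v.mitigation)
            for a, t in prioritized_threats(assets) for v in t.vulnerabilities]


def unmapped_threats(assets):
    """Threats with no Phase 2 vulnerability linked to them: a gap to close before planning."""
    return [t.description for a in assets for t in a.threats if not t.vulnerabilities]


if __name__ == "__main__":
    profile = build_healthcare_profile()
    for risk, asset, threat, action in mitigation_plan(profile):
        print(f"[{risk:>2}] {asset} <- {threat}: {action}")
    print("Unmapped threats:", unmapped_threats(profile) or "none")
```

The `unmapped_threats` check is the practical value of keeping the phases linked: a threat that reaches Phase 3 with no vulnerability attached either has no technical cause to fix or was missed in the Phase 2 assessment, and either way it should be resolved before the plan is communicated to stakeholders.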
Key Takeaway
• The OCTAVE model is organization-centric and focuses on both
operational and technical risks. Its structured, phased approach ensures
organizations thoroughly identify, prioritize, and address security risks
effectively.
By following these steps, organizations can protect what matters most
and handle risks effectively.
Advantages of OCTAVE
• Organization-Centric: It focuses on an organization’s unique goals, critical
assets, and operations rather than using a one-size-fits-all approach.
• Holistic View: OCTAVE considers not only technical risks but also process
and organizational risks.
• Encourages Collaboration: Involves stakeholders across various teams
(management, IT, security, and operations) for a comprehensive perspective.
• Flexible: Can be tailored to organizations of different sizes and industries.
• Strategic Focus: Helps create long-term strategies to manage and mitigate
risks rather than just responding to immediate threats.
Best Usage Scenario for OCTAVE
• Enterprise-Wide Risk Assessment: It’s ideal for large organizations
looking to evaluate risks at a strategic level, involving multiple
departments and processes.
• Risk Prioritization: When you need to identify and prioritize the
most critical assets and threats to focus on mitigation efforts.
• Compliance and Governance: OCTAVE can help organizations meet
regulatory requirements by demonstrating a structured approach to
risk management.
• Organizational Policy Development: It’s a great starting point for
creating or improving security policies, procedures, and practices.
Summary of Threat Models
• STRIDE is threat-centric, identifying specific types of threats during
design.
• PASTA is risk-centric, focusing on simulating attacks and aligning
with business goals.
• VAST is team-centric, providing scalability and collaboration across
large enterprises.
• DREAD is impact-centric, prioritizing threats by scoring their severity.
• OCTAVE is organization-centric and focuses on evaluating and
managing risks to critical assets.
Comparison of Models