Threat Modeling / iPad

Information security: what security for your data?

Seminar of 24 May 2012 / Lausanne

net-Banking via iPad


  1. iPad net-Banking Project: Technical Risk Assessment. Sylvain Maret / Security Architect / 2012-05-24 / @smaret. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel. +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch | Technology consulting
  2. Agenda
     • Context
     • Technical Risk Assessment approach
     • A six-step process
     • Threat Model – DFD
     • STRIDE Model
     • Open discussion
  3. Context
  4. Context
     • Business case: enable customer access to portfolio performance reports from mobile devices (iPad) located outside the controlled network.
  5. Actors
     • Security Product
     • ACME Bank
     • Web Agency
  6. The TRA relies on a series of six activities:
     • #1 System characterization
     • #2 Threat identification
     • #3 Vulnerabilities identification
     • #4 Impacts analysis
     • #5 Risk characterization
     • #6 Risk treatment and mitigation
  7. Step #1: System characterization
  8. #1 - Appropriate safeguards
     • The selected solution shall implement the appropriate safeguards to maintain the overall security at its expected level.
     • Required level: C | I | A
  9. #1
     • Ensure service integrity:
       • Uncontrolled client systems mean unpredictable request behavior
     • Prevent access from:
       • Offensive / hostile / corrupt requests
  10. #1
     • Ensure information confidentiality:
       • While data travels across uncontrolled networks
       • While the client application is “offline” (turned off)
       • While the client application is “online” (running)
     • Prevent access from:
       • Network capture: sniffers, gateways, cache proxies, MitM, etc.
       • Local capture: unsecure backups, memory-card access
       • Data interception by locally installed malware
  11. #1
     • Consider project-specific risks:
       • Outsourced vs. in-house development: where will security assurance come from?
       • Multi-disciplinary project involving three major actors:
         • The Bank (Acme - IT projects)
         • The portfolio performance reporting application (Web Agency)
         • The sandboxing application (Sysmosoft)
       • Who will be responsible for key security aspects?
  12. Step #2: Threat identification
  13. #2 - Building a threat model
     • Decompose the Application
       • Diagramming - Data Flow Diagram (DFD)
     • Determine and Rank Threats
       • STRIDE model
  14. #2 - Data Flow Diagram (DFD) notation: Process | External entity | Multiple Process | Data store | Data flow | Trust Boundary
  15. #2 - DFD - iPad net-Banking (diagram)
  16. #2 – STRIDE Model: Threat Categories (figure)
  17. #2 - Threat Agents (figure)
  18. #2 - Threats - iPad net-Banking - Example (figure)
  19. #2 - Different threats affect each type of element
     DFD ID | Threat ID | Comment | S T R I D E
     • 2 (iPad) | T1 | Unsecure backups; Memory-card access; Data interception by locally installed malware
     • 3 (Transport - Internet) | T2 | Sniffers, gateways, cache proxies, MitM, etc.
     • 7 (Banking App) | T3 | Offensive / hostile / corrupt requests
     (The per-row S T R I D E marks are not in the text export.)
  20. Step #3: Vulnerabilities identification
  21. #3 - Security controls - Example
     Threat ID | Family | Controls
     • T1 | Feature: local mobile application sandboxing | Secure offline data storage; Secure online data storage (in-memory storage); Secure environment validation (OS + client application integrity); Safeguards against malware
     • T2 | Feature: data transport security | Confidential transport
     • T3 | Feature: secure architecture | Defense in depth; Privilege separation; Trusted links & endpoint
     • T3 | Process: secure software development | Presence of software security assurance controls in each development lifecycle: Outsourced Dev; Acme Bank
  22. #3 - Vulnerabilities identification
     Threat ID | Controls | V-ID | Vulnerabilities
     • T1 | Secure offline data storage; Secure online data storage (in-memory storage); Secure environment validation (OS + client application integrity); Safeguards against malware | V100 | ??
     • T2 | Confidential transport | V200 | No Application Level Data Security
     • T3 | Defense in depth; Privilege separation; Trusted links & endpoint | V300 | No Hardening Strategy at Service Layer
     • T3 | Presence of software security assurance controls in each development lifecycle: Outsourced Dev; Acme Bank | V400 | Poor SDLC activities
  23. #3 - V100 - unknown
     • Data sharing between apps?
     • Device jailbreaking?
     • Malicious legal app?
  24. #3 - V200 - No Application Level Data Security (diagram: Banking App)
  25. #3 - V300 - No Hardening Strategy at Service Layer
     • No XML Firewall
     • No mutual-trust SSL at WS transport level
     • No hardening at OS & service level
  26. #3 - V400 - Poor SDLC activities (Microsoft SDL)
  27. #3 - Security assurance during development
     Assurance level: ?
     Project phase | Security activities
     • Analysis | Security requirements; Compliance reqs., policy
     • Design | Secure design / design security review; Threat model; Security testing plan
     • Implementation | Safe APIs; Secure coding / defensive programming; Automated source code analysis
     • Verification | Security testing; Penetration testing
     • Delivery | Secure default configuration; Hardening / secure deployment guides; Configuration validation
     • Operations | Incident response process; Threat / vulnerability management
  28. #3 – Web Agency: software development security assurance
     • Project phases: Analysis, Design, Implementation, Verification, Delivery, Operations
     • Security activities: involvement of a security architect during the design process; use of automated code quality analysis tools; experience with customers conducting regular security evaluations
  29. #3 - Acme Bank: software development security assurance
     • Project phases: Analysis, Design, Implementation, Verification, Delivery, Operations
     • Assurance level: ?
  30. #3 - Software development security assurance: Summary
     Actor | Assurance level | Conclusions
     • Outsourced Dev |  | Assurance level is low. Acme Bank shall agree with the vendor on minimum security assurance requirements along the project, or establish a clear statement of responsibilities (SLA).
     • Acme Bank | ? | Assurance level is low. Acme Bank shall define minimum security assurance requirements with project management.
  31. Step #4: Impact analysis
  32. #4 – Impact analysis – Example
     V-ID | Description | Severity | Exposure
     • V-100 | Information disclosure on iPad | HIGH | Additional controls needed
     • V-200 | Information disclosure on data transport | MEDIUM | Additional controls needed
     • V-300 | Intrusion on Banking Application | HIGH | Additional controls needed
     • V-400 | Intrusion on Banking Application | HIGH | Additional controls needed
  33. Step #5: Risk estimation
  34. #5 – Risk estimation - Example
     R-ID | V-ID | Description | Likelihood | Severity | Tech. Impact | Business Impact
     • R-1 | V-200 | Theft of credentials or personal data during transport | MEDIUM | HIGH | Confidentiality | Compliance, Reputation
     • R-2 | V-300, V-400 | User input tampering attempts resulting in system compromise | LOW | HIGH | Integrity | Compliance, Reputation, Operations
     • R-3 | -- | -- | -- | -- | -- | --
     • R-4 | -- | -- | -- | -- | -- | --
     • R-5 (empty row)
     • R-6 (empty row)
  35. Step #6: Risk treatment and mitigation
  36. #6 – Security controls - Example
     Reco. ID | Risk | Description | Decision
     • SC.1 | R-1 | Perform a pentest on the iPad application | Mitigate
     • SC.2 | R-1 | Implement data encryption for transport | Mitigate
     • SC.3 | R-2 | Deploy an XML Firewall in front of the Web Service | Mitigate
     • SC.4 | R-2 | Perform code review; Perform pentest | Mitigate
  37. Conclusion
     • Security in mind during the project
     • Iterative process
       • Risk Assessment during the project
       • Risk Assessment after deployment
     • Threat Modeling
       • A new approach
       • A guideline for all projects
  38. Questions?
  39. Who am I?
     • Security Expert
       • 17 years of experience in ICT Security
       • Principal Consultant at MARET Consulting
       • Expert at the Engineering School of Yverdon & Geneva University
       • Swiss French Area delegate at OpenID Switzerland
       • Co-founder of the Geneva Application Security Forum
       • OWASP Member
       • Author of the blog: la Citadelle Electronique
       • http://ch.linkedin.com/in/smaret or @smaret
       • http://www.slideshare.net/smaret
     • Chosen field
       • AppSec & Digital Identity Security
  40. References
     • https://www.owasp.org/index.php/Application_Threat_Modeling
     • http://msdn.microsoft.com/en-us/library/ff648644.aspx
     • http://en.wikipedia.org/wiki/Threat_model
     • http://www.microsoft.com/security/sdl/default.aspx
     • http://www.appsec-forum.ch/
  41. "Consulting and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
  42. Backup Slides
  43. #2 - Understanding the threats
     Threat | Property | Definition | Example
     • Spoofing | Authentication | Impersonating something or someone else | Pretending to be any of billg, xbox.com or a system update
     • Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network
     • Repudiation | Non-repudiation | Claiming to have not performed an action | “I didn’t cheat!”
     • Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app
     • Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
     • Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
     Source: Microsoft SDL Threat Modeling
  44. #3 - V400 - Poor SDLC activities
     • Software assurance maturity models: SAMM (OWASP)
  45. #2 – Data Flow Diagram
     • External entity: People; Other systems; Microsoft.com; etc.
     • Process: DLLs; EXEs; Components; Services; Web Services; Assemblies; etc.
     • Data Flow: Function call; Network traffic; Shared Memory; etc.
     • Data Store: Database; File; Registry; Queue/Stack; etc.
     • Trust Boundary: Process boundary; File system
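The STRIDE-per-element step behind slides 19, 21 and 22 (and the backup slides 43 and 45) can be made checkable: list the DFD elements, derive the threat categories each element type attracts, and compare them with the categories the planned control families address, so that an element whose only controls are confidentiality controls shows its open tampering or availability cases. The Python below is an added example, not code from the deck or from MARET Consulting; the STRIDE-per-element chart is the standard one from the Microsoft SDL practice the deck references, while the element kinds for DFD ids 2, 3 and 7 and the control-to-category mapping are this example's assumptions.

```python
from dataclasses import dataclass

# STRIDE-per-element chart from the Microsoft SDL threat modeling practice:
# the threat categories (S T R I D E) that apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    threat_id: str   # T1..T3, as numbered on the threats slide
    dfd_id: int      # element number in the DFD
    name: str
    kind: str        # key of STRIDE_PER_ELEMENT

def applicable_threats(kind):
    """Full names of the STRIDE categories that apply to one DFD element type."""
    return [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT[kind]]

def coverage_gaps(elements, controls):
    """Per threat id, the applicable categories that no control family addresses.
    controls maps threat_id -> set of category letters the listed controls cover."""
    return {e.threat_id: [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT[e.kind]
                          if c not in controls.get(e.threat_id, set())]
            for e in elements}

# DFD elements 2, 3 and 7 from the threats slide; the element kinds are this
# example's reading of the diagram (assumption), not stated in the deck's text.
IPAD_DFD = [
    Element("T1", 2, "iPad local data", "data_store"),
    Element("T2", 3, "Transport - Internet", "data_flow"),
    Element("T3", 7, "Banking App", "process"),
]
# Categories the slide-21 control families address (this example's mapping):
# T1 and T2 controls are confidentiality controls; T3's defense in depth and
# privilege separation address tampering by hostile requests and elevation.
IPAD_CONTROLS = {"T1": {"I"}, "T2": {"I"}, "T3": {"T", "E"}}

if __name__ == "__main__":
    for tid, gaps in coverage_gaps(IPAD_DFD, IPAD_CONTROLS).items():
        print(f"{tid}: uncovered -> {', '.join(gaps) or 'none'}")
```

Run as a script it prints, per threat id, the applicable categories with no control family behind them (for T1: Tampering, Repudiation and Denial of Service), which is the list a step-3 review has to either cover with a control or explicitly accept.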
