Threat modeling - ISACA presentations/Jeff... (posted 22-Feb-2018)


Threat Modeling: Finding Security Threats Before They Happen (A Quick Summary)

Jeff Kalwerisky, CA(SA), CISA, HISP, VP & Director, Cybersecurity & Technical Training

CPE Interactive, Inc.

The Dilemma for Audit & InfoSec

Major security and privacy disasters occur daily:

• Major banks subject to DDoS attacks; offline for hours, days, weeks
• Tens of millions of credit cards, customer records, personal information routinely compromised
• Sensitive private information and IP stolen and published for the world to see
• An entire company’s data wiped out: all servers and users’ workstations

Cybercrime is rampant

The Hall of Shame: Some Recent Hackees

Uncle Sam:

Dear Auditor: Spot the Error(s)

“There are basically 2 types of organizations. Those that have been hacked and those that don’t yet know they’ve been hacked.”

FBI director, James Comey, May 2014

On average, it takes companies three months to discover a breach and then more than four months to resolve it. In other words, cybercriminals are able to find a home and stay as unwelcome guests for well over 200 days on average.

Source: “The Post-Breach Boom”, Ponemon Institute report, 2015

“96% of UK companies have been hacked by cyber criminals with the aim to steal, change, or publish important data”

Source: Computer Week survey of global Chief Finance Officers and Finance Directors

In the USA, the number is “only” 80% of organizations

Why This Sorry State of Affairs?

Do you remember those happy days when information security meant ensuring:

• Data centers were locked?
• Magnetic ID badges to restrict access?
• Firewall and AV patches were up to date?
• Proper SoD between Ops and Dev?

Me neither!

So, Why Are We Using the Same Techniques As In Those Days?

Now That We’re Facing . . .

• Web apps, accessible by anyone, from anywhere
• BYOD, BYOA
• Mission-critical data is “up in the Cloud”
• Zero-day vulnerabilities
• Ransomware and other fun stuff
• Industrial espionage: mass data exfiltration
• Spear phishing
• APTs lurking inside

Relative Costs to Fix Flaws*

* IBM System Sciences Institute, Implementing Software Inspections

So, Why Don’t We Fix Those Flaws?

• Developers focus on making their systems work: debits = credits, 1 + 1 = 2

• Typically, they don’t have the skills to anticipate security flaws in their work

• So, which is easier to train:

– Developers about information security and controls, or

– Security / audit professionals to detect vulnerabilities early on and suggest appropriate mitigation strategies?

“To succeed in war, you must know your own strengths and weaknesses

and know your enemy’s strengths and weaknesses.

Lack of either might result in defeat.”

Gen. Sun Tzu: The Art of War, 500 BCE

Sun Tzu’s Principle In Modern Terms

You cannot know whether or not a system is secure until you understand its threats and its threat surface

A Practical Approach: Threat Modeling

A formal methodology to find potential security threats to a system, determine risks from those threats, rank the risks, and deploy appropriate mitigations, at any stage of the SDLC

A Threat Model Helps To …

1. Decompose the system, so we can understand it better
   • Its scope, functions, controls, technologies, etc.
2. Using a logical top-down approach
3. Our goals are to:
   • Understand the boundaries between trusted and untrusted components of the system
   • Identify and document potential vulnerabilities (threats)
   • Reduce the system’s attack surface

The Threat Modeling Process

Step 1: Model
Step 2: Enumerate Threats
Step 3: Rank Threats
Step 4: Mitigate
Step 5: Validate

(Diagram labels: Permanent Record; System Development/Deployment)

Model the system by following the data. The resulting models are called Data Flow Diagrams (DFDs).

Building the Model

1. Identify all the entities

2. Identify the IT processes

3. Identify major transactions

4. Identify file stores, both permanent and temporary

5. Locate all the trust boundaries

It Starts on the Whiteboard

Where are the Trust Boundaries?

Data crossing a trust boundary

• Example of a High-Level DFD
• A Simplified Web Payroll Application

[Figure: Level 0 (Context) DFD of the web payroll application; labels: External Entities, Multiple IT Process, Trust Boundary, Transaction Flows, Transaction Crossing A Trust Boundary]

[Figure: Web Payroll: Level-1 DFD; labels: Detailed IT Process, Data Storage (file or DBMS), Trust Boundary]
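The trust-boundary step of the model above, as an added example that is not part of the presentation: a constructed Level-1 DFD of a web payroll application, with a check that lists every data flow crossing from one trust zone to another (the zone names, element names and flows are assumptions).

```python
"""Trust-boundary analysis of a DFD (added example, not from the presentation).
The payroll DFD below is a constructed stand-in for the slide's diagram."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # DFD element type: "entity", "process" or "store"
    zone: str      # trust zone the element lives in (assumed names)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str      # what the flow carries, used for reporting

# Constructed Level-1 DFD of a simplified web payroll application.
ELEMENTS = {e.name: e for e in [
    Element("Employee", "entity", "internet"),
    Element("Payroll Clerk", "entity", "corporate LAN"),
    Element("Bank Gateway", "entity", "internet"),
    Element("Web Front End", "process", "DMZ"),
    Element("Payroll Engine", "process", "internal"),
    Element("Session Temp Files", "store", "DMZ"),
    Element("Payroll DB", "store", "internal"),
]}

FLOWS = [
    Flow("Employee", "Web Front End", "timesheet"),
    Flow("Web Front End", "Session Temp Files", "session state"),
    Flow("Web Front End", "Payroll Engine", "validated timesheet"),
    Flow("Payroll Clerk", "Payroll Engine", "pay-run approval"),
    Flow("Payroll Engine", "Payroll DB", "pay records"),
    Flow("Payroll Engine", "Bank Gateway", "payment file"),
]

def crossing_flows(elements, flows):
    """Flows whose source and destination sit in different trust zones."""
    return [f for f in flows if elements[f.src].zone != elements[f.dst].zone]

def flows_by_zone_pair(elements, flows):
    """Group the crossing flows by (from-zone, to-zone): each pair is one
    trust boundary whose controls must be designed and later validated."""
    groups = {}
    for f in crossing_flows(elements, flows):
        groups.setdefault((elements[f.src].zone, elements[f.dst].zone), []).append(f.data)
    return groups
```

Flows that stay inside one zone (the front end writing its own session files, the engine writing its own database) drop out, leaving the four boundary crossings where STRIDE threats are enumerated next.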

Finally, A Taxonomy of Security Threats: “STRIDE”

Ranking the Threats: The Hardest Job of All

The Classic Risk “Heat Map”

• Risks to be MONITORED: plan DETECTIVE action
• Risks to be INVESTIGATED: plan PREVENTIVE action
• Risks to be MITIGATED: plan CORRECTIVE action

Risk = Likelihood x Impact

(Heat map axes: Impact, Likelihood)

Let’s Think About the Good Ol’ Heat Map

Risk = Likelihood x Impact

• How well do we know Likelihood (probability) it will occur?
  – Perhaps, based on statistics: how many fires have occurred in the past in our neighborhood?
  – Perhaps, based on gut feel: We’re going to be hacked
  – At best, it’s an educated guess!
• How well do we know Impact – business effect in ₤, €, ¥?
  – We guess €100,000, ₤500,000, ¥10,000,000, . . .
• So, how accurate is Guess 1 x Guess 2?
  – Nothing more than pure GIGO!!

Threat Modeling Methodology Has a Better Way!

A Better Method to Calculate Risk

• Still not an exact science, but based on less “fluffy” numbers
• Things on which most analysts will agree
• Called DREAD:
  – Damage Potential: if the attack occurs and succeeds
  – Reproducibility: ease of making the attack work
  – Exploitability: amount of effort, expertise needed
  – Affected Users: number of users likely to be affected
  – Discoverability: likelihood that hackers will find the vulnerability
• Assess each of these on an agreed scale: 1-5 or 1-10
• Then take an average of the 5 DREAD scores

STRIDE and DREAD

STRIDE – type of threat

S – Spoofing

T – Tampering

R – Repudiation

I – Information Disclosure

D – Denial of Service

E – Elevation of Privilege

DREAD – threat impact

D – Damage Potential

R – Reproducibility

E – Exploitability

A – Affected Users

D – Discoverability

Ranked on a 1 – 10 scale
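The DREAD averaging described above, applied to STRIDE-classified threats, as an added example that is not part of the presentation: each threat carries five factor scores on the agreed scale, out-of-range or missing factors are rejected, and the averaged score orders the list (the threats and their scores are constructed).

```python
"""DREAD scoring and ranking of STRIDE-classified threats (added example, not
from the presentation; threats and scores below are constructed)."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    title: str
    stride: str    # one STRIDE letter
    scores: dict   # DREAD factor -> score on the agreed scale

def dread_score(threat, scale_max=10):
    """Average of the five DREAD factors, each required and within 1..scale_max."""
    missing = [f for f in DREAD if f not in threat.scores]
    if missing:
        raise ValueError(f"{threat.title}: missing DREAD factor(s) {missing}")
    for f in DREAD:
        if not 1 <= threat.scores[f] <= scale_max:
            raise ValueError(f"{threat.title}: {f} outside 1..{scale_max}")
    return sum(threat.scores[f] for f in DREAD) / len(DREAD)

def rank_threats(threats, scale_max=10):
    """(score, STRIDE category, title) tuples, highest risk first."""
    ranked = [(dread_score(t, scale_max), STRIDE[t.stride], t.title) for t in threats]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed threats against the slide's web payroll application.
THREATS = [
    Threat("Forged employee session at the web front end", "S",
           dict(damage=7, reproducibility=8, exploitability=6, affected_users=9, discoverability=8)),
    Threat("Pay-run approval altered between clerk and payroll engine", "T",
           dict(damage=9, reproducibility=4, exploitability=3, affected_users=9, discoverability=3)),
    Threat("No audit trail of who approved a pay run", "R",
           dict(damage=5, reproducibility=10, exploitability=2, affected_users=5, discoverability=4)),
    Threat("Payment file readable from the DMZ", "I",
           dict(damage=10, reproducibility=9, exploitability=5, affected_users=10, discoverability=6)),
]

if __name__ == "__main__":
    for score, category, title in rank_threats(THREATS):
        print(f"{score:4.1f}  {category:24s} {title}")
```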

We CAN Achieve This!

Q & (Some) A

My Co-ordinates

Jeff Kalwerisky
CPE Interactive, Inc.
(Atlanta, Georgia, USA)

Jeff@CPEinteractive.com
+1 404-380-1064
