Presentation on theme: "Risk Assessment What is RISK? requires vulnerability likelihood of successful attack amount of potential damage Two approaches: threat modeling."— Presentation transcript:
Risk Assessment What is RISK? requires vulnerability likelihood of successful attack amount of potential damage Two approaches: threat modeling OCTAVE
Threat Modeling (part of Microsoft’s Trustworthy Computing) Threat Modeling (part of Microsoft’s Trustworthy Computing) ______ potential for harmful event/attack can be realized by an… that occurs due to a… ______ that should be mitigated by a… __________ ____________
Threat Modeling (part of Microsoft’s Trustworthy Computing) Threat Modeling (part of Microsoft’s Trustworthy Computing) Why? create a list of vulnerabilities bridge gap between design & deployment help cross team communication raise awareness of security identify areas of security requiring more research The Players Customers Business Analysts Software architects Developers Testers
What can we prevent? What do we care about most? What is the worst thing that can happen? What laws and regulations apply? Step 1: Identify Security Objectives Identify the system assets. Focus on confidentiality, integrity, availability.
Ways to depict software architecture: __________ Diagram _____ Diagram Step 2: Describe System Architecture
Class Diagrams A picture depicting classes and interconnections. Basic NotationSimple Example
Data Flow Diagrams A picture depicting how data flows within a software system. Basic NotationSimple Example
Data Flow Example 2 Email System Data Flow Example 2 Email System
Drill down to details of software architecture: Data Flow Diagram processes expanded into other processes and flows Class Diagram include methods, packages, inner classes include files, external calls & parameter lists Step 3: Decompose app _____________
This requires a systematic approach: 2) use a classification framework like STRIDE _________(authenticity) _________(integrity) _________ _________ disclosure (confidentiality) _____ of service (availability) ________ of privilege (authorization) 1) look at detailed design for… trust boundaries entry points exit points Step 4: Identify Threats http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
Attack Trees Attack trees (also called threat trees) describe the nature of an attack. Drawing attack trees helps with understanding, discovering, and mitigating threats. Notation A tree root is the goal for the attack children (of a node) define methods to achieve parent children may be ORed or ANDed http://www.schneier.com/paper-attacktrees-ddj-ft.html
Develop a systematic approach: start with an accepted approach Step 5: Rate Threats adjust weighting with experience Two possible approaches Risk = Threat X Asset DREAD
Risk = Threat X Asset The basic formula: Risk = Threat probability * Damage potential Threat probability accounts for exploitability & mitigations. Damage potential is basically the cost or impact. Ranges? numbers might be difficult to use categories (3 to 5) is usually sufficient
A Graph of Threats High Medium Modest Low ModestMediumHigh Probability of Occurrence Potential Damage
DREAD (Microsoft’s first model) DREAD (Microsoft’s first model) Damage potential How much damage will the exploit produce? Reproducability How likely is it for the attack to recur? Exploitability How easy is it to carry out the attack? Affected users What fraction of users will be affected? Discoverability What are the odds an attacker can find the vul? Risk = min(D, (D+R+E+A+D)/5)
Problems with DREAD It’s not simple. Frequent disagreement over risk numbers customers don’t agree with developers people with the same roles don’t agree This lead to a simpler severity rating system... Originally, each vul (DREAD) was graded 0-no threat to 10-high. It’s subjective.
Your consent to our cookies if you continue to use this website.