Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat analysis Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014.

Similar presentations


Presentation on theme: "Threat analysis Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014."— Presentation transcript:

1 Threat analysis Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014

2 Threats  Threat = something bad that can happen  Given an system or product – Assets: what is there to protect? – What are the threats against these assets? – How serious are the threats i.e. what is the risk? 2

3 3 [Internet, original source unknown]

4 Security “pixie dust”  Security mechanism are often applied without particular reason – Cryptography, especially encryption does not in itself make your system secure  If there is no explanation why some security mechanism is used, ask questions: – What threats does it protect against? – What if we just remove it? – Is there something simpler or more suitable for the purpose?  Must understand threats before applying security mechanisms 4

5 5 [Internet, original source unknown]

6 Threat modeling approaches  Different angles to threat modeling: – Assets: what is valuable in the system and how could it be lost? – Attackers and their motivations: who would want to do something bad and why? – Engineering: what parts are there in the system and how could they be caused to fail? – Defenses: what (more) could be done to prevent or mitigate attacks? – Checklists, lessons learned: what has gone wrong in the past? 6

7 Case study  Drink vending machine with text-message payment  Public-transport ticketing  Electronic postage stamps 7

8 Public transport ticketing 8 Clearing Operator backend system Station and depot systems POS terminal Vehicle terminal Travel card Internet shop Internet shop NFC interface Connections over Internet Wireless data Possibly multiple operators

9 Assets  Travel – Right to travel – Transport capacity (seats)  Money – Money spent on ticket purchases – Stored value tickets: balance on card – Money received from ticket sales – Money received from public subsidies  Personally identifiable information (PII) – Passenger identity, travel history  Secondary: – Terminals in vehicle or at the station, POS terminals – Cards – Keys – Back-end IT system 9

10 Potential attackers and their motivation  Passengers: want to travel and save money  Criminals: want to make money  Insider attackers: want to make money or get other benefits – Operator employees, IT staff – Sales staff, bus drivers  Nosy people and organizations (passengers’ family, police, stalker etc.): want PII  Operators: extra payment, subsidies, tax savings – Competitors might want to hurt business  Outsiders, vandals, hackers (on the Internet) 10

11 Threats / potential attacks  By passengers: – Sharing tickets: passback etc. – Ticket copying and counterfeit tickets – Misuse of discount tickets, using a cheaper ticket – Intentionally losing or breaking cards and getting replacement or free rides – Misuse of customer complaints – Riding without a ticket in open ticketing (e.g. Helsinki Metro and trains) – Vandalism of readers to get free rides for everyone – Credit default on postpaid tickets  By criminals: – Counterfeit tickets – Sale of fake tickets that might not even not work – Ticket theft, sale of stolen tickets – Resale of used tickets (e.g. London ticket touts)  By insiders: – Free tickets or rides for themselves and for friends – Keeping money from sold tickets – Selling rides without giving a ticket or receipts  By nosy people and organizations: – Learning passenger identity or route, from card or backend database – Keeping personal information unnecessarily  By traffic operators: – Misuse of public subsidies, tax fraud – Anything to damage competing business  By outsiders and hackers: – Vandalism – All kinds of Internet attacks 11

12 SYSTEMATIC THREAT MODELING 12

13 Basic security goals  Consider first the well-known security goals: – Confidentiality – Integrity – Availability – Authentication – Authorization – Non-repudiation  Which goals apply to the system? How could they be violated? 13

14 Threat trees 14 [source: Microsoft]

15 STRIDE  STRIDE model used at Microsoft: – Spoofing vs. authentication – Tampering vs. integrity – Repudiation vs. non-repudiation – Information disclosure vs. confidentiality – Denial of service vs. availability – Elevation of privilege vs. authorization  Idea: divide the system into components and analyze each component for these threats – Note: security of components is necessary but not sufficient for the security of the system 15

16 STRIDE  Model the system as a data flow diagram (DFD) – Data flows: network connections, RPC – Data stores: files, databases – Processes: programs, services – Interactors: users, clients, services etc. connected to the system  Also mark the trust boundaries in the DFD  Consider the following threats: 16 SpoofingTamperingRepudiation Information disclosure Denial of service Elevation of privilege Data flow xxx Data store xxx Processxxxxxx Interactorxx

17 17 [source: Microsoft]

18 Risk assessment  Risk assessment is very subjective, many definitions: – Risk = probability of attack × damage in euros – 0 < Risk < 1 – Risk = low, medium, high  Numerical risk values tend to be meaningless: – What does risk level 0.4 mean in practice?  Usually difficult to assess absolute risk but easier to prioritize threats  Risk assessment models, e.g. DREAD – Damage: how much does the attack cost to defender? – Reproducibility: how reliable is the attack – Exploitability: how much work to implement the attack? – Affected users: how many people impacted? – Discoverability: how likely are the attackers to discover the vulnerability? 18

19 Pitfalls in risk assessment  The systematic threat analysis methods help but there is no guarantee of find all or even the most important threats  You need to understand the system: technology, architecture, stakeholders and business model  Attackers are clever and invent new threats while threat analysis often enumerates old ones  Always start by considering assets and attackers, not technology or security mechanisms 19

20 Saltzer and Schroeder  Design principles that help avoid problems – Violations often indicate vulnerabilities  Saltzer and Schroeder design principles [CACM 1974]: – Economy of mechanism: keep the design simple – Fail-safe defaults: fail towards denying access – Complete mediation: check authorization of every access request – Open design: assume attacker knows the system internals – Separation of privilege: require two separate keys or other ways to check authorization whenever possible – Least privilege: give only the necessary access rights – Least common mechanisms: ensure failures stay local, diversity – Psychological acceptability: design security mechanism that are easy to use correctly 20

21 What next?  After identifying threats, we must assess the risk, prioritize the threats and choose countermeasures  The process is iterative i.e. new analysis must be done after designing the system with countermeasures  More detailed threat models can be done for each system component  Threat analysis should be done during system design but can also be done on existing systems 21

22 Reading material  Dieter Gollmann: Computer Security, 2nd ed., chapter 1.4.3; 3rd ed., chapter 2  Ross Anderson: Security Engineering, 2nd ed., chapter 25  Swiderski and Snyder, Threat modeling, 2004  Online resources: – OWASP, Threat Risk Modeling, https://www.owasp.org/index.php/Threat_Risk_Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling – MSDN, Uncover Security Design Flaws Using The STRIDE Approach, – MSDN, Improving Web Application Security: Threats and Countermeasures, Chapter

23 Exercises  Analyze the threats in the following systems: – Oodi student register, https://oodi.aalto.fi/https://oodi.aalto.fi/ – Noppa – Remote read electric meter – University card keys – Traffic light priority control for public transportation – Lyyra student card, https://www.lyyra.fi/ (based on Sony FeliCa contactless ICC)https://www.lyyra.fi/  What are the assets and potential attackers?  Apply the STRIDE model or threat trees; this will require you to model the system first 23


Download ppt "Threat analysis Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014."

Similar presentations


Ads by Google