Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Slides:

Advertisements

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Advertisements

Elevation of Privilege The easy way to threat model

Michael Howard   Microsoft employee for 17 years  Always in security  Worked on the SDL since inception.

Threat Modeling Michael Howard Principal Security Program Manager

Jon R. Wall Security / IA Microsoft Corp.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Systems Documentation Techniques

Day O’ Security An Introduction to the Microsoft Security Development Lifecycle Day 1: Threat Modelling - CIA and STRIDE.

Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

© Copyright 2011 John Wiley & Sons, Inc.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Chapter 6: The Traditional Approach to Requirements

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 STRIDE towards 2-factor Web SSO Rich Graves October 2014 GIAC GSE, GCIA, GCIH, GPEN,

Architecting secure software systems

(Duo) Multifactor at Carleton College work in progress Rich Graves

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

Karolina Muszyńska. Reverse engineering - looking at the solution to figure out how it works Reverse engineering - breaking something down in order to.

A Security Review Process for Existing Software Applications

Threat Modeling and Data Sensitivity Classification for Information Security Risk Analysis Secure Electronic Elections – Case Study Conference on Data.

CSC 386 – Computer Security Scott Heggen. Agenda Security Management.

Chapter 7 Structuring System Process Requirements

Enterprise Privacy Architectures Leveraging Encryption to Keep Data Private Karim Toubba VP of Product Management Ingrian Networks.

امیرحسین علی اکبریان.  Introduction  Goals of Threat Modeling  The approach Overview.

Secure Design Computer Security I CS461/ECE422 Fall 2009.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

Hands-On Threat Modeling with Trike v1. Generating Threats.

Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: Computers can do a lot of damage fast. There.

Practical Threat Modeling for Software Architects & System Developers

What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.

The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.

Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Computer Security By Duncan Hall.

CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel.

Chapter 1: Security Governance Through Principles and Policies

Presented by Mike Sues, Ethical Hack Specialist Threat Modeling.

Ken De Souza KWSQA, April 2016 V. 1.0

McGraw-Hill/Irwin Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 5 Modeling the Processes and Logic.

Security Development Lifecycle. Microsoft SDL 概觀 The SDL is composed of proven security practices It works in development organizations regardless of.

Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 Jeff Minelli Penn State ITS

Business Process Modeling What is a process model? – A formal way of representing how a business system operates. – Illustrates the activities that are.

Matthias Rohr Practical Threat Modeling with Microsofts Threat Modeling Tool 2016.

Threat Modeling - An Overview All Your Data is Mine

Evaluating Existing Systems

Threat modeling Aalto University, autumn 2013.

Evaluating Existing Systems

Off-line Risk Assessment of Cloud Service Provider

A Security Review Process for Existing Software Applications

Mike Goodwin OWASP Newcastle September 2017

CS 465 Terminology Slides by Kent Seamons Last Updated: Sep 7, 2017.

Engineering Secure Software

Copyright Gupta Consulting, LLC.

Engineering Secure Software

Presentation transcript:

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication

2 Copyright © Microsoft Corp 2006 Threat Analysis The goal of threat modeling is to: Find security design flaws Mitigate the threats Reduce risk

3 Copyright © Microsoft Corp 2006 The Updated Threat Modeling Process Plan Mitigations DefineScenariosCreateDFD Manual Rote Determine Threat Types Leverage Threat Trees Determine Risk

4 Copyright © Microsoft Corp 2006 Define Scenarios & Background Info Define the most common and realistic use scenarios for the application Example from Windows Server 2003 and Internet Explorer “Admin browsing the Internet from a Domain Controller” Example from Windows CE “The stolen device” Define your users

5 Copyright © Microsoft Corp 2006 Data Flow Diagrams (DFDs) A DFD is a graphical representation of how data enters, leaves, and traverses your component It is not a Class Diagram or Flow Chart! Shows all data sources and destinations Shows all relevant processes that data goes through Good DFDs are critical to the process This point can’t be emphasised enough! Building DFDs == understanding the system Analysing DFDs == understanding the threats

6 Copyright © Microsoft Corp 2006 Context Diagram: An Integrity Checker

7 Copyright © Microsoft Corp 2006 Level-0 DFD: An Integrity Checker

8 Copyright © Microsoft Corp 2006 Level-0 DFD: An Integrity Checker Each element in the DFD is susceptible to one or more threat types SR TID TID TID TID TID TID TID STRI DE TID TID TID TRID

9 Copyright © Microsoft Corp 2006 STRIDE A Taxonomy of Threat Types A more fine-grained version of CIA, but from an attacker’s perspective SpoofingTamperingRepudiation Information Disclosure Denial of Service Elevation of Privilege

10 Copyright © Microsoft Corp 2006 DFD Elements are Targets A “Work list” Each threat is governed by the conditions which make the threat possible Each is a potential threat to the system.

11 Copyright © Microsoft Corp 2006 Threat Tree Pattern Examples Spoofing

12 Copyright © Microsoft Corp 2006 A Special Note about Information Disclosure Threats All information disclosure threats are potential privacy issues. Raising the Risk. Is the data sensitive or PII?

13 Copyright © Microsoft Corp 2006 Calculating Risk with Numbers DREAD etc. Very subjective Often requires the analyst be a security expert On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key? Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?

14 Copyright © Microsoft Corp 2006 Calculating Risk with Heuristics Simple rules of thumb Real-world data Similar heuristics as the MSRC bulletin rankings

15 Copyright © Microsoft Corp 2006 Mitigation Techniques Threat Mitigation Feature SpoofingAuthentication TamperingIntegrity RepudiationNonrepudiaton Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization

16 Copyright © Microsoft Corp 2006 Code Review and the DFD Review code and data on the anonymous data flows, the threat path – this is where the bad guys go – they follow the line of least-resistance. AnonymousPriv UserPriv Remove anonymous data paths with authentication

17 Copyright © Microsoft Corp 2006 How to test What needs testing Testing Threats

18 Copyright © Microsoft Corp 2006  No design is complete without a threat model!  Follow anonymous data paths  Every threat needs a security test plan  Check all information disclosure threats – are they privacy issues?  Be wary of elevated processes  Use the threat modeling tool ( Threat Model Checklist