Presented by Mike Sues, Ethical Hack Specialist Threat Modeling.

Slides:



Advertisements
Similar presentations
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
Advertisements

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
1 Telstra in Confidence Managing Security for our Mobile Technology.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena.
Architecting secure software systems
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
By Hafez Barghouthi. Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation.
Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003.
Security Architecture
1 Presented by July-2013, IIM Indore. 2  RFID = Radio Frequency IDentification.  RFID is ADC (Automated Data Collection) technology that:-  uses radio-frequency.
SEC835 Practical aspects of security implementation Part 1.
CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Threat Modeling.
Secure Design Computer Security I CS461/ECE422 Fall 2009.
INTRUDERS BY VISHAKHA RAUT TE COMP OUTLINE INTRODUCTION TYPES OF INTRUDERS INTRUDER BEHAVIOR PATTERNS INTRUSION TECHNIQUES QUESTIONS ON INTRUDERS.
Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium.
Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
Module 6: Designing Security for Network Hosts
Module 11: Designing Security for Network Perimeters.
Module 9: Designing Security for Data. Overview Creating a Security Plan for Data Creating a Design for Security of Data.
Practical Threat Modeling for Software Architects & System Developers
Chap1: Is there a Security Problem in Computing?.
Security fundamentals Topic 1 Addressing security threats and vulnerabilities.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
Module 2: Designing Network Security
The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.
CSC 593: Secure Software Engineering Seminar
CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel.
Computers and Security by Calder Jones. What is Computer Security Computer Security is the protection of computing systems and the data that they store.
Chapter 1: Security Governance Through Principles and Policies
Module 7: Designing Security for Accounts and Services.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
Security Development Lifecycle. Microsoft SDL 概觀 The SDL is composed of proven security practices It works in development organizations regardless of.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Lecture 16 Page 1 CS 236 Online Evaluating Program Security What if your task isn’t writing secure code? It’s determining if someone else’s code is secure?
Threat Modeling for Cloud Computing
Manuel Brugnoli, Elisa Heymann UAB
Threat Modeling - An Overview All Your Data is Mine
Network Security (the Internet Security)
CHAPTER FOUR OVERVIEW SECTION ETHICS
Secure Software Confidentiality Integrity Data Security Authentication
Evaluating Existing Systems
Threat modeling Aalto University, autumn 2013.
Chapter 17 Risks, Security and Disaster Recovery
Evaluating Existing Systems
Off-line Risk Assessment of Cloud Service Provider
Evaluating Program Security
A Data Focussed Approach to Mapping Security Issues to Safety Impacts Dr Robert Oates Private – Rolls-Royce Proprietary Information.
How to Mitigate the Consequences What are the Countermeasures?
CS 465 Terminology Slides by Kent Seamons Last Updated: Sep 7, 2017.
CHAPTER FOUR OVERVIEW SECTION ETHICS
Engineering Secure Software
Copyright Gupta Consulting, LLC.
Engineering Secure Software
The design and development of Vulnerability management system
Threat Modelling and Risk Assessment
Presentation transcript:

Presented by Mike Sues, Ethical Hack Specialist Threat Modeling

2 Threat Modelling Objectives  To understand  The basics of threat modeling  Where threat modeling fits in the SDLC  Use and construction of attack trees

3 Talk Outline  Threat modeling  SDLC  Attack trees Threat Modelling

4 Motivation  Threat Risk Assessment  Understand threats and risks  Manage costs of mitigation  Minimize the attack surface  Sales  Increased security/privacy concerns  C & A Threat Modelling

5 Historically  Lack of understanding of threats  Security was an add-on  Band-aid solutions  Use of security buzzwords/technology Threat Modelling

6 Threat Modeling  Threat Risk Assessment  Apply appropriate controls  Attack Trees Threat Modelling

7 Goals  Identify,  assets protected by the application  threats to the assets  Develop,  Mitigation strategies Threat Modelling

8 Assets  Data  Application  Configuration  Database records Threat Modelling

9 Assets  Examples  Application  Code  Configuration  User authentication credentials  Business data  User data records  Audit trails Threat Modelling

10 Assets  Value  Classification  Monetary value  Replacement cost  Intangible  Reputation Threat Modelling

11 Threats  Model application and data flows  High-level architectural diagram of application  Model threats to assets  Multiple vectors  Consider,  Asset  Severity  Likelihood  Costs Threat Modelling

12 Threats  Taxonomy  S.T.R.I.D.E  S poofing  T ampering  R epudiation  I nformation disclosure  D enial of service  E levation of privilege Threat Modelling

13 Threats  Spoofing  Replay requests to a database server to gain unauthorized access to data  Tampering  Defacement of a web site  Repudiation  Deleting or modifying audit trail records  Information disclosure  Gaining unauthorized access to data Threat Modelling

14 Threats  Denial of service  Crashing or flooding a service  Elevation of privilege  Hijacking another user’s session with the application to gain access to the user’s data Threat Modelling

15 Threats  Attack trees  Graphically model attack goals & vectors  Root of tree is the overall goal  e.g. Steal passwords  Children are sub-goals  One step or multiple steps  e.g. Collect plaintext passwords or shoulder surf  e.g. Collect password hashes and crack hashes  e.g. Gain privileged access and install keystroke collector and exfiltrate password Threat Modelling

16 Attack Trees Threat Modelling Steal passwords Shoulder surfCollect sessions Parse plaintext password Parse password hash Crack password hash Gain remote access Install keystroke logger Exfiltrate passwords

17 Attack Trees  Node attributes  Cost  Availability of tools  etc  Threat evaluation  Risk Threat Modelling

18 Mitigation  Rank threats  Prioritize  Develop a strategy,  Ignore the risk  Accept the risk  Delegate the risk  Fix the problem Threat Modelling

19 Exercise  HackMe Travel  Identify assets  Identify threats  STRIDE  Build one attack tree Threat Modelling

20 Conclusion  Threat modeling,  Understanding the threat environment  Manage costs of mitigation  Guide to the application secure design principles  Minimize an application’s attack surface Threat Modelling

21 Conclusion  Questions? Threat Modelling

22 w w w. r i g e l k s e c u r i t y. c o m Presented by Mike Sues, Ethical Hack Specialist m s u e r i g e l k s e c u r i t y. c o m Marie Pilon, Director of Operations t r a i n i n r i g e l k s e c u r i t y. c o m Rigel Kent Training Preston St. 3 Rd Floor – Ottawa, On 1(613)233-HACK H8CK

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.