Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./

Published byCitlali Gomer Modified over 9 years ago

Similar presentations

Presentation on theme: "1 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./"— Presentation transcript:

1 1 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Threat Modeling and the Zero Day Problem A quick look at how methodical threat modeling could combat an enterprise’s security problem Christopher Lee

2 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 2 Agenda n Software Vulnerabilities are Out of Control! n The Basic Vocabulary of Risk Management n What is Threat Modeling n How does Threat Modeling help, even in the face of Zero-day vulnerabilities?

3 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 3 Coping with Vulnerabilities n Vulnerabilities are being reported at an alarming rate, despite vendors’ focus on writing secure code. CERT/CC Statistics 1988-2007 Year200120022003200420052006 2007 – Q1-Q3 # of vulnerabilities 2,4374,1293,7843,7805,9908,0645,568

4 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 4 Cost of Reacting to Those Vulnerabilities… n Two major reactionary response to Software Vulnerabilities n Patching n System –or- Software Reconfiguration n “10% of machines will need to patched manually at a cost of $50/machine”. - Marc Donner, executive director, Morgan Stanley n $50 * 500 = $25,000 (plus the cost of patch management software and patch testing). n …and this is only for one patch in a 5000-node network… n Major software vendors have published their own “Hardening Guidelines” n In essence, accept no system defaults and remove everything that you don’t need. n However, the operating system vendor’s harden recommendation could also prevent some application from working… n More importantly, system and/or software reconfiguration tend to cost even more than applying patches. n Reactive measures are not the answer!

5 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 5 Let’s be Proactive… n More Firewalls? n More IDS/IPS? n More Heuristics? n More Security Widgets? n More Consultants? n Where is the end to this Madness!

6 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 6 Establish the Language… n Asset n Control n Threat n Vulnerability n Risk

7 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 7 Establish the Language - Asset n Asset n Something an organization has determined to be valuable and must be protected. n e.g. Resource, Process, Product, Infrastructure, Engineering Diagrams, and etc

8 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 8 Establish the Language - Safeguard n Control n Product and/or processes employed to mitigate a specific threat( or a group of threats) to an acceptable level n e.g. Firewall, Locked Doors, Smart Cards, DRP/BCP Processes, Insurance, and etc.

9 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 9 Establish the Language - Threat n Threat n Activity that represents possible dangers to the Assets n e.g. Unexpected Destruction of Buildings, Loss of Power, Destructive Virus, Departure of key Technical Staff n Not possible to protect against all threats

10 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 10 Establish the Language - Vulnerability n Vulnerability n Weakness that allow threats to materialize n Absence of sufficient safeguard n e.g. Poorly Designed Network, Improperly Configured Equipment, Poor Choice of Passwords, Lack of Redundancy, and etc.

11 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 11 Establish the Language - Risk n Risk n = Threat * Vulnerability * Assets Values n The degree for which the vulnerability can be exploited by one or more previous identified threats n Assessed either Quantitatively or Qualitatively

12 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 12 Threat Modeling n Overview of the methodology: 1. Identify Assets 2. Identify Asset Access Mechanism 3. Create Architecture Overview 4. Identify Threats 5. Document Threats 6. Qualify Threats

13 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 13 Threat Modeling – a Walkthrough n ACME Inc. n Financial Data Services n Migrate from Global Dialer to Internet n Client-Server application Client:Visual C++ on Win32 platforms Server:C++ on AIX Middleware: WebSphere MQ-Series Database:DB2

14 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 14 Threat Modeling – a Walkthrough n Step 1, Identify the Assets n The financial data

15 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 15 Threat Modeling – a Walkthrough n Step 2, Identify Asset Access Mechanism n The data is stored in database. And is created, modified, and queried by the end-user through the application server

16 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 16 Threat Modeling – a Walkthrough n Step 3, Create Architecture Overview

17 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 17 Threat Modeling – a Walkthrough n Step 4, Identify the Threats n Eavesdropping Data during Transit n Data Modification/Injection during Transit n Single Points of Failure at Firewall Application Server Database Server n Lack of communication control / physical separation to the DB2

18 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 18 Threat Modeling – a Walkthrough n Step 5, Document the Threats Threat Description Eavesdropping Data during Transit Threat Target Message between Client and Server Risk????? Attack TechniqueTraffic Capturing CountermeasureIPSEC Encryption

19 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 19 Threat Modeling – a Walkthrough n Step 6, Qualify the Threats n The DREAD Model (4) High = 3Medium = 2Low = 1 Damage Potential The attacker can subvert the security system; get full trust authorization; run as administrator; upload content. Leaking sensitive informationLeaking trivial information Reproducibility The attack can be reproduced every time and does not require a timing window. The attack can be reproduced, but only with a timing window and a particular race situation. The attack is very difficult to reproduce, even with knowledge of the security hole. Exploitability A novice programmer could make the attack in a short time. A skilled programmer could make the attack, then repeat the steps. The attack requires an extremely skilled person and in-depth knowledge every time to exploit. Affected Users All users, default configuration, key customers Some users, non-default configuration Very small percentage of users, obscure feature; affects anonymous users Discoverability Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable. The vulnerability is in a seldom- used part of the product, and only a few users should come across it. It would take some thinking to see malicious use. The bug is obscure, and it is unlikely that users will work out damage potential.

20 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 20 Threat Modeling – a Walkthrough n Threat: Eavesdropping Data during Transit n Damage Potential = 2 n Reproducibility = 3 n Exploitability = 2 n Affected Users = 3 n Discoverability = 2 n RISK = 2 + 3 + 2 + 3 + 2 = 12

21 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 21 Apply the Results of Threat Modeling

22 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 22 Upcoming Advisories?

23 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 23 Time between Vulnerability Discovery and Patch Release n Microsoft Security Bulletin MS05-014 n Vendor Notified on Feb-16-2004 (6) n Patch released on Feb-08-2005 (Previously released on Nov-2004)

24 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 24 The Zero-Day Problem… n Patches and workarounds are released after the fact n So is Anti-Virus signatures… n So is Intrusion Prevention Signatures… n What happens between an exploit for a vulnerability is discovered and when one of the above is released?

25 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 25 Threat Modeling for the Zero-Day n Threat Modeling gives us: n Identification of information assets n Identification of threats and associated qualifications n Basis for Risk Assessment Risk Mitigation Strategies Basis for implementation of Products & Processes n No more surprises, no more scrambling, and no more crisis.

26 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 26 Threat Modeling ≠ Silver Bullet n You can’t always eliminate the Risks! n Effectiveness depends on Subject Matter Expertise on the implemented technology n Evolution of Technology

27 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 27 Conclusion n Race between Reactive Countermeasures and Vulnerability Discovery is a fact of life n Systematic defense, build on thorough Threat Modeling methodology, is your best protection n There is still no silver bullet!

28 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 28 References 1. CERT Statistics: http://www.cert.org/stats/cert_stats.htmlhttp://www.cert.org/stats/cert_stats.html 2. Marc Donner, “Bits, Bad Guys, and Bucks”, Volume Three, Issue Two, Secure Business Quarterly, http://www.sbq.com/sbq/patch/sbq_patch_mdonner.pdf http://www.sbq.com/sbq/patch/sbq_patch_mdonner.pdf 3. Dana Epp, “Dana Epp's ramblings at the Sanctuary: Understanding Threat Modeling”, retrieved on May 22, 2005, http://silverstr.ufies.org/blog/archives/000611.html http://silverstr.ufies.org/blog/archives/000611.html 4. J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, Microsoft Corporation, “Threat Modeling”, retrieved on May 22, 2005, http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en- us/dnnetsec/html/thcmch03.asphttp://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en- us/dnnetsec/html/thcmch03.asp 5. Carnegie Mellon Software Engineering Institute, “Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0”, retrieved on May 22, 2005 http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017figures.htmlhttp://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017figures.html 6. Jouko Pynnonen (February, 2005). Posting to the BugTraq mailing list RE: “Internet Explorer zone spoofing with encoded URLs”, retrieved on May 22, 2005, http://www.securityfocus.com/archive/1/389859/2005-02-03/2005-02-09/0http://www.securityfocus.com/archive/1/389859/2005-02-03/2005-02-09/0

29 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. 29 Questions?

Download ppt "1 ® MD Manitoba Telecom Services Inc. Used under license. / Utilisé en vertu d’une licence. MTS Allstream Inc. proprietary. Use pursuant to company instructions./"

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
© 2008 Oracle Corporation – Proprietary and Confidential.

© 2008 Oracle Corporation – Proprietary and Confidential.
Requirements Engineering Processes – 2

Requirements Engineering Processes – 2
Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.

Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.
Client Tools Explained EAE 3014

Client Tools Explained EAE 3014
Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.

Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.
Chapter 1: The Database Environment

Chapter 1: The Database Environment
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
No 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W Andersson The Swedish National Audit Office Oman 2007-03-03.

No 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W Andersson The Swedish National Audit Office Oman
© UNCTAD 2000 1 End. © UNCTAD 2000 2 End Direct Trader Input A short description of how Direct Trader Input ( DTI) is implemented using the ASYCUDA ++

© UNCTAD End. © UNCTAD End Direct Trader Input A short description of how Direct Trader Input ( DTI) is implemented using the ASYCUDA ++
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
DISTRICT AND SCHOOL ASSESSMENT & TECHNOLOGY COORDINATOR ONLINE TESTING WEBINAR FEBRUARY 7 AND 9, 2012 Washington Online Testi ng OSPI Office of Superintendent.

DISTRICT AND SCHOOL ASSESSMENT & TECHNOLOGY COORDINATOR ONLINE TESTING WEBINAR FEBRUARY 7 AND 9, 2012 Washington Online Testi ng OSPI Office of Superintendent.
1 E-business Security and Control 2 Opening Case: Visa 10 commandments for online merchants – Maintaining a network firewall – Keeping security patches.

1 E-business Security and Control 2 Opening Case: Visa 10 commandments for online merchants – Maintaining a network firewall – Keeping security patches.
1 Term 2, 2004, Lecture 9, Distributed DatabasesMarian Ursu, Department of Computing, Goldsmiths College Distributed databases 3.

1 Term 2, 2004, Lecture 9, Distributed DatabasesMarian Ursu, Department of Computing, Goldsmiths College Distributed databases 3.
Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
Modern Systems Analyst and as a Project Manager

Modern Systems Analyst and as a Project Manager
Making the System Operational

Making the System Operational

Similar presentations

Ads by Google