Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Published byBrandon Morrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication."— Presentation transcript:

1 Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication

2 2 Copyright © Microsoft Corp 2006 Threat Analysis The goal of threat modeling is to: Find security design flaws Mitigate the threats Reduce risk

3 3 Copyright © Microsoft Corp 2006 The Updated Threat Modeling Process Plan Mitigations DefineScenariosCreateDFD Manual Rote Determine Threat Types Leverage Threat Trees Determine Risk

4 4 Copyright © Microsoft Corp 2006 Define Scenarios & Background Info Define the most common and realistic use scenarios for the application Example from Windows Server 2003 and Internet Explorer “Admin browsing the Internet from a Domain Controller” Example from Windows CE “The stolen device” Define your users

5 5 Copyright © Microsoft Corp 2006 Data Flow Diagrams (DFDs) A DFD is a graphical representation of how data enters, leaves, and traverses your component It is not a Class Diagram or Flow Chart! Shows all data sources and destinations Shows all relevant processes that data goes through Good DFDs are critical to the process This point can’t be emphasised enough! Building DFDs == understanding the system Analysing DFDs == understanding the threats

6 6 Copyright © Microsoft Corp 2006 Context Diagram: An Integrity Checker

7 7 Copyright © Microsoft Corp 2006 Level-0 DFD: An Integrity Checker

8 8 Copyright © Microsoft Corp 2006 Level-0 DFD: An Integrity Checker Each element in the DFD is susceptible to one or more threat types SR TID TID TID TID TID TID TID STRI DE TID TID TID TRID

9 9 Copyright © Microsoft Corp 2006 STRIDE A Taxonomy of Threat Types A more fine-grained version of CIA, but from an attacker’s perspective SpoofingTamperingRepudiation Information Disclosure Denial of Service Elevation of Privilege

10 10 Copyright © Microsoft Corp 2006 DFD Elements are Targets A “Work list” Each threat is governed by the conditions which make the threat possible Each is a potential threat to the system.

11 11 Copyright © Microsoft Corp 2006 Threat Tree Pattern Examples Spoofing

12 12 Copyright © Microsoft Corp 2006 A Special Note about Information Disclosure Threats All information disclosure threats are potential privacy issues. Raising the Risk. Is the data sensitive or PII?

13 13 Copyright © Microsoft Corp 2006 Calculating Risk with Numbers DREAD etc. Very subjective Often requires the analyst be a security expert On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key? Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?

14 14 Copyright © Microsoft Corp 2006 Calculating Risk with Heuristics Simple rules of thumb Real-world data Similar heuristics as the MSRC bulletin rankings

15 15 Copyright © Microsoft Corp 2006 Mitigation Techniques Threat Mitigation Feature SpoofingAuthentication TamperingIntegrity RepudiationNonrepudiaton Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization

16 16 Copyright © Microsoft Corp 2006 Code Review and the DFD Review code and data on the anonymous data flows, the threat path – this is where the bad guys go – they follow the line of least-resistance. AnonymousPriv UserPriv Remove anonymous data paths with authentication

17 17 Copyright © Microsoft Corp 2006 How to test What needs testing Testing Threats

18 18 Copyright © Microsoft Corp 2006  No design is complete without a threat model!  Follow anonymous data paths  Every threat needs a security test plan  Check all information disclosure threats – are they privacy issues?  Be wary of elevated processes  Use the threat modeling tool (http://msdn.microsoft.com) Threat Model Checklist

Download ppt "Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Elevation of Privilege The easy way to threat model

Elevation of Privilege The easy way to threat model
Michael Howard   Microsoft employee for 17 years  Always in security  Worked on the SDL since inception.

Michael Howard   Microsoft employee for 17 years  Always in security  Worked on the SDL since inception.
Threat Modeling Michael Howard Principal Security Program Manager

Threat Modeling Michael Howard Principal Security Program Manager
Jon R. Wall Security / IA Microsoft Corp.

Jon R. Wall Security / IA Microsoft Corp.
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Systems Documentation Techniques

Systems Documentation Techniques
Day O’ Security An Introduction to the Microsoft Security Development Lifecycle Day 1: Threat Modelling - CIA and STRIDE.

Day O’ Security An Introduction to the Microsoft Security Development Lifecycle Day 1: Threat Modelling - CIA and STRIDE.
Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
© Copyright 2011 John Wiley & Sons, Inc.

© Copyright 2011 John Wiley & Sons, Inc.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Similar presentations

Ads by Google