Presented by Mike Sues, Ethical Hack Specialist Threat Modeling.


Slide 1: Threat Modeling. Presented by Mike Sues, Ethical Hack Specialist

Slide 2: Threat Modelling Objectives
- To understand:
  - The basics of threat modeling
  - Where threat modeling fits in the SDLC
  - Use and construction of attack trees
(Slide footer: Threat Modelling)

Slide 3: Talk Outline
- Threat modeling
- SDLC
- Attack trees

Slide 4: Motivation
- Threat Risk Assessment
  - Understand threats and risks
  - Manage costs of mitigation
  - Minimize the attack surface
- Sales
  - Increased security/privacy concerns
- C & A

Slide 5: Historically
- Lack of understanding of threats
- Security was an add-on
- Band-aid solutions
- Use of security buzzwords/technology

Slide 6: Threat Modeling
- Threat Risk Assessment
- Apply appropriate controls
- Attack Trees

Slide 7: Goals
- Identify:
  - Assets protected by the application
  - Threats to the assets
- Develop:
  - Mitigation strategies

Slide 8: Assets
- Data
- Application
- Configuration
- Database records

Slide 9: Assets: Examples
- Application
  - Code
  - Configuration
- User authentication credentials
- Business data
- User data records
- Audit trails

Slide 10: Assets: Value
- Classification
- Monetary value
- Replacement cost
- Intangible
  - Reputation

Slide 11: Threats
- Model application and data flows
  - High-level architectural diagram of the application
- Model threats to assets
  - Multiple vectors
- Consider:
  - Asset
  - Severity
  - Likelihood
  - Costs

Slide 12: Threats: Taxonomy
- S.T.R.I.D.E.
  - Spoofing
  - Tampering
  - Repudiation
  - Information disclosure
  - Denial of service
  - Elevation of privilege

Slide 13: Threats (STRIDE examples)
- Spoofing: replay requests to a database server to gain unauthorized access to data
- Tampering: defacement of a web site
- Repudiation: deleting or modifying audit trail records
- Information disclosure: gaining unauthorized access to data

Slide 14: Threats (STRIDE examples, continued)
- Denial of service: crashing or flooding a service
- Elevation of privilege: hijacking another user's session with the application to gain access to the user's data

Slide 15: Threats: Attack trees
- Graphically model attack goals & vectors
- Root of the tree is the overall goal
  - e.g. Steal passwords
- Children are sub-goals
  - One step or multiple steps
  - e.g. Collect plaintext passwords, or shoulder surf
  - e.g. Collect password hashes and crack hashes
  - e.g. Gain privileged access, install a keystroke collector and exfiltrate the password

Slide 16: Attack Trees (diagram; node labels grouped by the sub-goals listed on slide 15)
Root: Steal passwords
- Shoulder surf
- Collect sessions, then Parse plaintext password
- Collect sessions, then Parse password hash, then Crack password hash
- Gain remote access, then Install keystroke logger, then Exfiltrate passwords

Slide 17: Attack Trees: Node attributes
- Cost
- Availability of tools
- etc.
- Threat evaluation
  - Risk
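As an added worked example (not part of the presentation), the slide 16 tree encoded with the slide 17 node attributes: each leaf carries a cost and a tools-available flag, OR nodes take the cheapest feasible branch, AND nodes need every child. The cost figures and the intermediate node names ("Plaintext from traffic" etc.) are constructed for the example; the point is how ranking changes as mitigations remove leaves, which is the prioritization step slide 18 describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    goal: str
    kind: str = "LEAF"            # "OR", "AND" or "LEAF"
    cost: int = 0                 # attacker effort for a leaf; assumed units
    feasible: bool = True         # leaf: are tools/opportunity available?
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Optional[Tuple[int, List[str]]]:
    """Cheapest feasible way to reach node.goal as (cost, leaf steps), or None."""
    if node.kind == "LEAF":
        return (node.cost, [node.goal]) if node.feasible else None
    results = [cheapest(c) for c in node.children]
    if node.kind == "AND":                       # every sub-goal is required
        if any(r is None for r in results):
            return None
        return sum(c for c, _ in results), [s for _, steps in results for s in steps]
    feasible = [r for r in results if r is not None]   # OR: one branch suffices
    return min(feasible, key=lambda r: r[0]) if feasible else None

def mitigate(node: Node, goal: str) -> None:
    """Model a control that makes every leaf named `goal` infeasible."""
    if node.kind == "LEAF" and node.goal == goal:
        node.feasible = False
    for c in node.children:
        mitigate(c, goal)

def leaf(goal: str, cost: int) -> Node:
    return Node(goal, cost=cost)

def steal_passwords_tree() -> Node:
    """The 'Steal passwords' tree from slide 16; costs are constructed values."""
    return Node("Steal passwords", "OR", children=[
        leaf("Shoulder surf", 2),
        Node("Plaintext from traffic", "AND", children=[
            leaf("Collect sessions", 5), leaf("Parse plaintext password", 1)]),
        Node("Hashes from traffic", "AND", children=[
            leaf("Collect sessions", 5), leaf("Parse password hash", 1),
            leaf("Crack password hash", 8)]),
        Node("Keystroke logging", "AND", children=[
            leaf("Gain remote access", 20), leaf("Install keystroke logger", 3),
            leaf("Exfiltrate passwords", 2)]),
    ])
```

On the unmitigated tree cheapest() returns (2, ['Shoulder surf']); after mitigate(tree, "Shoulder surf") the cheapest route becomes the 6-unit plaintext-session branch, and removing "Collect sessions" (e.g. by protecting the transport) leaves only the 25-unit remote-access branch.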

Slide 18: Mitigation
- Rank threats
- Prioritize
- Develop a strategy:
  - Ignore the risk
  - Accept the risk
  - Delegate the risk
  - Fix the problem

Slide 19: Exercise: HackMe Travel
- Identify assets
- Identify threats (STRIDE)
- Build one attack tree

Slide 20: Conclusion
- Threat modeling:
  - Understanding the threat environment
  - Manage costs of mitigation
  - Guide to the application's secure design principles
  - Minimize an application's attack surface

Slide 21: Conclusion: Questions?

Slide 22: Contact
www.rigelksecurity.com
Presented by Mike Sues, Ethical Hack Specialist, msues@rigelksecurity.com
Marie Pilon, Director of Operations, training@rigelksecurity.com
Rigel Kent Training - 180 Preston St., 3rd Floor, Ottawa, ON
1 (613) 233-HACK, 1-877-777-H8CK

