An ultimate goal of threat modeling is to prioritize the potential threats against an organization’s assets.
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. This process identifies the potential harm, the probability of occurrence, the priority of concern and the means to eradicate or reduce the threat.
Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product’s development. This supports the motto of “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C). It has two goals in mind with this process:
The overall result is reduced risk.
There are two approach to threat modeling. Proactive and Reactive.
DREAD
The DREAD is a rating system that is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. This process identifies the potential harm, the probability of occurrence, the priority of concern and the means to eradicate or reduce the threat.
Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product’s development. This supports the motto of “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C). It has two goals in mind with this process:
- To reduce the number of security-related design and coding defects
- To reduce the severity of any remaining defects. In other words, it attempts to reduce vulnerabilities and reduce the impact of any vulnerability that remain.
The overall result is reduced risk.
There are two approach to threat modeling. Proactive and Reactive.
- A proactive approach (also known as defensive approach) takes place during the early stages of systems development, specifically during initial design and specifications establishment. This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches.
- A reactive approach (also known as the adversarial approach) takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.
Identifying Threats
- Focused on Assets: This method uses asset valuation results and attempts to identify threats to the valuable assets.
- Focused on Attackers: This method identifies potential attackers and can identify the threats they represent based on the attacker’s goals. A challenge with this approach is that new attackers can appear that weren’t previously considered a threat.
- Focused on Software: This method identifies potential threats against the software. Specifically, most organizations have a web presence, and many create their own web pages. Fancy web pages drive more traffic, but they also require more sophisticated programming and present additional threats.
Analyzing Threats
There are two methods to analyze threats to an organization.- Determining and Diagramming Potential Attacks: This is a process of crafting an architecture diagram, where the elements involved in a transaction along with indication of data flow and privilege boundaries are identified. This diagram helps to detail the functions and purpose of each element of a business task, development process, or work activity.
- Performing Reduction Analysis: This is a process of decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Five key concepts need to be identified:
- Trust Boundaries Any location where the level of trust or security changes
- Data Flow Paths The movement of data between locations
- Input Points Locations where external input is received
- Privileged Operations Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security
- Details about Security Stance and Approach The declaration of the security policy, security foundations, and security assumptions
Categorize and Prioritize Threats
To categorize and prioritize threat the first step is to fully document the threats. In this documentation, you should define the means, target, and consequences of a threat. After documentation, rank or rate the threats. This can be accomplished using a wide range of techniques, such as Probability × Damage Potential ranking, high/medium/low rating, or the DREAD system.DREAD
The DREAD is a rating system that is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:
- Damage potential: How severe is the damage likely to be if the threat is realized?
- Reproducibility: How complicated is it for attackers to reproduce the exploit?
- Exploitability: How hard is it to perform the attack?
- Affected users: How many users are likely to be affected by the attack (as a percentage)?
- Discoverability: How hard is it for an attacker to discover the weakness?
Reference: Mike Chappel, (ISC)2 CISSP Official Guide, 8th edition
No comments:
Post a Comment