Joe`s notes on threat models

advertisement
MIT 6.805
24 October 2002
Threat Models
What is a Threat Model?
Requirements Spec / Functional Spec
Constrains the solution – provides bounds for what needs to
be done
Why is this important?
Security is not Binary
Choices have costs
Means to make sense of landscape
Definitions
Vulnerability
Security relevant flaw in system
Attack
Means of exploiting a vulnerability
Adversary
A “bad guy” = entity with hostile intent
Threat
A motivated, capable adversary
Countermeasure
Mechanisms or procedures to counter attacks
-1-
MIT 6.805
24 October 2002
What are elements of a Threat Model?
Who, why, how, risk sensitivity
Common Adversaries
Hackers
Insiders
Industrial Spies
Criminals
Activists
Nation State Spies
Complex Adversaries

Who is the adversary?
o
Individual joy riding hacker, with no specific malicious intent
o
Individual coached by someone with extra knowledge and intent.
Motivation for individual remains joy ride, coach may have more malicious
aims
o
Team being run together – may or may not be aware of each other.
o

Limited information at each participant

Multiple resources being applied – coordinated but oblivious

Multiple access points
Runner is a well-funded organization – with broad knowledge and
capabilities. Possibly a nation-state or other organized criminal activity.
Motives (why)
-2-
MIT 6.805
24 October 2002
How
much power is available?
Computation power, Network Bandwidth, Connectivity
points.
Source of attack?
Cyberspace: (goals of the attack)
Gaining unauthorized access to a trusted/privileged system
Flooding the network and impacting connectivity performance
Denial of Service attack on a point of entry of the service to be
protected
Taking over the points of entry to the emergency service to
provide a fake service
Pretending that an end-system used to access the service will
perform some controls and authorization checks on its
applications and users
Physical access to privileged devices (inc. Insider attack)
Gaining unauthorized access to a trusted/privileged system (i.e.
Physically rebooting a system –floppy- into a different state to
subvert existing security mechanisms)
Gaining access to secrets on a privileged system (i.e. reading
secrets from a hard-disk)
Gaining access to networking equipment to deny connectivity or
modify behavior of the device
Gaining access to administrative privileges to modify the service
configuration without alarms being raised
Combined cyber and physical access to privileged devices
(inc. Insider attack)
-3-
MIT 6.805
24 October 2002
Threat Modeling
Process of creating a threat model
Thinking out of the box
Who are the actors
What are the protocols
Example: Stored Value Card (chap 19 Secrets & Lies – Bruce
Schneier)
Bank
Deposit to
account
Load card
Consumer
Merchant
Transfer funds
-4-
MIT 6.805
24 October 2002
Attacks that can be mounted by Consumer or Merchant
o Attack the card – change the stored value
o Alter records to reflect different value transfer
o Forge cards
o Clone cards
Consumer attacks
 Repudiate a transaction
 Report another consumer’s card stolen and intercept replacement
Merchant attacks
 Accept a transaction and skip town
 Replay valid transactions
Bank attacks
 Load less money onto the card
 Don’t credit the account for merchant payments
Collusion attacks
Privacy attacks…
Denial of service attacks
Key connection to Risk Assessment
What are the likely threats
What is the likely loss?
Estimate probability of attack and expected cost of loss
Yields annual loss expectancy
Point of the exercise
Understand the real threats to the system – and assess the risk
of these threats
Describe the security policy required to defend against the
threats
Develop the countermeasures that enforce the policy
-5-
MIT 6.805
24 October 2002
Failure often occurs in getting the threat wrong
Version rollback
Anti-fraud measures in analog cell phones – scanners were
“expensive”
Anti fraud measures in digital cell phones… same rationale…
Attack Trees (chap 21)
Methodology for threat modeling
Goal state, and / or leaves
Metrics on the nodes – environment specific
Possible / impossible
Expensive / cheap
Cost range…
Iterative process – but more formal than brainstorming
Exercise 2: Begin a threat model for your project
-6-
Download