Application Threat Modeling Workshop
Sponsored by ISACA Ireland Chapters in collaboration with the OWASP Foundation
Marco Morana (OWASP)
November 7-8 - Belfast & Dublin - ISACA Ireland Chapters

Workshop Agenda & Time Schedule
Part I - Threat Modeling Fundamentals - 45 min
Break - 15 min
Part II - Introduction to PASTA™ - 45 min
Break - 15 min
Part III - Threat Modeling Practice - 45 min

Terminology
• Threat: "The potential of a 'threat source' to exploit a specific vulnerability."
• Threat source: "The intent and method targeting the exploitation of a vulnerability, either intentionally or accidentally."
• Vulnerability: "The weakness in procedures, design, implementation, controls etc. that can be exploited and result in a violation of the system's security policy."
• Threat analysis: "The examination of threat sources against vulnerabilities to determine the threat to a particular system in a particular operational environment."
• Risk analysis: "The process of identifying risks and determining the probability of occurrence, the impact, and the safeguards that mitigate that impact."
• Risk management: "The process of identifying, controlling and mitigating risks; it includes risk analysis, cost-benefit analysis and the implementation, test and evaluation of safeguards."
Source: NIST

PART I - Threat Modeling Fundamentals

Threats, Vulnerabilities & Assets
Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley

Application Risk Domains
Risk = Threats (probability) x Assets (impact) x Control Vulnerabilities (exploit)
Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley

The Essential Elements of Risk Management
• People: trained to use risk frameworks to analyze technical and business risks, bringing technical and business experience
• Processes: for identifying gaps in security measures, identifying vulnerabilities and assigning levels of risk and impact
• Tools: for managing the risk to IT assets, managing vulnerabilities, identifying threats to these assets and determining countermeasures

Threat Modeling 101: Definitions
"A strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels" [Application Threat Modeling Book, Morana & Ucedavelez, Wiley]
"Formal methods to categorize threats, map them to vulnerabilities and identify countermeasures"
"Tools for modeling the threat, attack and vulnerability/weakness analysis:"
• Attacks & Attack Libraries
• Use-Misuse Cases
• Data-Flow Diagrams
• Threat-Attack Trees
Focalizations of Threat Modeling
• Software/Architecture Centric - Concentrates on the security of the software of the evaluated web app. Starts with a model of the system/application/software.
• Asset Centric - A more risk-based approach to application threat modeling. Starts with the classification and value of the data/assets.
• Attacker Centric - Focuses on the attacker's goals/targets and how they can be achieved. Starts with a model of the threat agents and the attack vectors.
• Security Centric - Addresses the security and technical risks of the threats revealed by the application threat model. Starts with business objectives, security and compliance requirements.

Web Application Security: Threats & Controls
• Application Security Controls
• Network Security Controls
• Server Security Configurations
From Improving Web Application Security: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ms994921.aspx

Web Application Data Flows & Control Analysis
An exercise to connect the dots for APIs and other data interfaces:
• Maps out data interfaces across application layers (presentation, app, data, etc.)
• Maps out relationships amongst actors, assets, data sources, trust boundaries, and eventually the variables of the attack tree
• Incorporates actors and assets as data flow start and end points
Diagram elements: Data, Process, Components, Security Controls, Trust Boundaries, Data flows

Data Flow Analysis Using Data Flow Diagrams

Abuse of Functionality Analysis
• Use and abuse cases define how applications can be used and abused
• Security requirements can be derived using use and abuse cases
• Test cases can be derived to test abuse of functionality and identify gaps in security controls
Use/abuse case diagram (user authentication):
• Actors: User; Hacker/Malicious User; Application/Server
• Use cases: Enter Username and Password (includes User Authentication); Show Generic Error Message; Validate Password Minimum Length and Complexity; Lock Account After N Failed Login Attempts
• Abuse cases (threaten User Authentication): Brute Force Authentication; Harvest (e.g. guess) Valid User Accounts; Dictionary Attack
• Mitigations: Show Generic Error Message mitigates harvesting of valid user accounts; Validate Password Minimum Length and Complexity mitigates the dictionary attack; Lock Account After N Failed Login Attempts mitigates brute force/dictionary login attempts
Source: OWASP Testing Guide v3, https://www.owasp.org/index.php/Testing_Guide_Introduction

Attack Analysis Using Attack Trees
Analyzing the Security of Internet Banking Authentication Mechanisms: http://www.isaca.org/Journal/Past-Issues/2007/Volume-3/Pages/Analyzing-the-Security-of-Internet-Banking-Authentication-Mechanisms1.aspx

Threat Modeling Methodologies: OWASP
Source: OWASP Threat Risk Modeling, https://www.owasp.org/index.php/Threat_Risk_Modeling

OWASP Application Threat Modeling
The OWASP ATM basic steps are:
1) Decompose the application
2) Analyze data flows to identify entry and exit points and assets
3) Enumerate a list of threats (e.g. STRIDE) against the application
4) Assert controls to mitigate threats
5) Determine the risk of the unmitigated threats
6) Identify countermeasures and propose mitigations
Source: OWASP Application Threat Risk Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling

Threats & Security Controls Assessment
Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling
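The three mitigations in the authentication use/abuse case diagram (generic error message, password length/complexity validation, lockout after N failed attempts) written out as a small login service. This is an added example, not code from the workshop deck or the OWASP Testing Guide; the in-memory account store, the choice of N = 5, the 12-character minimum and PBKDF2 hashing are all assumptions made for the example.

```python
"""Constructed example: the mitigations from the authentication abuse case
(generic error message, password policy, lockout after N failed attempts)
implemented in one in-memory login service. Not part of the original deck."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

GENERIC_ERROR = "Invalid username or password"   # identical text for every failure
MAX_FAILED_ATTEMPTS = 5                           # the "N" in "lock after N failed logins" (assumed)
MIN_PASSWORD_LENGTH = 12                          # assumed policy value
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least three character classes: rejects the short,
    single-class words a dictionary attack would try first."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet length/complexity policy")
        salt = os.urandom(16)
        self._accounts[username] = Account(salt=salt, pw_hash=_hash(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        acct = self._accounts.get(username)
        if acct is None:
            # Unknown user: do the same hashing work and return the same message,
            # so neither the response text nor its timing reveals which usernames
            # exist (the "harvest valid accounts" abuse case).
            _hash(password, b"\x00" * 16)
            return False, GENERIC_ERROR
        if acct.locked:
            # Lock state is not disclosed either; the owner is told out of band.
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return True, "OK"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # closes the brute force / dictionary abuse cases
        return False, GENERIC_ERROR

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return bool(acct and acct.locked)
```

The test cases the slide says can be derived from the abuse cases are exactly the checks a practitioner would run against this service: an unknown username and a wrong password must produce byte-identical responses, and the N-th consecutive failure must lock the account.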
Application Security Control Frameworks

Modeling Attacks
• Attack Types: targeted or opportunistic attacks toward web applications
• Attack Vectors: the channels through which attacks can be introduced
• Attack Trees: "walking" the app allows threats to be identified while understanding motives
• Attack Scenarios: based upon threat feeds & observed incidents (SIRTs)
• Attack Libraries: key to an effective threat model and to testing with use/misuse cases & vulnerabilities
Diagram: a Web App with its Use Cases, each Misuse Case mapped to Vulnerabilities and Attacks

Modeling Threats, Vulnerabilities and Countermeasures
• Maps opportunistic attacks to the exploitation of vulnerabilities
• Allows one to think like an attacker in pursuit of the attacker's goals/exploits
• Attacks map to one or many vulnerabilities
• Vulnerabilities can map to one or more countermeasures
Diagram: Threat -> Vulnerabilities & Control gaps -> Countermeasures

Assigning Risk to Threats
Threat severity can be calculated using risk factors
Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling

Questions & Answers
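To tie the deck's pieces together (the Risk = Threats x Assets x Control Vulnerabilities formula, the OWASP ATM steps, the threat-to-vulnerability-to-countermeasure mapping and the risk factors on the last slides), here is an added example, not code from the deck or from OWASP, that models a three-tier web application as a data-flow diagram, finds the trust-boundary crossings, enumerates STRIDE threats per element, and ranks rated threats by the product of the three risk factors. The STRIDE-per-element table, the sample application, the 1-5 rating scale and every rating value are assumptions constructed for the example.

```python
"""Constructed example (not from the workshop deck or OWASP): a small data-flow
model of a web application, STRIDE threats enumerated per element (OWASP ATM
steps 1-3), and the deck's Risk = Threats (probability) x Assets (impact) x
Control Vulnerabilities (exploit) formula used to rank the unmitigated threats
and tie each one to its vulnerabilities and countermeasures (steps 4-6)."""
from __future__ import annotations
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element type. Assumption: the
# commonly used STRIDE-per-element mapping; the deck itself does not show it.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    zone: str       # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str       # asset carried by the flow


@dataclass
class Model:
    elements: dict[str, Element]
    flows: list[Flow]

    def entry_points(self) -> list[Flow]:
        """Step 2: a flow whose ends sit in different trust zones crosses a
        trust boundary and is an entry/exit point of the application."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def enumerate_threats(self) -> list[tuple[str, str]]:
        """Step 3: (target, STRIDE category) for every element and for every
        boundary-crossing flow."""
        threats = [(e.name, STRIDE_NAMES[c])
                   for e in self.elements.values()
                   for c in STRIDE_PER_ELEMENT[e.kind]]
        threats += [(f"{f.src}->{f.dst}", STRIDE_NAMES[c])
                    for f in self.entry_points()
                    for c in STRIDE_PER_ELEMENT["flow"]]
        return threats


@dataclass
class RatedThreat:
    """Steps 4-6: one enumerated threat, the control gaps behind it, the
    countermeasures that close them, and the three risk factors (1-5 each)."""
    target: str
    category: str
    probability: int      # likelihood that a threat source attempts it
    impact: int           # value of the asset that would be affected
    exploitability: int   # how open the control gap is; 1 = fully mitigated
    vulnerabilities: tuple[str, ...]
    countermeasures: tuple[str, ...]

    def risk(self) -> int:
        return self.probability * self.impact * self.exploitability


def rank(threats: list[RatedThreat]) -> list[RatedThreat]:
    """Step 5: highest residual risk first."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def build_sample_model() -> Model:
    """Constructed three-tier web app: browser on the internet, web app in a
    DMZ, account database on the internal network."""
    elements = {
        "browser": Element("browser", "external", "internet"),
        "webapp": Element("webapp", "process", "dmz"),
        "db": Element("db", "store", "internal"),
    }
    flows = [
        Flow("browser", "webapp", "credentials"),
        Flow("webapp", "browser", "session cookie"),
        Flow("webapp", "db", "SQL query"),
        Flow("db", "webapp", "account records"),
    ]
    return Model(elements, flows)


def sample_rated_threats() -> list[RatedThreat]:
    """Constructed ratings for three of the enumerated threats; one attack can
    map to several vulnerabilities and each vulnerability to several controls."""
    return [
        RatedThreat("browser->webapp", "Information disclosure", 4, 4, 5,
                    ("credentials sent over cleartext HTTP",),
                    ("TLS for all client traffic",)),
        RatedThreat("webapp", "Elevation of privilege", 3, 5, 2,
                    ("admin route checks the user's role only in the UI",),
                    ("server-side authorization check on every request",)),
        RatedThreat("webapp->db", "Tampering", 4, 5, 1,
                    ("untrusted input reaches query construction",),
                    ("parameterized queries (in place)", "least-privilege DB account")),
    ]
```

Every flow in the sample crosses a trust boundary, so all four are entry/exit points and each contributes the three flow-level STRIDE categories; the ranking then puts the cleartext credential flow (4 x 4 x 5 = 80) ahead of the authorization gap (30) and the already-mitigated query path (20), which is the order in which countermeasures would be proposed in step 6.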