2016-05-15

‎Why do we need to perform threat modeling


Revision as of 19:47, 15 May 2016

(3 intermediate revisions by the same user not shown)


# Impact of exploitation of a vulnerability by threat agents

# Controls and processes needed to treat specific risks

=Why do we need to perform threat modeling=

1. Performing threat modeling at the architecture level helps in:

a. confirming the suitability of the security features identified for implementation

b. identifying any gaps in the security features to be implemented

c. identifying any further security features that are needed

d. identifying policy and process requirements

e. identifying requirements to be fed into security operations

f. identifying logging and monitoring requirements

g. arriving at abuse cases when used in an agile methodology

h. understanding business continuity requirements

i. understanding capacity and availability requirements

2. Performing threat modeling at the design level helps in:

a. identifying vulnerabilities that need to be closed at the design level and feeding this into the build phase

b. identifying the information assets that need security controls

c. mapping the identified security controls to technical / administrative / physical controls as the case may be (this can also be done at the architecture level, but doing it at the design level allows more granularity)

d. identifying security test cases / security test scenarios to test the security requirements
=Starting the threat modeling exercise=


1. Identify the trust boundaries of the system / application / module / ecosystem you want to start with.

2. Add actors – internal and external.

3. Define internal trust boundaries. These can be the different security zones that have been designed.

4. Revisit the actors identified in #2 for consistency.

5. Add information flows:

a. Information in transit

b. Information at rest

c. Information processing

d. In the diagram above, the information flows are:

i. Login information

ii. Transmit login information

iii. Data process

iv. Data store

6. Identify the information elements and their classification as per your information classification policy.

7. Where possible, add assets to the identified information flows.

8. Identify threat agents for each of the information flows.

9. Draw attack vectors and attack trees iteratively to make sure that no major attack vector is missed.

10. For each of the information flows, perform a threat assessment using any methodology that meets the organisation’s requirements:

a. STRIDE

b. DREAD

c. Any other model that meets your organisation’s requirements

11. Add a probability value for the materialisation of each threat.

12. Add a value for the impact of each threat’s materialisation.

13. Identify the acceptable level of risk for the organisation or for the identified scope.

14. Identify the risks above the acceptable level that need mitigation.

15. Mitigate the risks by doing one or more of the following:

a. Accept

b. Transfer

c. Avoid

d. Reduce

=How to work on getting the mitigations in place, track them to closure and keep monitoring risks=

1. Upon completion of the initial threat modelling exercise, assign the risks to the relevant business / risk owners of the threats. For example:

a. If there is an identified risk with the way the database is implemented, assign the risk to the owner of the database team.

b. If there is an identified risk with the application design, assign the risk to the owner of the application team.

c. However, these are responsibilities that are assigned. The accountability for getting these risks addressed lies with the business owner for whose business the application is being developed. At the end of the day, it is the business owner who needs to understand whether the risk is aligned with the risk appetite of his/her business unit, and whether the risk is above or below the acceptable level.

2. Maintain a Threat Traceability Matrix which at a minimum lists the following:

a. Information flow (along with the list of assets)

b. Threats for the information flow

c. Probability of occurrence of the risk

d. Impact of materialisation of the risk

e. Risk owner – responsibility wise

f. Risk owner – accountability wise

g. Mitigation

h. Last review date

i. Next review date

j. Instances of materialisation of the risk

3. Test the risk as part of security testing to ensure that the mitigation works as expected.

Periodically retest the risk, either in a vulnerability scan or as a test scenario in a penetration test or security test, to ensure that the mitigation is still in place and still works as expected.
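The two procedures above, the threat modeling exercise (trust boundaries and information flows, threat agents, a STRIDE/DREAD assessment with probability and impact, an acceptable level of risk and the four treatment options) and the Threat Traceability Matrix with its review dates, written as a small threat-model-as-code script. This is an added example, not code from the page or from OWASP. The flows, threats, scores, owners and dates are constructed; the way the DREAD components are split into a probability and an impact figure, the 1..100 risk scale, the 25-point acceptable level, the 90-day review interval and the rule that accepting a risk above the acceptable level needs the accountable owner's sign-off are this example's assumptions, not the page's.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")          # step 10a
TREATMENTS = ("Accept", "Transfer", "Avoid", "Reduce")            # step 15
ACCEPTABLE_RISK = 25.0   # step 13: acceptable level of risk (constructed value)
AS_OF = date(2016, 9, 1)  # constructed "today" for the review-date check


@dataclass
class Flow:
    name: str                       # information flow (step 5)
    classification: str             # per the information classification policy (step 6)
    assets: List[str]               # assets attached to the flow (step 7)
    crosses_trust_boundary: bool    # trust boundaries from steps 1 and 3


@dataclass
class Threat:
    flow: Flow
    category: str                   # one of STRIDE
    agent: str                      # threat agent (step 8)
    # DREAD components, each 1..10 (step 10b). Splitting them into a
    # probability and an impact figure below is this example's assumption.
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    responsible: str                # matrix column e: owner, responsibility wise
    accountable: str                # matrix column f: owner, accountability wise
    mitigation: str = ""            # matrix column g
    treatment: Optional[str] = None       # one of TREATMENTS, once decided
    accepted_by: Optional[str] = None     # sign-off when accepting above appetite (assumption)
    last_review: Optional[date] = None    # matrix column h
    instances: int = 0              # matrix column j: times the risk materialised

    def __post_init__(self):        # keep categories to the page's vocabulary
        assert self.category in STRIDE and self.treatment in (None,) + TREATMENTS

    def probability(self) -> float:     # step 11, scale 1..10
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def impact(self) -> float:          # step 12, scale 1..10
        return (self.damage + self.affected_users) / 2

    def risk(self) -> float:            # probability x impact, scale 1..100
        return round(self.probability() * self.impact(), 2)


def risks_requiring_treatment(threats: List[Threat], acceptable: float) -> List[Threat]:
    """Step 14: every risk above the acceptable level needs a treatment decision."""
    return [t for t in threats if t.risk() > acceptable]


def treatment_is_valid(t: Threat, acceptable: float) -> bool:
    """A risk above the acceptable level must carry one of the step-15 treatments;
    choosing Accept for it requires sign-off by the accountable business owner."""
    if t.risk() <= acceptable:
        return True
    if t.treatment is None:
        return False
    if t.treatment == "Accept":
        return t.accepted_by == t.accountable
    return True


def traceability_matrix(threats: List[Threat], today: date,
                        review_interval: timedelta = timedelta(days=90)) -> List[dict]:
    """Rows of the Threat Traceability Matrix (columns a-j); the next review date
    is derived from the last one, and a never-reviewed risk is due today."""
    rows = []
    for t in threats:
        next_review = t.last_review + review_interval if t.last_review else today
        rows.append({
            "flow": t.flow.name, "assets": ", ".join(t.flow.assets),        # column a
            "threat": f"{t.category} by {t.agent}",                          # column b
            "probability": round(t.probability(), 2), "impact": t.impact(),  # columns c, d
            "risk": t.risk(),
            "responsible": t.responsible, "accountable": t.accountable,      # columns e, f
            "mitigation": t.mitigation,                                      # column g
            "last_review": t.last_review, "next_review": next_review,        # columns h, i
            "overdue": next_review < today,
            "instances": t.instances,                                        # column j
        })
    return rows


def sample_model() -> List[Threat]:
    """Constructed model of the login example on the page: two flows, one threat each."""
    login = Flow("Transmit login information", "Confidential", ["user credentials"], True)
    store = Flow("Data store", "Internal", ["customer records"], False)
    return [
        Threat(login, "Spoofing", "External attacker", 8, 7, 6, 9, 7,
               responsible="Web team lead", accountable="Business owner",
               mitigation="TLS on the login flow, login attempt throttling",
               treatment="Reduce", last_review=date(2016, 5, 15)),
        Threat(store, "Tampering", "Malicious insider", 5, 3, 2, 4, 3,
               responsible="Database team lead", accountable="Business owner",
               last_review=date(2016, 5, 15)),
    ]


if __name__ == "__main__":
    for row in traceability_matrix(sample_model(), today=AS_OF):
        flag = "treat" if row["risk"] > ACCEPTABLE_RISK else "within appetite"
        print(f'{row["flow"]:28} {row["threat"]:34} risk={row["risk"]:6} {flag}; '
              f'next review {row["next_review"]} overdue={row["overdue"]}')
```

Running the script lists each flow's threat with its score, whether it sits above the acceptable level, and whether its review is overdue as of the constructed date; the spoofing threat on the login flow scores 56.67 and needs treatment, while the insider tampering threat scores 12.0 and stays within appetite. The `overdue` column is what drives the periodic retest in step 3: a row whose next review date has passed is the one to put back into the next scan or penetration test.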

=Further Reading=