CIS 4615 meeting -*- Outline -*-

* Threat modeling

based on the paper

  Suvda Myagmar, Adam J. Lee, and William Yurcik,
  "Threat Modeling as a Basis for Security Requirements."
  In Symposium on Requirements Engineering for Information Security
  (SREIS), Vol. 2005, 2005.

------------------------------------------
THREAT MODELING

Goal: develop security requirements
      that handle each threat appropriately

Looks at:
  - What the system is designed to protect
  - From whom it is to be protected

Process:

A. Enumerate all possible threats:
   1. Characterize the system
   2. Identify assets and access points
   3. Identify threats

B. For each possible threat:
   1. How critical is it?  (based on the value of the assets)
   2. How likely is it?    (based on who might gain from it)
   3. What should be done?
      a. mitigate it, or
      b. accept the risk
------------------------------------------

Q: Why not just protect against all possible threats,
   as well as can be done?

   Too costly!
   May make the system hard to use!

Q: What do you get from the process described?

   A set of security requirements

** Characterizing the system

------------------------------------------
CHARACTERIZING THE SYSTEM

Depends on the kind of system:

  - single-computer app: use a Data Flow Diagram

  - networked system: use a network model
------------------------------------------

*** Traditional Apps and Data Flow Diagrams

------------------------------------------
DATA FLOW DIAGRAM

Nodes are

Arrows represent

E.g., payroll system

------------------------------------------
... software components or data stores
... information flows
...
        salaries file      pay-period
                 \          /
                  v        v
                pay computation
                       |
   tax-rate file       | pay-info record
          \            |
           v           v
        payroll-record generation
                       |
                       | payroll-record
                       v
              check-formatting
                       |
                       | check
                       v
                    printing
------------------------------------------

PAYROLL SYSTEM THREAT ANALYSIS (1)

What assets?

What access points?

------------------------------------------
...
  (a) the files, particularly the salaries file
  (b) the checks (the check paper)
  (c) the printer (with the checks on it)
  (d) the program itself (the ability to run it)

... the files (inputs)

------------------------------------------
PAYROLL SYSTEM THREAT ANALYSIS (2)

def: *threats* are an

What could be a threat?

threat identification method:
  for each asset, how could a goal apply to it?

What are the possible attacks?

------------------------------------------
... adversary's goals
...
  (1) get money (integrity)
  (2) stop the check printing (and payroll) process (availability)
  (3) obtain information about the company personnel (confidentiality)
...
  (a1) add bogus information to the files, thus getting checks for too
       much money or for people who don't work for the company;
       increase the pay-period length to get more money
  (b1) steal the check paper to print checks;
       steal time on the program/computer to print checks
  (c1) steal the printer and paper, or time on them
  (d1) run the program when it is not authorized to print checks

  (a2) delete or corrupt the files to stop printing
  (b2) destroy or steal the check paper
  (c2) harm or destroy the printer
  (c2/d2) cut the power to the computer or the printer
  (d2) prevent users from running the program by preventing them
       from using the computer

  (a3) steal information from the salaries file
  (b3) ?
  (c3) intercept communications to the printer
  (d3) add a trojan to the program to steal information
------------------------------------------

TECHNIQUES FOR THREAT IDENTIFICATION

For each adversary's goal:

  - how can it violate: confidentiality, integrity, availability?

  - can there be: spoofing, tampering, repudiation,
    information disclosure, denial of service,
    elevation of privilege?  (STRIDE)
------------------------------------------

Q: How could those threats be mitigated?

   e.g., access control and/or signatures for the files + program
         physical security for the check paper and printer
         a UPS for power

Q: Is the payroll system susceptible to these threats?
Q: What is the risk for each threat?

*** Networked Systems and Network Models

------------------------------------------
NETWORK MODEL

Key questions:

  - What are the

  - What are their

E.g., airline reservation system

------------------------------------------
... components?
... interconnections?
... see the Airline_Reservation_Network_Model.png (or .pptx)

  Customers                Banks & Credit processors
  (browsers)                          |
      |                               |
      v                               v
  ( internet ) -------------------> Router
      |                               |
      |                               v
      |                       Server System <----> Database of reservations
      v                               |
   Firewall <-------------------------/
      |
      v
  (company LAN)
      |               |
      v               v
  Accounting      Flight operations
      |               |
      v               v
  Accounting DB   Flight Operations DB

------------------------------------------
RESERVATION SYSTEM THREAT ANALYSIS

What assets?

What access points?

What are the threats?

------------------------------------------
...
  a. the server system (its cycles)
  b. seat reservations in the reservations DB
  c. customer Personally Identifiable Information (PII)
  d. the router (its cycles)
  e. the accounting information (in the accounting DB)
  f. flight information (in the flight ops DB)
  g. gate information (in the gate ops DB)
  h. the firewall
...
  (i)   internet connections (from clients)
  (ii)  bank and credit processor connections
  (iii) flight operations connections
  (iv)  database administrator connections
...
  1. get free travel (steal seat reservations) (integrity)
  2. steal customer PII (confidentiality)
  3. stop the system from running, or slow it down (availability)
  4. cause chaos in the airline's physical system
     (the airplanes, crews, etc.) (integrity)
  5. get proprietary information about flight operations (confidentiality)
  6. get proprietary information about accounting (confidentiality)
------------------------------------------

FOR YOU TO DO

For one asset,

  - enumerate possible attacks

  - rate the risk of each attack

------------------------------------------
...
  (a1) By sending input to the server system, such as an SQL injection,
       have the server insert records into the reservations DB to get a
       reservation.
  (b1) Write extra records into the seat reservations DB for the travel
       desired.
  (c1) Using stolen PII, make a reservation for the attacker, for example
       having the stolen customer's credit card pay for it.
  (d1) N/A
  (e1) Change accounting records so it looks like the attacker paid for a
       reservation, and then have the airline "correct" the missing
       reservation through customer support.
  (f1) N/A
  (g1) Modify the gate information DB so that a bogus bar code and record
       for the attacker is accepted by the gate agent.
  (h1) Bypass the firewall to gain access to the company LAN, and then use
       the attacks in (g1), (b1), (c1), or (e1).

Here are some more:

  (a2) Use the server system to break into the accounting database, or to
       intercept information flowing through the server system, to steal
       PII.
  (b2) N/A
  (c2) Read the PII and transmit it back to the attacker.
  (d2) Capture PII as it flows through the router and send it to the
       attacker (a Trojan horse on the router).
  (e2) Read the PII from the accounting DB.
  (f2) N/A
  (g2) Read information about people's flights from the gate operations DB
       and send it to the attacker.
  (h2) By compromising the firewall, gain access to the accounting and
       other databases, and use that access to read PII and send it back
       to the attacker.

  (a3) Deny service by consuming all (or most) of the cycles on the server
       system.
  (b3) Destroy or lock the reservations DB or its information.
  (c3) Destroy or lock the PII in the various databases, so that the rest
       of the system cannot function.
  (d3) Overwhelm the router with many requests (a DDoS attack).
  (e3) Destroy or lock the accounting DB.
  (f3) Delete all flights in the flight ops DB (or destroy or lock that
       database).
  (g3) Destroy or lock the gate ops DB.
  (h3) Bypass the firewall to carry out one of the above attacks:
       (g3), (f3), (e3), (b3), (a3).

  (a4) Use the server system to scramble the reservations database (moving
       people to different planes, etc.) or to change the scheduling of
       flights.
  (b4) Scramble the reservations in the reservations database, or change
       the scheduling of flights.
  (c4) Steal all the customer PII and publicize it, causing customers to
       flee to other airlines.
  (d4) N/A
  (e4) Change accounting records so that it looks like the airline has
       lost money, causing executives to change things.
  (f4) Change the flight ops DB to put planes in the wrong places at the
       wrong times, or to cancel many flights.
  (g4) Stop gate ops from working properly.
  (h4) Compromise the firewall to change flight or gate operations
       (as above).

  (a5) Use the servers to read the flight information from the
       reservations DB and send it to the attacker.
  (b5) Read flight information from the reservations DB and send it to
       the attacker.
  (c5) N/A
  (d5) N/A
  (e5) Glean flight information from the accounting records and send it
       to the attacker.
  (f5) Read the flight information and send it to the attacker.
  (h5) From the firewall, compromise the flight information system and
       database and send information to the attacker.

Q: Which attacks are the most likely?

Q: How could those risks be mitigated?

Q: Do any attacks have negligible risk?

Possible additional exercises:

  - Apple's iTunes Music service

** Summary of threat modeling

------------------------------------------
IMPORTANCE OF THREAT MODELING

Why must threat modeling be systematic?

What is the threat modeling process?

------------------------------------------
... because the bad guys just need one way in
    because building security in from the start is cheaper than reacting
    but budgeting needs to be based on the risk of each attack

... understand the system (network model)
    identify assets & access points
    identify the attacker's goals (threats)
    identify possible attacks
    (then do risk calculations and mitigations)
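The process summarized above, carried through in code as an added example (not part of the notes or of the Myagmar/Lee/Yurcik paper): the airline network model becomes a component graph, access points (i)-(iv) become entry nodes, and each adversary goal (a CIA property, the first of the two techniques on the THREAT IDENTIFICATION slide) is applied to each asset. The firewall is treated as a choke point so that the (h) "bypass the firewall" attacks fall out of reachability rather than being listed by hand, and each threat is then rated as impact x likelihood and marked mitigate or accept. The same enumeration applies to the payroll DFD with its nodes in place of the network components. Everything numeric is an assumption constructed for illustration: the graph is a simplification of the diagram (the gate ops DB, listed as an asset but not drawn, is attached to the company LAN), and the asset impact ratings, access-point exposure ratings and the firewall-bypass penalty are not measurements.

```python
"""Threat enumeration and risk rating for the notes' airline reservation
network model.  Graph, ratings and threshold are constructed assumptions."""
from collections import deque
from dataclasses import dataclass

# Network model: component -> components it is directly connected to.
# Simplified from the notes' diagram; gate_ops_db attached to the LAN (assumed).
LINKS = {
    "internet": {"router"},
    "banks": {"router"},                 # bank & credit-processor connections
    "router": {"internet", "banks", "server"},
    "server": {"router", "reservations_db", "firewall"},
    "reservations_db": {"server"},
    "firewall": {"server", "lan"},
    "lan": {"firewall", "accounting", "flight_ops", "gate_ops_db"},
    "accounting": {"lan", "accounting_db"},
    "accounting_db": {"accounting"},
    "flight_ops": {"lan", "flight_ops_db"},
    "flight_ops_db": {"flight_ops"},
    "gate_ops_db": {"lan"},
}

PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str             # the component in LINKS that holds the asset
    confidentiality: int  # impact of losing each property, 1 (minor) .. 5 (severe)
    integrity: int
    availability: int


# Assumed impact ratings for the assets listed in the notes.
ASSETS = [
    Asset("reservations_db", confidentiality=4, integrity=5, availability=4),
    Asset("accounting_db", confidentiality=4, integrity=4, availability=3),
    Asset("flight_ops_db", confidentiality=3, integrity=5, availability=5),
    Asset("gate_ops_db", confidentiality=2, integrity=4, availability=4),
    Asset("server", confidentiality=2, integrity=3, availability=4),
    Asset("router", confidentiality=2, integrity=2, availability=4),
]

# Access points (i)-(iv): entry component -> assumed likelihood that a hostile
# party uses it, 1 (vetted DBA on the LAN) .. 5 (anonymous internet client).
ACCESS_POINTS = {"internet": 5, "banks": 2, "flight_ops": 2, "lan": 1}
FIREWALL_PENALTY = 2  # assumed: bypassing the firewall costs 2 likelihood points


def reachable(entry, firewall_bypassed=False):
    """Components an adversary entering at `entry` can send traffic to.  The
    firewall is a choke point: traffic crosses it only if it is bypassed (the
    notes' (h) attacks); the firewall itself is still reachable as an asset."""
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        if node == "firewall" and not firewall_bypassed:
            continue
        for nxt in LINKS.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


@dataclass(frozen=True)
class Threat:
    asset: str
    prop: str           # the CIA property the adversary's goal violates
    access_point: str   # the most exposed entry that reaches the asset
    via_firewall: bool  # whether that entry must first bypass the firewall
    impact: int
    likelihood: int

    @property
    def risk(self):
        return self.impact * self.likelihood

    def decision(self, threshold=10):  # threshold is an assumed budget line
        return "mitigate" if self.risk >= threshold else "accept"


def enumerate_threats(assets=ASSETS, access_points=ACCESS_POINTS):
    """One threat per (asset, property); likelihood comes from the most exposed
    access point that can reach the asset ("who might gain from it")."""
    direct = {ap: reachable(ap) for ap in access_points}
    bypass = {ap: reachable(ap, firewall_bypassed=True) for ap in access_points}
    threats = []
    for asset in assets:
        for prop in PROPERTIES:
            best = None  # (likelihood, access point, needs firewall bypass)
            for ap, exposure in access_points.items():
                if asset.name in direct[ap]:
                    cand = (exposure, ap, False)
                elif asset.name in bypass[ap]:
                    cand = (max(1, exposure - FIREWALL_PENALTY), ap, True)
                else:
                    continue
                if best is None or cand[0] > best[0]:
                    best = cand
            if best is not None:
                threats.append(Threat(asset.name, prop, best[1], best[2],
                                      getattr(asset, prop), best[0]))
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def report(threats):
    """Render rated threats as the start of a security-requirements list."""
    return [f"{t.decision():8} risk={t.risk:2} {t.asset}/{t.prop} via {t.access_point}"
            + (" (after firewall bypass)" if t.via_firewall else "")
            for t in threats]


if __name__ == "__main__":
    print("\n".join(report(enumerate_threats())))
```

Running it ranks integrity of the reservations DB first (the notes' goal 1, free travel, reachable directly from the internet through the server), puts the LAN-side databases behind the firewall penalty, and leaves three low-value, low-exposure threats as "accept". Changing a single number, say the firewall penalty or an asset's impact, reorders the list, which is the point of the "budgeting needs to be based on risk" bullet: the decisions are only as good as the asset values and likelihoods fed in.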