Threat modeling is based on the notion that any system or organization has assets of value worth protecting; these assets have certain vulnerabilities; internal or external threats exploit those vulnerabilities in order to damage the assets; and appropriate security countermeasures exist that mitigate the threats.
Consider a real-life use case: you are travelling by train and carrying money, jewellery, important documents, a uniform, a camera and so on. These are your assets. Money, jewellery and official documents are very valuable assets. Money and jewellery have a high chance of being stolen (by anyone) if left unattended, and the impact of their loss is high. Some official documents may be secret and can be stolen by a targeted thief, and the impact of their loss is very high. The camera is a costly electronic item, and its loss is not desirable. The same is true for clothes.
Let's restate the above in the following format.
Asset. Money, jewellery, documents, camera, clothes.
Threat. In descending order of threat level: money and jewellery, followed by documents, followed by camera and clothes. Note that this ordering follows from the importance of the different assets described above, so it can change if their importance changes.
Countermeasure. An asset labelled with a higher threat level needs a stronger countermeasure. The highest threat level is for money and jewellery; to mitigate the risk, keep them attached to your body (a wallet or a small bag worn across the body). Documents should be locked in a bag. Clothes can be kept in a bag that need not be locked very securely.
Threat modelling is a procedure for securing a system or network by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
The key to threat modelling is to determine where the most effort should be applied to keep a system secure. First, systematically identify and rate the threats that are most likely to affect the system. Then, address the threats with appropriate countermeasures in a logical order, starting with the highest-rated threats that present the greatest risk.
Nowadays, information technology is linked to every aspect of life: business, education, state security, health, entertainment and anything else we can think of. So threat modelling is highly important for IT-enabled software.
In context of software, threat modelling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. Threat modelling is not an approach to reviewing code, but it does complement the security code review process. The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built-in from the very beginning. This, combined with the documentation produced as part of the threat modeling process, can give the reviewer a greater understanding of the system. This allows the reviewer to see where the entry points to the application are and the associated threats with each entry point.
It is important that you understand the following basic terminology:
Asset. A resource of value, such as the data in a database or on the file system. A system resource.
Threat. A potential occurrence, malicious or otherwise, that might damage or compromise your assets.
Vulnerability. A weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels.
Attack (or exploit). An action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability.
Countermeasure. A safeguard that addresses a threat and mitigates risk.
Threat modeling should not be a one time only process. It should be an iterative process that starts during the early phases of the design of your application and continues throughout the application life cycle. There are two reasons for this. First, it is impossible to identify all of the possible threats in a single pass. Second, because applications are rarely static and need to be enhanced and adapted to suit changing business requirements, the threat modeling process should be repeated as your application evolves.
The diagram below shows the threat modelling process, which you can perform as a six-stage process.
Note: The following process outline can be used both for applications currently in development and for existing applications.
An overview of the threat modeling process
Identify assets.
Identify the valuable assets that your systems must protect.
Create an architecture overview.
Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow.
Decompose the application.
Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application. The aim of the security profile is to uncover vulnerabilities in the design, implementation, or deployment configuration of your application.
Identify the threats.
Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application.
Document the threats.
Document each threat using a common threat template that defines a core set of attributes to capture for each threat.
Rate the threats.
Rate the threats to prioritize and address the most significant threats first. These threats present the biggest risk. The rating process weighs the probability of the threat against damage that could result should an attack occur. It might turn out that certain threats do not warrant any action when you compare the risk posed by the threat with the resulting mitigation costs.
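The six stages above carried through for a hypothetical web application, as an added example that is not code from the original page: a threat register built on a common threat template, rated by weighing probability against damage, and ordered so the highest-rated threats are addressed first. The 1..10 scales, the product as the risk score, the risk-versus-mitigation-cost decision rule and the sample threats are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    """Common threat template: the core attributes captured for every threat."""
    threat_id: str
    asset: str            # asset the threat targets
    description: str      # what could go wrong
    vulnerability: str    # weakness that makes the threat possible
    probability: int      # 1 (unlikely) .. 10 (near certain); assumed scale
    damage: int           # 1 (negligible) .. 10 (catastrophic); assumed scale
    countermeasure: str   # safeguard that mitigates the risk
    mitigation_cost: int  # relative cost of the countermeasure, 1..100; assumed scale

    def risk(self) -> int:
        # The rating weighs probability against damage; the product is an assumed scoring rule.
        return self.probability * self.damage

    def warrants_action(self) -> bool:
        # Assumed decision rule: mitigate only when the risk outweighs the cost of mitigating.
        return self.risk() > self.mitigation_cost


def rate_threats(register: List[Threat]) -> List[Threat]:
    """Return the register ordered so the highest-rated threats come first."""
    return sorted(register, key=lambda t: t.risk(), reverse=True)


def action_plan(register: List[Threat]) -> List[str]:
    """IDs of the threats worth addressing, in the order they should be tackled."""
    return [t.threat_id for t in rate_threats(register) if t.warrants_action()]


# Constructed sample register for a hypothetical web application (not a real system).
REGISTER = [
    Threat("T1", "visitor browsers", "stored XSS via the comment form",
           "comment text rendered without output encoding", 8, 6,
           "context-aware output encoding plus a Content Security Policy", 15),
    Threat("T2", "user sessions", "session cookie captured on the network",
           "cookie issued without the Secure and HttpOnly flags", 5, 7,
           "serve over TLS only; set Secure and HttpOnly on the cookie", 10),
    Threat("T3", "marketing pages", "defacement of static content",
           "outdated CMS plugin", 3, 2, "migrate to a new CMS", 40),
]

if __name__ == "__main__":
    for t in rate_threats(REGISTER):
        verdict = "act" if t.warrants_action() else "accept risk"
        print(t.threat_id, t.asset, "risk=%d" % t.risk(), verdict)
```

T3 illustrates the last point above: its risk (6) is far below the cost of the only countermeasure (40), so the threat is documented but accepted rather than mitigated.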
The output from the threat modelling process is a document for the various members of your project team. It allows them to clearly understand the threats that need to be addressed and how to address them. Threat models consist of a definition of the architecture of your application and a list of threats for your application scenario, as shown below.
This model provides the list of items that an attacker would consider while trying to break the system.
Please refer here. This tool runs directly in the browser without installing an executable.
It lets you build threat flows visually.
The example below demonstrates the possibility of an HTTP XSS attack.
For further reading, please refer to the following:
https://www.owasp.org/index.php/Application_Threat_Modeling
http://searchsecurity.techtarget.com/definition/threat-modeling
https://en.wikipedia.org/wiki/Threat_model
https://msdn.microsoft.com/en-us/library/ff648644.aspx
https://en.wikipedia.org/wiki/STRIDE_(security)