Threat Modeling Part 3 - DREAD


Brad Andrews, CISSP, CSSLP
North Texas Cyber Security Conference

2015

Who Am I?

Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ years software development experience
10+ in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active Certifications – CISSP, CSSLP, CISM

My Work

Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications

My Opinions and Ideas Alone

The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!

Sessions Today

Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System

What is DREAD?

A way to evaluate and rank risks
Evaluate each risk / threat for:
Damage
Reproducibility
Exploitability
Affected Users
Discoverability

Details from https://www.owasp.org/index.php/Threat_Risk_Modeling

Damage (Impact)

How much damage if it happens?
0 – None
5 – Individual User Data
10 – Complete System Destruction

Reproducibility (Probability)

How easy is it to reproduce?
0 – Almost Impossible
5 – One or Two Steps / Authorized User
10 – Web Browser and Address – No Auth

Exploitability (Probability)

What is needed to exploit the threat?
0 – Advanced Knowledge and Skills
5 – Malware Exists on Internet or Easy Exploit
10 – Only a Web Browser

Affected Users (Impact)

How many users will be impacted?
0 – None
5 – Some Users, But Not All
10 – All Users

Discoverability (Probability)

How easy to discover?
0 – Advanced Knowledge and Skills
5 – Easy to Guess or Find by Monitoring
9 – Details of Fault Public
10 – Details in URL
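The five scales above give each factor a 0-to-10 rating, but the slides leave the combination and ranking to the interactive session. The following Python is an added example, not code from the deck or from OWASP: it encodes the slide anchor points, validates ratings, combines them, and ranks a constructed set of threats in the STRIDE categories from Part 2. The combination rule (a plain average of the five factors, as described on the OWASP Threat Risk Modeling page the slides cite), the High/Medium/Low bands, the tie-break, and all sample threats and their ratings are this example's own assumptions; the slides state none of them.

```python
"""Worked DREAD rating and ranking.

Added example, not from the slides. It encodes the 0/5/10 anchor points the slides
give for each factor, validates ratings, combines them, and ranks a constructed set
of threats. Assumptions: the combination rule is a plain average of the five
factors (OWASP convention), and the High/Medium/Low bands are this example's own.
"""
from dataclasses import dataclass

# Anchor points transcribed from the slides: factor -> {score: meaning}.
ANCHORS = {
    "damage": {
        0: "None", 5: "Individual user data", 10: "Complete system destruction"},
    "reproducibility": {
        0: "Almost impossible", 5: "One or two steps / authorized user",
        10: "Web browser and address, no auth"},
    "exploitability": {
        0: "Advanced knowledge and skills", 5: "Malware exists on Internet or easy exploit",
        10: "Only a web browser"},
    "affected_users": {
        0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {
        0: "Advanced knowledge and skills", 5: "Easy to guess or find by monitoring",
        9: "Details of fault public", 10: "Details in URL"},
}
FACTORS = tuple(ANCHORS)  # the D, R, E, A, D order used on the slides


@dataclass(frozen=True)
class Threat:
    name: str
    scores: dict  # factor name -> integer rating 0..10


def validate(threat: Threat) -> None:
    """Reject a rating that is missing a factor or outside the 0..10 scale."""
    for factor in FACTORS:
        value = threat.scores.get(factor)
        if not isinstance(value, int) or not 0 <= value <= 10:
            raise ValueError(f"{threat.name}: {factor} must be an integer 0..10, got {value!r}")


def dread_score(threat: Threat) -> float:
    """Average of the five factors (OWASP convention; an assumption, see module docstring)."""
    validate(threat)
    return sum(threat.scores[f] for f in FACTORS) / len(FACTORS)


def risk_band(score: float) -> str:
    """Coarse triage band. Thresholds are this example's own choice, not the slides'."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def nearest_anchor(factor: str, value: int) -> str:
    """Explain a rating by the closest anchor text from the slides.

    Useful in a review: a Discoverability of 8 reads as 'Details of fault public'."""
    table = ANCHORS[factor]
    return table[min(table, key=lambda k: abs(k - value))]


def rank(threats):
    """Highest DREAD score first; ties broken by Damage, then Affected Users.

    The tie-break is this example's choice: when two threats score alike, the one
    with the larger impact components rises."""
    return sorted(
        threats,
        key=lambda t: (dread_score(t), t.scores["damage"], t.scores["affected_users"]),
        reverse=True,
    )


def ranked_report(threats):
    """(name, score, band) rows in ranking order, for a findings table."""
    return [(t.name, dread_score(t), risk_band(dread_score(t))) for t in rank(threats)]


# Constructed sample threats in the STRIDE categories from Part 2 (not real findings).
SAMPLE = [
    Threat("Tampering: order total editable in client-side form",
           {"damage": 5, "reproducibility": 10, "exploitability": 10,
            "affected_users": 5, "discoverability": 5}),
    Threat("Denial of service: report export has no rate limit",
           {"damage": 5, "reproducibility": 10, "exploitability": 10,
            "affected_users": 10, "discoverability": 5}),
    Threat("Elevation of privilege: admin console reachable from user network",
           {"damage": 10, "reproducibility": 5, "exploitability": 5,
            "affected_users": 10, "discoverability": 5}),
    Threat("Spoofing: session cookie missing Secure flag on internal-only host",
           {"damage": 5, "reproducibility": 0, "exploitability": 0,
            "affected_users": 5, "discoverability": 0}),
]

if __name__ == "__main__":
    for name, score, band in ranked_report(SAMPLE):
        print(f"{score:4.1f}  {band:6}  {name}")
```

Two of the constructed threats average to the same 7.0, which is the usual DREAD problem: averaging hides whether the score comes from impact or from probability. The tie-break on Damage and Affected Users pushes the higher-impact item up, and `nearest_anchor` turns a number back into the slide wording so a review can argue about the rating rather than the arithmetic.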

Interactive Time

Be Involved
Don’t Monopolize
Work Together

Walk Through Previous Risks

Pick values for the risks from the previous sessions

Questions?