Risk Assessment

What is RISK?
Risk requires a vulnerability, a likelihood of successful attack, and an amount of potential damage.
Two approaches: threat modeling, OCTAVE
Threat Modeling (part of Microsoft's Trustworthy Computing)
______ potential for harmful event/attack
can be realized by an…
that occurs due to a…
______
that should be mitigated by a…
__________
____________
Threat Modeling (part of Microsoft's Trustworthy Computing)
Why?
create a list of vulnerabilities
bridge the gap between design & deployment
help cross-team communication
raise awareness of security
identify areas of security requiring more research
The Players: Customers, Business Analysts, Software architects, Developers, Testers
Threat Modeling Steps
Step 1: Identify Security Objectives
What can we prevent?
What do we care about most?
What is the worst thing that can happen?
What laws and regulations apply?
Step 2: Describe System Architecture
Identify the system assets.
Focus on confidentiality, integrity, availability.
Ways to depict software architecture:
__________ Diagram
_____ Diagram
Class Diagrams
A picture depicting classes and interconnections.
(figures: Basic Notation, Simple Example)
Data Flow Diagrams
A picture depicting how data flows within a software system.
(figures: Basic Notation, Simple Example)
Data Flow Example 2: Email System (figure)
Step 3: Decompose app
Drill down to details of software architecture:
Data Flow Diagram: processes expanded into other processes and flows
Class Diagram: include methods, packages, inner classes; include files, external calls & parameter lists
_____________
Example 2: Edit zoom (figure)
Step 4: Identify Threats
This requires a systematic approach:
1) look at the detailed design for: trust boundaries, entry points, exit points
2) use a classification framework like STRIDE: _________ (authenticity), _________ (integrity), _________, _________ disclosure (confidentiality), _____ of service (availability), ________ of privilege (authorization)
http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
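The two parts of step 4 (find trust boundaries and entry/exit points in the decomposed design, then classify threats with STRIDE) can be made mechanical once the data flow diagram is written down as data. The following is an added example, not code from the deck or from Microsoft: it models a tiny email system (element names, trust zones and flows are constructed), flags every flow that crosses a trust zone as an entry/exit point, and applies the STRIDE-per-element table from Microsoft's guidance (which categories apply to external entities, processes, data stores and data flows) to produce the raw threat list that the later rating steps consume.

```python
from dataclasses import dataclass

# STRIDE categories, Microsoft's threat classification framework.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: the categories Microsoft's guidance considers for each
# kind of data-flow-diagram element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of the APPLICABLE keys other than data_flow
    zone: str   # trust zone the element lives in (constructed labels)


@dataclass(frozen=True)
class Flow:
    name: str
    source: str  # Element.name
    target: str  # Element.name


def crossing_flows(elements, flows):
    """Flows whose endpoints sit in different trust zones: these are the
    trust-boundary crossings, i.e. the entry/exit points of step 4."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.source] != zone[f.target]]


def enumerate_threats(elements, flows):
    """Return (element or flow name, STRIDE category, crosses_boundary) triples."""
    crossing = {f.name for f in crossing_flows(elements, flows)}
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append((e.name, STRIDE[code], False))
    for f in flows:
        for code in APPLICABLE["data_flow"]:
            threats.append((f.name, STRIDE[code], f.name in crossing))
    return threats


# Constructed model of a small email system (mirrors the deck's DFD example).
ELEMENTS = [
    Element("Mail client", "external_entity", "internet"),
    Element("SMTP receiver", "process", "dmz"),
    Element("Spam filter", "process", "internal"),
    Element("Mailbox store", "data_store", "internal"),
]
FLOWS = [
    Flow("client->receiver", "Mail client", "SMTP receiver"),
    Flow("receiver->filter", "SMTP receiver", "Spam filter"),
    Flow("filter->store", "Spam filter", "Mailbox store"),
]

if __name__ == "__main__":
    for name, category, crosses in enumerate_threats(ELEMENTS, FLOWS):
        flag = "  [crosses trust boundary]" if crosses else ""
        print(f"{name:18} {category}{flag}")
```

The boundary-crossing flag is what makes the list useful in review: the threats on the two flows that cross a trust zone (internet to DMZ, DMZ to internal) are the ones to look at first, while the internal flow between the spam filter and the mailbox store stays on the list but ranks lower.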
Attack Trees
Attack trees (also called threat trees) describe the nature of an attack.
Drawing attack trees helps with understanding, discovering, and mitigating threats.
Notation:
A tree root is the goal for the attack.
Children (of a node) define methods to achieve the parent.
Children may be ORed or ANDed.
http://www.schneier.com/paper-attacktrees-ddj-ft.html
Example (figure)
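The notation above (root = goal, children = methods, OR/AND combination) is enough to compute with. As an added example that is not part of the deck or of Schneier's paper, the code below builds a small attack tree with the leaf attributes Schneier uses (an estimated cost and a possible/impossible flag), enumerates every feasible attack scenario, finds the cheapest one, lists the scenarios under a budget, and then shows the mitigation use of the tree: rule a leaf out with a countermeasure and see which path becomes the cheapest next. The tree and its costs are constructed, loosely following the safe example in the paper.

```python
from dataclasses import dataclass, field
from itertools import product

INF = float("inf")


@dataclass
class Node:
    name: str
    op: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: float = 0.0         # leaf only: estimated attacker cost (constructed units)
    possible: bool = True     # leaf only: False once a countermeasure rules it out
    children: list = field(default_factory=list)


def scenarios(node):
    """All feasible ways to reach node's goal as (total cost, leaf names) pairs.
    OR: any child suffices, so the scenarios are the union of the children's.
    AND: every child is needed, so the scenarios are the cross product, costs summed."""
    if node.op == "LEAF":
        return [(node.cost, (node.name,))] if node.possible else []
    per_child = [scenarios(c) for c in node.children]
    if node.op == "OR":
        return [s for child in per_child for s in child]
    combos = []
    for combo in product(*per_child):  # yields nothing if any child is impossible
        total = sum(cost for cost, _ in combo)
        leaves = tuple(n for _, names in combo for n in names)
        combos.append((total, leaves))
    return combos


def cheapest(node):
    """Cheapest feasible scenario, or (INF, ()) if the goal is unreachable."""
    return min(scenarios(node), key=lambda s: s[0], default=(INF, ()))


def within_budget(node, budget):
    """Scenarios an attacker with the given budget could afford."""
    return [s for s in scenarios(node) if s[0] <= budget]


def rule_out(node, leaf_name):
    """Model a countermeasure: mark the named leaf impossible (in place)."""
    if node.op == "LEAF" and node.name == leaf_name:
        node.possible = False
    for c in node.children:
        rule_out(c, leaf_name)


def build_tree():
    """Constructed tree, loosely following the safe example in Schneier's paper."""
    return Node("Open safe", "OR", children=[
        Node("Pick lock", cost=30, possible=False),
        Node("Learn combo", "OR", children=[
            Node("Find written combo", cost=75),
            Node("Get combo from target", "OR", children=[
                Node("Threaten", cost=60),
                Node("Bribe", cost=20),
                Node("Eavesdrop", "AND", children=[
                    Node("Listen to conversation", cost=20),
                    Node("Get target to state combo", cost=40, possible=False),
                ]),
            ]),
        ]),
        Node("Cut open safe", cost=10),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest:", cheapest(tree))
    print("under budget 25:", within_budget(tree, 25))
    rule_out(tree, "Cut open safe")          # e.g. move to a cut-resistant safe
    print("cheapest after mitigation:", cheapest(tree))
```

Note how the AND node behaves: "Eavesdrop" drops out entirely because one of its two required leaves is impossible, which is exactly the lever a defender wants, since ruling out one leaf under an AND removes the whole branch, whereas under an OR the other siblings remain.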
Step 5: Rate Threats
Develop a systematic approach:
start with an accepted approach
adjust weighting with experience
Two possible approaches:
Risk = Threat X Asset
DREAD

Risk = Threat X Asset
The basic formula:
Risk = Threat probability * Damage potential
Threat probability accounts for exploitability & mitigations.
Damage potential is basically the cost or impact.
Ranges? Numbers might be difficult to use; three to five categories are usually sufficient.
A Graph of Threats (figure: Probability of Occurrence on one axis and Potential Damage on the other, each rated Low / Modest / Medium / High)
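The basic formula and the graph above are easy to operationalize once the two factors are put on a small ordinal scale. The following is an added example, not from the deck: it uses the four categories of the graph (Low, Modest, Medium, High), multiplies probability by damage as the formula says, buckets the product back into a category, lets a mitigation lower the probability (the deck notes that threat probability accounts for mitigations), and ranks a constructed threat list. The bucket thresholds and the "mitigation drops probability one category" rule are assumptions made for this example.

```python
LEVELS = ["Low", "Modest", "Medium", "High"]   # the four categories on the graph


def ordinal(level):
    """Map a category to 1..4 so that the two factors can be multiplied."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return LEVELS.index(level) + 1


def risk_score(probability, damage):
    """Risk = Threat probability * Damage potential, on the ordinal scale (1..16)."""
    return ordinal(probability) * ordinal(damage)


def risk_level(score):
    """Bucket the product back into the four categories.
    Thresholds are constructed for this example, not taken from the deck."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Modest"
    if score <= 9:
        return "Medium"
    return "High"


def rate(probability, damage, mitigated=False):
    """Threat probability accounts for mitigations: a mitigation in place
    lowers the probability by one category before scoring (constructed rule)."""
    if mitigated and probability != "Low":
        probability = LEVELS[LEVELS.index(probability) - 1]
    score = risk_score(probability, damage)
    return score, risk_level(score)


def rank(threats):
    """Sort (name, probability, damage, mitigated) tuples, highest risk first."""
    return sorted(threats, key=lambda t: rate(t[1], t[2], t[3])[0], reverse=True)


# Constructed threat list for illustration.
THREATS = [
    ("Credential theft", "High", "High", False),
    ("Log disk fills up", "Medium", "Modest", False),
    ("Unpatched service exploited", "High", "High", True),
    ("Typo in help text", "High", "Low", False),
]

if __name__ == "__main__":
    for name, prob, dmg, mitigated in rank(THREATS):
        score, level = rate(prob, dmg, mitigated)
        print(f"{name:28} P={prob:6} D={dmg:6} -> {score:2} ({level})")
```

The point of the ranking is the one the deck makes about categories: a high-probability, low-damage item ("Typo in help text") lands in Modest even though it is nearly certain, while the mitigated high/high item stays High, which is what you would expect a single partial mitigation to do.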
DREAD (Microsoft's first model)
Damage potential: How much damage will the exploit produce?
Reproducibility: How likely is it for the attack to recur?
Exploitability: How easy is it to carry out the attack?
Affected users: What fraction of users will be affected?
Discoverability: What are the odds an attacker can find the vulnerability?
Risk = min(D, (D+R+E+A+D)/5)
Problems with DREAD
Originally, each vulnerability (DREAD) was graded from 0 (no threat) to 10 (high).
It's not simple.
It's subjective.
Frequent disagreement over risk numbers: customers don't agree with developers; people with the same roles don't agree.
This led to a simpler severity rating system...
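As an added example covering both the DREAD slide and the "Problems with DREAD" slide (it is not code from the deck or from Microsoft), the class below holds one DREAD rating with each component graded 0 to 10, computes the deck's formula Risk = min(D, (D+R+E+A+D)/5), ranks a set of threats by it, and measures the spread between several raters' scores for the same threat, which is the disagreement problem the deck describes. All ratings in the sample are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dread:
    """One DREAD rating; each component is graded 0 (no threat) to 10 (high)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 0 <= value <= 10:
                raise ValueError(f"{name} must be 0..10, got {value}")

    def average(self):
        """Plain (D+R+E+A+D)/5."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def risk(self):
        """The deck's formula: Risk = min(D, (D+R+E+A+D)/5). The min caps the
        rating at the damage potential, so an easy, widespread, well-known
        attack that does little damage cannot score as high as a damaging one."""
        return min(self.damage, self.average())


def rank_by_risk(ratings):
    """Sort (threat name, Dread) pairs, highest risk first."""
    return sorted(ratings, key=lambda item: item[1].risk(), reverse=True)


def spread(ratings_for_one_threat):
    """How far apart several raters are on the same threat (max risk - min risk).
    A large spread is the disagreement problem described in the deck."""
    risks = [r.risk() for r in ratings_for_one_threat]
    return round(max(risks) - min(risks), 2)


# Constructed ratings for illustration.
RATINGS = [
    ("Session token leaks into logs", Dread(8, 6, 4, 8, 4)),
    ("Harmless info banner spoofable", Dread(5, 10, 10, 10, 10)),
    ("Admin console lacks lockout", Dread(9, 8, 7, 3, 6)),
]

# Two raters scoring the same threat: they differ only on damage potential.
DEVELOPER_VIEW = Dread(4, 6, 6, 5, 3)
CUSTOMER_VIEW = Dread(9, 6, 6, 5, 3)

if __name__ == "__main__":
    for name, rating in rank_by_risk(RATINGS):
        print(f"{name:32} avg={rating.average():.1f} risk={rating.risk():.1f}")
    print("rater spread:", spread([DEVELOPER_VIEW, CUSTOMER_VIEW]))
```

The second sample threat shows what the min does: four components at 10 give an average of 9, but with damage at 5 the risk is 5. The two-rater sample shows the other side, a single disagreement about one component moves the result by almost two points, which is why a simpler severity rating replaced per-component scoring.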