Threat Modeling and Risk Management John R Durrett January 2003 Primarily from Building Secure Linux Servers (0596002173) and Secrets and Lies ( 0471253111)

Threat Modeling and Risk Management

John R Durrett

January 2003

Primarily from Building Secure Linux Servers (0596002173) and Secrets and Lies (0471253111)

― Systems
― Making completely secure servers
― Threats
― Risks
― Goals
― Motives
― Vulnerabilities
― Risk Analysis
― Attack Trees
― Defenses

Systems

― Complex

― Interact with other systems

― Have emergent properties that their designers did not intend

― Have bugs

Systems & Security

― Usual coping mechanism is to ignore the problem… WRONG
― Security is system within larger system
― Security theory vs security practice
  ― Real world systems do not lend themselves to theoretical solutions
― Must look at entire system & how security affects

The Landscape

― Secure from whom?
― Secure against what?
― Never black & white
― Context matters more than technology
― Secure is meaningless out of context

Completely Secure Servers

― Disconnect from Network
― Power Down
― Wipe & Degauss Memory & Harddrive
― Pulverize it to dust

― Threat Modeling
― Risk management

Threats

― Attacks are exceptions
― Digital Threats mirror Physical
― Will become more common, more widespread, harder to catch due to:
  ― Automation
  ― Action at a Distance
    ― Every two points are adjacent
  ― Technical Propagation

Threats

― All types of attackers
― All present some type of threat
― Impossible to anticipate
  ― all attacks or
  ― all types of attackers or
  ― all avenues of attack
― Point is not to prevent all but to “think about and analyze threats with greater depth and to take reasonable steps to prevent…”

Attacks

― Criminal
  ― Fraud: prolific on the Internet
  ― Destructive, Intellectual Property
  ― Identity Theft, Brand Theft
― Privacy: less and less available
  ― people do not own their own data
  ― Surveillance, Databases, Traffic Analysis
  ― Echelon, Carnivore
― Publicity & Denial of Service
― Legal

Risk Analysis

“The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers.”

Assets

― What are you trying to Protect
― Why is it being protected
― Risk for other systems on network
― Data
  ― Tampering vs. Stealing
  ― Liability

Security Goals #1

― Privacy?, Anonymity?
― Authentication
― Data confidentiality
  ― End-user data
  ― Ramifications of disclosure
― Data Integrity
  ― Secure transmission (Vonnegut MIT)
  ― Secure servers (/etc)
  ― Software developer

Security Goals #2

― System Integrity
  ― Is system being used as intended
  ― Trust relationships
  ― Executables (rootkit)
― System / Network availability
  ― Cyber-vandals
  ― DoS: All but impossible to prevent

― Security through obscurity?

Attackers

― Categorize by
  ― Objective, Access, Resources, Expertise, and Risk
― Hackers:
  ― Galileo, Marie Curie
― Lone Criminals, Insiders, Espionage, Press, Organized Crime, Terrorists

Motives

Business competitors
― Same motives as “real-life” criminals
― Financial motives
  ― Credit cards
  ― The Cuckoo’s Egg
― Political motives
― Personal / psychological motives

Motives

― Honeypot “to learn tools tactics and motives of blackhat community”

― Script Kiddies
  ― Canned Exploits of Perl or Shell scripts
  ― Still major threat
― Knowing motives helps predict attack
― Degrees of motivation
  ― Automated tools
  ― Hardened systems vs Easy Kills

Steps in an Attack

1. Identify Target & collect Information
2. Find vulnerability in target
3. Gain appropriate access to target
4. Perform the attack
5. Complete attack, remove evidence, ensure future access

After you get root

1. Remove traces of root compromise
2. Gather information about system
3. Make sure you can get back in
4. Disable or patch vulnerability

Vulnerability Landscape

― Physical World
  ― Laptops
― Virtual World
― Trust Model
― System Life Cycle

Vulnerabilities

― Only potential until someone figures out how to exploit

― Need to identify and address
  ― Those applicable & which must be mitigated now
  ― Are likely to apply & must be planned against
  ― Seem unlikely and/or are easy to mitigate

Simple Risk Analysis: ALEs

― Correlate & quantify assets + vulnerabilities + attackers
― Annualized Loss Expectancy for each vulnerability associated with each asset
― Single loss Cost x Expected Annual Occurrence = ALE
― Compare against cost to prevent

ALE

― Strengths
  ― Simplicity (∆ PHB will like), flexibility
― Weakness
  ― Very subjective
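
An ALE worksheet for the two slides above, as an added example that is not part of the original deck. Every asset, dollar figure and rate is constructed, and giving each estimate as a (low, high) pair is an assumption added here to show where the "very subjective" weakness changes the decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    single_loss: tuple      # (low, high) estimated cost of one incident, USD
    annual_rate: tuple      # (low, high) expected incidents per year
    control_cost: float     # yearly cost of the proposed countermeasure, USD

def ale_range(r):
    """ALE = single loss cost x expected annual occurrence, at both ends of the estimate."""
    return (r.single_loss[0] * r.annual_rate[0], r.single_loss[1] * r.annual_rate[1])

def verdict(r):
    """Compare ALE against cost to prevent; flag cases the estimates cannot settle."""
    low, high = ale_range(r)
    if r.control_cost <= low:
        return "mitigate"            # control pays for itself even on the optimistic estimate
    if r.control_cost > high:
        return "accept"              # control costs more than the pessimistic loss
    return "estimate-dependent"      # decision flips somewhere inside the estimate range

def worksheet(risks):
    """One row per (asset, vulnerability) pair, worst-case ALE first."""
    rows = [(r.asset, r.vulnerability, *ale_range(r), r.control_cost, verdict(r))
            for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample figures, for illustration only.
SAMPLE = [
    Risk("web server", "defacement", (500, 2000), (1, 4), 300),
    Risk("customer database", "data theft via web app", (20000, 50000), (0.125, 0.5), 5000),
    Risk("mail gateway", "denial of service", (1000, 3000), (0.5, 1), 12000),
]

if __name__ == "__main__":
    for asset, vuln, low, high, cost, decision in worksheet(SAMPLE):
        print(f"{asset:18} {vuln:24} ALE ${low:>8,.0f}-${high:>8,.0f}  "
              f"control ${cost:>7,}  {decision}")
```

Rows marked "estimate-dependent" are the ones where the inputs need a second opinion before the comparison against cost to prevent means anything.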

Attack Trees (Bruce Schneier)

― Visual Representation of attacks against any given target

― Attack goal is root
― Attack subgoals are leaf nodes
  ― For each leaf determine subgoals necessary to achieve
  ― And cost to achieve penetration using different types of attackers

Attack Tree Example

Goal: Steal Customer Data

Subgoals: Obtain Backup Media | Intercept eMail | Hack into Server

Attacks (with cost):
― Burglarize Office (Cost $10,000)
― Bribe Admin at ISP ($5,000)
― Hack remote user's home system ($1,000)
― Hack SMTP Gateway ($2000)
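
The slide's tree evaluated for the defender, as an added example that is not part of the original deck. The leaf costs are the slide's; which leaf sits under which subgoal, the AND node type (the slide shows only alternatives) and the re-priced figure of 8000 are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    cost: int = 0                 # USD to carry out a leaf attack; unused on inner nodes
    kind: str = "OR"              # "OR": any one child achieves the goal; "AND": all needed
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, [leaf attacks]) for the cheapest way to reach this goal."""
    if not node.children:
        return node.cost, [node.name]
    options = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in options), [leaf for _, path in options for leaf in path]
    return min(options, key=lambda option: option[0])

def affordable(node, budget):
    """Cheapest attack available to an attacker type with this budget, or None."""
    cost, path = cheapest(node)
    return (cost, path) if cost <= budget else None

def with_leaf_cost(node, leaf_name, new_cost):
    """Copy of the tree with one leaf re-priced, e.g. after a defense raises its cost."""
    if not node.children:
        return Node(node.name, new_cost if node.name == leaf_name else node.cost)
    kids = [with_leaf_cost(child, leaf_name, new_cost) for child in node.children]
    return Node(node.name, node.cost, node.kind, kids)

# Costs are the slide's; the grouping of leaves under subgoals is assumed.
TREE = Node("Steal Customer Data", children=[
    Node("Obtain Backup Media", children=[Node("Burglarize Office", 10000)]),
    Node("Intercept eMail", children=[
        Node("Bribe Admin at ISP", 5000),
        Node("Hack remote user's home system", 1000)]),
    Node("Hack into Server", children=[Node("Hack SMTP Gateway", 2000)]),
])

if __name__ == "__main__":
    print(cheapest(TREE))         # the weakest link the defender should price up first
    hardened = with_leaf_cost(TREE, "Hack remote user's home system", 8000)  # constructed
    print(cheapest(hardened), affordable(hardened, 1500))
```

Because every node on the slide is an alternative, the cheapest attack is the cheapest leaf whatever the grouping; the grouping starts to matter once a goal needs several steps together.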

Defenses

― Three general means of mitigating attack risk
  ― Reducing asset value to attacker
  ― Mitigating specific vulnerabilities
    ― Software patches
    ― Defensive Coding
  ― Neutralizing or preventing attacks
    ― Access control mechanisms
    ― Distinguish between trusted & untrusted users

Security

― Security is a process not a Product

― Weakest link in the process

― Examples of Threat Modeling in Secrets & Lies chapter 19

References

― Cohen, Fred “A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model.” Sandia National Laboratories, Sept 1998 (www.all.net/journal/ntb/cause-and-effect.html)

― Bauer, Michael E. “Building Secure Servers with Linux.” O’Reilly, 2003