Risk Assessment

Post on 15-Jan-2016


What is RISK?

Risk requires:
a vulnerability
the likelihood of a successful attack
the amount of potential damage

Two approaches: threat modeling, OCTAVE

Threat Modeling (part of Microsoft’s Trustworthy Computing)

______ potential for harmful event/attack

can be realized by an…

that occurs due to a…

______

that should be mitigated by a…

__________

____________

Why?
create a list of vulnerabilities
bridge the gap between design & deployment
help cross-team communication
raise awareness of security
identify areas of security requiring more research

The Players: Customers, Business Analysts, Software architects, Developers, Testers

Threat Modeling Steps

Step 1: Identify Security Objectives
What can we prevent?
What do we care about most?
What is the worst thing that can happen?
What laws and regulations apply?

Step 2: Describe System Architecture
Identify the system assets.
Focus on confidentiality, integrity, availability.
Ways to depict software architecture:
__________ Diagram
_____ Diagram

Class Diagrams
A picture depicting classes and interconnections.
[Figures: Basic Notation, Simple Example]

Data Flow Diagrams
A picture depicting how data flows within a software system.
[Figures: Basic Notation, Simple Example]

Data Flow Example 2: Email System

Step 3: Decompose app
Drill down to details of software architecture:
Data Flow Diagram: processes expanded into other processes and flows
Class Diagram: include methods, packages, inner classes; include files, external calls & parameter lists

_____________

Example 2

Step 4: Identify Threats
This requires a systematic approach:
1) look at the detailed design for trust boundaries, entry points, exit points
2) use a classification framework like STRIDE:
_________ (authenticity)
_________ (integrity)
_________
_________ disclosure (confidentiality)
_____ of service (availability)
________ of privilege (authorization)

http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

Attack Trees
Attack trees (also called threat trees) describe the nature of an attack.
Drawing attack trees helps with understanding, discovering, and mitigating threats.

Notation:
The tree root is the goal of the attack.
Children (of a node) define the methods to achieve the parent.
Children may be ORed or ANDed.

http://www.schneier.com/paper-attacktrees-ddj-ft.html

[Figure: Example]

Step 5: Rate Threats
Develop a systematic approach:
start with an accepted approach
adjust weighting with experience

Two possible approaches:
Risk = Threat X Asset
DREAD

Risk = Threat X Asset
The basic formula:

Risk = Threat probability * Damage potential

Threat probability accounts for exploitability & mitigations.

Damage potential is basically the cost or impact.

Ranges? Exact numbers can be difficult to use; 3 to 5 categories is usually sufficient.

A Graph of Threats
[Figure: Probability of Occurrence (Low, Modest, Medium, High) plotted against Potential Damage (Low, Modest, Medium, High)]

DREAD (Microsoft’s first model)
Damage potential: How much damage will the exploit produce?
Reproducibility: How likely is it for the attack to recur?
Exploitability: How easy is it to carry out the attack?
Affected users: What fraction of users will be affected?
Discoverability: What are the odds an attacker can find the vulnerability?

Risk = min(D, (D+R+E+A+D)/5)
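As an added worked example (not from the slides), both rating schemes above in Python: the basic Risk = Threat probability * Damage potential formula and the DREAD rule Risk = min(D, (D+R+E+A+D)/5), with ratings bucketed into the four categories of the Graph of Threats. The threat names and scores are constructed, and mapping the 0-10 scale onto equal-width category bins is an assumption.

```python
from dataclasses import dataclass
# The slides suggest 3 to 5 categories; four are used here, matching the
# Low / Modest / Medium / High axes of the "Graph of Threats".
CATEGORIES = ("Low", "Modest", "Medium", "High")

def to_category(score: float) -> str:
    """Bucket a 0-10 rating into a category (equal-width bins: an assumption)."""
    if not 0 <= score <= 10:
        raise ValueError(f"rating {score} is outside the 0-10 scale")
    return CATEGORIES[min(3, int(score // 2.5))]

def basic_risk(threat_probability: float, damage_potential: float) -> float:
    """Risk = Threat probability * Damage potential. Probability (exploitability
    net of mitigations) is a fraction 0-1; damage (cost/impact) is rated 0-10."""
    if not 0 <= threat_probability <= 1 or not 0 <= damage_potential <= 10:
        raise ValueError("probability must be 0-1 and damage 0-10")
    return threat_probability * damage_potential

@dataclass(frozen=True)
class Dread:
    """One threat's DREAD ratings, each 0 (no threat) to 10 (high)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if not 0 <= value <= 10:
                raise ValueError(f"{name}={value} must be between 0 and 10")

    def risk(self) -> float:
        """Risk = min(D, (D+R+E+A+D)/5): the average is capped by damage, so an
        easily repeatable but harmless issue cannot outrank a damaging one."""
        average = (self.damage + self.reproducibility + self.exploitability
                   + self.affected_users + self.discoverability) / 5
        return min(self.damage, average)

# Constructed sample threats; the numbers are illustrative, not from the slides.
SAMPLE_THREATS = {
    "credentials written to a world-readable log": Dread(8, 9, 7, 6, 5),
    "crash on malformed input": Dread(3, 10, 9, 10, 8),
}

def rank_threats(threats: dict) -> list:
    """Return (name, risk, category) tuples, highest risk first."""
    rated = [(name, t.risk(), to_category(t.risk())) for name, t in threats.items()]
    return sorted(rated, key=lambda row: row[1], reverse=True)
```

Note how the second sample threat averages 8.0 across the five DREAD factors but is capped at its damage rating of 3, which is exactly the behaviour the min() term is there to enforce.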

Problems with DREAD
Originally, each vulnerability (DREAD) was graded from 0 (no threat) to 10 (high).
It’s subjective.
It’s not simple.
Frequent disagreement over risk numbers: customers don’t agree with developers; people with the same roles don’t agree.
This led to a simpler severity rating system...
