Threat ModelingPart 1 - Overview

Brad Andrews , CISSP, CSSLPNorth Texas Cyber Security Conference

2015

Long time in the tech field Wide range of jobs – Defense, Online,

Banking, Airlines, Doc-Com, Medical, etc. 20+ Years software development

experience 10+ in Information Security M.S. and B.S. in Computer Science from the

University of Illinois Active Certifications – CISSP, CSSLP, CISM

Who Am I?

Work for one of the largest providers of pharmacy software and services in the country

Serve as Lead Faculty-Area Chair and for Information Systems Security for the University of Phoenix Online Campus

Carry out independent reading and research for my own company, RBA Communications

My Work

The views and opinions expressed in this session are mine and mine alone. They do

not necessarily represent the opinions of my employers or anyone associated with

anything!

My Opinions and Ideas Alone

Part 1 – Threat Modeling Overview Part 2 – Applying STRIDE to a System Part 3 – Applying DREAD to a System

Sessions Today

What is It? Why is It Important? How Do You Do It? Flow Diagrams are Important! Some Dangers to Avoid

Threat Modeling Overview

Figuring out all the significant threats to the system.

Microsoft has good guidance◦ I borrow from Adam Shostack later

Good overview at https://www.owasp.org/index.php/Threat_Risk_Modeling

What is Threat Modeling?

Threat Modeling Lessons from Star Wars (and Elsewhere)

https://youtu.be/KLpgaoD8ySM

Good Background Videoby Adam Shostack

We need to protect our systems Always limited time, people and money Must prioritize and focus Knowing the most important threats allows

this

It has had good results Not a panacea, just a part of the process

Why Model Threats?

Know the System

Find Threats

Detail ThreatsRank Threats

Protect Against Threats

How Do You Do It?

You need to know system interfaces and data flows to find out where it could be vulnerable.

Missing in too many cases! Don’t have to be perfect, just good enough. Visio may be worthwhile, though even Paint

can be used.

Flow Diagrams are Important

Trap #1 – You are never done◦ Ongoing process, but endpoints along the way

Trap #2 – Monolithic processes◦ Realize systems have many parts

Trap #3 – A single way to threat model◦ Use what works, not just a single formal process

Trap #4 – Working in a vacuum◦ All systems interact with other systems, not just

end users.

Dangers to Avoid (from Adam

Shostack)

Trap #5 – Threat modeling is an innate skill◦ Some have a better mindset for it, but all can

develop the needed skills◦ Improvement comes with time and practice

Trap #6 – Threat modeling is a single skill◦ Techniques – Know different approaches◦ Knowledge – Know useful data (threats/risks,

patterns, etc.) Trap #7 – Think like an attacker

◦ Limited ability to think outside your own experience

◦ Follow checklists as needed

Dangers to Avoid 2 (from Adam

Shostack)

Trap #8 – One model to rule them all◦ Model of the system◦ Model of the threats◦ Model of the attacker or user

Trap #9 – Focus only on the threats◦ Also consider the impact of requirements, threats

and mitigations Trap #10 – Waiting too long

◦ Earlier is almost always better, though review and repeat as necessary.

Dangers to Avoid 3 (from Adam

Shostack)

Be Involved Don’t Monopolize Work Together

Interactive Time

Work through an example system

Amazon is a good system to consider since most have purchased on their site

Develop a Data Flow Diagram

Questions?