Threat Modeling Part 3 - DREAD
Brad Andrews, CISSP, CSSLP
North Texas Cyber Security Conference 2015

Uploaded by north-texas-chapter-of-the-issa on 07-Aug-2015

TRANSCRIPT

Page 1

Threat Modeling Part 3 - DREAD

Brad Andrews, CISSP, CSSLP
North Texas Cyber Security Conference, 2015

Page 2

Who Am I?

Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ years software development experience
10+ years in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active certifications – CISSP, CSSLP, CISM

Page 3

My Work

Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications

Page 4

My Opinions and Ideas Alone

The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!

Page 5

Sessions Today

Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System

Page 6

What is DREAD?

A way to evaluate and rank risks

Evaluate each risk / threat for:

Damage
Reproducibility
Exploitability
Affected Users
Discoverability

Details from https://www.owasp.org/index.php/Threat_Risk_Modeling

Page 7

Damage (Impact)

How much damage if it happens?

0 – None
5 – Individual User Data
10 – Complete System Destruction

Page 8

Reproducibility (Probability)

How easy is it to reproduce?

0 – Almost Impossible
5 – One or Two Steps / Authorized User
10 – Web Browser and Address – No Auth

Page 9

Exploitability (Probability)

What is needed to exploit the threat?

0 – Advanced Knowledge and Skills
5 – Malware Exists on Internet or Easy Exploit
10 – Only a Web Browser

Page 10

Affected Users (Impact)

How many users will be impacted?

0 – None
5 – Some Users, But Not All
10 – All Users

Page 11

Discoverability (Probability)

How easy is it to discover?

0 – Advanced Knowledge and Skills
5 – Easy to Guess or Find by Monitoring
9 – Details of Fault Public
10 – Details in URL

Page 12

Interactive Time

Be Involved
Don’t Monopolize
Work Together

Page 13

Walk Through Previous Risks

Pick values for the risks from the previous sessions
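A worked version of the walk-through, added here as an example and not part of the original deck: each threat is rated on the five 0–10 scales from the slides, the two factors the slides label Impact and the three labelled Probability are averaged separately, and the overall score is the plain average of all five (the convention on the OWASP page the deck cites; assumed here, since the slides do not state a formula). The three threats are constructed samples, not the risks from the earlier sessions.

```python
from dataclasses import dataclass, fields

# Grouping taken from the slide titles: "(Impact)" vs "(Probability)".
IMPACT = ("damage", "affected_users")
PROBABILITY = ("reproducibility", "exploitability", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Every rating must sit on the slides' 0..10 scale; reject anything else early.
        for v in self.ratings().values():
            if not isinstance(v, int) or not 0 <= v <= 10:
                raise ValueError(f"{self.name}: rating {v!r} is not an integer 0..10")

    def ratings(self) -> dict:
        return {f.name: getattr(self, f.name) for f in fields(self) if f.type is int}

    def score(self) -> float:
        """Overall DREAD risk: average of all five ratings (assumed OWASP convention)."""
        r = self.ratings()
        return sum(r.values()) / len(r)

    def impact(self) -> float:
        return sum(self.ratings()[k] for k in IMPACT) / len(IMPACT)

    def probability(self) -> float:
        return sum(self.ratings()[k] for k in PROBABILITY) / len(PROBABILITY)


def rank(threats):
    """Highest overall score first; ties broken by impact so damage outranks ease."""
    return sorted(threats, key=lambda t: (t.score(), t.impact()), reverse=True)


# Constructed sample risks (hypothetical, not from the earlier sessions).
SAMPLE = [
    Threat("Session token carried in the URL", 5, 10, 10, 5, 10),
    Threat("Admin report page with no auth check", 10, 10, 10, 10, 5),
    Threat("Race condition in nightly settlement job", 5, 0, 0, 5, 0),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.score():4.1f}  impact={t.impact():4.1f}  prob={t.probability():4.1f}  {t.name}")
```

Disagreements in the room usually surface as a gap between impact and probability for the same threat, so printing both alongside the overall score keeps the discussion on which factor is really in dispute.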

Page 14

Questions?