threat modeling part 3 - dread
TRANSCRIPT
Threat Modeling Part 3 - DREAD
Brad Andrews, CISSP, CSSLP
North Texas Cyber Security Conference
2015
Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ years software development experience
10+ years in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active Certifications – CISSP, CSSLP, CISM
Who Am I?
Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair and for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications
My Work
The views and opinions expressed in this session are mine and mine alone. They do
not necessarily represent the opinions of my employers or anyone associated with
anything!
My Opinions and Ideas Alone
Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System
Sessions Today
A way to evaluate and rank risks
Evaluate each risk / threat for:
Damage
Reproducibility
Exploitability
Affected Users
Discoverability
Details from https://www.owasp.org/index.php/Threat_Risk_Modeling
What is DREAD?
How much damage is done if it happens?
0 – None
5 – Individual User Data
10 – Complete System Destruction
Damage (Impact)
How easy is it to reproduce?
0 – Almost Impossible
5 – One or Two Steps / Authorized User
10 – Web Browser and Address – No Auth
Reproducibility (Probability)
What is needed to exploit the threat?
0 – Advanced Knowledge and Skills
5 – Malware Exists on Internet or Easy Exploit
10 – Only a Web Browser
Exploitability (Probability)
How many users will be impacted?
0 – None
5 – Some Users, But Not All
10 – All Users
Affected Users (Impact)
How easy is it to discover?
0 – Advanced Knowledge and Skills
5 – Easy to Guess or Find by Monitoring
9 – Details of Fault Public
10 – Details in URL
Discoverability (Probability)
Be Involved
Don’t Monopolize
Work Together
Interactive Time
Pick values for the risks from the previous sessions
Walk Through Previous Risks
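Scoring and ranking the Part 2 findings the way this slide describes, as an added example that is not from the talk: a small Python DREAD scorer built on the slides' 0/5/10 anchors. The mean-of-five overall rating (OWASP's DREAD formula), the Impact/Probability split, and the three sample threats are assumptions and constructed inputs, not content from these slides.

```python
# Added example, not the speaker's code: a DREAD scorer using the 0/5/10 anchors on these
# slides. The mean-of-five rating is OWASP's DREAD formula, an assumption not stated here.
from dataclasses import dataclass
# Anchor descriptions quoted from the slides; values between anchors are judgment calls.
ANCHORS: dict[str, dict[int, str]] = {
    "damage": {0: "None", 5: "Individual user data", 10: "Complete system destruction"},
    "reproducibility": {0: "Almost impossible", 5: "One or two steps / authorized user", 10: "Web browser and address, no auth"},
    "exploitability": {0: "Advanced knowledge and skills", 5: "Malware exists on Internet or easy exploit", 10: "Only a web browser"},
    "affected_users": {0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {0: "Advanced knowledge and skills", 5: "Easy to guess or find by monitoring", 9: "Details of fault public", 10: "Details in URL"},
}
IMPACT = ("damage", "affected_users")                                   # the slides label these Impact
PROBABILITY = ("reproducibility", "exploitability", "discoverability")  # the slides label these Probability
@dataclass(frozen=True)
class Threat:
    name: str               # STRIDE finding carried over from Part 2
    scores: dict[str, int]  # one integer 0-10 per DREAD factor

def validate(scores: dict[str, int]) -> None:
    """Reject missing factors and out-of-range values before they skew a ranking."""
    for factor in ANCHORS:
        value = scores.get(factor)
        if not isinstance(value, int) or not 0 <= value <= 10:
            raise ValueError(f"{factor} must be an integer 0-10, got {value!r}")

def dread_rating(scores: dict[str, int]) -> float:
    """Overall DREAD rating: mean of the five factor scores (OWASP formula, assumed)."""
    validate(scores)
    return sum(scores[f] for f in ANCHORS) / len(ANCHORS)

def impact_probability(scores: dict[str, int]) -> tuple[float, float]:
    """The same scores split the way the slides group them: (impact, probability)."""
    validate(scores)
    return (sum(scores[f] for f in IMPACT) / len(IMPACT),
            sum(scores[f] for f in PROBABILITY) / len(PROBABILITY))

def rank(threats: list[Threat]) -> list[tuple[str, float]]:
    """Highest rating first; ties broken by impact, then name, so the order is stable."""
    keyed = [(t.name, dread_rating(t.scores), impact_probability(t.scores)[0]) for t in threats]
    return [(n, r) for n, r, _ in sorted(keyed, key=lambda x: (-x[1], -x[2], x[0]))]

# Constructed sample threats (hypothetical findings, scored as a workshop group might).
SAMPLE_THREATS = [
    Threat("Tampering: order total taken from a hidden form field",
           {"damage": 5, "reproducibility": 10, "exploitability": 10, "affected_users": 10, "discoverability": 10}),
    Threat("Information disclosure: stack trace shown on error page",
           {"damage": 5, "reproducibility": 10, "exploitability": 5, "affected_users": 5, "discoverability": 9}),
    Threat("Elevation of privilege: race in nightly refund job",
           {"damage": 10, "reproducibility": 0, "exploitability": 0, "affected_users": 10, "discoverability": 0}),
]
```

Calling `rank(SAMPLE_THREATS)` orders the findings by rating; the low-probability, high-impact refund race lands last overall but first on the impact axis, which is why the split view is worth keeping beside the single number.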
Questions?