2.2 Threat Modeling Part 2
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
2 hours 41 minutes
welcome to Episode three of Cyber Security Architecture fundamentals.
we would carry on on our lesson on track modeling.
For this session,
we would focus on three additional trapped models, namely the application tread model,
the Operation Trap Model
and the data flow Tretton Mortal. We will begin, for example,
on how to develop an application track model
to begin an application trip model. We start with the architectural design diagram
the security architect do does not start from a vacuum
we normally come in after at least a skeleton design has been done by the application. Our system architect.
From the diagram, we will start by identifying our assets on Lee by knowing your assets. Can you start identifying the treads to the assets
and the right controls to mitigate those trends.
Now, after identifying your assets, it's time to think about what are the threats to those assets. The treads can come in many forms, and it might take a few alterations to identify all the trends
most of us come with. Certain bias Is either a system view infrastructure viewer application view to be complete. It's good to bounce off the ideas around other members of the team to get a more complete view off potential threats.
Now that you have the treads identified,
make a list off the track factors.
The track factors include Who are the tread actors
and what is the trap vector that the tread will come from.
sit down with the team and start listing out the different tread factors
with the tread defectives
It is now time to develop controls to mitigate the threats. Now, do you remember from the first lesson there is such a thing as too much security?
I think about the value of the assets and the cost off the controls. To mitigate the risks, find the right balance for your controls.
I will now illustrate this with an example.
The example I use.
It's from a paper by Lockett Martin on a trek driven approach to cybersecurity from 2014.
In this case, imagine this is the diagram given to you
by your application architect.
So we have a tree zone applications with a variety of actus.
The first thing you do is create a less off assets. In this case, the examples would be the credentials.
User profiles critical data in your database
create a legend so that we could use it to identify where they are in the diagram.
In this examples, my legend are colored dots with green being credentials rate, user profile, black for critical data and papa for the D. B. M s
stint on the diagram out at the dots to signify where the assets resigned.
we list the track actors
in this case would be that Internet based malicious actor,
an Internet based compromised credential
and a malicious inside
similar to the assets. Re create legends and then place them on the diagram to signify where these track actors reside
after you identify the actors and where they reside.
Now think off the attack vectors. They were used to compromise the system.
In this case, the list I've created includes social engineering, compromised users compromised at men,
cross like attacks, sequel injection and even zero day malware.
Now that you have identified the treads and tractors and the assets this time to think of controls, I will not cover that in this part of the lecture. But we'll come to that after we've done the enterprise security models.
This is a very quick high level guy on developing an application tread model.
Next, I would talk about a different perspective.
The operational trapped model,
while the application trip Mongol focused on the application for which is created
was men to only look at threats to that application.
Now, Operation Trap Model
allows organization to see the big picture.
It includes other respects like systems that get dependent on and so on.
Both models are needed.
Let me walk through an example, often operational tread model
in the operational trap model. In this example,
it's from a system known as trapped modeler, which is a commercial track modeling software. Now take a look at this track model.
The assets include things that are not typically part off the system. For example, you're single sign on system
all your hosting environment like Amazon, easy to all your windows and some back and systems like the TM.
You take a larger view off all interconnected systems because threat can come in true dependent systems all downstream or option systems. So in the operational view, you need to include a lot more members into the team to help develop it,
to help you get started with Operation Tread models, I would recommend Mazzella Sea Sponge That's a Web based trap modeling to develop my undergrad students. It's a Mary's university in Nova Scotia, Canada, a spot off zealous winter off security projects. In 2014
you can find the link below.
It is a very easy to use guided applications to help use, draw different assets and list the different threats in it.
Go ahead and give it a try. It's wet base, and you should be able to get to it as long as you have Internet connectivity.
The next model I would like to go true, it's the data flow trap model.
The focus off this track model,
as from the name is from the data exchange between components in the system.
It helps you identify what critical data is being transferred from, what system to what system
and what controls you need to save. Got that data.
As the overall foundation is a big proponent off the data flow trap model, they have created
a system called the OAS Trap Dragon, which is that on nine track modeling tool that focus on data floor models
that is in beta,
and I would encourage you to visit the website Track Dragon that are to give it a try. It helps you draw out the threats on a data flow and help you even identify and categorize the trends.
The interface is fairly intuitive, so I guess you can try it with some off the systems and try to draw out the data flow trap models for something you're working on.
So in summary and this episode,
we discuss what this application trap modeling. How to do it.
What is an operational trap model? Which is the bigger picture
and data flow track models, which focused on the data exchange.
And I've introduced three free tools like Sea Monster Cease Bunch and Trap Dragon, which could be used to get you started.
But do also check out track modeler, which is a commercial trap modeling software
that can help you jump start your trip modeling with known tread models for various specific designs, and it helps also identify trends that you may not have looked at.
In the next episode, we would conclude trap modeling
by going true. How to categorize the threats that you have identified
how to rang the treads so you could prioritize your resources
and cover some lesser used tread models like the social and environmental trip models.
If you have to time, we'll see you in the next episode.