Threat Modeling


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> Software design really isn't that
00:00
different in terms of risk
00:00
to anything else that we're going to be doing.
00:00
We talked about risk-management way,
00:00
way back in the first chapter.
00:00
We said you start risk management by
00:00
looking at the assets you're protecting,
00:00
looking at threats and vulnerabilities.
00:00
That's the exact same thing we do with software.
00:00
We think about what data is being
00:00
protected or held or processed within our software,
00:00
and then what are the threats
00:00
and what are the vulnerabilities.
00:00
We had mentioned that we use
00:00
threat modeling in order
00:00
to determine what the threats are.
00:00
Then we take the asset
00:00
and the threats and see what weaknesses
00:00
would allow the threats to
00:00
exploit those vulnerabilities or weaknesses.
00:00
That's threat modeling.
00:00
We'll talk a little bit more about
00:00
it and we're going to look at
00:00
two common ways of threat modeling.
00:00
We're going to look at the STRIDE model and then we'll
00:00
talk about use and misuse cases.
00:00
There are just some risks that are
00:00
inherent to software design.
00:00
The very fact that you're going to be
00:00
putting something in the hands of
00:00
an unknown user is going
00:00
to introduce risk into the scenario.
00:00
This whole chapter really,
00:00
this whole domain really is about reducing those risks.
00:00
Now, with threat modeling, again,
00:00
asset, threat, vulnerability, that's what makes a risk.
00:00
We start out with the asset, what's it worth?
00:00
Now remember, its value or what is worth
00:00
is going to be not just what I
00:00
would have to pay for the asset,
00:00
but it's going to include things like value to me,
00:00
value to my competitors,
00:00
are there laws and regulations that would be
00:00
violated if it wasn't protected,
00:00
would I be held liable,
00:00
would it influence my customer reputation?
00:00
We have to look at the value of
00:00
the asset and figure out what are our goals.
00:00
We go back to the CIA triad,
00:00
what's most important for us?
00:00
Confidentiality, integrity or
00:00
availability? It's not that
00:00
I have to choose one or the other,
00:00
but certainly when you give that
00:00
the kind of an objective look,
00:00
usually one is more important than the
00:00
other and that can vary at different times.
00:00
So we want to figure out our objectives.
00:00
Now in this slide,
00:00
this is the STRIDE threat model.
00:00
STRIDE comes from the first letter of each threat,
00:00
S-T-R-I-D-E,
00:00
and these are the most common threats to software.
00:00
When I'm developing software,
00:00
I want to make sure that I take each of these threats
00:00
into consideration and I'm
00:00
going to implement mitigation
00:00
in order to lessen the risk.
00:00
One of the greatest concerns with
00:00
application software is spoofing,
00:00
me being able to impersonate, an email application.
00:00
For instance, me being able
00:00
to make it look like the origin
00:00
of the message is from
00:00
PayPal when it's actually something I've written out.
00:00
That's spoofing or being
00:00
able to change the source address
00:00
so that it looks like a packet comes from
00:00
a different location or a different system.
00:00
When we build our software,
00:00
one of the best ways to mitigate
00:00
spoofing is through strong authentication.
00:00
Now we talked about authentication in Module 5,
00:00
so that's always worth going
00:00
back and giving a listen to.
00:00
>> But when we talk about authentication,
00:00
we're talking about proving we are who we say we are.
00:00
I'm going to provide proof of identity.
00:00
Strong authentication is going to be multi-factor.
00:00
Three factors, something I know,
00:00
something I have, something I am.
00:00
We're going to provide those three factors
00:00
to give strong authentication.
00:00
Multi-factor authentication is just
00:00
considered to be two or more factors,
00:00
so something I know and something I am,
00:00
or something I am and something I
00:00
have or whatever that may be.
00:00
That's spoofing. Now,
00:00
our next element is tampering.
00:00
Attackers modify information, messages,
00:00
files, and I want to be able to detect it.
00:00
If I'm going to be able to detect modification,
00:00
I need some form of integrity verification.
00:00
I need some way to guarantee that
00:00
the message or file or packet hasn't been modified.
00:00
Primarily, we think about message digests for that.
00:00
Another word for message digest,
00:00
you could also hear hashes.
00:00
CRCs used to be used but the
00:00
idea is we want a thumbprint
00:00
of the message or the file so
00:00
that if the file changes, the thumbprint changes.
00:00
If I compare the first thumbprint
00:00
with the current one and they're different,
00:00
I know there's been a modification.
00:00
Talked about that in Domain 3, cryptography.
00:00
We also, in Domain 3,
00:00
talked about repudiation and non-repudiation.
00:00
For non-repudiation,
00:00
I want to make sure that a sender can't
00:00
dispute having sent a message or
00:00
the contents of the message so they can't say,
00:00
"I didn't send that,
00:00
must have been spoofed."
00:00
Or they can't say, "Yeah,
00:00
I sent that, but that's not what I said."
00:00
Digital signatures are the way to make sure that
00:00
we get integrity and authenticity,
00:00
which together give us non-repudiation.
00:00
Now the I in
00:00
the STRIDE model is for information disclosure.
00:00
The best way to prevent
00:00
unauthorized disclosure is through encryption.
00:00
In my application, I make sure that
00:00
if we store application there are means for encryption.
00:00
We talked about redundancy in Chapter 7 or Domain 7,
00:00
and we talked about redundancy
00:00
means avoiding a single point of failure.
00:00
For instance, I want to make
00:00
sure that my application is
00:00
resilient and can withstand
00:00
a fault without necessarily completely failing.
00:00
We want to make sure that, for instance,
00:00
there may be defensive mechanisms
00:00
in place in the event that
00:00
some buffer overflow happened
00:00
or to prevent certain types of floods.
00:00
We want to mitigate the risk of denial-of-service.
00:00
Then last but not least,
00:00
the E in STRIDE is for escalation of privilege.
00:00
It's when someone gains access to
00:00
a system as a regular user,
00:00
and then they find a way to escalate their rights,
00:00
their permissions, their privileges.
00:00
They might find a way to run a function as
00:00
administrator or they may find
00:00
weak policy that allows them to create
00:00
a new account or weak policy that allows
00:00
them to add rights and permissions themselves.
00:00
But whatever the cause may be,
00:00
escalation of privilege is best
00:00
mitigated by strong authorization,
00:00
making sure only those who have
00:00
authenticated with multi-factor authentication
00:00
are authorized just to
00:00
do the function necessary for their job.
00:00
Another threat modeling means is
00:00
by running use and misuse cases.
00:00
Once again, doing the what if game.
00:00
We look at a basic application.
00:00
We say, what are the steps of using this application?
00:00
The very first step, we got a user who's going to
00:00
enter their name and password. Fair enough.
00:00
That password is going to provide authentication.
00:00
An attacker might try to
00:00
bypass that through brute force attacks.
00:00
Some types of brute force attacks: harvest attacks,
00:00
dictionary attacks, how are we going to mitigate those?
00:00
What you can see in
00:00
this diagram is basically
00:00
we're looking at the features of
00:00
the application and figure
00:00
out how an attacker is going to misuse
00:00
those features and how we can
00:00
mitigate the attempts at misuse.
00:00
These are just ways to consider what are
00:00
the threats and how we can strengthen those.
00:00
Another way that we can protect and harden
00:00
our system is we look at
00:00
the controls that are already in place.
00:00
Many operating systems have controls in place.
00:00
They have audit, they have logs and so on.
00:00
Are we reviewing the logs,
00:00
are we making sure that
00:00
the control mechanisms we put in place are working?
00:00
Look at the key performance indicators,
00:00
KPIs, look at the KRIs.
00:00
Performance indicators will tell us is
00:00
the system performing as it should?
00:00
Is our processor functioning?
00:00
Are we having limited amount of virtual memory access?
00:00
How are we performing?
00:00
Then the KRIs are going to tell us,
00:00
based on the risks that we looked at earlier,
00:00
does it look like our mitigation strategies
00:00
are keeping these risks from
00:00
happening or are the risks materializing?
00:00
Ultimately we have to evaluate the mechanisms we
00:00
put in place to find out if the controls are working.
00:00
What controls we put in place are
00:00
going to be driven by threat modeling.
00:00
We look at the STRIDE and the use and misuse cases,
00:00
as well as just common risks in the design of software.
00:00
Just like we've talked about in risk management,
00:00
we figure out what our asset is,
00:00
what threats and vulnerabilities exist,
00:00
and then we move into risk assessment,
00:00
where we try to determine
00:00
a cost effective means at
00:00
mitigating the risk to the degree except.