• Asset. It varies by perspective. To your business, an asset might be the availability of information, or the information itself, such as customer data. It might be intangible, such as your company's reputation.
• Threat. A threat is an undesired event: a potential occurrence, often best described as an effect that might damage or compromise an asset or objective.
• Vulnerability. A weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabilities can exist at the network, host, or application level and include operational practices.
• Attack (or exploit). An action that uses one or more vulnerabilities to realize a threat.
• Countermeasure. Countermeasures address vulnerabilities to reduce the probability of attacks or the impact of threats. They do not directly address threats; they address the factors that make the threats possible.
• Use case. Functional, as-designed features of an application.
• Abuse case. Deliberate misuse of functional use cases to produce unintended results.
• Attack vector. The point and channel over which an attack travels (card reader, form fields, network proxy).
• Attack surface. A logical area (browser stack) or physical area (hotel kiosk) exposed to attack.
• Actor. A legitimate or adversarial caller of use cases or abuse cases.
• Impact. The value of the (financial) damage that could be sustained from an attack.
• Attack tree. A diagram of the relationships among asset, actor, use case, abuse case, vulnerability, exploit, and countermeasure.
occurrence, often best described as causal factors that may manifest as attacks that compromise an asset or objective. Threats are relative to each site, industry, and company, and are therefore harder to define uniformly.
2. What are the cyber-threat targets?
3. What are the cyber-threat motivations?
4. What are the cyber-threat capabilities?
5. Which assets do the cyber-threats attack?
6. Which attack tools and techniques are used?
7. Which vulnerabilities do they exploit?
8. What is the business impact of these attacks?
9. What is the probability of these attacks targeting my financial institution?
10. Which security measures protect my bank from these attacks and detect them, and which do not?
• Risk-centric threat modeling methodology
• Contextual – ultimately relates back to the business context
• Only methodology that considers business impact
• Still retains traditional threat modeling exercises: attack trees, defining the kill chain, data flow diagrams
Value?
• Collaborative process to think like adversarial groups
• Integrates into risk management functions and processes
• Integrates into governance
• Fosters greater security awareness
• Elevates security risk into operational risk areas
Online banking data flow diagram (threat model view)

Tiers and trust boundaries
• Browser → Web Server: account/transaction query calls; encryption + authentication
• Web Server → Application Server (Internal boundary: Web Server / App & DB Server): application calls and application responses; encryption + authentication
• Application Server → Database Server and Financial Server (Restricted Network boundary: App & DB Server / Financial Server): SQL query calls and message responses; financial data, authentication data, customer financial data

Threats and example payloads
• XSS: <SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
• SQL injection: OR '1'='1'--
• Path traversal with null byte: ../../../../etc/passwd %00
• OS command injection: Cmd=%3B+mkdir+hackerDirectory
• Insecure direct object reference: http://www.abc.com?RoleID
• Injection flaws, CSRF, insecure remote file inclusion, information disclosure via errors
• Broken authentication / impersonation, database connection password in clear, lack of synchronized session logout
• Insecure cryptographic storage

Countermeasures
• ESAPI/ISAPI filtering, custom error pages
• Prepared statements / parameterized queries, stored procedures
• Server-side RBAC, form tokenization
• Hashed and salted passwords in storage and in transit
• Trusted server-to-server authentication, SSO, trusted authentication, federation, mutual authentication
• Encrypt confidential PII in storage and in transit

Impacts: phishing, privacy violations, financial loss, identity theft, system compromise, data alteration, destruction
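The SQL injection payload on the diagram (OR '1'='1'--) next to two of its listed countermeasures (parameterized queries, salted and hashed passwords), as an added Python/sqlite3 example that is not part of the original slides. The accounts table, user names and balances are constructed for the example, and the vulnerable and hardened login functions are illustrative, not the bank's code.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this example (not data from the original page).
SAMPLE_ACCOUNTS = [("alice", "correct horse", 1000), ("bob", "hunter2", 2500)]
PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256): the 'hashed/salted pwds' control."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """In-memory accounts table. The cleartext 'password' column exists only to
    show the legacy code path; the hardened path uses salt + pwd_hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pwd_hash BLOB, balance INTEGER)"
    )
    for user, pwd, balance in SAMPLE_ACCOUNTS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
            (user, pwd, salt, derive(pwd, salt), balance),
        )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String concatenation: attacker input becomes part of the SQL grammar."""
    sql = (
        "SELECT username, balance FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query plus constant-time check of a salted hash.
    Returns (username, balance) on success, None otherwise."""
    row = conn.execute(
        "SELECT salt, pwd_hash, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored, balance = row
    if not hmac.compare_digest(stored, derive(password, salt)):
        return None
    return (username, balance)


def demo():
    """Run the slide's payload against both code paths."""
    conn = build_db()
    payload = "' OR '1'='1'--"  # tautology plus comment, as on the diagram
    leaked = vulnerable_login(conn, payload, "anything")  # every account comes back
    blocked = safe_login(conn, payload, "anything")       # treated as a literal username
    legit = safe_login(conn, "alice", "correct horse")
    return len(leaked), blocked, legit


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the quote closes the string literal, the tautology makes the WHERE clause true for every row, and the trailing comment discards the password check; the parameterized path sends the same bytes as data, so the query matches no user. Hashing happens after the lookup, so a wrong password and an unknown user both return None.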
Check-box driven
• Passing the audit and avoiding fines is the goal
• Compliance-driven organizations forego security
Framework/controls/audit oriented
• Existence of controls against a standard
• Not a true risk analysis
Assessing security weakness
• Many vulnerabilities found, fewer remediated
"Threat Hunting"
• Allowing a focus on threats to drive security focus
Security Risk Management
Security Risk Management
• Educate the business on the possible damage from a vulnerability
Heard in practice:
• "Only do what is necessary to pass the audit"
• "Missing controls lead to 'high risk'"
• Must fall back to FUD arguments; the security team as "traffic cop"
• "I don't think this vuln will be exploited"
• "I have to get this release done, I'll accept the risk"

Risk triad used in the diagram
Assets
• Applications
• Technology
• Data – PII/PHI
• Workers – CSRs
Vulnerabilities and Controls
• SQLi
• Strong encryption
• Call center authentication
Threat
• Threat: undesired event on an asset
• Attack: manifestation of a threat
Impact
• Value of damage as a result of an attack: legal, operational, IP, reputation
Security Compliance → Risk Management → RISK: Risk-Based Threat Modeling
Threat Modeling
• Identifies security countermeasures based on likelihood and impact
• Threat focused – mitigation as a business problem
• Collaboration among stakeholders
PASTA – Process for Attack Simulation and Threat Analysis
… risk into business risk
§ Promotes greater risk understanding by all stakeholders
§ Focuses the security program on the areas of greatest business impact
Threat Modeling (diagram: Security & Controls, Asset, Threat, Impact → RISK)
§ Predictive – anticipates attack and response
§ Measures security program effectiveness from a business-impact perspective
§ Adds credibility to risk assessments
What each approach considers

Factor               PASTA   SDLC threat modeling
Threat – attacks       x       x
Technical weakness     x       x
Threat – motives       x
Assets                 x
Business impact        x
Countermeasures        x

Possibility vs. probability
Risk questions: How big? How likely? What are the options?
Banking Application
Organization: North America Retail Banking
General description: The online banking application allows customers to perform banking activities, such as financial transactions, over the internet. Supported transactions include bill payments, wires, funds transfers between the customer's own accounts and to other banks, account balance inquiries, transaction inquiries, bank statements, and new bank account, loan and credit card applications. New online customers register an online account using their existing debit card, PIN and account information. Customers authenticate to the application with username and password plus different types of Multi-Factor Authentication (MFA) and Risk-Based Authentication (RBA).
Application type: Internet facing
Data classification: Public, Non-Confidential, Sensitive and Confidential PII
Inherent risk: HIGH (infrastructure, limited trust boundary, platform risks, accessibility)
High-risk transactions: Yes
User roles: Visitor, customer, administrator, customer support representative
Number of users: 3 million registered customers
Business Impact – What?
Business objectives and impact
• Organization
• Cost of damage
• Security requirements
Digital assets
• Applications
• Technology
• Data
• People
1. Decompose technology and application tiers
2. Map application use cases – user roles, data, technology
3. Security architecture risk analysis – extract the security exposure of the assets
Risk Identification via Attack Trees
Goal: obtain customer credit card (CC) data
Attack user / browser
• Phishing email / social engineering → take credentials and CC data from the user
• Clickjacking → serve an invisible frame that runs malware
Attack web application
• Automated SQL injection attack to upload malware → serve a malicious IFRAME to a victim visiting the web site
• SQL injection exploit → alter the query to get CC data
• Exploit weak session management → session fixation to get access to CC data; impersonate a user to get access to CC data
• Insecure cryptographic storage/transit → upload a sniffer to capture non-encrypted CC data
Derived test cases
#1 Test the web application assuming browser compromise and/or automation attacks
#2 Test for SQL injection and code injection (frames) vulnerabilities
#3 Test encryption of sensitive CC data in storage and transit
#4 Test for session fixation and hijacking
… for security programs
• Simulated attacks provide evidence to support threat claims
• Expressing risk in technical and business terms promotes a common understanding of risk
• Business-oriented measurements to make remediation decisions
Threat Modeling (diagram: Security & Controls, Asset, Threat, Impact → RISK)
… & Measure
• Visibility around risk issues needs to happen vertically and horizontally
• Risk issues need to correlate to business impact areas and threats to the organization
• Remediation efforts should be measured against key risk indicators to show progress
Threat Analysis
• Knowing today's threats and how they relate to a company's highest-value target areas is key
Attack Surface
• Companies need to know their IT footprint; many did not know the extent of their IT, physical, or vendor footprint
Manage Risk
• Risk issues need ongoing management, where assessments feed a risk register
Business Use Cases for Threat Modeling (Threat Model → ERM/ORM, Security, Business)
§ ROSI analysis on proposed countermeasures
§ Remediation prioritization based on operational risk
§ Drive security into the SDLC
§ Exception handling
§ Improve reporting; include cyber in the operational risk register
§ Rationalize cyber insurance coverage