
What is RISK?  requires vulnerability  likelihood of successful attack



Presentation Transcript


  1. Risk/Threat Assessment. What is RISK? Risk requires a vulnerability, the likelihood of a successful attack, and the amount of potential damage. Two approaches: threat modeling and OCTAVE.

  2. Threat Modeling (part of Microsoft's Trustworthy Computing). ______: the potential and cost of a harmful event or attack, which is realized by an… ______ that occurs due to a… __________ that should be mitigated by a… ____________.

  3. Threat Modeling (part of Microsoft's Trustworthy Computing). Why? The players: • Customers • Business analysts • Software architects • Developers • Testers

  4. Threat Modeling Steps

  5. Step 1: Identify Security Objectives. Identify the system assets. Focus on confidentiality, integrity and availability. • What can we prevent? • What do we care about most? • What is the worst thing that can happen? • What laws and regulations apply?

  6. Step 2: Describe System Architecture. Two ways to depict software architecture: the Class Diagram and the Data Flow Diagram.

  7. Class Diagrams. A picture depicting classes and their interconnections. (The basic notation and a simple example are given as figures.)

  8. Data Flow Diagrams. A picture depicting how data flows within a software system. (The basic notation and a simple example are given as figures.)

  9. DFD Rules. 1) Every process is labeled with a verb phrase. 2) Every data flow is labeled with a noun phrase. 3) Sources, sinks and data stores are named with noun phrases. 4) Every process must have at least one entering and one exiting data flow. 5) Data stores cannot connect to each other without an intervening process.

  10. Data Flow Example 2: Make an Omelet (figure).

  11. Step 3: Decompose the app. Drill down to the details of the software architecture. Class diagram: include methods, packages and inner classes; include files, external calls and parameter lists. Data flow diagram: processes are expanded into further processes and flows _____________

  12. Data Flow Example 3: Email System. DFDs are usually constructed via refinement. This is a possible Level 0 DFD (figure).

  13. Data Flow Example 3, continued. This is a possible Level 1 DFD (figure).

  14. Data Flow Example 3, continued. This is a possible Level 2 refinement (figure).

  15. Step 4: Identify Threats. This requires a systematic approach: 1) look at the detailed design for trust boundaries, entry points and exit points; 2) use a classification framework like STRIDE: Spoofing (authenticity), Tampering (integrity), Repudiation (non-repudiation), Information disclosure (confidentiality), Denial of service (availability), Elevation of privilege (authorization). http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

  16. Data Flow Example 3 …again (figure).
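The step 4 walk over a DFD, as an added example that is not part of the slides: a small model of the email system from Example 3 (the element names, trust zones and flows below are constructed for this example, not read off the slide figures), a check for DFD rules 4 and 5 from slide 9, and STRIDE-per-element enumeration of candidate threats with the flows that cross a trust boundary flagged so they are examined first. The STRIDE-per-element table (entity: S, R; process: all six; store: T, R, I, D; flow: T, I, D) is Microsoft's published mapping; everything else in the model is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "entity" (source or sink), "process" or "store"
    zone: str   # trust zone; a flow whose ends sit in different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    label: str  # noun phrase (DFD rule 2)
    src: str
    dst: str


# Microsoft's STRIDE-per-element table: which categories apply to which DFD element kind
STRIDE_PER_ELEMENT = {"entity": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}


def check_dfd_rules(elements, flows):
    """Return a list of violations of DFD rules 4 and 5 (an empty list means the DFD passes)."""
    by_name = {e.name: e for e in elements}
    problems = []
    for f in flows:
        missing = [end for end in (f.src, f.dst) if end not in by_name]
        if missing:
            problems.append(f"flow '{f.label}' references unknown element(s) {missing}")
            continue
        if by_name[f.src].kind == "store" and by_name[f.dst].kind == "store":
            problems.append(f"rule 5: stores {f.src} and {f.dst} are joined directly by '{f.label}'")
    for e in elements:
        if e.kind == "process":
            has_in = any(f.dst == e.name for f in flows)
            has_out = any(f.src == e.name for f in flows)
            if not (has_in and has_out):
                problems.append(f"rule 4: process '{e.name}' lacks an entering or an exiting flow")
    return problems


def enumerate_threats(elements, flows):
    """STRIDE-per-element: one candidate threat per (element or flow, applicable category).
    Each item is (target, category, crosses_trust_boundary)."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f"{f.src} -> {f.dst} [{f.label}]", STRIDE_NAMES[letter], crosses))
    return threats


def boundary_threats(elements, flows):
    """The subset to review first: threats on flows that cross a trust boundary."""
    return [t for t in enumerate_threats(elements, flows) if t[2]]


# Constructed DFD of the email system (assumed names and zones, not the slides' figure)
EMAIL_ELEMENTS = [
    Element("Sender", "entity", "internet"),
    Element("Deliver mail", "process", "dmz"),
    Element("Mailbox", "store", "dmz"),
    Element("Recipient", "entity", "internet"),
]
EMAIL_FLOWS = [
    Flow("outgoing message", "Sender", "Deliver mail"),
    Flow("stored message", "Deliver mail", "Mailbox"),
    Flow("mailbox contents", "Mailbox", "Deliver mail"),
    Flow("delivered message", "Deliver mail", "Recipient"),
]

# A deliberately broken DFD: a store wired straight to a store, and a process with no exit flow
BAD_ELEMENTS = [
    Element("Queue", "store", "dmz"),
    Element("Archive", "store", "internal"),
    Element("Index mail", "process", "internal"),
]
BAD_FLOWS = [
    Flow("old messages", "Queue", "Archive"),
    Flow("message to index", "Archive", "Index mail"),
]

if __name__ == "__main__":
    print("email DFD problems:", check_dfd_rules(EMAIL_ELEMENTS, EMAIL_FLOWS))
    print("bad DFD problems:", *check_dfd_rules(BAD_ELEMENTS, BAD_FLOWS), sep="\n  ")
    for target, category, crosses in enumerate_threats(EMAIL_ELEMENTS, EMAIL_FLOWS):
        print(f"{'*' if crosses else ' '} {category:22} {target}")
```

The enumeration is deliberately exhaustive: 26 candidates for four elements and four flows. The trust-zone flag is what keeps that list workable, since the six candidates on the two flows crossing the internet/DMZ boundary are the ones an attacker can reach without first compromising something inside.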

  17. Attack Trees. Attack trees (also called threat trees) describe the nature of an attack. Drawing attack trees helps with understanding, discovering and mitigating threats. Notation: • a tree • the root is the goal of the attack • the children of a node define methods to achieve the parent • children may be ORed or ANDed. http://www.schneier.com/paper-attacktrees-ddj-ft.html

  18. Example (attack tree figure).
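Schneier's cost analysis on an attack tree, as an added example that is not from the slides or the linked paper: AND/OR nodes, the cheapest attack, every set of leaves that achieves the root, and the effect of a mitigation that rules a leaf out. The tree, its leaf costs and the mitigations are made up for illustration.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional

INF = float("inf")


@dataclass
class Node:
    goal: str
    op: str = "OR"                  # "OR": any child achieves the goal; "AND": all children are needed
    cost: Optional[float] = None    # attacker cost of a leaf; interior nodes derive theirs
    possible: bool = True           # set False once a countermeasure rules the leaf out
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node):
    """Return (cost, leaf goals) of the cheapest way to reach node.goal, or (INF, []) if impossible."""
    if not node.children:
        return (node.cost, [node.goal]) if node.possible else (INF, [])
    results = [cheapest_attack(c) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    cost = sum(r[0] for r in results)                     # AND: pay for every child
    leaves = [leaf for r in results for leaf in r[1]]
    return (cost, leaves) if cost < INF else (INF, [])


def attack_scenarios(node):
    """Every set of leaves that achieves the goal (one list per distinct attack)."""
    if not node.children:
        return [[node.goal]] if node.possible else []
    child_sets = [attack_scenarios(c) for c in node.children]
    if node.op == "OR":
        return [s for sets in child_sets for s in sets]
    # AND: one scenario per combination of the children's scenarios; an impossible child yields none
    return [[leaf for s in combo for leaf in s] for combo in product(*child_sets)]


def mitigate(node, leaf_goal):
    """Mark a leaf impossible (the countermeasure removed that path); returns True if the leaf was found."""
    if not node.children:
        if node.goal == leaf_goal:
            node.possible = False
            return True
        return False
    return any(mitigate(c, leaf_goal) for c in node.children)


def build_tree():
    """Constructed tree for the email system; goals and dollar costs are assumptions."""
    return Node("Read victim's mailbox", "OR", children=[
        Node("Guess or crack the password", cost=20),
        Node("Hijack a mail session", "AND", children=[
            Node("Get onto the same network", cost=50),
            Node("Sniff the unencrypted session", cost=10),
        ]),
        Node("Exploit the mail server", cost=500),
        Node("Coerce the administrator", cost=100, possible=False),
    ])


def cheapest_after(*mitigated_leaves):
    """Build a fresh tree, apply the given mitigations, and return the cheapest remaining attack."""
    tree = build_tree()
    for leaf in mitigated_leaves:
        mitigate(tree, leaf)
    return cheapest_attack(tree)


if __name__ == "__main__":
    print("scenarios:", attack_scenarios(build_tree()))
    print("cheapest now:", cheapest_after())
    print("with lockout + strong passwords:", cheapest_after("Guess or crack the password"))
    print("plus TLS on the session:", cheapest_after("Guess or crack the password",
                                                    "Sniff the unencrypted session"))
```

Re-running the cheapest-attack query after each mitigation is the point of the exercise: the defender's cost of a countermeasure can be compared against how much it raises the attacker's cheapest path (from 20 to 60 to 500 here), and a mitigation on an AND branch only needs to kill one of the branch's leaves.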

  19. Step 5: Rate Threats. Develop a systematic approach: start with an accepted approach, then adjust the weighting with experience. Two possible approaches: • Risk = Threat X Asset • DREAD

  20. Risk = Threat X Asset. The basic formula: Risk = Threat probability * Damage potential. Threat probability accounts for exploitability and mitigations. Damage potential is basically the cost or impact. Ranges? Numbers can be difficult to use; 3 to 5 categories are usually sufficient.

  21. DREAD (Microsoft's first model). Damage potential: how much damage will the exploit produce? Reproducibility: how likely is it for the attack to recur? Exploitability: how easy is it to carry out the attack? Affected users: what fraction of users will be affected? Discoverability: what are the odds an attacker can find the vulnerability? Risk = min(D, (D+R+E+A+D)/5)

  22. Problems with DREAD. Originally, each vulnerability was graded on each DREAD factor from 0 (no threat) to 10 (high). It's not simple. It's subjective. There is frequent disagreement over risk numbers: customers don't agree with developers, and people in the same role don't agree with each other. This led to a simpler severity rating system...

  23. A Graph of Threats (figure): threats plotted by probability of occurrence (Low, Modest, Medium, High) against potential damage (Low, Modest, Medium, High).
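Rating a handful of threats with both approaches from slides 19 to 23, as an added example that is not from the slides: the categorical Risk = probability x damage product on the graph's four-step scale, the DREAD formula exactly as stated on slide 21, and placement on the High/Medium/Low graph. The threats, their scores and the High/Medium/Low cut-offs are assumptions. The two methods rank the same threats in a different order, which is the disagreement slide 22 warns about.

```python
LEVELS = ["Low", "Modest", "Medium", "High"]   # the graph's four-step scale, ranked 1..4


def categorical_risk(probability, damage):
    """Risk = threat probability x damage potential on ranked categories (1..4 each)."""
    return (LEVELS.index(probability) + 1) * (LEVELS.index(damage) + 1)


def dread(d, r, e, a, disc):
    """The slides' DREAD formula: min(D, (D+R+E+A+D)/5), each factor graded 0..10."""
    scores = (d, r, e, a, disc)
    if any(not 0 <= s <= 10 for s in scores):
        raise ValueError("DREAD factors are graded 0 (no threat) to 10 (high)")
    return min(d, sum(scores) / 5)   # the min() caps risk at the damage potential


def severity(probability, damage):
    """Zone on the probability/damage graph. Cut-offs (product 9+ High, 4+ Medium) are an assumption."""
    score = categorical_risk(probability, damage)
    return "High" if score >= 9 else "Medium" if score >= 4 else "Low"


# Constructed threats for the email system with made-up ratings:
# (name, probability, damage potential, (D, R, E, A, D))
THREATS = [
    ("Spoofing: forged sender address accepted", "High", "Medium", (6, 8, 9, 10, 9)),
    ("Tampering: message altered in transit", "Modest", "High", (8, 5, 4, 6, 5)),
    ("Denial of service: mailbox store filled", "Medium", "Modest", (4, 10, 8, 10, 8)),
    ("Information disclosure: mailbox readable by other users", "Low", "High", (9, 10, 3, 5, 2)),
]


def rank_by(method, threats=THREATS):
    """Threat names ordered highest risk first, by 'categorical' or 'dread'."""
    def score(t):
        _, prob, dmg, factors = t
        return categorical_risk(prob, dmg) if method == "categorical" else dread(*factors)
    return [t[0] for t in sorted(threats, key=score, reverse=True)]


if __name__ == "__main__":
    for name, prob, dmg, factors in THREATS:
        print(f"{categorical_risk(prob, dmg):3} {severity(prob, dmg):6} "
              f"DREAD={dread(*factors):4.1f}  {name}")
    print("categorical order:", rank_by("categorical"))
    print("DREAD order:      ", rank_by("dread"))
```

Two things to notice in the output: the denial-of-service threat averages 8.0 across the DREAD factors but the min() term caps it at its damage potential of 4, and the categorical product puts it above information disclosure while DREAD puts it last. Whichever scheme is used, the weights and cut-offs should be written down once and then adjusted with experience, as slide 19 says, rather than re-argued per threat.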
