Today, many organizations face unprecedented cyber and insider threats to the data and information they store, process and transmit. Because of these threats, companies are investing heavily in cyber security, which makes it an essential concept for the CISSP candidate.
Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Compliance with narrowly focused standards may not be sufficient to prevent or detect a sophisticated cyber-attack.
Where do we start when tasked to protect everything?
Before we can complete our strategy, we need to understand the components of how to address risk in our environment:
Risk is based on threats to our organization.
Threats are focused on valuable resources.
Threat modeling is a structured approach to identifying, quantifying, and addressing threats. It allows system security staff to communicate the potential damage of security flaws and prioritize remediation efforts.
In threat modeling, we cover the three main elements:
Assets: What valuable data and equipment should be secured?
Threats: What may an attacker do to the system?
Vulnerabilities: What flaws in the system allow an attacker to realize a threat?
In an organization, different threats target different layers of the organization's framework and environment. The three main layers a threat can target are:
Network: Threats include spoofed or malicious packets, etc.
Host: Threats include buffer overflows, malicious files, etc.
Application: Threats include SQL injection, XSS, input tampering, etc.
Who Does Threat Modeling, and When
Ideally, threat models are created during system design before any deployment. In practice, threat models are often created for existing systems, making it part of maintenance. System designers with security experience are best equipped to identify the threats.
Steps to Threat Modeling
Identify the Assets
Describe the Architecture
Break down the Applications
Identify the Threats
Document and Classify the Threats
Rate the Threats
Identifying the Assets:
In this step, we identify the potential assets that are valuable to the organization:
Entry and exit points
System assets and resources
Trust levels (access categories)
Describe the architecture:
In this process, we describe the architecture on which the valuable asset is being processed. It may include the software framework, version, and other architectural details.
Break down the application:
In this step, we break down the application into its processes, listing all the sub-processes that make up the application.
Identifying the threats:
In this step, we list the threats descriptively so that they can be reviewed and processed further.
Categorizing and classifying the threats:
In this step we categorize each threat into predefined classes, such as:
Tampering with Data
Denial of Service
Elevation of Privilege
Rate the threats:
In this step we rate the severity of the threat based on a scale developed by Microsoft:
Damage Potential: How bad can an exploit hurt?
Reproducibility: How reliably can the flaw be exploited?
Exploitability: How easy is the flaw to exploit?
Affected Users: How many users can be impacted by an exploit?
Discoverability: How “visible” is the vulnerability?
A corporation has a data collection web application that allows users to log in and enter or change personal data.
The following information was collected on the application:
Web Application – ASP.Net
Database – SQL Server 2000
User Login Credentials
User Personal Information
Microsoft Threat Reporting Template:
ID – Unique ID # of the threat
Name – Brief name of the threat to the asset
Description – Detailed description of threat and its importance.
STRIDE – How can we classify this threat?
Mitigated – Is the application safe from this threat?
Known Mitigation – How can we protect against the threat?
Investigation Notes – What do we know about this threat so far?
Entry Points – What possible entry points does an adversary have?
Assets – What assets could be damaged?
Threat Tree – How can we visualize the threat? (Optional)
Name: Login Subversion
Description: An adversary tries to inject SQL commands through a request into the application to circumvent the login process.
STRIDE Classification: Tampering with data, Elevation of privilege
Known Mitigation: Stored Procedures, Parameterized Queries
Investigation Notes: The database calls in the application were reviewed, and string concatenation was used to build the login query.
Entry Point: Login Page
Assets: Access to backend database
Threat Tree: None
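As an added illustration of the Login Subversion entry above (not code from the original article), the following Python uses an in-memory SQLite table, a constructed stand-in for the SQL Server backend, to contrast the string-concatenated login query that the investigation notes found with the parameterized query listed as a known mitigation. A legitimate username containing an apostrophe is enough to show that concatenation lets user data change the query's structure.

```python
import hashlib
import sqlite3


def _h(pw: str) -> str:
    # SHA-256 keeps the example short; a real system uses a slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the SQL Server backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for name, pw in [("alice", "correct horse"), ("o'brien", "battery staple")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, _h(pw)))
    conn.commit()
    return conn


def login_concat(conn, username: str, password: str) -> bool:
    """The flaw from the investigation notes: the query text is assembled by
    string concatenation, so user input becomes part of the SQL grammar."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + _h(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username: str, password: str) -> bool:
    """Known mitigation: a parameterized query. The SQL text is fixed and the
    driver sends the values separately, so they can never alter the query."""
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, _h(password))).fetchone() is not None


def concat_query_breaks(conn, username: str, password: str) -> bool:
    """True when the concatenated query no longer parses for this input."""
    try:
        login_concat(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True
```

The same property that makes the concatenated query fail on "o'brien" is what lets crafted input rewrite it; the parameterized form authenticates that user correctly and cannot be rewritten.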
Categorizing Threats with STRIDE:
A standardized acronym created by Microsoft to help categorize threats. STRIDE stands for:
Spoofing
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Rating Threats with DREAD:
A standardized acronym created by Microsoft to rate the severity of a threat. Each quality is rated on a scale developed for each project. For most projects, a scale of 1 to 3 is sufficient.
Damage Potential – How bad can an exploit hurt?
Reproducibility – How reliably can the flaw be exploited?
Exploitability – How easy is the flaw to exploit?
Affected Users – How many users can be impacted by an exploit?
Discoverability – How “visible” is the vulnerability?
Example rating descriptions for each quality, listed from the highest rating to the lowest:
Damage Potential:
Attacker can retrieve extremely sensitive data and corrupt or destroy data
Attacker can retrieve sensitive data but do little harm
Attacker can only retrieve data that has little or no potential for harm
Reproducibility:
Works every time; does not require a timing window or specific extreme cases
Timing-dependent; works only within a time window
Exploitability:
Just about anyone could do it
Attacker must be somewhat knowledgeable and skilled
Attacker must be very knowledgeable and skilled
Affected Users:
Most or all users
Few if any users
Discoverability:
Attacker can easily discover the vulnerability
Attacker might discover the vulnerability
Attacker will have to dig to discover the vulnerability
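As an added example (not from the article), the following Python combines the threat reporting template, the STRIDE classification and the DREAD rating described above: each threat is one template entry, STRIDE letters are validated against the full category set, each rating is checked against the project's scale, and threats are ordered for remediation. The DREAD values assigned to the Login Subversion entry are illustrative assumptions, not values given in the article.

```python
from dataclasses import dataclass, field

# Full STRIDE category set and the five DREAD qualities from the article.
STRIDE = {"S": "Spoofing", "T": "Tampering with Data", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD = ("Damage Potential", "Reproducibility", "Exploitability",
         "Affected Users", "Discoverability")

@dataclass
class Threat:
    """One entry of the Microsoft threat reporting template from the article."""
    threat_id: int
    name: str
    description: str
    stride: str                  # STRIDE letters, e.g. "TE"
    known_mitigation: str
    entry_points: str
    assets: str
    mitigated: bool = False
    investigation_notes: str = ""
    dread: dict = field(default_factory=dict)   # quality -> rating

    def __post_init__(self):
        unknown = set(self.stride) - set(STRIDE)
        if unknown:
            raise ValueError(f"unknown STRIDE letters: {sorted(unknown)}")

def rate(threat: Threat, ratings: dict, scale_max: int = 3) -> int:
    """Store one rating per DREAD quality on the project's 1..scale_max scale
    (1 to 3 suffices for most projects, per the article) and return the total."""
    if set(ratings) != set(DREAD):
        raise ValueError("every DREAD quality must be rated exactly once")
    for quality, r in ratings.items():
        if not 1 <= r <= scale_max:
            raise ValueError(f"{quality}: {r} is outside 1..{scale_max}")
    threat.dread = dict(ratings)
    return sum(ratings.values())

def prioritize(threats: list) -> list:
    """Names in remediation order: unmitigated first, highest DREAD total first."""
    order = sorted(threats, key=lambda t: (t.mitigated, -sum(t.dread.values())))
    return [t.name for t in order]

# The article's Login Subversion entry; the DREAD values are assumed for illustration.
LOGIN = Threat(1, "Login Subversion", "SQL injected via a request to bypass login",
               "TE", "Stored Procedures, Parameterized Queries", "Login Page",
               "Access to backend database", investigation_notes="string concat")
LOGIN_TOTAL = rate(LOGIN, {"Damage Potential": 3, "Reproducibility": 3,
                           "Exploitability": 3, "Affected Users": 3, "Discoverability": 2})
```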
Threat modeling helps organizations prioritize their processes with respect to threats and respond effectively. It is carried out through the complete life cycle of a process, from initiation to deployment, and remains under consideration during maintenance. For CISSP training, the candidate must know all the steps of threat modeling and should also know how to use the threat modeling technique to mitigate threats in the most effective manner.