
LESSON TITLE: THREAT MODELING
9/26/11
Copyright © 2008, 2009, 2011 by Dale R. Thompson {[email protected]}

Rationale
Why is this lesson important? Why does the student need this lesson? How does this lesson fit in the larger module?

It is important to have a process to rank the risks to a system. The student needs this lesson to be able to identify, quantify, and mitigate threats to a system. The lesson provides the process that will be used throughout the course to determine the priority of threats.

Objective(s)
What will the student know, be able to do, and value at the end of this lesson? This is a smaller amount of information than the module objectives.

The student will be able to describe all the STRIDE threat model categories.

Exploration
Explicit concepts related to the Module goal are explored. It is at this point that the student will be provided basic information about the topic and the chance to explore some basic concepts about the topic. This is where the instructor imparts information.

• Terminology
  o Threat – a potential event that causes damage to an asset.
  o Threat modeling – a security analysis technique for determining the most important security risks to a system. The goal is to reduce risk to an acceptable level by deciding which threats to mitigate and the steps needed to mitigate them.
  o Vulnerability – a weakness in the system that a threat can exploit.
  o Attack – an attacker taking advantage of a vulnerability to realize a threat.
  o Asset – something of value; in threat modeling an asset is called a threat target.
  o Threat target – an asset.

• Three components of security (an attack needs all three; take one or more away to mitigate a threat)
  o Assets
  o Vulnerabilities
  o Attackers

• Threat modeling steps (teach this section by using an example)
  o Assemble the team
    - Design, sales, marketing, manufacturing, etc.
    - Led by someone with a security background
  o Decompose the system
    - Describe data flow diagrams (DFDs). DFD elements:
      • Process
      • Multiple processes
      • Data store
      • Boundary (trust boundary)
      • Interactor
      • Data flow
    - High-level context diagram
    - High-level physical view
    - List components
      • Each component is an asset and is also called a threat target
  o Determine the threats to the system
    - Apply the STRIDE threat model, an effective classification model, to each threat target
      • Spoofing occurs when an attacker successfully poses as an authorized user of a system.
      • Tampering with data occurs when an attacker modifies, adds, deletes, or reorders data.
      • Repudiation occurs when a user denies an action and no proof exists that the action was performed.
      • Information disclosure occurs when information is exposed to a user who is not authorized to see it.
      • Denial of service denies service to valid users. Denial-of-service attacks are easy to accomplish and difficult to guard against.
      • Elevation of privilege occurs when an unprivileged user or attacker gains higher privileges in the system than they are authorized to have.


  o Create a threat tree for each threat target
    - List the classification (STRIDE category) and the threat target(s)
    - Threat tree – describes the steps an attacker would take to realize the threat.
  o Determine the risk for each threat tree
    - Risk = (damage potential of the vulnerability) x (likelihood that the vulnerability is exploited)
    - DREAD is an acronym for damage potential, reproducibility, exploitability, affected users, and discoverability [1]. Each of the five categories is ranked from one to ten, with ten being the highest risk, and the scores are averaged to obtain a quantitative risk score.
    - Apply DREAD
      • Damage potential is an estimate of the amount of damage the threat can cause.
      • Reproducibility is how easy it is to get the attack to work reliably.
      • Exploitability is the amount of effort and expertise required to carry out the attack (less effort means a higher score).
      • Affected users estimates the number of users affected.
      • Discoverability ranks the probability that the threat will be discovered; it is sometimes set to the maximum value on the assumption that the threat will eventually be discovered.
  o Rank threats by decreasing risk
  o Mitigation
    - Choose whether to respond to the threat
    - Choose a technique to mitigate the threat

      Mitigation techniques for each category in the STRIDE model [1]

      Category                 Techniques
      Spoofing identity        Appropriate authentication, Protect secrets, Don't store secrets
      Tampering with data      Appropriate authentication, Hashes, Message authentication codes, Digital signatures, Tamper-resistant protocols
      Repudiation              Digital signatures, Timestamps, Audit trails
      Information disclosure   Authorization, Privacy-enhanced protocols, Encryption, Protect secrets, Don't store secrets
      Denial of service        Appropriate authentication, Appropriate authorization, Filtering, Throttling, Quality of service
      Elevation of privilege   Run with least privilege

    - Choose appropriate technologies
      • Examples
        o A particular encryption algorithm
        o A particular hash function
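The risk-ranking part of the process above (list the threat targets from the DFD, apply STRIDE to each, score with DREAD, rank by decreasing risk), carried through in code as an added example. This is not part of the original lesson; the three-component web application, the four threats and their scores are constructed for illustration, and the option to pin discoverability to ten follows the convention described under "Apply DREAD".

```python
from dataclasses import dataclass

# STRIDE categories; each one is applied to every threat target from the DFD.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    """One threat against one threat target, with its five DREAD scores (1..10)."""
    target: str
    category: str        # a STRIDE letter
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_scores(self, assume_discovered: bool = True) -> dict:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        scores = {f: getattr(self, f) for f in DREAD_FIELDS}
        for name, value in scores.items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")
        if assume_discovered:
            # Lesson convention: assume the threat will eventually be found.
            scores["discoverability"] = 10
        return scores

    def risk(self, assume_discovered: bool = True) -> float:
        """Quantitative DREAD risk: the average of the five scores."""
        scores = self.dread_scores(assume_discovered)
        return sum(scores.values()) / len(scores)


def stride_checklist(targets):
    """Every (target, category) pair the team has to consider."""
    return [(t, c) for t in targets for c in STRIDE]


def rank_threats(threats, assume_discovered: bool = True):
    """Threats by decreasing risk; ties broken by damage, then target name."""
    return sorted(threats,
                  key=lambda t: (-t.risk(assume_discovered), -t.damage, t.target))


# Constructed scenario: a small web application decomposed into three threat targets.
TARGETS = ["Browser (interactor)", "Web server (process)", "User DB (data store)"]

SAMPLE_THREATS = [
    Threat("Web server (process)", "S", "Forged session cookie impersonates another user",
           damage=8, reproducibility=6, exploitability=5, affected_users=7, discoverability=6),
    Threat("User DB (data store)", "I", "Password hashes read through SQL injection",
           damage=9, reproducibility=9, exploitability=7, affected_users=10, discoverability=8),
    Threat("Web server (process)", "D", "Login endpoint flooded with requests",
           damage=5, reproducibility=10, exploitability=9, affected_users=10, discoverability=10),
    Threat("User DB (data store)", "R", "Admin deletes records; no audit trail exists",
           damage=6, reproducibility=8, exploitability=3, affected_users=4, discoverability=3),
]

if __name__ == "__main__":
    print(f"{len(stride_checklist(TARGETS))} target/category pairs to review")
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.risk():4.1f}  {STRIDE[t.category]:<23} {t.target}: {t.description}")
```

Scoring the same threats with assume_discovered=False drops the SQL-injection threat below the login flood. That is the point of the discoverability convention: a threat that is hard to find today is not a low-risk one once somebody finds it, so the team usually pins the score rather than let it pull the average down.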
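An added example (not from the lesson) of the last two mitigation steps for one STRIDE category: picking a tampering technique from the table above (hash versus message authentication code) and then the concrete technology (HMAC-SHA256 from the Python standard library). The message, the attacker's edit and the key are constructed for the demo; the point it shows is that an unkeyed hash travelling with the data does not stop a tamperer who can recompute it.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for both the hash and the HMAC tag

# Constructed demo key. In a real system it lives outside the code and the data
# store ("Protect secrets" / "Don't store secrets" in the mitigation table).
KEY = b"constructed-demo-key-do-not-reuse"


def protect_with_hash(message: bytes) -> bytes:
    """Append an unkeyed SHA-256 digest. Detects accidental corruption only."""
    return message + hashlib.sha256(message).digest()


def verify_hash(blob: bytes) -> bool:
    if len(blob) < TAG_LEN:
        return False
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def protect_with_mac(message: bytes, key: bytes = KEY) -> bytes:
    """Append HMAC-SHA256 over the message; only a key holder can produce a valid tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(blob: bytes, key: bytes = KEY) -> bool:
    if len(blob) < TAG_LEN:
        return False
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks how many tag bytes matched via timing.
    return hmac.compare_digest(expected, tag)


def attacker_tampers(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker on the data flow edits the message and recomputes the unkeyed
    hash. Without KEY this is also the best they can do against the MAC."""
    message = blob[:-TAG_LEN].replace(old, new)
    return message + hashlib.sha256(message).digest()


def demo():
    """Return (hash_accepts_forgery, mac_accepts_forgery) for a constructed message."""
    msg = b"transfer 100 to alice"
    forged_hash = attacker_tampers(protect_with_hash(msg), b"alice", b"mallory")
    forged_mac = attacker_tampers(protect_with_mac(msg), b"alice", b"mallory")
    return verify_hash(forged_hash), verify_mac(forged_mac)


if __name__ == "__main__":
    hash_ok, mac_ok = demo()
    print("unkeyed hash accepts the forged message:", hash_ok)  # True
    print("HMAC accepts the forged message:", mac_ok)           # False
```

The MAC closes the tampering threat but not the repudiation one: both ends hold the same key, so a valid tag cannot show which of them produced the message. That is why the table lists digital signatures, timestamps and audit trails under repudiation rather than message authentication codes.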

Reflection
Several questions are posed to the student to answer and then often discuss as a class. This is an attempt to determine whether the student "gets" the basic concepts delivered above. If they do get it, move on to engagement. If they do not get it, go back to exploration above. It could be as simple as asking a few probing questions or as complex as asking the student to write a paper.

• What are threats, a vulnerability, assets, and threat targets?
• What is the goal of threat modeling?
• What is the symbol in data flow diagrams for a process, multiple processes, a data store, a boundary, an interactor, and a data flow?
• What does STRIDE stand for?
• What does DREAD stand for?



• Review of the threat modeling process
  o Decompose the system
    - High-level context diagram
    - High-level physical view
    - List components
  o Determine the threats to the system
    - Apply STRIDE
    - Create a threat tree for each threat target
  o Determine the risk for each threat tree
    - Apply DREAD
  o Rank threats by decreasing risk
  o Mitigation
    - Choose whether to respond to the threat
    - Choose a technique to mitigate the threat
    - Choose appropriate technologies

Engagement
Concepts learned in the Exploration are further developed by conducting experiments, designing and building solutions, and solving problems. This is an attempt to cause the student to apply the new knowledge. By applying the new knowledge, the student is much more likely to retain this information. This engagement could be accomplished through a debate, an experiment, a problem solving activity, or anything else that would cause the student to demonstrate understanding and competence.

• Describe threat modeling by performing it on a given system in the class.

Expansion
Provide opportunities for students to expand the concepts to more general or global situations including connection to the Module goal. Expand back to the big ideas of the module and prepare for the next lesson.

• Are threats to the tag layer different from threats to the media interface layer?

Lesson Assessment
Assess student understanding of the lesson content. This does not have to be a full-blown examination. It could be a graded homework assignment, a quiz, a performance examination, a graded problem solving activity, or something similar.

• Homework

Equipment
• None

Software
• None

References
[1] Michael Howard and David LeBlanc, Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2003.


Copyright Notice
This material is Copyright © 2008, 2009, 2011 by Dale R. Thompson. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or incorporated in commercial documents without the written permission of the copyright holder.

Acknowledgment
These materials were developed through a grant from the National Science Foundation at the University of Arkansas. Any opinions, findings, and recommendations or conclusions expressed in these materials are those of the author(s) and do not necessarily reflect those of the National Science Foundation or the University of Arkansas.

Liability Release
The curriculum activities and lessons have been designed to be safe and engaging learning experiences and have been field-tested with university students. However, due to the numerous variables that exist, the author(s) does not assume any liability for the use of this product. These curriculum activities and lessons are provided as is without any express or implied warranty. The user is responsible and liable for following all stated and generally accepted safety guidelines and practices.