1 / 29

Threat Modeling and the Zero Day Problem

Threat Modeling and the Zero Day Problem. A quick look at how methodical threat modeling could combat an enterprise’s security problem Christopher Lee. Agenda. Software Vulnerabilities are Out of Control! The Basic Vocabulary of Risk Management What is Threat Modeling

tirzah
Download Presentation

Threat Modeling and the Zero Day Problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threat Modeling and the Zero Day Problem A quick look at how methodical threat modeling could combat an enterprise’s security problem Christopher Lee

  2. Agenda • Software Vulnerabilities are Out of Control! • The Basic Vocabulary of Risk Management • What is Threat Modeling • How does Threat Modeling help, even in the face of Zero-day vulnerabilities?

  3. Coping with Vulnerabilities • Vulnerabilities are being reported at an alarming rate, despite vendors’ focus on writing secure code. CERT/CC Statistics 1988-2007

  4. Cost of Reacting to Those Vulnerabilities… • Two major reactionary response to Software Vulnerabilities • Patching • System –or- Software Reconfiguration • “10% of machines will need to patched manually at a cost of $50/machine”. - Marc Donner, executive director, Morgan Stanley • $50 * 500 = $25,000 (plus the cost of patch management software and patch testing). • …and this is only for one patch in a 5000-node network… • Major software vendors have published their own “Hardening Guidelines” • In essence, accept no system defaults and remove everything that you don’t need. • However, the operating system vendor’s harden recommendation could also prevent some application from working… • More importantly, system and/or software reconfiguration tend to cost even more than applying patches. • Reactive measures are not the answer!

  5. Let’s be Proactive… • More Firewalls? • More IDS/IPS? • More Heuristics? • More Security Widgets? • More Consultants? • Where is the end to this Madness!

  6. Establish the Language… • Asset • Control • Threat • Vulnerability • Risk

  7. Establish the Language - Asset • Asset • Something an organization has determined to be valuable and must be protected. • e.g. Resource, Process, Product, Infrastructure, Engineering Diagrams, and etc

  8. Establish the Language - Safeguard • Control • Product and/or processes employed to mitigate a specific threat( or a group of threats) to an acceptable level • e.g. Firewall, Locked Doors, Smart Cards, DRP/BCP Processes, Insurance, and etc.

  9. Establish the Language - Threat • Threat • Activity that represents possible dangers to the Assets • e.g. Unexpected Destruction of Buildings, Loss of Power, Destructive Virus, Departure of key Technical Staff • Not possible to protect against all threats

  10. Establish the Language - Vulnerability • Vulnerability • Weakness that allow threats to materialize • Absence of sufficient safeguard • e.g. Poorly Designed Network, Improperly Configured Equipment, Poor Choice of Passwords, Lack of Redundancy, and etc.

  11. Establish the Language - Risk • Risk • = Threat * Vulnerability * Assets Values • The degree for which the vulnerability can be exploited by one or more previous identified threats • Assessed either Quantitatively or Qualitatively

  12. Threat Modeling • Overview of the methodology: • Identify Assets • Identify Asset Access Mechanism • Create Architecture Overview • Identify Threats • Document Threats • Qualify Threats

  13. Threat Modeling – a Walkthrough • ACME Inc. • Financial Data Services • Migrate from Global Dialer to Internet • Client-Server application • Client: Visual C++ on Win32 platforms • Server: C++ on AIX • Middleware: WebSphere MQ-Series • Database: DB2

  14. Threat Modeling – a Walkthrough • Step 1, Identify the Assets • The financial data

  15. Threat Modeling – a Walkthrough • Step 2, Identify Asset Access Mechanism • The data is stored in database. And is created, modified, and queried by the end-user through the application server

  16. Threat Modeling – a Walkthrough • Step 3, Create Architecture Overview

  17. Threat Modeling – a Walkthrough • Step 4, Identify the Threats • Eavesdropping Data during Transit • Data Modification/Injection during Transit • Single Points of Failure at • Firewall • Application Server • Database Server • Lack of communication control / physical separation to the DB2

  18. Threat Modeling – a Walkthrough • Step 5, Document the Threats

  19. Threat Modeling – a Walkthrough • Step 6, Qualify the Threats • The DREAD Model (4)

  20. Threat Modeling – a Walkthrough • Threat: Eavesdropping Data during Transit • Damage Potential = 2 • Reproducibility = 3 • Exploitability = 2 • Affected Users = 3 • Discoverability = 2 • RISK = 2 + 3 + 2 + 3 + 2 = 12

  21. Apply the Results of Threat Modeling

  22. Upcoming Advisories?

  23. Time between Vulnerability Discovery and Patch Release • Microsoft Security Bulletin MS05-014 • Vendor Notified on Feb-16-2004 (6) • Patch released on Feb-08-2005 (Previously released on Nov-2004)

  24. The Zero-Day Problem… • Patches and workarounds are released after the fact • So is Anti-Virus signatures… • So is Intrusion Prevention Signatures… • What happens between an exploit for a vulnerability is discovered and when one of the above is released?

  25. Threat Modeling for the Zero-Day • Threat Modeling gives us: • Identification of information assets • Identification of threats and associated qualifications • Basis for Risk Assessment • Risk Mitigation Strategies • Basis for implementation of Products & Processes • No more surprises, no more scrambling, and no more crisis.

  26. Threat Modeling ≠ Silver Bullet • You can’t always eliminate the Risks! • Effectiveness depends on Subject Matter Expertise on the implemented technology • Evolution of Technology

  27. Conclusion • Race between Reactive Countermeasures and Vulnerability Discovery is a fact of life • Systematic defense, build on thorough Threat Modeling methodology, is your best protection • There is still no silver bullet!

  28. References • CERT Statistics: http://www.cert.org/stats/cert_stats.html • Marc Donner, “Bits, Bad Guys, and Bucks”, Volume Three, Issue Two, Secure Business Quarterly, http://www.sbq.com/sbq/patch/sbq_patch_mdonner.pdf • Dana Epp, “Dana Epp's ramblings at the Sanctuary: Understanding Threat Modeling”, retrieved on May 22, 2005, http://silverstr.ufies.org/blog/archives/000611.html • J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, Microsoft Corporation, “Threat Modeling”, retrieved on May 22, 2005, http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp • Carnegie Mellon Software Engineering Institute, “Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0”, retrieved on May 22, 2005 http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017figures.html • Jouko Pynnonen (February, 2005). Posting to the BugTraq mailing list RE: “Internet Explorer zone spoofing with encoded URLs”, retrieved on May 22, 2005, http://www.securityfocus.com/archive/1/389859/2005-02-03/2005-02-09/0

  29. Questions?

More Related