CIS 6614 meeting -*- Outline -*-

* Threat Modeling

** Microsoft's STRIDE approach and tool

The STRIDE tool is a good introductory tool:
it helps make sure the basics are covered

Q: What does STRIDE stand for?

- Spoofing user identity
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Q: What's an example of Spoofing?

   an attacker claiming to be an administrator

Q: How could we define Tampering?

   changing the state of a system or of its data

Q: What's an example of Repudiation?

   A user withdrawing money from a bank, and then saying that they didn't do that...

Q: What's an example of Information disclosure?

   An attacker getting a user's PII

Q: What is an example of Denial of service?

   Attackers tying up all resources answering useless queries

Q: What is an example of Elevation of privilege?

   An attacker becoming an administrator or changing info they shouldn't

** Threat modeling tool

------------------------------------------
DOWNLOADING THE TOOL

Download it from:
  https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

 "The SDL Threat Modeling Tool plugs into
  any issue-tracking system..."

Goal: Identify:
  threats, attacks, vulnerabilities,
  and countermeasures

Steps:
- Defining security requirements
- Creating an application diagram
- Identifying threats
- Mitigating threats
- Validating mitigations
------------------------------------------

Q: Why does Microsoft care about our applications?

- Better computing ecosystem
- We will be training their future employees

*** alternatives

------------------------------------------
ALTERNATIVE TOOL

OWASP Threat Dragon

Download from:
  owasp.org/www-project-threat-dragon/

Vs. Microsoft:
- works from browser
- more for thinking
- less automation
------------------------------------------

Threat Dragon may work better on a Mac...

*** Demo of Threat Modeling

Q: Consider an online banking app.

Q: What data and services would it offer?

------------------------------------------
ONLINE BANKING APP

What data stored?

What services offered?

What user roles?

Draw the DFD and trust boundaries (demo)
------------------------------------------

... data:
- account information (type, owner, contact info, balance)

What user information?
- login, password, 2FA method

... services:
- login
- check balance
- deposit
- withdraw

Is this from a Browser? Cell phone? API?

... users:
- customer
- administrator

Is there API access also?

Steps in modeling:

1. create the model

   Either start with a sample, or create a simple example with:
   - A Human User
   - A Web Server
   - A Generic Data Store
   with 2-way communication between all of these, and
   - An Internet boundary between the user and the web server
   - An App Container boundary between the web server and the generic data store

2. Ask: do we have what we need?

3. Switch to the analysis view
   (magnifying glass, or View > Analysis View)

4. Read each threat and decide:
   a. Is it the right priority?
      (select from the drop-down at the bottom of the Threat Properties pane)
   b. Is this threat justified?
      (If so, record the justification; otherwise delete it)
   c. Do we understand the threat well enough?
   d. How can we mitigate it?

   Iterate for each item in the report.

Look at the final report.
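As an added example (not code from the course or from Microsoft's tool), the following Python sketch applies the STRIDE-per-element chart to the demo DFD above: each element kind gets the STRIDE categories that apply to it, and flows that cross a trust boundary are flagged so they can be prioritised first in step 4a. The chart is the one from Microsoft's published SDL guidance, and the zone names and element names are assumptions made for the demo.

```python
from dataclasses import dataclass

# STRIDE-per-element chart from Microsoft's SDL guidance (assumed here as
# the rule set; the tool's analysis view applies the same idea). For data
# stores, R is only relevant when the store holds audit logs.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of STRIDE_PER_ELEMENT
    zone: str   # trust zone; a flow between two zones crosses a boundary

@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # True only for flows across a trust boundary

def enumerate_threats(elements, flows):
    """Apply the chart to every element and every (src, dst) flow."""
    zone = {e.name: e.zone for e in elements}
    found = [Threat(e.name, STRIDE[c], False)
             for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for src, dst in flows:
        crosses = zone[src] != zone[dst]
        found += [Threat(f"{src} -> {dst}", STRIDE[c], crosses)
                  for c in STRIDE_PER_ELEMENT["data_flow"]]
    return found

def banking_model():
    """The demo DFD: user, web server, data store, two-way flows, an
    Internet boundary and an App Container boundary (zone names assumed)."""
    elements = [Element("Human User", "external_entity", "internet"),
                Element("Web Server", "process", "web tier"),
                Element("Generic Data Store", "data_store", "app container")]
    flows = [("Human User", "Web Server"), ("Web Server", "Human User"),
             ("Web Server", "Generic Data Store"),
             ("Generic Data Store", "Web Server")]
    return elements, flows

def boundary_crossing(threats):
    """Step 4a: review threats on boundary-crossing flows first."""
    return [t for t in threats if t.crosses_boundary]
```

Calling `enumerate_threats(*banking_model())` yields 24 candidate threats, 12 of them on boundary-crossing flows; each still needs the step 4 decisions (priority, justification, mitigation) made by hand.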