corporate threat modeling v2

DESCRIPTION
Presentation by Charl van der Walt and Francesco Geremla at the ITWeb Security Summit in 2009. This presentation is about the methodology behind version 2 of SensePost's threat modeling tool, the Corporate Threat Modeller.

TRANSCRIPT
Single loss expectancy (SLE) is the value you expect to lose each time a risk
occurs. You calculate SLE by using the following formula: SLE = AV x EF
Annual loss expectancy (ALE) is the value you expect to lose to a given risk
each year. You calculate ALE by using the following formula: ALE = SLE x
ARO
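The two formulas above carried through on a small constructed risk register, as an added example (not code from the presentation or from SensePost's tool): each risk holds its AV, EF and ARO, the methods compute SLE and ALE exactly as defined, and the register is then ranked by ALE. The figures and risk names are invented for illustration; the point the ranking makes is that a frequent small loss and a rare large loss can end up with comparable annual expectancy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantifiedRisk:
    """One risk expressed with the three inputs of the SLE/ALE formulas."""
    name: str
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    annual_rate: float      # ARO: expected occurrences per year (0.02 = once in 50 years)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


def rank_by_ale(risks):
    """Order risks by annual loss, highest first, so effort goes where expected loss is largest."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample figures for a hypothetical organisation (not from the presentation).
SAMPLE_RISKS = [
    QuantifiedRisk("Web site defacement", asset_value=80_000, exposure_factor=0.25, annual_rate=2.0),
    QuantifiedRisk("Data centre fire", asset_value=6_000_000, exposure_factor=0.5, annual_rate=0.02),
    QuantifiedRisk("Laptop theft", asset_value=3_000, exposure_factor=1.0, annual_rate=12.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:<22} SLE={r.sle():>12,.0f}  ALE={r.ale():>10,.0f}")
```

With these inputs the fire has by far the largest SLE (3,000,000) but, at one occurrence in fifty years, an ALE of 60,000; the defacement (SLE 20,000, twice a year) gives 40,000 and laptop theft (SLE 3,000, monthly) 36,000, so all three sit in the same band once annualised.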
Microsoft says:
Provides a consistent methodology for objectively identifying and evaluating
threats to applications.
Translates technical risk to business impact.
Empowers a business to manage risk.
Creates awareness among teams of security dependencies and assumptions.
Step 1: Identify security objectives.
Clear objectives help you to focus the threat modeling activity and determine
how much effort to spend on subsequent steps.
Step 2: Create an application overview.
Itemizing your application's important characteristics and actors helps you to
identify relevant threats during step 4.
Step 3: Decompose your application.
A detailed understanding of the mechanics of your application makes it easier
for you to uncover more relevant and more detailed threats.
Step 4: Identify threats.
Use details from steps 2 and 3 to identify threats relevant to your application
scenario and context.
Step 5: Identify vulnerabilities.
Review the layers of your application to identify weaknesses related to your
threats. Use vulnerability categories to help you focus on those areas where
mistakes are most often made.
Would prefer to use a diagram here
Define Locations, Interfaces and Users (Trust Levels), but not “assets”, as organizations are too complex
Create a map showing how Locations, Users and Interfaces relate
Users are restricted to locations
Interfaces are exposed to locations
Risks are gleaned from three sources
Analyst Experience
Organizational History
Group Brainstorming
Each Risk has key elements
Likelihood
Impact
Use an iterative process to describe the Risk, apply it to an Interface, then refine as required
A new Risk is added if:
Likelihood or Impact differs
The required defense is likely to differ
This creates a Threat Vector
Directly linked:
What Interfaces could this Risk Impact?
Indirectly linked:
What Trust Level is required?
At which location would such Users be found?
The Threat Vector therefore becomes a 4-Tuple
Risk, Interface, Location, User
A many-to-many relation means the number of Threat Vectors scales linearly
Tests could be any of
Focused Technical Tests
E.g. Penetration Test
Sample Data
Drawn from existing monitoring systems e.g. Incident Logs or previous assessments
Interviews
Conducted with relevant individuals or teams
Policy and procedure reviews
Research
Drawing on external sources
The more tests are conducted, the more certainty we have
However, the most ‘efficient’ tests are easily calculated by considering the Weights of all the Threat Vectors impacted
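A toy implementation of the model described in the last few slides, added here as an example and not code from SensePost's Corporate Threat Modeller: Users are restricted to Locations, Interfaces are exposed to Locations, each Risk is linked directly to Interfaces and indirectly to a required Trust Level, and expanding those relations yields the (Risk, Interface, Location, User) 4-tuples. The slides do not define how a Threat Vector's Weight is computed, so weight = likelihood × impact is an assumption made here, as is the rule that any User holding at least the required trust level can realise the Risk. Each candidate Test is scored by summing the Weights of the Threat Vectors it would exercise, which is the "efficient tests" calculation the slide refers to. The organisation, risks and tests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    trust_level: int          # higher means more trusted (constructed scale)
    locations: frozenset      # Users are restricted to Locations


@dataclass(frozen=True)
class Interface:
    name: str
    exposed_to: frozenset     # Interfaces are exposed to Locations


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (frequent), constructed scale
    impact: int               # 1 (minor) .. 5 (severe), constructed scale
    required_trust: int       # assumption: minimum trust level needed to realise the risk
    interfaces: frozenset     # direct link: Interfaces this Risk could impact


@dataclass(frozen=True)
class ThreatVector:
    risk: str
    interface: str
    location: str
    user: str
    weight: int               # assumption: likelihood x impact


def derive_threat_vectors(risks, interfaces, users):
    """Expand each Risk into its 4-tuples (Risk, Interface, Location, User)."""
    by_name = {i.name: i for i in interfaces}
    vectors = []
    for risk in risks:
        for iface_name in sorted(risk.interfaces):          # directly linked Interfaces
            iface = by_name[iface_name]
            for user in users:
                if user.trust_level < risk.required_trust:  # indirect link: Trust Level required
                    continue
                # indirect link: Locations where such a User is found AND the Interface is exposed
                for location in sorted(user.locations & iface.exposed_to):
                    vectors.append(ThreatVector(risk.name, iface.name, location, user.name,
                                                risk.likelihood * risk.impact))
    return vectors


@dataclass(frozen=True)
class Test:
    """A candidate test (pen test, interview, log review...) and the Interfaces/Locations it exercises."""
    name: str
    interfaces: Optional[frozenset] = None   # None means any Interface
    locations: Optional[frozenset] = None    # None means any Location

    def covers(self, v: ThreatVector) -> bool:
        return ((self.interfaces is None or v.interface in self.interfaces)
                and (self.locations is None or v.location in self.locations))


def rank_tests(tests, vectors):
    """Score each Test by the total Weight of the Threat Vectors it impacts, highest first."""
    scored = [(sum(v.weight for v in vectors if t.covers(v)), t.name) for t in tests]
    return sorted(scored, key=lambda s: s[0], reverse=True)


def build_sample_model():
    """Constructed organisation: three Locations, three Users, three Interfaces, three Risks."""
    users = [
        User("Anonymous", 0, frozenset({"Internet"})),
        User("Employee", 1, frozenset({"Internet", "Office LAN"})),      # remote access assumed
        User("Sysadmin", 2, frozenset({"Office LAN", "Data centre"})),
    ]
    interfaces = [
        Interface("Customer web portal", frozenset({"Internet", "Office LAN"})),
        Interface("HR application", frozenset({"Office LAN"})),
        Interface("Server management console", frozenset({"Data centre"})),
    ]
    risks = [
        Risk("Web application compromise", 4, 3, 0, frozenset({"Customer web portal"})),
        Risk("Unauthorised access to HR records", 2, 4, 1, frozenset({"HR application"})),
        Risk("Abuse of management console", 1, 5, 2, frozenset({"Server management console"})),
    ]
    return risks, interfaces, users


def sample_tests():
    return [
        Test("External penetration test (Internet)", locations=frozenset({"Internet"})),
        Test("Internal penetration test (office LAN)", locations=frozenset({"Office LAN"})),
        Test("Sysadmin interview", interfaces=frozenset({"Server management console"})),
    ]


if __name__ == "__main__":
    risks, interfaces, users = build_sample_model()
    vectors = derive_threat_vectors(risks, interfaces, users)
    for v in vectors:
        print(f"{v.weight:>3}  {v.risk} / {v.interface} / {v.location} / {v.user}")
    for score, name in rank_tests(sample_tests(), vectors):
        print(f"{score:>3}  {name}")
```

Running this on the constructed model produces seven Threat Vectors: the web compromise reaches the portal from the Internet (Anonymous, Employee) and from the office LAN (Employee, Sysadmin), the HR risk needs an Employee-level user on the office LAN, and the console risk exists only for a Sysadmin in the data centre. The office-LAN test scores highest because it touches both the portal and HR vectors, which is the kind of comparison that tells an analyst where the next unit of testing effort reduces the most uncertainty.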