1ICT

Threat modellingA short introduction and stories from end user

involvement

SRM Seminar Luxembourg 22.06.2010

Per Håkon Meland - SINTEF ICT, Trondheim, Norwayhttp://www.sintef.com/

2ICT

Motivation and background

3ICT

Hospital systems (2005 ) Integration and access control of

EPRs Models used to communicate

processes and threats

5ICT

SHIELDSDevelopers, security expertsand thewider community

SHIELDS SVRS and community site

Community site

Web interface

SVRS

Web interfaceMachine interface

User credentials Repository storage

Web

-Bro

wse

r

Develop

ment

and

mod

ellingtools

EU project 2008-2010 8 partners

Sharing of security knowledge Models Methods Tools and tool input

End user evaluations Sevaral iterations Real end-users Case studies and commercial

products

7ICT

Threat modelling

9ICT

Threat modelling Misuse cases and attack

trees Understand potential security

threats and vulnerabilities Understand attackers Find security design issues

before code Determine countermeasures Guide the code review

/testing/configuration /deployment

Highly reusable

Easy to grasp

10ICT

Example: Media player

11ICT

Xin

e m

edia

pla

yer

12ICT

Let’s create a model from scratch…

13ICT

Main functionality: Download data (application, codecs,

skins, ...) Play local media file Play media stream

Actors: Software developer User

14ICT

15ICT

16ICT

How about reusing one?

17ICT

Search for existing misuse case diagrams: “Media”, “player”, “Movie”

18ICT

19ICT

Attack trees

20ICT

Hide the details Link to attack

patterns Used to identify

mitigations

21ICT

Finally…

22ICT

Create textual description to accompany the diagram

A document elaborating the diagram

Threat descriptions can be fetched from the SHIELDS SVRS

Gives an understanding of the possible attacker motivation

There can be several different mitigations

Input to risk analysis and security activity planning

26ICT

Case study: eTourism

27ICT

Approach

1:Applicationdescription

2:Threat model created

by experts

3:Threatmodel createdby developers

4:Model consolidatedby experts

5:Threat model updatedby developers

6:Threat model endorsed

by experts

Phase 2: Parallel modelling Phase 3: Serial modelling

Phase 1: Tutorial

28ICT

Pre-visit, plan: Hotels Route Experiences Virtually explore

Post-visit, share Pictures/videos Route Recommendations Blog

Bad stuff?

29ICT

Case study: WaLDo

30ICT

Warehouse information system Dock loading RFID tracking Picking lists Advanced shipping notifications

Bad stuff?

31ICT

32ICT

Case study: eNewsPaper

33ICT

Electronic newspaper Aimed for the Paris metro Shared from distribution points User relays

Bad stuff?

User SystemDistribution Point

User SystemUser System

34ICT

35ICT

Feedback and lessons learned

New threats and mitigations were identified in all case studies

Misuse cases and attack trees: Easy to learn, easy to use

Important with diversity while doing threat modelling

Keep the size of the models down

Need more models from other application areas

36ICT

Share models through the SVRS!

Now contains >200 free security models

18 misuse case models

29 attack trees

Use the free tools, or integrate your own

Add your own, get feedback (and possibly revenue)

http://www.shields-project.eu