Threat Modeling and Risk Management


John R. Durrett
January 2003
Primarily from Building Secure Servers with Linux (Bauer, ISBN 0596002173)
and Secrets and Lies (Schneier, ISBN 0471253111)
Outline
― Systems
― Making completely secure servers
― Threats
― Risks
― Goals
― Motives
― Vulnerabilities
― Risk Analysis
― Attack Trees
― Defenses
Systems
― Complex
― Interact with other systems
― Have emergent properties that their designers did not intend
― Have bugs
Systems & Security
― Usual coping mechanism is to ignore the problem: wrong
― Security is a system within a larger system
― Security theory vs. security practice
  - Real-world systems do not lend themselves to theoretical solutions
― Must look at the entire system and how security affects it
The Landscape
― Secure from whom?
― Secure against what?
― Never black & white
― Context matters more than technology
― "Secure" is meaningless out of context
Completely Secure Servers
― Disconnect it from the network
― Power it down
― Wipe & degauss memory & hard drive
― Pulverize it to dust
Anything short of that requires:
― Threat modeling
― Risk management
Threats
― Attacks are exceptions
― Digital threats mirror physical ones
― Will become more common, more widespread, and harder to catch due to:
  - Automation
  - Action at a distance
  - Technique propagation
― On the network, every two points are adjacent
Threats
― All types of attackers
― All present some type of threat
― Impossible to anticipate
  - all attacks, or
  - all types of attackers, or
  - all avenues of attack
― Point is not to prevent all but to "think about and analyze threats with greater depth and to take reasonable steps to prevent…"
Attacks
― Criminal
  - Fraud: prolific on the Internet
  - Destructive attacks, intellectual property theft
  - Identity theft, brand theft
― Privacy: less and less available
  - People do not own their own data
  - Surveillance, databases, traffic analysis
  - Echelon, Carnivore
― Publicity & denial of service
― Legal
Risk Analysis
"The identification and evaluation of the most likely permutation of assets, known and anticipated vulnerabilities, and known and anticipated types of attackers."
Assets
― What are you trying to protect?
― Why is it being protected?
― Risk to other systems on the network
― Data
  - Tampering vs. stealing
  - Liability
Security Goals #1
― Privacy? Anonymity?
― Authentication
― Data confidentiality
  - End-user data
  - Ramifications of disclosure
― Data integrity
  - Secure transmission (the misattributed "Vonnegut MIT commencement speech" e-mail)
  - Secure servers (/etc)
  - Software developer
Security Goals #2
― System integrity
  - Is the system being used as intended?
  - Trust relationships
  - Executables (rootkits)
― System / network availability
  - Cyber-vandals
  - DoS: all but impossible to prevent
― Security through obscurity?
Attackers
― Categorize by objective, access, resources, expertise, and risk
― Hackers
  - Galileo, Marie Curie
― Lone criminals, insiders, espionage, press, organized crime, terrorists, business competitors
Motives
― Same motives as "real-life" criminals
― Financial motives
  - Credit cards
  - The Cuckoo's Egg
― Political motives
― Personal / psychological motives
Motives
― Honeypot: "to learn tools, tactics and motives of blackhat community"
― Script kiddies
  - Canned exploits in Perl or shell scripts
  - Still a major threat
― Knowing motives helps predict the attack
― Degrees of motivation
  - Automated tools
  - Hardened systems vs. easy kills
Steps in an Attack
1. Identify target & collect information
2. Find vulnerability in target
3. Gain appropriate access to target
4. Perform the attack
5. Complete attack, remove evidence, ensure future access
After you get root
1. Remove traces of root compromise
2. Gather information about system
3. Make sure you can get back in
4. Disable or patch vulnerability
Vulnerability Landscape
― Physical world
  - Laptops
― Virtual world
― Trust model
― System life cycle
Vulnerabilities
― Only potential until someone figures out how to exploit them
― Need to identify and address:
  - Those that apply now and must be mitigated now
  - Those likely to apply and must be planned against
  - Those that seem unlikely and/or are easy to mitigate
Simple Risk Analysis: ALEs
― Correlate & quantify assets + vulnerabilities + attackers
― Annualized Loss Expectancy for each vulnerability associated with each asset
― Single loss cost × expected annual occurrences = ALE
― Compare against the cost to prevent
ALE
― Strengths
  - Simplicity (the PHB will like it), flexibility
― Weakness
  - Very subjective
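The ALE arithmetic above, carried through as a small worked analysis. This is an added example, not code from the slides or from either book; the assets, loss figures, occurrence rates and countermeasure costs are constructed for illustration and are exactly the kind of subjective inputs the "Weakness" bullet warns about. The one extension beyond the slide is the countermeasure side: a control is modelled as removing some fraction of the annual occurrence rate, so the saving it buys can be compared with its own annual cost.

```python
"""Annualized Loss Expectancy (ALE) risk analysis.

ALE = single loss expectancy (SLE, cost of one incident)
      x annualized rate of occurrence (ARO, expected incidents per year)

A countermeasure is worth buying when the ALE it removes exceeds its
own annual cost.  All figures below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    vulnerability: str
    sle: float          # cost of a single loss, in dollars
    aro: float          # expected occurrences per year (may be < 1)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float      # licence, labour, hardware amortised per year
    aro_reduction: float    # fraction of ARO removed; 1.0 prevents it entirely


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is in place."""
    return risk.sle * risk.aro * (1.0 - cm.aro_reduction)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual saving the countermeasure produces minus what it costs."""
    saving = risk.ale - residual_ale(risk, cm)
    return saving - cm.annual_cost


def worth_it(risk: Risk, cm: Countermeasure) -> bool:
    return net_benefit(risk, cm) > 0


def rank_risks(risks):
    """Highest ALE first: where to spend analysis time."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def evaluate(risk: Risk, cm: Countermeasure) -> dict:
    """One row of the risk register: current and residual ALE, control
    cost, and the buy / don't-buy recommendation."""
    return {
        "asset": risk.asset,
        "vulnerability": risk.vulnerability,
        "ale": risk.ale,
        "residual_ale": residual_ale(risk, cm),
        "control": cm.name,
        "control_cost": cm.annual_cost,
        "net_benefit": net_benefit(risk, cm),
        "recommend": worth_it(risk, cm),
    }


# Constructed sample data (not measured figures).
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection in web app", sle=250_000, aro=0.2),
    Risk("mail server", "open relay abused for spam", sle=5_000, aro=2.0),
    Risk("office laptops", "theft of an unencrypted disk", sle=40_000, aro=0.5),
]
SAMPLE_CONTROLS = [
    Countermeasure("code review + web application firewall", 30_000, 0.9),
    Countermeasure("24x7 outsourced monitoring of the mail server", 60_000, 1.0),
    Countermeasure("full-disk encryption on all laptops", 3_000, 0.95),
]


def plan(risks=SAMPLE_RISKS, controls=SAMPLE_CONTROLS):
    """Evaluate each (risk, proposed control) pair, most expensive risk first."""
    pairs = dict(zip((r.asset for r in risks), controls))
    return [evaluate(r, pairs[r.asset]) for r in rank_risks(risks)]


if __name__ == "__main__":
    for row in plan():
        verdict = "BUY" if row["recommend"] else "skip"
        print(f"{row['asset']:18} ALE ${row['ale']:>9,.0f} "
              f"-> ${row['residual_ale']:>8,.0f} with {row['control']} "
              f"(${row['control_cost']:,.0f}/yr): {verdict}")
```

The mail-server row is the instructive one: a control that eliminates the risk completely is still rejected, because its annual cost exceeds the ALE it removes. Change the ARO estimate for that row and the recommendation flips, which is the subjectivity the slide points at.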
Attack Trees
(Bruce Schneier)
― Visual representation of attacks against any given target
― Attack goal is the root
― Subgoals are child nodes; each leaf is a concrete attack
  - For each node, determine the subgoals necessary to achieve it
  - And the cost to achieve penetration for different types of attackers
Attack Tree Example
Steal customer data
  Obtain backup media
    Burglarize office ($10,000)
  Intercept e-mail
    Bribe admin at ISP ($5,000)
    Hack SMTP gateway ($2,000)
  Hack into server
    Hack remote user's home system ($1,000)
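The tree above, encoded so the "cost for different types of attackers" question can be answered mechanically. This is an added example, not code from the slides or from Secrets and Lies. The node names and dollar figures are the slide's; the OR/AND node kinds, the capability tags on each leaf (physical access, money, hacking skill) and the attacker profiles are assumptions added for the example. An OR node costs as much as its cheapest child, an AND node as much as all of its children together, and a leaf the attacker lacks the capabilities for costs infinity, which is how the same tree yields a different cheapest attack per attacker type.

```python
"""Attack tree with per-leaf costs and attacker capability requirements.

Tree, names and costs follow the slide example; node kinds, capability
tags and attacker profiles are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

INFINITE = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "OR"                      # "OR", "AND" or "LEAF"
    cost: float = 0.0                     # dollars; meaningful for leaves only
    needs: FrozenSet[str] = frozenset()   # capabilities the attacker must have
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node, attacker_caps: FrozenSet[str]) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest attack an attacker with
    attacker_caps can carry out under node; cost is inf if there is none."""
    if node.kind == "LEAF":
        if node.needs <= attacker_caps:
            return node.cost, [node.name]
        return INFINITE, []
    results = [cheapest(child, attacker_caps) for child in node.children]
    if node.kind == "OR":
        # any one child suffices: take the cheapest
        return min(results, key=lambda r: r[0]) if results else (INFINITE, [])
    # AND: every child is required, so costs add and one infeasible child
    # makes the whole subgoal infeasible
    total = sum(r[0] for r in results)
    if total == INFINITE:
        return INFINITE, []
    return total, [leaf for r in results for leaf in r[1]]


def render(node: Node, attacker_caps: FrozenSet[str], depth: int = 0) -> str:
    """Indented dump of the tree annotated with each node's cheapest cost."""
    cost, _ = cheapest(node, attacker_caps)
    line = "  " * depth + f"{node.name} [{node.kind}] ${cost:,.0f}"
    return "\n".join([line] + [render(c, attacker_caps, depth + 1) for c in node.children])


# The slide's example tree.  Capability tags are assumptions.
TREE = Node("Steal customer data", "OR", children=[
    Node("Obtain backup media", "OR", children=[
        Node("Burglarize office", "LEAF", 10_000, frozenset({"physical"})),
    ]),
    Node("Intercept e-mail", "OR", children=[
        Node("Bribe admin at ISP", "LEAF", 5_000, frozenset({"money"})),
        Node("Hack SMTP gateway", "LEAF", 2_000, frozenset({"hacking"})),
    ]),
    Node("Hack into server", "OR", children=[
        Node("Hack remote user's home system", "LEAF", 1_000, frozenset({"hacking"})),
    ]),
])

# Assumed attacker profiles, keyed by what each can bring to bear.
ATTACKERS = {
    "skilled outsider": frozenset({"hacking"}),
    "well-funded competitor": frozenset({"money", "physical"}),
    "script kiddie with no budget": frozenset(),
}


def cheapest_per_attacker(tree: Node = TREE, attackers=ATTACKERS) -> dict:
    """Map each attacker profile to the cheapest attack it can mount."""
    return {name: cheapest(tree, caps) for name, caps in attackers.items()}


if __name__ == "__main__":
    for name, (cost, path) in cheapest_per_attacker().items():
        print(f"{name:30} ${cost:,.0f}  via {path or 'no feasible attack'}")
    print(render(TREE, ATTACKERS["skilled outsider"]))
```

The useful output is not the $1,000 root cost for the skilled outsider but the comparison across profiles: the competitor's cheapest route is the $5,000 bribe at the ISP, so the defence that matters against that attacker is on the e-mail path, not the server.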
Defenses
― Three general means of mitigating attack risk
  - Reducing asset value to the attacker
  - Mitigating specific vulnerabilities
    ― Software patches
    ― Defensive coding
  - Neutralizing or preventing attacks
    ― Access control mechanisms
    ― Distinguish between trusted & untrusted users
Security
― Security is a process, not a product
― Weakest link in the process
― Examples of threat modeling in Secrets & Lies, chapter 19
References
― Cohen, Fred. "A Preliminary Classification Scheme for Information Security Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on that Model." Sandia National Laboratories, September 1998 (www.all.net/journal/ntb/cause-andeffect.html)
― Bauer, Michael D. "Building Secure Servers with Linux." O'Reilly, 2003