Threat Modeling 101
•
1 like•9,855 views
Security is a large topic and so full of jargon that it can be hard to know where to get started when thinking about it. Threat Modeling gives you a framework to help you start building security policies. In this talk, Dan Hardiker, CTO at Adaptavist, will cover what a security model is, when and why it's useful, what its main components are (assets, actors, and vectors), and how they interact. We'll build a basic threat model, enable you to apply these to your systems, and give you references for further learning.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Threat Modeling 101
Similar to Threat Modeling 101 (20)
More from Atlassian
More from Atlassian (20)
Recently uploaded
Recently uploaded (20)
Threat Modeling 101
- 1. Threat Modeling 101 Safety First DAN HARDIKER | CTO | @ADAPTAVIST | @DHARDIKER
- 7. What is Security about?
- 9. STORYTELLING
- 10. KEY CONCEPTS
- 11. KEY CONCEPTS
- 12. KEY CONCEPTS
- 14. ‣ Confidentiality ‣ Integrity KEY CONCEPTS
- 15. ‣ Confidentiality ‣ Integrity ‣ Availability KEY CONCEPTS
- 16. ‣ Confidentiality ‣ Integrity ‣ Availability KEY CONCEPTS https://www.pinterest.co.uk/pin/256423772505109414/
- 21. ASSETS
- 22. ASSETS
- 23. ASSETS
- 24. ASSETS
- 25. ASSETS
- 26. ASSETS
- 27. ASSETS
- 28. ATTACKERS
- 33. ATTACK VECTORS
- 34. ATTACK VECTORS
- 35. ATTACK VECTORS
- 36. ATTACK VECTORS
- 37. ATTACK VECTORS
- 38. ATTACK VECTORS
- 39. ATTACK VECTORS
- 40. ATTACK VECTORS
- 41. ATTACK VECTORS
- 42. The consideration of unwanted access to assets by attackers using attack vectors. THREAT MAP
- 44. Bruce Wayne / Batman’s Threat Model
- 45. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED
- 46. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER
- 47. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 48. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 49. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 50. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 51. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 52. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 53. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 54. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION
- 55. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION HIDE LOCATION
- 56. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION HIDE LOCATION SECURITY SYSTEM
- 57. My First Models Generic / Server / Cloud
- 59. GENERIC ORGANISATION DIGITAL ASSETS PHYSICAL ASSETS
- 60. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS DOCUMENTS
- 61. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS DOCUMENTS LAPTOPS SERVERS PHONES
- 62. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES
- 63. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE)
- 64. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) VULNERABILITY SCANNERS
- 65. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) WEB CRAWLERS VULNERABILITY SCANNERS
- 66. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) WEB CRAWLERS VULNERABILITY SCANNERS
- 67. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS
- 68. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES
- 69. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES
- 70. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE
- 71. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING
- 72. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING RANSOMWARE
- 73. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING RANSOMWARE BOTNETS
- 74. SERVER APP
- 78. SERVER APP ASSETS VERSION CONTROL CI / CD RELEASE REPOSITORY
- 79. SERVER APP ASSETS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 80. SERVER APP ASSETS ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 81. SERVER APP ASSETS @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 82. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 83. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 84. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY MALWARE PAYLOAD
- 85. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES DATA HARVESTING @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY MALWARE PAYLOAD
- 86. CLOUD APP
- 87. CLOUD APP ASSETS
- 88. CLOUD APP ASSETS INFRA AS CODE PIPELINE
- 89. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE
- 90. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES
- 91. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES EXECUTION ENVIRONMENTS
- 92. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 93. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE BACKUPS / DRDATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 94. CLOUD APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES DATA HARVESTING ARTIFACT REPOSITORIES MALWARE PAYLOAD INFRA AS CODE PIPELINE BACKUPS / DRDATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 95. If you only remember 3 things … … things I said while you were sleeping
- 96. 3 THINGS TO REMEMBER
- 97. 1. Security is not an after thought. It’s Job Zero! 3 THINGS TO REMEMBER
- 98. 1. Security is not an after thought. It’s Job Zero! 2. Threat Model as part of User Stories. 3 THINGS TO REMEMBER
- 99. 1. Security is not an after thought. It’s Job Zero! 2. Threat Model as part of User Stories. 3. Ignorant humans are your biggest threat. 3 THINGS TO REMEMBER
- 102. ‣ Ars Technica ‣ Schneier on Security ‣ The Hacker News ‣ OWASP FURTHER READING
- 105. DAN HARDIKER | CTO | @ADAPTAVIST | @DHARDIKER Thank you!