SlideShare uma empresa Scribd logo

Threat_Modelling.pdf

M
MarlboroAbyad

This document summarizes a presentation on threat modeling for web application deployment. The presentation introduces threat modeling and provides a real-world example of threat modeling an e-commerce site. Key steps in the threat modeling methodology include information gathering, analysis of users, assets, and threats, and defining mitigation strategies. The example analyzes threats to an online store's users, entry points, and remaining assets, and defines mitigation strategies like restricting access, reducing the attack surface, and securing the application and database.

Educação
1 de 48
Baixar para ler offline
Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone)
Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions
Who Am I? • Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view. • Author of ModSecurity, an open source web application firewall/IDS. • Author of Apache Security (O'Reilly) • Founder of Thinking Stone, a web security company.
State of Web Security • It is a difficult job – web deployments consist of many different systems. • Most decisions are made ad-hoc. • Assumptions under which defence is designed are rarely challenged. • Consequently, many systems are not adequately protected. • We are in need of methodology that will help us design secure systems. • Threat Modelling can do this.
Threat Modelling 1. Introduction To Threat Modelling
Threat Modelling • Threat modelling is a semi-formal technique that is used to understand threats against your system. • It is a hot, fashionable, buzzword! • But it is genuinely useful and does not have to be difficult. • Not rocket science.
Key Questions • Where does your system live? • What do you have to protect? • Who are your users? • Who are your adversaries? • What are your weak points? • What can you do to mitigate the threats?
Threat Modelling Advantage Thinking like the adversary! (What is wrong in this system and how can I exploit it?)
Who Should Practice It? • Everyone! – Developers. – System Administrators. – System Architects. – Consultants.
What Is It Good For? • Planning. • Testing (especially penetration testing). • Training – my favourite. • Security improvement. – It is never too late to start using it. Do try to use it as early as possible – it is much safer and cheaper that way.
Scope • Full title of this talk: A lightweight threat modelling methodology for web application deployment. • Includes a mixture of the following: network security, host security, web security, application security. • Practical: 20% effort – 80% gain. (The remaining 80% of effort is mostly in details of web application security.) • At this level we treat web applications as black boxes.
Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation
Methodology Overview 1. Information Gathering • Look at existing documents. • Interview stakeholders. • Inspect system. • Understand system. 2. Analysis 3. Mitigation
Methodology Overview 1. Information Gathering 2. Analysis • User roles and usage scenarios. • Components and trust boundaries. • Assets and attacker motivation. • Entry points, exit points, data flow. • Weaknesses and threats. 3. Mitigation
Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation • Establish budget. • Rank treats (fuzzy) - use a model that works for you. • Decide what to do with the threats.
Analysis: Stepping Stones • Algorithm: 1. Pretend you are the adversary. 2. Look at the exposed parts. 3. Find ways to subvert them. 4. Find ways to use the resources available to you to get to the inner layers. 5. Repeat until you grab the asset! • Also known as Attack Trees.
Mitigation: Choices • Ignore risk. (Popular choice!) • Mitigate risk. – Intrusions are expensive – Security is expensive – What can you afford? • Accept risk.
Mitigation: Strategies • Remove entry points (attack vectors). • Reduce attack surface. • Compartmentalise. • Practice the principle of least privilege. • Fail safely.
Tips & Tricks • Do not attempt to do too much - you might get lost. Branch out sub-models to cope with complexity, or work in iterations. • Most web applications are similar - develop a library of reusable threat models. • Start from scratch and assume nothing; mitigating the most obvious threats will result in foolproof operational procedures.
Threat Modelling 2. Real-world Example
Overview • E-commerce operation: – Web site (CMS-powered) – Online store • Two servers: – Application server – Database server
Physical Security • Servers are collocated with a hosting company: – Restricted physical access – Biometrics at the entrance – Equipment in own locked cage • Good, physical security is out of the scope of this talk anyway.
System Users (1) • Customers (public). • Store administration staff. • Marketing department. • Developers. • System administrators.
System Users (2) Developers System administrators Customers Store administration Marketing department ? ? ? ? Services
System Users (3) Developers (manage application, maintain and backup database): 2 System administrators (manage servers): 2 SSH (22) SSH (22), FTP (20, 21), MYSQL (3306) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Apache (80) SSH FTP MYSQL APACHE Services
System Users (4) • Threat: possible password and data compromise through the use of plain- text communication protocols. • Mitigation: Disallow plain-text protocols: – Shopping in the store – Administrative interfaces (Store, CMS) – Database access
System Users (5) Developers (manage application, maintain and backup database): 2 System administrators (manage servers): 2 SSH (22) SSH (22), SFTP (115), MYSQL+SSL (3306) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Apache (80), Apache+SSL (443) SSH SFTP MYSQL APACHE Services
Entry Points (1) • On the network level, each service represents one entry point. • Implement firewall restrictions to allow only what is absolutely necessary: – External firewall (hosting company). – Host firewalls (iptables on Linux). – Leave no trust between two internal servers either, only let port 3306 through.
Entry Points (2) • Threat: possible compromise through vulnerabilities in Apache, SFTPD, SSHD, and MySQL. • Mitigation: Prevent access to non- essential services (SFTPD, SSHD, MySQL). • Option: buy an expensive hardware firewall.
What the Public Now Sees (1) Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE Store Store Admin CMS Admin Web Site Two of four services are not needed to be accessed by the public. But the firewall cannot do any better than this.
Web Site Attack Surface Reduction (1) Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE Store Store Admin CMS Admin Using Apache access control to allow access only to a small subset of IP addresses
Attack Surface Reduction (2) APACHE1 Store Web Site APACHE2 Store Admin CMS Admin APACHE Store Store Admin CMS Admin Web Site 192.168.0.1 192.168.0.2 192.168.0.1 Services split to two IP addresses. We can now use the firewall again. Attack surface reduction
Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE1 Store Web Site What the Public Now Sees (2)
Entry Points (4) • Threat: possible compromise through vulnerabilities in Apache. • Mitigation: Keep Apache up-to-date: – Automated patching (use binary Apache) – Manual patching (build Apache from source)
Entry Points (5) • Threat: possible compromise through Apache misconfiguration. • Mitigation: Configuration management. • Mitigation: Regular independent configuration assessments.
Entry Points (6) • Threat: possible compromise through unmitigated Apache problems. • Mitigation: Put Apache in jail. • Mitigation: Implement integrity validation. • Mitigation: Implement kernel patches (e.g. grsecurity).
Remaining Assets (1) • Threat: Adversary accesses the credit card database. • Mitigation: Do not store credit cards online, or store them using public-key encryption. (We lowered the value of the asset.) • Mitigation: Document policy on the web site.
Remaining Assets (2) • Threat: Source code stolen. • Mitigation: Do not keep the source code online, compile PHP pages before uploading. (Again, we lowered the value of the asset.)
Threat That Remains… • Threat: Compromise through a vulnerability of the application. • This opens a door to a new threat modelling sub-model: web application security. • Mitigate from the outside. Treat the application as a black box, and look where action gets out.
Web Application Model Web Client Web Server Application Database Server File system SQL Injection Cross-site Scripting Input Validation Error File Disclosure Command Execution R W X Privilege Escalation
Security Categories • Data validation and transformation • Authentication and authorisation • Sensitive data transport and storage • Session management • Fault management • Auditing and logging
Fix Filesystem Permissions • Do not allow read access – prevents file disclosure. • Do not allow write access – prevents privilege escalation. • Do not have binaries or a compiler around – prevents command execution.
Screen System Boundaries • If you can’t fix the application focus on libraries that interact with external systems. • Screen database queries. • Screen external command execution. • Screen file system operations.
Examine Attack Paths Customers Apache 1 Database Server Apache 2 Web site CMS Admin Store Admin Staff Store All paths lead to the database, which is used by all four applications! Two web servers are isolated from each other to contain intrusion.
Central Database Mitigation • Have four database accounts, each with different access level. • Or, deploy a separate database engine for the CMS application (web site).
Final Mitigation Activities… • Know when you are compromised – Activity monitoring – Integrity Validation – Intrusion Detection • Have off-site backups and disaster recovery procedures!
Where To Go From Here • Chapter 3 of “Improving Web Application Security: Threats and Countermeasures” (free download). • Chapter 4 of “Writing Secure Code”. • If you are a programmer, read “Threat Modeling”. • Use the free threat modelling tool from Microsoft. • More here: http://www.modsecurity.org/blog/ archives/2006/01/threat_modellin.html
Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/

Recomendados

CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surface
Security Innovation
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 

Recomendados

CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surface
Security Innovation
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
Tomppa Järvinen
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
M Mehdi Ahmadian
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
Ravikumar Paghdal
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
Bassam Al-Khatib
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
IBM Security
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
C days2015
C days2015C days2015
C days2015
Nuno Loureiro
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
Karun Chennuri
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
Alert Logic
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
Lumension
 
The Road to SaaS
The Road to SaaSThe Road to SaaS
The Road to SaaS
Victor Ionescu
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
Poh-Sun Goh
 

Mais conteúdo relacionado

Semelhante a Threat_Modelling.pdf

Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
 

Semelhante a Threat_Modelling.pdf (20)

Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
 
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advance...
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
C days2015
C days2015C days2015
C days2015
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
The Road to SaaS
The Road to SaaSThe Road to SaaS
The Road to SaaS
 

Último

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 

Último (20)

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 

Threat_Modelling.pdf

  • 1. Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone)
  • 2. Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions
  • 3. Who Am I? • Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view. • Author of ModSecurity, an open source web application firewall/IDS. • Author of Apache Security (O'Reilly) • Founder of Thinking Stone, a web security company.
  • 4. State of Web Security • It is a difficult job – web deployments consist of many different systems. • Most decisions are made ad-hoc. • Assumptions under which defence is designed are rarely challenged. • Consequently, many systems are not adequately protected. • We are in need of methodology that will help us design secure systems. • Threat Modelling can do this.
  • 5. Threat Modelling 1. Introduction To Threat Modelling
  • 6. Threat Modelling • Threat modelling is a semi-formal technique that is used to understand threats against your system. • It is a hot, fashionable, buzzword! • But it is genuinely useful and does not have to be difficult. • Not rocket science.
  • 7. Key Questions • Where does your system live? • What do you have to protect? • Who are your users? • Who are your adversaries? • What are your weak points? • What can you do to mitigate the threats?
  • 8. Threat Modelling Advantage Thinking like the adversary! (What is wrong in this system and how can I exploit it?)
  • 9. Who Should Practice It? • Everyone! – Developers. – System Administrators. – System Architects. – Consultants.
  • 10. What Is It Good For? • Planning. • Testing (especially penetration testing). • Training – my favourite. • Security improvement. – It is never too late to start using it. Do try to use it as early as possible – it is much safer and cheaper that way.
  • 11. Scope • Full title of this talk: A lightweight threat modelling methodology for web application deployment. • Includes a mixture of the following: network security, host security, web security, application security. • Practical: 20% effort – 80% gain. (The remaining 80% of effort is mostly in details of web application security.) • At this level we treat web applications as black boxes.
  • 12. Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation
  • 13. Methodology Overview 1. Information Gathering • Look at existing documents. • Interview stakeholders. • Inspect system. • Understand system. 2. Analysis 3. Mitigation
  • 14. Methodology Overview 1. Information Gathering 2. Analysis • User roles and usage scenarios. • Components and trust boundaries. • Assets and attacker motivation. • Entry points, exit points, data flow. • Weaknesses and threats. 3. Mitigation
  • 15. Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation • Establish budget. • Rank treats (fuzzy) - use a model that works for you. • Decide what to do with the threats.
  • 16. Analysis: Stepping Stones • Algorithm: 1. Pretend you are the adversary. 2. Look at the exposed parts. 3. Find ways to subvert them. 4. Find ways to use the resources available to you to get to the inner layers. 5. Repeat until you grab the asset! • Also known as Attack Trees.
  • 17. Mitigation: Choices • Ignore risk. (Popular choice!) • Mitigate risk. – Intrusions are expensive – Security is expensive – What can you afford? • Accept risk.
  • 18. Mitigation: Strategies • Remove entry points (attack vectors). • Reduce attack surface. • Compartmentalise. • Practice the principle of least privilege. • Fail safely.
  • 19. Tips & Tricks • Do not attempt to do too much - you might get lost. Branch out sub-models to cope with complexity, or work in iterations. • Most web applications are similar - develop a library of reusable threat models. • Start from scratch and assume nothing; mitigating the most obvious threats will result in foolproof operational procedures.
  • 21. Overview • E-commerce operation: – Web site (CMS-powered) – Online store • Two servers: – Application server – Database server
  • 22. Physical Security • Servers are collocated with a hosting company: – Restricted physical access – Biometrics at the entrance – Equipment in own locked cage • Good, physical security is out of the scope of this talk anyway.
  • 23. System Users (1) • Customers (public). • Store administration staff. • Marketing department. • Developers. • System administrators.
  • 24. System Users (2) Developers System administrators Customers Store administration Marketing department ? ? ? ? Services
  • 25. System Users (3) Developers (manage application, maintain and backup database): 2 System administrators (manage servers): 2 SSH (22) SSH (22), FTP (20, 21), MYSQL (3306) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Apache (80) SSH FTP MYSQL APACHE Services
  • 26. System Users (4) • Threat: possible password and data compromise through the use of plain- text communication protocols. • Mitigation: Disallow plain-text protocols: – Shopping in the store – Administrative interfaces (Store, CMS) – Database access
  • 27. System Users (5) Developers (manage application, maintain and backup database): 2 System administrators (manage servers): 2 SSH (22) SSH (22), SFTP (115), MYSQL+SSL (3306) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Apache (80), Apache+SSL (443) SSH SFTP MYSQL APACHE Services
  • 28. Entry Points (1) • On the network level, each service represents one entry point. • Implement firewall restrictions to allow only what is absolutely necessary: – External firewall (hosting company). – Host firewalls (iptables on Linux). – Leave no trust between two internal servers either, only let port 3306 through.
  • 29. Entry Points (2) • Threat: possible compromise through vulnerabilities in Apache, SFTPD, SSHD, and MySQL. • Mitigation: Prevent access to non- essential services (SFTPD, SSHD, MySQL). • Option: buy an expensive hardware firewall.
  • 30. What the Public Now Sees (1) Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE Store Store Admin CMS Admin Web Site Two of four services are not needed to be accessed by the public. But the firewall cannot do any better than this.
  • 31. Web Site Attack Surface Reduction (1) Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE Store Store Admin CMS Admin Using Apache access control to allow access only to a small subset of IP addresses
  • 32. Attack Surface Reduction (2) APACHE1 Store Web Site APACHE2 Store Admin CMS Admin APACHE Store Store Admin CMS Admin Web Site 192.168.0.1 192.168.0.2 192.168.0.1 Services split to two IP addresses. We can now use the firewall again. Attack surface reduction
  • 33. Public (browse web site, buy stuff): 1 BILLION Apache (80), Apache+SSL (443) APACHE1 Store Web Site What the Public Now Sees (2)
  • 34. Entry Points (4) • Threat: possible compromise through vulnerabilities in Apache. • Mitigation: Keep Apache up-to-date: – Automated patching (use binary Apache) – Manual patching (build Apache from source)
  • 35. Entry Points (5) • Threat: possible compromise through Apache misconfiguration. • Mitigation: Configuration management. • Mitigation: Regular independent configuration assessments.
  • 36. Entry Points (6) • Threat: possible compromise through unmitigated Apache problems. • Mitigation: Put Apache in jail. • Mitigation: Implement integrity validation. • Mitigation: Implement kernel patches (e.g. grsecurity).
  • 37. Remaining Assets (1) • Threat: Adversary accesses the credit card database. • Mitigation: Do not store credit cards online, or store them using public-key encryption. (We lowered the value of the asset.) • Mitigation: Document policy on the web site.
  • 38. Remaining Assets (2) • Threat: Source code stolen. • Mitigation: Do not keep the source code online, compile PHP pages before uploading. (Again, we lowered the value of the asset.)
  • 39. Threat That Remains… • Threat: Compromise through a vulnerability of the application. • This opens a door to a new threat modelling sub-model: web application security. • Mitigate from the outside. Treat the application as a black box, and look where action gets out.
  • 40. Web Application Model Web Client Web Server Application Database Server File system SQL Injection Cross-site Scripting Input Validation Error File Disclosure Command Execution R W X Privilege Escalation
  • 41. Security Categories • Data validation and transformation • Authentication and authorisation • Sensitive data transport and storage • Session management • Fault management • Auditing and logging
  • 42. Fix Filesystem Permissions • Do not allow read access – prevents file disclosure. • Do not allow write access – prevents privilege escalation. • Do not have binaries or a compiler around – prevents command execution.
  • 43. Screen System Boundaries • If you can’t fix the application focus on libraries that interact with external systems. • Screen database queries. • Screen external command execution. • Screen file system operations.
  • 44. Examine Attack Paths Customers Apache 1 Database Server Apache 2 Web site CMS Admin Store Admin Staff Store All paths lead to the database, which is used by all four applications! Two web servers are isolated from each other to contain intrusion.
  • 45. Central Database Mitigation • Have four database accounts, each with different access level. • Or, deploy a separate database engine for the CMS application (web site).
  • 46. Final Mitigation Activities… • Know when you are compromised – Activity monitoring – Integrity Validation – Intrusion Detection • Have off-site backups and disaster recovery procedures!
  • 47. Where To Go From Here • Chapter 3 of “Improving Web Application Security: Threats and Countermeasures” (free download). • Chapter 4 of “Writing Secure Code”. • If you are a programmer, read “Threat Modeling”. • Use the free threat modelling tool from Microsoft. • More here: http://www.modsecurity.org/blog/ archives/2006/01/threat_modellin.html
  • 48. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/