Threats, Threat Modeling and Analysis

1. Threats, Threat Modeling and Analysis 1 Super high level presentation of stuff everyone should already know who is developing applications, infrastructure, and operations! :D

2. Today’s Current Threats 2 Some mention of current threatspace and how to formulate a defense for your code and/or service.

3. The Hard Truth 2008: 285+ million records compromised 3 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf

4. The Hard Truth 91% of all compromised records were attributed to organized criminal groups 99.6% of records were compromised from servers and applications 74% resulted from external sources 4 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf

5. The Hard Truth 69% were discovered by a 3rd party 67% were aided by signiﬁcant errors 32% implicated business partners 5 http://www.verizonbusiness.com/us/products/security/risk/databreach/ http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach- investigations-supplemental-report_en_xg.pdf

6. The Hard Truth an average of $202 per compromised record 6 http://www.ponemon.org/local/upload/fckjail/generalcontent/18/ﬁle/2008-2009%20US %20Cost%20of%20Data%20Breach%20Report%20Final.pdf

7. Common Threats SANS Top Risks OWASP Top 10 for 2010 The OWASP Code Review Top 9 7 http://www.sans.org/top-cyber-security-risks/ http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9

8. SANS Application vulnerabilities Webapp attacks Slow patching 0days Not having good conﬁgs 8 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

9. SANS Mostly stuff anyone everyone here has heard about 9 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

10. Typical Targeted Attack Malware placed somewhere 10 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

11. Typical Targeted Attack Executed 11 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

12. Typical Targeted Attack HTTPS or some other common tunnel back to control console 12 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

13. Typical Targeted Attack Credential dump, keylogger, or snifﬁng for example 13 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

14. Typical Targeted Attack Escalation and looting 14 http://www.sans.org/top-cyber-security-risks Typical exploitation attack: http://www.sans.org/top-cyber-security-risks/#tutorial Step 0: Attacker places content on trusted site Step 1: Client-side exploitation Step 2: Establish reverse shell backdoor using HTTPS Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot Step 5: Pass the hash to compromise domain controller Steps 6 and 7: Exfiltration Tools make this nearly point and click easy now thanks to tools such as Metasploit and itʼs add-on modules www.metasploit.com

15. OWASP Top 10 Stands for Open Web Security Project Focused on Webapps 15 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ■ A1: Injection ■ A2: Cross-Site Scripting (XSS) ■ A3: Broken Authentication and Session Management ■ A4: Insecure Direct Object References ■ A5: Cross-Site Request Forgery (CSRF) ■ A6: Security Misconﬁguration ■ A7: Insecure Cryptographic Storage ■ A8: Failure to Restrict URL Access ■ A9: Insufﬁcient Transport Layer Protection ■ A10: Unvalidated Redirects and Forwards

16. OWASP Top 10 A1: Injection A6: Security Misconﬁguration A2: Cross-Site Scripting (XSS) A7: Insecure Cryptographic Storage A3: Broken Authentication and Session Management A8: Failure to Restrict URL Access A4: Insecure Direct Object References A9: Insufﬁcient Transport Layer Protection A5: Cross-Site Request Forgery (CSRF) A10: Unvalidated Redirects 16 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

17. The Owasp Code Review Top 9 Input validation API usage Source code design Best practices violation Information leakage and Weak Session improper error handling Management Direct object reference Using HTTP GET query strings Resource usage 17 http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9 The Nine Source Code Flaw Categories ■ Input validation ■ Source code design ■ Information leakage and improper error handling ■ Direct object reference ■ Resource usage ■ API usage ■ Best practices violation ■ Weak Session Management ■ Using HTTP GET query strings

18. Defending from Attackers Simple Threat Modeling Reactive Defense Proactive Defense Defense in Depth 18

19. Simple Threat Modeling It’s simplified Glorified brainstorming Better than nothing A worthwhile exercise 19 Really a simplified brainstorming activity

20. Reactive Modeling Driven by: Blackbox testing Grey/Whitebox testing Code audit Operational/ performance bugs Assessment and mitigation/patch/fix 20 Really a less simplified brainstorming activity Performed at the end of development or post-deployment when code finished Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.

21. Reactive Modeling Driven by: Blackbox testing Grey/Whitebox testing Code audit Operational/ performance bugs Assessment and mitigation/patch/fix 21 Really a simplified brainstorming activity Performed at the end of development or post-deployment when code finished Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.

22. Proactive Modeling Driven by: Data Flow Diagrams [DFD] Data classiﬁcation Secure coding practices Continuous testing/ improvement Rugged software design 22 Cheeseball but appropriate Sun Tsu quotation: So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Fixing problems before they are created is an enormous cost and time savings This method prevents bugs from happening instead of remediating them after the fact http://en.wikipedia.org/wiki/Proactive_Cyber_Defence http://en.wikipedia.org/wiki/Operational_risk#Methods_of_operational_risk_management http://en.wikipedia.org/wiki/Risk_modeling (beware use or ﬁnancial risk management in complex systems) Rugged Software Manifesto: http://ruggedsoftware.org/ http://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1

23. Data Flow Diagram [DFD] 23 http://en.wikipedia.org/wiki/Data_ﬂow_diagram

27. Threat Model Deﬁning a set of attacks to consider What can you trust? What can you not mitigate in the code or environment? Think defense in depth here 27 http://en.wikipedia.org/wiki/Threat_modeling http://www.owasp.org/index.php/Threat_Risk_Modeling

28. Threat Model Three types: Attacker centric Software centric Asset centric 28 http://en.wikipedia.org/wiki/Threat_modeling

29. Attacker What do they want? What resources do they have to get it? 29 This is likely of little interest to us in this context http://www.egadss.org/security.html

30. Software Anticipate possible attacks Can do beyond secure code Validating inputs Least privilege Fail closed 30 http://www.owasp.org/index.php/Threat_Risk_Modeling

31. Software Attacks and code countermeasures Methodologies STRIDE / DREAD CVSS OCTAVE 31 http://www.owasp.org/index.php/Threat_Risk_Modeling STRIDE http://msdn.microsoft.com/en-us/magazine/cc163519.aspx CVSS http://www.ﬁrst.org/cvss/ OCTAVE http://www.cert.org/octave/

32. Asset Start modeling with things with asset tags Webservers Disk arrays Databases Routers Data channels 32 For those who aren’t programmers, but want to perform some operational threat modeling and risk mitigation, this is a popular choice.

33. Change Management A good name. Goals: Eliminate unauthorized changes Eliminate unauthorized access and vulnerability exposure Raise communication and awareness Leads to better security 33 Many incidents are caused by a gap in proper conﬁguration. This speaks to an immature change management program Photo: www.ﬂickr.com/photos/ spursfan_ace/2328879637/

34. Change Management Related important activities: Patching Known-good or gold standard conﬁgurations and builds System security Role-based access and least privilege controls 34 http://en.wikipedia.org/wiki/Principle_of_least_privilege

35. Security Controls Covers what software does not Reinforces what software does cover Defense in depth They are best when they are fed data 35 A nice ancient picture from our friends at the RAND corporation

36. Security Controls Physical access control Auditing of changes and user access Intrusion detection/ prevention Monitoring 36 There are more, these are just examples

37. Security Controls Anomaly detection Incident management and handling Single Sign-on 37 ..and much much more

38. Security Development [SDL] In Seattle most like Microsoft. At Microsoft, they like their SDL Flavors available: Classic Agile Light 38 http://www.microsoft.com/security/sdl/ There are other models and I have my favorites. Ask me if you can’t get enough of this SDL business.

39. Security Development [SDL] In a nutshell: Requirements Veriﬁcation Design Release Implementation 39 With the optional stage zero of Training and a post-release stage of Response

40. Security Development [SDL] OWASP SDL: OpenSAMM Open and free Scoring maturity in skill/ process zones Like all things OWASP, pretty awesome 40 http://www.opensamm.org/2009/03/samm-10-released/ http://blogs.gartner.com/neil_macdonald/2009/08/04/another-excellent-application- security-maturity-model/

41. Security Development [SDL] Program quality scored from 0 to 3 0 representing none 3 representing comprehensive mastery 41

42. Security Development [SDL] Figure it out yourself Make your process fit your business needs and team skillsets Define more or less based on your in house framework or other needs 42 http://securosis.com/blog/firestarter-secure-development-lifecycle-your-doing-it-wrong/ Same failing argument used against QA 20 years ago: http://erratasec.blogspot.com/2010/05/you-may-not-need-sdl.html Do what you can do well and farm the rest out or delegate to someone who can do better.

43. Horrible Consequences Something didn’t work out There was an incident The breach was on the news What might happen now? 43

44. Horrible Consequences You may be called to a meeting to explain Your company brand or stock price may suffer There may be truly amazingly large ﬁnes Businesses can fold over such things 44 Whatever happens, you will not like them, no one will be pleased, and life will not be cool.

45. The Unexpected Unintended uses for software Landscapes change Future hard to predict Dependencies Legacy 45 Example: IP over HTTP and DNS Futurists thought that we would be on Mars and communicating with telepathy by now. It’s no wonder there is no trust model in TCP/IP. Smurf (and other ampliﬁcation attacks) and IP spooﬁng likely not in the TCP/IP design considerations. Try to think about possible applications of the infrastructure you’re developing as, if you do it well, it may be around for a long time.

46. Thanks Ian Gorrie 46 I am Ian. http://gorrie.org @gorrie

Threats, Threat Modeling and Analysis

Esté a ler uma amostra.

Confira estes a seguir

Threats, Threat Modeling and Analysis

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (6)

Semelhante a Threats, Threat Modeling and Analysis (20)

Mais recentes (20)