Who can deny the importance of security in virtually every task we try to achieve nowadays, digital or not? Security is increasingly becoming the most important, sensitive and complex topic to cover because it relates to almost every aspect of our lives.
An important and mostly underestimated task when developing any kind of system, whether it is a piece of software, a web application, or even a bank alarm system, is threat modeling: the structured analysis of the risks the system might face. Unfortunately, due to various factors in the design and development process, security is not given the necessary attention by designers, developers and, most importantly, management; the attackers, on the other hand, give it plenty, with devastating results for system owners and their users. The first casualty is usually money: the resources and time needed to face a threat grow exponentially when it is addressed late, or when it is already too late.
To enhance system security and minimize its weaknesses, a process has to be implemented from the beginning of the design phase and applied continuously throughout the whole life-cycle of the system, laying the foundation for better security. This process is referred to as “Threat Modeling”.
What is Threat Modeling?
Threat modeling is an important part of any system life-cycle, and especially of the design phase. It allows the designers, the security experts, the team and the management to determine what could pose a threat to the system, considering every possibility including the small ones, to analyze and prioritize those threats, and to come up with a mitigation plan for each.
During the Process
During threat modeling, system designers take the system in question and put it under analysis: they check each part and plan a set of security specifications to be tested, allowing a better understanding of the vulnerabilities in the system, how they can be used by attackers, why, and how they can be mitigated (more info in this SANS Institute paper). An important part to highlight here is understanding the attacker on different levels: their possible skills, the tools they can use and their motivations. Understanding the attacker is crucial when designing a threat model; to catch the bad guys we have to change our mindset to match theirs. This is exactly the point of a certified ethical hacker, or of any security expert: for example, a CEH uses the same techniques and tools as black hat hackers to attack systems, find vulnerabilities and exploit them. The main difference is that the CEH reports the vulnerabilities found and proposes possible solutions.
STRIDE and DREAD
When modeling the system's threats we need to classify the threats we found in order to better understand what attackers can do, and we need to determine what level of risk each threat poses by applying a measurement mechanism that quantifies the risk, which will help us in the prioritization process.
When using STRIDE, the threats are classified according to the following categories.
- Spoofing: something or someone tricking us into treating it as legitimate and valid. For example, an attacker masquerading as a legitimate user.
- Tampering: can attackers modify or interfere with legitimate information?
- Repudiation: a user denies having performed a certain action, which could be illegal and harmful.
- Information Disclosure: for example, unauthorized personnel getting access to confidential information they were not supposed to have access to.
- Denial of Service: a service is brought down, intentionally or unintentionally, resulting in disruption for legitimate users.
- Elevation of Privilege: an unauthorized user gains higher privileges than they were supposed to have, which might result in access to restricted information or in the ability to perform dangerous tasks.
When it comes to measuring and ranking the risk level of the threats, DREAD, the acronym for the following points, is a great technique provided by Microsoft for this purpose.
- Damage potential: how much damage can this threat do to our system?
- Reproducibility: is it easy to be reproduced?
- Exploitability: how much effort and experience does it require to be exploited?
- Affected users: in case the threat became an attack, how many users can be affected?
- Discoverability: as Howard and LeBlanc say in their book “Writing Secure Code”, it is good to assume that all threats are discoverable to some extent, so this factor can simply be set to the highest value.
So basically we rate each DREAD factor on a scale from 0 to 10, where the greater the number, the greater the threat.
Finally we calculate the risk value, Risk(DREAD), by averaging the five factors: Risk = (D + R + E + A + D) / 5
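As an added worked example (not code from the original post), here is a small Python threat register that tags each threat with a STRIDE category, validates the DREAD factors against the 0 to 10 scale, defaults Discoverability to 10 as suggested above, computes the average, and sorts the threats for prioritization. The threats and their scores are constructed sample data for a hypothetical web application, and the High/Medium/Low bands are an assumed convention for this example, not part of DREAD itself.

```python
from dataclasses import dataclass, fields
from enum import Enum


class Stride(Enum):
    """STRIDE threat categories."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"


@dataclass(frozen=True)
class Dread:
    """DREAD factors, each rated 0..10 (higher is worse).

    Discoverability defaults to 10, following the Howard and LeBlanc
    advice to assume every threat will eventually be discovered.
    """
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int = 10

    def __post_init__(self) -> None:
        # Reject scores outside the 0..10 scale instead of letting a typo
        # such as 80 silently dominate the average.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{f.name} must be an integer in 0..10, got {value!r}")

    def risk(self) -> float:
        """Risk = (D + R + E + A + D) / 5, as in the text."""
        total = sum(getattr(self, f.name) for f in fields(self))
        return total / len(fields(self))


@dataclass(frozen=True)
class Threat:
    title: str
    category: Stride
    dread: Dread

    @property
    def risk(self) -> float:
        return self.dread.risk()


def risk_band(score: float) -> str:
    """Map a DREAD average to a label. The thresholds are an assumed
    convention for this example, not part of DREAD itself."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest risk first; ties keep their original order (sorted is stable)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def by_category(threats: list[Threat]) -> dict[Stride, list[Threat]]:
    """Group threats by STRIDE category so the model can be reviewed per class."""
    grouped: dict[Stride, list[Threat]] = {}
    for t in threats:
        grouped.setdefault(t.category, []).append(t)
    return grouped


# Constructed sample register for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Session token accepted after logout", Stride.SPOOFING, Dread(8, 9, 7, 8)),
    Threat("Audit log writable by the application user", Stride.REPUDIATION, Dread(6, 10, 5, 4)),
    Threat("Unbounded file upload size", Stride.DENIAL_OF_SERVICE, Dread(7, 10, 9, 10)),
    Threat("Debug endpoint leaks stack traces", Stride.INFORMATION_DISCLOSURE, Dread(4, 10, 10, 2, 5)),
]


if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{t.risk:4.1f} {risk_band(t.risk):6} {t.category.value:22} {t.title}")
```

Running the script lists the upload threat first (9.2), then the session token (8.4), the audit log (7.0) and the debug endpoint (6.2). The range check lives in `__post_init__` because a plain average hides out-of-range input; an accidental 80 in one factor would quietly push a threat to the top of the list.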
“threat models play an important role in the process of building a secure system”
The above statement makes complete sense: system security cannot rely on being implemented at the end of the development process or after the production release of the system. As Burns (2005, p. 11) stated, “[n]etwork security is no longer sufficient to secure an application. Security needs to be a part of the application design process”. Unfortunately, nowadays many organizations developing systems that require security are not considering, or not giving the necessary attention to, their system security, whether through threat modeling or other processes, due to project budgets, strict deadlines and more.
Cover Image courtesy of Dilbert