Threat Modeling in the garden of Eden

Mano ‘dash4rk’ Paul, HackFormers

ABC’s about me

• Author – Official (ISC)2 Guide to the CSSLP
• Advisor – (ISC)2 Software Assurance Advisor
• Biologist (Shark)
• Christian
• CEO, SecuRisk Solutions & Express Certifications

Agenda

• Teach Security: Threat Modeling
• Teach Christ: In the garden of Eden
• Discussion

Teach Security

Threat Modeling

Threat Modeling

• Process/Activity
  – Systematic: to determine the applicable threats
  – Iterative: to ensure threats are addressed
• A must-have for companies today
  – Cannot be ignored

Why Threat Model?

• To manage Risk!
• Risk of what? Disclosure / Alteration / Destruction
• Risk to what? Assets
• Why? Threat agents and Vulnerabilities
• So what do we do? Threat Model → Identify threats & vulnerabilities
• Then what? Manage risk → Apply controls
• Model threats → Apply controls → Reduce risk

ABC of Threat Modeling

• Step 1: Identify Assets
• Step 2: Identify Boundaries (Entry/Exit/Flows)
• Step 3: Identify Controls
  – But first we need to identify the applicable Threats

Step 1: Identify Assets

• Assets (anything of value)
  – Financial
  – Personal
  – Sensitive
  – Intellectual property

Step 2: Identify Boundaries

(Diagram: three zones separated by trust boundaries – Internal | DMZ | External)

Step 3: Identify Controls

• Oh, but first we need to identify Threats
• Threat Identification
  – Attack Trees
  – Threat Framework

STRIDE Threat Framework

Threat                   In plain terms
Spoofing                 Masquerading
Tampering                Alteration
Repudiation              Denying
Info. Disclosure         Data Loss/Leakage
Denial of Service        Downtime
Elevation of Privilege   Admin (root)

Identify Controls

Threat                   Controls
Spoofing                 Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication
Tampering                Hashing; Digital signatures; Secure Communications; Input validation
Repudiation              Digital signatures; Secure audit trails (logging)
Info. Disclosure         Cryptographic protection (Encryption/Hashing …); User awareness against Phishing
Denial of Service        Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery
Elevation of Privilege   Least privilege (Need to know); Compartmentalization

Appropriate INCORPORATION of Controls reduces Risk

(Diagram: the STRIDE threats – Spoofing, Tampering, Info. Disclosure, Denial of Service, Elevation of Privilege, Repudiation – each met by the controls above)
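As an added example (not from the talk), the three steps above and the threat-to-controls table worked through in Python: a small model of elements across the Internal/DMZ/External zones, the STRIDE-per-element rule (which STRIDE categories apply to which kind of element, a common generalization that the slides do not spell out and is assumed here), and the talk's control list used to report which threats are still unaddressed, so the model can be iterated until the list is empty. The element names, zones and control keywords are constructed for the example.

```python
from dataclasses import dataclass, field
# STRIDE-per-element: which threat categories apply to each DFD element type
# (assumed generalization of the talk's STRIDE table, not from the slides).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Info. Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}
# Control keywords per category, condensed from the talk's "Identify Controls"
# table; "ssl" is also counted as encryption under Info. Disclosure.
CONTROLS = {
    "S": {"credential protection", "ssl", "mfa"},
    "T": {"hashing", "digital signature", "secure comms", "input validation"},
    "R": {"digital signature", "audit trail"},
    "I": {"encryption", "ssl", "hashing", "phishing awareness"},
    "D": {"input validation", "throttling", "load balancing", "disaster recovery"},
    "E": {"least privilege", "compartmentalization"},
}

@dataclass
class Element:
    name: str
    kind: str        # external | process | store | flow
    zones: tuple     # Step 2: zones touched (Internal / DMZ / External)
    controls: set = field(default_factory=set)   # Step 3: controls applied

def crosses_boundary(e):
    """A flow touching two different zones crosses a trust boundary."""
    return len(set(e.zones)) > 1

def unaddressed_threats(elements):
    """(element, threat) pairs with no matching control, in STRIDE order.
    Flows that stay inside one zone are skipped; every other element is checked."""
    gaps = []
    for e in elements:
        if e.kind == "flow" and not crosses_boundary(e):
            continue
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            if not CONTROLS[letter] & e.controls:   # no control covers it yet
                gaps.append((e.name, NAMES[letter]))
    return gaps
# Constructed sample: a login path from the Internet through the DMZ to a DB.
MODEL = [
    Element("browser", "external", ("External",), {"mfa"}),
    Element("login request", "flow", ("External", "DMZ"), {"ssl", "input validation"}),
    Element("web app", "process", ("DMZ",), {"input validation", "audit trail"}),
    Element("app->db", "flow", ("DMZ", "Internal"), {"encryption", "throttling"}),
    Element("user db", "store", ("Internal",), {"hashing", "audit trail", "least privilege"}),
    Element("cache lookup", "flow", ("DMZ", "DMZ")),  # in-zone flow, skipped
]
```

Running `unaddressed_threats(MODEL)` on this sample shows, for instance, that an encrypted but unsigned app-to-DB flow still has a Tampering gap and a user store with no recovery plan still has a Denial of Service gap.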

Teach Christ

In the garden of Eden

• What is man that thou (God) art mindful of him?
  – Psalm 8:4
• Man – God’s most precious asset
  – “For you are fearfully and wonderfully made” (Psalm 139:14)
  – “Created in the image of God” (Genesis 1:27)
• Man – God’s most prime asset
  – Dominion was given to man over all the fish, fowl and all living things that moved upon the earth (Genesis 1:28)
  – Apex of God’s creation; not Ex-Ape of Evolution

The Asset

The Boundaries

(Diagram: two zones separated by a boundary – Garden of Eden | External)

The threats in the Garden

Threat                   In the Garden
Spoofing                 The fruit which was bad for the soul (spirit) was pleasing to the eye (flesh) (Genesis 3:6)
Tampering                God said: You shall not eat of the tree of knowledge … (Genesis 2:17); Devil asked: … you shall not eat of any tree? (Genesis 3:1)
Repudiation              Adam said (denied): It wasn’t me, but Eve; Eve said (denied): It wasn’t me, but the serpent (Genesis 3:12,13)
Info. Disclosure         Devil said: Yea, Hath God said – phishing for information (Genesis 3:1)
Denial of Service        Access to the tree of life was denied after man disobeyed (Genesis 3:22-24)
Elevation of Privilege   Prelude to the Garden encounter: Lucifer (the devil) tried to elevate himself above God and was thrown out (Ezekiel 28)

The Impact

(Diagram: Garden of Eden | External)

The Control

(Diagram: Garden of Eden | External)

No more boundaries (separation from God); the gift of God is eternal life to all who believe in Jesus Christ – John 3:16

Appropriate INCLUSION of Jesus Christ in our life eliminates the risk of second death

Discussion Points

• What are some of the “threats” in your personal/professional life?

• How are you addressing these threats?

Closing Thoughts

    try {
        if (uLikedThisMtg) {
            getLinkedIn();
            subscribeViaEmail();
            followAndTweet();   // @hackformers
            emailUs();          // mano.paul@hackformers.org
        } else {
            giveFeedback();     // mano.paul@hackformers.org
        }
    } catch (Threats t) {
        applyControl(God JesusChrist);
    } finally {
        ThankUandGodBless();
    }

Want More?

• Speaker: Michael Howard
  – Principal Cybersecurity Program Manager, Microsoft
  – Author, Writing Secure Code and many more …
• Topic: TBD
• Date: March 09, 2012
• Time: 11:30 a.m. – 1:00 p.m.
• Venue: Microsoft Technology Center
• www.hackformers.org
• @hackformers

Backup

Identify Controls

Threat                   Controls
Spoofing                 Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication
Tampering                Hashing; Digital signatures; Secure Communications; Input validation
Repudiation              Digital signatures; Secure audit trails (logging)
Information Disclosure   Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’ (); Control your tongue (James 3)
Denial of Service        Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery
Elevation of Privilege   Least privilege (Need to know); Compartmentalization
