Threat Modeling in the garden of Eden
Mano ‘dash4rk’ Paul, HackFormers
ABC’s about me
• Author – Official (ISC)2 Guide to the CSSLP
• Advisor – (ISC)2 Software Assurance Advisor
• Biologist (Shark)
• Christian
• CEO, SecuRisk Solutions & Express Certifications
Agenda
• Teach Security: Threat Modeling
• Teach Christ: In the garden of Eden
• Discussion
Teach Security
Threat Modeling
Threat Modeling
• Process/Activity
– Systematic, to determine the applicable threats
– Iterative, to ensure the threats are addressed
• A must-have for companies today
– Cannot be ignored
Why Threat Model?
• To manage Risk!
• Risk of what? Disclosure / Alteration / Destruction
• Risk to what? Assets
• Why? Threat agents and vulnerabilities
• So what do we do? Threat model: identify threats & vulnerabilities
• Then what? Manage risk: apply controls
• Model threats → Apply controls → Reduce risk
ABC of Threat Modeling
• Step 1: Identify Assets
• Step 2: Identify Boundaries (Entry/Exit/Flows)
• Step 3: Identify Controls
– But first we need to identify the applicable Threats
Step 1: Identify Assets
• Assets (anything of value)
– Financial
– Personal
– Sensitive
– Intellectual property
Step 2: Identify Boundaries
(Diagram: trust zones Internal | DMZ | External, with a boundary between each pair)
Step 3: Identify Controls
• Oh, but first we need to identify Threats
• Threat Identification
– Attack Trees
– Threat Framework
STRIDE Threat Framework
• Spoofing – Masquerading
• Tampering – Alteration
• Repudiation – Denying
• Info. Disclosure – Data Loss/Leakage
• Denial of Service – Downtime
• Elevation of Privilege – Admin (root)
Identify Controls
Threat – Controls
• Spoofing – Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication
• Tampering – Hashing; Digital signatures; Secure Communications; Input validation
• Repudiation – Digital signatures; Secure audit trails (logging)
• Info. Disclosure – Cryptographic protection (Encryption/Hashing …); User awareness against Phishing
• Denial of Service – Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery
• Elevation of Privilege – Least privilege (Need to know); Compartmentalization
Appropriate INCORPORATION of Controls reduces Risk
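As an added example (not part of the deck), a small Python model of the three steps above: flows carrying assets across the Internal/DMZ/External zones, STRIDE threats raised on every boundary crossing, and the deck's control table used to find what is still unmitigated after each iteration. The control tags, the Flow class and the sample login flow are this example's own constructs.

```python
# Added example: a tiny STRIDE threat model following the deck's steps
# (assets, boundaries, threats, controls). Control tags are this example's own.
from dataclasses import dataclass, field

# STRIDE threat -> control families from the deck's "Identify Controls" table.
STRIDE_CONTROLS = {
    "Spoofing":               {"credential-protection", "ssl", "mfa"},
    "Tampering":              {"hashing", "signatures", "secure-comms", "input-validation"},
    "Repudiation":            {"signatures", "audit-log"},
    "Information Disclosure": {"encryption", "phishing-awareness"},
    "Denial of Service":      {"input-validation", "throttling", "load-balancing", "dr"},
    "Elevation of Privilege": {"least-privilege", "compartmentalization"},
}
ZONES = ("External", "DMZ", "Internal")   # the deck's three trust zones, outer to inner


@dataclass
class Flow:
    """Steps 1 and 2: an asset moving between zones; a boundary is crossed when zones differ."""
    name: str
    asset: str
    src: str
    dst: str
    controls: set = field(default_factory=set)   # control tags applied to this flow

    def boundaries_crossed(self) -> int:
        return abs(ZONES.index(self.src) - ZONES.index(self.dst))


def unmitigated_threats(flow: Flow) -> dict:
    """Step 3: STRIDE threats on a boundary-crossing flow that no applied control covers.
    Returns {threat: sorted control tags that would cover it}; {} for in-zone flows."""
    if flow.boundaries_crossed() == 0:
        return {}
    return {t: sorted(c) for t, c in STRIDE_CONTROLS.items() if not flow.controls & c}


def threat_model(flows) -> dict:
    """One iteration over all flows; the result is the work list for the next iteration."""
    return {f.name: unmitigated_threats(f) for f in flows if unmitigated_threats(f)}


# Constructed sample: a login request carrying credentials from the Internet into the DMZ.
LOGIN = Flow("login", asset="credentials", src="External", dst="DMZ", controls={"ssl"})
REPORT_BEFORE = threat_model([LOGIN])
# Next iteration: add MFA, input validation and an audit trail, then model again.
LOGIN.controls |= {"mfa", "input-validation", "audit-log"}
REPORT_AFTER = threat_model([LOGIN])

if __name__ == "__main__":
    for report in (REPORT_BEFORE, REPORT_AFTER):
        for name, gaps in report.items():
            for threat, ctrls in gaps.items():
                print(f"{name}: {threat} unmitigated; candidate controls: {', '.join(ctrls)}")
```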
Teach Christ
In the garden of Eden
The Asset
• What is man that thou (God) art mindful of him? – Psalm 8:4
• Man – God’s most precious asset
– “For you are fearfully and wonderfully made” (Psalm 139:14)
– “Created in the image of God” (Genesis 1:27)
• Man – God’s most prime asset
– Dominion was given to man over all the fish, fowl and all living things that moved upon the earth (Genesis 1:28)
– Apex of God’s creation; not Ex-Ape of Evolution
The Boundaries
(Diagram: Garden of Eden | External)
The threats in the Garden
• Spoofing – The fruit which was bad for the soul (spirit) was pleasing to the eye (flesh) (Genesis 3:6)
• Tampering – God said: You shall not eat of the tree of knowledge … (Genesis 2:17); the Devil asked: … you shall not eat of any tree? (Genesis 3:1)
• Repudiation – Adam said (denied): It wasn’t me, but Eve; Eve said (denied): It wasn’t me, but the serpent (Genesis 3:12,13)
• Info. Disclosure – The Devil said: Yea, hath God said – phishing for information (Genesis 3:1)
• Denial of Service – Access to the tree of life was denied after man disobeyed (Genesis 3:22-24)
• Elevation of Privilege – Prelude to the Garden encounter: Lucifer (the devil) tried to elevate himself above God and was thrown out (Ezekiel 28)
The Impact
(Diagram: Garden of Eden | External)
No more boundaries (separation from God)
The Control
(Diagram: Garden of Eden | External)
Gift of God is eternal life to all who believe in Jesus Christ – John 3:16
Appropriate INCLUSION of Jesus Christ in our life eliminates the risk of second death
Discussion Points
• What are some of the “threats” in your personal/professional life?
• How are you addressing these threats?
Closing Thoughts
    try {
        if (uLikedThisMtg) {
            getLinkedIn();
            subscribeViaEmail();
            followAndTweet();  // @hackformers
            emailUs();         // [email protected]
        } else {
            giveFeedback();    // [email protected]
        }
    } catch (Threats t) {
        applyControl(God JesusChrist);
    } finally {
        ThankUandGodBless();
    }
Want More?
• Speaker: Michael Howard
– Principal Cybersecurity Program Manager, Microsoft
– Author, Writing Secure Code and many more …
• Topic: TBD
• Date: March 09, 2012
• Time: 11:30 a.m. – 1:00 p.m.
• Venue: Microsoft Technology Center
• www.hackformers.org • @hackformers
Backup
Identify Controls
Threat – Controls
• Spoofing – Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication
• Tampering – Hashing; Digital signatures; Secure Communications; Input validation
• Repudiation – Digital signatures; Secure audit trails (logging)
• Information Disclosure – Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’ (); Control your tongue (James 3)
• Denial of Service – Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery
• Elevation of Privilege – Least privilege (Need to know); Compartmentalization