Basics of Data-Centric System Threat Modeling
Step 1: Identify and Characterize the System and Data of Interest
- The authorized locations for the data within the system:
  - Storage: all places where data may be at rest within the system boundaries;
  - Transmission: all ways in which data may transit over networks between system components and across the system's boundaries;
  - Execution environment: e.g., data held in local memory during runtime, data processed by virtual CPUs, etc.;
  - Input: e.g., data typed in using the keyboard; and
  - Output: e.g., data printed to a physically attached printer, data displayed on the laptop screen.
- A basic understanding of how the data moves within the system between authorized locations.
- The security objectives (e.g., confidentiality, integrity, availability) for the data.
- The people and processes who are authorized to access the data in a way that could affect the security objectives.
Example Scenario Summary
The data of interest is a spreadsheet containing personally identifiable information (PII) for employees who have received workers' compensation.
The system of interest comprises
The authorized locations for the data of interest are as follows:
Storage:
Transmission:
Execution environment:
Input:
Output:
Description:
Step 2: Identify and Select the Attack Vectors to Be Included in the Model
Location 1: Stored in a spreadsheet on the local hard drive.
- Vector 1a: Attacker gains unauthorized physical access to the laptop, uses forensic tools or other utilities to copy the file (without authenticating to the OS).
- Vector 1b: Attacker gains unauthorized physical access to the laptop, exploits vulnerabilities to gain OS access (impersonating user/admin).
- Vector 1c: Attacker steals and reuses user/admin/service credentials.
- Vector 1d: Attacker gains access to/control over user's session/device.
- Vector 1e: User forwards the file to an unauthorized recipient (user was tricked via social engineering, user is malicious, user made a mistake, etc.).
- Vector 1f: Attacker accesses an unsecured network service (e.g., connects to an unsecured file share) and gains access to the file.
Location 2: Stored in a spreadsheet on a flash drive backup.
- Vector 2a: Attacker gains unauthorized physical access to the flash drive, mounts the drive and copies the file.
- Vector 2b: Attacker steals and reuses user/admin/service credentials for the laptop while the flash drive is mounted.
- Vector 2c: Attacker gains access to/control over user's session/device while the flash drive is mounted.
- Vector 2d: User forwards the file to an unauthorized recipient.
Location 3: Printed to a nearby printer over a wireless network connection.
- Vector 3a: Attacker monitors unencrypted or weakly encrypted wireless network communications and captures the data being sent to the printer.
- Vector 3b: Attacker views a printout of the spreadsheet.
Location 4: Processed locally.
- Vector 4a: Attacker gains access to/control over user's session/device.
Location 5: Input locally.
- Vector 5a: Attacker watches the information being typed into the laptop.
- Vector 5b: Attacker uses a keystroke logger on the laptop to monitor keystrokes.
Location 6: Output locally.
- Vector 6a: Attacker views the information on the laptop screen.
- Vector 6b: Attacker uses malware on the laptop to take screenshots.
Selected attack vectors (based on the possibility and the likelihood of each attack vector being used to completely compromise confidentiality):
- Vector 1c: Data is stored in a spreadsheet on the local hard drive; attacker steals and reuses user/admin/service credentials.
- Vector 1d: Data is stored in a spreadsheet on the local hard drive; attacker gains access to/control over user's session/device.
- Vector 2b: Data is stored in a spreadsheet on a flash drive backup; attacker steals and reuses user/admin/service credentials for the laptop while the flash drive is mounted.
- Vector 2c: Data is stored in a spreadsheet on a flash drive backup; attacker gains access to/control over user's session/device while the flash drive is mounted.
- Vector 4a: Data is processed locally; attacker gains access to/control over user's session/device.
Step 3: Characterize the Security Controls for Mitigating the Attack Vectors
Feasible security control alterations:
1. Require strong password with strongly encrypted password hash (vectors 1c and 2b).
   - Effectiveness: Low
   - Acquisition and implementation costs: Low
   - Annual management/maintenance costs: Low
   - Impact on functionality: Low
   - Impact on usability: Low
   - Impact on performance: Low
2. Require multifactor authentication (vectors 1c and 2b).
   - Effectiveness: High
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Low
   - Impact on usability: Moderate
   - Impact on performance: Low
3. Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. (vectors 1c, 1d, 2b, 2c, and 4a).
   - Effectiveness: Moderate
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Moderate
   - Impact on usability: Moderate
   - Impact on performance: Moderate
4. Patch vulnerabilities (vectors 1c, 1d, 2b, 2c, and 4a).
   - Effectiveness: Low
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Moderate
   - Impact on usability: Low
   - Impact on performance: Moderate
Step 4: Analyze the Threat Model
After much debate, the organization decides to set the following scores for the characteristics and to weigh them all evenly:
- No security control effectiveness = 0
- Security control effectiveness of low = 1
- Security control effectiveness of moderate = 2
- Security control effectiveness of high = 3
- Negative implication of high = 1
- Negative implication of moderate = 2
- Negative implication of low = 3
Negative implication scores per security control (evenly weighted, summed in the last column):
Possible Security Controls | Acquisition and Implementation Costs | Annual Management/Maintenance Costs | Impact on Functionality | Impact on Usability | Impact on Performance | Total for Security Control
Require strong password with strongly encrypted password hash | 3 | 3 | 3 | 3 | 3 | 15
Require multifactor authentication | 2 | 2 | 3 | 2 | 3 | 12
Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. | 2 | 2 | 2 | 2 | 2 | 10
Patch vulnerabilities | 2 | 2 | 2 | 3 | 2 | 11
Security control effectiveness per attack vector (Eff.), negative implication total from the previous table (Neg. Total), and security control effectiveness times negative implication total per attack vector (Eff. x Neg.):
Possible Security Controls | Eff. 1c | Eff. 1d | Eff. 2b | Eff. 2c | Eff. 4a | Neg. Total | Eff. x Neg. 1c | Eff. x Neg. 1d | Eff. x Neg. 2b | Eff. x Neg. 2c | Eff. x Neg. 4a
Require strong password with strongly encrypted password hash | 1 | 0 | 1 | 0 | 0 | 15 | 15 | 0 | 15 | 0 | 0
Require multifactor authentication | 3 | 0 | 3 | 0 | 0 | 12 | 36 | 0 | 36 | 0 | 0
Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. | 2 | 2 | 2 | 2 | 2 | 10 | 20 | 20 | 20 | 20 | 20
Patch vulnerabilities | 1 | 1 | 1 | 1 | 1 | 11 | 11 | 11 | 11 | 11 | 11
Customizing the Data-Centric System Threat Modeling Methodology
This publication has primarily presented a qualitative approach to data-centric system threat modeling. A quantitative approach would yield more precise and accurate results than a qualitative one, but it would also be far more resource-intensive and would not scale well to modeling large, complex systems unless the metrics and methods were largely automated. Because such automation is not yet widely available, if it is available at all, this publication focuses on qualitative modeling, which is still highly beneficial. In the future, as more automated quantitative metrics and methods become available, organizations should reconsider the feasibility of quantitative modeling.
Most of the actions in the methodology can be handled in many ways in terms of both content (what information is captured) and format/structure (how the information is captured). There is no "right" way, and the examples are purely illustrative. What matters is recording enough information to provide the necessary inputs to subsequent steps and to lay the groundwork for actionable recommendations.
A prime example of the methodology's flexibility is Step 2. Step 2 uses the list of authorized locations for the data of interest produced in Step 1. In the example, each attack vector is defined narratively, for instance "Attacker gains unauthorized physical access to the laptop, uses forensic tools or other utilities to copy the file (without authenticating to the OS)." This single statement actually conveys three pieces of data: 1) the source of the malicious content, 2) the potentially vulnerable processor of that malicious content, and 3) the nature of the malicious content itself.
Some organizations may prefer a more narrative approach to defining attack vectors because it is easier for others to understand, while other organizations may want a more thorough or technically based approach and therefore wish to adopt threat consequences and actions as a taxonomy for identifying attack vectors. There are, of course, many other ways of defining attack vectors that individual organizations may prefer to use because of existing processes and tools or for other reasons.
Another factor to consider is the granularity of the attack vectors; one organization may only have the resources to consider attack vectors at a very high level, while another may want to dig deep and make the attack vectors as narrow as possible. Organizations may also want to limit the scope of their threat modeling, thereby reducing the workload. Using Step 2 as an example, an organization could decide to eliminate any attack vectors that do not merit further consideration. For example, an organization may decide to ignore the attack vectors with the lowest relative likelihood because there are too many other attack vectors to consider.
Similarly, an organization may only be interested (at least initially) in attack vectors that could lead to a complete compromise of confidentiality, integrity, and availability. Another possibility is to eliminate attack vectors that have no feasible mitigations. Ideally, an organization should analyze all attack vectors before screening any out (for example, an unlikely attack vector may turn out to be very easy and inexpensive to mitigate, or a single mitigation may address several attack vectors), but in practice this may not be feasible in some cases.
Of course, an organization may skip any element of the methodology that is not relevant to its particular situation or environment, and likewise it may add characteristics if other factors are also important to the organization.