Sunday, September 3, 2023

Threat Modeling

 

Basics of Data-Centric System Threat Modeling

Step 1: Identify and Characterize the System and Data of Interest

- The authorized locations for the data within the system:
  - Storage: all places where data may be at rest within the system boundaries;
  - Transmission: all ways in which data may transit over networks between system components and across the system's boundaries;
  - Execution environment: e.g., data held in local memory during runtime, data processed by virtual CPUs, etc.;
  - Input: e.g., data typed in using the keyboard; and
  - Output: e.g., data printed to a physically attached printer, data displayed on the laptop screen.
- A basic understanding of how the data moves within the system between authorized locations.
- The security objectives (e.g., confidentiality, integrity, availability) for the data.
- The people and processes who are authorized to access the data in a way that could affect the security objectives.

Example Scenario

Summary

The data of interest is a spreadsheet containing personally identifiable information (PII) for employees who have received workers’ compensation.

The system of interest comprises

The authorized locations for the data of interest are as follows

Storage:

Transmission:

Execution environment:

Input:

Output:

Description:

 

Step 2: Identify and Select the Attack Vectors to Be Included in the Model

Location 1: Stored in a spreadsheet on the local hard drive.

- Vector 1a: Attacker gains unauthorized physical access to the laptop, uses forensic tools or other utilities to copy the file (without authenticating to the OS).
- Vector 1b: Attacker gains unauthorized physical access to the laptop, exploits vulnerabilities to gain OS access (impersonating user/admin).
- Vector 1c: Attacker steals and reuses user/admin/service credentials.
- Vector 1d: Attacker gains access to/control over user's session/device.
- Vector 1e: User forwards the file to an unauthorized recipient (user was tricked via social engineering, user is malicious, user made a mistake, etc.).
- Vector 1f: Attacker accesses unsecured network service (e.g., connects to unsecured file share) and gains access to the file.

Location 2: Stored in a spreadsheet on a flash drive backup.

- Vector 2a: Attacker gains unauthorized physical access to the flash drive, mounts the drive and copies the file.
- Vector 2b: Attacker steals and reuses user/admin/service credentials for laptop while flash drive is mounted.
- Vector 2c: Attacker gains access to/control over user's session/device while flash drive is mounted.
- Vector 2d: User forwards the file to an unauthorized recipient.

Location 3: Printed to a nearby printer over a wireless network connection.

- Vector 3a: Attacker monitors unencrypted or weakly encrypted wireless network communications and captures the data being sent to the printer.
- Vector 3b: Attacker views a printout of the spreadsheet.

Location 4: Processed locally.

- Vector 4a: Attacker gains access to/control over user's session/device.

Location 5: Input locally.

- Vector 5a: Attacker watches the information being typed into the laptop.
- Vector 5b: Attacker uses keystroke logger on laptop to monitor keystrokes.

Location 6: Output locally.

- Vector 6a: Attacker views the information on the laptop screen.
- Vector 6b: Attacker uses malware on laptop to take screen shots.

Selected attack vectors (based on the possibility and the likelihood of each attack vector being used to completely compromise confidentiality):

- Vector 1c: Data is stored in a spreadsheet on the local hard drive; attacker steals and reuses user/admin/service credentials.
- Vector 1d: Data is stored in a spreadsheet on the local hard drive; attacker gains access to/control over user's session/device.
- Vector 2b: Data is stored in a spreadsheet on a flash drive backup; attacker steals and reuses user/admin/service credentials for laptop while flash drive is mounted.
- Vector 2c: Data is stored in a spreadsheet on a flash drive backup; attacker gains access to/control over user's session/device while flash drive is mounted.
- Vector 4a: Data is processed locally; attacker gains access to/control over user's session/device.

 

 

 

Step 3: Characterize the Security Controls for Mitigating the Attack Vectors

Feasible security control alterations:

1. Require strong password with strongly encrypted password hash (vectors 1c and 2b).
   - Effectiveness: Low
   - Acquisition and implementation costs: Low
   - Annual management/maintenance costs: Low
   - Impact on functionality: Low
   - Impact on usability: Low
   - Impact on performance: Low

2. Require multifactor authentication (vectors 1c and 2b).
   - Effectiveness: High
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Low
   - Impact on usability: Moderate
   - Impact on performance: Low

3. Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. (vectors 1c, 1d, 2b, 2c, and 4a).
   - Effectiveness: Moderate
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Moderate
   - Impact on usability: Moderate
   - Impact on performance: Moderate

4. Patch vulnerabilities (vectors 1c, 1d, 2b, 2c, and 4a).
   - Effectiveness: Low
   - Acquisition and implementation costs: Moderate
   - Annual management/maintenance costs: Moderate
   - Impact on functionality: Moderate
   - Impact on usability: Low
   - Impact on performance: Moderate

 

Step 4: Analyze the Threat Model

After much debate, the organization decides to set the following scores for the characteristics and weigh them all evenly:

- No security control effectiveness = 0
- Security control effectiveness of low = 1
- Security control effectiveness of moderate = 2
- Security control effectiveness of high = 3

- Negative implication of high = 1
- Negative implication of moderate = 2
- Negative implication of low = 3

 

 

Negative implication scores per characteristic (lower impact scores higher) and their total per control:

Possible Security Controls | Acquisition and Implementation Costs | Annual Management/Maintenance Costs | Impact on Functionality | Impact on Usability | Impact on Performance | Total for Security Control
---------------------------|---|---|---|---|---|---
Require strong password with strongly encrypted password hash | 3 | 3 | 3 | 3 | 3 | 15
Require multifactor authentication | 2 | 2 | 3 | 2 | 3 | 12
Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. | 2 | 2 | 2 | 2 | 2 | 10
Patch vulnerabilities | 2 | 2 | 2 | 3 | 2 | 11


Security control effectiveness per attack vector (E), negative implication total (NI, from the table above), and effectiveness times negative implication total per attack vector (E x NI):

Possible Security Controls | E 1c | E 1d | E 2b | E 2c | E 4a | NI Total | E x NI 1c | E x NI 1d | E x NI 2b | E x NI 2c | E x NI 4a
---------------------------|---|---|---|---|---|---|---|---|---|---|---
Require strong password with strongly encrypted password hash | 1 | 0 | 1 | 0 | 0 | 15 | 15 | 0 | 15 | 0 | 0
Require multifactor authentication | 3 | 0 | 3 | 0 | 0 | 12 | 36 | 0 | 36 | 0 | 0
Use antivirus software, spam filtering, real-time blacklists, user awareness, web reputation software, etc. | 2 | 2 | 2 | 2 | 2 | 10 | 20 | 20 | 20 | 20 | 20
Patch vulnerabilities | 1 | 1 | 1 | 1 | 1 | 11 | 11 | 11 | 11 | 11 | 11

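The Step 3 and Step 4 arithmetic behind the two tables, as an added example that is not part of the NIST text or the original post. The controls, ratings and selected vectors are the page's own; the optional per-characteristic weights are an assumed generalization of the page's "weigh them all evenly" decision, and best_control_per_vector is an assumed helper for reading the result.

```python
from dataclasses import dataclass

# Page's Step 4 scores: effectiveness none/low/moderate/high -> 0..3; negative
# implication high/moderate/low -> 1..3 (a lower impact scores higher).
EFFECTIVENESS = {"none": 0, "low": 1, "moderate": 2, "high": 3}
NEGATIVE_IMPLICATION = {"high": 1, "moderate": 2, "low": 3}
CHARACTERISTICS = ("acquisition", "maintenance", "functionality", "usability", "performance")
VECTORS = ("1c", "1d", "2b", "2c", "4a")  # attack vectors selected in Step 2

@dataclass
class Control:
    name: str
    effectiveness: str     # Step 3 rating against the vectors it addresses
    applies_to: frozenset  # vectors the control mitigates; it scores 0 elsewhere
    implications: dict     # characteristic -> Step 3 rating

    def negative_implication_total(self, weights=None):
        # The page weighs all five characteristics evenly; `weights` is an assumed
        # extension for organizations that do not (e.g. usability counting double).
        weights = weights or dict.fromkeys(CHARACTERISTICS, 1)
        return sum(NEGATIVE_IMPLICATION[self.implications[c]] * weights[c]
                   for c in CHARACTERISTICS)

    def effectiveness_per_vector(self):
        e = EFFECTIVENESS[self.effectiveness]
        return {v: e if v in self.applies_to else 0 for v in VECTORS}

    def effectiveness_times_implication(self, weights=None):
        total = self.negative_implication_total(weights)
        return {v: e * total for v, e in self.effectiveness_per_vector().items()}

CONTROLS = [  # the four feasible control alterations from Step 3, rated as on the page
    Control("Require strong password with strongly encrypted password hash", "low",
            frozenset({"1c", "2b"}), dict.fromkeys(CHARACTERISTICS, "low")),
    Control("Require multifactor authentication", "high", frozenset({"1c", "2b"}),
            {"acquisition": "moderate", "maintenance": "moderate", "functionality": "low",
             "usability": "moderate", "performance": "low"}),
    Control("Use antivirus software, spam filtering, real-time blacklists, etc.", "moderate",
            frozenset(VECTORS), dict.fromkeys(CHARACTERISTICS, "moderate")),
    Control("Patch vulnerabilities", "low", frozenset(VECTORS),
            {"acquisition": "moderate", "maintenance": "moderate", "functionality": "moderate",
             "usability": "low", "performance": "moderate"}),
]

def best_control_per_vector(controls=CONTROLS, weights=None):
    """For each selected vector, the control with the highest Step 4 score."""
    return {v: max(controls, key=lambda c: c.effectiveness_times_implication(weights)[v]).name
            for v in VECTORS}
```

Running best_control_per_vector() shows why the page's scoring favors multifactor authentication for the credential-theft vectors (1c, 2b) but leaves only the antivirus/awareness bundle and patching for the session/device-compromise vectors (1d, 2c, 4a).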

Customizing the Data-Centric System Threat Modeling Methodology

This publication primarily presents a qualitative approach to data-centric system threat modeling. A quantitative approach would yield more precise and accurate results than a qualitative one, but it would also be more resource-intensive and, unless the metrics and methods are largely automated, would not scale well to modeling large, complex systems. Because such automation is not yet widely available, if it is available at all, this publication focuses on qualitative modeling, which is still highly beneficial. In the future, as more automated quantitative metrics and methods emerge, organizations should reconsider the feasibility of using quantitative modeling.

Most of the actions in the methodology can be handled in many ways, both in terms of content (what information is captured) and format/structure (how the information is captured). There is no single "right" way; the examples are purely illustrative. What matters is recording enough information to provide the necessary input for the subsequent steps and to lay the foundation for making actionable recommendations.

A prime example of the methodology's flexibility is Step 2. Step 2 uses the list of authorized locations for the data of interest from Step 1. In the example, each attack vector is defined in a narrative fashion, such as "Attacker gains unauthorized physical access to the laptop, uses forensic tools or other utilities to copy the file (without authenticating to the OS)." This single statement actually conveys three pieces of data: 1) the source of the malicious content, 2) the potentially vulnerable processor of that malicious content, and 3) the nature of the malicious content itself.

Some organizations may prefer a more narrative approach to defining attack vectors because it is easier for others to understand, while others may want a more thorough or technically based approach and therefore wish to use threat consequences and actions as a taxonomy for identifying attack vectors. There are, of course, many other ways to define attack vectors that individual organizations may prefer, because of existing processes and tools or for other reasons. Another factor to consider is the granularity of attack vectors: one organization may only have the resources to consider attack vectors at a very high level, while another may want to dig deep and make the attack vectors as narrow as possible. Organizations may also want to scope their threat modeling to reduce the amount of work. Using Step 2 as an example, an organization can decide to eliminate any attack vectors that are not worth further consideration. For instance, an organization might decide to ignore the attack vectors with the lowest relative likelihood because there are too many other attack vectors to consider.

Similarly, an organization may only be interested (at least initially) in attack vectors that could lead to a complete compromise of confidentiality, integrity, or availability. Another possibility is to eliminate attack vectors for which no feasible mitigation exists. Ideally, an organization should analyze all attack vectors before filtering any of them out (for example, an unlikely attack vector might turn out to be very easy and cheap to mitigate, or a single mitigation might address several attack vectors), but in practice this may not be feasible in some situations.

Of course, an organization can skip any element of the methodology that is irrelevant to its particular situation or environment, and likewise it can add characteristics if other factors are also important to the organization.
