01 Dive In and Threat Model

Question 1

Why do we threat model?

Answer 1

Threat modeling is about using models to find security problems. Using a model means abstracting away a lot of details to provide a look at a bigger picture, rather than the code itself.

You model because it enables you to find issues in things you haven’t built yet, and because it enables you to catch a problem before it starts. Lastly, you threat model as a way to anticipate the threats that could affect you.

Question 2

What are the four key questions to threat model?

Answer 2

Four key questions are:
1. What are you building?
2. What can go wrong?
3. What should you do about the things that can go wrong?
4. Did you do a decent job of analysis?

Question 3

What are the four activities of threat modeling?

Answer 3

1. Building a diagram
2. Finding threats
3. Addressing them
4. Checking your work

Question 4

Which is the most important diagram in threat modeling?

Answer 4

Data flow diagram

Question 5

How can you improve a diagram?

Answer 5

A simple way to improve the diagram is to add boundaries. Adding boundaries shows who controls what.

These boundaries are called trust boundaries. You should draw boundaries wherever different people control different things.

Question 6

What are some examples of trust boundaries?

Answer 6

1. Account (UIDs on unix system, or SIDS on windows)
2. Network interfaces
3. Different physical computers
4. Virtual machines
5. Organizational boundaries
6. Almost anywhere you can argue for different privileges

Question 7

What is an attack surface?

Answer 7

An attack surface is a trust boundary and a direction from which an attacker could launch an attack.

Question 8

What is the purpose of labeling your diagram?

Answer 8

As the diagram gets larger and more complex, it becomes easy to miss a part of it, or to become confused by labels on the data flows. Therefore, it can be very helpful to number each process, data flow, and data store in the diagram.

Question 9

What does STRIDE stand for?

Answer 9

STRIDE stands for:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 10

What is Spoofing?

Answer 10

Spoofing is pretending to be something or someone you’re not.

Question 11

What is Tampering?

Answer 11

Tampering is modifying something you’re not supposed to modify. It can include packets on the wire/wireless, bits on disk, or the bits in memory.

Question 12

What is Repudiation?

Answer 12

Repudiation means claiming you didn’t so something (regardless of whether you did or not).

Question 13

What is Information Disclosure?

Answer 13

Information Disclosure is about exposing information to people who are not authorized to see it.

Question 14

What is Denial of Service?

Answer 14

Denial of Service are attacks designed to prevent a system from providing service, including by crashing it, making it unusably slow, or filling all its storage.

Question 15

What is Elevation of Privilege?

Answer 15

Elevation of Privilege is when a program or user is technically able to do things that they’re not supposed to do.

Question 16

What are a few tips to keep in mind that helps in identifying threats?

Answer 16

1. Start with external entities.
2. Never ignore a threat because it’s not what you’re looking for right now.
3. Focus on feasible threats.

Question 17

What are the four actions you can take against each threat?

Answer 17

1. Mitigate it
2. Eliminate it
3. Transfer it
4. Accept it

Question 18

What is mitigating threats?

Answer 18

Mitigating threats is about doing things to make it harder to take advantage of a threat.

Question 19

What is eliminating threats?

Answer 19

Eliminating threats is almost always achieved by eliminating features.

Question 20

What is transferring threats?

Answer 20

Transferring threats is about letting someone or something else handle the risk.

Question 21

What is accepting the risk?

Answer 21

Accepting the risk is the final approach to addressing threats.

Question 22

What are the mitigation strategy and technique for addressing “spoofing of a person”?

Answer 22

Mitigation strategy:
* Identification and authentication (usernames and something you know/have/are)

Mitigation technique:
* Username, real names, or other identifiers (Password, tokens, biometrics)
* Enrollment/maintenance expiry

Question 23

What are the mitigation strategy and technique for addressing “spoofing a file on disk”?

Answer 23

Mitigation strategy:
* Leverage the OS

Mitigation technique:
* Full paths, Checking ACLs, Ensuring that pipes are created properly
—
Mitigation strategy:
* Cryptographic authenticators

Mitigation technique:
* Digital signatures or authenticators

Question 24

What are the mitigation strategy and technique for addressing “spoofing a network address”?

Answer 24

Mitigation strategy:
* Cryptographic

Mitigation technique:
* DNSSEC, HTTPS/SSL, IPSec

Question 25

What are the mitigation strategy and technique for addressing “spoofing a program in memory”?

Answer 25

Mitigation strategy:
* Leverage the OS

Mitigation technique:
* Many modern operating systems have some form of application identifier that the OS will enforce