Threat Modeling

Question 1

What are the basic steps to threat modeling?

Answer 1

1. Identify objects in the system under consideration
2. Identify flows between objects
3. Identify assets of interest
4. Identify system weaknesses and vulnerabilities
5. Identify threats
6. Determine exploitability

Question 2

During threat modeling what is expected when identifying objects in the system under consideration?

Answer 2

• Elements, data stores, external entities of the system
• Actors present and associated with the system

Question 3

When identifying flows between objects in system under consideration what is expected?

Answer 3

• Flows between elements, data stores, external entities of the system
• Meta data about the flows e.g., protocols, directionality, data classification and sensitivity

Question 4

When identifying ‘assets of interest’ what is expected?

Answer 4

• Relevant or interesting assets that are held by objects or communicated by flows between objects

Question 5

When are some examples of assets held by objects or communicated between objects?

Answer 5

• Data internal or external to the application such as control flags or configuration settings
• Data related to the function of the application such as user data

Question 6

When identifying identifying system weaknesses and vulnerabilities in system under consideration, when threat modeling, what is expected?

Answer 6

• Understand how assets of interest may be impacted based on characteristics of system objects and flows

Question 7

What are examples of how ‘assets of interest’ may be impacted based on characteristics of objects and flows?

Answer 7

• Confidentiality of assets
• Integrity of assets
• Availability of assets
• Privacy of assets
• Safety of assets

Question 8

When threat modeling what is expected when identifying threats?

Answer 8

• associate vulnerabilities against the systems assets with threat actors to determine how likely each vulnerability is going to be exploited

Question 9

When threat modeling what is expected when determining ‘exploitability’?

Answer 9

• Identify paths through the system an attacker may use to cause an impact against one or more assets

Question 10

When threat modeling what are you looking for in a System Model?

Answer 10

• Means and opportunities available to attackers of the system

Question 11

When threat modeling what are you looking for in a System Model?

Answer 11

• Means and opportunities available to attackers of the system

Question 12

What are common areas of concerned to be aware of in system models?

Answer 12

• any non secure protocol
• any process or data store without authentication
• any process that fails to authorize access to critical functionality or assets
• any process with missing logging
• sensitive assets in plan text
• sensitive data assets without integrity controls
• incorrect use of cryptography
• communication paths transiting a trust boundary

Question 13

What is meant by a ‘trust boundary’?

Answer 13

• it’s a collection of components where each component is considered trustworthy within the collection

Question 14

What steps should be taken with data that moves across a ‘trust boundary’?

Answer 14

• Measures must be taken to ensure trustworthiness, integrity, and confidentiality of the data

Question 15

Regarding the use of Hashing - What are key indicators of security problems?

Answer 15

• Hashing information that needs to be read in it’s original form

Question 16

Regarding the use of symmetric encryption algorithms - What is a key indicator of security concern?

Answer 16

• The encryption key resides on the same component as the data

Question 17

Regarding the use of random number generators - What is a key indicator of security concern?

Answer 17

• Using random number generators that aren’t cryptographically secure

Question 18

Regarding the choice of an encryption algorithm - What is a key indicator of security concern?

Answer 18

• Using your own homegrown cryptographic algorithm

Question 19

What is important to ensure integrity controls for sensitive assets?

Answer 19

• Have tamper evidence or resistance for the assets

Question 20

What is typical example of tamper evidence?

Answer 20

• Have sufficient logging when modifications are made to assets or data

Question 21

What are techniques to verify the integrity of data?

Answer 21

• Generate digital signatures and cryptographic hashing algorithms to preform integrity checks against the data to determine if it’s been changed

Question 22

Why is logging an important security consideration?

Answer 22

• Logging provides traceability so attempts by adversaries to take advantage of vulnerabilities can be identified
• Also proper behavior can be audited at a later time.

Question 23

What shouldn’t you expect from a System Model?

Answer 23

• To be able to detect flaws in implementation, developer choice, language

Question 24

What constitutes a good threat model?

Answer 24

• One that produces valid findings

Question 25

What constitutes a valid finding in a threat model?

Answer 25

• It is a conclusion, an observation, or a deduction about the security state of your system

Question 26

What are positive characteristics of a valid finding in a threat model?

Answer 26

• Timely and relevant and translates into actions that can allow you to mitigate vulnerabilities

Question 27

What questions should a thread modeling methodology help you answer?

Answer 27

• What are we working on?
• What could go wrong?
• What are we going to do about it?
• Did we do a good job?

Question 28

In thread modeling what are 3 approaches that clearly highlight threats that may be in the system?

Answer 28

• System-centric approach
• Attacker-centric approach
• Asset-centric approach

Question 29

Describe the system-centric approach for thread modeling?

Answer 29

• Considers the system and it’s decomposition into it’s functional parts together with how they interact.
• Also includes external actors and elements that interface with the system and it’s components

Question 30

When using the system-centric approach for thread modeling what is the output?

Answer 30

• data flow diagrams(dfd’s) that show how data goes through the system during it’s operation

Question 31

What are other ways a ‘system-centric approach’ for thread modeling is referred to?

Answer 31

• architecture or design centric approach

Question 32

Describe the attacker-centric approach for thread modeling?

Answer 32

• Modeler adopts the point of view of the attacker to act on their motivation to reach their goals

Question 33

What modeling approach is used when using the attacker-centric approach for threat modeling?

Answer 33

• Attack trees, threat catalogs and lists to identify entry points in the system

Question 34

Describe the asset-centric approach for thread modeling?

Answer 34

• Focuses on important assets that should be defended by understanding threats that may be relevant

Question 35

When using the system-centric approach for thread modeling what is the output?

Answer 35

• data flow diagrams(dfd’s) that show how data goes through the system during it’s operation

Question 36

When using the system-centric approach for thread modeling what is the output?

Answer 36

• data flow diagrams(dfd’s) that show how data goes through the system during it’s operation

Question 37

What does STRIDE stand for?

Answer 37

• (S)poofing
• (T)ampering
• (R)epudiation
• (I)nformation disclosure
• (D)enial of service
• (E)levation of priviledge

Question 38

In the STRIDE model what is spoofing?

Answer 38

• Implies an attacker can mimic the identity of an element(e.g., another process, system or user) of the system

Question 39

In the STRIDE model what is tampering?

Answer 39

• impact of integrity by causing changes to the data or functionality of the system

Question 40

In the STRIDE model what is repudiation?

Answer 40

• An aspect of trust imparted by the system that asserts with full confidence that an operation was performed by the actor who declares having performed it.

Question 41

How does an attacker make use of repudiation?

Answer 41

• The attacker negates that certain operations took place and/or were initiated by the actor in question

Question 42

In the STRIDE model what is information disclosure?

Answer 42

• Restricted information is leaked outside it’s assigned trust boundaries threatening the systems confidentiality

Question 43

In the STRIDE model what is denial of service?

Answer 43

• Use of the system is affected due to its availability being compromised or it’s performance is degraded

Question 44

In the STRIDE model what is ‘elevation of privilege’?

Answer 44

• an attacker gains a higher level of privilege then they normally would be granted

Question 45

What is the purpose of STRIDE per element?

Answer 45

• It adds structure to address the lack of constraints by observing that some elements are more susceptible to specific threats than others

Question 46

What is STRIDE per element?

Answer 46

• It is less open ended then STRIDE and focuses the analysis of possible threats by limiting the set of attacks that target specific classes of elements

Question 47

What are the disadvantages of STRIDE per element?

Answer 47

• It is less open ended then STRIDE
• Threat models aren’t additive

Question 48

What is STRIDE per interaction?

Answer 48

• Focuses on identifying threats as a function of the interaction between two elements in a model

Question 49

What is STRIDE per interaction?

Answer 49

• Focuses on identifying threats as a function of the interaction between two elements in a model