Threat modeling Flashcards

1
Q

What is threat modeling?

A

Looking at the vulnerability landscape of a system, and the ways to attack it.

Look at a system from an adversary’s perspective to anticipate attack goals.

2
Q

Why do we use threat modeling? (4)

A

Understand and document a system’s threat environment

Discover weaknesses

How to spend the security budget

To retrospect: how was my system attacked?

3
Q

Name a principle in threat modeling.

A

The outcomes of threat modeling are meaningful when they are of value to stakeholders

4
Q

When in the trustworthy computing security development lifecycle does threat modelling happen?

A

Security training
Security kickoff & register with SWI
Security design best practices
Security architecture & attack surface review
[Threat modeling]

5
Q

What is the flow of agile threat modeling?

A

Project inception: Look at high level threats

Requirements planning: Threats with highest impact

Sprint planning: Where are the threats

Sprint execution: Develop, update and complete

Final release planning: Complete models

6
Q

What are important principles in agile threat modeling?

A

Continuous refinement over a single delivery

Early and frequent analysis

Must align with an organization’s development practices

7
Q

What 4 key questions are asked when doing threat modeling?

A
  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?
8
Q

What is the output of threat modeling?

A

Known threats to a system

9
Q

What do we use the result of threat modeling for?

A

The result informs decisions that you might make in subsequent design, development, testing and post-deployment phases.

10
Q

What two guidelines does the threat model manifesto identify?

A

Values
Principles

11
Q

What is a value in threat modeling?

A

Something that has relative worth or importance.

12
Q

What are principles in threat modeling?

A

They describe the fundamental truths of threat modeling.

13
Q

What are the 3 types of principles in threat modeling?

A
  1. Fundamental, primary, or general truths that enable successful threat modeling
  2. Patterns that are highly recommended
  3. Anti-patterns that should be avoided
14
Q

Name 5 values in threat modeling

A

A culture of finding and fixing design issues over checkbox compliance

People and collaboration over processes, methodologies and tools

A journey of understanding over a security or privacy snapshot

Doing threat modeling over talking about it

Continuous refinement over a single delivery

15
Q

Name 4 principles of threat modeling

A

Frequent and early analysis to improve the security and privacy of a system

Align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system

Outcomes are meaningful when they are of value to stakeholders

Dialog is key to establishing the common understandings, while documents record those understandings and enable measurement

16
Q

Name 5 patterns that benefit threat modeling

A

Systematic approach

Informed creativity

Varied viewpoints

Useful toolkit

Theory into practice

17
Q

Describe the pattern: Systematic approach

A

Apply security and privacy knowledge in a structured manner

18
Q

Describe the pattern: Informed creativity

A

Allow for creativity by including both craft and science

19
Q

Describe the pattern: Varied viewpoints

A

Diverse team with appropriate subject matter experts

Cross-functional collaboration

20
Q

Describe the pattern: Useful toolkit

A

Use tools that:
- increase productivity
- enhance workflows
- enable repeatability
- provide measurability

21
Q

Describe the pattern: Theory into practice

A

Use field-tested techniques and be informed of the benefits and limits of these

22
Q

Name 4 anti-patterns that inhibit threat modeling

A

Hero threat modeller

Admiration for the problem

Tendency to overfocus

Perfect representation

23
Q

What is the anti-pattern: Hero threat modeller

A

Threat modeling does not depend on one’s innate ability or unique mindset; everyone can and should do it

24
Q

What is the anti-pattern: Admiration for the problem

A

Go beyond just analyzing the problem; reach for practical and relevant solutions

25
Q

What is the anti-pattern: Tendency to overfocus

A

Do not lose sight of the big picture, as parts of a model may be interdependent. Avoid exaggerating attention on adversaries, assets or techniques.

26
Q

What is the anti-pattern: Perfect representation

A

It is better to create multiple threat modeling representations. Additional representations may illuminate different problems.

27
Q

What are attacker-centric threat models?

A

They focus on identifying likely opponents, what capabilities they have and what their motivation is.

28
Q

What are some attributes of threat agents?

A

- Skillset
- Motivation
- Resources (in regards to costs of computation and such)

29
Q

Name types of threat agents (8)

A

- Spooks: undercover, intelligence officers
- Crooks: cyber criminals
- Government cyber warriors: engaged in real-world missions protecting army networks, data, weapon systems, etc.
- Geeks
- Terrorists
- CEO criminals
- The swamps
- Insiders

30
Q

What information is documented about threat agents during threat modelling? (4)

A

- The actor
- Opportunity
- Means assessment (what resources and knowledge do they have)
- Motivation (intent)

Each category gets a weight value, and the average of these values is then taken.

31
Q

What are software-centric threat models?

A

They focus on the software being built or deployed.

32
Q

What pattern is used in software-centric models?

A

Systematic approach

33
Q

Name the 6 steps of software-centric modeling

A
  1. Identify critical assets
  2. Decompose the system to be assessed
  3. Identify possible points of attack
  4. Identify threats
  5. Categorise and prioritise the threats
  6. Mitigate

34
Q

What is STRIDE?

A

A mnemonic for things that go wrong in security:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- DoS (denial of service)
- Elevation of privilege

35
Q

What is spoofing?

A

Pretending to be someone you're not.

Examples: fake websites, emails, CSRF, GPS, IP, DNS, deepfakes

36
Q

What is tampering?

A

Unauthorized modification of: forms, URLs, files, databases, memory, network data

37
Q

What is repudiation?

A

Claiming you didn't do something, regardless of whether or not you did.

Examples: claiming a message was not received/sent, using someone else's account, attacking the logs

38
Q

What is information disclosure?

A

Unauthorized exposure of information.

Examples: data theft, eavesdropping, system/API info

39
Q

What is DoS?

A

Attacks preventing a system from providing its service.

Examples: network flooding, crashing software, making systems slow, filling storage

40
Q

What is elevation of privilege?

A

A user gets access to information or actions they are not supposed to have.

Examples: XSS, buffer overflow, injection attacks, modifying access control, social engineering

41
Q

Name 4 levels of threat details from abstract to detailed

A
  1. STRIDE
  2. OWASP Top 10
  3. CAPEC
  4. Checklists

42
Q

What are misuse cases?

A

- Extend UML use cases
- High-level negative scenarios
- Easy to grasp by different stakeholders

43
Q

Give an example of a misuse case diagram

A

Actors:
- User
- Developer

Malicious actor:
- Attacker

Use case: Post blog
- Actor: User
- <>: Improper input validation

Use case: Sanitize input
- Actor: Dev
- <>: Inject malicious content

Misuse case: Inject malicious content
- Actor: Attacker
- <>: Post blog
- <>: Improper input validation

44
Q

What are attack trees?

A

- Possible ways of achieving an attack goal
- Tree structure with AND/OR nodes
- Nodes are the ways/actions that need to be done to achieve the goal
- Root node: the goal

45
Q

What are attack-defense trees?

A

Attack trees with additional defense nodes added.

46
Q

Name examples of attack tree attributes

A

- Cost
- Detectability
- Difficulty
- Impact
- Penalty
- Profit
- Probability
- Special skill
- Time

47
Q

What is a bow tie diagram?

A

- Models a single unwanted event at a time
- Shows the different causes/threats leading to the unwanted event
- Shows the different consequences once the event has happened
- Pictures preventive/reactive controls

In the shape of a bow tie:
- Left side: before the event
- Middle: the event
- Right side: after the event

48
Q

What can controls be in a bow tie diagram?

A

Exam example:

Preventive controls:
- Lock cabinet
- Use guards

Reactive controls:
- Switch to paper

49
Q

What can the hazard be in a bow tie diagram?

A

Exam example: Digital exam

50
Q

What can the unwanted event be in a bow tie diagram?

A

Exam example: Disrupt exam, cheating during exam

51
Q

What can the assets be in a bow tie diagram?

A

Exam example:
- Software
- Network
- Premises
- Answers

52
Q

What can the consequences be in a bow tie diagram?

A

Exam example: Computers not working, you're expelled

53
Q

What is a data flow diagram?

A

- Shows how data flows between subsystems
- Used to find the attack surface and critical components
- Shows trust/privilege boundaries

54
Q

Give an example of a data flow diagram

A

External entity -> (data flow) -> process -> [--- trust boundary ---] -> data store