Threat Model

Risk Management in Secure Electronic Commerce

Four Phases of Risk Management

  1. Assessment:
        - Identify and evaluate assets, potential threats, and existing vulnerabilities.

  2. Planning:
        - Define security policies and objectives.
        - Determine what needs to be protected and why.

  3. Implementation:
        - Select and deploy appropriate security technologies and mechanisms.
        - Define how the policies will be enforced.

  4. Monitoring & Review:
        - Continuously monitor the effectiveness of security measures.
        - Identify successful strategies, detect failures, and adjust as needed to respond to evolving threats.

Measuring the Threat or Evaluating the Risk of Insecure Systems

  • Two primary approaches for assessing risks:

  1. Analysis of Historical Risk:
        - Review past incidents to understand attack types and impacts.
        - Consider the financial and operational impact of previous breaches.

  2. Assessment of Potential Future Attacks:
        - Evaluate emerging threats and trends in cybersecurity.
        - Examine current security positions of existing systems to identify vulnerabilities.

Risk Management Model

  • Countermeasures Defined:
        - Physical or logical procedures implemented to detect, reduce, or eliminate a threat.

  • Key Strategy:
        - Select countermeasures based on the likelihood and consequences of an event, leading to strategies such as:
            - Prevention: Application security, access control, network-level protections (e.g., IPS, WAF).
            - Mitigation: Control and containment measures.
            - Transfer: Use of insurance or backup plans.
            - Acceptance: Ignoring certain risks.

Common Mistakes in Security Risk Management

  1. Underestimating the Value of Information:
        - Inadequate protection due to failure to recognize the value of data and records.

  2. Defining Security Boundaries Too Narrowly:
        - Ignoring broader systems like supply chains and third-party services.

  3. Reactive Security Management:
        - Focusing responses only after the fact instead of proactive strategies.

  4. Outdated Practices:
        - Reliance on obsolete tools does not address modern threats.

  5. Poor Communication of Responsibilities:
        - Lack of clear roles leads to inconsistencies in applying security measures.

Recap: Risk Management

  • Definition and Objective:
        - Systematic process of identifying, assessing, and prioritizing risks, aiming to reduce them to an acceptable level.

  • Typical Process Involves:
        1. Identifying potential risks.
        2. Assessing risk likelihood and impact.
        3. Prioritizing risks based on severity and likelihood.
        4. Implementing risk controls: technical, procedural, or training.
        5. Monitoring and reviewing ongoing effectiveness.

Threat Modeling Overview

  • Definition:
        - Process assessing security risks from an adversary's perspective to identify potential threats and appropriate controls.

  • Purpose and Goals:
        - Understand threats early in analysis.
        - Guide system design and security implementations.

Threat Modeling Process

A. Understand Adversary’s Perspective:
   - Simulate attacks using techniques like penetration testing and red teaming.
B. Characterize System’s Security Position:
   - Identify assets, entry points, trust boundaries, and data flows.
C. Evaluate Threats:
   - Identify and categorize threats; use models like STRIDE for threat identification.
   - Estimate risk likelihood and impact using frameworks like DREAD.

System Assets, Entry Points, and Trust Levels

  1. Identifying System Assets:
        - Valuable resources to protect include user credentials, personal information, network bandwidth, and organizational reputation.

  2. Discovering Entry Points:
       - Locations where data or control exchanges occur; common vectors include network sockets, web forms, and APIs.    - Potential Backdoor Entry Points:
            - Vulnerable services, malware, or misconfigurations.
            - Importance of examining neglected entry points.

  3. Trust Levels and Resource Access:
       - Define privilege levels for users and systems, implementing access control and least privilege principles.

    • Monitor activates from high-trust users. (Admin, DB admin, Web admins)

Coding to a Threat Model

  • Definition:
        - Structured approach for identifying, analyzing, and countering security threats.

  • Benefits:
        1. Identify critical application areas.
        2. Prioritize security efforts and ongoing code reviews.
        3. Determine appropriate defense mechanisms.

Risk Calculation Models

  1. RPD Model:
        - Risk exposure = Probability x Damage.

  2. DREAD Framework:
        - Use scoring to evaluate:
            - Damage: Potential harm from exploitation.
            - Reproducibility: Ease of reproducing the attack.
            - Exploitability: Complexity for attack execution.
            - Affected users: Number of users potentially impacted.
            - Discoverability: Ease of discovering the vulnerability.    - Example vulnerabilities and their DREAD scoring provide actionable insights for prioritizing threats.

Additional Methodologies and Tools

  • Common Attack Pattern Enumeration and Classification (CAPEC):
        - A classification taxonomy aiding in identifying methodologies linked to vulnerabilities.

  • Intel’s Threat Agent Risk Assessment (TARA):
        - Focused on identifying attack vectors for secure development.
        - Assessment steps include measuring current threats and assessing agent capabilities.

  • Process for Attack Simulation and Threat Analysis (PASTA):
        - A risk-centric, attacker-centric methodology for creating effective security countermeasures.

Conclusion

  • Achieving Security:
        - Use of cryptography, secure networks, antivirus software, firewalls, and promoting safe computing practices to reduce risks in electronic commerce.