Threat model

In computer security, the term threat modeling has two distinct but related meanings. The first is a description of the security issues the designer cares about; this is the sense of the question, "What is the threat model for DNSSec?" In the second sense, a threat model is a description of a set of security aspects; that is, when looking at a piece of software (or any computer system), one can define a threat model by defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system, so that each model covers a narrower set of possible attacks to focus on. Having a threat model, you can assess the probability, the potential harm, the priority, etc. of attacks, and from that point try to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft's SDL (Security Development Lifecycle) process. [http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/] The two senses derive from common military uses in the United States and the United Kingdom.

Threat modeling is based on the notion that any system or organization has assets of value worth protecting; these assets have certain vulnerabilities, internal or external threats exploit those vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures exist that mitigate the threats.

Approaches to Threat Modeling

There are at least three general approaches to threat modeling:

Attacker-Centric

Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to watch this DVD on his Linux system." This approach usually starts from either entry points or assets.

Software-Centric

Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.

Asset-Centric

Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information.

Example threat modeling approach

Threat modeling has changed in recent times (around 2004) to take on a more defensive perspective rather than an adversarial perspective. The problem with an adversarial perspective is that it is reactive.

When you adopt an adversarial perspective, you examine software applications, or any system, by trying to find holes in it and ways those holes might be exploited. Techniques that are often used in an adversarial approach are penetration testing (white box and black box) and code review. While these are valuable techniques for discovering potential problems, the flaw is that you can only use them once the software has been written.

This means that if you discover any security related problems, you have to rework and re-write your code. This is very expensive in terms of both time and money.

Security bugs have a much larger impact than functionality bugs. Since code around security usually touches every portion of the application, the 'ripple effect' makes the cost exponentially more expensive than functionality bugs.

Current threat modeling takes on a defender's perspective. This means that threats are examined and countermeasures, or mitigations, are identified at the design stage of the application, before any code is written. This way the defensive mechanisms are built into the code as it is written rather than patched in later. This is much more cost effective and has the added benefit of increasing security awareness in the development team. However, the disadvantage is that not all threats can be identified unless the code is trivially simple, and threat modeling from a defender's perspective will often cause the development team to falsely believe that the code is secure.

A general high-level overview of the common steps in defensive-perspective threat modeling is:
* Define the application requirements:
** Identify business objectives
** Identify user roles that will interact with the application
** Identify the data the application will manipulate
** Identify the use cases for operating on that data that the application will facilitate

* Model the application architecture
** Model the components of the application
** Model the service roles that the components will act under
** Model any external dependencies
** Model the calls from roles, to components and eventually to the data store for each use case as identified above

* Identify any threats to the confidentiality, availability and integrity of the data and the application based on the data access control matrix that your application should be enforcing
* Assign risk values and determine the risk responses
* Determine the countermeasures to implement based on your chosen risk responses
* Continually update the threat model based on the emerging security landscape.
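The steps above, carried through for a small constructed example (added here; not code from the original article or from any threat modeling tool): user roles, data items and a data access control matrix are declared, every (role, data, operation) the matrix does not permit is recorded as a threat to confidentiality or integrity, a risk value is assigned, and a risk response with a countermeasure is chosen. The payroll roles, the impact and likelihood scores, the risk threshold and the countermeasure catalogue are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample: data access control matrix for a hypothetical payroll app.
# Key is (role, data item); value is the set of operations that role may perform.
ACCESS_MATRIX = {
    ("employee", "own_salary"): {"read"},
    ("payroll_admin", "own_salary"): {"read", "write"},
    ("payroll_admin", "all_salaries"): {"read", "write"},
    ("auditor", "all_salaries"): {"read"},
}
ROLES = ["anonymous", "employee", "payroll_admin", "auditor"]
DATA = ["own_salary", "all_salaries"]
# Assumed impact of a breach per data item (1 = low, 3 = high).
IMPACT = {"own_salary": 2, "all_salaries": 3}
# Assumed likelihood that a role attempts an operation it is not entitled to (1..3).
LIKELIHOOD = {"anonymous": 3, "employee": 2, "payroll_admin": 1, "auditor": 1}
# Assumed countermeasure catalogue, keyed by the security property under threat.
COUNTERMEASURES = {
    "confidentiality": "server-side authorization check; encrypt data at rest",
    "integrity": "server-side authorization check; audit log of writes",
}

@dataclass(frozen=True)
class Threat:
    role: str
    data: str
    operation: str
    prop: str           # security property the threat violates
    risk: int           # likelihood * impact
    response: str       # "mitigate" or "accept"
    countermeasure: str

def identify_threats(matrix=ACCESS_MATRIX, roles=ROLES, data=DATA, ops=("read", "write")):
    """Every (role, data, op) the matrix does NOT permit is an access the application
    must be able to refuse; each one is recorded as a threat with a risk value."""
    threats = []
    for role, item, op in product(roles, data, ops):
        if op in matrix.get((role, item), set()):
            continue  # permitted by design, so not a threat
        prop = "confidentiality" if op == "read" else "integrity"
        risk = LIKELIHOOD[role] * IMPACT[item]
        response = "mitigate" if risk >= 4 else "accept"   # assumed threshold
        cm = COUNTERMEASURES[prop] if response == "mitigate" else "none (monitor only)"
        threats.append(Threat(role, item, op, prop, risk, response, cm))
    return sorted(threats, key=lambda t: -t.risk)  # highest risk first

def top_risks(n=3):
    """Return the n highest-risk threats as (role, data, operation, risk) tuples."""
    return [(t.role, t.data, t.operation, t.risk) for t in identify_threats()[:n]]
```

Re-running `identify_threats()` after a change to the matrix or the scores is the "continually update" step: the threat list and the countermeasures follow the design rather than the code.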

See also

* — Types of computer security vulnerabilities and attacks
* Application security
* Computer insecurity
* Computer security
* Data security
* Economics of security
* Information assurance
* Information security
* Network security
* Risk assessment
* Risk management
* Security engineering
* Software architecture
* Software Security Assurance
* STRIDE (security)

External links

* [http://blogs.msdn.com/threatmodeling Microsoft's Application Consulting & Engineering Team's Threat Modeling Blog]
* [http://www.rockyh.net/Posts/Post.aspx?postId=c85d6411-3eb8-4f26-9213-cbd735d01979 RockyH.net Threat Modeling v2]
* [http://blogs.msdn.com/sdl/ Microsoft's Security Development Lifecycle Blog]
* [http://msdn2.microsoft.com/en-us/security/default.aspx Microsoft's Security Developer Center]
* [http://www.projects.ncassr.org/threatmodeling/ Threat modeling research page], National Center for Supercomputing Applications
* [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx Uncover Security Design Flaws Using The STRIDE Approach], Shawn Hernan, Scott Lambert, Tomasz Ostwald and Adam Shostack
* [http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/ A Look Inside the Security Development Lifecycle at Microsoft], Michael Howard, November 2005
* [http://www.owasp.org/index.php/Threat_Risk_Modeling Threat Modeling from OWASP]
* [http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)], Peter Torr blog entry


Wikimedia Foundation. 2010.