lecture8

lecture8 - Lecture 8: Threat Modeling CS 392/6813: Computer...

Lecture 8: Threat Modeling
CS 392/6813: Computer Security
Fall 2009
Nitesh Saxena
* Adopted from a previous lecture by Nasir Memon

1/30/2006 Lecture 8 - Threat Modeling

Recall the Security Life Cycle
- Threats
- Policy
- Specification
- Design
- Implementation
- Operation and Maintenance

So far, what we have learnt mainly helps us with design, specification and implementation. What about the others? We start with threat analysis/modeling.

Threats, Vulnerabilities and Attacks
- A threat to a system is any potential occurrence, malicious or otherwise, that can have an adverse effect on the assets and resources associated with the system.
- A vulnerability of a system is some characteristic that makes it possible for a threat to occur.
- An attack on a system is some action that involves exploitation of some vulnerability in order to cause an existing threat to occur.

Risk
- Risk: What (adverse) happens if a threat occurs?
- Risk can exist when there is a known issue that increases the attack surface. Risk can also exist when there are non-specific issues, unexplored threat areas, or lack of depth-of-knowledge.
- An essential component of computer security risk analysis and risk management.

Why Threat Modeling
- Helps you understand your application better
- Discover potential design flaws and vulnerabilities
- Prioritize security analysis
- Understand overall security risk
- Develop mitigating strategies
- Provide more complete analysis

Threat Modeling
- Threats and assets are key: vulnerabilities and attacks are only concerns if there is a threat to an asset to be concerned about.
- How do we identify and evaluate threats?
  - Arbitrary Threat or Attack Lists
    - Random and unstructured
    - Dubious completeness
  - Threat Trees or Attack Trees
    - More structured
    - Modular and re-usable
    - Currently favored approach

Threat Modeling
- Start with questions like the following:
  - Who are my potential adversaries?
  - What is their motivation, and what are their goals?
  - How much inside information do they have?
  - How much funding do they have?
  - How averse are they to risk?
  - [Be paranoid: do not underestimate the attacker's capability; also, do not ignore easy/dumb attacks]
- Then enumerate threats by stepping through each of the system's assets, reviewing a list of attack goals for each asset. Assets and threats are closely correlated.

Threat Modeling – main steps
- Understand your system
- Understand what assets/resources need to be protected
- Predict who the potential attackers are against a particular asset and what the possible (known) attacks are
- Perform risk assessment
  - Determine what the expected risk is (quantitative or qualitative) because of an attack
- Perform risk management: employ security mechanisms (mitigation), if needed
  - Determine if they are cost effective
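The main steps above, worked through as an added example that is not part of the original lecture: it steps through each asset and its attack goals, ranks threats by expected loss, and keeps only the cost-effective mitigations. The assets, adversaries, figures and the likelihood x impact risk measure are all constructed assumptions.

```python
from collections import namedtuple

# Constructed sample model: each asset with the attack goals reviewed for it.
ASSETS = {
    "customer database": ["disclosure", "tampering"],
    "web storefront": ["denial of service", "defacement"],
}
# Assumed estimates per (asset, goal): adversary, yearly likelihood, loss in $.
# "defacement" has no estimate on purpose: an unexplored threat area.
ESTIMATES = {
    ("customer database", "disclosure"): ("organized crime", 0.25, 400_000),
    ("customer database", "tampering"): ("insider", 0.125, 80_000),
    ("web storefront", "denial of service"): ("competitor", 0.5, 30_000),
}
# Hypothetical mechanisms: name, asset, goal, yearly cost, likelihood afterwards.
MITIGATIONS = [
    ("encrypt database at rest", "customer database", "disclosure", 20_000, 0.0625),
    ("traffic scrubbing service", "web storefront", "denial of service", 25_000, 0.125),
]
Threat = namedtuple("Threat", "asset goal adversary likelihood impact")

def expected_loss(t):
    """Assumed quantitative risk measure: likelihood x impact."""
    return t.likelihood * t.impact

def assess(assets, estimates):
    """Step through every asset and attack goal; rank what can be estimated."""
    ranked, unassessed = [], []
    for asset, goals in assets.items():
        for goal in goals:
            if (asset, goal) in estimates:
                ranked.append(Threat(asset, goal, *estimates[(asset, goal)]))
            else:
                unassessed.append((asset, goal))  # still a risk, not a zero
    return sorted(ranked, key=expected_loss, reverse=True), unassessed

def cost_effective(threats, mitigations):
    """Keep mechanisms whose yearly risk reduction exceeds their yearly cost."""
    by_key = {(t.asset, t.goal): t for t in threats}
    chosen = []
    for name, asset, goal, cost, residual in mitigations:
        t = by_key.get((asset, goal))
        if t is not None and (t.likelihood - residual) * t.impact > cost:
            chosen.append(name)
    return chosen

if __name__ == "__main__":
    ranked, unassessed = assess(ASSETS, ESTIMATES)
    print(ranked, unassessed, cost_effective(ranked, MITIGATIONS), sep="\n")
```

Threats without an estimate are reported separately instead of being scored as zero, matching the point that risk also exists in unexplored threat areas.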