Threat Modeling / Risk Analysis
Santhosh Kumar Edukulla
santhoshedukulla@apache.org
Agenda
• Terminologies
• Understand Risk
• Risk Assessment Process
• Q && A
Information Security Principle
• CIA Triad: Confidentiality, Integrity and Availability
Which is more “Risky”?
• In a lone forest area, waking up in front of a tiger, or in a lone forest area, sleeping in front of a lion?
• Going on a solo holiday trip to Kandahar in Afghanistan, or to Aleppo in Syria?
• Giving your wife a debit card, or a credit card, for shopping?
Few Key Terms
• Asset and its criticality (the asset itself is identified by a CPE name, e.g. cpe:/a:microsoft:sql_server:8.0.6001:beta)
• Vulnerability (identified by a CVE ID, e.g. CVE-2014-100009)
• Threat (CWE catalogs the weakness classes that threats exploit)
• Exposure
• Likelihood
• Countermeasure / Security Controls
• Risk (Risk Acceptance, Risk Rating, Risk Value / Risk Score, Residual Risk, Risk Register, Risk Management etc.). A CVSS base score (e.g. 5.5) rates the severity of a single vulnerability; it is one input to risk, not the risk itself.
• Standards used throughout: CVE, CPE, CWE, CVSS, XCCDF, OVAL
Risk Function
• Risk = f(A, V, T, C, P, P..)
• In simple terms, Risk = Likelihood * Severity
• Vulnerability -> Threat (1-to-m mapping: one vulnerability can be realised by many threats)
• Risk can be measured quantitatively or qualitatively, e.g. by assigning weights and numeric values to each factor and reading the product off a matrix.
• Note: Risk is not “certain”. It is “probabilistic” and “objective”.
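The formula above, carried through in code, as an added example that is not part of the original deck. The two 1..5 ordinal scales, the RED/Orange/Blue band thresholds, the rule that a control removes a fixed number of likelihood steps, and the two register items are all constructed assumptions chosen to show the quantitative and qualitative views side by side, plus residual risk after countermeasures.

```python
"""Risk = Likelihood * Severity, scored quantitatively and qualitatively.

Added example, not code from the deck. The 1..5 ordinal scales, the
RED/Orange/Blue band thresholds and the sample risk items below are
constructed assumptions chosen to illustrate the formula.
"""
from dataclasses import dataclass, field

# Ordinal scales: the numeric weights are an assumption of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass
class RiskItem:
    asset: str
    vulnerability: str
    threats: list                  # one vulnerability, many threats (1-to-m)
    likelihood: str                # key of LIKELIHOOD
    severity: str                  # key of SEVERITY
    controls: list = field(default_factory=list)  # (control name, likelihood steps removed)


def risk_score(likelihood: str, severity: str) -> int:
    """Quantitative view: product of the two ordinal scores, range 1..25."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_band(score: int) -> str:
    """Qualitative view: the colour band of a 5x5 heat map (thresholds assumed)."""
    if score >= 15:
        return "RED"
    if score >= 8:
        return "Orange"
    return "Blue"


def residual_score(item: RiskItem) -> int:
    """Residual risk after countermeasures: each control lowers the likelihood
    by the stated number of steps, never below 1. Severity is left unchanged,
    since the controls modelled here are preventive, not impact-reducing."""
    level = LIKELIHOOD[item.likelihood]
    for _name, steps in item.controls:
        level = max(1, level - steps)
    return level * SEVERITY[item.severity]


def rate(item: RiskItem) -> dict:
    """One register row: inherent and residual score with their bands,
    listing every threat that can realise the vulnerability."""
    inherent = risk_score(item.likelihood, item.severity)
    residual = residual_score(item)
    return {
        "asset": item.asset,
        "vulnerability": item.vulnerability,
        "threats": list(item.threats),
        "inherent": inherent, "inherent_band": risk_band(inherent),
        "residual": residual, "residual_band": risk_band(residual),
        "accept": risk_band(residual) == "Blue",   # assumed acceptance criterion
    }


# Constructed sample register for a hypothetical system (not real findings).
REGISTER = [
    RiskItem("Customer DB", "backups stored unencrypted",
             ["insider copies backup media", "stolen backup tape read offline"],
             "likely", "major",
             controls=[("encrypt backups at rest", 2), ("restrict media access", 1)]),
    RiskItem("Web server", "verbose error pages",
             ["attacker learns framework version"],
             "almost certain", "minor",
             controls=[("generic error page", 3)]),
]


def rated_register() -> list:
    """Rows sorted by inherent score, highest first."""
    return sorted((rate(i) for i in REGISTER), key=lambda r: r["inherent"], reverse=True)


if __name__ == "__main__":
    for row in rated_register():
        print(f'{row["asset"]:12} {row["inherent"]:>2} {row["inherent_band"]:6} '
              f'-> residual {row["residual"]:>2} {row["residual_band"]:6} '
              f'accept={row["accept"]}')
```

The same 5x5 product drives both views: the number feeds the quantitative score, the band is what a stakeholder reads off the heat map. Note that the controls only move the row left on the matrix (lower likelihood); a control that limits blast radius would instead lower the severity term.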
Questions?
• Latitude : -33.8718406
Longitude : 151.2082923
• RFC : rfc2616
• What does “Allium Cepa” mean?
EX: Client Server App Risk Assessment
• Decompose the solution.
• Identify client-side threats.
• Identify server-side threats.
• Identify interactions (data and control flows) and their threats.
• Identify the storage mechanisms involved and their threats.
• Identify the different actors/users involved and their threats.
Client <-> Server <-> DB
Risk Classifications
• Application/Software security (Client, Server, Interactions, Data, Transport, Authentication etc.)
• Infrastructure security (Deployment Security Controls)
• Process, Business, Documentation, Legal security (Licenses, Data theft etc.)
Risk Assessment Process
• An iterative, document-oriented process of audit and analysis.
1. Identify risk goals and objectives.
2. Identify team members and stakeholders.
3. Tag the application based upon criticality: RED / Orange / Blue.
4. Decompose the application: break it down into its components and their interactions (internal and external).
5. Identify the data and control flows.
6. Identify vulnerabilities and threats.
7. Follow a template of your choice for noting down vulnerability, threat and countermeasure items.
8. Risk-rate the individual items and calculate the final risk or risk score.
9. Prepare and update the risk deliverables: risk report, risk acceptance and risk mitigation documents.
Risk Matrix / Risk Management
• Known risk analysis and rating processes. There is no one-size-fits-all.
DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
• Risk Artifacts: Design Docs (HLD/LLD), Functional Spec, Requirement Docs, Operational Docs, Process Docs.
• At what stage do we do Threat Modeling?
Requirements <-> Design <-> Implementation <-> Transition
• Risk Deliverables: Risk Summary Report, Risk Registers.
• Note: Code reviews are not part of risk assessment; they complement it but are not a must.
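Steps 4 to 8 of the process, applied to the Client <-> Server <-> DB decomposition from the example slide and rated with the STRIDE and DREAD methods named above, as an added example that is not part of the original deck. The STRIDE-per-element table is the one Microsoft publishes for its threat modelling process; the element model, the four threats, their DREAD figures and the High/Medium/Low thresholds are constructed for illustration and are not findings from a real system.

```python
"""STRIDE-per-element enumeration and DREAD rating for the
Client <-> Server <-> DB decomposition, producing a risk register.

Added example, not code from the deck. The STRIDE-per-element table is
Microsoft's; the model, the four threats and their DREAD figures below
are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean

# Which STRIDE categories each element type is subject to (STRIDE-per-element).
# Repudiation on a data store matters when the store holds logs.
STRIDE_PER_ELEMENT = {
    "external entity": "SR",
    "process": "STRIDE",
    "data store": "TRID",
    "data flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Steps 4 and 5 of the process: components and the flows between them (assumed model).
MODEL = {
    "Client": "external entity",
    "Server": "process",
    "DB": "data store",
    "Client->Server": "data flow",
    "Server->DB": "data flow",
}


def applicable_categories(model: dict) -> dict:
    """Step 6: for every element, the STRIDE categories to walk through."""
    return {el: [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT[kind]]
            for el, kind in model.items()}


@dataclass
class Threat:
    element: str        # key of MODEL
    category: str       # one STRIDE letter
    description: str
    dread: tuple        # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), 1..10 each
    countermeasure: str


def is_applicable(threat: Threat, model: dict) -> bool:
    """Reject threats filed against an element type they cannot apply to
    (e.g. Elevation of Privilege on a data flow)."""
    return threat.category in STRIDE_PER_ELEMENT[model[threat.element]]


def dread_score(dread: tuple) -> float:
    """DREAD: mean of the five 1..10 ratings, one decimal."""
    if len(dread) != 5 or not all(1 <= x <= 10 for x in dread):
        raise ValueError("DREAD needs five ratings in 1..10")
    return round(mean(dread), 1)


def dread_rating(score: float) -> str:
    """Qualitative rating bands (thresholds assumed)."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_register(threats: list, model: dict) -> list:
    """Steps 7 and 8: template rows, rated and sorted by score descending."""
    rows = []
    for n, t in enumerate(threats, 1):
        if not is_applicable(t, model):
            raise ValueError(f"{STRIDE_NAMES[t.category]} does not apply to "
                             f"{t.element} ({model[t.element]})")
        score = dread_score(t.dread)
        rows.append({"id": f"T{n:02d}", "element": t.element,
                     "stride": STRIDE_NAMES[t.category], "threat": t.description,
                     "score": score, "rating": dread_rating(score),
                     "countermeasure": t.countermeasure})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed threats for the hypothetical client-server app (not real findings).
THREATS = [
    Threat("Client->Server", "I", "credentials cross the network in cleartext",
           (8, 10, 7, 9, 8), "TLS on every client-server connection"),
    Threat("Server", "E", "request fields reach a privileged operation unvalidated",
           (9, 7, 6, 8, 4), "server-side validation; service runs as a least-privilege account"),
    Threat("Client", "S", "stolen session token replayed to act as the user",
           (7, 8, 6, 5, 7), "short-lived tokens; re-authenticate for sensitive actions"),
    Threat("DB", "R", "no record of who changed a row",
           (5, 10, 6, 4, 7), "append-only audit log written by the server"),
]

if __name__ == "__main__":
    for el, cats in applicable_categories(MODEL).items():
        print(f"{el:15} {', '.join(cats)}")
    for r in build_register(THREATS, MODEL):
        print(f'{r["id"]} {r["score"]:4} {r["rating"]:6} {r["element"]:15} {r["stride"]}: {r["threat"]}')
```

The per-element table is what keeps step 6 systematic: every element gets walked through only the categories that can apply to it, and `is_applicable` catches a register entry filed against the wrong element type. DREAD then supplies the number for step 8; the register rows are the template of step 7 and feed the risk summary report.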
Sample 1: Risk Matrix
Sample 2: Risk Matrix
Defenses: Defense in Depth (Countermeasures)
Questions and Answers?
• Latitude: -33.8718406, Longitude: 151.2082923
Ans: 220 Pitt Street, Sydney, New South Wales
• RFC: rfc2616
Ans: HTTP/1.1
• What does “Allium Cepa” mean?
Ans: Onion
***Keep it Simple, Stupid (KISS). Don’t over-complicate risk assessment; depending on your maturity model, you can keep it anywhere from simple to complex.
References
• https://www.owasp.org/index.php/Threat_Risk_Modeling
• https://cve.mitre.org/
• https://nvd.nist.gov/
• https://Google.com
Thank You
Q && A
If (I know)
{
return “will answer”;
}
Else
{
return “will find out and let you know”;
}
Santhosh Kumar Edukulla
santhoshedukulla@apache.org
Editor's Notes
1. Lamborghini car door open; open ATM in Tasmania.
2. Example of a bank job; a house.
3. Cigarette pack risk; airplane weather warning.