Risk Assessment and Threat Modeling
- 4. Which is more “Risky”?
• In a lone forest area, waking up in front of a tiger, or in a
lone forest area, sleeping in front of a lion?
• Going on a lone holiday trip to Kandahar in Afghanistan, or to
Aleppo in Syria?
• Giving your wife a debit card, or a credit card, for shopping?
- 5. Few Key Terms
• Asset and its criticality (the asset identified by a CPE name, e.g.
cpe:/a:microsoft:sql_server:8.0.6001:beta)
• Vulnerability (a specific instance is identified by a CVE, e.g. CVE-2014-100009;
the underlying weakness class is catalogued by a CWE)
• Threat (the agent or event that exploits the vulnerability)
• Exposure
• Likelihood
• Countermeasure / Security Controls
• Risk (Risk Acceptance, Risk Rating, Risk Value / Risk Score,
Residual Risk, Risk Register, Risk Management etc.), rated e.g. by a
CVSS Base Score of 5.5
• CVE, CPE, CWE, CVSS, XCCDF, OVAL (the SCAP family of standards)
- 6. Risk Function
• Risk = f(A, V, T, C, P, P..)
• In simple terms, Risk = Likelihood * Severity
• Vulnerability <-> Threat (1-to-m mapping: one vulnerability can be exploited by many threats)
• Risk can be measured quantitatively and qualitatively. EX: assign
weights and numeric values to each risk.
• Note: Risk is not "certain". It is purely "probabilistic" and
"objective".
- 8. EX: Client/Server App Risk Assessment
• Decompose the solution.
• Identify client-side threats.
• Identify server-side threats.
• Identify interactions (data and control flows) and their
threats.
• Identify the storage mechanisms involved and their threats.
• Identify the different actors/users involved and their threats.
(Diagram: Client -> Server -> DB)
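The decomposition above becomes mechanical once each element is typed. The block below is an added example, not part of the original slides: it models the Client -> Server -> DB application as external entities, processes, data stores and data flows, then enumerates candidate threats with STRIDE-per-element (the mapping used in the Microsoft SDL, where e.g. a data flow is exposed to Tampering, Information Disclosure and Denial of Service but not to Spoofing). Element names and the trust zones (internet, dmz, backend) are assumptions for illustration.

```python
"""Added example (not from the original slides): decompose the client/server/DB
application into elements and flows, then enumerate threats per element with
STRIDE-per-element.  Element names and trust zones are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Kind(Enum):
    EXTERNAL = "external entity"   # actors/users outside our control
    PROCESS = "process"            # code we own (client, server)
    STORE = "data store"           # storage mechanisms (DB, files, cache)
    FLOW = "data flow"             # interactions: data and control flows


# STRIDE-per-element: which threat categories apply to each element kind.
# S=Spoofing T=Tampering R=Repudiation I=Info disclosure D=DoS E=Elevation
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",   # R applies to stores that hold audit logs
    Kind.FLOW: "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str = "internal"  # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self) -> bool:
        # A flow between two trust zones crosses a trust boundary and
        # deserves the most attention in the model.
        return self.src.zone != self.dst.zone


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (target, threat category) pairs: every applicable STRIDE
    category for every element and flow; boundary-crossing flows are marked."""
    threats: List[Tuple[str, str]] = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[letter]))
    for f in flows:
        target = f.name + (" [crosses trust boundary]" if f.crosses_boundary else "")
        for letter in STRIDE_PER_ELEMENT[Kind.FLOW]:
            threats.append((target, STRIDE_NAMES[letter]))
    return threats


def count_boundary_crossings(flows: List[Flow]) -> int:
    return sum(1 for f in flows if f.crosses_boundary)


def build_model() -> Tuple[List[Element], List[Flow]]:
    """The slide's Client -> Server -> DB, decomposed (zones are assumptions)."""
    user = Element("end user", Kind.EXTERNAL, zone="internet")
    client = Element("browser/desktop client", Kind.PROCESS, zone="internet")
    server = Element("application server", Kind.PROCESS, zone="dmz")
    db = Element("SQL database", Kind.STORE, zone="backend")
    flows = [
        Flow("user -> client (credentials, input)", user, client),
        Flow("client -> server (HTTP requests)", client, server),
        Flow("server -> DB (queries)", server, db),
    ]
    return [user, client, server, db], flows


if __name__ == "__main__":
    els, fls = build_model()
    for target, category in enumerate_threats(els, fls):
        print(f"{target:55s} {category}")
```

Each (target, category) pair is a row to fill in your threat template: the concrete threat, the vulnerability it exploits and the countermeasure. The per-element mapping keeps the list complete (nothing is forgotten for a data store) without padding it with categories that cannot apply (Elevation of Privilege against a wire).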
- 9. Risk Classifications
• Application/Software security (Client, Server, Interactions,
Data, Transport, Authentication etc.)
• Infrastructure security (deployment security controls)
• Process, business, documentation and legal security (licenses,
data theft etc.)
- 10. Risk Assessment Process
• An iterative, document-oriented process of audit and analysis.
1. Identify risk goals and objectives.
2. Identify team members and stakeholders.
3. Tag the application based upon criticality: RED / Orange / Blue.
4. Decompose the application: break it down into its components and
their interactions (internal and external).
5. Identify the data and control flows.
6. Identify vulnerabilities and threats.
7. Follow a template of your choice for noting down the vulnerability,
threat and countermeasure items.
8. Risk-rate the individual items and calculate the final Risk / Risk Score.
9. Prepare and update the risk deliverables: Risk Report, Risk
Acceptance and Risk Mitigation documents.
- 11. Risk Matrix / Risk Management
• Known risk analysis and rating methods exist; none is a one-size-fits-all
("T-shirt") fit.
DREAD (rating a threat): Damage, Reproducibility, Exploitability, Affected Users,
Discoverability
STRIDE (classifying a threat): Spoofing, Tampering, Repudiation, Information Disclosure, Denial
of Service, Elevation of Privilege
• Risk Artifacts: Design Docs (HLD/LLD), Functional Spec, Requirement Docs,
Operational Docs, Process Docs.
• At what stage do we do Threat Modeling? At each of them, iteratively:
Requirements <-> Design <-> Implementation <-> Transition
• Risk Deliverables: Risk Summary Report, Risk Registers.
• Note: Code reviews are not part of Risk Assessment; they complement
it but are not mandatory.
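The formula from slide 6 (Risk = Likelihood * Severity) and the DREAD factors from this slide fit together: three DREAD factors describe how likely an attack is, two describe how bad it is. The block below is an added example, not code from the original slides: it rates threat-model items with DREAD on a 1..10 scale, derives Likelihood and Severity from the factors, computes the risk score and a qualitative band, and produces a risk register with inherent and residual risk (re-rated after countermeasures) and a status of Open / Mitigated / Accepted. The scale, the factor split, the band thresholds and the sample items are assumptions chosen for illustration; plug in your own template's values.

```python
"""Added example (not from the original slides): DREAD rating, Risk =
Likelihood * Severity, and a risk register with residual risk.  The 1..10
scale, factor split, band thresholds and sample items are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Dread:
    damage: int           # how bad is a successful attack
    reproducibility: int  # how reliably can it be repeated
    exploitability: int   # how little skill/effort is needed
    affected_users: int   # how many users/assets are hit
    discoverability: int  # how easy is it to find

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name}={value} is outside 1..10")

    def likelihood(self) -> float:
        """Chance the threat is realised: how easy to find, exploit and repeat."""
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def severity(self) -> float:
        """Impact if realised: damage done and breadth of who is affected."""
        return (self.damage + self.affected_users) / 2

    def risk(self) -> float:
        """Slide 6: Risk = Likelihood * Severity, here on a 1..100 scale."""
        return round(self.likelihood() * self.severity(), 1)

    def classic_dread(self) -> float:
        """Plain DREAD average of the five factors (1..10), for comparison."""
        return round(sum(vars(self).values()) / 5, 1)


def rating(score: float) -> str:
    """Qualitative band for a 1..100 risk score (assumed thresholds)."""
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    id: str
    threat: str                 # STRIDE category + description
    component: str
    inherent: Dread             # rating before any countermeasure
    countermeasures: List[str] = field(default_factory=list)
    residual: Optional[Dread] = None  # re-rated after countermeasures
    status: str = "Open"        # Open / Mitigated / Accepted

    def residual_risk(self) -> float:
        # Untreated or accepted items keep their inherent risk.
        return (self.residual or self.inherent).risk()


def risk_register(items: List[RiskItem]) -> List[Dict]:
    """Risk deliverable: one row per item, highest residual risk first."""
    rows = []
    for it in items:
        inh, res = it.inherent.risk(), it.residual_risk()
        rows.append({
            "id": it.id, "component": it.component, "threat": it.threat,
            "inherent": inh, "inherent_rating": rating(inh),
            "residual": res, "residual_rating": rating(res),
            "status": it.status,
            "controls": "; ".join(it.countermeasures) or "-",
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def sample_items() -> List[RiskItem]:
    """Constructed items for the client/server/DB app; scores are illustrative.
    Countermeasures lower the likelihood factors; damage stays what it is."""
    return [
        RiskItem("R1", "Tampering: SQL injection in search parameter",
                 "application server", inherent=Dread(9, 10, 8, 9, 8),
                 countermeasures=["parameterised queries", "least-privilege DB account"],
                 residual=Dread(9, 1, 1, 9, 8), status="Mitigated"),
        RiskItem("R2", "Information disclosure: credentials sent over plain HTTP",
                 "client -> server flow", inherent=Dread(8, 10, 6, 10, 9),
                 countermeasures=["TLS with HSTS"],
                 residual=Dread(8, 1, 1, 10, 2), status="Mitigated"),
        RiskItem("R3", "Repudiation: no audit log of admin actions",
                 "SQL database", inherent=Dread(5, 10, 9, 3, 5), status="Accepted"),
    ]


if __name__ == "__main__":
    for row in risk_register(sample_items()):
        print(f"{row['id']} {row['residual_rating']:6s} inherent={row['inherent']:5} "
              f"residual={row['residual']:5} {row['status']:9s} {row['threat']}")
```

Note that the register orders by residual risk, which is what a Risk Acceptance discussion needs: after mitigation the accepted, unlogged admin actions (R3) outrank the now-parameterised SQL injection (R1). The classic five-factor DREAD average is kept alongside so the two scorings can be compared on the same item.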
- 15. Questions and Answers?
• Latitude: -33.8718406
Longitude: 151.2082923
Ans: 220 Pitt Street, Sydney, New South Wales
• RFC: RFC 2616
Ans: HTTP/1.1
• What does “Allium Cepa” mean?
Ans : Onion
***Keep it Simple, Stupid (KISS). Don't over-complicate Risk Assessment: depending on
your maturity model, keep it anywhere from simple to complex.
- 17. Thank You
Q && A
If (I know)
{
return “will answer”;
}
Else
{
return “will find out and let you know”;
}
Santhosh Kumar Edukulla
santhoshedukulla@apache.org
Editor's Notes
- Lamborghini car door open, open ATM in Tasmania.
- Example of Bank Job, House
- Cigarette Pack Risk, Airplane weather warning.