The Official (ISC)2 CISSP CBK Reference. Aaron Kraus

These diagrams are then evaluated by threat analysts to identify potential attacks against each component and to determine whether a security control is necessary, exists, and achieves the control effect.

      Threat Modeling Methodologies

      There are many different threat modeling methodologies. Four of the most widely referenced are STRIDE, PASTA, NIST SP 800-154, and DREAD; each is discussed in the following sections.

      STRIDE

      STRIDE is a threat modeling methodology developed by Microsoft in the late 1990s to help identify and classify computer security threats. The name itself is a mnemonic for six categories of security threats, discussed here:

       Spoofing: Spoofing is an attack during which a malicious party assumes the identity of another party (either a user or a system) by falsifying information. A common example of identity spoofing occurs when email spammers modify the “From:” field to depict the name of a sender that the target recipient is more likely to trust. Within applications, spoofing can occur if an attacker steals and uses a victim's authentication information (like username and password) to impersonate them within the application.

       Tampering: Data tampering is an attack on the integrity of data by intentionally and maliciously manipulating data. Tampering can include altering data on disk, in memory, over the network, or elsewhere. Applications that don't properly validate user input may allow malicious actors to modify values and have the manipulated data stored and used by the application.

       Repudiation: Repudiation is the ability of a party to deny that they are responsible for performing an action. The threat of repudiation occurs when a user claims that they did not perform an action, and no other party is able to prove otherwise. In the physical world, signing for a mail delivery is a common form of nonrepudiation — the delivery company maintains a record that you received and accepted the mail on a specific date. In the digital world, an example of a repudiation threat is a user claiming that they did not make an online purchase — even if they did, in fact, make that purchase. Comprehensive logging, digital signatures, and multifactor authentication can be integrated into applications to provide nonrepudiation for high-risk actions.

       Information disclosure: Information disclosure is when information is shared with an unauthorized party — such as during a data breach or when inadvertently sending an email to the wrong person. This threat compromises the confidentiality of data and carries a great deal of risk depending on the sensitivity of the leaked data. Organizations that store and process PII, PHI, cardholder data, or other confidential information should focus on this threat, and identify controls to mitigate against it. Data encryption, strong access control, and other data protection mechanisms are the keys to protecting against unauthorized information disclosure.

       Denial of service: A denial-of-service (DoS) attack is a common availability attack that denies access to resources by legitimate users. Controls should be put in place to monitor and detect abnormally high resource consumption by any single user; this may be an indication of either malicious or unintentional resource exhaustion. As a principle, applications should be developed with availability and reliability in mind.

       Elevation of privilege: Elevation of privilege (or privilege escalation) occurs when an unprivileged user is able to upgrade their privileges to those of a privileged user (e.g., a system administrator). Elevation of privilege can give an untrusted party the “keys to the kingdom” and grant them access to and control over sensitive data and systems. Strong access control is required to help protect against this threat. Systems should revalidate a user's identity and credentials prior to granting privileged access, and multifactor authentication should be used, wherever possible.
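      The per-component evaluation described at the top of this page (walk the diagram, list the threats against each component, check whether a control exists) is easiest to see when STRIDE is applied per DFD element. The following Python is an added example, not code from the book or from Microsoft. It assumes the STRIDE-per-element chart used in Microsoft's SDL practice (external entities face S and R; processes face all six; data stores face T, I, D and, when they hold audit evidence, R; data flows face T, I, D) and a constructed three-tier web shop as the sample diagram. The `Element`, `Flow` and `Finding` types are this example's own.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example: models the analyst step of walking every component of a
diagram, listing the STRIDE categories that apply to it, and checking
whether an existing control already mitigates each one.
"""
from dataclasses import dataclass, field

# Which STRIDE categories apply to which DFD element type. This is the
# STRIDE-per-element chart from Microsoft's SDL practice (assumed here,
# not taken from the book). A data store only faces Repudiation threats
# when it holds the evidence (logs) that nonrepudiation depends on.
STRIDE_PER_ELEMENT = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "R", "I", "D"},
    "data_flow": {"T", "I", "D"},
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str            # key into STRIDE_PER_ELEMENT (not "data_flow")
    trust_zone: str      # e.g. "internet", "dmz", "internal"
    controls: set = field(default_factory=set)  # STRIDE letters already mitigated
    holds_evidence: bool = False                 # True for audit-log stores


@dataclass
class Flow:
    name: str
    source: str          # Element.name
    dest: str            # Element.name
    controls: set = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    target: str
    category: str
    crosses_boundary: bool
    mitigated: bool


def enumerate_threats(elements, flows):
    """One Finding per applicable (element, STRIDE category) pair."""
    zone = {e.name: e.trust_zone for e in elements}
    findings = []
    for e in elements:
        cats = set(STRIDE_PER_ELEMENT[e.kind])
        if e.kind == "data_store" and not e.holds_evidence:
            cats.discard("R")
        for c in sorted(cats):
            findings.append(Finding(e.name, c, False, c in e.controls))
    for f in flows:
        # A flow between two trust zones is where an attacker first reaches the system.
        crosses = zone[f.source] != zone[f.dest]
        for c in sorted(STRIDE_PER_ELEMENT["data_flow"]):
            findings.append(Finding(f.name, c, crosses, c in f.controls))
    return findings


def unmitigated(findings):
    """Threats with no control, boundary-crossing ones first."""
    gaps = [f for f in findings if not f.mitigated]
    return sorted(gaps, key=lambda f: (not f.crosses_boundary, f.target, f.category))


def sample_model():
    """Constructed three-tier web shop; controls reflect what is already deployed."""
    elements = [
        Element("Browser", "external_entity", "internet"),
        # MFA login (S), audit log (R), re-authentication before admin actions (E)
        Element("Web App", "process", "dmz", controls={"S", "R", "E"}),
        # Encrypted at rest (I); no integrity checking, no query throttling
        Element("Orders DB", "data_store", "internal", controls={"I"}),
    ]
    flows = [
        Flow("Login request", "Browser", "Web App", controls={"T", "I"}),  # TLS
        Flow("Order query", "Web App", "Orders DB"),  # plaintext inside the data center
    ]
    return elements, flows


def report(findings):
    """Human-readable gap list, one line per unmitigated threat."""
    lines = []
    for f in unmitigated(findings):
        flag = "BOUNDARY " if f.crosses_boundary else ""
        lines.append(f"{flag}{f.target}: {CATEGORY_NAMES[f.category]} - no control")
    return lines


if __name__ == "__main__":
    els, fls = sample_model()
    print("\n".join(report(enumerate_threats(els, fls))))
```

      On the sample diagram the first gap reported is the unthrottled login request crossing the internet boundary (a denial-of-service exposure), followed by the plaintext query between the DMZ and the internal zone; the analyst then decides, per the passage above, whether each gap needs a control or is an accepted risk.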

      PASTA

      The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-based threat modeling methodology, developed in 2012, that supports dynamic threat analysis. PASTA integrates business objectives with technical requirements, which makes its output more easily understood by upper management. The methodology consists of seven stages, performed in order:

       Define objectives

       Define technical scope

       Application decomposition

       Threat analysis

       Vulnerability analysis

       Attack enumeration

       Risk and impact analysis

      NIST 800-154

      NIST Special Publication (SP) 800-154, “Guide to Data-Centric System Threat Modeling,” was released in draft form in 2016. It explicitly rejects the idea that generic best-practice control sets are sufficient on their own to protect sensitive information: best practice is general by nature and often omits controls tailored to the protection needs of a specific asset. NIST 800-154 establishes four major steps for data-centric system threat modeling:

      1 Identify and characterize the system and data of interest.

      2 Identify and select the attack vectors to be included in the model.

      3 Characterize the security controls for mitigating the attack vectors.

      4 Analyze the threat model.

      DREAD

      DREAD is an older risk-rating technique that Microsoft used alongside STRIDE and later abandoned, largely because its ratings proved inconsistent between raters. Unlike STRIDE, it does not identify threats; it scores threats that have already been identified. DREAD is a mnemonic for the five categories that are each scored and then combined into a single rating:

       Damage

       Reproducibility

       Exploitability

       Affected users

       Discoverability

      Though it is rarely used today, you should be familiar with the DREAD mnemonic and the categories that it represents.

      Other Models

      Other threat modeling methodologies include the following:

       Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is an approach for managing information security risks, developed at the Software Engineering Institute (SEI).

       Trike is an open-source threat modeling approach and tool that focuses on using threat models as a risk management tool.

       Construct a platform for Risk Analysis of Security Critical Systems (CORAS), also open source, is a European project that relies heavily on Unified Modeling Language (UML) as the front end for visualizing the threats.

       Visual, Agile, and Simple Threat Modeling (VAST) is a proprietary approach that leverages Agile concepts.

      Implementing a structured threat modeling program allows an organization to consistently identify and characterize the threats it faces and then apply appropriate