Threat model
Encyclopedia
Threat modeling has two distinct, but related, meanings in computer security
. The first is a description of the security
issues the designer cares about. This is the sense of the question, "What is the threat model for DNSSec?" In the second sense, a threat model is a description of a set of security aspects; that is, when looking at a piece of software (or any computer system), one can define a threat
model by defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system. Each model defines a narrow set of possible attacks
to focus on. A threat model can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. More recently, threat modeling
has become an integral part of Microsoft's SDL (Security Development Lifecycle
) process. The two senses derive from common military uses in the United States and the United Kingdom.
Threat modeling is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities
, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures
exist that mitigate the threats.
Attacker-centric
Software-centric
Asset-centric
Threat modeling has changed in recent times (around 2004) to take on a more defensive perspective rather than an adversarial perspective. The problem with an adversarial perspective is that it is reactive.
When you adopt an adversarial perspective, you examine software applications, or any system, by trying to find holes in it and ways they might be exploit
ed. Techniques that are often used in an adversarial approach are penetration testing
(white box and black box), and code review
. While these are valuable techniques to discover potential problems, the flaw is that you can only use them once the software has been written.
This means that if you discover any security related problems, you have to rework and re-write your code. This is very expensive in terms of both time and money.
Security bugs have a much larger impact than functionality bugs. Since code around security usually touches every portion of the application, the 'ripple effect' makes the cost exponentially more expensive than functionality bugs.
Current threat modeling takes on a defender's perspective. This means that threats are examined and countermeasures, or security service
s, are identified at the design state of the application before any code is written. This way the defensive mechanisms are built into the code as it is written rather than patched in later. This is much more cost effective and has the added benefit of increasing security awareness in the development team. However, the disadvantage is that all threats can not be identified unless the code is trivially simple and often threat modeling on a defender's perspective will cause the development team to falsely believe that the code is secure.
A general high level overview of common steps in the defensive perspective threat modeling are:
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
. The first is a description of the security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
issues the designer cares about. This is the sense of the question, "What is the threat model for DNSSec?" In the second sense, a threat model is a description of a set of security aspects; that is, when looking at a piece of software (or any computer system), one can define a threat
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
model by defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system. Each model defines a narrow set of possible attacks
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
to focus on. A threat model can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. More recently, threat modeling
STRIDE (security)
STRIDE is a system developed by Microsoft for classifying computer security threats. It provides a mnemonic for security threats in six categories.The threat categories are:* Spoofing of user identity* Tampering* Repudiation...
has become an integral part of Microsoft's SDL (Security Development Lifecycle
Trustworthy Computing Security Development Lifecycle
The Microsoft Security Development Lifecycle is a software development process used and proposed by Microsoft to reduce software maintenance costs and increase reliability of software concerning software security related bugs. It is based on the classical spiral model.- Versions :- Further reading...
) process. The two senses derive from common military uses in the United States and the United Kingdom.
Threat modeling is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures
Countermeasure (computer)
In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
exist that mitigate the threats.
Approaches to threat modeling
There are at least three general approaches to threat modeling:Attacker-centric
- Attacker-centric threat modeling starts with an attacker, and evaluates their goals, and how they might achieve them. Attacker's motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
Software-centric
- Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
Asset-centric
- Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information.
Example threat modeling approach
Threat modeling has changed in recent times (around 2004) to take on a more defensive perspective rather than an adversarial perspective. The problem with an adversarial perspective is that it is reactive.
When you adopt an adversarial perspective, you examine software applications, or any system, by trying to find holes in it and ways they might be exploit
Exploit (computer security)
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
ed. Techniques that are often used in an adversarial approach are penetration testing
Penetration test
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...
(white box and black box), and code review
Code review
Code review is systematic examination of computer source code. It is intended to find and fix mistakes overlooked in the initial development phase, improving both the overall quality of software and the developers' skills...
. While these are valuable techniques to discover potential problems, the flaw is that you can only use them once the software has been written.
This means that if you discover any security related problems, you have to rework and re-write your code. This is very expensive in terms of both time and money.
Security bugs have a much larger impact than functionality bugs. Since code around security usually touches every portion of the application, the 'ripple effect' makes the cost exponentially more expensive than functionality bugs.
Current threat modeling takes on a defender's perspective. This means that threats are examined and countermeasures, or security service
Security service (telecommunication)
Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation....
s, are identified at the design state of the application before any code is written. This way the defensive mechanisms are built into the code as it is written rather than patched in later. This is much more cost effective and has the added benefit of increasing security awareness in the development team. However, the disadvantage is that all threats can not be identified unless the code is trivially simple and often threat modeling on a defender's perspective will cause the development team to falsely believe that the code is secure.
A general high level overview of common steps in the defensive perspective threat modeling are:
- Define the application requirements:
- Identify business objectives
- Identify user rolesActor (UML)An actor in the Unified Modeling Language "specifies a role played by a user or any other system that interacts with the subject.""An Actor models a type of role played by an entity that interacts with the subject ,...
that will interact with the application - Identify the dataData (computing)In computer science, data is information in a form suitable for use with a computer. Data is often distinguished from programs. A program is a sequence of instructions that detail a task for the computer to perform...
the application will manipulate - Identify the use cases for operating on that data that the application will facilitate
- Model the application architectureSoftware architectureThe software architecture of a system is the set of structures needed to reason about the system, which comprise software elements, relations among them, and properties of both...
- Model the components of the application
- Model the service roles that the components will act under
- Model any external dependencies
- Model the calls from roles, to components and eventually to the data store for each use case as identified above
- Identify any threats to the confidentialityConfidentialityConfidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, availabilityAvailabilityIn telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...
and integrityData integrityData Integrity in its broadest meaning refers to the trustworthiness of system resources over their entire life cycle. In more analytic terms, it is "the representational faithfulness of information to the true state of the object that the information represents, where representational faithfulness...
of the data and the application based on the data access control matrix that your application should be enforcing - Assign riskRiskRisk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
values and determine the risk responses - Determine the countermeasures to implement based on your chosen risk responses
- Continually update the threat model based on the emerging security landscape.
See also
- :Category:Computer security exploits — Types of computer security vulnerabilities and attacks
- Application securityApplication securityApplication security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.Applications only...
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Attack treeAttack treeAttack trees are conceptual diagrams of threats on computer systems and possible attacks to reach those threats. The concept was suggested by Bruce Schneier, CTO of Counterpane Internet Security. Attack trees are similar to threat trees...
- Computer insecurityComputer insecurityComputer insecurity refers to the concept that a computer system is always vulnerable to attack, and that this fact creates a constant battle between those looking to improve security, and those looking to circumvent security.-Security and systems design:...
- Computer securityComputer securityComputer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
- Data securityData securityData security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. Data security is part of the larger practice of Information security.- Disk Encryption...
- Economics of securityEconomics of securityThe economics of information security addresses the economic aspects of privacy and computer security. Economics of information security includes models of the strictly rational “homo economicus” as well as behavioral economics...
- Information assuranceInformation AssuranceInformation assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes...
- Information securityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Network securityNetwork securityIn the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
- Risk assessmentRisk assessmentRisk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...
- Risk managementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
- Security engineeringSecurity engineeringSecurity engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts...
- Software architectureSoftware architectureThe software architecture of a system is the set of structures needed to reason about the system, which comprise software elements, relations among them, and properties of both...
- Software Security AssuranceSoftware Security AssuranceSoftware security assurance is a process that helps design and implement software that protects the data and resources contained in and controlled by that software...
- STRIDE (security)STRIDE (security)STRIDE is a system developed by Microsoft for classifying computer security threats. It provides a mnemonic for security threats in six categories.The threat categories are:* Spoofing of user identity* Tampering* Repudiation...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
External links
- Threat Modeling from OWASP
- Threat Modeling as a Basis for Security Requirements - NCASSR Publications
- ThreatModeler: MyAppSecurity's Software-Centric Threat Modeling Product
- Microsoft's Application Consulting & Engineering Team's Threat Modeling Blog
- The Microsoft SDL Threat Modeling Tool
- Uncover Security Design Flaws Using The STRIDE Approach
- Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)