IT'S THE THREAT MODEL, SILLY! #INCLUDE | GO-JEK | MAY 2017 AKASH MAHAJAN - DIRECTOR APPSECCO

WHAT IS A THREAT MODEL? WHAT EXACTLY IS A THREAT MODEL?

MODEL REAL MODEL REAL

IN COMPUTER SECURITY A THREAT IS A POSSIBLE DANGER THAT MIGHT EXPLOIT A VULNERABILITY TO BREACH SECURITY AND THEREFORE CAUSE POSSIBLE HARM. From Wikipedia for Threat (Computer) CONTROL THREAT

THREATS CAN BE INTENTIONAL ACCIDENTAL FIRES QUAKE STORM FLOOD

AND SOMETIMES…

THREAT MODELLING IS A CONCEPTUAL MODEL FOCUSSING ON DATA FLOW MODELLING Mostly from Wikipedia

DATA FLOW DIAGRAMS CREATED WITH A FEW PRIMITIVES

A GOOD WAY TO CONSUME DATA IS WITH LISTS

IT’S THE THREAT MODEL, SILLY! FOR THREAT MODELLING WE LISTS THAT WE SHOULD HAVE ✓Assets ✓Endpoints ✓External Dependencies ✓Trust Levels ✓and Data Flow Diagrams

ASSETS What is that we need to protect? IT’S THE THREAT MODEL, SILLY!

ENDPOINTS What are the ways, someone will interact with the system? IT’S THE THREAT MODEL, SILLY!

EXTERNAL DEPENDENCIES What does the system need to operate? IT’S THE THREAT MODEL, SILLY!

TRUST LEVELS What are the varying degree of trust levels we will have as part of the interaction ? IT’S THE THREAT MODEL, SILLY!

DATA FLOW DIAGRAMS What are the various ways data will flow in the system? IT’S THE THREAT MODEL, SILLY!

THREAT MODELLING 101 - MAZAA EDITION

No content

EVERYTHING THAT IS RELATED TO SECURITY DEFENCE HAS TO BE LOOKED AT FROM THE POINT OF VIEW OF A THREAT MODEL Our Assertion IT’S THE THREAT MODEL, SILLY!

LETS LOOK AT SOME OF THE SECURITY CONTROLS FROM THE POINT OF VIEW OF THREAT MODELLING

IT’S THE THREAT MODEL, SILLY! PASSWORDS ▸ Why do we want to store passwords in a non-reversible manner? ▸ Why do we want to use a per password salt? ▸ Why do we want to slow down the rate at which hashes can be calculated?

IT’S THE THREAT MODEL, SILLY! CSRF TOKEN ▸ Why do we need a CSRF token? ▸ Why do we need to ensure that we can check for origin?

IT’S THE THREAT MODEL, SILLY! SSL/TLS ▸ How does the browser know that it can trust the initial certificate from the server?

IT’S THE THREAT MODEL, SILLY! SUB RESOURCE INTERGITY ▸ How does SRI help us stay safe?

IT’S THE THREAT MODEL, SILLY! YOUR FAVOURITE CONTROL ▸ Lets add some questions about it, to understand the possible threat model it was created for

CONTROL MOVIE THREAT REAL THREAT

SOMETIMES SECURITY CONTROLS INTRODUCE NEW ATTACK SURFACE Heard of CertificateTransparency Logs? IT’S THE THREAT MODEL, SILLY!

WITHOUT "CONTEXT" SECURITY CONTROLS WILL NOT DO WHAT WE "HOPE" THEY SHOULD DO It is essential that we understand the basic threat model for which a control was envisioned, designed and implemented IT’S THE THREAT MODEL, SILLY!

IT’S THE THREAT MODEL, SILLY! AADHAAR ENABLED PAYMENT SYSTEMS + ONE TIME PASSWORDS ▸ Why does it pose problems? ▸ The things that the architects maybe didn’t think about ▸ Rouge merchants can modify apps in the mobile Point of sale to store fingerprints ▸ GSM and mobile networks can allow sniffing of SMS text messages

IT’S THE THREAT MODEL, SILLY! FOR AND AGAINST AADHAAR Assets UIDAI can’t figure out what is worth stealing External dependency UIDAI feel that leakage of information is not at their end, so they are not responsible Trust Levels UIDAI believe that all bankers and telcos can be trusted with sensitive data Endpoints There is no easy way to figure out what is an official channel or private channel for sharing data

SO IN A WAY BOTH THE POINT OF VIEWS ARE RIGHT

IT’S THE THREAT MODEL, SILLY! SCOPE CREEP - HAPPENS TO ALL THINGS THAT WORK INCLUDING THE INTERNET •Otherwise all working systems are afflicted by scope creep. They are asked to take on functions that they were not designed for. Every such function adds • Assets worth stealing • Endpoints worth investigating • External dependencies that may be insecure • Trust levels that are not thoroughly vetted • And miss some of the data flows

IT’S THE THREAT MODEL, SILLY!

THAT APPLICATION SECURITY GUY

No content

QUESTIONS @makash | https://linkd.in/webappsecguy | akash@appsecco.com