DREAD and Attack Trees

Question 1

Who is typically the owner of Threat Model and what does he?

Answer 1

technical project manager which also schedules analysis sessions

Question 2

Mitigation –>

Answer 2

to address or lessen a problem:
- protect users
- design secure software

Question 3

Security by Obscurity =

Answer 3

Verstecken/Verschleiern der Security

Question 4

Different Threats affect…

Answer 4

different types

Question 5

Mitigation Process:

Answer 5

• Adress each threat one by one
• 4 ways to adress threats

Question 6

4 ways to address threats:

Answer 6

• redesign to eliminate
• apply standard mitigations (what has worked for similar software packages)
• invent new mitigations (riskier)
• accept vulnerability in design (SDL rules about what you can accept (Bug Bar))

Question 7

Overview of Mitigation Techniques categorized in STRIDE

Answer 7

Question 8

Inventing mitigations is…

Answer 8

hard - be careful!
- Mitigations are an area of expertise
- Amateurs make mistakes, but so do pros
- Mitigation failures may appear to work… until they don’t
- When you need to invent mitigations, get expert support

Question 9

Any residual risk –>

Answer 9

escalated for management review if this threat is acceptable

Question 10

Validate and Review may lead to:

Answer 10

• higher overall code quality
• greater management visibility of security controls

Question 11

Validating Threat Models is…

Answer 11

important!

Question 12

When validating the Threat Model it is important to..

Answer 12

validate the whole Threat Model!

Question 13

What questions can be asked during validating the Threat Model:

Answer 13

o Are threats enumerated?
o Minimum STRIDE per element that touches a trust boundary
o Has Test/QA reviewed the model?
o is each threat addressed?
o Are mitigations done right?

Question 14

Final Security Review will make …

Answer 14

shipping more predictable.

Question 15

Validate Quality of Threats –> Do they:

Answer 15

• describe the attack
• describe the context
• describe the impact

Question 16

Validate Quality of Mitigations:

Answer 16

• Associate with a threat
• describe the mitigations
• file a bug –> fuzzing is a test tactic, not a mitigation

Question 17

Put as much information as possible into the Threat Model like:

Answer 17

• Make your flows be meaningful  specific terms
• Name your trust boundaries  machine? Corporate? Network?
• Process and external interactors  not “server”, better <company>.com
  --> ultimate test: outsiders understand your system without other info than the data flow diagram</company>

Question 18

Tips for Threat Modelling:

Answer 18

• Be honest with the process
  o Model represents reality
  o Consider all types of threats
• As with all modelling, use appropriate complexity
  o Overly simplified?
  o Overly complicated?
• Test your model

Question 19

Risk Rating –> Each threat is graded into … categories.

Answer 19

DREAD

Question 20

DREAD:

Answer 20

• Damage
• Reproducibility
• Exploitability
• Affected users
• Discoverability

Question 21

Damage =

Answer 21

how bad would an attack be?

Question 22

Reproducibility =

Answer 22

how easy is it to reproduce the attack?

Question 23

Exploitability =

Answer 23

how much work is it to launch the attack?

Question 24

Affected users =

Answer 24

how many people will be impacted?

Question 25

Discoverability =

Answer 25

how easy is it to discover the threat?

Question 26

DREAD Rating Descriptions

Answer 26

Question 27

DREAD Calculation =

Answer 27

Risk rating of total number of DREAD --> used to prioritize Threats

Question 28

DREAD-D =

Answer 28

DREAD ohne Discoverability, da Messbarkeit schwierig und sehr abhängig von Skills zum Einschätzen --> immer von maximaler Discoverability ausgehen.

Question 29

Risk Rating DREAD Result list:

Answer 29

Risk rating Result High 12-15 Medium 8-11 Low 5-7

Question 30

OWASP Threat List:

Answer 30

- Authentication - Authorization - Configuration Management - Data Protection in Storage and Transit - Data/Parameter Validation - Error Handling and Exception Management - User and Session Management - Auditing and Logging

Question 31

OWASP Risk Rating =

Answer 31

4x4 factors are evaluated (1-9 points) --> overall risk is computed - Threat Agent - Vulnerability - Technical Impact - Business Impact

Question 32

CVSS provides...

Answer 32

a way to capture principal characteristics of a vulnerability

Question 33

Benefits of CVSS:

Answer 33

- Provides standardized vulnerability scores - Provides an open framework - Enables prioritized risk

Question 34

Attack Tree Aufbau der Ebenen:

Answer 34

1. Was ist mein Problem / Gefahr 2. Wie könnte dieses Problem / Gefahr eintreten 3. Was muss dafür konkret gemacht werden

Question 35

Type of Nodes in Attack Trees:

Answer 35

- “OR” nodes represent different ways to achieve same goal e.g. pick the door lock OR break a window - “AND” nodes represent different steps in achieving a goal e.g. window need to break and climb through the opening

Question 36

Attack tree cost of attack calculation -->

Answer 36

For each step write the cost of attack --> «AND» has to be added together for total costs --> you have to assume the threat with the lowest cost

Question 37

After evaluating the Attack Tree and calculating you have to...

Answer 37

implment specific countermeasures to mitigate the threat

Question 38

Possible Node values in an attack tree:

Answer 38

- Boolean: impossible vs. Possible - Cost (money or resources) to attack / defend - Time to achieve / Time to repulse - Probability of success of a given attack - Likelihood that an attacker will try a given attack

Question 39

Attack Tree cost calculation regarding node types:

Answer 39

«OR» Nodes --> value of the cheapest child «AND» Nodes --> value of the sum of their children