March 26, 2019

Threat Modelling

Threat Modelling

Threat Modelling

Threat modelling is a process of looking at the composite components of a web application and how data flows between them with the purpose of identifying areas of security weakness or where an attacker could potentially attack. By identifying assets, applications and data from an attacker’s perspective it is possible to conduct risk assessment and create defensive measures.

Microsoft have been the leaders in this field because their products have been particularly targeted by attackers.
Snyder and Swiderski published their seminal book Threat Modelling in 2004 and introduced the concept of Attack Threats, Techniques and Procedures (TTPs)

Threat centric modelling looks at attackers’ motivations.
System centric models look at the technical aspects of the system especially data flows.
Asset centric models focus on what needs to be protected.

What do hackers want anyway?

What is useful data?

Take inventory of what might be of value or interest to an attacker

Data about users

  1. Identity theft
  2. Credentials to reuse on other sites e.g. if a user uses the same password elsewhere an attacker can attempt to login to another site with known credentials.
  3. Security questions and answers can be helpful to authenticate on another site
  4. If can query on a specific user can carry out targeted abuse, bully, find user location and purchase history, messages, images, posts
  5. Stalking, harassment, conduct reconnaissance to carry out robbery, burglary, steal a car

Denial of service

  1. Attackers might vandalise your site to show off skills, prowess, boast on social media.
  2. Ransom and blackmail -- Hold data hostage to obtain payment School held to ransom
  3. Threaten DDOS to obtain payment

Data and Privacy Breaches

  • Publish embarrassing activity, customer billing, payment information
  • Obtain Gift card numbers, promotion codes to obtain goods free of charge
  • Credit card data do you need to store this or just leave it with a PCI compliant payment gateway?
  • Seek to obtain or make available Free Stuff that interferes with your business model or marketing
  • Create fake orders to obtain goods by deception
  • Place free ads publicising their cause
  • Some AWS services such as S3 and API Gateway have publicly accessible URLs that can be called as APIs from the internet or AWS CLI.
  • It is possible for an attacker to make an educated guess as to the URL for an S3 bucket as the default naming style is likely based on the domain name, AWS account number and deployment region?

Preparing for Cloud Transition

One of the benefits of external certifications such as ISO 9001 as a Quality Management System or ISO 27001 with an Information Security Management System is that it forces a business to take a top down approach to its business assets and processes. An asset register, regular audits of processes, improvement in process, and security of data, role management with job descriptions that scope allowed permissions and denied permissions and a culture of shared ownership of the system are a worthwhile foundation to prepare for the nuanced challenges that a cloud based business faces.

Old models of asset recording are no longer viable. An on-premise business may plan compute asset acquisition in advance according to a schedule, amortise assets to a schedule and decommission to a timetable.
Cloud based business radically changes the paradigm.
Compute assets can be created and destroyed every few hours, every few minutes or every few milliseconds. Autoscaling groups, load balancers and replicated databases mean that your asset profile is changing frequently. Trying to manage that according to on premise mindsets is not going to work.
I don’t propose to cover that here but you can find a whitepaper on this.

Cloud is a Different Business Paradigm

If the plan is to replicate on-premise operations in the cloud, this approach may be a good practical way to get started, but makes no sense in terms of taking advantage of the agility, innovation and scaling, business insights and flexibility that a cloud based business can experience.
Cloud enables you to gain business advantage by focussing your efforts on your unique business proposition without being overly involved in running compute hardware and datacentres. It offers you the opportunity to outsource to trusted partners those parts of your business model that are not core to your business such as Authentication and Authorisation, database administration, compute administration, networking, payment gateways and so on.
Nonetheless the cloud model is a shared responsibility especially in the area of security. A badly, loosely configured cloud setup is a recipe for disaster. Understanding your role and responsibility in the partnership with your service provider is critical.

How to Deal with Security Threats in the Cloud

We have looked briefly at why your data is really the only asset that you have once your compute, data management and storage is in the cloud, everything else is just rented.
Data is your only asset

How to protect data in the Cloud?

Senior Management

One thing I learned in setting up a quality management system and it is even more true with an Information Security Management System is that success or failure is a top down driven outcome.
If security is not a senior management issue it will by default become one when things go wrong.

  • Security reviews should be conducted at least every six months
  • Awareness of risk should be continuous
  • Treat security as a high priority, take decisive action quickly. Breaches should be notified and escalated.
    Netflix have made durability an art form

"At Netflix, our culture of freedom and responsibility led us not to force engineers to design their code in a specific way. Instead, we discovered that we could align our teams around the notion of infrastructure resilience by isolating the problems created by server neutralization and pushing them to the extreme. We have created Chaos Monkey, a program that randomly chooses a server and disables it during its usual hours of activity. Some will find that crazy, but we could not depend on the random occurrence of an event to test our behavior in the face of the very consequences of this event. Knowing that this would happen frequently has created a strong alignment among engineers to build redundancy and process automation to survive such incidents, without impacting the millions of Netflix users. Chaos Monkey is one of our most effective tools to improve the quality of our services."
Netflix deliberately test service resilience of their servers by shutting down some randomly.
Business in the cloud faces the challenge of continually looking for ways to breach the security of their data in order to confirm its security.

Developers

  • Consider how could I attack this website?
  • Can I inject code?
  • Can I overload an API?
  • Can I send wildcard requests?
  • Can I create an error and get some useful clues from the error message?
  • Budget time and resources to investigate and test security
    More on this later…..

Operator

Infrastructure

  • Is any part out of date, not patched?
  • Is any part vulnerable –because of load limits, time to scale up, throttles
  • Is everything logged?
  • What alarms, warnings do I have?
  • What are the blind spots, where do I have no insight on what is happening?
  • Implement software to analyse, look for security holes, run static checks look for outdated software

Helpful AWS Whitepapers on managing security risks

AWS_Well-Architected_Framework
AWS_Cloud_Best_Practice
AWS_Security_Best_Practices