Determine the Threats to the System
Next you want to take the identified components from the decomposition process and use them as the threat targets for the threat model. The reason you analyze the application structure is not to determine how everything works, but rather to investigate the components, or assets, of the application and how data flows between the components. The components or assets are often called the threat targets
. Before I dive into how to determine the threats to the system, let's look at a way to categorize threats. This becomes useful later because you can apply certain strategies to mitigate specific threat categories.
Using STRIDE to Categorize Threats
When you're considering threats, it's useful to look at each component of the application and ask questions like these:
- Can a nonauthorized user view the confidential network data?
- Can an untrusted user modify a customer's record data in the database?
- Could someone deny valid users service from the application?
- Could someone take advantage of the feature or component to raise his or her privileges to that of an administrator?
To aid asking these kinds of pointed questions, you should use threat categories. In this case we'll use STRIDE, an acronym derived from the following six threat categories:
Spoofing threats allow an attacker to pose as another user or allow a rogue server to pose as a valid server. One example of user identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. A good real-life example is an insecure authentication technique such as HTTP Authentication. Examples of server spoofing include DNS spoofing and DNS cache poisoning.
Tampering With Data
Data tampering involves malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. A real-life example includes changing data in a file protected with a weak Access Control List (ACL), such as Everyone (Full Control), on the target computer.
Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise. For example, a user could perform an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation is the ability of a system to counter repudiation threats. For example, if a user purchases an item, he might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package. As you can imagine, nonrepudiation is important for e-commerce applications.
Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to that information. For example, a user might be able to read a file that she was not granted access to, or an intruder might be able to read data in transit between two computers. The spoofing example discussed earlier is also an example of an information disclosure threat because to replay a user's credentials, the attacker must view the user's credentials first.
Denial of Service
Denial of service (DoS) attacks deny service to valid users. For example, an attack could make a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. A very real example of this includes the various distributed denial of service attacks (DDoS), such as Trinoo and Stacheldraht. You can learn more about these attacks at staff.washington.edu/dittrich/misc/ddos/.
Elevation of Privilege
In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations where an attacker has penetrated system defenses and effectively become part of the trusted system itselfa dangerous situation indeed. An example is a vulnerable computer system that allows an attacker to place an executable on the disk and then to wait for the next person to log on to the system. If the next user is an administrator, the malicious code runs within the security profile settings of an administrator.
Threats That Lead to Other Threats
Some threat types can interrelate. It's not uncommon for information disclosure threats to lead to spoofing threats if the user's credentials are not secured. And, of course, elevation of privilege threats are, by far, the worst threatsif someone can become an administrator or can get to the root on the target computer, every other threat category becomes a reality. Conversely, spoofing threats might lead to a situation where escalation is no longer needed for an attacker to achieve his goal. For example, using SMTP spoofing, an attacker could send an e-mail purporting to be from the CEO and instructing the workforce to take a day off for working so well. Who needs to elevate their privilege to CEO when you have social engineering attacks like this?
Now we'll discuss the process of determining threats to the system. We'll use threat trees and you'll see how to apply STRIDE to threat trees.