You understand this if you can:
• State the goals & principles of security
• List consequences of poor security
• Apply threat modelling
• DFD Modelling
• Analysis using STRIDE
Security: Why Bother?
• Legal Issues
• Data protection
• Computer misuse
• Commercial Issues
• Loss of commercial information
• Denial of Service
• Data is only available to those intended to access it.
• Resources are only changed in appropriate ways
• System ready when needed and performs acceptably
• Authentication & Authorization
• The identity of users is established.
• Explicitly allow or deny access to resources.
• Users can’t deny an action they’ve performed
Threats & Effects 1
Modification of data in transit Financial losses, Inconsistent
Denial of Service Attacks Prevent business
crashing servers or networks
Penetration attacks resulting Legal requirements to maintain
in theft of information confidentiality
Unauthorized use of Financial loss.
resources Liability (Lack of due diligence)
Tampering: modifying data Inconsistent & incorrect
Threats & Effects 2
Spoofing: Impersonating Financial or data losses or
Monitoring Network traffic for Illegal Access
information e.g. passwords
Viruses Added business expense and
Physical destruction of Prevent business
systems, infrastructure or data
Security Management Goals
• Intrusion Detection
• Unavoidable intrusions
• Internal threats
• Consequence management
• Graceful degradation not catastrophic failure
• Back-up systems & recovery
Security is difficult
• Flaws may have no effect in normal use
• Attackers induce failures by creating the
specific conditions to trigger a flaw.
• Flaws at many different levels
• Not just in your software
• Weaknesses in protocols, operating
systems, applications, Web server, …
• Network traffic is transmitted in clear text,
passwords and data can be recovered
• Ease of Downloading software at work
The Couch Potato’s Summary
• Legal & commercial reasons for security
• Security is more than keeping secrets
• Ensure data is consistent and available
• Ensure users can do what they are entitled to
• Ensure users can’t deny what they’ve done
• Must be right all the time
• Many possible sources of weaknesses
• People, business processes, design
• Implementation, networks, operating systems
• Methodical review of a design or
architecture to discover and correct
potential security problems
• Manage security policies centrally.
• Locate security in the architecture to
maximise usability and minimise modifications
• Perform a business driven risk assessment.
• Apply security levels commensurate to the
resources and the risk.
• Handle varying security needs.
• Implement a security awareness program.
• Maintain a single, accurate date and time
• Authorization and Access Control
Design Principles for Security
• Open design
• Assume attackers have the sources and the specs.
• Fail-safe defaults
• Deny access by default. No single point of failure.
• Least privilege
• No more rights than needed.
• Check everything, every time.
• Least common mechanism
• Beware of shared resources.
• Psychological acceptability
Threat Modelling Approach
• Asset-driven threat modelling
• List assets & how they might be attacked
• What an attacker wants to read, tamper or deny you use of
• Attacker-driven threat modelling
• Potential attackers & their approaches
• Design-driven threat modelling
• Identify components & trust boundaries
• E.g. sockets, remote procedure call services, AJAX APIs.
• A data flow diagram can help identify
• Identify weaknesses
STRIDE Threat Model
Threat Affected property
Information disclosure Confidentiality
Denial of service Availability
Elevation of privilege Authorization
• Break system into relevant components
• Model the system with Data Flow Diagrams
• Analyse components for susceptibility to STRIDE
• Mitigate the threats.
• Consider threats that emerge when systems
combine to create larger systems
• Combining subsystems into larger systems may
violate the assumptions of the subsystem
• E.g. A system that wasn’t designed for Internet use,
may have problems when exposed it.
Data Flow Components
• Data Flow
• Data Store Student Records
• Process Select Students
• Actor Applicant
• Trust Boundary
DFD & STRIDE Analysis
Spoofing Possibly safe
Applicant Collect Applicant Records
Denial of Service
Threats and Data Flow Items
Data Flow Data Store Process Actor
Denial of Service
Elevation of Privilege
Threat Modelling Steps
• Dataflow diagram with trust boundaries
• Threats, mitigations & more threats:
• First order threat is opening the door
• Identify threats by brainstorming.
• First order mitigation each component
• Apply STRIDE model to is a lock.
• Second order threat is picking the lock.
• Consider redesign to reduce threats
• Second order mitigation strong lock
• Mitigate the first order threats.
• Third order mitigation – alarm
• Concentrate on the first order threats first
• Track & check for completeness
• Write code & check against model
Ensuring Security 1
• Policies and practice
• Recruitment & training
• Processes people can follow (e.g. passwords)
• Security designed in
• Freedom from bugs
Ensuring Security 2
• Operating System
• File protection
• Network, hardware
• IT Management
• Administrator passwords
• Improve reliability, but may be easy to access
The Couch Potato’s Summary
• Systematic analysis is needed
• STRIDE can help generate threats
• Consider threat types against components
• Use dataflow diagram to represent system
• External entities, data stores
• Data flows, processes
• Require response at many levels
• People are often weakest link
• Bugs can be vulnerabilities
• Build security into the design
• Security is important
• Spoofing, Tampering, Repudiation
• Information loss, Denial of service
• Elevation of privilege
• Threat Modelling
• Analyse Design
• Identify threats using STRIDE