Discuss at least four risk management strategies

Reference no: EM132245041

Question: Discuss at least four risk management strategies that you can apply to address threats.

Agenda

• Different ways to address threats

• Common mistakes

• Prioritization

• Reading: Chapter 9

How to Threat Model (Summary)

• What are you building?

• What can go wrong?

• What are you going to do about it?

• Did you do a good job? Check your work on steps 1-3

What Are You Going to Do About It?

• For each threat:

- Fix it (avoid the problem)

- Mitigate with standard or custom approaches

- Standard approaches were covered in the previous session

- Accept it

- Transfer the risk

• For each assumption:

- Check it

- If an assumption turns out to be wrong, go back and reconsider what can go wrong

Fix It!

• The best way to fix a security bug is to remove the functionality that contains it

- For example, if TLS had no "heartbeat" extension, OpenSSL's Heartbleed bug (CVE-2014-0160, a missing length check in the heartbeat handler) could not have existed

- You can only take this so far: removing features removes value too

- Oftentimes you end up making risk tradeoffs

• If you don't remove it, you can only mitigate, not fix

• Mitigate the risk in various ways (next slide)

Mitigate Threat

• Add/use technology to prevent attacks

• As covered in previous session in depth

- You learned those first because they're "go-to"

- Only try other approaches when they're not effective/feasible

• For example, prevent tampering:

- Network: digital signatures, MACs and other cryptographic integrity checks, crypto tunnels such as SSH, TLS or IPsec

• Developers, sysadmins have different toolkits for mitigating problems

• Standard approaches available which have been tested & worked through

• Sometimes you need a custom approach
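
The tampering mitigation on this slide, as an added example that is not part of the original slides: a message protected only by an unkeyed hash is still tamperable, because a network attacker can rewrite the message and recompute the digest; a keyed MAC (HMAC-SHA256 here) is the standard tool that makes the change detectable. The order message, the shared key and the attacker's edit are constructed for the demo.

```python
"""Added example: detecting tampering of a message in transit with an HMAC.

Constructed scenario (not from the slides): a client sends an order to a
server over an untrusted network. A plain hash does not stop an attacker
who can rewrite both the message and its digest; a keyed MAC does, because
the attacker lacks the key. Only the standard library is used.
"""
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 / HMAC-SHA256 output size in bytes


def hash_protect(message: bytes) -> bytes:
    """Weak scheme: message || SHA-256(message). No key involved."""
    return message + hashlib.sha256(message).digest()


def hash_check(blob: bytes) -> bool:
    """Accepts any blob whose trailing digest matches its body."""
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hashlib.sha256(message).digest() == digest


def mac_protect(key: bytes, message: bytes) -> bytes:
    """Standard scheme: message || HMAC-SHA256(key, message)."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def mac_check(key: bytes, blob: bytes) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    if len(blob) < TAG_LEN:
        return False
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time; a plain '==' leaks via timing
    return hmac.compare_digest(tag, expected)


def attacker_rewrites(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Network attacker: edit the body and append a fresh unkeyed SHA-256.
    Without the key this is the best the attacker can do against either scheme."""
    message = blob[:-TAG_LEN].replace(old, new)
    return message + hashlib.sha256(message).digest()


def demo() -> dict:
    key = b"\x01" * 32          # constructed shared key; use os.urandom(32) in practice
    order = b"transfer 100 to alice"
    forged_hash = attacker_rewrites(hash_protect(order), b"alice", b"mallory")
    forged_mac = attacker_rewrites(mac_protect(key, order), b"alice", b"mallory")
    return {
        "hash_accepts_forgery": hash_check(forged_hash),                # True: undetected
        "mac_accepts_forgery": mac_check(key, forged_mac),              # False: detected
        "mac_accepts_genuine": mac_check(key, mac_protect(key, order)), # True
        "forged_payload": forged_hash[:-TAG_LEN],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A MAC detects tampering for two parties that share a key; it gives no non-repudiation (that is what digital signatures add) and no replay protection on its own, which is why the tunnels on this slide (SSH, TLS, IPsec) bundle MACs with sequence numbers and key exchange rather than leaving each developer to assemble the pieces.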

Custom Mitigations

• Sometimes the standard technologies don't work for your situation

• Requires custom mitigations (or risk acceptance)

• Easy to get a custom mitigation wrong

• Hard and expensive to test (see page 176 of the reading)

Accepting Risk/Threats

• Works best when it's your risk

- Your organization can accept risk

• Ultimately, a management decision

- Be careful about "accepting" risk for your customers.

• Customer risk acceptance

- Via user interface

- Sometimes the customer has details you can't have (is this network your work or a coffee shop?)

Transferring Risk/Threats

• Via license agreements, terms of service, etc

• Silently (the customer carries the risk without being told)

• Both can lead to unhappy customers

- No one reads the ToS

- Surprise!

- Media blowups

Common Mistakes

• Custom mitigations because they're fun (see above: easy to get wrong, hard to test)

• Fuzzing as a mitigation (fuzzing is a bug-finding technique; it finds some of the problems but prevents none of the attacks)

• Not covering all threats (every threat you found needs one of fix/mitigate/accept/transfer, even if the answer is "accept")

Issue Prioritization Strategies

• Wait and see

• Easy fixes first

• Threat ranking with a bug bar

• Cost/damage estimation approaches

• DREAD

- Abandoned by its creators at Microsoft as too subjective: different people rate the same bug differently

- Loss of an awesome acronym

Wait and See

• Can be risky

- The "cheeseburger approach": keep eating cheeseburgers and let the heart attack tell you there was a problem

• Requires some way of seeing

- Change detection

- Signature-based detection

- Anomaly-based detection

- Impact detection
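
Wait-and-see only works if you have built the "way of seeing" before you start waiting. As an added example that is not part of the original slides, here is the first item on the list, change detection: snapshot the digests of the files you care about as a baseline, then diff a later snapshot against it. The web-root files and the later modifications are constructed sample data.

```python
"""Added example: change detection as the "way of seeing" wait-and-see needs.

Take a baseline of file contents (SHA-256 digests) before you start
waiting, then diff a later snapshot against it. Without the baseline
there is nothing to compare to and the 'wait' is blind. The sample
files below are constructed, not taken from the slides.
"""
import hashlib
import os
from typing import Dict, Mapping


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Map each path to the digest of its content."""
    return {path: fingerprint(content) for path, content in files.items()}


def snapshot_directory(root: str) -> Dict[str, str]:
    """Build the same kind of snapshot from a real directory tree."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = fingerprint(fh.read())
    return result


def diff_snapshots(baseline: Mapping[str, str], current: Mapping[str, str]) -> Dict[str, list]:
    """Classify every path as added, removed or modified relative to the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


# Constructed sample: a small web root before and after an intrusion.
BASELINE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "config.php": b"<?php $db_pass = 'x'; ?>",
    "lib/util.php": b"<?php function f() {} ?>",
}
LATER_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "config.php": b"<?php $db_pass = 'x'; ?>",
    "lib/util.php": b"<?php function f() {} eval($_GET['c']); ?>",  # existing file backdoored
    "uploads/shell.php": b"<?php system($_GET['cmd']); ?>",          # new file dropped
}


def detect_changes() -> Dict[str, list]:
    """Diff the constructed 'later' state against the constructed baseline."""
    return diff_snapshots(snapshot(BASELINE_FILES), snapshot(LATER_FILES))


if __name__ == "__main__":
    for kind, paths in detect_changes().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add: the detector only sees paths the baseline covered, and an attacker who can rewrite the stored baseline (or the detector itself) blinds it, so the digests belong off-host or in signed storage. Signature-based and anomaly-based detection on the slide answer different questions (known-bad content, and unusual behaviour) and are not replaced by this.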

Easy Fixes First

• May be helpful when getting started

• Benefit: demonstrate value

• Risk: fixing the wrong things

Bug Bars

• Concrete impact levels drive severity (sev.)

• All anonymous, remote elevation of privilege (EoP) threats are severity 1

• Information disclosure to authenticated users

- Normally sev 2

- Severity 1 if security info (passwords, crypto secrets) or violates explicit permissions

- Severity 3 if random information only

• Microsoft offers usable sample bars
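
The point of a bug bar is that severity follows from concrete, checkable attributes of the threat rather than from a gut feeling, so it can be written down as rules. As an added example that is not part of the original slides, the three rules on this slide are encoded below; anything the slide does not cover is reported as unrated rather than guessed, and the threat list and field names are constructed.

```python
"""Added example: the sample bug bar rules on this slide, as code.

Only the rules stated on the slide are encoded. Every other threat gets
None ("not rated by this sample bar") instead of an invented number; a
full bar such as Microsoft's SDL sample covers all STRIDE categories.
The Threat fields and the sample threats are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    title: str
    category: str               # STRIDE: "EoP", "InfoDisclosure", "Tampering", ...
    remote: bool                # reachable over the network, not only locally
    anonymous: bool             # exploitable without authenticating
    info_kind: Optional[str] = None  # InfoDisclosure only: "secret", "permissioned", "random" or None


def severity(t: Threat) -> Optional[int]:
    """1 is most severe. None means this sample bar has no rule for the threat."""
    if t.category == "EoP" and t.remote and t.anonymous:
        return 1                # all anonymous, remote EoP are sev 1
    if t.category == "InfoDisclosure" and not t.anonymous:
        if t.info_kind in ("secret", "permissioned"):
            return 1            # passwords, crypto secrets, or an explicit permission bypass
        if t.info_kind == "random":
            return 3            # random information only
        return 2                # the normal case
    return None


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Most severe first; unrated threats sort last so they are flagged, not lost."""
    return sorted(threats, key=lambda t: (severity(t) is None, severity(t) or 0))


# Constructed sample findings from a threat model of a web application.
SAMPLE_THREATS = [
    Threat("Session tokens readable by any logged-in user", "InfoDisclosure",
           remote=True, anonymous=False, info_kind="secret"),
    Threat("Server uptime shown to logged-in users", "InfoDisclosure",
           remote=True, anonymous=False, info_kind="random"),
    Threat("Unauthenticated API call grants admin role", "EoP",
           remote=True, anonymous=True),
    Threat("Error page reveals internal hostnames to logged-in users", "InfoDisclosure",
           remote=True, anonymous=False),
    Threat("Request forms can be altered in transit", "Tampering",
           remote=True, anonymous=True),
]


def triage() -> List[Tuple[str, Optional[int]]]:
    """Return (title, severity) in the order the bar says to work them."""
    return [(t.title, severity(t)) for t in prioritize(SAMPLE_THREATS)]


if __name__ == "__main__":
    for title, sev in triage():
        print(f"sev {sev if sev is not None else '?'}: {title}")
```

The unrated Tampering finding at the bottom is the useful output here: a bar with a gap tells you to extend the bar, whereas a gut-feel ranking would silently have filed it somewhere.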

Cost/Damage Estimation

• Probability/Impact

- Hard to do well

- Predicting odds and attacker difficulty is hard: Visa holograms beaten with tin foil, fingerprint readers fooled with gelatin ("gummy bear") fingers

- Attacker economics vary: an attack not worth an hour to you may be worth a week to someone living on a dollar a day

• FAIR (Factor Analysis of Information Risk)

- Useful

- Can be more time consuming than a bug bar
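
Why probability/impact is "hard to do well", as an added example that is not part of the original slides: expected loss is probability times impact, and with point estimates the ranking looks crisp. Carry the plausible range of each probability through instead and the order can flip, so the ranking is only as good as the odds you guessed. The three threats and their numbers are constructed.

```python
"""Added example: probability/impact ranking and how sensitive it is to the odds.

Expected annual loss = probability(per year) x impact. The same constructed
threat list is ranked with the low end, the midpoint and the high end of
each probability range; the order is not the same each time.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ThreatEstimate:
    name: str
    impact: float        # loss per occurrence, currency units
    p_low: float         # lowest plausible annual probability
    p_high: float        # highest plausible annual probability

    @property
    def p_point(self) -> float:
        """The single number people usually write down: the midpoint."""
        return (self.p_low + self.p_high) / 2


def expected_loss(p: float, impact: float) -> float:
    return p * impact


def rank(threats: List[ThreatEstimate], which: str) -> List[str]:
    """Rank by expected loss using the 'low', 'point' or 'high' probability."""
    pick = {
        "low": lambda t: t.p_low,
        "point": lambda t: t.p_point,
        "high": lambda t: t.p_high,
    }[which]
    ordered = sorted(threats, key=lambda t: expected_loss(pick(t), t.impact), reverse=True)
    return [t.name for t in ordered]


def ranking_is_stable(threats: List[ThreatEstimate]) -> bool:
    """True only if the order survives the whole plausible range of the estimates."""
    return rank(threats, "low") == rank(threats, "point") == rank(threats, "high")


# Constructed estimates for a small web service (not from the slides).
THREATS = [
    ThreatEstimate("credential stuffing on login", impact=50_000, p_low=0.10, p_high=0.30),
    ThreatEstimate("backup bucket left public", impact=300_000, p_low=0.005, p_high=0.06),
    ThreatEstimate("admin page indexed by search engine", impact=1_000, p_low=0.90, p_high=1.00),
]


if __name__ == "__main__":
    for which in ("low", "point", "high"):
        print(f"{which:>5}: {rank(THREATS, which)}")
    print("stable:", ranking_is_stable(THREATS))
```

With the midpoint the frequent, modest loss ranks first; at the high end of the ranges the rare, large loss does. Neither answer is wrong, which is the slide's point: the bug bar avoids the question by ranking on concrete attributes, and FAIR addresses it by estimating ranges and distributions explicitly, which is the extra time the slide mentions.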

Arms Races

• Avoid when you can

• Economic game

- Maximize your profit

- Drive cost to the competition

• Tools

- Bag of tricks

- Last mover advantage

Recap

• For each threat:

- Fix / standard mitigation / custom mitigation / accept / transfer

• Prioritization

- Wait & see/Easy fixes/bug bar

- Probability/Impact

• Arms races
