Posted on 30-Apr-2020


Page 1: da - Encsclark/courses/1901-6150/scribe/L0… · STRIDE 6150 Security Evaluation Methodologies Jeremy Clark Course Goal given x asked is it secure what do you do applications databases

STRIDE 6150 Security Evaluation Methodologies

Jeremy Clark

Course Goal: given x, asked "is it secure?", what do you do?

Examples of x: applications, databases, OS, software, firmware, hardware, network, computer, server, smart [illegible], IoT, locks, safes, physical [illegible], hydro plant, [illegible], cars, big data, privacy, people, [illegible], cryptographic [illegible], [illegible] engineering, usability, procedures, policies, [illegible].

Evaluation is hard: no single methodology works for everything.

Page 2:

You have to understand the functionality of something before thinking about its security.

Security is necessary but not sufficient.

After evaluation you cannot conclude that it is secure, only that it isn't insecure with regard to a set of known vulnerabilities.

High-Level Methodologies

Useful for organizing security and brainstorming attacks.

Three Examples

STRIDE: evaluate a solution

Evaluation Framework: evaluate a set of solutions

Attack Tree: evaluate a single threat on a solution

Page 3:

STRIDE: a classification for threats. Extension of a basic classification, CIA:

Confidentiality, Integrity, Availability

[diagram: C, A and an illegible label]

Page 4:

Spoofing

TOCTOU: time of check vs. time of use

Denial of Service (DoS)

Distributed DoS (DDoS)

[diagram: many machines sending traffic at a website; labels illegible]

Page 5:

Evaluation Framework: comparison between alternatives. There are no solutions, only trade-offs.

Deliverable is a simple chart. Coming up with criteria is harder than it seems.

There is more to security than security: holistic view of security, usability, deployability.

Framework: [illegible], phrased positively as desirable properties.

[illegible] alternatives

Goal: neutral presentation of information.

Dots: achieves property / achieves property with caveats / doesn't achieve property.

Page 6:

Example: Passwords

Alternatives:

Passwords

Biometrics

Hardware token (e.g. RSA)

Google 2FA (e.g. SMS one-time password)

Password managers

Client certificates

Single Sign-On (Facebook Connect)

Graphical passwords (e.g. Android)
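The chart described on the previous page, built for some of the password alternatives above as an added example (Python written for this transcript, not material from the course or the notes). The property names are assumed for illustration and the ratings are constructed, not the course's assessments; trade_offs() lists what switching from one alternative to another gains and loses, the notes' "no solutions, only trade-offs".

```python
# Chart marks from the notes, indexed by rating level:
# 0 = doesn't achieve property, 1 = achieves with caveats, 2 = achieves property.
MARKS = "○◐●"

# Criteria phrased positively (desirable properties), grouped holistically.
# Property names are illustrative assumptions, not taken from the notes.
PROPERTIES = {
    "usability":     ["nothing to carry", "nothing to remember", "easy recovery"],
    "deployability": ["no extra cost", "works with existing servers"],
    "security":      ["resists guessing", "resists phishing", "resists theft"],
}
_ALL = [(group, prop) for group, props in PROPERTIES.items() for prop in props]

# CONSTRUCTED sample ratings for illustration only; a property not listed is
# rated 0. These are not the course's assessments of the alternatives.
ALTERNATIVES = {
    "Passwords":        {"nothing to carry": 2, "no extra cost": 2,
                         "works with existing servers": 2},
    "Hardware token":   {"nothing to remember": 2, "resists guessing": 2,
                         "resists phishing": 1, "resists theft": 1},
    "Password manager": {"nothing to carry": 1, "nothing to remember": 1,
                         "no extra cost": 2, "works with existing servers": 2,
                         "resists guessing": 2},
    "Biometrics":       {"nothing to carry": 2, "nothing to remember": 2,
                         "resists guessing": 1, "resists phishing": 1},
}

def rating(alt: str, prop: str) -> int:
    return ALTERNATIVES[alt].get(prop, 0)

def chart() -> str:
    """Neutral presentation: one row per alternative, one mark per property, no total."""
    width = max(len(a) for a in ALTERNATIVES)
    lines = [" " * width + "  " + " ".join(f"{i:>2}" for i in range(1, len(_ALL) + 1))]
    for alt in ALTERNATIVES:
        marks = " ".join(f"{MARKS[rating(alt, p)]:>2}" for _, p in _ALL)
        lines.append(f"{alt:{width}}  {marks}")
    lines += [f"{i:>2} = {p} ({g})" for i, (g, p) in enumerate(_ALL, 1)]
    return "\n".join(lines)

def trade_offs(current: str, proposed: str) -> tuple[list[str], list[str]]:
    """'No solutions, only trade-offs': properties gained and lost by switching."""
    gained, lost = [], []
    for _, p in _ALL:
        a, b = rating(current, p), rating(proposed, p)
        if b > a:
            gained.append(p)
        elif a > b:
            lost.append(p)
    return gained, lost
```

print(chart()) shows the dot chart with a numbered legend of properties; the chart deliberately carries no score column, since the goal is neutral presentation rather than a ranking.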