Threat Modeling in the garden of Eden
Mano ‘dash4rk’ Paul, HackFormers
ABC’s about me
• Author
– Official (ISC)2 Guide to the CSSLP
• Advisor
– (ISC)2 Software Assurance Advisor
• Biologist (Shark)
• Christian
• CEO, SecuRisk Solutions & Express Certifications
Agenda
• Teach Security: Threat Modeling
• Teach Christ: In the garden of Eden
• Discussion
Teach Security
Threat Modeling
Threat Modeling
• Process/Activity
– Systematic to determine applicable threats
– Iterative to ensure threats are addressed
• A must-have for companies today
– Cannot ignore
Why Threat Model?
• To manage Risk!
• Risk of what? Disclosure/Alteration/Destruction
• Risk to what? Assets
• Why? Threat agents and Vulnerabilities
• So what do we do? Threat Model → Identify threats & vulnerabilities
• Then what? Manage risk → apply controls
• Model threats → Apply controls → Reduce risk
ABC of Threat Modeling
• Step 1: Identify Assets
• Step 2: Identify Boundaries (Entry/Exit/Flows)
• Step 3: Identify Controls
– But first we need to identify applicable Threats
Step 1: Identify Assets
• Assets (anything of value)
– Financial
– Personal
– Sensitive
– Intellectual property
Step 2: Identify Boundaries
(Diagram: three trust zones, Internal | DMZ | External, separated by boundaries)
Step 3: Identify Controls
• Oh but first, we need to identify Threats
• Threat Identification
– Attack Trees
– Threat Framework
STRIDE Threat Framework

| STRIDE threat | In plain terms |
|---|---|
| Spoofing | Masquerading |
| Tampering | Alteration |
| Repudiation | Denying |
| Info. Disclosure | Data Loss/Leakage |
| Denial of Service | Downtime |
| Elevation of Privilege | Admin (root) |
Identify Controls

| Threat | Controls |
|---|---|
| Spoofing | Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication |
| Tampering | Hashing; Digital signatures; Secure Communications; Input validation |
| Repudiation | Digital signatures; Secure audit trails (logging) |
| Info. Disclosure | Cryptographic protection (Encryption/Hashing …); User awareness against Phishing |
| Denial of Service | Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery |
| Elevation of Privilege | Least privilege (Need to know); Compartmentalization |

Appropriate INCORPORATION of Controls reduces Risk
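The three steps and the STRIDE control table above, as an added example in Python (not the deck's own code): flows that cross a trust boundary are checked against the deck's controls, and whatever has no matching control is reported as open risk. The zone names, the sample flows, and the rule that an uncontrolled boundary crossing faces all six STRIDE threats are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Trust zones from the deck's boundary diagram (Step 2), least to most trusted.
ZONES = ("External", "DMZ", "Internal")

# The deck's threat -> controls table (slide 12), reduced to short labels.
STRIDE_CONTROLS = {
    "Spoofing": {"credential protection", "SSL", "multifactor authentication"},
    "Tampering": {"hashing", "digital signatures", "secure communications",
                  "input validation"},
    "Repudiation": {"digital signatures", "secure audit trails"},
    "Information Disclosure": {"encryption", "hashing", "phishing awareness"},
    "Denial of Service": {"input validation", "throttling", "load balancing",
                          "disaster recovery"},
    "Elevation of Privilege": {"least privilege", "compartmentalization"},
}

@dataclass
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    asset: str          # Step 1: the thing of value this flow carries
    controls: set = field(default_factory=set)   # Step 3: controls applied

def crosses_boundary(flow: Flow) -> bool:
    """Step 2: only flows that cross a trust boundary are in scope."""
    return ZONES.index(flow.src_zone) != ZONES.index(flow.dst_zone)

def unmitigated_threats(flow: Flow) -> list:
    """Assumption (not the deck's rule): a boundary-crossing flow faces all six
    STRIDE threats until at least one matching control from the table is applied."""
    if not crosses_boundary(flow):
        return []
    return [t for t, ctrls in STRIDE_CONTROLS.items() if not ctrls & flow.controls]

def risk_report(flows: list) -> dict:
    """Model threats -> apply controls -> reduce risk: open threats per flow."""
    return {f.name: unmitigated_threats(f) for f in flows}

def example_flows() -> list:
    """Constructed sample model of a login service (not from the deck)."""
    return [
        Flow("browser->login", "External", "DMZ", "credentials",
             {"SSL", "hashing", "secure audit trails"}),
        Flow("login->user-db", "DMZ", "Internal", "personal data",
             {"input validation", "least privilege"}),
        Flow("db->replica", "Internal", "Internal", "personal data"),
    ]
```

Running `risk_report(example_flows())` shows the External-to-DMZ login flow still open to Denial of Service and Elevation of Privilege, the DMZ-to-Internal flow open to Spoofing, Repudiation and Information Disclosure, and the same-zone replication flow out of scope.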
Teach Christ
In the garden of Eden
The Asset
• What is man that thou (God) art mindful of him?
– Psalm 8:4
• Man – God’s most precious asset
– “For you are fearfully and wonderfully made” (Psalm 139:14)
– “Created in the image of God” (Genesis 1:27)
• Man – God’s most prime asset
– Dominion was given to man over all the fish, fowl and all living things that moved upon the earth (Genesis 1:28)
– Apex of God’s creation; not Ex-Ape of Evolution
The Boundaries
(Diagram: two zones, Garden of Eden | External, separated by a boundary)
The threats in the Garden

| Threat | In the Garden |
|---|---|
| Spoofing | The fruit which was bad for the soul (spirit) was pleasing to the eye (flesh) (Genesis 3:6) |
| Tampering | God said: You shall not eat of the tree of knowledge … (Genesis 2:17). Devil asked: … you shall not eat of any tree? (Genesis 3:1) |
| Repudiation | Adam said (denied): It wasn’t me, but Eve; Eve said (denied): It wasn’t me, but the serpent (Genesis 3:12,13) |
| Info. Disclosure | Devil said: Yea, hath God said - phishing for information (Genesis 3:1) |
| Denial of Service | Access to the tree of life was denied after man disobeyed (Genesis 3:22-24) |
| Elevation of Privilege | Prelude to the Garden encounter: Lucifer (the devil) tried to elevate himself above God and was thrown out (Ezekiel 28) |
The Impact
(Diagram: Garden of Eden | External)
The Control
(Diagram: Garden of Eden | External)
No more boundaries (separation from God); Gift of God is eternal life to all who believe in Jesus Christ – John 3:16
Appropriate INCLUSION of Jesus Christ in our life eliminates the risk of second death
Discussion Points
• What are some of the “threats” in your personal/professional life?
• How are you addressing these threats?
Closing Thoughts

```java
try {
    if (uLikedThisMtg) {
        getLinkedIn();
        subscribeViaEmail();
        followAndTweet();   // @hackformers
        emailUs();          // [email protected]
    } else {
        giveFeedback();     // [email protected]
    }
} catch (Threats t) {
    applyControl(God JesusChrist);
} finally {
    ThankUandGodBless();
}
```
Want More?
• Speaker: Michael Howard
– Principal Cybersecurity Program Manager, Microsoft
– Author, Writing Secure Code and many more …
• Topic: TBD
• Date: March 09, 2012
• Time: 11:30 a.m. – 1:00 p.m.
• Venue: Microsoft Technology Center
• www.hackformers.org
• @hackformers
Backup
Identify Controls

| Threat | Controls |
|---|---|
| Spoofing | Secure generation/transmission/storage of credentials (passwords); SSL; Multifactor Authentication |
| Tampering | Hashing; Digital signatures; Secure Communications; Input validation |
| Repudiation | Digital signatures; Secure audit trails (logging) |
| Information Disclosure | Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’ (); Control your tongue (James 3) |
| Denial of Service | Input validation and filtration; Resource and bandwidth throttling; Load balancing; Disaster Recovery |
| Elevation of Privilege | Least privilege (Need to know); Compartmentalization |