Thursday, January 26, 2017

Information Security: DREAD and Mitigation of Threat Models


Continuing from the last post, in which we discussed data flow diagrams and their use in building a threat model, this post covers mitigation strategies for the threats that model surfaces.

The first important step in mitigation is knowing how serious (or how trivial) the vulnerabilities are. To risk-assess computer security threats, Microsoft came up with a simple mnemonic that helps rate the risk associated with a threat using five categories. It is referred to as DREAD, and denotes:
  • Damage: This aspect refers to the possible harm that could be caused to the system, program, data, reputation or brand. It seeks an answer to the question: how bad would the attack be?
  • Reproducibility: This aspect relates to how reliably an attacker can reproduce the attack. It seeks an answer to the question: how easy is it to re-do the attack?
  • Exploitability: This trait refers to the difficulty of exploiting the vulnerability. As such, it looks at the barrier to launching an attack, and seeks an answer to the question: how much work is it to launch the attack?
  • Affected Users: This represents the number of users or systems that could be affected by a threat, i.e. the blast radius. In short, it tries to gauge how many people would be impacted.
  • Discoverability: This concerns how the vulnerability might be found, and gauges how easy it is to discover the threat.

In a nutshell, DREAD is an important categorization that helps one prioritize vulnerabilities and threats based on practical data points.

Once the associated risk has been assessed, it is important to actually mitigate. While the actual changes vary with the vulnerability, there are some general rules of thumb that can be used to mitigate the threats in each STRIDE category. These are:
  • Spoofing: can be countered with proper authentication of the user
  • Tampering: cryptographic protection and proper authentication will help remove any vulnerability here
  • Repudiation: this is generally managed with auditing and digital signatures (private keys)
  • Information disclosure: digital signatures and cryptographic protection help here
  • DoS: these are generally mitigated via network-level restrictions
  • Elevation of Privilege: proper authorization and least-privilege checks usually help here
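As an added example (not code from the original post), the following Python rates a few constructed threats on the five DREAD factors, ranks them by average score, and looks up the STRIDE rule of thumb listed above for each one. The threat names, the ratings and the 0..10 scale per factor are assumptions made for illustration.

```python
from dataclasses import dataclass

# Added example: DREAD scoring and STRIDE mitigation lookup for a small set
# of hypothetical threats. The threats and ratings are constructed.

# Rule-of-thumb mitigations per STRIDE category, as listed in the post.
STRIDE_MITIGATIONS = {
    "Spoofing": "authenticate the user",
    "Tampering": "cryptographic protection plus authentication",
    "Repudiation": "auditing and digital signatures",
    "Information disclosure": "digital signatures and cryptographic protection",
    "DoS": "network-level restrictions",
    "Elevation of Privilege": "proper authorization and least-privilege checks",
}

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str
    damage: int            # each DREAD factor is rated 0 (low) .. 10 (high)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for f in factors:
            if not 0 <= f <= 10:
                raise ValueError(f"{self.name}: DREAD factor {f} outside 0..10")
        return sum(factors) / len(factors)   # average keeps the score in 0..10

def prioritize(threats):
    """Return (threat, score, mitigation) tuples, highest risk first."""
    ranked = sorted(threats, key=lambda t: t.dread_score(), reverse=True)
    return [(t, t.dread_score(), STRIDE_MITIGATIONS[t.stride]) for t in ranked]

# Constructed threats, as they might come out of a login service's DFD.
SAMPLE_THREATS = [
    Threat("Session token forged at trust boundary", "Spoofing", 8, 8, 6, 9, 5),
    Threat("Audit log entries deleted by operator", "Repudiation", 5, 7, 4, 3, 2),
    Threat("Login endpoint flooded with requests", "DoS", 6, 10, 9, 10, 9),
]

if __name__ == "__main__":
    for t, score, fix in prioritize(SAMPLE_THREATS):
        print(f"{score:5.1f}  {t.stride:<22} {t.name}  -> {fix}")
```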

To further ensure that all known threats have been mitigated, developers can play the Elevation of Privilege card game, which simply proceeds from the least privilege and tries to check for all the possible breaches across the STRIDE categories above.

With that, I hope this series of posts was helpful in understanding the basics of information security. It is important to remember that security testing is an ever-evolving list of action items: new threat vectors keep cropping up at different levels within the system, and constant vigilance is the only solution.

Even when the threat models have been done and proper security testing has happened, it is important to revisit the threat model regularly, and on any new feature release. Software and services change during design and code release, and the STRIDE mitigations provide great security tests that can continuously evolve alongside them.