PTA is free-of-charge for individuals and can be downloaded, installed and operated within minutes. We believe that high availability of a calculative practical threat analysis tool will have a positive impact on the numerous systems which are responsible for the quality of our life by enabling analysts and developers to provide safer systems.
We invite our professional users to write about their practical threat models as well as share their experiences, ideas and insights with the members of the security community worldwide. If you wish to contribute to this forum please email me directly - Zeev.
Self-diagnose your Threat Models
Threat Management - the Bigger Picture
Useful vocabulary for Practical Threat Analysis sessions
PTA package for PCI DSS 1.1 compliance
PTA library for ISO 27001
Mitigating Internal Threats with PTA
A Risk Reduction Methodology for Legacy Software
Map PTA Along With the Chronology of the Penetration Testing Process
Integrating PTA with the Nessus scanning tool***
Self-diagnose your Threat Models
(Using the new Model Completeness report for self-diagnosing PTA threat model consistency)
From: Adi Amir - InteliGraph
Introduction
A common issue in maintaining large scale PTA projects is the constant need to monitor and assure the threat models’ internal completeness and consistency. As we all know, the building of a new threat model typically starts by using existing template models or entity libraries which are relevant to the analyzed domain but are not fully adapted to the specific system.
The PTA Professional Edition data entry and import features enable the analyst to enter partial entities data in order to quickly construct a preliminary model and have first results. This is the main reason why a substantive portion of the model’s life cycle maintenance effort is invested in removing irrelevant entities, adding additional entities, crystallizing the interrelations between the entities and tuning their parameters in order to get the best match of the model to the specific analyzed system realities. The ongoing model improvement process is involved with continuous data collection, what-if analysis and research updates which are essential for the accuracy of the risk assessment results and the prioritized mitigation plans recommended by the analyst.Maintenance of large scale PTA threat models
Things are getting really tedious when dealing with large models which include hundreds of threats, assets, vulnerabilities and countermeasures. When managing large scale models we often come to a point where the number of entities hampers our ability to check the integrity of the model. For example: a model with ‘orphan’ entities such as a threat which does not exploit vulnerabilities, may impact the quality of the mitigation recommendations since the orphan threat can not be associated with countermeasure(s). Other common phenomena are overcrowded models with irrelevant leftover entities or entities that have partial data e.g., assets with no financial value, which cannot take part in the PTA risk calculations.
This new Model Completeness self-diagnosing report (available as of version 1205) has greatly helped us in checking the completeness and integrity of our threat models. Running the report on a mature huge threat model has revealed interesting findings which facilitate the cleaning of the model from junk data and actually saved us from an embarrassing flaws caused by several duplicate vulnerabilities which were not associated with the correct countermeasures. The outcome had a straight impact on the threat analysis results!
The report presents (for each of the threats, assets, vulnerabilities and countermeasures in the model) a checklist of conditions which the entity should fulfill. Conditions which are not fulfilled, and therefore reduce the model’s readability and reliability are marked in red. The following is a list of the threat model completeness conditions as borrowed from the report’s online help page:Threat:
Has Unique Name – The readability and coherence of the model is weakened when entity names are not unique.
Exploits Vulnerabilities – A threat should exploit at least one vulnerability in order to comply with the basic PTA entities interrelations scheme.
Threatens Assets – A threat should threaten at least one asset in order to comply with the basic PTA entities interrelations scheme.
Causes Damage – A threat should cause damage to at least one asset; if a threat does not cause damage to any asset, it is considered irrelevant to the model’s risk calculations. This issue can be corrected by assigning a positive value to at least one of the ‘Threat’s Damage to Asset’ fields or by deleting / temporarily excluding the threat from the model.
Occurs – The probability that a threat will materialize should be greater than zero; if the threat’s probability is zero, the threat is considered to be irrelevant to the model’s risk calculations. You can correct this issue by entering a non-zero value to the ‘Threat’s Probability’ field or by deleting / or temporarily excluding the threat from the model.
Asset:Has Unique Name – The readability and coherence of the model is weakened when entity names are not unique.
Threatened by Threats – Assets which are not threatened by any threat do not contribute to the threat model.
Is Damaged – An asset which is threatened by threats but is not damaged by any of them is considered irrelevant to the model’s risk calculations. This issue can be corrected by assigning a positive value to the ‘Threat’s Damage to Asset’ field of at least one of the threats that threaten the asset or by deleting / temporarily excluding the asset from the threat model.
Has Value – If an asset has no financial value it is considered irrelevant to the model’s risk calculations. If you wish the asset to take part in the quantitative risk calculations you should assign non-zero value to the Asset’s Value field.
Vulnerability:Has Unique Name – The readability and coherence of the model is weakened when entity names are not unique.
Exploited by Threats – A vulnerability which is not exploited by any threat does not contribute to the threat model.
Has Countermeasures – Although there might be cases when a specific vulnerability has no known countermeasure(s), this fact should be explicitly outlined. A good practice is to define a dummy countermeasure with a meaningful name (e.g. ‘No remedy’) and associate it with the vulnerabilities which can not be mitigated – this may prevent negligence in building and maintaining the threat model and stimulate the research for mitigations.
Countermeasure:Has Unique Name – The readability and coherence of the model is weakened when entity names are not unique.
Mitigates Vulnerabilities – A countermeasure which is not associated with vulnerability does not comply with the PTA threat model entities interrelations.
Mitigates Threats – A countermeasure which is not included in a mitigation set of any threat does not contribute to the threat model.
Has Cost – A countermeasure which has no financial cost value does not take part in the threat model cost-effective and mitigation priorities calculations. You can correct this issue by assigning a non-zero value to the ‘Countermeasure’s Implementation Cost’ field.
***
Threat Management - the Bigger Picture
From: Rocky Heckman - Attack Patterns(Quoted from Rocky's post in Microsoft Application Threat Modeling Blog)
Threat Modeling is one those ‘sciences’ that is just now starting to gel into something that can be implemented in a semi-automated fashion. With TAM/e, we have a good approach to threat modeling that is both easy on the development team, and fairly comprehensive (perhaps too much so). However there are still two very different camps on the subject within Microsoft, and a few more outside.There have been a lot of advances in groups such as PTA (Practical Threat Analysis http://www.ptatechnologies.com/ ) as well as a push to formalize Attack Patterns (yours truly http://en.wikipedia.org/wiki/Attack_patterns and http://www.attackpatterns.org/ , Mitre / Homeland Security http://capec.mitre.org/ , and some commissioned work by Cigital https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack.html ) into something that can be used to assist not only Threat Modeling, but attack activity classification as well.
In any case, a thorough, and comprehensive threat modeling methodology must begin to consider these things. There aren’t any established standards yet, but I feel there will be in the near future. For my money, there are a few key things that a TM methodology must have:
1. It must consider and be adaptable to the known usage pattern (TAMe/SDL-IT {Microsoft ACE Team})and unknown usage pattern (Snyder/Swiderski, SDL {Howard/Lipner}) approaches
2. It must be expandable to adapt to proposed standards for classification of threats, attack patterns, and mitigations
3. It must be able to model any system from software to physical devices. The standard way to break down the blocks into Threat, Attack, Mitigation will fit almost anything.
4. There must be a clear and concise way to explain the threat, the associated attacks, and the mitigation
5. There must be a way to loop the TM process back into the development lifecycle, as well as provide visibility up the chain to management
6. Tooling support is critical to the success of a process like this. There are way way too many manual processes and methodologies involved in writing software. We need to remove the process burden from the team, and build it into workflow of the toolset.a. The tool must be intuitive to use and not require a degree to figure it out
b. It must provide the information most important to the particular viewer in context, and in a clear uncluttered manner
c. It must provide a comprehensive view of the security profile of the application portfolio across the organization.
d. It must provide information relevant to auditing and regulatory compliance
e. It must provide trend analysis across the application portfolio to identify areas where training, and process improvements need to be made.
f. It must integrate closely with common development platforms (Visual Studio, Rational Rose/Clearcase) to reduce the need for re-entering data of the modeled system
g. It must provide usable output to the development, test, deployment, and operations teams in the form of actionable tasks.Our base ACE Threat Modeling methodology, where threats are essentially broken down into three parts, the Threat, the Attacks, and the associated mitigations, can be used in a physical world. For example:
Vandalism
Threat – Denial of Service due to damage of the machine
Attack – Damage through blunt weapon attacks
Vulnerability - Machines made of mostly plastic parts
Mitigation - Use Cast Iron parts
Vulnerability - Exposed telephone style button
Mitigation - Use recessed buttons
Attack - Damage through vehicle intrusions
Vulnerability - ATM exposed in outdoor settings
Mitigation - Recess ATM behind wall with only nterop panel exposed
Mitigation - Install Secura-Posts in front of ATMsSkimming
Threat - exposure of ATM card/account data due to the presence of skimming devices on machines
Attack - Skimming device placed over card reader slot
Vulnerability - User cannot tell when a skimming device is present
Mitigation - place an LCD screen along edge of card slot. When user inserts card, ask user to enter code displayed on LCD. If the user cannot see the LCD, skimming device present, notify bank personnelWith this simple process in place, you can model any threat/vulnerability/mitigation from a software system, to defending a radio comms truck on a battlefield. There is a tendency, especially in academia, to over complicate things for the sake of appearing to be doing new research. KISS is the key.
Comparing Risk Analysis to Threat Modeling
During some discussions on this topic one of the guys on our team said:
"All security people know about Risk Assessment. If the end goal is to measure (loose definition) Risk, then why still call in Threat Modelling? Modelling the threats is a part of the goal (if you think about what ACE does its find the threats and vulns) but it’s not the end goal and it’s the end goal that customers care about, managing risk."
I’m not sure I’d generalize that much. Security people also care about Risk Management, not just assessment. If you can identify and assess a risk, you are only ˝ way there. Doing something about it needs to be part of the process. So if Threat Modeling is the first ˝, would Threat Management be a more appropriate term for the full process?
Hmm...the more I think about it the more I like that term. It’s akin to the paring of Risk assessment and Risk Management. Risk Assessment is what those rent-an-auditors do. But Risk Management completes the circle. Threat Modeling, provides the context and identifies the areas to be covered, but Threat Management completes the process. Threat Management should be a part of any good Risk Management strategy.
Another person on the team said:
As I understand it, threat modeling is the combination of risk analysis and risk management.
Risk analysis has these steps:-
1. Asset and data valuation
2. Identification of threats and vulnerabilities to the assets
3. Calculation of risk for each threatRisk management has the following steps:-
1. Choose what to do with the risk based on the risk appetite (reduce/accept/transfer/avoid the risk)
2. If you choose to reduce the risk, choose a countermeasure commensurate with the level of risk.
Threat modeling does all the above 5 steps and hence covers both risk assessment and management.I believe that Threat Modeling is a subset of an RA process. There is more to RA/RM than threat modeling. There are many areas of RM that do not include any sort of ‘attack’ portion. There are many instances where RA/RM is performed on things that are not systems in any stretch of the term. While TM is a Risk Management process, it is not completely transferable as Risk Management.
Think of it this way, Risk Management is a base class, while Threat Management inherits from Risk Management.
Risk Management ideas/principals can be used on almost anything, but Threat Management is generally restricted to implementations of things.
You can have internal risks, and their mitigations, but there may not be any ‘attacks’ associated with it. TM comes into play where you may have nefarious entities actively or accidentally damaging your stuff.
For Example, investment firms and financial organizations do a lot of RA against stock and share prices. Yet there is nothing they can do to prevent them from actually crashing, and there is no attack or attacker involved. This is not something you can threat model based on commonly understood or applied principals of TM. You can’t identify a vulnerability that you can provide an actionable mitigation for. So the best you can do is plan for failure based on probability and likelihood and shore up your decisions on those plans.
Threat Management is differentiated by the fact that there is an identifiable vulnerability that could be attacked intentionally or accidentally where an actionable mitigation can be executed to remove or reduce the identified vulnerability. (look, a new definition just appeared. )
So while I agree that TM is PART of an RM strategy, I believe they are distinct and different things with one being a subset of the other. Ask yourself, isn’t it important to be able to clearly identify the holes you can, and be able to do something about the hole itself? In standardized RM strategies, you can't do anything about the stock crashing, you can only decide if you are willing to take the chance that the value will hold or not. You will either buy the stock, or you won't.
So, Threat Management is a part of any good Risk Management strategy. It includes identifying the threats, and providing actionable items that can address a vulnerability in the system/thing being modeled. This process is essential in the larger picture of Risk Management which not only takes into account system/thing based risks, but postures, and approaches to risk in general at a higher level.
***
Useful vocabulary for Practical Threat Analysis sessions
From: Paul Varner - InteliGraph
Introduction
Since some of the terms frequently used within the scope of the risk assessment process are not tightly defined, I thought it might be productive to provide PTA analysts with a short list of practical definitions. In the following you can find several definitions of terms I have found applicable to the majority of my PTA threat risk assessment and threat modeling projects.
Asset in general, is anything you wish to protect - any tangible or intangible thing that has value to an organization or to a system. In information security scenarios, an asset is usually data, a computer system or a network of computer systems. The following terms are usually associated with assets:Availability (as applies to assets) - an asset is available if it is accessible and usable when needed by authorized users or subsystems. Assets such as information, applications, facilities, networks, and computers, must be available to authorized users when they need to access or use them.
Integrity (as applies to information assets) - preserving the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it. Integrity can be defined as the absence of unauthorized changes. Unauthorized changes result in that computer's or data's integrity being compromised e.g. bogus data was inserted into the legitimate data, or configuration information have been altered in such a way as to allow unauthorized users to use the system improperly.Confidentiality (as applies to information assets) – protecting and preserving the confidentiality of information means to ensure that the information is not made available or disclosed to unauthorized individuals and/or processes. Confidentiality is a somewhat different problem than that of integrity, since it can be compromised completely passively. If someone alters your data, it can be detected by comparing the compromised data with the original data. If someone copies and steals the data, detection is much harder since the data actually has not been changed.
Information processing facility is any system, service, infrastructure, or any physical location that houses information. It can be either an activity or a place; and (as true for all types of assets) it can be either tangible or intangible.Vulnerability is a weakness in an asset or group of assets that are part of the system. An asset’s weakness could allow it to be exploited and harmed by one or more threats. In general vulnerabilities can be divided into 2 types: known and plausible vulnerabilities in the assets and in the systems that directly interact with them and unknown vulnerabilities. Known vulnerabilities, of course, are much easier to deal with than vulnerabilities that are purely speculative. Never the less, you need to try to identify both.
A threat is a potential event which exploits vulnerabilities in assets and may harm an organization or system. When a threat turns into an actual event, it is called a threat incident. A threat incident indicates that the security of the system may have been breached or compromised thus the business operation may have been weaken or impaired. In general, a threat incident is the combination of asset(s) that are damaged, vulnerability(s) that are exploited and attacker(s) that materialize the threat scenario. The following terms are usually relevant to threats:Attackers can range from the predictable (e.g. disgruntled ex-employees, mischievous youths or hackers) to the strange-but-true (drug cartels, government agencies, industrial spies). When you consider possible attackers, almost any type is possible - the challenge is to gauge which attackers are the most likely.
Risk combines a threat incident with its probability and with its potential impact or damage. When composing a threat model we usually ask: what is the probability that a particular event will occur and what negative impact or damage would this event have if it actually occurred? A high risk event would have a high probability of occurring as well as a big negative impact if it occurred. The concept of risk is always future oriented and deals with the impact events could have in the future.
Risk analysis is a process intended to identify and describe possible sources of risk to a system or organization. It uses information to identify threats or events that could have a harmful impact. It then calculates the estimated risk embedded in each threat by estimating the probability that this event will actually occur in the future and the impact it would have on the system’s assets if it actually occurred.
Risk assessment combines the risk analysis described above with a process of risk evaluation which compares the estimated risk with a set of risk criteria. This is done in order to determine the actual significance of the risk.
Risk treatment is a decision making process. For each risk, risk treatment involves choosing amongst the following 4 options: accept the risk, reject/ignore the risk, transfer the risk, or reduce the risk. In general, risks are treated by selecting and implementing countermeasures designed to reduce the risk.
Residual risk is the risk left over after reducing the risk by implementing the countermeasures derived from the risk treatment phase. Risk acceptance means that you have decided that you can live with a particular risk. Transferring risk usually takes the form of purchasing insurance to soften the impact of a threat incident.Countermeasure / Control / Safeguard is any administrative, management, technical, or legal method that is used to block vulnerabilities and reduce the risk caused by threats. Countermeasures include practices, policies, procedures, programs, techniques, technologies, guidelines and regulations. Countermeasures can be classified as corrective actions that are taken to address existing actual problems or preventive actions that are taken to avoid potential problems, ones that have not yet occurred. The following terms are also relevant:
Information security is all about protecting and preserving information confidentiality, integrity, authenticity, availability, and reliability.
Information security management system (ISMS) includes policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used by the organization to manage and control its information security risks.
Information security policy expresses organization’s commitment to the implementation, maintenance, and improvement of its information security management system.
Management review is intended to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.Document refers to information and to the medium used to bring it into existence. The following terms are usually associated with documents in the context of practical threat analysis:
A standard is a document with a set of rules that control how people develop and manage materials, products, services, technologies, tasks, processes, and systems.
ISO standards for example, are agreements because its members must agree on content and give formal approval before they are published. Most standards are developed by technical committees whose members come from many different countries and organizations; therefore, they tend to have very broad support.
A requirement is a need, expectation, or obligation that can be stated or implied by an organization, its customers, or other interested parties. Usually the types of requirements relevant to the threat analysis process are security requirements, contractual requirements, management requirements, regulatory requirements, and legal requirements.
A Statement of Applicability is a document that lists the organization’s information security countermeasures objectives and controls. In order to figure out what the organization’s specific security countermeasures and control objectives should be, a comprehensive risk assessment should be carried out, risk treatments should be selected, the relevant legal and regulatory requirements should be identified, contractual obligations should be studied, and the organization’s unique business needs and requirements should be reviewed.
***
PTA Package for PCI DSS 1.1 compliance
(Using Practical Threat Analysis to attain PCI DSS 1.1 compliance)
From: Y. Avital - Open SolutionsIntroduction
The PCI Data Security Standard version 1.1 (Aka PCI DSS 1.1) combines best practices from the card associations on how to protect customers' payment card data. The question is how merchants can use the PCI DSS effectively to reduce their data assets breach risk.In this article, we show how PTA can help take the pain out of the threat risk assessment (TRA) planning and the controls implementation process and reduce cost of the security investment.
The PCI DSS specifications tells retailers all they need to do to be secure, without telling them where to start and how to prioritize controls against threats. The standard does not consider how to balance the value of retailer payment data assets against the cost of implementing the security controls specified in the standard.
It is obvious that the objective should not be "compliance for compliance sake". Used properly, PCI DSS can be an effective way of reducing the merchant's operational risk of handling payment card data. The free PTA PCI 1.1 package, which accompanies this article, includes a practical threat model and a library that have been used in several real-life PCI assessment projects and were found to be productive in shortening risk assessment timetables and constructing risk mitigation programs for Level 2, 3 and 4 merchants.BTW:
The concept of PTA security entities and threat model libraries was found to be the best approach for transforming compliance knowledge and data into practical quantitative risk analysis process which provides effective mitigation actions. We use this mechanism for converting standards such as NERC/FERC, SOX and other popular industry security compliance methodologies to PTA threat models and use them as a dynamic baseline for employing modern risk management system based on quantitative risk analysis.
PTA benefits for PCI DSS risk assessments
Business impact analysis: enable business decision makers to state asset values, calculate risk profiles and consider controls in $ values - this transforms security from a technology acquisition process into a business decision process.
Reusable: enable merchants to easily change their threat model as the business evolves and perform PCI quarterly self-assessments and "what-if" analysis on actual threat scenarios.
Robust: produce management reports of risk profile at any time with the click of a button.
Effective: recommend the most effective security countermeasures and their order of implementation; the PTA optimized risk mitigation plan analysis can save as much as 80% of the cost of security controls implementation.
How we created the PTA PCI 1.1 Threat ModelThe current version of the PCI standard specifications contains 12 sections, where each section describes a security policy and list of security controls. For example, Section 1 deals with the need for a firewall and contains a list of firewall best practices.
We needed to map the PCI DSS 1.1 data model to the PTA threat model concept that is composed of threats, vulnerabilities, assets and countermeasures. We observed that the top-level items in each section mapped nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures.A few examples:
- PCI section 1 "Requirement 1: Install and maintain a firewall configuration to protect cardholder data" corresponds to a common network vulnerability "Sensitive areas within a company internal network may be accessible from the Internet" .
- PCI section 5 "Systems may be affected by viruses and malware" maps to vulnerability "Malicious viruses can enter the network e.g. via employees e-mail activities" and the corresponding countermeasures to this vulnerability are "5.1 Deploy anti-virus software on all systems commonly affected by viruses" and "5.2 Ensure that all anti-virus mechanisms are current and actively running".
In order to simplify (yet retain all of the original best practices) we cataloged top-level controls as PTA countermeasure entities with the relevant sub-items information organized as a specific countermeasure Attached Document (that can be accessed by double clicking on the name of the document or clicking on the Open Document button).
For example:
After mapping the PCI DSS 1.1 data model to the PTA vulnerabilities and countermeasures, we have built a baseline PTA threat model by adding some sample threats and assets. We then converted our model into a generic PTA risk expertise library by using the "Save as Library" function.Double clicking on the attached document for countermeasure 2.1 "2.1 Always change vendor-supplied defaults before installing a system on the network" opens a Microsoft Word document with a detailed description of how to protect systems including changing default vendor passwords, eliminating unnecessary accounts and protecting wireless environments.
The baseline threat model PCI_DSS_1.1_Base_Model.thm is intended for use as a baseline model in self-assessments by PCI risk assessors who wish to develop customized business threat models. The PCI_DSS_1.1_Library.thl can be used by PTA analysts who wish to integrate PCI DSS entities into their business threat model and create an integrated risk model for the entire enterprise. The threat model and the library as well as the attached documents and the original PCI DSS 1.1 specifications pdf were packed in a free download zip file.
PCI DSS Risk assessment in practice
Doing a PCI DSS risk assessment with PTA is faster, easier, more robust and lot more fun than with an Excel spreadsheet or with the Microsoft Word self-assessment form.
Stage 1 is a "first cut" review of the existence and completeness of key documentation of systems that store payment card data and how they are vulnerable to internal and external threats. This is done by cycling through the PTA threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.
Stage 2 is a detailed, in-depth audit that tests existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as Already Implemented in PTA Professional Edition countermeasures detail screen. Controls needing work would be tagged with action-required status (see the tagging option of the PTA tool). FYI, a complete software security assessment methodology with PTA is described in details the article Your Defense Against Data Security Threats from ITAudit - the Institute of Internal Auditors.
Choosing the most cost-effective controls - preliminary conclusions
After establishing the threat model which is suitable for a specific merchant business, the practical question is what security controls should be first implemented? Should you buy database firewall technology or should you focus on restricting access based on users need to know?
While a company with deep pockets might decide to implement the entire checklist of controls, most merchants and processors must get the most for their security investment i.e. reduce total cost of ownership. Implementing additional controls does not necessarily reduce risk in an ongoing operation. For example, beefing up network security (like firewalls and proxies) and installing advanced application security products, is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and inflation in the number of firewall and content filtering rules. The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.
PTA PCI 1.1 enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of an all-or-nothing checklist implementation that may impact its competitiveness.
Use the PTA package on your own PCI DSS self-assessmentsHere is how you would use PTA PCI 1.1 in your own self-assessment project (after installing the PTA Professional Edition freeware on your Windows PC).
Extract the PTA PCI 1.1 zip file into a dedicated folder. The zip contains the PTA PCI threat model and attached documents.
Step 0 - Fire up PTA.Step 1 - Open the "PCI_DSS_1.1_Base_Model.thm" data model in its entirety and get started using the sample model as your baseline; before you exit, don't forget to save the model under a new name ….
Step 2 - Create assets with valuations
Step 3 - Enter the costs of countermeasures; the model that we provide is agnostic; we understand that each organization has their own estimates of how much a control policy should cost.
Step 4 - Run the "Optimized Risk Mitigation Plan" report and build your own cost-justified mitigation plan of controls compliant with PCI DSS 1.1.
Step 5 - Refine the model. Return to the model periodically and test effectiveness of your risk mitigation program.
Read more on Risk assessment with the PTA PCI DSS library.
***
(Risk assessment with the PTA ISO 27001 Library)
From: Eli Moran & Maciej Lewandowski Control Policy Group
Introduction:The ISO 27001 library is a full PTA threat model implementation of the ISO 27001 compliance check list for the ISO 27001 standard. The library is available for free download, licensed from the Control Policy Group under the Creative Commons Attribution License.
Plain certification vs. identifying the appropriate risk reduction controls
The ISO 27001 certification process can be simple or involved but, at the end of the day, there are always far more controls (countermeasures) to be implemented than resources for applying them. Organizations, large and small, find themselves coping with long and confusing check lists of controls. You can implement the entire check list of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase (i.e. get the most for your security investment dollar) with a set of controls optimized for your specific business risk.
We all know that additional security controls do not necessarily reduce risk. Modifying existing infrastructure (e.g. firewalls and proxies) and installing layers of security products is not a free lunch and often increase the total system risk and cost of ownership, as a result of the interaction between the elements.
The combination of PTA threat model and its calculative methods with the ISO 27001 check list enables us to create a quantitative risk model and construct an economically justified set of countermeasures that reduces risk according to the specific customer’s business and state. Moreover, we were able to execute a moderate implementation plan of countermeasures according to customer’s budget instead of an “all-or-nothing” checklist implementation that may cost fortune and badly affect the competitiveness of the business.
How we created the library
ISO 27001 sets the requirements that an organization must fulfill in order to establish an information security management system. It contains 185 items in 11 sections, where each item has a reference number, and describes a security policy and a corresponding security control. For example Item 6.1.5 is a "Confidentiality agreements" security policy with the following control: "Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed"
First we mapped the ISO 27001 data model to the PTA threat model which is composed of threats, vulnerabilities, assets and countermeasures. Since the ISO 27001 standard does not refer to particular threats or assets, we realized that the top level items in each section (number x.y) map nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures.For example:
06.1 "Internal organization; information security is lacking or not well-defined" can be easily defined as a PTA threat model vulnerability mitigated by the following PTA threat model countermeasures:
6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
6.1.2 Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
6.1.3 All information security responsibilities shall be clearly defined
6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.
6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
6.1.6 Appropriate contacts with relevant authorities shall be maintained.
6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
6.1.8 The organization's approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
We used PTA “Import Entities from Text File” tool to load the text of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures and then we packed it as a standard PTA library.
The standard specifies that organizations should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level etc.). The PTA ISO 27001 library provides not only a systematic, but also a quantitative approach to risk assessment that adds a great deal of value by enabling you to arrive at a set of controls optimized for your business situation.Read more on Risk assessment with the PTA ISO 27001 library.
Download a free copy of the PTA ISO 27001 library and let us know what you think!(revised: September 2007)
***
Mitigating Internal Threats with PTA
(Producing financial justification for extrusion prevention)
From: Y. Avital - Open Solutions - Specialists in controlling unauthorized disclosure.
Introduction:After 3 years of a growing wave of data breach events, ranging from Bank of America and ChoicePoint to the Israeli Trojan, there is growing awareness to the importance of mitigating internally-launched threats. However, as practioners in this field will attest and as recent studies show, the majority of organizations are not allocating people and technology resources to reduce extrusion risk.
We believe that the reason for this is that there is no accepted, practical methodology for end users to assess internal threats and vulnerabilities and generate a financial justification for a decision-making manager. In contrast, the security industry has well-developed indicators for anti-virus, spyware, exploits and software vulnerabilities to external threats.
Daily indicators and advisories are published by vendors such as McAfee and industry consortia such as CVE (Mitre) and SANS. While compliance may be a driver for some industries, there are always many different, often non-technical ways to comply with GLBH, California SB1386 and PCI data security without purchasing a $300K system from Vontu or a $65K EPS appliance from Fidelis Security Systems.
Case study summaryThis article summarizes a practical threat analysis (performed using the PTA tool) conducted in August 2006 with a NASDAQ-traded technology company with 10 branches worldwide. The company was concerned with protecting valuable IP and network infrastructures from internal threats. The output of the threat analysis was an optimized mitigation plan that clearly showed the top threats and top 3 countermeasures the company should be deploying. The reader will note that the study did not limit itself to employee abuse or ignorance but focused on any significant internally-launched attack, whether the attacker was an employee or a malicious hacker that broke in.
Five classes of countermeasures were specified:
IDM - Identity Management, primarily regarding database user logins
SYSTEM - Patch management for workstations, database and Web servers
SDLC - Software development life cycle - Enforce secure code development standards
AUP - Acceptable Usage policy for using the corporate IT resources
EPS - Extrusion prevention system from Fidelis Security Systems that would mitigate threats of insider Web postings, design database file transfer, AUP violations and unauthorized non-proxied end points.
What were the threats?The top threats were:
1) Malicious hacker connects to internal databases/file system in order to access/modify sensitive data.
2) Employees are tempted to download music/share files/Google chat for personal ends.
3) Hacker uses HTTP requests to get access to OS resources of the Web server.
4) Malicious insider connects to internal databases/file system in order to access/modify sensitive data.
5) Insiders may leak sensitive information over the Web relating to company image/trading.
Conclusions:
Surprisingly enough to the executive management of the company, insider disclosures in Web postings were the least of their problems and the majority of the risk was mitigated by only two countermeasures:
1) Mitigate threats from AUP violations using an extrusion prevention system from Fidelis Security Systems.
2) Enforce secure code development standards for internally developed e-business applications that interface with partners.
These two countermeasures alone reduced risk from 38 percent to 12 percent at a cost of less than 1 percent of the total asset value as you can see in the attached Countermeasure Optimization Report pdf file.
Click here to download the Practical Threat Analysis Threat Model (zipped) used in the study.
***
A Risk Reduction Methodology for Legacy Software
From: Dan Lieberman Software Associates
Security breaches continue to garner headlines as conventional information security tools fail to halt attacks on customer data and intellectual property.
The alternative is an approach based on the notion that buggy software is insecure software. The Carnegie Mellon Software Engineering Institute (SEI) reports that 90 percent of all software vulnerabilities are due to well-known defect types (for example using a hard coded server password or writing temporary work files with world read privileges). All of the SANS Top 20 Internet Security vulnerabilities are the result of “poor coding, testing and sloppy software engineering.
Why isn't software quality better? Let’s examine commitment to quality at three levels in an organization: end-users, development managers and top executives.
- Users are conditioned to accept unreliable software on their desktop and development managers are inclined to accept faulty software as a tradeoff to meeting a development schedule.
- Executives, while committed to quality of their own products and services, do not find security breaches sufficient reason to become security leaders with their enterprise systems because they usually receive conflicting proposals for new information security initiatives with weak or missing financial justifications. Moreover, in most cases the recommended security initiatives often disrupt the business.
Challenges to removing software defects in legacy systems:It is rare to see systematic defect reduction projects in production software, so what makes it so hard?
1) The familiar top-down structured development processes (including Extreme Programming) used by internal development groups are totally inappropriate for risk analysis of legacy systems.2) The cost of finding and fixing a bug in a production system can be much higher than finding and fixing the bug during requirements and design phase.
3) The application developers and IT security teams don’t usually talk to each other. The larger the organization, the more they lose when information gets lost in the cracks.
We can meet the above challenges in a cost-effective way by establishing and maintaining three tenets:
1) Use a risk analysis process that is suitable for legacy systems. The process collects data from all levels in the organization that touch the legacy system and classify defects for risk mitigation according to standard vulnerability and problem types.
2) Provide executives with financial justification for defect reduction. Quantify the risk in terms of assets, software vulnerabilities, and the organization’s current threats. Identify system components with higher vulnerabilities and payback to reduce total system risk.
3) Require the development and IT security teams to start talking, make a "culture of security" part of the software development process. Explicit communications between software developers and IT security can be facilitated by an online knowledge base and ticketing tool that provide an updated picture of well-known defects and security events.
The risk analysis process for legacy systemsThe familiar top-down structured development processes (including Extreme Programming) used by internal development groups are totally inappropriate for risk analysis of legacy systems.
Therefore, our first tenet is to use a risk analysis process that identifies, classifies and evaluates software vulnerabilities in order to recommend cost-effective countermeasures. This process is iterative and its steps can run independently, enabling any step to feed changes into previous steps even after partial results have been attained.
Continuous review of findings is key to success of the project. For example, an end-user may point-out fatal flows in an order entry form to the VP engineering during the Validate Findings step and influence the results in the Classify Vulnerabilities and Build the threat model steps. The process has seven steps:
1. Set scope.
This preliminary step determines the scope of work in terms of business units and assets. Focus on a particular business unit and application functions will improve the ability to converge quickly. The process will also benefit from executive level sponsorship that will need to buy into implementation of the risk mitigation plan. The team members are chosen at a preliminary planning meeting with the lead analyst and the project’s sponsor. There will be 4-8 active participants with relevant knowledge of the business and the software. The team will be guided by 2-4 expert risk analysts that have good people skills and patience to work in a chaotic process.
2. Identify business assets.
In this step the team identifies operational business functions and the key information/operational/transactional assets that they use.
3. Identify software components.
After identifying business functions in Identify business assets, the team now identifies software components (but doesn’t assess vulnerabilities) using two sub-steps:
- Identify application functions that serve the business function.
- Decompose application functions to software components.
4. Classify the software vulnerabilities.
CVSS (Common Vulnerability Scoring System) scores are computed for each component identified in the Identify software components step. CVSS is a standard way to convey vulnerability severity and help determine urgency and priority of response, Vendors such as Cisco, Symantec and Skype use CVSS to score their own application vulnerabilities. In addition to the CVSS score, we collect an additional field, the CLASP (Comprehensive, Lightweight Application Security Process) problem type category, for example Use of hard-coded password. The knowledge base supporting the process contains a baseline of classified software vulnerabilities and evolves over time as the team classifies new vulnerabilities. Various source code scanners may also be used in this step, for example FindBugs to find problems in Java source code.
5. Build the threat model.
The team now populates the PTA (Practical Threat Analysis) threat model. Assets collected in the Identify business assets step are assigned a financial value. Threats are named and classified as to their probability of occurrence and damage levels. Vulnerabilities that were collected in the Classify the vulnerabilities step are associated with threats
6. Build the risk-mitigation plan.
In this step, the team specifies countermeasures for vulnerabilities found in the software components and records them in the PTA data model. While the best countermeasure for a problem is fixing it, in reality there may not be documentation and the programmers who wrote the code are probably in some other job. This means that other means may be required, such as code wrappers or application proxies. The possible types of countermeasures are Retain, Modify and Add:
- Retain the existing component (leave the defects in place) or,
- Modify the component (fix the defect or put in a workaround) or,
- Add components (for example call the Global LDAP directory to authenticate on-line users instead of using a proprietary customer table).Each countermeasure is assigned a cost and mitigation level. The cost may be a combination of fixed and variable cost in order to describe a one time cost of fixing a problem and ongoing maintenance cost.
7. Validate findings
This extremely important step validates the current findings with expert/relevant players in the enterprise. The objective is to use all means at the disposal of the team to qualify components and vulnerabilities as to where (they are in the system), which (assets are involved), what (they do now and in the past), why (they perform the way they do) and when (a component is initialized and activated).
Conceptually, no limits are placed on what questions can be asked. Users may downgrade low-risk software components and escalate others for priority attention. They may add or remove assets from the model and argue parameters such as probability, asset value, estimated damage etc.
For example, a server-side order confirmation script that sends email to the customer may have received a low CVSS score in Classify the software vulnerabilities. The team can simply decide to eliminate that vulnerability from the list during Validate findings.
The output:A quantitative evaluation and financial justification
The output of the process provides executives with financial justification for an effective risk mitigation plan. After specifying countermeasures, the PTA risk-reduction optimization algorithm produces a prioritized list of the countermeasures in financial terms. The risk-reduction algorithm combines the most cost-effective countermeasures to reduce the overall system risk level to a minimum at a total fixed and variable cost.Note:
The complete article with a real life case study and the detailed process schemes are available for download at Software Associates.
***
Map PTA Along With the Chronology of the Penetration Testing Process
From: skillz SecGuru
What I understand by going through your article and using PTA, most of the process is manual that is:
Security Analyst does the scan -> Defines Assets and assign financial values (fixed and recurring) -> List vulnerabilities for those assets -> associate threats (level, chances) due to those vulnerabilities -> and countermeasures to mitigate that threat.
Now let me try to map these steps along with the chronology of a pentest. This is just a gist of typical pentest which people do out there, enlisting everything in detail is obviously out of scope.
The analyst either receives a list of servers/subnets/domains that needs to be tested. This basically defines the realm of assets which he will attack during the test. Pentest scans as jotted down in most of the books, starts with reconnaissance, dns xfers, port scans etc..etc.. At this stage analyst gathers more information about the target assets, yet unable to determine the financial value, predict criticality or threat level.
Next step is the use of vulnerability scanners, mostly automated probing programs which look into all open ports and test for various public vulnerabilities. This process sometimes takes time, so analyst try to fiddle with the server on its own and see what is out there based on the initial recon and port scans. Manual probing again helps in some establishment of assets financial value.
Once, the vulnerability scan report is obtained - next step is to remove false positives and thus, create list of actual vulnerabilities plus what analyst found during manual probing of asset using his custom/other programs. Now, if you do this hundred times you can easily predict the threat to those servers by glancing at the list of vulnerabilities. By now the analyst starts questioning himself, "what will happen to asset_a, if I own asset_b using that vulnerability" and basically create inter-web and add subject-matter-expertise to the problem on hand.
Now, during all this process many steps for “Risk / Threat Assessment” can be automated – e.g. creating list of assets, mapping vulnerabilities to assets. If you use the same scanner day-in-day-out you can easily tag all your plug-ins / scripts to threats they may cause and also automate that process. You may also define chances of threat becoming successful from outside and inside the network, which will later on help in calculations of the actual risk values.
So, basically all that is left is assigning categories to assets. Here I try to use 4-quardrant rule from "seven habits of influential people" -- Steven Covey.
LEVEL I = Important and Urgent
LEVEL II = Important, but not Urgent
LEVEL III = Not Important but Urgent
LEVEL IV = Not Important and not Urgent
That is what Steven Covey suggests for optimizing work throughput, in our case we replace Urgency by whether the server is accessible over internet and Importance by Biz Criticality. So the new quadrants would be:
LEVEL I = Critical and Internet Accessible
LEVEL II = Critical, but not Internet Accessible
LEVEL III = Not Critical but Internet Accessible
LEVEL IV = Not Critical and not Internet Accessible
I understand that a CFO, legal advisors should decide values for these assets; and my designed categories are just a quick and dirty way of doing it (not advised for many reasons). However, many security assignments don’t require risk assessment. Client requires a 3rd party vulnerability assessment and then they engage internal teams to develop models and assess risk.
In such cases, a better prediction of risk to the company can be provided by doing automation as suggest above and reprioritize the threats by also taking into consideration the category in which it is placed.
Now, the remaining element to this whole picture is finding the countermeasure's priorities. As mentioned in your article, “The countermeasure's priorities are a function of the system’s assets values, level of potential damage, threats probabilities and degrees of mitigation provided by countermeasures.”
Out of four entities required to calculate countermeasure's priorities, we can automate three and base the asset value on a broader terms such as, four quadrants mentioned above.
***
Integrating PTA with Nessus - the industry standard tool for scanning
From: skillz SecGuru
...IMHO, the industry standard tool for scanning is Nessus (*) and I have seen many security auditors just using that as their primary source of vulnerability information. However, like every scanner Nessus too produces a lot of false positives and it requires manual checking too. Most of the scanner now output their findings using xml which can be easily played around with.
If you are aware of what Nessus scripts are being used to discover asset features (e.g. OS, Applications running on it etc... ) then you can easily write a script which goes through the xml and brings out that information for you from only those selected plug-ins, as you said in the form of CSV.
Once you have that information, another script can create list of vulnerabilities per host like this :
[host A] = [vuln1],[vuln2],[vuln3]
After that is created you will have to remove false positives from this list. OR ... you can mark the false positives in the scanner's GUI and then export results out in xml, so that you know everything is clean :-) either ways you can get the list of vulnerability per host.
With expertise in security, an analyst can then assign every vulnerability (based on plug-in id ?) to a threat ( another id ). like this :
XSS Bug => vulnerabililty_id_30012 = threat_id_input_validation SQL
Inject => vulnerabililty_id_30015 = threat_id_input_validation
or something similar based on industry standards like this
http://www.secguru.com/web_security_threat_classification
Moreover, most of the scanners now give CVSS rating to each vulnerability based. You may also use that information if your scanner provides it :-).
On the same note, you can define countermeasures for every threat id that you created. e.g...
threat_id_input_validation = countermeasure_id_sanitize_input
So, now you have the Asset Info , Vulnerability Info, threat and countermeasure ; all the stuff that PTA requires :-)
So the end result could be :
---[asset_1]
------[vulnerability__A]
----------------[threat]
----------------[countermeasure]
----------------[info_from_cvss]
------[vulnerability__B]
----------------[threat]
----------------[countermeasure]
----------------[info_from_cvss]
---[asset_2]
------[vulnerability__A]
----------------[threat]
----------------[countermeasure]
----------------[info_from_cvss]
... and so on...
Once all this information is entered into PTA it would be trivial task for Risk Assessment team to assign actual dollar value to every asset and immediately generate a report !
Hope this helps
-=skillz=-
(*) Nessus is released under the GPL and is designed to automate the testing and discovery of known security problems. Click for Introduction to Nessus Tutorial.
***