[Image: Castle under siege (Source: Wikipedia)]
[Image: Car air bag (Source: http://www.airbagecu.com/)]
Also consider the inherent risks due to the high value of the data assets and the critical business functions that software stores and processes today, such as the software that runs critical industrial systems like SCADA for oil, gas, water and electric utilities, controls manufacturing and traffic, and supports mission critical systems for the military. In the financial industry, this is the critical software that handles payments and allows trading of stocks and bonds, sometimes for millions of dollars per transaction. A little closer to our everyday experience as consumers, consider the software for online purchases that processes and stores credit card data. Software that is critical for business functions and for the operation of critical business services is today under the focus of persistent attackers and needs adequate countermeasures. Let me try to use the car analogy for targets highly sought by attackers. This would be like the limousine carrying the president of the United States on a state visit. Because of the threats that the presidential car might face, it needs at least high grade security built into the car, like bullet proof glass and doors. Other cars with secret service agents escort the presidential car as well, to provide a layered defense. The presidential car is not built with the protection of an average car and is not given average security protection, because the president is a high value asset and needs an extra level of protection. Similarly, business critical software is a high value asset that needs a level of security higher than that of commercial off the shelf software. For example, business critical software needs at minimum additional layers of preventive and detective security. Yet business critical software today is engineered by following more or less the same design of countermeasures as average software, which is 20 years behind today's car safety technology such as air bags.
So I hope you got my point with the car metaphor. Today's software security is not adequate because it is not resilient enough to cope with the new threat landscape. Today the software applications that protect critical company and government digital assets are under siege by motivated threat agents and persistent attacks. In today's threat landscape, business critical software would need the equivalent security of a tank or a bullet proof car. So how can we catch up with the threats? We need to work toward more resilient and attack proof software. We need to design and implement countermeasures that are more costly for attackers to bypass. We need preventive and detective controls to evolve so that they effectively detect fraud and prevent fraud and identity theft. We need to move on from infrastructure and perimeter security: network firewalls and intrusion detection systems were good measures against the cyber attacks of the late 90s but are not adequate to protect from today's threats. Because of this, today's cybercrime is an industry that thrives, with profits of several millions of dollars for cyber criminals who sell malware designed to hack into consumers' bank accounts and steal credit card data. Today cybercrime tool vendors offer a money back guarantee to a fraudster in case the tool does not provide the financial gain that was sought (e.g. stealing money from bank accounts). Yes, in the meantime we worked to build more secure software, but the cybercrime industry did not waste time, and our effort of securing software today is not catching up with the threats we face. Not to understate the progress we made in software security: if you read the 2006 DHS Security in the SDLC (S-SDLC) guidelines, we can say that after 6 years most software organizations conduct penetration tests and some have even deployed static source code analysis tools that automate the identification of vulnerabilities in source code.
This means there are fewer vulnerabilities available for attackers to exploit. We also have software security maturity models like BSIMM that help software development organizations compare their software security practices with peers and focus their security efforts on the security domains and activities that need the most work. This is all good but not enough, because the threat landscape has changed and the exposure of software to cyber threats has increased dramatically. Consider the widespread use of software for mobile applications and the millions of people storing personal data on social networking sites. Consider the corporate data stored and processed by software in the cloud, and the software that processes and stores personally identifiable information such as voice prints for authentication and users' images for identifying a person. Today there is a disconnect between the escalation of cyber threats, the increased exposure of software to cyber threats, and the effectiveness of the countermeasures for protecting against and detecting cyber threats. Today's software security needs to evolve and bake in new countermeasures that work like a car air bag. Since Microsoft released its threat modeling methodology ten years ago, we have had a software-centric approach to designing secure software that considers threats against software components, including data assets. This methodology is based on a simplified view of threats such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege). This type of threat modeling is today not adequate for designing secure software, because threats and attacks have evolved beyond the basic threats. Consider the example of an attacker using an interface that takes credit card information not to steal credit card data but to enumerate which credit card numbers are valid, so that they can be used for online purchases or counterfeit credit cards.
This is a type of threat that STRIDE does not categorize, because it is tied to business impact rather than technical impact. Today attacks against application software not only seek to compromise the data assets but also to abuse the critical application functionality. In today's threat model, the analysis of use and abuse cases and of the business impacts caused by exploiting vulnerabilities is essential to identify countermeasures and mitigate business risks. The attack surface of today's applications has also become wider, including all the application interfaces and channels that are exposed to a potential attacker. In enterprise wide software and applications the targets are not just one software component or library but the whole set of services provided to customers and partners. An attacker will seek to compromise the different channels that lead to the data assets, such as online, mobile and B2B channels, and the cloud where data is either stored or processed.
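As an added illustration (not from the original post) of the kind of detective control the card-enumeration abuse case calls for: the routine below scans constructed payment-gateway log lines and flags a client that, inside a short time window, submits many distinct card numbers and collects mostly declines, a business-logic abuse pattern that STRIDE's categories do not name. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed gateway log format (not from the post).
# pan_hash stands for a keyed hash of the card number; the PAN itself is never logged.
SAMPLE_LOG = """\
2012-03-01T10:00:01Z client=10.0.0.5 pan_hash=c01 result=declined
2012-03-01T10:00:03Z client=10.0.0.5 pan_hash=c02 result=declined
2012-03-01T10:00:04Z client=10.0.0.5 pan_hash=c03 result=declined
2012-03-01T10:00:06Z client=10.0.0.5 pan_hash=c04 result=approved
2012-03-01T10:00:07Z client=10.0.0.5 pan_hash=c05 result=declined
2012-03-01T10:00:10Z client=10.0.0.9 pan_hash=c77 result=declined
2012-03-01T10:00:40Z client=10.0.0.9 pan_hash=c77 result=approved
2012-03-01T10:01:00Z client=10.0.0.7 pan_hash=c88 result=approved
2012-03-01T10:01:05Z client=10.0.0.7 pan_hash=c89 result=approved
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) pan_hash=(?P<pan>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Yield (timestamp, client, pan_hash, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["client"], m["pan"], m["result"]


def find_enumeration(text, window=timedelta(minutes=5), min_distinct=5, min_decline_ratio=0.6):
    """Return {client: (distinct_cards, decline_ratio)} for clients whose attempts
    inside any `window` touch many distinct cards and are mostly declined."""
    events = defaultdict(list)
    for ts, client, pan, result in parse_log(text):
        events[client].append((ts, pan, result))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over this client's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({pan for _, pan, _ in span})
            ratio = sum(r == "declined" for _, _, r in span) / len(span)
            if distinct >= min_distinct and ratio >= min_decline_ratio:
                flagged[client] = (distinct, round(ratio, 2))
    return flagged
```

A legitimate customer retrying one card (10.0.0.9) or buying twice (10.0.0.7) is not flagged; only the client cycling through distinct numbers is.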
[Video: Tony UV gives a talk on P.A.S.T.A. Threat Modeling at the BSides ATL conference in Atlanta, 2011]