Threat modeling the quick and dirty way

From Gender and Tech Resources

Revision as of 09:39, 8 October 2015 by Lilith2 (Talk | contribs)

The traditional way of doing threat modelling, if it was done at all, was to sit down and think up attacks until bored (often ones that applications defended against anyway) and then declare victory.

  • If we have non-security geeks doing the threat modelling then many attacks get missed or mis-identified. An expert facilitator can catch those.
  • If we have security geeks involved then there tends to be a focus on attacks like sending a server custom-crafted messages that take advantage of the unusual mathematical properties of specially-formatted PKCS #1 message padding in RSA-encrypted data blocks and ignore the fact that the server’s private-key file is world-readable and indexed by Google. [1]
  • The problem with checklist-based approaches is that they only work when the attacker is using the same checklist as we are, and isn’t aware that a particular type of attack isn’t supposed to work, then they can walk right past the checklist-standardised defences.
  • A variation of checklist-based threat modelling is risk mitigation: documenting every risk we can think of and then getting sign-off from someone in authority on the document. As a defense strategy, this is even less effective. But, more job-security oriented.
  • Even more job-security oriented is an obfuscated checklist in a notation called Common Criteria, that was recovered from an UFO crash site . Don't allow people understanding it near sharp objects. Better yet, shoot on sight.

In the past this has delivered vulnerabilities and measures that provide the best (theoretical) security but very little effective security:

  • The Internet Threat Model: I’m OK, you’re OK, and eavesdropping on credit card information sent over the Internet is the threat. Then we build something that people without a phone can not use (while ignoring all other threats).
  • Inside-out Threat Model: A wonderful piece of circular reasoning which states that the threat model is whatever the security design is capable of defending against (anything that’s hard to defend against is excluded from the threat model).
  • Provable Security for cryptographic algorithms: algorithms being proven secure against the threats that are defined by the provers (the attacker is transformed into some theoretical bogey man capable of doing anything that we know how to protect against).

Then how?

Dystopia.gif

Basic choreography

Steward Brand: Build a room

Set up a table

The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).

Fill in the table

I recommend doing a brainstorm on threats as initial filling of the threat columns in the table, before thinking about the other columns.

Reorder the list according to your set of priorities

Choose your ordering strategy carefully. Several strategies are possible.

  • If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
  • In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.
  • In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed scenario planning (food for thought) to find possible threats and solutions overlooked (food for gut).

Examples

Silicon Valley first world problems

Threat Likelihood Impact Protection
Having to drink medium Developer will drop dead within a week, deadline will not be made.

The human body needs water to survive. The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat.

* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
Having to eat food high Developer will drop dead within three weeks, deadline will not be made.

A human can go for more than three weeks without food (Mahatma Gandhi survived 21 days of complete starvation)

* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
Needing sleep high Like breathing, sleep is essential to humans. It has even been said that one could survive three times longer without food than one could without sleep. One of the better known experiments on this subject, found that depriving rats entirely of sleep resulted in their death, or near-dying state, within 11-32 days (Everson et al. 1989). ** No long term alternatives known, but the deadline is still four weeks off. We tried adding coffee and coke to the Schmoylent in the previous development cycle.
Bathroom breaks high How many times do people go to the bathroom per day? Loads, and all those little breaks can add up to an hour or two per developer per day. ***** Implanting stomata. Costly. Management has suggested we need more surveillance equipment to study the problem of the breaks.

Journalist, observer or sousveillant in europe

A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.

The below threats, if happens, make for loss of trust and reputation and that translates to loss of effectiveness as independent observer.

Threat Likelihood Impact Protection
Metanoia & Paranoia low Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. *
Physical attacks medium Physical damage/intimidation
Arrest: That might include direct approaches such as intimidation and asking for information on sources. medium Physical danger to those sources.
Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/
  • Phishing
  • Guess/hack password
  • Metadata
  • Mobile trail
high Intimidation/attack/imprisonment of sources. *
Correspondence with contacts includes all sorts of information that we do not want others to know about.
  • Phishing
  • Guess/hack password
medium Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. **
Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be a used to attack others in our "organisation", and access information we don’t directly hold.
  • Phishing emails can be sent from our email or social media accounts to others.
  • Passwords can be guessed.
high Followers on social media and people on mailinglists can get spammed. ****
All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others).
  • Where are they? What forms do they have? Is there a security related documentation policy? Hey who is that man walking out the door with those files?
medium Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.

Intimidation/attack/imprisonment of sources.

*
If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records.
  • Metadata
  • Computer forensics
high Intimidation/attack/imprisonment of sources. *
It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html medium Publication of hoax information on content management systems (the news website) and social media accounts ***
Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information. medium Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. **

Related

References

  1. Peter Gutmann https://www.cs.auckland.ac.nz/~pgut001/ (yes, the professional paranoid guy, inventor of the Gutmann method, an algorithm for securely erasing the contents of computer hard drives by writing a series of 35 patterns over the region to be erased, and presented in the paper Secure Deletion of Data from Magnetic and Solid-State Memory in July 1996.)