Using Attack Surface in Threat Models

Last week, I blogged about using threat models to identify and locate countermeasures. Now, I would like to add a little more detail and context. Recall, the purpose of the threat model is to map threats to countermeasures, but he catalyst comes through some part(s) of the attack surface. There are several attack surface models out there, I use a simple one where the attack surface is the sum of the data +  method + channel, that entail the ways the system can be attacked. 

So in an example Web services application we would have an attack surface that includes

• Data: XML
• Method: SOAP or HTTP Verbs 
• Channel: HTTP 

Relating the attack surface construct to our threat model yields interesting possibilities for countermeasure combinations and permutations. Let's assume you are doing security design for a REST Web service and are looking at the constraints and capabilities that REST, HTTP, XML and other standards will help you deal with threats. The combination of the attack surface model and threat model gives you a way to be more precise with mapping countermeasures to threats.

 

Threat	Countermeasure Located in Attack Surface
	Data	Method	Channel
Spoofing	XML Signature (response only)	None	TLS/SSL
Tampering	XML Signature (response only)	None	TLS/SSL
Dispute	None	None	None
Information Disclosure	XML Encryption (response only)	None	SSL
Denial of Service	None	None	None
Elevation of Privilege	Oauth	Oauth	None

This is just an example, but the attack surface is a nice refinement for drilling down on the countermeasure side of the threat model ledger. The location context gives the security designer some flexibility in finding cost effective ways to address security in the software design. In a nutshell, the threat model identifies countermeasures and attak surface locates the countermeasures in the software architecture.

MetriCon 4.0 Preliminary Agenda

MetriCon and the SecurityMetrics list have for several years been host to the most interesting discussions on Security Metrics. This year the MetriCon 4.0 Workshop will be held on Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. The formal Call for Participation is still available for your review. As with all MetriCon events, MetriCon 4.0 is by invitation; invitations for attendance-only remain available. If you wish to attend, communicate via email to the MetriCon 4.0 program committee at your earliest convenience.

Preliminary Agenda

1. Baseline Scoring Methods
Reproducible Measurement as a Foundation for Security Assessment Metrics
SCAP Metrics

2. Measuring Impact
Business Focused: Foundations for Security Business Intelligence
Metrics for Detecting Compromised Systems

3. Enterprise Security Management
Security Metrics in Governance, Risk and Compliance
Using Security Metrics to Motivate a Response to A Critical Vulnerability
Foundational Control Practices

4. Software Security
The Building Security In Maturity Model
Does Software Quality Matter?

5. Trends and Stats
Measuring the Future Basis of Competition among AV Products
Crunching Metrics from Public Data
Data Loss DB

6. Security Manager Panel
Asset Profiles
Initiative Alignment
Metrics for Predictive Analysis

7. Discussion Groups on Topics of Mutual Interest
Enterprise Network Security Metrics
PCI DSS Statistics & Metrics
SOX Material Weakness
Vulnerability Response Decision Assistance

Analytical Mindset

From Michael Santoli in Barrons 

IN TALKING TO MARKET PEOPLE OVER THE YEARS, it's clear that the sharper traders and more astute analysts share a couple of traits. The first is to inquire, "What are you hearing?" before they offer their view, and the second is to ask, "Where could I be wrong?" after they do.

The article goes on to discuss "the spirit of challenging the assumptions of the comfortable consensus"; asking the "where could I be wrong?" question is the biggest difference between just programming (getting something to work) and defensive programming (understanding how things fail).

Richard Monson-Haefel on 9 Things Every Software Architect Should Know

Last night, I saw RIchard Monson-Haefel talk on 9 things every software architect should know. The funniest line was on EJB "I feel like I had a kid and he grew up and went on a crime spree", Richard's list of 9 things:

1. People are the plarform (ui is often the weakest link)

2. "All solutions are legacy" (My old partner used to say nothing more permanent than a temporary solution)

3. Data is forever (everything changes - new technology, new processes, but data is evergeen)

4. Flexibility breeds complexity (My security corollary is you empower developers you empower attackers

5. Nothing works as expected (Finally a security principle - design for failure)

6. Know the business 

7. Maintain the vision. Should be cto but how can they do it? They are in too many meetings

8. Software architects should also be coders

9. There is no substitute for experience

I think its a good list, I think #5 is under emphasized of course. Securing software often comes down to developers and security people, but this is not enough. Software people don't know enough about security and security people don't know enough about software. So we need another layer to resolve this. Software architects are supposed to own the non-functional requirements like scalability and security, but too often security is just network firewalls and SSL. Software architects are in a good position to see the failure modes and drive projects to fix vulnerabilities and establish countermeasures.

Floors and Ceilings

Heartland update from WSJ: Heartland Gets Religion on Security

Aside from the scale, the breach stood out from the hundreds of others reported each year because Heartland had recently passed a security audit.

Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough. It’s the “lowest common denominator,” he says, adding that the audit didn’t detect the vulnerability that led to the hack even though it had existed for years.

Carr also believes that the vast majority of breaches go unreported. He says that around 300 companies were victimized by the same hacker as Heartland, but that most have never come forward. He points to loopholes in the state laws meant to protect consumers in the event of a data breach as the reason.

I could not agree more with the emphasis added bold text. This is not a slam of PCI just reality. Setting a minimally acceptable floor is an important maturity step just not the only one. Anyway, shooting closer to the ceiling than the floor, it looks like Heartland is going to use Voltage's end to end encryption.

Using Threat Models

Threat models are a very good way to make implicit security threats and mechanisms, into explicit threats and mechanisms, so that you can write requirements, build, and test that they do the job you intend. As a starting point, I like to use a modified version of STRIDE, which among other things cleanly maps threat to mechanism. This way when starting a new project, for example with SOA Web services, you can identify where the standards will help you.

 

Threat	Mechanism	Example Standard
Spoofing	Authentication	WS-Security
Tampering	Digital Signature, Hash	WS-Security + XML Signature
Dispute	Audit Logging	None
Information Disclosure	Encryption	WS-Security + XML Encryption
Denial of Service	Availability Services	None
Elevation of Privilege	Authorization	None

Threat models are misunderstood, they are not about modeling threats. As defensive programmers, we have little to no control over threats, our job is to find and fix vulnerabilities. So why bother with threats and threat modeling at all then? It turns out that vulnerabilities are basically passive weaknesses, and the threat is the catalyst that exercises the vulnerability so that we can 1) identify it and 2) deal with it. 

So the end result of threat modeling is not a list of threats, but rather a list of countermeasures. And not just a generic list either. The active ingredient (threat) gives us a way to locate where the countermeasure can/should live in the architecture.

Further, if we are comparing approaches early in architecture/design phases of building software, the threat model is a structured back of the cocktail napkin way to compare/contrast approaches. For example if we are looking to build out a set of Web services and are choosing between SOA style (WS-*) and REST style, we may want to look at the readily available implemented standards that each software security stack supports

 

Threat	Mechanism	Example SOA Standard	Example REST Standard
Spoofing	Authentication	WS-Security	XML Signature (response only)
Tampering	Digital Signature, Hash	WS-Security + XML Signature	XML Signature (response only)
Dispute	Audit Logging	None	None
Information Disclosure	Encryption	WS-Security + XML Encryption	XML Encryption (response only)
Denial of Service	Availability Services	None	None
Elevation of Privilege	Authorization	None	None

Threat modeling gives a concrete structure to a fairly abstract subject like analyzing software security capabilities in services, but as you see its not about the threats its about the security architecture elements. This is just an illustrative example not a complete threat model, but it does give an effective, context-sensitive way to look at tradeoffs in security architecture. In this example, SOA/WS-* has potentially more coverage the security mechanisms work on both the request and response side. In the next series of posts, we'll look slicing and dicing the threat model a layer deeper and how we can use it secure our services.

Update: Using Attack Surface with Threat Models

Twitter-enabled Information Disclosure in Sports

In one of my favorite Richard Thieme talks at Black hat, he exhorted us to look to the edges to find where the new realities are forming. The consensus reality of today is one thing, but the new realities creep in from the edges outside of today's norms. 

Sports has been one area in American life where we can clearly see this happen. We have had Jackie Robinson breaking the color barrier in baseball long before Martin Luther King Jr and others brought this to the wider society. In 1966, we saw Red Auerbach name Bill Russell the first African American coach, 42 years before Americans signed up to have Barack Obama run the whole country. 

Of course, not all the new developments are positive, witness the ongoing sagas in steroids in sports which we will likely also see in wider circulation throughout society with things like biotech, genetic modifications and so on.

On a related note, last we just had a case of information leakage in pro sports via Twitter. In the NBA this off season people have been wondering if coach Kevin McHale would be coming back next season, while fans waited for some kind of news Minnesota Timberwolves rookie star Kevin Love tweeted 

"Today is a sad day. Kevin McHale will NOT be back as head coach."

Turned out to be true. Only thing was the Timberwolves had not issued any official statement of the sort. Love's explanation was that he assumed that everyone already knew. Normal behavior from an insider, but a good example of information breaching the walls, and not through malice, just through increased connectivity. Now that we see the template in sports, it will be interesting to see these things play out in wider population

Still Waiting to Meet a Developer Who Wants to Write Insecure Code

A somewhat common refrain that you hear from security thought leaders is that secure coding is too hard and we shouldn't even bother trying. I have never understood this stance. Of the the thousands of developers I have met, trained and worked with, I am still waiting to meet the first one who actually wants to write weak, insecure code.

Sure lots of systems are poorly designed, but just because we have always built our cities out of wood does this mean the entire Infosec industry should focus on obsessing about threats like Mrs. O'Leary's cow and building a great fire department? If the city has no resiliency to any threat of fire, is the problem to work the threat side or the resiliency side? I am not sure that rounding up all cows and confiscating matches is the answer. Fire departments are very important and its great to get response time down from 10 minutes to five minutes, but still should this be the main focus? 

At a certain point, you need to say that we have got most of what we can from wood and move to building cities out of steel and concrete. Yes this requires new tooling, support and training for the people doing the building work, but its far from impossible.

Anyone who did web development in the early 90s knows it wasn't that easy then. Its easy for developers now and what they build is far more feature rich *and* robust. The protocols are the same, but what's different is 10+ years of engineering, training, and better tooling. Security is not any harder than most of the things developers do every single day, its just that it has not been prioritized by the wider industry yet. To throw software security in the "too hard" pile at this early stage is defeatism and puts a false and unnecessary ceiling on what developers are capable of. I say - empower developers with security tools, knowledge, and space to create, you will be surprised with what problems they are able to solve.

Dangers of Mixed Incentives

How would someone have avoided being snared by Madoff? There were many very successful businesspeople on his list of victims. They liked the fact that Madoff appeared conservative none of this "up 60% one year and down 25% the next." These people were not risk seeking. Interestingly, there were no financial pros on the list because the first thing those folks want to know is "how are you doing this?" and of course they were offered no answers they liked. 

But still did you have to be a Wall St guru to know this was a scam? For one thing you could have looked at the incentives and conflicts of interests, allegedly such as those feeder funds that had 100% of their funds with Madoff but we are told did not do due diligence. The dangers of mixed incentives are nicely summed up by the great Jason Zweig wrt Mutual Funds Is Your Fund Pawning Shares at Your Expense and in this Forbes piece "Don't Take Financial Advice from Salespeople"

Imagine seeking medical attention at a clinic owned by a pharmaceutical company. A doctor treats your backache, but also prescribes the company's most expensive drugs for restless leg syndrome, social anxiety and erectile dysfunction.

Got more than you bargained for?

In the world of investing, too, Americans often get more than they need or want. At large private banks, "financial advisers" claim to play the role of impartial advice-givers, but in reality often act like salespeople. As a result, too many people are now facing massive losses on their personal savings and investments.

In fact, only 8% of financial advisers arrange for fee-based compensation with their clients, according to an annual compensation report by Registered Rep., a magazine for investment professionals. The remaining 92% are paid primarily by commission.

In other words, advisers tend to make more money when they sell the expensive products or services their banks offer.

Much like patients who don't understand the intricacies of the medical profession, financial clients accept this conflict of interest largely because they don't fully understand how the investment industry works.
...
The staggering case of Bernard Madoff's $50 billion fraud was an even more potent example--illustrating the conflicts of interest that arise when the roles of asset manager and custodian aren't clearly delineated.

Typically a custodian bank serves as a middleman, authorized to make trades on behalf of its clients based on orders from the asset manager. The custodian thus acts as an independent third party, helping to safeguard assets. Madoff's investment advisory firm, however, did not use an independent custodian, and Madoff's clients sent their money directly to him.

What better way to cover up investment fraud than to eliminate the checks and balances?
Investors paid no heed to this inherent conflict, lured by Madoff's supposed high returns. After all, he was not the only investment manager doubling as custodian. Shockingly, it is legal for a money manager to also hold custody of assets as long as it is disclosed.

While UBS and Madoff were one-off cases, a more pervasive conflict of interest is the coupling of investment advisory and asset management services.

At most major banks, private bankers dishing investment advice are offered cash incentives to sell funds managed by their firm. Even more insidious is when they claim to have "open architecture" or sell funds on their "third-party platform." This simply means their firm has negotiated a fee-sharing arrangement with an outside fund manager. So they have a financial incentive to steer investors into that fund.

In the investment industry today, most private banks play all three roles: investment adviser, asset manager and broker-dealer. Regardless of the conflicts of interest inherent in this setup, U.S. financial regulations simply require a series of disclosures on the last page of the pitch book. In practice, this does very little to safeguard investors. Indeed, it's akin to the FDA allowing pharmaceutical sales reps to write prescriptions, as long as the treatment comes with a few pages of fine print.

This problem won't be solved with more red-tape disclosure requirements, which ordinary investors don't read anyway. Instead, regulators must shift their focus to addressing the fundamental problem of the financial industry--conflicts of interest. Until they do, many financial advisers will continue to prescribe the wrong medicine. And investors will suffer.

Ross Anderson's "Security Engineering" presents a Security Engineering Analysis Framework that includes the things security folks have dealt with for their whole careers - the policy of what is supposed to happen, the security mechanisms that deliver on the policy, and the assurance that builds up confidence that the policy and implementation are in alignment. But he adds one new factor into the traditional information security mix that explains many things that happen in the real world - incentives

Information security in the real world is nowhere near as simple as defining a policy, then building a mechanism and conducting assurance. For one thing each of these activities by themselves can be a large slice of effort, doing them in concert is more difficult still. In other words for all this to work we need an external driver called incentives. Why are IBM, Oracle and Sun able to sell Identity Management suites for millions of dollars? The technology is not complicated, but they know they are selling to compliance which has a very high incentive to check off that particular check box.

Simple Matrix = Real Mess

This just in: security people are beginning to understand that in the real world access control is much harder than crypto. An amusing post from Thomas Ptacek. Its always amazed me that people are always saying - "hey don't write your own crypto! that is hard stuff - leave it to the pros at the shop."

then when it comes to protecting the keys and cryptosystems, what do you need? why authN, authZ, and audit - your basic access control systems. and people write their own from scratch all the time and no one says boo. A lot of this is marketing and golf of course. But I have never really been able to figure out why people are so adamant that you should NEVEREVEREVER write you own crypto, but sure go ahead and do programmatic authN/authZ/session mgmt. It makes no sense, but then I figured it out, or rather a Dutch guy did

"Normally, everything is split up and problems are solved separately. That makes individual problems easy to solve, but the connections between the problems become very complicated, and something simple ends up in a real mess. If you integrate it in the first place, that turns out to be the most simple solution. You have to think ahead and you must always expect the unexpected." 

- Jan Benthem, Schipol airport chief architect

In crypto things are split or rather you have to split them up to determine the data or channel you're encrypting. Its integrated from the get go and you have some visibility into whether encrypt/decrypt and sign/verify are working.

In access control however things are "split up and problems are solved separately", you supposedly classify your data, define roles, groups, and objects do a big mapping and voila - an access control matrix. 

Unfortunately, your access control matrix is not code, it needs to be mapped to several zillion config files, URLs, resources, SOAP calls, and on and on. Your simple access control matrix ends up in a "real mess"

Crypto theory is vastly harder on the whiteboard than access control (Subject-Object-Session how hard is that?). In practice, implementation is the exact opposite. Yet we are told that crypto is only to be done by the high priests whilst junior programmers build access control functions every day.