1
00:00:02,080 --> 00:00:05,630
Welcome to the module concerning threat modeling and threat classification.

2
00:00:08,080 --> 00:00:13,090
In this module we'll introduce you to one of the methods of threat classification and point out the merits of

3
00:00:13,090 --> 00:00:16,500
such an approach in the security policy development process.

4
00:00:21,530 --> 00:00:24,190
Let's specify what threat modeling actually is.

5
00:00:26,200 --> 00:00:34,410
It consists of the identification, assessment and description of threats to computer systems security.

6
00:00:34,470 --> 00:00:38,760
We should try to analyze the computer system from the perspective of a person who would like to break

7
00:00:38,760 --> 00:00:39,450
into it.

8
00:00:41,390 --> 00:00:51,110
To put it simply, the attack methodology is as follows: the attacker has to gain access to the system.

9
00:00:51,120 --> 00:00:55,210
Our task is therefore to identify the ways through which an attacker can do that.

10
00:00:56,930 --> 00:01:04,070
For example, VPN remote connections or the possibility to log into an unprotected computer can be classified

11
00:01:04,370 --> 00:01:06,310
as entry points.

12
00:01:06,380 --> 00:01:09,960
This depends on the type of system.

13
00:01:10,080 --> 00:01:15,680
Nevertheless, we should continue describing all the threats.

14
00:01:15,870 --> 00:01:19,470
The next step is to list and describe the resources to be protected.

15
00:01:21,900 --> 00:01:26,230
This shouldn't be limited to a general statement that the whole system is to be protected.

16
00:01:28,590 --> 00:01:34,330
The list should be detailed to ensure that every element that needs to be protected will be protected.

17
00:01:35,930 --> 00:01:42,660
In the case of the database server, which may be the first resource to be protected, we don't have to

18
00:01:42,660 --> 00:01:48,720
list each and every record of the database unless we're trying to create a security policy for this one

19
00:01:48,720 --> 00:01:52,190
database.

20
00:01:52,400 --> 00:01:56,790
The next element of threat modeling is to examine and describe data flow paths.

21
00:01:58,720 --> 00:02:05,250
This involves the description of how a computer establishes a connection with the server. Can every

22
00:02:05,250 --> 00:02:08,170
computer establish that connection with the server?

23
00:02:08,310 --> 00:02:14,860
Or are there some specific requirements, such as a port number or the newest version of the antivirus program?

24
00:02:16,950 --> 00:02:21,040
All possible paths should be described, because the attackers can use any of them.

25
00:02:24,070 --> 00:02:27,370
No system can be completely protected.

26
00:02:27,370 --> 00:02:29,380
This is simply impossible.

27
00:02:29,380 --> 00:02:35,460
We can, however, divide the system into more or less protected subsystems.

28
00:02:35,580 --> 00:02:40,990
We should define the trust boundary, represented in the diagram with the letter T.

29
00:02:42,420 --> 00:02:47,060
Clearly defined trust boundaries later become the elements under protection.

30
00:02:48,780 --> 00:02:53,270
Within a physical computer network, a subnet or a set of servers can be defined as trust boundaries.

31
00:02:55,920 --> 00:03:03,800
A special type of such a subnet is the DMZ, the demilitarized zone, which requires a separate trust boundary.

32
00:03:05,710 --> 00:03:12,600
This pertains to every subnet in our computer system.

33
00:03:12,690 --> 00:03:18,060
The list of protected elements should be as detailed as is required to reflect the actual configuration

34
00:03:18,090 --> 00:03:19,790
of the system resources.

35
00:03:24,370 --> 00:03:29,640
Each resource will be assigned an individual security value or level.

36
00:03:29,690 --> 00:03:35,690
This can be simplified so as to comprise high, low, medium or none.

37
00:03:38,480 --> 00:03:44,330
Application designers perform threat modeling in a more formal way.

38
00:03:44,350 --> 00:03:49,790
There is a separate branch of I.T. devoted to threat modeling exclusively.

39
00:03:49,820 --> 00:03:54,930
The diagram you see in the slide is a generalized representation of the steps we've discussed before.

40
00:03:57,500 --> 00:04:01,210
Application designers have to define system entry points.

41
00:04:01,280 --> 00:04:07,200
That is, how the application communicates with users and other applications.

42
00:04:07,200 --> 00:04:12,220
Moreover, they have to examine so-called use cases.

43
00:04:12,390 --> 00:04:17,160
That is, the different ways in which the application is used and the consequences of each kind of possible

44
00:04:17,160 --> 00:04:20,390
use.

45
00:04:20,440 --> 00:04:23,970
Also, they have to define the resources the application uses.

46
00:04:27,120 --> 00:04:31,800
Such an analysis should help the designer to determine which type of threats the application may be

47
00:04:31,800 --> 00:04:32,980
susceptible to.

48
00:04:35,320 --> 00:04:40,530
To assume that viruses are the only threat to the operating system is a severe mistake.

49
00:04:43,050 --> 00:04:48,630
The lack of a detailed analysis may result in a situation where you focus on a threat that concerns

50
00:04:48,630 --> 00:04:53,800
your system to a very limited degree. Viruses are common,

51
00:04:53,800 --> 00:04:59,820
but even if your computer gets infected by a virus, it won't have very serious consequences.

52
00:05:01,200 --> 00:05:08,110
Without a detailed analysis we will miss the most serious threats, and if we're not aware of them we

53
00:05:08,110 --> 00:05:09,830
won't be protected against them.