An Approach To. Web Application Threat Modeling

Transcription

1 An Apprach T Web Applicatin Threat Mdeling By Akash Shrivastava April 2008 Akash.InfSec@gmail.cm

2 1. Overview In present internet cmputing envirnment ne r the ther frm f security has becme a requirement fr all web applicatins. Imprtance f Cnfidentiality, Integrity and Privacy is increasing day by day and security has becme vital in internet technlgy. T design a secure web applicatin, it is very imprtant t analyze and mdel the ptential threats. Threat mdeling is a prcedure fr ptimizing Netwrk/ Applicatin/ Internet Security by identifying bjectives and vulnerabilities, and then defining cuntermeasures t prevent, r mitigate the effects f, threats t the system. [5] A threat is a ptential r actual undesirable event that may be malicius (such as DS attack) r incidental (Infrmatin Disclsure). Threat mdeling is a planned activity fr identifying and assessing applicatin threats and vulnerabilities. Threat Mdeling is an nging prcess s a framewrk shuld be develped and implemented by the cmpanies fr threats mitigatin. The aim f this paper is t identify relevant threats and vulnerabilities in the Web Applicatin and build a Security Framewrk t help in designing a secure Web Applicatin. 2. Practical Utilities f Threat Mdeling There are varius vulnerabilities present in the Web Applicatins. Organizatins shuld invest in the vulnerabilities accrding t their impact n the rganizatin. A vulnerability that can be explited is a threat t rganizatin s functins and assets. Threat Mdeling can be used t: Identify ptential threats that can be explited t launch a successful attack against applicatin and rganizatin s assets. Design the applicatin t meet the Security bjectives. Help making key engineering decisins while priritizing ptential threats. Identify the vulnerabilities thse are actually critical in the unique envirnment such as cmpany netwrk. Priritize and Reduce risk f security issues arising during develpment and peratins. [8]

3 3. Prcedure f Web Applicatin Threat Mdeling Majr steps invlved in the Threat Mdeling f Web Applicatin are mentined belw: Security Objectives Identificatin Assets Identificatin Applicatin Walkthrugh System Mdeling Threats Identificatin Vulnerabilities Identificatin Threat Agent Selectin Threat Histry Examinatin Priritizing the Assets & Vulnerabilities Threat Impact Analysis 3.1 Security Objectives Identificatin: Security bjectives are gals and cnstraints related t the Cnfidentiality, Integrity, and Availability f custmer s data and applicatins. The Security Objectives are: Prtect custmer accunt details and custmer credit histry fr example prevent attackers frm btaining sensitive custmer data, including passwrds, prfile infrmatin, financial histry, custmer Credit Card Numbers, Bank details, r travel itineraries. Ensure the availability f the applicatin at any time i.e. meet Service-Level Agreements (SLA) fr applicatin availability r meeting Cmpliance requirement r standard. Prevent unauthrized users frm mdifying infrmatin, especially financial infrmatin. The guarantee the cmpany makes t their custmers abut service availability, cnfidentiality r integrity f data such as prtect the cmpany's nline business credibility r what guarantee the cmpany makes t their custmers abut cnfidentiality r integrity f the data.

4 3.2 Assets Identificatin: An asset is a resurce f value which varies by perspective. T the business, an asset might be the availability f infrmatin, r the infrmatin itself, such as custmer data. It is imprtant t identify and create a list f assets that invlves cnsidering every ptential cmpany asset and deciding whether r nt it fits within the "security perimeter. Fllwing is a list f cmmn sensitive assets [7]: Cmputers and Laptps Ruters and Netwrking equipment Printers & Fax Machines Cameras, digital r analg, with cmpany-sensitive phtgraphs Data - sales, custmer infrmatin, emplyee infrmatin Cmpany Smartphnes/ PDAs VIP Phnes, IP PBXs (digital versin f phne exchange bxes), related servers VIP r regular phne call recrdings and recrds Lg f emplyees daily schedule and activities Web pages, especially thse that ask fr custmer details and thse that are backed by web scripts that query a database Web server cmputer Security cameras Emplyee access cards. Access pints (i.e., any scanners that cntrl rm entry) T an attacker, an asset culd be the ability t misuse an applicatin fr unauthrized access t data r privileged peratins.

5 3.3 Applicatin Walkthrugh: In this step the web applicatin is summarized int what it des, its cmmunicatin and security mechanism etc. This step is all abut acquiring maximum pssible infrmatin abut the target applicatin. The bjective is t identify the applicatin's key functinality, characteristics, rles, key usage, technlgy and security mechanism etc. This will help t identify relevant threats during phase f Identify Threats. Fllwing things need t be cnsidered t create an applicatin walkthrugh: Gather details abut the deplyment tplgy, lgical layers key services, Cmmunicatin prts and prtcls. Identify the applicatin's rles like wh can d what within yur applicatin, Higherprivileged grups f users, Identify internal user and Administratr, Guest user and Internet user, identify Web Service r Database rles. It is a very imprtant factr t identify the key usage scenaris f yur applicatin. What are the imprtant features f yur applicatin? What des it d? Sme typical scenari will be user view and search prducts and add them in Shpping Cart, Registered user lgs in and place an rder thrugh Shpping Cart. Identifying the functinality and usage f the applicatin helps yu t understand hw the applicatin is prjected t be used and hw it can be misused. Identify and list the Technlgies and Sftware that the applicatin uses. Fr example Operating System type, Web Server type and versin, Database, Technlgy used i.e..net r C# r any ther etc. This nt nly helps t put mre fcus n technlgy-specific threats but als helps us t determine the crrect and mst apprpriate mitigatin techniques. Identify which Security Mechanism is being used by the applicatin. Varius key pints shuld be cnsidered when identifying applicatin security mechanisms knwn. Fr example: Input and data validatin Authenticatin & Authrizatin Mechanism Sessin Management Cryptgraphy Technique used Auditing and lgging

6 3.4 System Mdeling: At the start f the Threat Mdeling prcess, the security designer needs t understand the system abslutely. With the help f the use cases and architectural mdel, system mdel fr the applicatin can be created. The mre yu knw abut the applicatin, the easier it is t expse threats and discver vulnerabilities. This step invlves breaking dwn the applicatin t create a security prfile. The prcess f decmpsitin f the applicatin invlves understanding every cmpnent (Website, Web Service r Database) and its intercnnectins, defining usage scenaris, and identifying assumptins and dependencies (external r internal such as AD, Mail System etc). There are different techniques that can be used t mdel a cmputing system. Fllwing pints can be cnsidered t create a mdel f the applicatin/ System: Identify trust bundaries f the system such as a perimeter firewall r the bundary between the Web Applicatin and a third-party service. Draw the Data Flw Diagram (DFD) f the applicatin which dissects the applicatin int its functinal cmpnents and indicates the flw f data int and ut f the varius parts f system cmpnents such as user lgin methd, data flw between Web Applicatin, Database Server and a Third Party Service r Web Service. Identify the entry pints t the applicatin as they als serve as entry pints fr attacks such as Web request thrugh Prt 80 r Prt 443, Lgin Pages fr internal and external users, admin pages etc. Identify exit pints as they can als be used as an attack vectr such as search page, which writes the client's search string and the crrespnding results and index page, which displays prduct details. What we need is a system mdel that reveals the essential characteristics f the system and helps in identifying threats which may arise due t specific applicatin lgic r technlgy engaged in the applicatin. The mre cmplete and detailed the mdel is, the mre successful the ther stages will be.

7 3.5 Threats Identificatin: In this step, thse threats are identified, which may affect the system and cmprmise the assets. Threat identificatin is the key t a secure system. Identifying threats cnsists f analyzing each entry/ exit pints, examine the applicatin tier-by-tier, layer-by-layer and feature-by-feature. The fllwing threats culd affect the applicatin: Dictinary based Brute Frce attacks. Netwrk eavesdrpping ccurs between the brwser and Web server t capture client credentials. An attacker may capture ckies t take-ff the identity. SQL Injectin, which enables an attacker t make use f an input validatin vulnerability t execute cmmands in the database and thereby access and/r mdify data. Crss-site scripting thrugh injecting script cde. Infrmatin leakage. An attacker takes cntrl f the Web server, gain unauthrized access t the database, and run cmmands against the database r gain unauthrized access t Web server resurces and static files. Discvery f encryptin keys used t encrypt sensitive data (including client credit card numbers) in the database.

8 3.6 Vulnerabilities Identificatin: T identify weaknesses related t yur threats, layers f applicatin shuld be reviewed. Using vulnerability categries help fcusing n thse areas where mistakes are mst ften made. Cmmn applicatin vulnerabilities are: Authenticatin related vulnerability such as lack f passwrd cmplexity enfrcement r lacks f passwrd retry lgic Invalidated Data & Inputs Is all input validated? Hw is it validated? Is it validated fr type, length, frmat, and range? What des gd data lk like? Where is it validated? Exceptin handling What infrmatin is needed fr trubleshting? What infrmatin shuld be presented t the end user? An attacker may gain useful exceptin details Prviding detail errr message t the end-user/ client Weak Encryptin key r encryptin key is using wrng algrithm Revealing an administratin functin thrugh the Web applicatin Remte Cde Executin vulnerability SQL Injectin r Crss Site Scripting Username enumeratin Parameter Tempering Authrizatin Manipulatin and User Privilege Escalatin Sessin & Ckie

9 3.7 Threat Agent Selectin: Threat agent is the persn r event that has the ability t generate threats. In the abve mentined scenari fllwing are the main threat agent/ event: Insiders and users Hackers and Crackers (Hackers/ Crackers Grup) Wrm, Trjans and Viruses Natural and envirnmental events (Flds, Fire etc) 3.8 Threat Histry Examinatin: Nw we have a cmpiled list f current threats. But it is always better t cnsider future threats, which may arise. The first step twards predicting future threats is t examine the cmpany's recrds and speak with lng-time emplyees abut past security threats that the cmpany has faced. Mst threats repeat themselves, s by catalging the cmpany's past experiences and including the relevant threats n yur threat list yu'll get a mre cmplete picture f yur cmpany's vulnerabilities. 3.9 Priritizing the Assets & Vulnerabilities: We have nw develped a cmplete list f all the assets and security threats that the cmpany may face. It is imprtant t cnsider that every asset r threat des nt have the same pririty level. In this step, we shall priritize the assets and vulnerabilities in rder t knw the cmpany's greatest security risks. Fllwing step shuld be taken t priritize the Assets & Vulnerabilities: Develping a Risk and Prbability Calculatin Matrix Calculate Risk. Calculate Prbability. Calculate Impact The implementatin f the cuntermeasure depends n the criticality f the assets and vulnerabilities. There are varius techniques available t priritize threats and vulnerabilities. Micrsft s DREAD (Damage, Reprducibility, Explitability, Affected Users, and Discverability) mdel f priritizing threats and vulnerabilities seems t be ne f the ppular methds.

10 3.10 Threat Impact Analysis: The term Impact is used t indicate the result f a threat reaching an asset. Threat Impact can be categrized int fllwing: Minr: minr lss f a business asset, n change in business rder Mderate: business disruptin, mderate changes in way f cnducting business Majr: ut f business unless cuntermeasures are deplyed immediately Catastrphic: ut f business frm the mment that the threat was realized The impact f a threat may affect Market Shares, Business Capital, Users, Stakehlders & Business Partners Trust and Cmpany reputatin. The immediate utcme f the threats reaching t an asset culd be disclsure, mdificatin, destructin, lss, interruptin and unauthrized access.

11 4. Develpment f Security Threat Respnse Plan: In this step a primary respnse plan t a particular threat based n the pririty list f assets and vulnerabilities shuld be develped. Althugh these security respnses are nt the nly apprpriate ways t deal with a security threat, but they cver the vast majrity f the threats the cmpany faces. Apart frm the primary respnse plan t the threats, fllwing implementatin is required as security strategy: Implementing Netwrk ACLs Implementing IDS/IPS Implementing IDM Backups Cntent & Filtering Implementing Physical Security

12 Cnclusin: Mdeling the applicatin is imprtant t identify threats and vulnerabilities in the applicatin, which may affect the cmpany business. It prvides an understanding f the cmpany assets and risk t the applicatin, assets and verall business. We have discussed ptential threats t the applicatin and requirement fr the threat mdeling prcess. Threat mdeling prcess prvides a security framewrk t secure the web applicatin. Using the frame is helpful in identifying threats and vulnerabilities in the System. While creating and implementing a Frame fr Web Applicatin security, tw main pints are cnsidered as critical: 1. The mst cmmn mistakes, which the develpers make 2. The mst prficient imprvements Based n the study, it can be cncluded that mdeling the applicatin fr present and future threats and vulnerabilities can prvide great level f security t the cmpany. Security plicies can be a very helpful practice in prtecting netwrks frm the threats vulnerabilities and maintains Cnfidentiality, Integrity and Availability f the system. Finally, being ever cautius and watchful will keep the attackers at hliday. S, it is always better t hide yurself frm Hacker, Cracker and Script Kiddies t survive in the tday's technlgical envirnment.

13 References: 1. Understanding and Develping a Threat Assessment Mdel, Stilians Vidalis and Andrew Blyth, University f Glamrgan. 2. J.D.Nswrthy, A Practical Risk Analysis Apprach: Managing BCM Risk. Cmputers & Security, Pg Analyzing Threat Agents & Their Attributes, Dr. Stilians Vidalis, Dr. Andrew Jnes, University f Glamrgan. 4. Electrnic Warfare Assciatin Australia (URL: An Intrductin t FAIR: The Factr Analysis f Infrmatin Risk (FAIR) Framewrk. (URL: