
Information security of bank non-cash payments. Part 4 - Overview of Threat Modeling Standards



About this study

In the previous publication of the series, we formulated the basic requirements for the information security system of non-cash payments and noted that the specific content of protective measures depends on the threat model.

To form a high-quality threat model, it is necessary to take into account the existing standards and practices on this issue.

In this article, we will conduct an express review of about 40 sources describing the processes of threat modeling and information security risk management. We will consider both GOSTs and documents of Russian regulators (FSTEC of Russia, the Federal Security Service of Russia, the Central Bank of the Russian Federation) and international practices.

Brief description of the threat modeling process


The end result of the threat modeling process should be a document - a threat model containing a list of significant (relevant) for the protected object information security threats.

When modeling threats, protected objects are usually considered:


By and large, the threat model does not have to be represented as a list. It may be a tree (graph), a mind map, or some other form of record that allows specialists to work with it conveniently.

The specific composition of threats will depend on the properties of the protected object and the business processes implemented with it. Accordingly, one of the initial data for modeling will be the description of the protected object itself.

If a hypothetical object is considered, a typical (basic) threat model is formed. If a real object is considered, a private threat model is formed.

When modeling threats, in addition to the description of the protected object, specialists must have knowledge of the threats themselves.

In practice, this knowledge can be gleaned from:


The initial stage of the modeling process will be the identification of threats , that is, the selection of the largest possible list of threats that can at least theoretically affect the protected object.

At this stage, nature plays a cruel joke on information security specialists. The problem is that human memory is associative, and we cannot simply extract all of its contents on demand, for example, recall all possible threats.

To form a list of all possible threats, various techniques are used that allow specialists to ask themselves certain questions or apply principles by which threats are extracted from memory and recorded. Examples of such techniques are threat classifiers, threat trees and patterns of typical computer attacks. We will discuss these methods below.

After the list of all possible threats has been formed, it is filtered so that, ultimately, only the threats significant (relevant) to the organization remain. The filtering process is usually performed in several iterations, at each of which threats are discarded on one criterion or another.

The first criterion is whether violators have the capabilities (resources) to realize the threats. To determine this, a special document is first formed, the intruder model (model of the offender), which identifies the potential violators and determines their capabilities. Then the previously obtained threats are correlated with the intruder model, and all threats whose realization goes beyond the capabilities of the potential violators are discarded.

The next criterion for filtering threats is insignificance of risk. First, the organization determines the level of risk that it considers insignificant. Then it assesses the risk from the realization of each threat and, if it is less than or equal to that level, the threat is discarded.

Thus, after filtering is complete, a threat model is obtained containing the information security threats significant (relevant) to the organization.


Threat Identification Technique - “Threat Classifiers”


Most information security threats can be grouped (categorized) by one attribute or another. The resulting classification schemes can be used by experts as questionnaires for their memory, from which they will extract threats.

Take, for example, the task of modeling threats to the security of personal data (PD) processed in personal data information systems (ISPD).

In 2008, the FSTEC of Russia issued a methodological document for this purpose, the Basic Model of PD Threats. This document contains many classification schemes, of which we consider only one: the classification of threats by “source of threat”.



A specialist building a private threat model can use this scheme by asking himself the question: “What threats to personal data can come from the actions of an internal violator?” and recording these threats. Then he asks the next question: “How can an external intruder attack personal data?”, etc. This series of questions allows the specialist to describe all the threats known to him without forgetting anything.


Threat Identification Technique - “Threat Tree”


When using this technique, the information security specialist puts himself in the place of the intruder and begins to think about how he would attack the protected object.

In the beginning, a high-level threat is formulated, which will be the root of the future tree.

Then the specialist begins to decompose this threat into lower-level ones whose implementation can lead to the realization of the threat in question. To do this, he may ask how, or by what means, the threat under investigation can be realized.

The resulting threats are subordinate to the one under consideration and are written into the tree as its descendants. Then they, in turn, are also decomposed, and so on until the required level of detail is achieved.

A similar approach has long been known in engineering and is used to build fault trees, the construction of which is standardized in GOST R 51901.13-2005 (IEC 61025:1990) Risk Management. Fault tree analysis.

To illustrate the use of “threat trees”, we consider the formation of a threat model for an information object that is an isolated computer that is not connected to a computer network. Suppose that at this facility important information is being processed, the security of which is required to be ensured.

We define the following as a high-level threat: violation of security properties of protected information.

Common security properties are confidentiality, integrity, availability. Thus, child threats will be:


Let us decompose the threat “breach of confidentiality of protected data”.
We ask ourselves: “By what means can this threat be realized?” and write down the following options as the answer:


We will do the same with the threat of “violation of the integrity of protected data”. It can be decomposed into:


The decomposition of the threat to “violation of the accessibility of protected data” can be represented by the following threats:


As a result, we obtain the following tree:



As we can see, even the primitive model we have just built is rather cumbersome when displayed graphically. Therefore, “threat trees” are mainly documented as hierarchical lists.
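The tree for the isolated computer above, documented as the hierarchical list the text recommends and then passed through the two filtering stages of the general process (intruder model, then insignificant-risk level), as an added example that is not part of the original article. The leaf threats, the capability labels, the 1..5 risk values and the intruder model are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Threat:
    name: str
    # Capability the intruder needs to realise this threat (leaf threats only).
    # None means no intruder is needed (e.g. hardware failure). Assumed labels.
    requires: Optional[str] = None
    # Assumed risk level on a 1..5 scale (leaf threats only).
    risk: int = 0
    children: list[Threat] = field(default_factory=list)


# Root threat and the three property-level children follow the text;
# the leaf threats are constructed for this example.
TREE = Threat("Violation of security properties of protected information", children=[
    Threat("Breach of confidentiality of protected data", children=[
        Threat("Reading data from the screen by an outsider", "physical_access", 2),
        Threat("Copying data to removable media", "local_user", 4),
        Threat("Intercepting side-channel emanations", "special_equipment", 1),
    ]),
    Threat("Violation of the integrity of protected data", children=[
        Threat("Unauthorised modification of files by a local user", "local_user", 4),
        Threat("Corruption by malware brought in on removable media", "local_user", 3),
    ]),
    Threat("Violation of the availability of protected data", children=[
        Threat("Deletion of data by a local user", "local_user", 3),
        Threat("Hardware failure of the disk", None, 3),
        Threat("Physical destruction of the computer", "physical_access", 1),
    ]),
])


def hierarchical_list(node: Threat, number: str = "1") -> list[str]:
    """Document the tree as a numbered hierarchical list (1, 1.1, 1.1.1, ...)."""
    lines = [f"{number} {node.name}"]
    for i, child in enumerate(node.children, 1):
        lines.extend(hierarchical_list(child, f"{number}.{i}"))
    return lines


def leaves(node: Threat) -> Iterator[Threat]:
    """Yield the lowest-level threats; these are the ones that get filtered."""
    if not node.children:
        yield node
    for child in node.children:
        yield from leaves(child)


def relevant_threats(tree: Threat, intruder_capabilities: set[str],
                     insignificant_risk: int) -> tuple[list[Threat], dict[str, str]]:
    """Apply the two filtering passes from the text, in order: first drop threats
    beyond the intruder model's capabilities, then drop threats whose risk is at
    or below the level the organisation considers insignificant."""
    kept: list[Threat] = []
    discarded: dict[str, str] = {}
    for t in leaves(tree):
        if t.requires is not None and t.requires not in intruder_capabilities:
            discarded[t.name] = "beyond intruder capabilities"
        elif t.risk <= insignificant_risk:
            discarded[t.name] = "insignificant risk"
        else:
            kept.append(t)
    return kept, discarded


if __name__ == "__main__":
    print("\n".join(hierarchical_list(TREE)))
    # Assumed intruder model: an internal user with physical access to the
    # computer, but without special equipment for side-channel interception.
    kept, discarded = relevant_threats(TREE, {"local_user", "physical_access"}, 2)
    print("\nRelevant threats:", [t.name for t in kept])
    print("Discarded:", discarded)
```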


Threat Identification Technique - “Patterns of Typical Attacks”


This technique is based on the idea that, when carrying out computer attacks, attackers each time perform a similar sequence of actions, which can be called a typical attack pattern.

One of the best-known computer attack patterns at the moment is the kill chain described by Lockheed Martin, which includes 7 stages:



Stage 1. Reconnaissance - collecting data about the target object.
Stage 2. Weaponization - developing the tools (malicious code) to conduct the attack.
Stage 3. Delivery - delivering the malicious code to the target object.
Stage 4. Exploitation - using a vulnerability of a node of the target object to launch the malicious code.
Stage 5. Installation - installing hidden remote access on the compromised node.
Stage 6. Command and Control (C2) - organizing a remote access channel for the attackers to the compromised node.
Stage 7. Actions on Objectives - performing the actions for which the attack was carried out.

The research organization MITRE, having slightly changed the names of the stages, called this template the Cyber Attack Lifecycle.



In addition, MITRE expanded the description of the stages and formed a matrix of typical intruder tactics at each stage. This matrix was named ATT&CK.



Although the matrix is not universal, it still allows one to describe the actions taken by attackers in a large number of real attacks.

From the point of view of threat modeling, a typical attack pattern can be considered as a classifier of threats, and a matrix of typical tactics as a significant fragment of the threat model.

Only the last stage of the template, “Actions” (what the attack was carried out for), will require clarification, and the stages themselves can be supplemented with tactics not yet accounted for.

Documents of FSTEC of Russia on modeling threats to personal data of 2008.


  1. Basic threat model for PDN FSTEC, 2008
  2. Methods for determining actual threats to PD 2008

Both documents are methodological, i.e. not binding, but they show how, in the view of the FSTEC of Russia, the task of modeling threats to personal data security should be addressed.

The Basic Model of PD Threats, FSTEC, 2008, contains the initial data on threats to the security of PD processed in ISPD, relating to:


A formal description of threats is given:


The formal description of threats uses the following abbreviations:
ISPDn - personal data information system.
NSD - unauthorized access.
PMV - software and mathematical impact (the introduction of malware).

The document provides classification criteria for threats, vulnerabilities and malicious programs. A small catalog of typical threats associated with technical leakage channels and unauthorized access is given. A typical intruder model is given and the intruders' capabilities are determined.

The 2008 Methodology for determining actual PD threats defines an algorithm by which threats can be filtered on the basis of insignificance of risk. To this end, the methodology presents methods for determining the threat realizability indicator (probability), the threat danger indicator (damage), and the rules for classifying a security threat as not relevant (low risk).



Documents of the FSTEC of Russia on modeling threats in state information systems (GIS) and the database of threats to the FSTEC of Russia.


  1. Methodical document FSTEC of Russia. Measures to protect information in the state information systems (approved by the FSTEC of Russia on February 11, 2014)
  2. Draft methodological document of FSTEC of Russia. Methods for determining information security threats in information systems
  3. FSTEC of Russia Threats Data Bank (bdu.fstec.ru) .

Methodical document FSTEC of Russia. Measures to protect information in state information systems (approved by the FSTEC of Russia on February 11, 2014). Information security threats (UBI) are determined based on the results of assessing the capabilities (potential, equipment and motivation) of external and internal violators, analyzing possible information system vulnerabilities, possible ways of implementing information security threats, and the consequences of violating information security properties (confidentiality, integrity, availability).

Formal description of information security threats:
UBI = [intruder capabilities; information system vulnerabilities; method of threat realization; consequences of threat realization].

The capabilities (potential) of violators are divided into three groups:

  1. Intruder with basic potential.
  2. Intruder with basic enhanced potential.
  3. Intruder with high potential.

The interpretation of violator capabilities is given in the draft methodological document of the FSTEC of Russia, Methods for determining information security threats in information systems.

The description and classification of vulnerabilities is carried out using national standards:


The vulnerabilities themselves, ways of realizing threats and possible damage are listed in the FSTEC of Russia Threats Data Bank.

Methodical recommendations of the Federal Security Service of Russia on modeling threats to the security of personal data


  1. “Methodical recommendations on the development of regulatory legal acts defining threats to the security of personal data that are relevant in the processing of personal data in personal data information systems operated in the implementation of relevant activities” (approved by the Federal Security Service of the Russian Federation on March 31, 2015, No. 149/7/2/6-432).

The guidelines identify the main threats to PD that can be neutralized only with the help of SKZI (cryptographic information protection facilities). These include:

  1. transfer of personal data via communication channels that are not protected from interception by the violator of information transmitted through it or from unauthorized impacts on this information (for example, when transmitting personal data over public information and telecommunication networks);
  2. storage of personal data on storage media, unauthorized access to which by the offender cannot be excluded using non-cryptographic methods and techniques.

The document also defines a classification of violator capabilities (generalized capabilities of attack sources):

  1. The ability to independently create attack methods and to prepare and conduct attacks only outside the controlled area.
  2. The ability to independently create attack methods and to prepare and conduct attacks within the controlled area, but without physical access to the hardware (hereinafter AS) on which the SKZI and their operating environment are implemented.
  3. The ability to independently create attack methods and to prepare and conduct attacks within the controlled area with physical access to the AS on which the SKZI and their operating environment are implemented.
  4. The ability to engage specialists with experience in the development and analysis of SKZI (including specialists in the analysis of line transmission signals and of side electromagnetic radiation and interference signals of SKZI).
  5. The ability to engage specialists with experience in the development and analysis of SKZI (including specialists in using undocumented capabilities of application software to implement attacks).
  6. The ability to engage specialists with experience in the development and analysis of SKZI (including specialists in using undocumented capabilities of hardware and software components of the SKZI operating environment to implement attacks).

Bank of Russia Documents on Information Security Risks


  1. Letter No. 197-T of the Central Bank of the Russian Federation of December 7, 2007 “On Risks in Remote Banking Services”
  2. Bank of Russia Ordinance No. 3889-U, dated December 10, 2015, “On the Identification of Threats to the Security of Personal Data Actual in the Processing of Personal Data in Personal Data Information Systems”
  3. Recommendations in the field of standardization of the Bank of Russia RS BR IB IBBS-2.2-2009. "Methodology for risk assessment of information security breaches"

The letter of the Central Bank of the Russian Federation dated December 7, 2007 No. 197-T “On the risks of remote banking services” contains a list of typical threats to remote banking services and their customers, including:


Bank of Russia Ordinance No. 3889-U dated December 10, 2015 “On the Identification of Threats to the Security of Personal Data Actual in the Processing of Personal Data in Personal Data Information Systems” contains a sectoral list of security threats to personal data, including the following threats:


Recommendations in the field of standardization of the Bank of Russia RS BR IB IBBS-2.2-2009. "Methodology for risk assessment of information security breaches"

The document proposes the following risk assessment procedures:
Procedure 1. Determining the list of types of information assets for which the procedures for assessing the risks of information security violations are performed (hereinafter, the information security risk assessment area).
Procedure 2. Determining the list of types of environment objects corresponding to each type of information asset in the information security risk assessment area.
Procedure 3. Identifying the sources of threats for each type of environment object defined in procedure 2.
Procedure 4. Determining the SVR (degree of possibility of realization) of IS threats in relation to the types of environment objects defined in procedures 2 and 3.
Procedure 5. Determining the STP (severity of consequences) of an IS violation for the types of information assets in the information security risk assessment area.
Procedure 6. Assessing the risks of information security violations.

The degree of risk acceptability is proposed to be assessed using a “classical” table of risk assessment, taking into account the likelihood and possible damage.


Here SVR is the degree of possibility of realization of the threat, and STP is the severity of the consequences.

The recommendations also contain a small catalog of threats, broken down into classes.
Class 1. Sources of information security threats associated with adverse events of a natural, man-made and social nature.
Class 2. Sources of information security threats associated with the activities of terrorists and persons committing crimes and offenses.
Class 3. Sources of information security threats associated with the activities of suppliers/providers/partners.
Class 4. Sources of information security threats associated with failures, malfunctions, and destruction/damage of software and hardware.
Class 5. Sources of IS threats associated with the activities of internal IS violators.
Class 6. Sources of IS threats associated with the activities of external IS violators.
Class 7. Sources of information security threats associated with non-compliance with the requirements of supervisory and regulatory authorities and current legislation.

National standards of the Russian Federation (GOST)


  1. GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General provisions
  2. GOST R ISO/TO 13569-2007. Financial services. Information Security Recommendations
  3. GOST R 56545-2015 Information security. Vulnerabilities of information systems. Vulnerability Guidelines
  4. GOST R 56546-2015 Information security. Vulnerabilities of information systems. Classification of Information System Vulnerabilities
  5. GOST R 53113.1-2008 Information Technology (IT). Protection of information technologies and automated systems from information security threats implemented using hidden channels. Part 1. General Provisions
  6. GOST R 52448-2005 Information Security. Securing telecommunication networks. General provisions
  7. GOST R ISO/IEC 27005-2010. Information technology. Methods and means of security. Information Security Risk Management

GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General provisions
[text not recoverable; references GOST R 50922-2006]

GOST R ISO/TO 13569-2007. Financial services. Information Security Recommendations
[text not recoverable]



GOST R 56545-2015 Information security. Vulnerabilities of information systems. Vulnerability Guidelines and GOST R 56546-2015 Information security. Vulnerabilities of information systems. Classification of Information System Vulnerabilities. [text not recoverable; references GOST R 50922-2006 Information Security. Basic terms and definitions.]

The standards provide a classification of information systems vulnerabilities, containing three classification characteristics:

  1. by area of ​​origin;
  2. by type of IS deficiency;
  3. at the place of occurrence (manifestation).

The vulnerabilities themselves are proposed to be described in the form of a passport containing the following sections:

  1. The name of the vulnerability.
  2. Vulnerability ID.
  3. Identifiers of other vulnerability description systems.
  4. Brief description of the vulnerability.
  5. Vulnerability class.
  6. The name of the software and its version.
  7. Service (port), which (which) is used for software operation.
  8. Software programming language.
  9. Type of fault.
  10. Place of occurrence (manifestation) of vulnerability.
  11. Fault type identifier.
  12. The name of the operating system and the type of hardware platform.
  13. [text not recoverable]
  14. [text not recoverable]
  15. [text not recoverable]

[text not recoverable; mentions OVAL]

GOST R 53113.1-2008 Information Technology (IT). Protection of information technologies and automated systems from information security threats implemented using hidden channels. Part 1. General Provisions
[text not recoverable]



GOST R 52448-2005 Information Security. Securing telecommunication networks. General provisions
[text not recoverable]



GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General provisions
[text not recoverable]

GOST R ISO/IEC 27005-2010. Information technology. Methods and means of security. Information Security Risk Management
[text not recoverable; mentions the ISO 27K series]



Appendix C provides examples of typical threats, and Appendix D presents typical vulnerabilities.

NIST Special Publications


  1. NIST SP 800-30. Guide for Conducting Risk Assessments
  2. NIST SP 800-39. Managing Information Security Risk

NIST SP 800-30. Guide for Conducting Risk Assessments
The document focuses on risk management at the level of an organization’s management.


NIST SP 800-39. Managing Information Security Risk
The document describes an enterprise-level information security risk management methodology. The main goal of the methodology is to connect the information security system with the mission and objectives of the organization.


OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)


OCTAVE: [text not recoverable]. The methodology consists of 8 steps:



  1. Establish Risk Measurement Criteria.
  2. Develop an Information Asset Profile.
  3. Identify Information Asset Containers.
  4. Identify Areas of Concern.
  5. Identify Threat Scenarios.
  6. Identify Risks.
  7. Analyze Risks.
  8. Select Mitigation Approach.

The threat tree methodology is used to identify the threats carried out in step 5.

Trike Methodology


Trike is based on a risk-based approach to building information security and is intended for conducting information security audits and building threat models.

Distinctive features of this methodology are:


Microsoft threat modeling techniques and publications


Microsoft Security Development Lifecycle (SDL): [text not recoverable; refers to the “waterfall” model and the design stage].


The STRIDE methodology is a classification scheme for describing attacks according to the type of exploit used to carry them out or the motivation of the intruder.

STRIDE is an acronym formed from the first letters of the following categories:


After identifying the threats, the SDL suggests assessing the risks they engender. The DREAD technique can be used for this.

The name of the DREAD methodology is also an acronym formed from the first letters of the categories by which the risk is assessed:


The risk is calculated as:

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5,

where each category is rated from 0 to 10. For example, for Damage Potential:




  1. OWASP Top10 (web applications).
  2. OWASP Testing project (web applications).
  3. WASC Threat Classification (web applications).
  4. Bluetooth Threat Taxonomy (Bluetooth).
  5. ENISA Threat Landscape.
  6. ENISA Threat Taxonomy.
  7. BSI Threat catalogue.
  8. Open Threat Taxonomy (JSON format).
  9. US DoD Comprehensive Military Unmanned Aerial Vehicle smart device ground control station threat model.
  10. VoIP Security and Privacy Threat Taxonomy (VoIP).
  11. Mobile Threat Catalogue (NIST).
  12. ATT&CK.
  13. RS BR IBBS-2.2-2009. “Methodology for risk assessment of information security breaches”.
  14. [text not recoverable].
  15. GOST R 51275-2006. Protection of information. The object of informatization. Factors affecting information. General provisions.
  16. Basic Model of PD Threats, FSTEC, 2008.

Source: https://habr.com/ru/post/351326/

