SEC Secure. Usable. Cheap. Data. Applications. Host Internal Network Perimeter Physical Security. People, Policies, & Process.

(1)

Threat Modeling

Networks

Jesper M. Johansson

Senior Security Strategist

Microsoft Corporation

http://

blogs.technet.com/jesper_johansson

Fundamental Tradeoff

Secure

Usable

_Cheap

You get to pick any two!

Perimeters Are Weak

Defense in Depth

Threat Modeling is one part of a Defense in Depth strategy

Supplement it with other measures

People, Policies, & Process

OS hardening, patch management,

authentication, HIDS

Firewalls, VPN quarantine

Guards, locks, tracking devices

Network segments, IPSec, NIDS

Application hardening, antivirus

ACL, encryption

User education

Physical Security

Perimeter

Internal Network

Host

Application

Data

Lessons Learned From Experience

Most security tweaks do not improve

security

Security changes without a threat model do

not improve security

Focus is often on the wrong thing

Analysis of target environment is essential

Threat model must correlate with security

policy

Group policy is a bonus

Careful smoke

-

testing needed

Applying the lessons

-

DSR

Document

Model applications and services

Environment dependent

Segment

Applications

Security requirements

Restrict

Disable services

Close ports

Use IPSec or RRAS filters

Use different passwords

(2)

Document

Modeling Systems with DFDs

Graphic representation showing

communication between objects

Describes activities that process data

Shows how data flows through a system

Shows logical sequence of associations and

activities

Sometimes known as a process model

We are appropriating and modifying this

method

Modified Data Flow Diagram

Conventions

Data Flow

Model The Network

Internet

Domain Controller Client

Corporate Domain Controller Corporate Clients

Client

Web Farm 2 SQL Cluster Web Farm 1 SQL Cluster VPN Server

Corp Servers

Superimpose a DFD

Internet

Domain Controller Client

Corporate Domain Controller Corporate Clients

Client Web Farm 2 Web Farm 1 SQL Cluster

VPN Server SQL Cluster

Corp Servers

Component Segmentation

(3)

Network Segmentation

Segment systems by application and

security requirements

Should you trust systems that are not part

of your application?

Which systems do they trust?

What are their security requirements?

Less sensitive systems may depend on

more sensitive systems

More sensitive systems

MUST NEVER

depend on less sensitive systems

End Goal

Documenting Segments

Domain Controller

Corp Servers Corp Clients Corp DCs Internet Client

W

e

b

F

a

rm

1

S

Q

L

C

lu

s

te

r

1

W

e

b

F

a

r

m

2

S

Q

L

C

lu

s

te

r

2 VPN

Domain Controller 1433

DC Traffic DC Traffic

DC traffic 80, 443

443

1433 3389 3389 3389

Term Serv Term Serv 3389

3389

1723 1433

DC traffic DC traffic DC traffic DC traffic

DC traffic DC traffic 3389 DC Traffic

Trust Boundaries

Systems and entities you trust are included

within your trust boundary

Never share administration and accounts

across boundaries

Should your trust boundary include

databases?

It depends

…

Trust Boundaries

Internet Client

W

e

b

F

ar

m

1

SQL 1

Domain Controller 1433

DC Traffic DC Traffic 80, 443 Trust Boundary

Staging Server 445

1433

Threat Analysis

(4)

Fault Trees

Demonstrate logical paths through a

system

Used to highlight faults in a system

Points out relationships between faults

Allow us to estimate the interactions

between faults

Port 80 open

in firewall

Port 1433 open

in firewall

Write access

to web app

1434 open in

firewall

DLL Loading

Trojan

0.7 0 .8 0.5

Vroots with

Execute

Dump LSA

Secrets

Shared svc accts

with admin privs

Exploit Blank

SA Password

0.3 0.9 0.7 1 .0 0 .5

1434 BO on

SQL

Root SQL

0.0

Blank SA

password

0.0 1 .0

Goal: Root the SQL Server

OR condition

-Probability:

MAX[(0.9*0.7), 0.3] = 0 . 6 3

Probability:

0.5

Aggregate

Probability:

MAX[MIN(0.7,0.0), MIN(0.5,0.0), 1 . 0 * 0 . 5 0 4 ] = 0.504

Pre requisite

-Probability:

0.8*0.63 = 0.504

OR condition

– Probability:

MAX[1.0*0.5, 0.7] = 0.7

Port 80 open

in firewall

Port 1433 open

in firewall

Write access

to web app

1434 open in

firewall

DLL Loading

Trojan

0.7 0 .8 0.5

Vroots with

Execute

Dump LSA

Secrets

Shared svc accts

with admin privs

Exploit Blank

SA Password

0.3 0.9 0.7 1 .0 0 .5

1434 BO on

SQL

Root SQL

0.0

Blank SA

password

0.0 1 .0

Preventative Measures

Break here by

restricting

outgoing traffic

from servers

Break here by

removing

security

dependencies

Break here with

IIS lockdown

Break here

with best

practices

Break here

with SQL

hardening

Restrict

Policies allow nothing but

…

Disable unnecessary services

Remove users

Restrict privileges

Turn on security tweaks

Remove permissions

Set very strong passwords

Restrict communications

IPSec

RRAS filters

Manage Administrative

Dependencies

An administrator on any given machine can

run code as any user logging on to that

machine

What other machines do your

admins

log on to?

Who administers those machines

Administrative dependencies

balloon

–

fast!

Enumerating actual administrators

is hard

(5)

How Many

Admins

Do

You Have?

Limit Service Account Trust

Environment

Any admin can retrieve service account

credentials

Service accounts frequently have

Administrative privileges

…

on several machines

Implements the

“

least common security

denominator

”

Consider security needs

NetworkService

and

LocalService

are

useful, to a point

Dependency Chain Example

Attacker

1. Hacks Test-Host, gets account “Cedric”

2. Uses Cedric’s account to compromise

SQL Server

SQL Server gives up account “Bob”

3. Bob is an Admin on the Web Server

Web server has service account _Svc

4. _Svc is a domain admin!

0wn3d!

Conclusion

Hardening networks requires understanding

the environment

Optimal hardening requires deep

understanding

There is a fundamental tradeoff between

security and usability

Three

-

phase approach to network

hardening

Document

Segment

Restrict

For more information

See Chapters 8 and 9

Order online:

http://www.awprofessio

nal.com/title/032133643

7

7 Use promo code

Use promo code

JJSR6437

Resources

Tools

Registry Monitor, File Monitor, Process

Explorer, et. al.

http://www.sysinternals.com

My Email:

Technical information

Security Guidance Center

http://www.microsoft.com/security/guidance/ http://www.microsoft.com/security/guidance/ MBSA MBSA http://www.microsoft.com/technet/security/tools/mb http://www.microsoft.com/technet/security/tools/mb sahome.mspx sahome.mspx

Open Hack IV Hardening

http://msdn.microsoft.com/library/en

http://msdn.microsoft.com/library/en-

-us/dnnetsec/html/openhack.asp

us/dnnetsec/html/openhack.asp

Jesper

Jesper’’s Security Columnss Security Columns

http://go.microsoft.com/fwlink/?LinkId=28592

Threats and Countermeasures

Security news

Security Bulletin Notification

Security Bulletins

http://www.microsoft.com/

http://www.microsoft.com/technet/security/currenttechnet/security/current

.aspx

Security guidance and training

Windows 2000 Security Hardening Guide

Windows Server 2003 Security Guide

Windows XP Security Guide

Exchange Server 2003 Security Hardening Guide

Microsoft Guide to Security

Patch Management

(6)

SEC Secure. Usable. Cheap. Data. Applications. Host Internal Network Perimeter Physical Security. People, Policies, & Process.

Threat Modeling

Threat Modeling

Networks

Networks

Jesper M. Johansson

Jesper M. Johansson

Senior Security Strategist

Senior Security Strategist

Microsoft Corporation

Microsoft Corporation

[email protected]

[email protected]

http://

http://

blogs.technet.com/jesper_johansson

blogs.technet.com/jesper_johansson

Fundamental Tradeoff

Fundamental Tradeoff

Secure

Usable

Cheap

You get to pick any two!

You get to pick any two!

Perimeters Are Weak

Perimeters Are Weak

Defense in Depth

Defense in Depth

Threat Modeling is one part of a Defense in Depth strategy

Threat Modeling is one part of a Defense in Depth strategy

Supplement it with other measures

Supplement it with other measures

People, Policies, & Process

OS hardening, patch management,

authentication, HIDS

Firewalls, VPN quarantine

Guards, locks, tracking devices

Network segments, IPSec, NIDS

Application hardening, antivirus

ACL, encryption

User education

Physical Security

Perimeter

Internal Network

Host

Application

Data

Lessons Learned From Experience

Lessons Learned From Experience

Most security tweaks do not improve

Most security tweaks do not improve

security

security

Security changes without a threat model do

Security changes without a threat model do

not improve security

not improve security

Focus is often on the wrong thing

Focus is often on the wrong thing

Analysis of target environment is essential

Analysis of target environment is essential

Threat model must correlate with security

Threat model must correlate with security

policy

policy

Group policy is a bonus

Group policy is a bonus

Careful smoke

Careful smoke

-

-

testing needed

testing needed

Applying the lessons

Applying the lessons

-

-

DSR

DSR

Document

_Cheap