Security risk assessment work

Reference links: https://zhuanlan.zhihu.com/p/22369557
https://www.secrss.com/articles/3298

Foreword

The purposes of risk assessment are:

Identify the threats the system faces
Determine the impact such a threat may have once it becomes reality
Determine the likelihood or difficulty of that happening

Common risk assessment process:

Asset identification / system analysis > Threat analysis > Risk identification / security testing > Mitigation measures and response

1. Asset identification / system analysis

  • Asset identification means identifying the critical assets in the system, i.e. answering the question "what needs to be protected?". In general, the critical assets of a system are the system itself and its business data, including core business components, user data, the credentials and passwords used for authentication, keys, and so on.

  • System analysis is a prerequisite for threat analysis: only once the functions, structure, traffic flows, etc. of the information system under evaluation are fully understood can threat analysis be carried out. First gain a high-level understanding of the system, then decompose it along several dimensions, and finally connect the decomposed components in series through the traffic flows, following a "global - local - whole" analysis process. Note that before system analysis begins, its constraints and boundaries must be fixed according to the purpose of the project; otherwise the system analysis can never be finished.
  • If possible, it is recommended to draw an overall system architecture diagram. Generally the following analyses can be done:
    Network analysis (where the system sits in the network / peripheral systems, etc.)
    Software architecture analysis (OS / DB / platform / web backend, etc.)
    Internal and external interface analysis (maintenance interfaces, service interfaces / debug interfaces, etc.)
    Typical business process / scenario analysis (business scenario 1 / business scenario 2 / ...)
    Management / maintenance scenario analysis (local maintenance scenarios / remote maintenance scenarios / ...)
    Critical event analysis (login / authentication / authorization / data reading / ...)

2. Threat Analysis

  • What a threat is can be explained from the security triad: confidentiality, integrity and availability; in general, non-repudiation also needs to be added.

  • Threat classification:

    - Threats to confidentiality
    Stealing user identities and authentication information by sniffing, brute force and other means, then impersonating legitimate users to access the system. An attacker illegally obtains confidential data stored in or transmitted by the system, such as user authentication information, user
    - Threats to integrity
    Modifying data sent to the system or received from it so as to affect business logic, e.g. bypassing authentication mechanisms, cheating the billing system, performing unauthorized operations, etc.
    - Threats to availability
    Flooding, malformed-packet attacks and other means that leave the system unable to provide normal service.
    - Threats to non-repudiation
    Modifying system access logs or audit logs to hide the traces of an attack, or modifying records of business behaviour.

  • Threat analysis is the identification of threats; summed up in one sentence it reads:
    An attacker (threat source), using vulnerability XXX (weakness), by means of XXX (attack surface / attack method), produces threat XXX (consequence) against XXX (critical asset).

  • There are many routine ways of doing threat analysis, and any method that identifies the threats will do. The industry also has some fairly mature models, such as X.805 layered analysis, attack tree models, Microsoft's STRIDE threat modeling, and others.

3. STRIDE Threat Modeling

STRIDE divides threats into six dimensions, as follows:

Security threat          Definition                            Corresponding property
Spoofing                 Impersonating an authorized user      Authentication
Tampering                Modifying data or code                Integrity
Repudiation              Denying having performed an action    Non-repudiation
Information disclosure   Disclosure of information             Confidentiality
Denial of service        Denial of service                     Availability
Elevation of privilege   Gaining unauthorized access           Authorization

- Spoofing (counterfeiting), e.g.: fake base stations, game cheat plug-ins

- Tampering, e.g.: modifying location information to clock in from anywhere

- Repudiation: retain the necessary audit logs so that an attack can be traced afterwards

- Elevation of privilege, e.g.: vertical privilege escalation

  • The first step of STRIDE modeling is to draw a data flow diagram of the decomposed business scenario.
    Specifically, it is drawn using the Microsoft Threat Modeling Tool.
    The core elements are: processes, data stores, data flows and external entities.

  • After the data flow diagram is drawn, analyse one by one the six STRIDE threat types that each element of the diagram may face; not every element needs to be analysed against all six.

  • Output a threat list and mitigation plan, for example:
    Component:          web application user authentication process
    Threat description: attacker obtains authentication credentials by monitoring the network
    Threat type:        I (information disclosure)
    Attack technique:   use of network monitoring software
    Mitigation plan:    use SSL to provide an encrypted channel
    Risk rating:
    This is called a "mitigation plan" rather than an "elimination plan" because, when actually doing STRIDE threat analysis, we find that for various practical reasons not every threat can be completely eradicated.
    Threats are rated according to the danger they pose, so that the most dangerous threat can be addressed first and the others afterwards. In fact, addressing every identified threat may not be economically feasible, so a decision can be made to ignore some of the
  • DREAD threat rating model
    DREAD is formed from the initials of the indicators used to rate a threat:
    Damage potential: how great is the damage if the weakness is exploited?
    Reproducibility: how easy is it to reproduce the attack repeatedly?
    Exploitability: how much effort does it take to launch the attack?
    Affected users: roughly what percentage of users is affected?
    Discoverability: how easy is it to discover the weakness?
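The following is an added example (not from the original post) that ties the STRIDE-per-element step, the threat list and the DREAD rating together for the login scenario above. It assumes Microsoft's usual STRIDE-per-element mapping, a 0..10 scale for each DREAD score with the mean as the overall rating, and constructed DFD elements and scores.

```python
from dataclasses import dataclass

# STRIDE-per-element: the threat types each kind of DFD element is normally
# assessed against (Microsoft's published mapping; assumed here).
STRIDE_PER_ELEMENT = {
    "external entity": "SR",
    "process": "STRIDE",
    "data store": "TRID",
    "data flow": "TID",
}

@dataclass
class Threat:
    component: str
    threat_type: str                 # one STRIDE letter
    description: str = "TBD"
    attack: str = "TBD"
    mitigation: str = "TBD"
    dread: tuple = (0, 0, 0, 0, 0)   # Damage, Reproducibility, Exploitability,
                                     # Affected users, Discoverability; 0..10 each

    def rating(self) -> float:
        """DREAD rating: mean of the five scores (assumed 0..10 scale)."""
        return sum(self.dread) / len(self.dread)

def enumerate_threats(elements):
    """One placeholder threat row per applicable STRIDE letter per DFD element."""
    return [Threat(name, letter)
            for name, kind in elements
            for letter in STRIDE_PER_ELEMENT[kind]]

def rank(threats):
    """Highest DREAD rating first, so the most dangerous threats are handled first."""
    return sorted(threats, key=lambda t: t.rating(), reverse=True)

# Constructed DFD elements for the web-application login scenario in the post.
ELEMENTS = [("browser user", "external entity"),
            ("login request", "data flow"),
            ("user authentication process", "process"),
            ("credential store", "data store")]

def example_register():
    """Threat list with the post's sample row filled in and DREAD-scored (scores constructed)."""
    rows = enumerate_threats(ELEMENTS)
    for t in rows:
        if t.component == "login request" and t.threat_type == "I":
            t.description = "attacker obtains credentials by monitoring the network"
            t.attack = "network monitoring software"
            t.mitigation = "use SSL/TLS to provide an encrypted channel"
            t.dread = (8, 9, 7, 10, 8)
        elif t.component == "credential store" and t.threat_type == "D":
            t.dread = (6, 5, 4, 10, 5)
    return rank(rows)
```

Rows still rated 0 are the placeholders a reviewer has not yet scored or has decided to accept; the ranking puts the scored, most dangerous threats at the top.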


Source: www.cnblogs.com/bingogo/p/11608455.html