DFD Based Threat modelling | Set 1
Prerequisite – Threat Modelling
DFD based Threat Modelling is one of two methods for visually representing the system being modelled; the other is Process Diagram based Threat Modelling. With this approach the threat modelling team identifies the key processes in the system, and the threats to those processes, by systematically following the flow of data through the system. The approach has the following steps:
- View System as an adversary
- Characterize the system
- Identify the threats
Let’s discuss these steps in detail one by one.
1. View System as an adversary:
This is the first and foremost thing to do while modelling a system using the DFD based approach.
This step involves analysing the system through the eyes of the adversary: which processes and functions are visible and accessible to the attacker. From these exposed services the adversary formulates the goals of an attack on the system, so they are what the team must identify first.
Following are the series of steps:
- Identify the Entry/Exit points – An entry point is a point where data enters the application and an exit point is a point where data leaves the application. For the purpose of threat modelling, the following things need to be recorded for each entry/exit point:
- Numerical ID: Assign a numerical id to each entry point and to each exit point for cross-referencing with threats and vulnerabilities.
- Name: Assign a name to each entry and exit point and identify its purpose.
- Description: Write a description explaining what exactly happens at that entry/exit point, and identify the trust levels that exist at that point.
- Identify the assets – The main goal of an adversary is to gain access to an asset. Assets also act as a pass-through point for an adversary, as one asset often interacts with other assets in the system. Thus it is important to identify the assets that need to be protected in a system from unauthorized access. This task is done by a team of security experts. In order to document the list of assets they collect the following data:
- Numerical Id: Each asset should be assigned a numerical Id for cross-referencing with threats and vulnerabilities.
- Name: Assign a name to the asset identified.
- Description: Write an explanation about why an asset needs protection.
- Identify the trust levels – Each entry/exit point is assigned a trust level in order to define the privileges that an external entity has to access and affect the system. The following data need to be recorded while identifying trust levels:
- Numerical Id: A numerical Id should be assigned to each trust level for cross-referencing with threats and vulnerabilities.
- Name: Assign a name to each trust level.
- Description: Write a description explaining the trust level in more detail and outlining its purpose.
2. Characterize the system:
Characterizing the system means gathering background information about the system and identifying the areas that need to be addressed. The following background information needs to be gathered:
- Use scenarios – Identifying use scenarios is very important, as neglecting them can result in a vulnerability. Use scenarios are generally identified by architects and end-users, and can be used by the security testing team for security testing and for identifying attack paths. A use scenario describes the situation or environment in which the system will be used, or is not intended to be used, in terms of its configuration and its security goals and non-goals. The following data need to be recorded for use scenarios:
- Numerical Id: Each use scenario should be given a unique identification number.
- Description: Write a description covering two points: first, a description of the use scenario, and second, whether the use scenario is supported or not.
- External dependencies – External dependencies are dependencies on outside resources and on security policies outside the component. Identifying these is very important, because a threat that originates in an external dependency and is ignored may become a valid vulnerability. The following data need to be recorded:
- Numerical Id: Each external dependency should be assigned a numerical id.
- Description: write a description giving details about an external dependency.
- External Security notes reference: External security notes from one component can be cross-referenced with external dependencies from other components within the application.
- External security notes – External security notes are a means of giving users information about the security and integration of the system. They are used to validate external dependencies and can serve as a mitigation against a threat. The following information needs to be recorded for each external security note:
- Numerical Id: Each security note should be assigned a unique identification number.
- Description: Write a description explaining details about the note.
- Internal security notes: These explain the compromises made while designing and implementing system security. The following information needs to be recorded while identifying internal security notes:
- Numerical Id: Each identified internal security note should be assigned a unique numerical id.
- Description: Write a description explaining what security compromise was made and why it was made.
- Implementation assumptions – These are collected during the design phase and list the details of features that will be implemented later. The following data need to be recorded while identifying internal implementation assumptions:
- Numerical Id: Each identified internal implementation assumption should be assigned a unique numerical id.
- Description: Write a description explaining how the feature is expected to be implemented.
- Modelling the system – The most important point to keep in mind while threat modelling a system is to view the system through the adversary's eyes. A visual representation allows viewing the operation of the subsystems and how they work together. This section deals with how to model a system using a Data Flow Diagram (DFD).
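The records described in steps 1 and 2 above (entry/exit points, assets and trust levels, plus external dependencies and the external security notes that validate them) are all keyed by numerical id so that they can be cross-referenced. The following Python script is an added example, not code from the article or from any threat modelling tool: it stores such an inventory for a hypothetical web shop (all of the sample entries are constructed), checks that every id cited by one record is actually defined and that every external dependency is backed by at least one external security note, and then answers the step 1 question "what does the adversary see" by listing the entry points and assets reachable by an actor holding a given set of trust levels. The class and field names are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrustLevel:
    id: int
    name: str
    description: str


@dataclass(frozen=True)
class Asset:
    id: int
    name: str
    description: str  # why the asset needs protection


@dataclass(frozen=True)
class EntryPoint:
    id: int
    name: str
    description: str
    trust_levels: tuple[int, ...]  # ids of trust levels that may act at this point
    assets: tuple[int, ...]        # ids of assets reachable through this point


@dataclass(frozen=True)
class ExternalDependency:
    id: int
    description: str
    security_notes: tuple[int, ...]  # ids of external security notes covering it


@dataclass(frozen=True)
class ExternalSecurityNote:
    id: int
    description: str


@dataclass
class ThreatModel:
    trust_levels: dict[int, TrustLevel] = field(default_factory=dict)
    assets: dict[int, Asset] = field(default_factory=dict)
    entry_points: dict[int, EntryPoint] = field(default_factory=dict)
    dependencies: dict[int, ExternalDependency] = field(default_factory=dict)
    security_notes: dict[int, ExternalSecurityNote] = field(default_factory=dict)

    def validate(self) -> list[str]:
        """Cross-referencing checks: every id a record cites must be defined,
        and every external dependency must cite at least one security note."""
        errors = []
        for ep in self.entry_points.values():
            for tl in ep.trust_levels:
                if tl not in self.trust_levels:
                    errors.append(f"entry point {ep.id} references undefined trust level {tl}")
            for a in ep.assets:
                if a not in self.assets:
                    errors.append(f"entry point {ep.id} references undefined asset {a}")
        for dep in self.dependencies.values():
            for n in dep.security_notes:
                if n not in self.security_notes:
                    errors.append(f"external dependency {dep.id} references undefined security note {n}")
            if not dep.security_notes:
                errors.append(f"external dependency {dep.id} has no external security note validating it")
        return errors

    def adversary_view(self, held_trust_levels: set[int]) -> dict[str, list[int]]:
        """Step 1, 'view system as an adversary': entry points an actor holding
        the given trust levels can reach, and the assets exposed behind them."""
        exposed = [ep for ep in self.entry_points.values()
                   if set(ep.trust_levels) & held_trust_levels]
        reachable = {a for ep in exposed for a in ep.assets}
        return {"entry_points": sorted(ep.id for ep in exposed), "assets": sorted(reachable)}


def build_sample_model() -> ThreatModel:
    """Constructed inventory for a hypothetical web shop (example data, not from the article)."""
    m = ThreatModel()
    for tl in (TrustLevel(1, "Anonymous web user", "Unauthenticated browser client"),
               TrustLevel(2, "Authenticated customer", "Logged-in customer session"),
               TrustLevel(3, "Administrator", "Staff account with the admin role"),
               TrustLevel(4, "Database server process", "Identity the DB listener runs as")):
        m.trust_levels[tl.id] = tl
    for a in (Asset(1, "User credentials", "Disclosure lets an attacker impersonate any customer"),
              Asset(2, "Order records", "Contain customer addresses and purchase history"),
              Asset(3, "Web server configuration", "Holds connection strings and secrets")):
        m.assets[a.id] = a
    for ep in (EntryPoint(1, "Login page", "HTTPS form; reads the credential store", (1, 2, 3), (1,)),
               EntryPoint(2, "Order history page", "Shows the caller's past orders", (2, 3), (2,)),
               EntryPoint(3, "Admin console", "Edits orders and server settings", (3,), (2, 3)),
               EntryPoint(4, "Database listener", "TCP port reached only by the app tier", (4,), (1, 2))):
        m.entry_points[ep.id] = ep
    m.security_notes[1] = ExternalSecurityNote(1, "Payment gateway is called over TLS with a pinned certificate")
    m.dependencies[1] = ExternalDependency(1, "Third-party payment gateway API", (1,))
    m.dependencies[2] = ExternalDependency(2, "Relational database on a separate host", ())  # no note yet
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for problem in model.validate():
        print("cross-reference problem:", problem)
    print("anonymous attacker sees:", model.adversary_view({1}))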