Tag Archives: Threat Modeling


14 February 2015

I just finished a week of hard work. Some application owners asked me to run a (short!) security assessment for a single sign-on module they use in their internal database applications.

With the help of an application manager and a copy of the PL/SQL code I started developing a threat model. Thanks to the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) framework developed by Microsoft, I was able to get a good understanding of the system and its weaknesses.

Generally threat modeling does not include a review of the program code. But in this case a closer look at the code was very helpful for understanding the information flows and for answering the questions posed by STRIDE.

I can only recommend to every system development project: start threat modeling as early as possible to get the most out of it. Software quality and system security will increase dramatically, at no extra cost.

Happy Valentine’s Day!

Hacking the Nike+ Fuelband

5 February 2015

Ethan Zonca’s report ‘Hacking the Nike+ Fuelband’, published on HACKADAY some days ago, is somewhat alarming, although the device is just an electronic gadget that hopefully does not make our daily life more complex.

But this hack should make us really worried if we consider devices in safety-relevant systems or devices connected to critical infrastructure.

Consider a mobile phone that connects via Bluetooth to your car’s audio system. Today, a car is a computer on four wheels, and the audio system is an interface to this computer. Now think about malware on your phone that shuts down this computer at 200 km/h.
OK, only crazy guys drive at this speed, and only in Germany. But the impact of a completely uncontrolled crash on other road users and the environment might be catastrophic.

The Internet of Things offers us virtually unlimited opportunities. But IT security comes first, because it is the basis for safety. The developers of this Fuelband didn’t waste a thought on IT security. I bet threat modeling is completely unknown to them. Hopefully they tried harder in the case of your car’s computer, or in the case of the sensors controlling the temperature in power plants…

Don’t panic!

The Home Depot Story

13 November 2014

After two months of investigation the reason for the Home Depot data breach appears to be clear: cyber criminals used stolen credentials from a third-party vendor to enter the Home Depot network. A report by Mike Davin from November 7, 2014 gives some more details: ‘The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy “unique, custom-built malware” on its self-checkout systems in the U.S. and Canada.’

It’s a complete mystery to me why companies do not secure access to business-critical data with two-factor authentication (TFA). TFA would severely hamper such data breaches. I am not overly surprised that the attackers could acquire elevated privileges.

But what really worries me is that the attackers were able to deploy software to the company’s point-of-sale devices. It is quite obvious that the software deployment process is not sufficiently secured and could easily be tampered with.

From my point of view, Home Depot’s IT should invest some time in threat modelling the software deployment process to avoid such incidents in future. In particular, strict enforcement of the separation-of-duties principle will prevent unplanned deployment of critical software.

Have a good day!

Threat modelling helps identify the crown jewels

4 October 2014

The crux of the matter with complex application systems is that they are composed of lots of components which communicate with each other. Most users, and sometimes even the IT application administrators, associate a single component, e.g. the web service they use through their browser, with the entire application system.

When it comes to information classification, this limited view prevents the identification of the really important components, namely those where the critical information is stored and processed. As a result, money is wasted on the protection of less relevant system components while critical components remain unprotected.

In these cases the development of a threat model will lead to a far better understanding of the application system.

Just start with the user’s view of the system. Arrange meetings with application developers and administrators, key users, system architects and administrators. Show them your model and ask them to add more details. After some time you will get a more detailed model and a much better understanding of the application system, the really important components and the information flow between them.

Light Bulb Moment

On Wednesday I had such a light-bulb moment. We discussed information stored in an EH&S system. From this system, Material Safety Data Sheets (MSDS) are created for the shipment of dangerous goods. The carrier receives a copy and has to show it to the authorities on request. Why should we keep this information secret?

After some discussion we identified the system component where the really important information was stored and managed. The EH&S system holds only the extract of the information that is required to create the MSDS.

The threat model was of great help in this case. As soon as we added the new component, the STRIDE approach showed us the direction towards stronger protection of the critical information.

Have a good weekend.

The Art of Threat Modeling

18 September 2014

Currently I am very busy with the hardening of complex applications. As a starting point I develop a threat model of the application system.

Threat models are powerful tools in the design phase of the software development process. They are the basis for the security design of systems and applications. From the threat model, vulnerabilities can be identified and mitigation measures can be designed.

If the threat model is refined during further development, it can be used for verification, validation and test case creation.

Developing a threat model for an existing application system is a complex communication task. In most cases people from different organizational units within a company, e.g. IT operations or application development, must be involved.

However, the main challenge is to develop a complete model that finds all potential vulnerabilities and risks. Let me clarify this by means of a simplified model of a web application.

A simplified web application is built from an application service and some data stores. The user communicates through an internet browser with the application service. The application service stores data in a database and on a file share. Thus the building blocks are two data stores, an application process and the browser process on the client computer. In addition we have one data flow from the user’s browser to the application service and two data flows from the application service to the data stores.

Threat Model Simplified Three Tier Application System

The picture above shows this simplified threat model created with Microsoft Threat Modeling Tool 2014 (TMT). TMT uses the STRIDE threat model as a basis for threat identification. STRIDE is an acronym for

Spoofing identity,
Tampering with data,
Repudiation,
Information disclosure,
Denial of service and
Elevation of privilege.

These are commonly used threat categories.

Unfortunately our model is not complete. An attacker would try to bypass the application to get direct access to the data stored in the database and on the file share. Thus we have to add two applications and two data flows to our simplified model:

Threat Model Simplified Three Tier Application System Extended

For each object, TMT generates threats from the STRIDE categories depending on the object type, e.g. database, application or data flow. This is the main advantage of TMT over manual threat creation, because you can focus on the design of mitigation measures.
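To make the per-object threat generation concrete, here is an added example (my own code, not from the original post or from Microsoft TMT) that enumerates STRIDE-per-element threats for the simplified three-tier model and then for the extended one with the two direct-access applications. The element names and the per-element category mapping are assumptions; TMT's actual rule set is richer and produces more specific threats.

```python
# Added example, not code from the original post or from Microsoft TMT: a
# minimal STRIDE-per-element enumerator for the simplified three-tier model,
# then for the extension with two applications that reach the stores directly.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Which categories apply to which DFD element type (STRIDE-per-element).
# Assumption: textbook baseline only; TMT's own rule set is richer.
PER_ELEMENT = {"process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}

def threats(elements, flows):
    """One (target, category) pair per applicable STRIDE letter, mirroring
    what TMT auto-generates from a diagram. elements: name -> type,
    flows: list of (source, destination)."""
    out = [(n, STRIDE[c]) for n, k in elements.items() for c in PER_ELEMENT[k]]
    out += [(f"{s} -> {d}", STRIDE[c]) for s, d in flows
            for c in PER_ELEMENT["dataflow"]]
    return out

def simplified_model():
    """Two data stores, an application process and the browser process,
    with the three data flows from the post (names are constructed)."""
    elements = {"Browser": "process", "AppService": "process",
                "Database": "datastore", "FileShare": "datastore"}
    flows = [("Browser", "AppService"), ("AppService", "Database"),
             ("AppService", "FileShare")]
    return elements, flows

def extended_model():
    """The post's correction: two more applications and two more flows that
    bypass the application service and hit the data stores directly."""
    elements, flows = simplified_model()
    elements = {**elements, "DirectDbClient": "process",
                "DirectShareClient": "process"}
    flows = flows + [("DirectDbClient", "Database"),
                     ("DirectShareClient", "FileShare")]
    return elements, flows

def bypass_threats(model, store):
    """Threats on flows into `store` not coming from AppService: empty for
    the simplified model, which is exactly why that model is incomplete."""
    return [t for t in threats(*model)
            if t[0].endswith(f"-> {store}") and not t[0].startswith("AppService")]

if __name__ == "__main__":
    print(len(threats(*simplified_model())), "threats in the simplified model")
    print(len(threats(*extended_model())), "threats in the extended model")
    for target, category in bypass_threats(extended_model(), "Database"):
        print(target, category)
```

The difference between the two models is exactly the set of threats on the bypass flows into the data stores, which is what the mitigation work then has to address.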

Threat Model Three Tier System Mitigation

You can download TMT from the Microsoft Download Center.