
IT Infrastructure Threat Modeling Guide

By Donald Richardson, 2014-08-17 16:35
    IT Infrastructure Threat Modeling Guide

Release 1.0

Published: June 2009

    For the latest information, please see microsoft.com/technet/SolutionAccelerators

Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

    If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

    This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

    Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

    Microsoft, ActiveSync, Excel, Microsoft Press, MSDN, SharePoint, Windows, and Windows Mobile are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

    Solution Accelerators microsoft.com/technet/SolutionAccelerators

Contents

Overview  1
  Definition  2
  Purpose of this Guide  2
  Who Should Read this Guide  3
  Microsoft Operations Framework 4.0  3
  How to Use this Guide  4
  Preparing an IT Infrastructure Threat Model  5
  Chapter Summaries  5
  Support and Feedback  6
  Acknowledgments  6
Chapter 1: IT Infrastructure Components  9
  Vision  9
    Use Scenarios  9
  Model the Component  10
    Data Flow  10
    Entry Points  11
    Trust Boundaries and Levels  11
    Protected Resources  11
  Identify Threats  12
  Mitigate Threats  14
    Threat Prioritization  15
  Validate  17
    Dependencies  17
    Implementation Assumptions  18
  Summary  18
Chapter 2: The IT Infrastructure Threat Model Profile  19
  Add Component Threat Model Information to the Portfolio  19
  Prioritize Components  19
Chapter 3: Applied Example: The Threat Modeling Process  21
  Vision  22
  Model the Component  22
    Entry Points  25
    Trust Boundaries and Levels  25
    Protected Resources  25
  Identify Threats  26
  Mitigate Threats  27
    Threat Prioritization  28
  Validate  29
  Summary  30


    Overview

The threat modeling process for commercial software and Web applications has been widely discussed and is reasonably well understood, but little documentation exists for evaluating potential threats to IT infrastructure. The IT Infrastructure Threat Modeling Guide describes and considers the extensive methodology that exists for Security Development Lifecycle (SDL) threat modeling and uses it to establish a threat modeling process for IT infrastructure.

Steve Lipner, Senior Director of Security Engineering Strategy at Microsoft, describes threat modeling as follows:

"At Microsoft we've made threat modeling a fundamental component of the Security Development Lifecycle, our process for improving the security of the software and services we develop. But threat modeling is a general approach to identifying the ways that the security of any system might fail and then identifying measures for preventing or mitigating those failures. The application of threat modeling to IT infrastructure is a natural extension of the concept, and this guide is a great resource for organizations that wish to improve the security of their IT systems."

For more information about SDL, see Investigating the Security Development Lifecycle at Microsoft (pdf) or The Security Development Lifecycle.

    Why should you consider threat modeling for your IT infrastructure? The most important reasons include the viability and reputation of your organization. The consequences of a successful cyberattack would almost certainly affect your organization's ability to conduct its day-to-day business operations. Also, if such an attack exposed confidential information, your organization could be perceived as one that failed to do what was necessary to protect itself, which could affect its ability to conduct business in the future. In addition, failure to protect customer information could subject you and your organization to legal liabilities and potentially significant fines.

    Threat modeling allows you to determine what threats exist that could affect your organization's IT infrastructure, helps you identify threat mitigations to protect resources and sensitive information, and helps you prioritize the identified threats so that you can manage your security efforts in a proactive manner.

Threat modeling for your IT infrastructure should immediately follow a well-conducted risk assessment that is fully supported by management. "Chapter 4: Assessing Risk" in the Microsoft® Security Risk Management Guide provides an excellent overview of the risk assessment phase, including planning, data gathering, and risk prioritization. Your output from this phase should be a detailed analysis and a list of significant risks that a team can use to make the appropriate business decisions. After you complete the first threat model for your IT infrastructure, you might find the information in "Chapter 6: Implementing Controls and Measuring Program Effectiveness" of the Security Risk Management Guide to be helpful.

Definition

IT infrastructure threat modeling is the practice of considering what attacks might be attempted against the different components in an IT infrastructure. Generally, threat modeling assumes the following conditions:

- Organizations have resources (in this case, IT components) that they wish to protect.
- All resources are likely to exhibit some vulnerabilities.
- People might exploit these vulnerabilities to cause damage or gain unauthorized access to information.
- Properly applied security countermeasures help mitigate threats that exist because of vulnerabilities.

The IT infrastructure threat modeling process is a systematic analysis of an organization's IT components that compiles component information into profiles. The goal of the process is to develop a threat model portfolio, which is a collection of component profiles.

    Purpose of this Guide

The purpose of this guide is to provide an easy-to-understand method that enables IT professionals to develop threat models for their environments and prioritize their investments in IT infrastructure security.

IT infrastructure threat modeling should be incorporated into an organization's IT mindset as a matter of policy, much like any other part of the validation, implementation, and installation process. Threat modeling in the name of secure infrastructure should be performed throughout the technology implementation process, much like any other component that is measured for performance, usability, and availability. The three pillars of IT security are confidentiality, integrity, and availability (CIA). One way to establish these pillars as a basis for threat modeling your IT infrastructure is through Microsoft Operations Framework (MOF) 4.0, a framework that provides practical guidance for managing IT practices and activities throughout the entire IT lifecycle. The Reliability Service Management Function (SMF) in the Plan Phase of MOF addresses creating plans for confidentiality, integrity, availability, continuity, and capacity. The Policy SMF in the Plan Phase provides context to help understand the reasons for policies, their creation, validation, and enforcement, and includes processes to communicate policy, incorporate feedback, and help IT maintain compliance with directives. The Deliver Phase contains several SMFs that help ensure that project planning, solution building, and the final release of the solution are accomplished in ways that fulfill requirements and create a solution that is fully supportable and maintainable when operating in production.

    Start the IT infrastructure threat modeling process from the onset of any new technology project, because doing so might reveal weaknesses in your architecture or implementation and design planning that could require significant changes to the project. Design changes early in the implementation process are significantly less expensive than a complete reimplementation after a failed attempt that wasn't well planned, or if an insufficiently secured system achieves production status.

Consider engaging in an IT infrastructure threat model portfolio review process annually, even if no major changes are made to the organization's IT infrastructure. Because threats and risks are dynamic, your threat modeling efforts should be as well. Attackers won't stop their attempts to exploit vulnerabilities, and your efforts to mitigate potential threats will help make compromise less likely. The IT infrastructure threat modeling process might also improve an organization's audit profile by showing that the process is consistently practiced. In addition, mitigations achieved during the threat modeling process might prevent the need to undertake the same effort in the high-pressure spotlight of an audit and its potential mandates.

    The practice of threat modeling can be woven into the fabric of most ongoing IT infrastructure use scenarios. Consider involving administrators, engineers, architects, and project managers, preferably with managerial support as well. Project manager assistance can be especially helpful for focusing on the security aspects of each use scenario.

    Who Should Read this Guide

    This guide is written for IT professionals, including administrators, analysts, architects, engineers, and managers who are responsible for the protection of specific critical resources for their organizations. It is meant for use by IT professionals who handle all aspects of IT for their organizations as well as IT professionals who have specific security-related duties as part of a much larger IT staff.

    In addition, this guide is intended to be transparent to roles and applicable to all who wish to undertake the IT infrastructure threat modeling process.

    Microsoft Operations Framework 4.0

The IT Infrastructure Threat Modeling Guide is related to a series of materials for the cost-effective management of IT services. As referenced earlier in the "Purpose of this Guide" section, this guide is related to the Plan and Deliver Phases of MOF 4.0. For more information about MOF and other helpful materials, visit the Microsoft Operations Framework page on Microsoft TechNet.

How to Use this Guide

    A good threat model typically includes good documentation, including a defined process to help ensure that you avoid common pitfalls such as scope creep (a project management term for uncontrolled or poorly managed changes). Consider the following steps to frame the process:

1. Establish a Vision. Document what purpose or function the component provides to the organization. It is important to obtain as many perspectives as possible, so you should solicit input from anyone in the organization who has knowledge of the component.

2. Model, or Create a Diagram. The diagram should include processes, data stores, data flows, and trust boundaries that separate the components from each other and from external entities. The goal of the model (diagram) is to facilitate focused discussion by detailing just those parts of an IT infrastructure component that are relevant to the threat modeling process.

3. Identify Threats. For each component, consider what threats it faces. Use a malicious mindset from the perspective of an untrusted outsider as well as that of a trusted user. This guidance will map parts of the Microsoft STRIDE threat model approach to the security concepts of confidentiality, integrity, and availability as a way to provide a useful framework you can use to assess exploitability. For more information about STRIDE, see Uncover Security Design Flaws Using the STRIDE Approach on MSDN® (the Microsoft Developer Network).

   STRIDE is an acronym for:

   - Spoofing identity
   - Tampering with data
   - Repudiation
   - Information disclosure
   - Denial of service
   - Elevation of privilege

4. Mitigate Threats. Mitigation and prevention are key in this step. How and when will the infrastructure weakness be resolved? Part of this process should include determining your priorities, for example, addressing the most severe threats with the appropriate mitigation(s) first. Base this effort on both the likelihood of a threat being exploited and the potential impact of such an exploit on your infrastructure. The guidance focuses on a model of prioritization that follows a High, Medium, Low standard to avoid complexity.

5. Validate. It is essential that you validate the model, the threats list, the mitigations and their priorities, as well as all dependencies and assumptions.

This five-step process should be viewed as an ongoing cycle that is fueled by the purpose stated earlier in the guide: to establish a threat modeling process.
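The five steps above describe a component profile as data (vision, diagram elements, threats, mitigations, dependencies, assumptions) plus a rating and a validation pass. The following Python is an added example, not code from the guide or from Microsoft, that captures one profile in that shape, rates each STRIDE threat on the guide's High/Medium/Low scale, validates the profile the way step 5 asks, and ranks a small portfolio. The STRIDE-to-CIA table, the 1-3 likelihood/impact matrix, and the sample "Mobile messaging gateway" and "Print server" components are assumptions constructed for illustration; the guide names the steps and the scale but does not publish these tables.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed mapping of STRIDE categories onto the CIA pillars. The guide says it maps
# "parts of" STRIDE to CIA but does not print the table, so this one is ours.
STRIDE_TO_CIA = {
    "Spoofing": "Integrity",                       # a forged identity corrupts who-did-what
    "Tampering": "Integrity",
    "Repudiation": "Integrity",                    # unaccountable actions break the record
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Confidentiality",   # unauthorized reach into protected resources
}


def rate_priority(likelihood: int, impact: int) -> str:
    """Assumed rating matrix: likelihood and impact on a 1-3 scale, product bucketed
    into the guide's High / Medium / Low standard."""
    for value in (likelihood, impact):
        if value not in (1, 2, 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Threat:
    title: str
    category: str          # one of the STRIDE names
    entry_point: str       # the diagram entry point the threat arrives through
    likelihood: int
    impact: int
    mitigation: Optional[str] = None

    @property
    def priority(self) -> str:
        return rate_priority(self.likelihood, self.impact)

    @property
    def pillar(self) -> str:
        return STRIDE_TO_CIA[self.category]


@dataclass
class Profile:
    """One component profile: steps 1-2 are the fields, steps 3-5 work on the lists."""
    component: str
    vision: str
    entry_points: list
    trust_boundaries: list
    protected_resources: list
    threats: list = field(default_factory=list)
    dependencies: list = field(default_factory=list)
    assumptions: list = field(default_factory=list)


def validate(profile: Profile) -> list:
    """Step 5: return findings; an empty list means the profile passes review."""
    findings = []
    if not profile.vision.strip():
        findings.append("vision is empty")
    if not profile.entry_points:
        findings.append("no entry points modeled")
    for t in profile.threats:
        if t.category not in STRIDE_TO_CIA:
            findings.append(f"{t.title}: unknown STRIDE category {t.category!r}")
        if t.entry_point not in profile.entry_points:
            findings.append(f"{t.title}: entry point {t.entry_point!r} not in the model")
        if t.mitigation is None:
            findings.append(f"{t.title}: {t.priority} threat has no mitigation")
    if not profile.dependencies:
        findings.append("dependencies not documented")
    if not profile.assumptions:
        findings.append("implementation assumptions not documented")
    return findings


def prioritized_threats(profile: Profile) -> list:
    """Step 4 ordering: most severe first, stable by title within a level."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(profile.threats, key=lambda t: (order[t.priority], t.title))


def rank_portfolio(portfolio: dict) -> list:
    """Portfolio view: components carrying the most High threats first, then Medium."""
    def key(item):
        name, p = item
        high = sum(1 for t in p.threats if t.priority == "High")
        medium = sum(1 for t in p.threats if t.priority == "Medium")
        return (-high, -medium, name)
    return [name for name, _ in sorted(portfolio.items(), key=key)]


# Constructed sample profiles (hypothetical components, not the guide's Chapter 3 example).
gateway = Profile(
    component="Mobile messaging gateway",
    vision="Relays corporate mail to employee handheld devices",
    entry_points=["Internet-facing HTTPS listener", "Admin console"],
    trust_boundaries=["Internet / DMZ", "DMZ / internal network"],
    protected_resources=["Mailbox contents", "Device credentials"],
    dependencies=["Directory service", "Certificate authority"],
    assumptions=["TLS is terminated on the gateway, not on the firewall"],
)
gateway.threats += [
    Threat("Credential guessing on the listener", "Spoofing",
           "Internet-facing HTTPS listener", 3, 3,
           mitigation="Account lockout and device certificates"),
    Threat("Mailbox data read in transit", "Information disclosure",
           "Internet-facing HTTPS listener", 2, 2,
           mitigation="Enforce TLS 1.2 with strong ciphers"),
    Threat("Console flood exhausts sessions", "Denial of service", "Admin console", 1, 2),
]
print_server = Profile(
    component="Print server", vision="Queues print jobs for office printers",
    entry_points=["SMB share"], trust_boundaries=["Internal network / server"],
    protected_resources=["Spooled documents"], dependencies=["Directory service"],
    assumptions=["Only domain members reach the share"],
    threats=[Threat("Spool files read by other users", "Information disclosure",
                    "SMB share", 1, 1, mitigation="Per-user spool directory ACLs")],
)
portfolio = {p.component: p for p in (gateway, print_server)}

if __name__ == "__main__":
    for name in rank_portfolio(portfolio):
        print(name, "findings:", validate(portfolio[name]))
        for t in prioritized_threats(portfolio[name]):
            print(f"  [{t.priority}] {t.title} ({t.category} -> {t.pillar})")
```

Running the script ranks the gateway above the print server and reports one finding: the Low-rated denial-of-service threat has no mitigation recorded. The validation list is deliberately a data structure rather than printed text so that the same checks can gate a profile before it is added to the portfolio.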

Preparing an IT Infrastructure Threat Model

Each infrastructure component that is considered during the threat modeling process is documented separately in a profile. The threat modeling process results in an IT infrastructure threat model portfolio, which is a collection or repository of all the individual profiles.

The applied example in Chapter 3 of this guide makes use of the SDL Threat Modeling Tool, whose output can be used to populate the profiles and resulting portfolio.

Chapter Summaries

    The IT Infrastructure Threat Modeling Guide consists of this Overview and three chapters.

    Brief descriptions follow for each chapter.

    Overview

    The Overview states the purpose and scope of the guide, defines the guide audience, and describes the guide's structure to help you locate the information that is relevant to you. It also describes the user prerequisites for the guidance.

    Chapter 1: IT Infrastructure Components

    This chapter focuses on understanding the details of the components that the IT infrastructure threat modeling process will consider, including diagramming, identifying threats, mitigating threats, and validating all the information that is acquired during the process. The chapter discusses use scenarios, dependencies, implementation assumptions, entry points, and trust levels.

Chapter 2: The IT Infrastructure Threat Model Portfolio

This chapter describes how to populate the IT infrastructure threat model portfolio with relevant data about your components. The chapter includes information about prioritization and is essential for helping you mitigate threats with the greatest potential impact to your organization.

Chapter 3: Applied Example: The Threat Modeling Process

    This chapter uses a fictitious organization's communications system as an example for the IT infrastructure threat modeling process. The rapid introduction of mobile devices into IT infrastructure could make such a system an ideal target for an attacker. You can use the SDL Threat Modeling Tool as described in this guide or another of your own choosing.


Support and Feedback

    The Solution Accelerators Security and Compliance (SA-SC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you.

Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content to help you plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.

We would appreciate your taking a few moments to complete this short survey. Doing so will help us continue to improve the quality of Solution Accelerators and ensure that they address customer needs. Thank you in advance for completing the survey, and thank you for purchasing Microsoft products.

    Acknowledgments

The Solution Accelerators Security and Compliance (SA-SC) team would like to acknowledge and thank the team that produced the IT Infrastructure Threat Modeling Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Development Team

Author

    Russ McRee

Contributors

    Adam Shostack

Blake Frantz (Center for Internet Security)

    Chase Carpenter

    Steve Lipner

Developers

    José Maldonado

    Jeff Sigman

Editor

Steve Wacker (Wadeware LLC)

Product Manager

    Shruti Kala

Program Manager

    Kelly Hengesteg

Release Managers

    Karina Larson

Shealagh Whittle (Aquent LLC)
