Securing Systems: Applied Security Architecture and Threat Models
In this chapter we walked through a process of architecture risk assessment (ARA) and threat modeling that begins with the architecture, uses the concept of a credible attack vector (CAV) to identify attack types and attack surfaces, and then applies security controls, or “mitigations,” to build a defense-in-depth. As a mnemonic, we call this ATASM: “architecture, threat, attack surface, mitigation.” Each of these steps contains a series of sub-steps that, when executed, produce:
The attack surfaces and CAVs can be considered the “threat model” of the system. However, as we found in going through the process, we must start with the architecture and with the results of a set of investigations that we bring to the analysis.
If possible, an ARA benefits from understanding the “3 S’s”: the strategy for the system, the structures that will support it, and the specifications of the underlying environments:
With this knowledge set in mind, the architecture is decomposed into attackable components and factored to reveal the defensible boundaries. Architecture decomposition and factoring have been discussed at some length in this chapter and in Chapter 3. The unit to use for atomicity, the granularity at which to decompose, is highly context dependent.
Threats are analyzed by moving from the attackers’ ultimate objectives down to the system-level goals of specific attack methods; the threats relevant to this system are then enumerated into a list. Those threats’ attack methods, now qualified for the system under consideration, are applied to the attack surfaces of the architecture to generate a set of CAVs.
Defenses are applied so that each one specifically interrupts a CAV, as was discussed in the chapter on risk. The entire set of defenses is then considered as overlapping, interlocking, and mutually supporting controls, with enough redundancy to create a defense-in-depth. The resulting security requirements should be achievable, relevant, and “real world.”
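The CAV generation and mitigation-coverage steps above, as an added illustration that is not from the book: a constructed three-tier web application is decomposed into surfaces, each threat's attack method is applied only to the surfaces its agent can reach (yielding the CAVs), and every CAV is checked for at least two interrupting controls so that single-control CAVs surface as defense-in-depth gaps. All component, threat and control names are made up for the example.

```python
"""Toy ATASM pipeline: surfaces + threats -> CAVs -> mitigation coverage."""
from dataclasses import dataclass
from itertools import product
from typing import Callable

@dataclass(frozen=True)
class Surface:
    component: str   # architecture component that owns the surface
    name: str        # interface exposed by that component
    exposure: str    # who can reach it: "internet" or "internal"

@dataclass(frozen=True)
class Threat:
    agent: str            # threat agent, e.g. an opportunistic scanner
    method: str           # system-level attack method of that agent
    reaches: frozenset    # exposures the agent is able to reach

@dataclass(frozen=True)
class CAV:
    agent: str
    method: str
    surface: Surface

@dataclass(frozen=True)
class Mitigation:
    name: str
    interrupts: Callable[[CAV], bool]   # does this control break the CAV?

def enumerate_cavs(surfaces, threats):
    """A CAV exists only where a threat's method can actually reach a surface."""
    return [CAV(t.agent, t.method, s)
            for t, s in product(threats, surfaces) if s.exposure in t.reaches]

def coverage(cavs, mitigations, depth=2):
    """Map each CAV to the controls interrupting it; flag CAVs with fewer than `depth`."""
    report = {c: [m.name for m in mitigations if m.interrupts(c)] for c in cavs}
    gaps = [c for c, hits in report.items() if len(hits) < depth]
    return report, gaps

# Constructed sample architecture (hypothetical names, not from the book).
SURFACES = [Surface("web-frontend", "HTTPS API", "internet"),
            Surface("database", "SQL listener", "internal"),
            Surface("admin-console", "SSH", "internal")]
THREATS = [Threat("opportunistic scanner", "exploit unpatched service", frozenset({"internet"})),
           Threat("malicious insider", "misuse privileged interface", frozenset({"internal"}))]
MITIGATIONS = [
    Mitigation("patch management", lambda c: c.method == "exploit unpatched service"),
    Mitigation("WAF", lambda c: c.surface.exposure == "internet" and c.surface.name == "HTTPS API"),
    Mitigation("network segmentation", lambda c: c.surface.exposure == "internal"),
    Mitigation("DB authentication + audit", lambda c: c.surface.component == "database")]

def run():
    return coverage(enumerate_cavs(SURFACES, THREATS), MITIGATIONS, depth=2)
```

Running `run()` yields three CAVs; the insider's access to the admin console's SSH surface is interrupted by only one control, so it is reported as the defense-in-depth gap to close.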
ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations.