Difference between revisions of "Threat Modeling Workshop"
(Created page with "{{Event |logo=Lock.png |what=Threat Modeling Workshop |tagline=Threat Modeling Assessment and Risk Analysis Workshop |eventowner=S |who=S |url= |from=2018/04/11 07:00:00 PM |...") |
Latest revision as of 21:16, 10 April 2018
Starts | Ends | Organizer | Event Owner
---|---|---|---
Wed 11 Apr 2018 19:00 | Wed 11 Apr 2018 22:00 | S | S
Threat Modeling Assessment and Risk Analysis Workshop
Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:
1. What do I want to protect?
2. Who do I want to protect it from?
3. How bad are the consequences if I fail?
4. How likely is it that I will need to protect it?
5. How much trouble am I willing to go through to try to prevent potential consequences?
We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.
Presentation: https://cryptpad.fr/slide/#/1/view/5+2BFrnLlfCzSJ-u+GF-Yg/up4wWgV0LqXtB7Jqv+aOHNlsjYwCSS5okFUyFX--9L0/present/
A preliminary boilerplate for the exercises is published below.
Threat Modeling Assessment and Risk analysis
Create a Threat Model that covers Batman's risks
Threat Modeling Assessment
Based on https://ssd.eff.org/en/module/assessing-your-risks
1. Define Assets (any piece of data or a device that needs to be protected)
   1. Ast1
   2. Ast2
   3. Ast3
2. Define Adversaries
   * Adv1
   * Adv2
   * Adv3

   Define their Capabilities (Threats)

   * Adv1
     * Adv1 Thr1
     * Adv1 Thr2
     * Adv1 Thr3
   * Adv2
     * Adv2 Thr1
   * Adv3
     * Adv3 Thr1
3. Define consequences (severity) of failure
   1. Ast1 Svrt = 50%
   2. Ast2 Svrt = 50%
   3. Ast3 Svrt = 50%
4. Define likelihood of threat occurrence (Risk)
   * Ast1
     * Ast1 Adv1 Thr1 = 50%
     * Ast1 Adv1 Thr2 = 50%
     * Ast1 Adv1 Thr3 = 50%
     * Ast1 Adv2 Thr1 = 50%
     * Ast1 Adv3 Thr2 = 50%
   * Ast2
     * Ast2 Adv1 Thr1 = 50%
     * Ast2 Adv1 Thr2 = 50%
     * Ast2 Adv1 Thr3 = 50%
     * Ast2 Adv2 Thr1 = 50%
     * Ast2 Adv3 Thr2 = 50%
   * Ast3
     * Ast3 Adv1 Thr1 = 50%
     * Ast3 Adv1 Thr2 = 50%
     * Ast3 Adv1 Thr3 = 50%
     * Ast3 Adv2 Thr1 = 50%
     * Ast3 Adv3 Thr2 = 50%
5. Define available resources
   * Res1 = 50%
   * Res2 = 50%
   * Res3 = 50%
   * ResAll = sum(Res*) / ResN
Risk Analysis (Optional for Workshop)
Estimate the chance that threats might succeed (Risk analysis)
Ast1
   Ast1 Adv1 Thr1 * ResAll * Ast1 Svrt = 12.5%
   Ast1 Adv1 Thr2 * ResAll * Ast1 Svrt = 12.5%
   Ast1 Adv1 Thr3 * ResAll * Ast1 Svrt = 12.5%
   Ast1 Adv2 Thr1 * ResAll * Ast1 Svrt = 12.5%
   Ast1 Adv3 Thr2 * ResAll * Ast1 Svrt = 12.5%
Ast2
   Ast2 Adv1 Thr1 * ResAll * Ast2 Svrt = 12.5%
   Ast2 Adv1 Thr2 * ResAll * Ast2 Svrt = 12.5%
   Ast2 Adv1 Thr3 * ResAll * Ast2 Svrt = 12.5%
   Ast2 Adv2 Thr1 * ResAll * Ast2 Svrt = 12.5%
   Ast2 Adv3 Thr2 * ResAll * Ast2 Svrt = 12.5%
Ast3
   Ast3 Adv1 Thr1 * ResAll * Ast3 Svrt = 12.5%
   Ast3 Adv1 Thr2 * ResAll * Ast3 Svrt = 12.5%
   Ast3 Adv1 Thr3 * ResAll * Ast3 Svrt = 12.5%
   Ast3 Adv2 Thr1 * ResAll * Ast3 Svrt = 12.5%
   Ast3 Adv3 Thr2 * ResAll * Ast3 Svrt = 12.5%
Results
Divide ResAll by the sum of the results from the Risk analysis (possible use of thresholds). Multiply the result with each entry in the Risk analysis. Sort the output. The result is the resource allocation in order of priority.
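
The arithmetic of the Risk Analysis and Results steps, as an added example that is not part of the original workshop material. The asset, adversary and threat labels follow the boilerplate; all percentages are constructed sample values, and treating "thresholds" as a cut-off that drops low scores is an assumption.

```python
# Added example: the worksheet arithmetic from "Risk Analysis" and "Results".
# Every name and percentage below is a constructed sample value.
SEVERITY = {"Ast1": 0.9, "Ast2": 0.5, "Ast3": 0.2}   # step 3
LIKELIHOOD = {                                        # step 4
    ("Ast1", "Adv1", "Thr1"): 0.6,
    ("Ast1", "Adv2", "Thr1"): 0.1,
    ("Ast2", "Adv1", "Thr2"): 0.8,
    ("Ast3", "Adv3", "Thr1"): 0.5,
}
RESOURCES = {"Res1": 0.8, "Res2": 0.5, "Res3": 0.2}   # step 5


def res_all(resources):
    """ResAll = sum(Res*) / ResN."""
    if not resources:
        raise ValueError("at least one resource is required")
    return sum(resources.values()) / len(resources)


def risk_scores(likelihood, severity, resources):
    """Risk analysis: likelihood * ResAll * severity of the asset."""
    pool = res_all(resources)
    scores = {}
    for (asset, adversary, threat), chance in likelihood.items():
        if asset not in severity:
            raise KeyError(f"no severity defined for {asset}")
        if not (0.0 <= chance <= 1.0 and 0.0 <= severity[asset] <= 1.0):
            raise ValueError("percentages must be written as 0.0 to 1.0")
        scores[(asset, adversary, threat)] = chance * pool * severity[asset]
    return scores


def allocate(likelihood, severity, resources, threshold=0.0):
    """Results: scale the scores so they sum to ResAll, highest first."""
    # Assumption: "use of thresholds" means dropping scores below `threshold`.
    scores = risk_scores(likelihood, severity, resources)
    kept = {key: s for key, s in scores.items() if s >= threshold}
    total = sum(kept.values())
    if total == 0:
        return []
    factor = res_all(resources) / total
    return sorted(((key, s * factor) for key, s in kept.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for key, share in allocate(LIKELIHOOD, SEVERITY, RESOURCES):
        print(" ".join(key), f"{share:.1%}")
```

Because the scaling factor is ResAll divided by the sum of the scores, the allocated shares always add up to ResAll, so the sorted list can be read directly as a spending plan.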