Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
About the talk
Adam Shostack, President, Shostack and Associates

Compliance checklists inhibit thinking, and make it hard for security to influence across the organization. Threat models can help. Join this session to learn a simple approach to threat modeling, and how backing up from the control to the threat helps us understand and meet goals. Security can move from being the department of "no" to a helpful collaborator through threat modeling.
Hello and welcome to Using Threat Modeling to Improve Compliance. I'm Adam Shostack. Before we get started, let me tell you a little bit about myself. I'm often known for having written a book on threat modeling, and I do a lot of work in threat modeling, including creating the Elevation of Privilege card game and advising a company, IriusRisk, in this space. Earlier, I created the Microsoft SDL Threat Modeling Tool. I'm on the review board for Black Hat, I helped to create the CVE, and I run a little company that helps people improve the security of their systems.

So let me tell you what this talk is about. What it's really about is that compliance is painful, for many reasons. Some of the reasons that it is so painful are self-inflicted. Some of them are the result of engineering constraints. The standards have to be both precise and flexible, but almost no standard really starts with "why" in a meaningful way, and that creates a tremendous problem for all of us. We're going to talk about it today, I'll give you some examples, and then I'll close out by talking about how we can make it better, for both companies and for standards bodies.

So the way in which we're going to do that is, we'll start out with some level-set understanding of compliance. We'll talk about the PCI standard. We'll talk about threat modeling, and I'll give you a quick introduction, in case you're not familiar, to how to threat model. I will show you a threat model that I created from PCI and explain how it relates to the standard, and then we'll talk about how to make the world a better place, one threat model at a time.

So let's start out with compliance. What I mean when I say compliance is work to demonstrably meet some standard. In security, we often describe this as checklist security. Okay, yep, that's true, but I believe we can do better than that, and that's really why we're here today: to move beyond that checklist to something that's higher value. Now, compliance requires a standard. It can be set by law, something like the California Privacy Act; by regulation that comes from an agency; by industry practice; or by contract. All of these impose on you some requirement to comply with something, and the standards tend to be written by experts, and we'll come back to that. And lastly, they require some degree of assurance work, some demonstration that you're meeting the standard.

Now, the PCI Data Security Standard was created by the payment card companies and is imposed by contract before you can get paid by credit card. It's checked by these companies, these QSAs, Qualified Security Assessors. Let's be honest, arguments with your QSA are pretty darn common. And the PCI DSS standard has had a number of effects since it was promulgated. Demands for new laws have fallen away, and this gives us some simplification. We don't have to worry about complying with one law in the US for credit card security, one law in the UK, one law in Germany, one law in China. We have a single set of standards that we can comply with globally, and that's useful. PCI assigns both liability and cost, and the people to whom it's assigned often don't like that. The last effect of PCI is the creation of new companies. It used to be, ten or fifteen years ago, that small companies would process credit cards themselves, and that was a source of problems. Now, by and large, it gets outsourced to companies like Stripe and Square, which make bigger investments in security to protect the card numbers, and that's an effect of PCI coming out and being imposed.

I'm looking at PCI today because it's a useful example. If I were to talk about a medical device standard, you might tune out: "I'm not in the medical device space. What does this have to do with me?" So PCI is useful because it's broad. That it's broad is also a source of frustration. And lastly, it's useful because it is relatively freely available. There are many standards that you have to pay hundreds or thousands of dollars to get a copy of; PCI is not one of them. What I'm going to say may sound like I'm here to criticize the PCI Council, and that is not my intent. Those folks have a hard job, and they're working to deal with the challenges that they face. I'm using PCI, respectfully, because of its familiarity and accessibility, rather than to be here to criticize the PCI Council. The things I'm going to point out apply to a great many standards because of the nature of standards.

So what is PCI? PCI, as you probably know, has 12 main requirements, like "install and maintain a firewall" and "avoid default passwords," and it has a hundred and twenty-nine pages that look like this. So this is a randomly chosen page of PCI. It has three columns: you've got your requirements, for example "description of groups, roles, and responsibilities for management of network components" and "documentation of business justification"; you've got the testing procedures that are associated with them; and you have some guidance. And the guidance is the closest that we get to "why is this here?"
Sometimes it actually comes pretty close. It's pretty explanatory. For example, on this page we can see, on the lower right, "compromises often happen due to unused or insecure services and ports," et cetera. This is the reason. This is the one that's not always present; this page happens to have it.

So let me step away from here for a moment and talk about software development, the context in which the conflict occurs. If you're a software engineer, you want to be doing this work because you have to solve customer problems. You write code. You build cool stuff. You change the world. It's awesome. That's the ideal. That's why people get into software engineering. In practice, what it entails is dealing with caution and mitigation, accessibility, compatibility, configurability, manageability, all of this stuff that we have to do. And by the way, this is from a product that I've worked on, that you use, from the specification framework that every developer has to work on. It's not a random list that I created. And this stuff gets pretty overwhelming if you're a software developer. "I just want to write some code. I want to build some cool stuff." And so what happens is that when the developer tries to work with security, security often acts as an inhibitor, a blocker. There's some standard that's put in the way of the work that they're trying to do. "Why is it the standard? What's the standard you've got to comply with right now?" And then I ask why, and "I don't have to do that." And there's this bunch of folks over on the side here who are sort of anonymous; we don't know a lot about them, and there's this "stuff happens" box in a standards process. And this produces a standard which sort of falls on the developer to deal with, falls on the ops engineer to deal with, and "I just want to write some code. I just want to ship my features. I want to get through this sprint's requirements."

Compliance creates conflict. It creates conflict between security and operations, where operations wants to leave things open for availability or performance reasons, and security says, "No, you have to configure this, and you have to figure out how to check this." Compliance creates conflict with security priorities. There may be things that you as a security professional here at the RSA Conference want to go do, but your time and energy is absorbed by the compliance demands. A little story: I was working on one of my startups, and I called a buddy, and I said, "Dave, I've got this great idea, I'm really excited about it, I want to do this and that and the other thing." And he said, "Adam, let me walk you through my budget." He walked me through his budget line item by line item, and at the end he said... and by the way, he had a budget that was in the, I don't know, nine-figure range, and at the end of this he said, "Adam, I've got $50,000 of discretionary budget. Do you think this is the best use of it?" So I said, "I didn't realize your life was that constrained by compliance. I thought you had more discretion in what you were doing." But this is the reality in which a lot of us find ourselves: these demands force priorities onto us that might not be the priorities that we think are the most important. Compliance first, right? It's table stakes.

This creates conflict within the organization because people have different goals. They have different prioritization. And you might say we all work for the same company, but the bonuses are different. The developer's bonus comes from shipping the cool features. Security's bonus might come from not being breached, and that creates conflict in what we're trying to accomplish. Now, compliance, as I'm criticizing these different goals, listen to me: it's important for an ecosystem, like a payment ecosystem. It can be important for a society. For example, the European Union has imposed GDPR because they say privacy is important to us as a society, even if your company has a different view, even if your company is somewhere else; you're imposing this on our European citizens. It's easy to lose sight of that if you're in the weeds. This never-ending stream of demands really draws us away from the actual reasons to do this.

Okay, with that, let me build the next piece in our setup, which is an introduction to threat modeling. I'll talk about threat modeling versus threat intelligence, because people often get a little confused there, and then I'll talk about what threat modeling is and give you a quick introduction to how to do it. So, threat modeling versus threat intelligence. What do we mean by "threat" in threat modeling? It's the promise of future violence. "He said he would beat me up if I didn't give him my lunch money." "There's a problem that the API can be overwhelmed by a brute-force attack." These are promises of future violence; that's the meaning of "threat" in threat modeling. In threat intelligence, we're talking about attackers or attacker groups. Threat modeling often happens very early in the development process, sometimes before there's even a design, when it's on a whiteboard. Threat intelligence is once the system is built and deployed, where we find attacks against it. The goal of threat modeling is to find issues. The goal of threat intelligence is to find attackers. And then the vendor support is very different. In threat modeling it's consulting, it's training, it's software. In threat intelligence, it's much more focused around feeds of information. And so we're focused on threat modeling, that middle column. What we're going to do is apply threat modeling to compliance.

When I talk about threat modeling, there are a lot of ways to threat model, and I focus on four questions. Those questions are: What are we working on? What can go wrong? What are we going to do about it? And did we do a good job? We can ask those questions at an incredibly simple level. We can apply tools, and I'll show you some in just a second, that help us think about each of these questions. These questions allow us to be systematic in the way in which we think about the question of what are we working on and what can go wrong, so that we can be structured and comprehensive in the security design of our systems, and that is a really powerful tool. That is why I do what I do: because these four questions unlock a more strategic approach to security.

So how do we do this? Often we'll use data flow diagrams to represent our systems. For this talk, I'm not going to delve really deeply into what a data flow diagram is, but you'll see diagrams like this as ways to represent what we're working on. As we talk about what can go wrong, we often talk about STRIDE: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. I said the STRIDE methodology, or the STRIDE taxonomy; it's not a taxonomy or a methodology in and of itself. It's a structure that helps us think about the question "what can go wrong?", and in doing so we can get to a set of things we're going to do about these threats. We get to a set of controls or mitigations that help us address the problem. And so threat modeling works as a framework for thinking about the threats and how we deal with them that we can apply to compliance.

So how do we do that? This diagram is something I created while I was working on my threat modeling book, and there's an interplay between each of the elements: the requirements, threats, and controls. So if we say, for example, a credit card number is confidential, that can inform that we're worried about the threat of information disclosure, or we can go the other way: the threat can inform the requirement. If I'm thinking about someone walking through my front door, I have a control: I put a lock on it, and that control comes under threat. Someone could pick the lock, they could drill it, they could kick the door down. And so I can start by thinking about the control and what can go wrong with the control, or I can think about the threat and say, "I need a control here," and there's this back and forth. And then we've got a dotted line from requirements to controls. When I talk about threat modeling, I often skip that. The dotted line is there because it doesn't make a lot of sense: what's the point of a requirement to have a control if there's no threat involved? Sounds like a good definition of compliance. Ha ha, that's all compliance is. Also sort of true, funny, not funny. And this talk is really about this line, this relationship, where compliance regimes require that we put controls in place without going through the threat, and I think that creates needless conflict, needless ambiguity, needless anxiety, and leaves us less secure than we would be if we talked about the threat models. So what I want to do, and what we'll do in just a minute as well.
Take that opaque box that you saw, the "stuff happens here" box, and make it transparent. We'll make it more explicit what's in it, what's entailed in it, and ask the question: what is PCI's threat model?

And let me start off with this. This was sort of a funny accident, and I'm really glad that the reviewer made this comment. One of the reviewers at the RSA Conference, looking at an early draft of this deck, said the standard is concerned with a single threat actor, generally sophisticated, motivated organized crime, wanting to affect a single factor, confidentiality, of a single asset, payment cards. And we'll come back to this because I think it illustrates the point really well.

Before we get into it: what I'm going to say, what I'm going to show you, is my best effort to understand PCI, but I don't represent PCI. I don't work for them. I'm not a QSA. So please, this is not official. Thank you for understanding. What I went and did is I took my knowledge of threat modeling and I went through the PCI standard. I looked at each and every line, and I said, "What does this line mean? Can I imagine a threat here?" And when I got to something like this, "description of groups, roles, and responsibilities for management of network components," to integrate it into the threat list... I'm telling you this story politely. Let me tell you what I actually did. I jumped up and down and I yelled and I said, "This isn't a threat! What is this?" It was frustrating, because this doesn't relate to that promise of a future problem. Okay, so where does this play in? And eventually what I got to was a realization that there are process issues and there are technology issues represented, and instead of just building out a threat list, I realized what I really needed was a set of models representing what PCI was thinking, or what the PCI experts were thinking about. And so I started iterating on both these system models and a threat list, and that led me to something that I think is actually very interesting.

And so the threats, or the controls, the mitigations in PCI, the things you have to do, the answers to the question of "what are we going to do about it?", that part of threat modeling, are a broad set of prevent, detect, and respond controls. They're often threats of information disclosure, but they're also, unusually, threats to management, or threats to the management of the system. They're not threats directed at management; they're threats to our ability to comply with the standard. And this is an unusual thing compared to how we often threat model systems. As we ask "what can go wrong?", as we ask "what are we working on and what can go wrong?", we don't often come to the answer "what can go wrong is lackadaisical management oversight or insufficiently applied processes." We much more often come to "an attacker can send an exploit that takes over my computer" or "the attacker could engage in a denial-of-service attack," et cetera, et cetera.

And so the process model which I created for PCI is up on the top right. There's a set of change management activities. Some of these are interrupt-driven: when this occurs, do this; quarterly, do that. There's a set of review processes, approval, and execution, which influences your technical systems, and there's a tracking database. You knew about that, didn't you? Right? But there's a tracking database that all of this stuff is supposed to flow to so that it can be audited. There's a set of standards for system deployment. There's a set of standards, and those standards drive configuration and deployment. And the gray numbers, the C1 to C7, are system element identifiers to help us relate the tables of threats, which I'll show you in a minute, to the system models. So this is their process model. This is their system model, and their system model starts with a credit card number over on the far left that talks to a point-of-sale system, which in their model connects via a wireless network to the cardholder data environment. That trust boundary with the CDE is where all the processing happens, and then from there data flows out to an acquirer. Credit card jargon: the acquirer is the bank that acquires the charges from a merchant and sends them to the issuing bank, which gives you, as an individual, your credit card. And so this is my model, again with the gray numbers here, and I did this model first, before I realized we also needed a model of the process.

And based on these models, and based on the standard, we can create a set of threats to processes. So for example, we've got a threat that the firewall rules will go out of date. That's a management threat, and this is a threat which is addressed, controlled, mitigated by PCI requirement 1.1.7. There's a threat that old data isn't deleted, which is covered by 3.1, bullet one. So we can go through the PCI standard, and I'll give you a link at the end, by the way, to this whole set of lists, but right now I don't want to focus on a line-by-line analysis, in the interest of time. What I want to say is we have threats to process and we have threats to technology. And a couple of interesting things come out here. One is that in the PCI standard itself, there are no threats to your credit card. Your credit card in your wallet is not something that is addressed by the standard. The other thing that came out: I was talking to someone about this work, and he said, "Storing authentication data isn't a threat." So, you're right. It's not. It's the name of a future problem: if you don't store the data, you can't leak it. And so PCI's approach is a little unusual in that they consider the storage to be the problem. It's a violation of the requirements even if it never leaks. And getting to that understanding, how to understand the why behind PCI, so that we can actually address it better, so that we can communicate with our colleagues when there's conflict over what we need to do and why we need to do it...

I'm going to come back to what that reviewer said, and what they said was that the PCI standard is about a single factor, confidentiality. And it turns out, when we go through this exercise, integrity is important, auditability is important, authentication is important. And I was talking to a friend who's close to the whole process, and they told me that actually, you know, the logs are not there for the victim of the break-in. They're there for the card companies when they go in and do an analysis of the big breaches.
They were finding a lack of logs. And that didn't even come out as I was reading the PCI standard; it came out of a later conversation, but it's important to understand why we're storing and protecting these logs in this way. The other thing the reviewer said is that the standard is concerned with a single threat actor. That's not something that I saw reading the standard. Now, does that matter? Well, if we're trying to reduce conflict and help people get value out of doing this work, the problem is not me disagreeing collegially with a reviewer. The problem is that we have that space in which to disagree, the opportunity for disagreement between myself and one of the smart folks who serves as a member of the RSA Conference program committee. That is a problem. We, as smart people, ought to be in agreement about what it is we're doing.

And so I believe that we can improve security by your organization doing a better threat model of your unique needs. You've got a whole bunch of standards that you have to look at. You have to look at PCI DSS. You have to look at the Cybersecurity Framework. Some are very specific. If you pick up all of these standards and you threat model, and you see "these are the threats we're going to address," you get to the point where you can be structured, systematic, and comprehensive in what you address, and then you can tie your mitigations back to the standards. And this is really important in limiting the run-around, limiting the treadmill that you're on, by understanding where you're going.

Threat modeling shines a light into this opaque box. And in shining that light, what we do is we improve security, because we're focused on the threats, and we're focused on making sure we're not just picking up controls and slapping them in, but we're picking up controls and using them to address an understood threat. We're using them to mitigate a real problem. This informs our prioritization, which of these we do first. It can also reduce conflict between teams, reduce conflict with auditors, maybe, but it's a lot of work.

So the conflict comes from different goals and different priorities, and when compliance is imposing these new and different goals, there's no understanding of the why. Threat modeling gives us a language: what are we working on, what can go wrong? The same line-by-line controls that the compliance standards demand of us are informed by this joint understanding of what we're working on and what can go wrong, and therefore what we need to do about it. So threat modeling also gives us a vehicle to create collaborative spaces, and here the journey is really the reward. I want you to think about threat modeling more than I want you to think about threat models, and I want you to think about these in terms of teams working together across organizational boundaries to generate the shared understanding and a space for listening to the concerns of the other teams. But I get it: security teams are almost always too busy. It's hard to make the time to listen, but listening is so important. It creates space for the people you're working with to help you discover solutions, to make smarter solutions to the problems that are in front of you. And when you've found that solution together, there's a joint ownership of what the solution is and why you're doing it. And so security gets built in, not bolted on. It doesn't get left behind on the shelf, because you made time to listen.

So I also think that there's work to be done by standards bodies. Why is every organization doing this analysis? This was really hard work. This was challenging work. I think we ought to demand that the standards bodies show their threat models. And if I'm talking to someone, I'd be happy to talk more about exactly how to do this. This will improve the standards. It will improve the impact of the standards, because when their model doesn't represent your system, it's more visible. So the controls are going to get adjusted, they'll get validated, and that creates a tension that we need to deal with and think about intelligently. There's some complexity here in changing the standard: the cost of assessment will change, we'll need to retrain the assessors about what to do in these situations, but that's worthwhile.

So again, the review process was really interesting. One of the reviewers asked, "Can we create a single threat model independent of detail?" Great question. The one-size-fits-all PCI standard covers the very largest e-commerce stores. It covers small retailers using something like Shopify. It covers a brick-and-mortar store. And so my answer to the reviewer on this great question was: yes, the PCI standard says they've created a single threat model independent of these details, and I think that that has created some problems.

So, some short-term wins. Going on a little on the next slide, I want you to focus in on what you're working on right now. What are the CEO's key priorities? And frankly, today in 2021, that is the pandemic, coming out of the pandemic. Focus on things that are being changed right now, because that is where the fluidity exists; it makes change easier. There's a trap of falling into the high-risk areas, areas where you've been fighting. Don't go there. You will mess up your threat modeling initiative before it starts. Go to what is being changed now and use threat modeling to frame a new conversation. When we learn to threat model, the four-question framework (what are we working on, what can go wrong, what are we going to do about it, did we do a good job) is super useful. Elevation of Privilege is a card game I created. Microsoft has released it under a Creative Commons license. You can buy copies on Amazon now. Use it as a conversation starter. Lastly, a group of fifteen of us, experts in threat modeling, have released a manifesto, which is all about how to get going. The four questions there, they're so simple, they fit on a wallet card. They are the way to get started. So go learn threat modeling in the next week. Go build some threat models. Demonstrate that having threat models helps. Share them out. Showcase these new ways of working, and demand that your standards bodies show their threat models. That is going to take some time, but it's a worthwhile thing to do.

In closing, I want to say thank you. If everything went as planned, I've been answering some of your questions in the chat box here. If you're watching this later on, my email address, adam at shostack dot org, is right there. And so again, thank you for your time and attention. I want to close out with some resources. Again, the manifesto. My threat modeling book website has a set of free resources. There's Elevation of Privilege, with links and copies of it on GitHub. Last but not least, on the Shostack and Associates site, under threat modeling, there is a copy of a white paper I did, with no registration wall, that shows the PCI threat model that we've been talking about. With that, again, thank you for your time and attention, and have a great day. Thank you.
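The two mechanics the talk describes, enumerating "what can go wrong" per element of a data flow diagram with STRIDE and backing up from a PCI control line to the threat behind it, as an added example in Python that is not part of the talk, Shostack's book or the PCI Council's material. The DFD (card, point of sale, cardholder data environment, acquirer), the element identifiers C1 to C6, the trust zones and the STRIDE-per-element table are assumptions; only the two process threats and their requirement numbers come from the talk.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# STRIDE-per-element: which threat categories apply to each kind of DFD element.
# This table is the one from Shostack's threat modeling book, not from the talk.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",  # "R" is added below for stores that hold audit logs
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass
class Element:
    ident: str        # constructed identifiers in the style of the talk's C1..C7
    name: str
    kind: str         # key of STRIDE_PER_ELEMENT (not "data_flow")
    zone: str         # elements in different zones sit across a trust boundary
    is_log_store: bool = False


@dataclass
class Flow:
    ident: str
    src: str          # Element.ident of the sender
    dst: str          # Element.ident of the receiver


@dataclass
class Threat:
    target: str       # element or flow identifier, or a process name
    category: str
    crosses_boundary: bool = False
    controls: List[str] = field(default_factory=list)  # PCI DSS requirement refs


def stride_per_element(elements: Dict[str, Element], flows: List[Flow]) -> List[Threat]:
    """Answer question 2, 'what can go wrong?', mechanically for every element.

    Flows whose endpoints sit in different zones cross a trust boundary and are
    flagged, since those are the threats a reviewer looks at first."""
    threats: List[Threat] = []
    for el in elements.values():
        cats = STRIDE_PER_ELEMENT[el.kind] + ("R" if el.is_log_store else "")
        threats += [Threat(el.ident, STRIDE_NAMES[c]) for c in cats]
    for fl in flows:
        crosses = elements[fl.src].zone != elements[fl.dst].zone
        threats += [Threat(fl.ident, STRIDE_NAMES[c], crosses)
                    for c in STRIDE_PER_ELEMENT["data_flow"]]
    return threats


# Threats to process rather than to technology, which STRIDE does not generate.
# These two threats and their requirement numbers are the ones the talk cites.
PROCESS_THREATS = [
    Threat("change management", "Firewall rules go out of date", controls=["1.1.7"]),
    Threat("data retention", "Old cardholder data is not deleted", controls=["3.1"]),
]


def threats_behind(requirement: str, threats: List[Threat]) -> List[Threat]:
    """Back up from a control line in the standard to the threat it mitigates."""
    return [t for t in threats if requirement in t.controls]


def boundary_crossing(threats: List[Threat]) -> List[Threat]:
    return [t for t in threats if t.crosses_boundary]


# Constructed DFD in the shape of the talk's system model: card -> POS -> CDE -> acquirer.
ELEMENTS = {e.ident: e for e in [
    Element("C1", "Cardholder and card", "external_entity", "outside"),
    Element("C2", "Point-of-sale terminal", "process", "store"),
    Element("C3", "Payment application", "process", "cde"),
    Element("C4", "Cardholder data store", "data_store", "cde"),
    Element("C5", "Audit log store", "data_store", "cde", is_log_store=True),
    Element("C6", "Acquiring bank", "external_entity", "outside"),
]}
FLOWS = [Flow("F1", "C1", "C2"), Flow("F2", "C2", "C3"), Flow("F3", "C3", "C4"),
         Flow("F4", "C3", "C5"), Flow("F5", "C3", "C6")]

if __name__ == "__main__":
    for t in stride_per_element(ELEMENTS, FLOWS):
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.target}: {t.category}{flag}")
    for t in threats_behind("1.1.7", PROCESS_THREATS):
        print(f"Requirement 1.1.7 exists because: {t.category}")
```

The generated list is the technology side of the model; the process threats have to be written by hand, which is the gap the talk found when reading the standard line by line.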