Securing Systems
Applied Security Architecture and Threat Models
Brook S.E. Schoenfield
Forewords by John N. Stewart and James F. Ransome
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20150417
International Standard Book Number-13: 978-1-4822-3398-8 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable
efforts have been made to publish reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the consequences of their use. The authors and
publishers have attempted to trace the copyright holders of all material reproduced in this publication
and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Dedication
To the many teachers who’ve pointed me down the path; the managers who have supported my explorations; the many architects and delivery teams who’ve helped to refine the work; to my first design mentors—John Caron, Roddy Erickson, and Dr. Andrew Kerne—without whom I would still have no clue; and, lastly, to Hans Kolbe, who once upon a time was our human fuzzer.
Each of you deserves credit for whatever value may lie herein.
The errors are all mine.
Contents
Dedication v
Contents vii
Foreword by John N. Stewart xiii
Foreword by Dr. James F. Ransome xv
Preface xix
Acknowledgments xxv
About the Author xxvii
Part I
Introduction 3
The Lay of Information Security Land 3
The Structure of the Book 7
References 8
Chapter 1: Introduction 9
1.1 Breach! Fix It! 11
1.2 Information Security, as Applied to Systems 14
1.3 Applying Security to Any System 21
References 25
Chapter 2: The Art of Security Assessment 27
2.1 Why Art and Not Engineering? 28
2.2 Introducing “The Process” 29
2.3 Necessary Ingredients 33
2.4 The Threat Landscape 35
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? 36
2.5 How Much Risk to Tolerate? 44
2.6 Getting Started 51
References 52
Chapter 3: Security Architecture of Systems 53
3.1 Why Is Enterprise Architecture Important? 54
3.2 The “Security” in “Architecture” 57
3.3 Diagramming For Security Analysis 59
3.4 Seeing and Applying Patterns 70
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams) 73
3.5.1 Security Touches All Domains 77
3.5.2 Component Views 78
3.6 What’s Important? 79
3.6.1 What Is “Architecturally Interesting”? 79
3.7 Understanding the Architecture of a System 81
3.7.1 Size Really Does Matter 81
3.8 Applying Principles and Patterns to Specific Designs 84
3.8.1 Principles, But Not Solely Principles 96
Summary 98
References 98
Chapter 4: Information Security Risk 101
4.1 Rating with Incomplete Information 101
4.2 Gut Feeling and Mental Arithmetic 102
4.3 Real-World Calculation 105
4.4 Personal Security Posture 106
4.5 Just Because It Might Be Bad, Is It? 107
4.6 The Components of Risk 108
4.6.1 Threat 110
4.6.2 Exposure 112
4.6.3 Vulnerability 117
4.6.4 Impact 121
4.7 Business Impact 122
4.7.1 Data Sensitivity Scales 125
4.8 Risk Audiences 126
4.8.1 The Risk Owner 127
4.8.2 Desired Security Posture 129
4.9 Summary 129
References 130
Chapter 5: Prepare for Assessment 133
5.1 Process Review 133
5.1.1 Credible Attack Vectors 134
5.1.2 Applying ATASM 135
5.2 Architecture and Artifacts 137
5.2.1 Understand the Logical and Component Architecture of the System 138
5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored 140
5.3 Threat Enumeration 145
5.3.1 List All the Possible Threat Agents for This Type of System 146
5.3.2 List the Typical Attack Methods of the Threat Agents 150
5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods 151
5.4 Attack Surfaces 153
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface 154
5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods 159
5.4.3 List All Existing Security Controls for Each Attack Surface 160
5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection 161
5.5 Data Sensitivity 163
5.6 A Few Additional Thoughts on Risk 164
5.7 Possible Controls 165
5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation 166
5.7.2 Build a Defense-in-Depth 168
5.8 Summary 170
References 171
Part I Summary 173