https://www.hackerspace.gr/wiki/index.php?title=Threat_Modeling_Workshop&feed=atom&action=history
Threat Modeling Workshop - Revision history
2024-03-28T22:52:10Z
Revision history for this page on the wiki
MediaWiki 1.23.13
//www.hackerspace.gr/wiki/index.php?title=Threat_Modeling_Workshop&diff=80497&oldid=prev
Sotiri at 19:16, 10 April 2018
2018-04-10T19:16:57Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:16, 10 April 2018</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 24:</td>
<td colspan="2" class="diff-lineno">Line 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Presentation: https://cryptpad.fr/slide/#/1/view/5+2BFrnLlfCzSJ-u+GF-Yg/up4wWgV0LqXtB7Jqv+aOHNlsjYwCSS5okFUyFX--9L0/present/</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>A preliminary boilerplate for the exercises is published below.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>A preliminary boilerplate for the exercises is published below.</div></td></tr>
</table>
Sotiri
//www.hackerspace.gr/wiki/index.php?title=Threat_Modeling_Workshop&diff=80494&oldid=prev
Sotiri: Created page with "{{Event |logo=Lock.png |what=Threat Modeling Workshop |tagline=Threat Modeling Assessment and Risk Analysis Workshop |eventowner=S |who=S |url= |from=2018/04/11 07:00:00 PM |..."
2018-04-07T13:22:23Z
<p>Created page with "{{Event |logo=Lock.png |what=Threat Modeling Workshop |tagline=Threat Modeling Assessment and Risk Analysis Workshop |eventowner=S |who=S |url= |from=2018/04/11 07:00:00 PM |..."</p>
<p><b>New page</b></p><div>{{Event<br />
|logo=Lock.png<br />
|what=Threat Modeling Workshop<br />
|tagline=Threat Modeling Assessment and Risk Analysis Workshop <br />
|eventowner=S<br />
|who=S<br />
|url=<br />
|from=2018/04/11 07:00:00 PM<br />
|till=2018/04/11 10:00:00 PM<br />
|location=38.01694322164, 23.731269990513<br />
}}<br />
<br />
Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:<br />
<br />
1. What do I want to protect?<br />
<br />
2. Who do I want to protect it from?<br />
<br />
3. How bad are the consequences if I fail?<br />
<br />
4. How likely is it that I will need to protect it?<br />
<br />
5. How much trouble am I willing to go through to try to prevent potential consequences?<br />
<br />
We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.<br />
<br />
A preliminary boilerplate for the exercises is published below.<br />
<br />
= Threat Modeling Assessment and Risk analysis =<br />
Create a Threat Model that covers Batman's risks<br />
<br />
== Threat Modeling Assessment ==<br />
Based on https://ssd.eff.org/en/module/assessing-your-risks<br />
<br />
1. Define Assets [https://ssd.eff.org/en/glossary/asset (any piece of data or a device that needs to be protected)]<br />
1. Ast1<br />
2. Ast2<br />
3. Ast3<br />
2. Define [https://ssd.eff.org/en/glossary/adversary Adversaries]<br />
* Adv1<br />
* Adv2<br />
* Adv3<br />
Define their [https://ssd.eff.org/en/glossary/capability Capabilities] (Threats)<br />
* Adv1<br />
* Adv1 Thr1<br />
* Adv1 Tht2<br />
* Adv1 Thr3<br />
* Adv2<br />
* Adv2 Thr1<br />
* Adv3<br />
* Adv3 Thr1<br />
3. Define consequences (severity) of failure<br />
1. Ast1 Svrt = 50%<br />
2. Ast2 Svrt = 50%<br />
3. Ast3 Svrt = 50%<br />
4. Define likelihood of threat occurrence (Risk)<br />
* Ast1<br />
* Ast1 Adv1 Thr1 = 50%<br />
* Ast1 Adv1 Thr2 = 50%<br />
* Ast1 Adv1 Thr3 = 50%<br />
* Ast1 Adv2 Thr1 = 50%<br />
* Ast1 Adv3 Thr2 = 50%<br />
* Ast2<br />
* Ast2 Adv1 Thr1 = 50%<br />
* Ast2 Adv1 Thr2 = 50%<br />
* Ast2 Adv1 Thr3 = 50%<br />
* Ast2 Adv2 Thr1 = 50%<br />
* Ast2 Adv3 Thr2 = 50%<br />
* Ast3<br />
* Ast3 Adv1 Thr1 = 50%<br />
* Ast3 Adv1 Thr2 = 50%<br />
* Ast3 Adv1 Thr3 = 50%<br />
* Ast3 Adv2 Thr1 = 50%<br />
* Ast3 Adv3 Thr2 = 50%<br />
5. Define available resources<br />
* Res1 = 50%<br />
* Res2 = 50%<br />
* Res3 = 50%<br />
* ResAll = sum(Res*) / ResN<br />
<br />
== Risk Analysis (Optional for Workshop) ==<br />
Estimate the chance that threats might succeed [https://ssd.eff.org/en/glossary/risk-analysis (Risk analysis)]<br />
Ast1<br />
Ast1 Adv1 Thr1 * ResAll * Ast1 Svrt = 12.5%<br />
Ast1 Adv1 Thr2 * ResAll * Ast1 Svrt = 12.5%<br />
Ast1 Adv1 Thr3 * ResAll * Ast1 Svrt = 12.5%<br />
Ast1 Adv2 Thr1 * ResAll * Ast1 Svrt = 12.5%<br />
Ast1 Adv3 Thr2 * ResAll * Ast1 Svrt = 12.5%<br />
Ast2<br />
Ast2 Adv1 Thr1 * ResAll * Ast2 Svrt = 12.5%<br />
Ast2 Adv1 Thr2 * ResAll * Ast2 Svrt = 12.5%<br />
Ast2 Adv1 Thr3 * ResAll * Ast2 Svrt = 12.5%<br />
Ast2 Adv2 Thr1 * ResAll * Ast2 Svrt = 12.5%<br />
Ast2 Adv3 Thr2 * ResAll * Ast2 Svrt = 12.5%<br />
Ast3<br />
Ast3 Adv1 Thr1 * ResAll * Ast3 Svrt = 12.5%<br />
Ast3 Adv1 Thr2 * ResAll * Ast3 Svrt = 12.5%<br />
Ast3 Adv1 Thr3 * ResAll * Ast3 Svrt = 12.5%<br />
Ast3 Adv2 Thr1 * ResAll * Ast3 Svrt = 12.5%<br />
Ast3 Adv3 Thr2 * ResAll * Ast3 Svrt = 12.5%<br />
=== Results ===<br />
Divide ResAll by the Sum results from Risk analysis (possible use of thresholds). Multiply the result with each entire in Risk analysis. Sort the output. The result is the resource allocation in order of priority.</div>
Sotiri