The process of Threat Modeling when developing Medical Software begins with identification of possible and common threats. Claricode has adopted industry techniques and uses the STRIDE checklist to aid in our threat modeling process. STRIDE stands for: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each element of this checklist is defined below, together with the security property it violates and typical examples.
Spoofing
Security Property: Authentication
A spoofing attack is when a person or application successfully masquerades as another by falsifying data and thereby gaining illegitimate access.
Spoofing Types
- Man-in-the-middle attack and internet protocol spoofing
- URL Spoofing
- Phishing
- Referrer Spoofing
- Email Address Spoofing
Examples:
- Basic HTTP authentication sends credentials in the clear
- Credentials or tokens stored in HTTP cookies
- Authentication tokens in the clear on the wire
- Intercepting DNS requests – DNS spoofing
Tampering
Security Property: Integrity
A tampering attack is when an unauthorized person or program modifies data or code.
Examples:
- SQL injection to modify database data
- Modifying data on the wire, in transit
- Unsecured access to pages and components
- HTTP cookies
Repudiation
Security Property: Non-repudiation
A repudiation attack is when a person or program denies performing an action and there is no evidence or log to prove that person or program did in fact breach security.
Examples:
- User performs an illegal operation and there is no trace of what happened
- Attacker gets a prescription drug ordered without an audit trail
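The repudiation examples above come down to one missing control: an audit trail that records who did what and that cannot be quietly edited afterwards. The following is an added example, not Claricode's code, showing a minimal tamper-evident audit trail for a hypothetical prescription-ordering function. Each record carries the SHA-256 hash of the previous record, so rewriting or deleting an entry breaks the chain and verify() reports it. The AuditTrail class, the order_prescription() function, and the sample actors and drug names are all constructed for the example; a real system would also attach a trusted timestamp and store the trail on write-once media or a separate service.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first record (constructed convention)


def _digest(body: dict) -> str:
    """Canonical SHA-256 over a record body (sorted keys, so field order cannot matter)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of records; each record is chained to its predecessor by hash."""

    def __init__(self) -> None:
        self.records: list[dict] = []
        self._last_hash = GENESIS_HASH

    def append(self, actor: str, action: str, details: dict) -> dict:
        body = {
            "seq": len(self.records),
            "actor": actor,
            "action": action,
            "details": details,
            "prev_hash": self._last_hash,
        }
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self.records.append(body)
        self._last_hash = body["hash"]
        return body

    def verify(self) -> bool:
        """Recompute every hash and check the chain links and sequence numbers."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def order_prescription(trail: AuditTrail, clinician: str, patient_id: str, drug: str) -> dict:
    """Hypothetical business action: the audit record is written before the order is returned,
    so an order with no trail entry cannot exist."""
    order = {"patient_id": patient_id, "drug": drug}
    trail.append(actor=clinician, action="order_prescription", details=order)
    return order


def demo() -> tuple[bool, bool, bool]:
    """Returns (chain valid, valid after editing a record, valid after deleting a record)."""
    trail = AuditTrail()
    order_prescription(trail, "dr.example", "patient-001", "sample-drug-10mg")   # constructed data
    order_prescription(trail, "dr.example", "patient-002", "sample-drug-20mg")
    order_prescription(trail, "nurse.example", "patient-001", "sample-drug-5mg")
    ok_clean = trail.verify()

    # Someone tries to change the dose on record 1 after the fact.
    trail.records[1]["details"]["drug"] = "sample-drug-200mg"
    ok_after_edit = trail.verify()

    # Restore it, then try to hide an action by deleting its record instead.
    trail.records[1]["details"]["drug"] = "sample-drug-20mg"
    del trail.records[2]
    ok_after_delete = trail.verify()
    return ok_clean, ok_after_edit, ok_after_delete


if __name__ == "__main__":
    print(demo())
```

Deleting the last record is the one edit this simple chain cannot detect on its own, which is why the hash of the newest record is usually also published somewhere the writer cannot modify (a separate log server, a signed daily digest). The example also shows the ordering that matters for non-repudiation: the audit write happens inside the business operation, not as an optional step afterwards.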
Information Disclosure
Security Property: Confidentiality
An Information Disclosure attack is when a person or program gains access to information that they were not authorized to see.
Examples:
- Reading on the wire
- Unsecured pages and components
- Error messages that reveal implementation details
Denial of Service
Security Property: Availability
A Denial of Service attack is when a person or program degrades or denies service to legitimate users.
Examples:
- DDoS attacks
- Poorly behaved components that can be exploited
- Disabling a credential store
Elevation of Privilege
Security Property: Authorization
An Elevation of Privilege attack is when a person or program gains privileged access without authorization.
Examples:
- Install an .exe and wait for an admin logon
- Unsecured components that communicate to other services with admin rights
- Impersonation
Threat Matrix
These application threats are documented in a Threat Matrix and ranked. The matrix is a living document and should never be frozen in time. Each risk is rated and evaluated for risk exposure by multiplying its probability by its impact (P * I = RE). The results can then be sorted by risk exposure to determine priority.
Another useful acronym for rating and documenting threats is DREAD: Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
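As an added example, not part of Claricode's process documentation, the following builds a small threat matrix from the STRIDE examples listed above, computes risk exposure as P * I, averages the five DREAD ratings as a tiebreaker, validates the rating scales, and prints the rows sorted by priority. The 1 to 5 scale for probability and impact, the 1 to 10 scale for each DREAD rating, the threat identifiers, and the ratings themselves are all assumptions made for the example; the point is the shape of the matrix and the sorting, not the particular numbers.

```python
from dataclasses import dataclass

DREAD_FIELDS = ("Damage", "Reproducibility", "Exploitability", "Affected users", "Discoverability")


@dataclass(frozen=True)
class Threat:
    id: str
    category: str          # STRIDE category the threat falls under
    description: str
    probability: int       # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int            # assumed scale 1 (negligible) .. 5 (severe)
    dread: tuple           # five ratings in DREAD_FIELDS order, assumed scale 1 .. 10

    def __post_init__(self) -> None:
        if not 1 <= self.probability <= 5 or not 1 <= self.impact <= 5:
            raise ValueError(f"{self.id}: probability and impact must be in 1..5")
        if len(self.dread) != len(DREAD_FIELDS) or not all(1 <= d <= 10 for d in self.dread):
            raise ValueError(f"{self.id}: DREAD needs five ratings in 1..10")

    @property
    def risk_exposure(self) -> int:
        return self.probability * self.impact          # P * I = RE, as in the text

    @property
    def dread_score(self) -> float:
        return sum(self.dread) / len(self.dread)        # mean of the five DREAD ratings


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest risk exposure first; equal RE is broken by the higher DREAD score."""
    return sorted(threats, key=lambda t: (t.risk_exposure, t.dread_score), reverse=True)


def render(threats: list[Threat]) -> str:
    """Plain-text threat matrix for inclusion in the living document."""
    header = f"{'ID':<4}{'Category':<24}{'P':>2}{'I':>2}{'RE':>4}{'DREAD':>7}  Description"
    rows = [header, "-" * len(header)]
    for t in rank(threats):
        rows.append(f"{t.id:<4}{t.category:<24}{t.probability:>2}{t.impact:>2}"
                    f"{t.risk_exposure:>4}{t.dread_score:>7.1f}  {t.description}")
    return "\n".join(rows)


# Constructed sample rows drawn from the STRIDE examples on the page; ratings are illustrative.
SAMPLE_THREATS = [
    Threat("T1", "Spoofing", "Basic HTTP authentication sends credentials in the clear", 4, 5, (8, 9, 8, 9, 7)),
    Threat("T2", "Repudiation", "Prescription drug ordered without an audit trail", 2, 5, (9, 8, 6, 7, 5)),
    Threat("T3", "Information Disclosure", "Error messages reveal implementation details", 5, 2, (3, 10, 8, 5, 8)),
    Threat("T4", "Denial of Service", "Disabling a credential store", 1, 5, (7, 5, 4, 10, 4)),
    Threat("T5", "Tampering", "SQL injection to modify database data", 3, 5, (10, 9, 7, 10, 8)),
]


if __name__ == "__main__":
    print(render(SAMPLE_THREATS))
```

Sorting on the (RE, DREAD) tuple keeps the page's P * I rule as the primary order and only consults DREAD when two threats tie, which is the usual way the two schemes are combined. Because the matrix is regenerated from the list of Threat rows, re-rating a threat after a design change is a one-line edit and the ordering updates with it.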