Threat Modeling Report

Created on 1/14/2017 6:43:27 PM

Threat Model Name:

Owner:

Reviewer:

Contributors:

Description:

Assumptions:

External Dependencies:

Threat Model Summary:

Not Started 65
Not Applicable 0
Needs Investigation 0
Mitigation Implemented 0
Total 65
Total Migrated 0

Diagram: Diagram 1

Diagram 1 Diagram Summary:

Not Started 65
Not Applicable 0
Needs Investigation 0
Mitigation Implemented 0
Total 65
Total Migrated 0

Interaction: HTTP

1. Elevation by Changing the Execution Flow in Browser Client [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:An attacker may pass data into Browser Client in order to change the flow of program execution within Browser Client to the attacker's choosing.
Justification:<no mitigation provided>

2. Browser Client May be Subject to Elevation of Privilege Using Remote Code Execution [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to remotely execute code for Browser Client.
Justification:<no mitigation provided>

3. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Browser Client may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

4. Data Flow HTTP Is Potentially Interrupted [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:An external agent interrupts data flowing across a trust boundary in either direction.
Justification:<no mitigation provided>

5. Potential Process Crash or Stop for Browser Client [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:Browser Client crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification:<no mitigation provided>

6. Potential Data Repudiation by Browser Client [State: Not Started] [Priority: High]

Category:Repudiation
Description:Browser Client claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification:<no mitigation provided>

7. Firewall Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Firewall is given access to memory, such as shared memory or pointers, or is given the ability to control what Browser Client executes (for example, passing back a function pointer.), then Firewall can tamper with Browser Client. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

8. Spoofing the Firewall Process [State: Not Started] [Priority: High]

Category:Spoofing
Description:Firewall may be spoofed by an attacker and this may lead to unauthorized access to Browser Client. Consider using a standard authentication mechanism to identify the source process.
Justification:<no mitigation provided>

Interaction: HTTP

9. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of Web Service in order to gain additional privilege.
Justification:<no mitigation provided>

10. Web Service Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Web Service is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then Web Service can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: HTTP

11. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Web Service may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

12. Firewall Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Firewall is given access to memory, such as shared memory or pointers, or is given the ability to control what Web Service executes (for example, passing back a function pointer.), then Firewall can tamper with Web Service. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: HTTP

13. Potential Excessive Resource Consumption for Web Service or SQL Database [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:Does Web Service or SQL Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out.
Justification:<no mitigation provided>

14. Potential SQL Injection Vulnerability for SQL Database [State: Not Started] [Priority: High]

Category:Tampering
Description:SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
Justification:<no mitigation provided>

15. Spoofing of Destination Data Store SQL Database [State: Not Started] [Priority: High]

Category:Spoofing
Description:SQL Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database. Consider using a standard authentication mechanism to identify the destination data store.
Justification:<no mitigation provided>

Interaction: HTTP

16. Weak Access Control for a Resource [State: Not Started] [Priority: High]

Category:Information Disclosure
Description:Improper data protection of SQL Database can allow an attacker to read information not intended for disclosure. Review authorization settings.
Justification:<no mitigation provided>

17. Spoofing of Source Data Store SQL Database [State: Not Started] [Priority: High]

Category:Spoofing
Description:SQL Database may be spoofed by an attacker and this may lead to incorrect data delivered to Web Service. Consider using a standard authentication mechanism to identify the source data store.
Justification:<no mitigation provided>

Interaction: HTTP

18. Browser Client Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Browser Client is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then Browser Client can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

19. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of Browser Client in order to gain additional privilege.
Justification:<no mitigation provided>

Interaction: HTTPS

20. Elevation by Changing the Execution Flow in Firewall [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:An attacker may pass data into Firewall in order to change the flow of program execution within Firewall to the attacker's choosing.
Justification:<no mitigation provided>

21. Firewall May be Subject to Elevation of Privilege Using Remote Code Execution [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Browser may be able to remotely execute code for Firewall.
Justification:<no mitigation provided>

22. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of Browser in order to gain additional privilege.
Justification:<no mitigation provided>

23. Data Flow HTTPS Is Potentially Interrupted [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:An external agent interrupts data flowing across a trust boundary in either direction.
Justification:<no mitigation provided>

24. Potential Process Crash or Stop for Firewall [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:Firewall crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification:<no mitigation provided>

25. Potential Data Repudiation by Firewall [State: Not Started] [Priority: High]

Category:Repudiation
Description:Firewall claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification:<no mitigation provided>

26. Spoofing the Browser External Entity [State: Not Started] [Priority: High]

Category:Spoofing
Description:Browser may be spoofed by an attacker and this may lead to unauthorized access to Firewall. Consider using a standard authentication mechanism to identify the external entity.
Justification:<no mitigation provided>

Interaction: HTTPS

27. Data Flow HTTPS Is Potentially Interrupted [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:An external agent interrupts data flowing across a trust boundary in either direction.
Justification:<no mitigation provided>

28. External Entity Browser Potentially Denies Receiving Data [State: Not Started] [Priority: High]

Category:Repudiation
Description:Browser claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification:<no mitigation provided>

29. Spoofing of the Browser External Destination Entity [State: Not Started] [Priority: High]

Category:Spoofing
Description:Browser may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Browser. Consider using a standard authentication mechanism to identify the external entity.
Justification:<no mitigation provided>

Interaction: UDP

30. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of DNS Server in order to gain additional privilege.
Justification:<no mitigation provided>

31. DNS Server Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If DNS Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then DNS Server can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: UDP

32. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:DNS Server may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

Interaction: UDP

33. Firewall Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Firewall is given access to memory, such as shared memory or pointers, or is given the ability to control what Browser Client executes (for example, passing back a function pointer.), then Firewall can tamper with Browser Client. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

34. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Browser Client may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

Interaction: UDP

35. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of Browser Client in order to gain additional privilege.
Justification:<no mitigation provided>

36. Browser Client Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If Browser Client is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then Browser Client can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: UDP

37. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of DNS Server in order to gain additional privilege.
Justification:<no mitigation provided>

38. DNS Server Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If DNS Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then DNS Server can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: UDP

39. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:DNS Server may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

Interaction: UDP

40. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of DNS Server in order to gain additional privilege.
Justification:<no mitigation provided>

41. DNS Server Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If DNS Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then DNS Server can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

Interaction: UDP

42. Spoofing the DNS Server Process [State: Not Started] [Priority: High]

Category:Spoofing
Description:DNS Server may be spoofed by an attacker and this may lead to information disclosure by Firewall. Consider using a standard authentication mechanism to identify the destination process.
Justification:<no mitigation provided>

43. Spoofing the Firewall Process [State: Not Started] [Priority: High]

Category:Spoofing
Description:Firewall may be spoofed by an attacker and this may lead to unauthorized access to DNS Server. Consider using a standard authentication mechanism to identify the source process.
Justification:<no mitigation provided>

44. Potential Data Repudiation by DNS Server [State: Not Started] [Priority: High]

Category:Repudiation
Description:DNS Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification:<no mitigation provided>

45. Potential Lack of Input Validation for DNS Server [State: Not Started] [Priority: High]

Category:Tampering
Description:Data flowing across UDP may be tampered with by an attacker. This may lead to a denial of service attack against DNS Server or an elevation of privilege attack against DNS Server or an information disclosure by DNS Server. Failure to verify that input is as expected is a root cause of a very large number of exploitable issues. Consider all paths and the way they handle data. Ensure that all input is verified for correctness using an approved list input validation approach.
Justification:<no mitigation provided>

46. Data Flow Sniffing [State: Not Started] [Priority: High]

Category:Information Disclosure
Description:Data flowing across UDP may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow.
Justification:<no mitigation provided>

47. Potential Process Crash or Stop for DNS Server [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:DNS Server crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification:<no mitigation provided>

48. Data Flow UDP Is Potentially Interrupted [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:An external agent interrupts data flowing across a trust boundary in either direction.
Justification:<no mitigation provided>

49. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:DNS Server may be able to impersonate the context of Firewall in order to gain additional privilege.
Justification:<no mitigation provided>

50. DNS Server May be Subject to Elevation of Privilege Using Remote Code Execution [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to remotely execute code for DNS Server.
Justification:<no mitigation provided>

51. Elevation by Changing the Execution Flow in DNS Server [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:An attacker may pass data into DNS Server in order to change the flow of program execution within DNS Server to the attacker's choosing.
Justification:<no mitigation provided>

52. Cross Site Request Forgery [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Cross-site request forgery (CSRF or XSRF) is a type of attack in which an attacker forces a user's browser to make a forged request to a vulnerable site by exploiting an existing trust relationship between the browser and the vulnerable web site. In a simple scenario, a user is logged in to web site A using a cookie as a credential. The user browses to web site B. Web site B returns a page with a hidden form that posts to web site A. Since the browser will carry the user's cookie to web site A, web site B now can take any action on web site A, for example, adding an admin to an account. The attack can be used to exploit any requests that the browser automatically authenticates, e.g. by session cookie, integrated authentication, IP whitelisting, … The attack can be carried out in many ways such as by luring the victim to a site under control of the attacker, getting the user to click a link in a phishing email, or hacking a reputable web site that the victim will visit. The issue can only be resolved on the server side by requiring that all authenticated state-changing requests include an additional piece of secret payload (canary or CSRF token) which is known only to the legitimate web site and the browser and which is protected in transit through SSL/TLS. See the Forgery Protection property on the flow stencil for a list of mitigations.
Justification:<no mitigation provided>

Interaction: UDP

53. Firewall May be Subject to Elevation of Privilege Using Remote Code Execution [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:DNS Server may be able to remotely execute code for Firewall.
Justification:<no mitigation provided>

54. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of DNS Server in order to gain additional privilege.
Justification:<no mitigation provided>

55. Data Flow UDP Is Potentially Interrupted [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:An external agent interrupts data flowing across a trust boundary in either direction.
Justification:<no mitigation provided>

56. Potential Process Crash or Stop for Firewall [State: Not Started] [Priority: High]

Category:Denial Of Service
Description:Firewall crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification:<no mitigation provided>

57. Data Flow Sniffing [State: Not Started] [Priority: High]

Category:Information Disclosure
Description:Data flowing across UDP may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow.
Justification:<no mitigation provided>

58. Potential Data Repudiation by Firewall [State: Not Started] [Priority: High]

Category:Repudiation
Description:Firewall claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification:<no mitigation provided>

59. DNS Server Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If DNS Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then DNS Server can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>

60. Potential Lack of Input Validation for Firewall [State: Not Started] [Priority: High]

Category:Tampering
Description:Data flowing across UDP may be tampered with by an attacker. This may lead to a denial of service attack against Firewall or an elevation of privilege attack against Firewall or an information disclosure by Firewall. Failure to verify that input is as expected is a root cause of a very large number of exploitable issues. Consider all paths and the way they handle data. Ensure that all input is verified for correctness using an approved list input validation approach.
Justification:<no mitigation provided>

61. Spoofing the Firewall Process [State: Not Started] [Priority: High]

Category:Spoofing
Description:Firewall may be spoofed by an attacker and this may lead to information disclosure by DNS Server. Consider using a standard authentication mechanism to identify the destination process.
Justification:<no mitigation provided>

62. Spoofing the DNS Server Process [State: Not Started] [Priority: High]

Category:Spoofing
Description:DNS Server may be spoofed by an attacker and this may lead to unauthorized access to Firewall. Consider using a standard authentication mechanism to identify the source process.
Justification:<no mitigation provided>

63. Elevation by Changing the Execution Flow in Firewall [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:An attacker may pass data into Firewall in order to change the flow of program execution within Firewall to the attacker's choosing.
Justification:<no mitigation provided>

Interaction: UDP

64. Elevation Using Impersonation [State: Not Started] [Priority: High]

Category:Elevation Of Privilege
Description:Firewall may be able to impersonate the context of DNS Server in order to gain additional privilege.
Justification:<no mitigation provided>

65. DNS Server Process Memory Tampered [State: Not Started] [Priority: High]

Category:Tampering
Description:If DNS Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Firewall executes (for example, passing back a function pointer.), then DNS Server can tamper with Firewall. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification:<no mitigation provided>