Threat Modeling Report

Created on 6/5/2017 12:19:16 PM

Threat Model Name:

Owner:

Reviewer:

Contributors:

Description:

Assumptions:

External Dependencies:


Threat Model Summary:

Not Started: 0
Not Applicable: 0
Needs Investigation: 0
Mitigation Implemented: 39
Total: 39
Total Migrated: 0


Diagram: Azure PaaS PCI DSS and HIPAA BluePrint

Azure PaaS PCI DSS and HIPAA BluePrint diagram screenshot

Validation Messages:

  1. Error: More than one arc trust boundary of the same type on the same data flow.

Azure PaaS PCI DSS and HIPAA BluePrint Diagram Summary:

Not Started: 0
Not Applicable: 0
Needs Investigation: 0
Mitigation Implemented: 39
Total: 39
Total Migrated: 0

Interaction: HTTPS

HTTPS interaction screenshot

1. Elevation by Changing the Execution Flow in nsg-AppGateway  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: An attacker may pass data into nsg-AppGateway in order to change the flow of program execution within nsg-AppGateway to the attacker's choosing.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

2. nsg-AppGateway May be Subject to Elevation of Privilege Using Remote Code Execution  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: Browser Client may be able to remotely execute code for nsg-AppGateway.
Justification: Client side connection requires SSL. RBAC managed using AAD, user roles defined in deployment documentation.

3. Elevation Using Impersonation  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: nsg-AppGateway may be able to impersonate the context of Browser Client in order to gain additional privilege.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

4. Data Flow HTTPS Is Potentially Interrupted  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: DDoS prevention provided by Azure services.

5. Potential Process Crash or Stop for nsg-AppGateway  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: nsg-AppGateway crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification: DDoS prevention provided by Azure services.

6. Potential Data Repudiation by nsg-AppGateway  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: nsg-AppGateway claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

7. Spoofing the Browser Client Process  [State: Mitigation Implemented]  [Priority: High] 

Category: Spoofing
Description: Browser Client may be spoofed by an attacker and this may lead to unauthorized access to nsg-AppGateway. Consider using a standard authentication mechanism to identify the source process.
Justification: Connection requires a valid SSL certificate; RBAC enforced for users.

Interaction: HTTPS

HTTPS interaction screenshot

8. nsg-AppGateway Process Memory Tampered  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: If nsg-AppGateway is given access to memory, such as shared memory or pointers, or is given the ability to control what App Services Environment executes (for example, passing back a function pointer), then nsg-AppGateway can tamper with App Services Environment. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

9. Replay Attacks  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: Packets or messages without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Implement or utilize an existing communication protocol that supports anti-replay techniques (investigate sequence numbers before timers) and strong integrity.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

10. Collision Attacks  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: Attackers who can send a series of packets or messages may be able to overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

11. Potential Data Repudiation by App Services Environment  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: App Services Environment claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

12. Weak Authentication Scheme  [State: Mitigation Implemented]  [Priority: High] 

Category: Information Disclosure
Description: Custom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, downgrade authentication or a weak credential change management system. Consider the impact and potential mitigations for your custom authentication scheme.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

13. Potential Process Crash or Stop for App Services Environment  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: App Services Environment crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification: DDoS prevention provided by Azure services.

14. Data Flow HTTPS Is Potentially Interrupted  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: DDoS prevention provided by Azure services.

15. Elevation Using Impersonation  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: App Services Environment may be able to impersonate the context of nsg-AppGateway in order to gain additional privilege.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

16. App Services Environment May be Subject to Elevation of Privilege Using Remote Code Execution  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: nsg-AppGateway may be able to remotely execute code for App Services Environment.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

17. Elevation by Changing the Execution Flow in App Services Environment  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: An attacker may pass data into App Services Environment in order to change the flow of program execution within App Services Environment to the attacker's choosing.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

Interaction: HTTPS

HTTPS interaction screenshot

18. Data Store Inaccessible  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: An external agent prevents access to a data store on the other side of the trust boundary.
Justification: DDoS prevention provided by Azure services.

19. Data Flow HTTPS Is Potentially Interrupted  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: DDoS prevention provided by Azure services.

20. Potential Excessive Resource Consumption for DevOps Engineer or Contoso Database  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: Does DevOps Engineer or Contoso Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out.
Justification: DDoS prevention provided by Azure services.

21. Weak Credential Storage  [State: Mitigation Implemented]  [Priority: High] 

Category: Information Disclosure
Description: Credentials held at the server are often disclosed or tampered with, and credentials stored on the client are often stolen. For the server side, consider storing a salted hash of the credentials instead of storing the credentials themselves. If this is not possible due to business requirements, be sure to encrypt the credentials before storage, using an SDL-approved mechanism. For the client side, if storing credentials is required, encrypt them and protect the data store in which they're stored.
Justification: All credentials are managed using Key Vault, all data stores are encrypted.

22. Data Store Denies Contoso Database Potentially Writing Data  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: Contoso Database claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate. All data stored in SQL is encrypted, and row-level protection is additionally provided for CHD data.

23. Potential Weak Protections for Audit Data  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: Consider what happens when the audit mechanism comes under attack, including attempts to destroy the logs or attack log analysis programs. Ensure access to the log is through a reference monitor, which controls read and write separately. Document what filters, if any, readers can rely on, or writers should expect.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

24. Insufficient Auditing  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: Does the log capture enough data to understand what happened in the past? Do your logs capture enough data to understand an incident after the fact? Is such capture lightweight enough to be left on all the time? Do you have enough data to deal with repudiation claims? Make sure you log sufficient and appropriate data to handle repudiation claims. You might want to talk to an audit expert as well as a privacy expert about your choice of data.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

25. Data Logs from an Unknown Source  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: Do you accept logs from unknown or weakly authenticated users or systems? Identify and authenticate the source of the logs before accepting them.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

26. Lower Trusted Subject Updates Logs  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: If you have trust levels, is anyone outside of the highest trust level allowed to log? Letting everyone write to your logs can lead to repudiation problems. Only allow trusted code to log.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

27. The Contoso Database Data Store Could Be Corrupted  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: Data flowing across HTTPS may be tampered with by an attacker. This may lead to corruption of Contoso Database. Ensure the integrity of the data flow to the data store.
Justification: It is recommended that only a SAW (https://www.microsoft.com/itshowcase/Article/Content/601/Protecting-highvalue-assets-with-secure-admin-workstations) be permitted to connect, preventing direct attacks.

28. Potential SQL Injection Vulnerability for Contoso Database  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
Justification: Auditing and Threat Detection (Prevention mode) is enabled on SQL Database.

29. Risks from Logging  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: Log readers can come under attack via log files. Consider ways to canonicalize data in all logs. Implement a single reader for the logs, if possible, in order to reduce attack surface area. Be sure to understand and document log file elements which come from untrusted sources.
Justification: It is recommended that only a SAW (https://www.microsoft.com/itshowcase/Article/Content/601/Protecting-highvalue-assets-with-secure-admin-workstations) be permitted to connect, preventing direct attacks.

30. Spoofing of Destination Data Store Contoso Database  [State: Mitigation Implemented]  [Priority: High] 

Category: Spoofing
Description: Contoso Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Contoso Database. Consider using a standard authentication mechanism to identify the destination data store.
Justification: Connection requires a valid SSL certificate; RBAC enforced for users. Cross-site scripting attacks are monitored by ASC, and by the WAF using the OWASP rule set.

31. Spoofing the DevOps Engineer Process  [State: Mitigation Implemented]  [Priority: High] 

Category: Spoofing
Description: DevOps Engineer may be spoofed by an attacker and this may lead to unauthorized access to Contoso Database. Consider using a standard authentication mechanism to identify the source process.
Justification: Connection requires a valid SSL certificate; RBAC enforced for users.

Interaction: HTTPS

HTTPS interaction screenshot

32. Elevation by Changing the Execution Flow in OMS Instance  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: An attacker may pass data into OMS Instance in order to change the flow of program execution within OMS Instance to the attacker's choosing.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

33. OMS Instance May be Subject to Elevation of Privilege Using Remote Code Execution  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: DevOps Engineer may be able to remotely execute code for OMS Instance.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

34. Elevation Using Impersonation  [State: Mitigation Implemented]  [Priority: High] 

Category: Elevation Of Privilege
Description: OMS Instance may be able to impersonate the context of DevOps Engineer in order to gain additional privilege.
Justification: RBAC managed using AAD, user roles defined in deployment documentation.

35. Data Flow HTTPS Is Potentially Interrupted  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: DDoS prevention provided by Azure services.

36. Potential Process Crash or Stop for OMS Instance  [State: Mitigation Implemented]  [Priority: High] 

Category: Denial Of Service
Description: OMS Instance crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification: DDoS prevention provided by Azure services.

37. Potential Data Repudiation by OMS Instance  [State: Mitigation Implemented]  [Priority: High] 

Category: Repudiation
Description: OMS Instance claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: ASE and WAF configured to manage requests from the trust boundaries. Data by use valid SSL certificate.

38. Browser Client Process Memory Tampered  [State: Mitigation Implemented]  [Priority: High] 

Category: Tampering
Description: If DevOps Engineer is given access to memory, such as shared memory or pointers, or is given the ability to control what OMS Instance executes (for example, passing back a function pointer), then DevOps Engineer can tamper with OMS Instance. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification: It is recommended that only a SAW (https://www.microsoft.com/itshowcase/Article/Content/601/Protecting-highvalue-assets-with-secure-admin-workstations) be permitted to connect, preventing direct attacks.

39. Spoofing the Browser Client Process  [State: Mitigation Implemented]  [Priority: High] 

Category: Spoofing
Description: DevOps Engineer may be spoofed by an attacker and this may lead to unauthorized access to OMS Instance. Consider using a standard authentication mechanism to identify the source process.
Justification: Connection requires a valid SSL certificate; RBAC enforced for users.