Skip to content

Latest commit

 

History

History
75 lines (59 loc) · 8.4 KB

threat-modeling.md

File metadata and controls

75 lines (59 loc) · 8.4 KB

Threat Model Analysis for nationalsecurityagency/skills-service

Threat: Unauthorized Data Access via API Exploitation

  • Threat: Unauthorized Data Access via API Exploitation

    • Description: An attacker exploits a vulnerability in the skills-service API (e.g., insufficient input validation, broken authentication, or authorization bypass) to retrieve skill data they are not authorized to access. The attacker might use crafted API requests, fuzzing techniques, or exploit known vulnerabilities in the API framework.
    • Impact: Confidentiality breach; exposure of sensitive skill data, potentially including PII or classified information. This could lead to reputational damage, legal consequences, and compromise of individuals or systems.
    • Affected Component: API endpoints (e.g., /skills, /users/{userId}/skills), authentication and authorization logic (e.g., JWT validation, role-based access control functions), data access layer (functions interacting with the database).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Implement robust input validation: Use a whitelist approach, validating all input against a strict schema (e.g., using JSON Schema). Reject any input that doesn't conform.
      • Strengthen authentication and authorization: Use strong authentication mechanisms (e.g., multi-factor authentication) and enforce granular authorization checks for every API request. Ensure proper session management.
      • Regularly perform security testing: Conduct penetration testing and code reviews specifically targeting the API. Use automated vulnerability scanners.
      • Implement API rate limiting: Prevent brute-force attacks and resource exhaustion by limiting the number of requests from a single source.
      • Use an API gateway: Centralize security policies and enforce consistent access control.

Threat: Data Tampering via Database Injection

  • Threat: Data Tampering via Database Injection

    • Description: An attacker exploits a SQL injection vulnerability in the skills-service to modify or delete skill data directly in the database. This could occur if user-supplied input is not properly sanitized before being used in database queries. The attacker might use specially crafted input to bypass input validation and execute arbitrary SQL commands.
    • Impact: Integrity violation; skill data is corrupted, leading to incorrect decisions, access control failures, or system instability. This could undermine trust in the system and have serious operational consequences.
    • Affected Component: Database access layer (functions that construct and execute SQL queries), any API endpoints that accept user input used in database operations.
    • Risk Severity: High
    • Mitigation Strategies:
      • Use parameterized queries (prepared statements): Never directly embed user input into SQL queries. Use parameterized queries to ensure that user input is treated as data, not executable code.
      • Employ an Object-Relational Mapper (ORM): ORMs often provide built-in protection against SQL injection. However, ensure the ORM is configured securely and used correctly.
      • Implement strict input validation (as above): Validate all input before it reaches the database layer.
      • Database user privileges: The database user account used by the skills-service should have the minimum necessary privileges (e.g., only SELECT, INSERT, UPDATE, DELETE on specific tables). It should not have administrative privileges.

Threat: Denial of Service via Resource Exhaustion

  • Threat: Denial of Service via Resource Exhaustion

    • Description: An attacker sends a large number of requests to the skills-service API, overwhelming its resources (CPU, memory, network bandwidth) and making it unavailable to legitimate users. This could be a simple flood attack or a more sophisticated attack targeting specific API endpoints or database queries.
    • Impact: Availability disruption; the skills-service becomes unresponsive, preventing applications that rely on it from functioning correctly. This could lead to service outages and operational disruptions.
    • Affected Component: API server (e.g., Flask, Spring Boot), database server, network infrastructure.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement rate limiting (as above): Limit the number of requests per user/IP address/API key within a specific time window.
      • Configure resource limits: Set limits on the resources (CPU, memory, connections) that the skills-service can consume.
      • Use a load balancer: Distribute traffic across multiple instances of the skills-service.
      • Implement caching: Cache frequently accessed data to reduce the load on the database and API server.
      • Monitor resource usage: Track CPU, memory, and network usage to detect and respond to potential DoS attacks.

Threat: Privilege Escalation via Misconfigured Roles

  • Threat: Privilege Escalation via Misconfigured Roles

    • Description: An attacker exploits a misconfiguration in the skills-service's role-based access control (RBAC) system to gain higher privileges than they should have. This could occur if roles are not properly defined, if users are assigned to incorrect roles, or if there are vulnerabilities in the RBAC implementation. The attacker might be a legitimate user with limited access who finds a way to elevate their privileges.
    • Impact: Confidentiality and integrity violation; the attacker gains unauthorized access to data and can potentially modify or delete it. This could lead to a complete system compromise.
    • Affected Component: RBAC implementation (e.g., configuration files, database tables defining roles and permissions), authentication and authorization logic.
    • Risk Severity: High
    • Mitigation Strategies:
      • Follow the principle of least privilege: Grant users only the minimum necessary permissions to perform their tasks.
      • Regularly review and audit role assignments: Ensure that users are assigned to the correct roles and that roles are properly defined.
      • Implement strong password policies: Enforce strong passwords and multi-factor authentication for all users, especially those with administrative privileges.
      • Test the RBAC implementation thoroughly: Ensure that privilege escalation vulnerabilities are not present.

Threat: Insider Threat - Data Exfiltration

  • Threat: Insider Threat - Data Exfiltration

    • Description: A malicious or negligent insider with authorized access to the skills-service (e.g., a developer, administrator, or privileged user) intentionally or unintentionally exfiltrates sensitive skill data. This could involve copying data to external storage, sending it via email, or using other unauthorized channels.
    • Impact: Confidentiality breach; exposure of sensitive skill data, potentially leading to reputational damage, legal consequences, and compromise of individuals or systems.
    • Affected Component: All components, as the insider has authorized access. This highlights the importance of access controls and monitoring.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement strong access controls (as above): Enforce the principle of least privilege and separation of duties.
      • Monitor user activity: Log all data access and modification events. Implement anomaly detection to identify suspicious behavior.
      • Data Loss Prevention (DLP) tools: Use DLP tools to detect and prevent unauthorized data exfiltration.
      • Background checks and security awareness training: Conduct background checks on personnel with access to sensitive data and provide regular security awareness training.
      • Establish clear policies and procedures: Define clear policies regarding data handling and access, and ensure that all personnel are aware of these policies.