Week 1 - Hi everyone! I am back!

Have you ever read news about security threat and wonder whether your home, business, or work network is vulnerable?  If you do, then you wonder how you would find out if your network is protected or not.  Well, I do, and I intend to figure this out.  So, follow me …

One way to know if your network is vulnerable to a threat is by going through a threat analysis process, which is known as threat modeling.  There are several types of threat models available today, including but not limited to brainstorming, Kill Chain, Common Attack Pattern Enumeration and Classification (CAPEC), and Spoofing Tampering Repudiation Information Disclosure Denial of Service and Elevation of Privilege (STRIDE).  Brainstorming is a traditional method widely used by developers.  Structured methods such as Kill Chain, CAPEC, and STRIDE were adopted later.  Kill Chain is a method adopted from the military strategy.  It involves four steps: find the target, fix the target, attack the target, and finish the target.  CAPEC uses a collection of known attacks as the reference to enhance security protection.  STRIDE focuses on six different type of threats that attack six security properties (authentication, integrity, non-repudiation, confidentiality, availability, authorization).

STRIDE Mnemonic:


  • Spoofing: pretend to be someone or something that has legitimate permission to access the system
  • Tampering: change data or code
  • Repudiation: deny any wrongdoing
  • Information Disclosure: access restricted information without permission
  • Denial of Service: cause the system to halt or slow down to a point that it cannot supply the service
  • Elevation of Privilege: user can perform action beyond the assigned privileges

STRIDE is a sound structured threat model that address most of the aspects of security.  I found it suitable to use without years of practice in security.



https://fedvte.usalearning.gov/courses/RCA/course/videos/pdf/FIM_D03_S04_T01_STEP.pdf
https://securityintelligence.com/capec-making-heads-or-tails-of-attack-patterns
https://users.encs.concordia.ca/~clark/courses/1601-6150/scribe/L04c.pdf

Comments

Post a Comment

Popular posts from this blog

Week 10 - STRIDE: Elevation of Privilege

Image
Elevation of Privilege, in a nutshell, is the act of gaining access to information, data, or code that otherwise not allowed under the current user’s privilege.   Every user account has a set of access right assigned to fit the account holder’s function.   Traditionally, user privileges are divided into groups like administrative, operation, and view only.   Each user is assigned to one or more groups and has the privileges assigned to the groups.   In a more sophisticated system, users in the same groups can have different access rights.   There are two types of privilege elevations, vertical privilege elevation, and horizontal privilege elevation.    Vertical privilege elevation is when a user gains the privileges of another user whose access right is higher than himself or herself.   An example of this is the sudo command in Debian Linux systems.   Normal user can perform superuser operation when added to the sudo list....
Read more

Week 7 - STRIDE: Repudiation

Image
In 2000, couple individuals at Signal Lake were sued for $25 million by a man named Suni Munshani.   He alleged that Signal Lake’s officers promised him a large amount of asset.     Munshani provided an email that purportedly sent from the dependents as the proof for his allegation.   The court ordered security professional to investigate and concluded that the plaintiff altered one of the emails the dependent sent to him.   Although this does not relate to repudiation, it brings an important aspect of non-repudiation.   (memecrunch.com) Repudiation, in short, is the denial of any wrongdoing , which is the very first thing anyone would do when they get caught doing something illegal.   Professional hackers learn to cover their track very well.   Likewise, security professionals learn to track.   For the email tampering case I mentioned, the defendant would not win the lawsuit if old emails weren’t available for invest...
Read more

Week 8. Secure Your Credit Cards

In the past few years, online shopping had increased tremendously.  With the growth of online purchase, the risk of credit card theft also grows proportionally.  To protect consumers, major credit card issuers and those involved in the credit card transaction have worked hard to maintain satisfactory security level.   Credit card issuers, today, provides free services that used to come with a membership fee.  One beneficial service is text, email or phone call notification on credit card transaction.  The feature can be activated in card holder's account settings.  Once activated and set to a desired notification preference, the card holder receives notification of the transaction made to the credit card.  The card holder can also receive notification of suspected transactions.  The mechanism works by studying how and where the credit card is being used.  When the card is used outside of the norm, the transaction will be stopped, and the no...
Read more