Week 2 - Sites for threat and vulnerability information


Threat modeling



Last week, I briefly mentioned threat modeling and the six steps of STRIDE.  Threat modeling has four steps:

  • Know your network (What do I have?)
  • Know your vulnerabilities, threats, and risks (What are potential problems?)
  • Know your decision (What can I do about them?)
  • Know your result (Are the problems properly fixed?)

Successful threat modeling requires good sources of information on existing and new threats and vulnerabilities.  Before going into details, let's start with information.  Missing or insufficient information could lead to an inaccurate decision in the modeling process.  I have noted a few links that can help.  For news, I read Security Week; for vulnerabilities, I visit the National Vulnerability Database; for security updates, I go to Symantec; and for guidelines, I look at the National Institute of Standards and Technology.  Those sites provide a decent number of data points for identifying problems and solutions in security.

Security News Feed

Security news is available on many websites.  Typing a couple of words into a search engine will yield many results.  If you are looking for a place to settle, I have two in mind.  Two of the sites that I often visit are Security Week and Network World.  Security Week is a place where you can find general information about malware, threats, risks, compliance, architecture, strategy, and so on.  Many professionals in different areas share their knowledge and experience there.  Network World focuses more on new technologies.  You will find less discussion of security but ample papers on new developments and products.  Other than those two sites, The Hacker News is another site where you can find a little more than just the attack information.  This is the place where one can find specific names and links.

Vulnerabilities

Every known vulnerability is reported and added to the Common Vulnerabilities and Exposures (CVE) list, which is managed by MITRE.  MITRE started the CVE list in 1999 (About CVE).  Later, in 2005, the National Institute of Standards and Technology (NIST) created the National Vulnerability Database (NVD) and synchronized it with the CVE list (About CVE).  A third source is www.cvedetails.com, which gives a quicker lookup for those who don't want to go through a series of steps to search for CVE data.  It displays the latest vulnerabilities in a summary table.  However, NVD provides much better CVE content when the impact rating is important.  NVD provides a score and severity level for each impacted area, which is very useful for risk assessment.

Threats and Updates

Symantec Security Center is a good reference source for existing threats, risks, and vulnerabilities.  Each record identifies the type, affected system, discovered date, and protected date in addition to the base information.  Major software providers such as Microsoft and Apple, and Linux distributions such as Ubuntu, also have their own lists of threats and updates.

Publications and Guidelines

SANS Institute and NIST are two well-known sources for security guidelines and training.  SANS focuses more on training materials.  This is the best website for everyone, beginners and professionals, to use as a reference.  Its step-by-step guidelines are invaluable to security professionals.  The NIST Special Publication 800 (SP-800) series has most of what you would need for securing the network.  Those two sites will come in handy when creating solutions for vulnerabilities or threats.


References:

https://www.securityweek.com
https://www.networkworld.com
https://cve.mitre.org
https://cve.mitre.org/about/cve_and_nvd_relationship.html
https://nvd.nist.gov
https://www.symantec.com/security-center
https://www.cvedetails.com/vulnerability-list/
https://thehackernews.com/
https://www.microsoft.com/en-us/wdsi/threats
