Week 7 - STRIDE: Repudiation


In 2000, a couple of individuals at Signal Lake were sued for $25 million by a man named Suni Munshani.  He alleged that Signal Lake's officers had promised him a large amount of assets.  Munshani provided an email, purportedly sent by the defendants, as the proof for his allegation.  The court ordered a security professional to investigate, who concluded that the plaintiff had altered one of the emails the defendants sent to him.  Although this case is not strictly about repudiation, it brings up an important aspect of non-repudiation.



Repudiation, in short, is the denial of any wrongdoing, which is the very first thing anyone would do when they get caught doing something illegal.  Professional hackers learn to cover their tracks very well.  Likewise, security professionals learn to follow those tracks.  In the email tampering case I mentioned, the defendants would not have won the lawsuit if the old emails hadn't been available for investigation.  So, what are the ways to repudiate?  Two words: evidence tampering.

Storage

In the old days, tapes were IT's savior when it came to data restoration.  Tapes quickly became obsolete, giving way to hard drives, which will soon give way to cloud storage.  Destroying or tampering with backups will no longer need physical access.  In fact, the storage is located at a data center somewhere thousands of miles away and under extreme security protection.  When it is on the cloud, no one knows where and how their data is managed.  So!  Having local backups can be very useful, or even save your job some day.

Logs

Log files may be the first thing an IT person turns to after detecting an intrusion.  They may also be the last place hackers visit before they leave the premises.  On Windows platforms, there are logs and events that one can search for suspicious activity.  On Linux, most of the logs are stored in the /var/log directory.

Audit

Audit data contains lots of sensitive information.  The data often shows who took an action, what was done, where, and when.  Audit information is different from log data: it is designed specifically to track activities that could lead to system failure or malfunction.  Normally, an audit log entry contains the identity of the user, the machine from which the user logged in, the time it happened, and the action that was requested.

More sophisticated hackers make use of encrypted tunnels.  They connect through many servers using TLS or SSL connections before reaching the target.  When such a technique is used, the identity and origin information in the logs or audit logs is no longer useful.

To nail those who are responsible, we need to make sure our tracking mechanisms are protected from tampering.  Backups are always useful when the time comes, even though keeping them sounds like a waste of time and space.  As in the Signal Lake lawsuit, the company could have lost millions of dollars if it hadn't been able to prove that the email was manipulated.
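One way to make the audit trail itself tamper-evident, added here as an illustration and not code from the original post: each entry carries an HMAC tag that also covers the previous entry's tag, so editing or deleting any entry breaks verification from that point on. The sample audit events and the collector key below are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample audit records with the fields the post lists:
# user, machine, time, and requested action. Not real data.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "ws-17", "time": "2024-01-05T09:12:03Z", "action": "login"},
    {"user": "alice", "host": "ws-17", "time": "2024-01-05T09:15:41Z", "action": "read /finance/q4.xlsx"},
    {"user": "bob",   "host": "ws-22", "time": "2024-01-05T09:20:10Z", "action": "sudo rm /var/log/auth.log"},
]

# Hypothetical secret held only by the central log collector, never on the
# monitored hosts; an intruder who edits a host's copy cannot re-sign it.
COLLECTOR_KEY = b"example-collector-key-change-me"

GENESIS = "0" * 64  # tag value assumed to precede the first entry


def canonical(event):
    """Serialise an event deterministically so equal data always hashes equal."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, event, key=COLLECTOR_KEY):
    """Append an event whose tag covers the previous tag, linking the entries."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, prev.encode() + canonical(event), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev, "tag": tag})
    return chain


def build_chain(events, key=COLLECTOR_KEY):
    """Build a complete chained log from a list of events."""
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev.encode() + canonical(entry["event"]), hashlib.sha256).hexdigest()
        # A modified event, a removed entry, or a forged tag all show up here.
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev = entry["tag"]
    return True, None
```

Verification only detects tampering; it does not recover the original entries, which is why the off-host backups the post recommends still matter.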
