Week 8 - STRIDE: Information Disclosure


(inzeed.files.wordpress.com)
 
When protocols like Telnet, FTP, HTTP were introduced, people were not aware of how insecure they are.  Many people thought that the data is secured by the authentication (basic authentication) mechanism.  That was how I thought until eavesdropping and man in the middle attacks came into play.  However, Information Disclosure is not just about communication.  It also expands to things that we do in everyday life.

When you see an executive of a company drives a car with the karate sticker on their car, you may think it just a sticker and there is not anything special about it.  However, to some other people, it is a good piece of information.  If it were a social engineer who tries to get information about the company where the executive works, the little sticker can be very beneficial.  From the sticker, the social engineer can find out about the martial art school, their schedule, the executive’s practice schedule, and other information, which can be used to plan the attack.

In software development, there is one thing that developers overlook (if not ignore), error code and error message.  The error code and error message often tell the user exactly what failed.  Well, we cannot blame them.  At the end of the day, the error message is designed to tell the user about the failure.  Even the standards like HTTP has the list of error code to be returned.  Here are a few examples:

·         Accessing a page without log in will result in a 401 – Unauthorized
·         Accessing a page with insufficient privileged (after logging in) will receive a 403 – Forbidden
·         Accessing a non-existing page will get a 404 – Not found

So there, as you can see, I can get some clues from the error codes.  If I want to know whether a folder or file exists in the server, I will just look for the two error codes: 403 and 404.

Information Disclosure in the digital world focuses on three states: data at rest, data in processing, and data in transit.  Information can be exposed when it is in any of the three states, although the level of exposure risk in each level may be different.

Data at Rest

Files and data that are in the disk drive or storage.  There can be only three ways to gain access to the data and files: local, remote, and malware.  Local access needs physical access with login credentials.  Remote access requires a path from the outside that leads to the target system.  The path can be a direct tunnel or a formation of multiple servers.  Malware can start from a workstation and craw its way to the target machine when there is no antivirus, access control, or firewall in place.

Data in Processing

When data is requested, and it goes through a loading and computing process before being sent.  In that small window, infected files that monitor the system can grab the data for malicious purposes.  

Data in Transit

Data that is being transmitted over a network connection is exposed to more changes of attack comparing to the other two states mentioned above.  When sending over unencrypted protocols like telnet, HTTP, FTP and the like, the data can be easily captured using any network sniffing tools.  Even when encrypted connections like HTTPS, SSH, SCP, SFTP are used, the data can still be captured if the attacker can get to the encryption key.

Among the six types of threats in the STRIDE model, Information Disclosure is broader of all, in my opinion.  I say that because the security defenders will find themselves having a hard time to distinguish between disclosable and non-disclosable information.  The same information can be beneficial to one person and not so useful to another due to the differences in their knowledge and experience.

Comments

Post a Comment

Popular posts from this blog

Week 4 - STRIDE: Spoofing

Image
On week one, I briefly mentioned STRIDE as a method for threat identification. From this week, I want to go into a little more detail on each of its Mnemonic.  First, let's talk a little more about STRIDE.  In security , there are three fundamental aspects of the asset when speaking of security.  They are Confidentiality, Integrity, and Availability, which are referred to as the CIA triad.  To protect the asset means to protect its confidentiality, integrity, and availability.  STRIDE provides six ways to identify threats that would target the three areas. Spoofing: pretend to be someone or something that has legitimate permission to access the asset.  It is one of the ways to break the confidentiality . Tampering: ways to change the integrity of the asset. Repudiation: ways to obtain proves of violation Information Disclosure: access restricted information without permission (confidentiality) Denial of Service: ca...
Read more

Week 12 - The Final Words

Finally, I get to take a week of break.   This is the busiest Term so far.   Lots of demands from work plus things keep breaking at home made it tough.   I am glad it over.   With that said, I learned much from this class. In the first four weeks, I got to understand the threat modeling process and different threat modeling tools.   In a nutshell , threat modeling is about understanding your current state of the network; find all vulnerabilities, threats, and risks; formulate action plan and priority.   The process is carried out in a systematic way .   Initially, I thought the threat modeling is a process for finding the threats.   The name sounds small, but it also covers asset identification and action planning, as I realized after the comment on my assignment.  I spent the following weeks working on a security project where I apply the threat modeling process.   The first phase in threat modeling is the asset assessmen...
Read more

Week 7 - STRIDE: Repudiation

Image
In 2000, couple individuals at Signal Lake were sued for $25 million by a man named Suni Munshani.   He alleged that Signal Lake’s officers promised him a large amount of asset.     Munshani provided an email that purportedly sent from the dependents as the proof for his allegation.   The court ordered security professional to investigate and concluded that the plaintiff altered one of the emails the dependent sent to him.   Although this does not relate to repudiation, it brings an important aspect of non-repudiation.   (memecrunch.com) Repudiation, in short, is the denial of any wrongdoing , which is the very first thing anyone would do when they get caught doing something illegal.   Professional hackers learn to cover their track very well.   Likewise, security professionals learn to track.   For the email tampering case I mentioned, the defendant would not win the lawsuit if old emails weren’t available for invest...
Read more