Week 12 - The Final Words


Finally, I get to take a week of break.  This is the busiest Term so far.  Lots of demands from work plus things keep breaking at home made it tough.  I am glad it over.  With that said, I learned much from this class.

In the first four weeks, I got to understand the threat modeling process and different threat modeling tools.  In a nutshell, threat modeling is about understanding your current state of the network; find all vulnerabilities, threats, and risks; formulate action plan and priority.  The process is carried out in a systematic way.  Initially, I thought the threat modeling is a process for finding the threats.  The name sounds small, but it also covers asset identification and action planning, as I realized after the comment on my assignment. 

I spent the following weeks working on a security project where I apply the threat modeling process.  The first phase in threat modeling is the asset assessment, where I found all assets along with their interconnections, existing security conditions, and identify the potential vulnerability.  Coming out from the first phase is the network diagram showing the current infrastructure, the criticality of each asset, and the list of vulnerability.  The second phase is finding threats.  The starting of this phase is a data flow diagram that would allow me to understand where data would reach.  Using the STRIDE model (one of the methods to find threats), I walked through each vulnerability and identify whether it is vulnerable to spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privileges, or a combination of some of them.  There are other methods of identifying the threats, but we didn’t have a chance to go into details.  After threat identification is the assignment of severity, impact level, risk analysis.  The third phase is the action plan, where solutions are formulated, and prioritization is computed.

In general, I like the way the class assignment is set up, where each assignment is divided into two weeks.  The first week is for students to leave opinions and the second week is the final submission.  This arrangement allows students to learn better and understand more about the subject.  I also like the fact that students get to pick what topic to write on their blog.  I used that opportunity to pick the subjects that I want to know more about.  The last thing I like about this class is that students get useful comments from the professor.  The comments helped them learn the mistakes as well as gaining knowledge about the subject.


When I signed up for the course, I thought it would emphasize on security trend.  I found out that it is about threat modeling.  However, if it were to talk about the trends, it wouldn’t have academic benefit, in my opinion.  I am glad it is about threat modeling.  I found it difficult to keep up with the assignment sometimes.  Part of it was because I had lots of other things demand my time at the same time.  If I were to take this class again, I would make use of the winter break to get some of the work done.
 

Comments

Post a Comment

Popular posts from this blog

Week 4 - STRIDE: Spoofing

Image
On week one, I briefly mentioned STRIDE as a method for threat identification. From this week, I want to go into a little more detail on each of its Mnemonic.  First, let's talk a little more about STRIDE.  In security , there are three fundamental aspects of the asset when speaking of security.  They are Confidentiality, Integrity, and Availability, which are referred to as the CIA triad.  To protect the asset means to protect its confidentiality, integrity, and availability.  STRIDE provides six ways to identify threats that would target the three areas. Spoofing: pretend to be someone or something that has legitimate permission to access the asset.  It is one of the ways to break the confidentiality . Tampering: ways to change the integrity of the asset. Repudiation: ways to obtain proves of violation Information Disclosure: access restricted information without permission (confidentiality) Denial of Service: ca...
Read more

Week 7 - STRIDE: Repudiation

Image
In 2000, couple individuals at Signal Lake were sued for $25 million by a man named Suni Munshani.   He alleged that Signal Lake’s officers promised him a large amount of asset.     Munshani provided an email that purportedly sent from the dependents as the proof for his allegation.   The court ordered security professional to investigate and concluded that the plaintiff altered one of the emails the dependent sent to him.   Although this does not relate to repudiation, it brings an important aspect of non-repudiation.   (memecrunch.com) Repudiation, in short, is the denial of any wrongdoing , which is the very first thing anyone would do when they get caught doing something illegal.   Professional hackers learn to cover their track very well.   Likewise, security professionals learn to track.   For the email tampering case I mentioned, the defendant would not win the lawsuit if old emails weren’t available for invest...
Read more