CSSLP Tutorial: Module 03, Part 02 – Threat Modeling

Threat Modeling

This section is about threat modeling.  There are a number of factors to consider.  Start with your objectives: the security objectives first, and then the other drivers of your team's objectives, such as legal and regulatory requirements and contractual obligations.  For example, do you have to be HIPAA compliant?  Do you have to adhere to Sarbanes-Oxley?  Where there is a legal obligation, you are mandated to meet those objectives.  The business objectives also matter, as does how the model addresses the CIA triad: the C is for confidentiality, the I is for integrity, and the A is for availability.  There are several tools that help with threat modeling: data flow diagrams, use and misuse cases, and the STRIDE acronym, which names six categories of threat.

A data flow diagram shows the processes that handle data, the flows of data between those processes, the external entities that send and receive it, and the stores where it ends up.  Drawing trust boundaries on the diagram shows where data crosses from a less trusted zone into a more trusted one, which is where most of the interesting threats sit.  The diagram is a map used to find weaknesses, vulnerabilities, and the opportunities an attacker would look for.  Looking at the data flows naturally leads to use and misuse cases.  The use case is the normal function: a username and password authenticate the user.  The misuse case is the attacker's view of the same function: a threat that tries to steal the username and password, and the question becomes "How do we mitigate that?"  Misuse cases also cover lessening the opportunity for misuse in the first place, not just responding to it.

So, when we're doing threat modeling, there is an acronym that helps as a way to remember the main categories of threat.  The acronym is STRIDE.  S is for spoofing, T is for tampering, R for repudiation, I for information disclosure, D is denial of service, and E is for escalation of privilege (Microsoft's original term is elevation of privilege).  A big threat is spoofing.  Spoofing is basically impersonation: an attacker claims to be a user, a system, or a message sender that they are not.
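Putting the data flow diagram and STRIDE together, the usual technique is to walk every element of the diagram and ask which STRIDE categories apply to that element type, paying extra attention to flows that cross a trust boundary.  The following script is an added example, not code from the CSSLP course.  It assumes the standard STRIDE-per-element mapping (external entities: S and R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), and the login diagram it builds (browser, login service, user database, and their trust zones) is constructed for illustration.

```python
"""Enumerate STRIDE threats from a data flow diagram (DFD).

Added example; not from the CSSLP course. Assumes the STRIDE-per-element
mapping below. The login DFD in build_login_dfd() is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each kind of DFD element (assumption:
# the common STRIDE-per-element table).
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element lives in


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    carries_credentials: bool = False


@dataclass
class Dfd:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, *elems: Element) -> None:
        for e in elems:
            self.elements[e.name] = e

    def crosses_boundary(self, f: Flow) -> bool:
        # A flow crosses a trust boundary when its endpoints sit in different zones.
        return self.elements[f.src].zone != self.elements[f.dst].zone


def enumerate_threats(dfd: Dfd) -> List[Tuple[str, str, str]]:
    """Return (element, STRIDE letter, note) for every applicable threat."""
    threats = []
    for e in dfd.elements.values():
        for letter in PER_ELEMENT[e.kind]:
            threats.append((e.name, letter, f"{STRIDE[letter]} of {e.kind} {e.name}"))
    for f in dfd.flows:
        for letter in PER_ELEMENT["flow"]:
            note = f"{STRIDE[letter]} on flow {f.name}"
            if dfd.crosses_boundary(f):
                note += " (crosses trust boundary)"
            if letter == "I" and f.carries_credentials:
                note += " - credentials in transit, encrypt"
            threats.append((f.name, letter, note))
    return threats


def boundary_crossing_threats(dfd: Dfd) -> List[Tuple[str, str, str]]:
    return [t for t in enumerate_threats(dfd) if "crosses trust boundary" in t[2]]


def build_login_dfd() -> Dfd:
    # Constructed sample: the username/password login from the tutorial.
    dfd = Dfd()
    dfd.add(Element("Browser", "external", "internet"),
            Element("Login service", "process", "dmz"),
            Element("User DB", "store", "internal"))
    dfd.flows += [
        Flow("credentials", "Browser", "Login service", carries_credentials=True),
        Flow("lookup", "Login service", "User DB"),
        Flow("session token", "Login service", "Browser"),
    ]
    return dfd


if __name__ == "__main__":
    for elem, letter, note in enumerate_threats(build_login_dfd()):
        print(f"{letter}  {elem:15} {note}")
```

For the three-element login diagram this yields 21 candidate threats, nine of them on flows that cross a trust boundary; the list is the starting point for the mitigation discussion that follows, not the finished model.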

For example, you get that email that looks official and says it's from your bank, with a link to click to fix some dire problem.  Hopefully people aren't still clicking links in emails; it is a very dangerous habit.  Phishing, malware downloads, and so on have all arrived this way: it's an open invitation for whatever is embedded at that link to reach your information.  Many of these emails are fraudulent and are trying to capture your password.  Authentication is the mitigation for spoofing.  You want assurance that the message comes from an entity you actually trust and that the message and its link haven't been modified.  One way to get that assurance is a digital signature.  Spoofing is the S, the first letter of the STRIDE acronym.  The second letter is T, and T is for tampering.

Tampering is when someone has modified a file, a message, or a system.  The ways to detect tampering are CRCs, checksums, message digests, message authentication codes (MACs), and digital signatures.  A caveat: a CRC, checksum, or plain digest only catches accidental corruption, because an attacker who can change the data can just recompute the value to match.  Against a deliberate adversary the integrity check has to involve a secret, either a shared key (a MAC) or a private signing key (a digital signature).  Digital signatures provide more than an integrity check.  They also provide non-repudiation, which combines authentication and integrity: the signature proves who produced the data and that it hasn't changed since.  This is the answer to the next problem in the STRIDE acronym, which is repudiation.

Repudiation is when a user denies an action: either the message didn't actually come from them (somebody spoofed them), or the contents were tampered with and the person never sent what the message now says.  We want assurance against both possibilities, so the user can't dispute either one.  The way to get that is digital signatures, backed by secure audit logs that record who did what and when.  The next letter of STRIDE is I, and that stands for information disclosure.
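The spoofing, tampering and repudiation discussion above turns on what each integrity mechanism actually proves.  The following is an added example, not code from the CSSLP course.  It puts three checks side by side over one constructed message: a CRC32, which anyone can recompute; an HMAC under a shared key, which only key holders can recompute but which either holder could have produced, so it gives integrity and authentication but not non-repudiation; and a textbook RSA signature, which only the private key holder can produce, so it gives all three.  The RSA key is built from two published Mersenne primes purely so the block runs offline; that key size and the raw hash-then-sign construction are a teaching toy, not a real signature scheme.

```python
"""Integrity vs. authenticity vs. non-repudiation, side by side.

Added example, not from the CSSLP course. The message, key and
forgery below are constructed; the RSA parameters are a toy.
"""
import hashlib
import hmac
import zlib


# --- 1. CRC32: detects accidental corruption only --------------------------
def crc_tag(msg: bytes) -> int:
    return zlib.crc32(msg)


def crc_ok(msg: bytes, tag: int) -> bool:
    return zlib.crc32(msg) == tag


# --- 2. HMAC: detects tampering by anyone who lacks the shared key ---------
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


# --- 3. Toy RSA signature: only the private exponent can sign --------------
P = 2**31 - 1   # Mersenne prime M31 (assumption: toy size, not for real use)
Q = 2**61 - 1   # Mersenne prime M61
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi) == 1 for these primes


def _h(msg: bytes) -> int:
    # Hash the message and reduce into the RSA group (toy full-domain hash).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D) -> int:
    return pow(_h(msg), d, N)


def verify(msg: bytes, sig: int, e: int = E) -> bool:
    return pow(sig, e, N) == _h(msg)


def demo() -> dict:
    key = b"shared-secret-between-sender-and-receiver"   # constructed
    original = b"Pay $100 to account 1234"               # constructed
    forged = b"Pay $900 to account 9999"                 # attacker's edit
    results = {}

    # Attacker rewrites the message AND recomputes the CRC: the check passes.
    results["crc_forged_passes"] = crc_ok(forged, crc_tag(forged))

    # Attacker changes the message but cannot recompute the HMAC without the key.
    tag = mac_tag(key, original)
    results["mac_detects_tamper"] = not mac_ok(key, forged, tag)
    # The receiver also holds the key, so the receiver could have made any tag:
    # an HMAC cannot prove to a third party who sent the message.
    results["receiver_can_forge_mac"] = mac_ok(key, forged, mac_tag(key, forged))

    # Signature: verifies for the original, fails for the forgery, and a party
    # who only knows (E, N) cannot produce a valid one (they can only encrypt).
    sig = sign(original)
    results["sig_verifies"] = verify(original, sig)
    results["sig_detects_tamper"] = not verify(forged, sig)
    results["sig_forgery_fails"] = not verify(forged, pow(_h(forged), E, N))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24} {outcome}")
```

The practical reading: a CRC answers "did this change by accident?", an HMAC answers "did someone without our key change it?", and only a signature answers "can the sender later deny having sent it?", which is the repudiation case.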

Information disclosure is when information that should be private, like secrets, is no longer secret.  This is where we protect confidentiality through encryption of data at rest and in transit, together with access control so that only authorized parties can read it in the first place.  The next letter is D, and D stands for denial of service.


Denial of service is when, for whatever reason, our product is not available for users to access.  The way to prevent this, or at least reduce it significantly, is redundancy, fault tolerance, and the other measures associated with high availability, along with limits on how much of a resource any one client can consume (rate limits, quotas, timeouts) so that a single abusive user can't exhaust it for everyone else.  The E of STRIDE is escalation of privilege.

Escalation (or elevation) of privilege is when a person or process ends up with rights, privileges, or permissions beyond what they were authorized for.  In STRIDE it usually means an attacker exploiting a flaw to gain higher rights, such as an ordinary user becoming an administrator.  It also happens gradually through privilege creep: a person changes jobs and keeps the access from the old job instead of having it removed and being granted a different set of rights, continuing to accumulate permissions until they have far more information and allowances than the position really calls for.  The way to avoid this is least privilege: the user account is authorized for only the minimum it needs, and access is reviewed whenever a role changes.
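The privilege-creep case above is the one that an access review catches.  The following script is an added example, not code from the CSSLP course.  It assumes a simple model in which each role maps to the permissions that job needs, and an account carries both its current role and the full list of permissions it has been granted over time; the review reports the permissions the current role does not justify and attributes each one to the earlier role it was carried over from.  The roles, users, and permission names are all constructed.

```python
"""Least-privilege review: flag permissions the current role does not justify.

Added example, not from the CSSLP course. Role-to-permission mapping,
accounts and permission names are constructed for illustration.
"""
from typing import Dict, List, Set

# Role -> permissions the job actually calls for (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk":  {"ticket:read", "ticket:write", "user:reset-password"},
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "finance":   {"ledger:read", "ledger:write", "payments:approve"},
}

# Permissions risky enough that a reviewer should see them called out.
HIGH_RISK: Set[str] = {"payments:approve", "user:reset-password"}


def excess_permissions(current_role: str, granted: Set[str]) -> Set[str]:
    """Permissions on the account that the current role does not need."""
    return granted - ROLE_PERMISSIONS.get(current_role, set())


def attribute_creep(role_history: List[str], excess: Set[str]) -> Dict[str, str]:
    """Map each excess permission to the earliest former role that granted it.

    Anything not explained by a former role is tagged 'unknown', which is
    its own finding: nobody can say why the account has it.
    """
    origin: Dict[str, str] = {}
    for perm in excess:
        origin[perm] = next(
            (role for role in role_history if perm in ROLE_PERMISSIONS.get(role, set())),
            "unknown",
        )
    return origin


def review_account(account: Dict) -> Dict[str, object]:
    granted = set(account["granted"])
    excess = excess_permissions(account["role"], granted)
    former_roles = [r for r in account.get("history", []) if r != account["role"]]
    return {
        "user": account["user"],
        "role": account["role"],
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        "origin": attribute_creep(former_roles, excess),
        "least_privilege": not excess,
    }


def review_all(accounts: List[Dict]) -> List[Dict[str, object]]:
    return [review_account(a) for a in accounts]


# Constructed sample: alice moved helpdesk -> developer -> finance and kept
# every permission along the way; bob has exactly what his role needs;
# carol has one permission no role of hers ever granted.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "history": ["helpdesk", "developer", "finance"],
     "granted": ["ticket:read", "ticket:write", "user:reset-password",
                 "repo:read", "repo:write", "ci:trigger",
                 "ledger:read", "ledger:write", "payments:approve"]},
    {"user": "bob", "role": "developer", "history": ["developer"],
     "granted": ["repo:read", "repo:write", "ci:trigger"]},
    {"user": "carol", "role": "helpdesk", "history": ["helpdesk"],
     "granted": ["ticket:read", "ticket:write", "user:reset-password", "payments:approve"]},
]

if __name__ == "__main__":
    for report in review_all(ACCOUNTS):
        print(report)
```

The "unknown" origin is deliberately treated as a finding rather than noise: a permission that no current or former role explains is exactly the kind of grant that least privilege says should not exist until someone can justify it.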

So, when you are doing threat modeling, you look at the six main categories of threat: spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege.  That's STRIDE.