STRIDE – Part 3/3

Let’s take an example, where it is possible to implement STRIDE techniques to mitigate the threats. Note: Threats should be displayed as the highest priority. The figure below is an example of a server that is connected to many clients via the insecure network.

Screen Shot 2017-03-06 at 2.51.19 pm

 

Implementing STRIDE technique will help to find and fix the vulnerabilities of the system before they can be exploited by the attacker. Below are some of the vulnerabilities, that might be exploited by the attacker, which might cause threats to the system.

Attack the server STRIDE 1

  • Attacker intercepts the data, where the attacker can Tampering with data and Information disclosure or he/she can Spoofing identity.
    • Chance of occurring: (1 = very high).
    • The damage it causes: (10 = massive).
    • Risk: 10/1 = (10).

 

 

Attack the server STRIDE 2

  • Attacker floods server with bad data (Denial of service).
    • Chance of occurring: (1 = very high).
    • The damage it causes: (7 = high).
    • Risk: 7/1 = (7).

 

 

Attack the server STRIDE 3

  • Attacker accesses the configuration data, where the he/she can Tamper with data, Information disclosure and implement a Denial of service.
    • Chance of occurring: (5 = medium).
    • The damage it causes: (10 = massive).
    • Risk: 10/5 = (2).

 

 

Attack the server STRIDE 4

  • Attacker access persistent data or the audit log, where the he/she can Tamper with data, Information disclosure and implement a Denial of service.
    • Chance of occurring: (4 = medium).
    • The damage it causes: (8 = high).
    • Risk: 8/4 = (2).

 

There are several techniques that can be implemented to the STRIDE to mitigate these above threats such as;

  1. S – Strong authentication; and never store secrets.
  2. T – hashes, digital signatures; and tamer resistant protocols.
  3. R – Digital signature, time stamps; and secure logging.
  4. I – Strong access control mechanisms (ACLs), encryption; and never store secrets.
  5. D – Filtering, throttling; and QoS.
  6. E – Run with least privilege.

Screen Shot 2017-03-06 at 9.10.31 pm

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s