STRIDE – Part 3/3

Let’s take an example where STRIDE techniques can be applied to mitigate threats. Note: threats should be listed in order of priority, highest risk first. The figure below shows a server connected to many clients over an insecure network.

[Figure: a server connected to many clients over an insecure network]

Applying the STRIDE technique helps find and fix the system’s vulnerabilities before an attacker can exploit them. Below are some of the vulnerabilities an attacker might exploit, and the threats they pose to the system.

Attack the server STRIDE 1

  • Attacker intercepts the data in transit, which allows Tampering with data, Information disclosure or Spoofing identity.
    • Chance of occurring: (1 = very high).
    • The damage it causes: (10 = massive).
    • Risk: 10/1 = (10).

Attack the server STRIDE 2

  • Attacker floods server with bad data (Denial of service).
    • Chance of occurring: (1 = very high).
    • The damage it causes: (7 = high).
    • Risk: 7/1 = (7).

Attack the server STRIDE 3

  • Attacker accesses the configuration data, which allows Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: (5 = medium).
    • The damage it causes: (10 = massive).
    • Risk: 10/5 = (2).

Attack the server STRIDE 4

  • Attacker accesses persistent data or the audit log, which allows Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: (4 = medium).
    • The damage it causes: (8 = high).
    • Risk: 8/4 = (2).

Several techniques can be applied, one set per STRIDE category, to mitigate the threats above:

  1. S – Strong authentication; and never store secrets.
  2. T – Hashes, digital signatures; and tamper-resistant protocols.
  3. R – Digital signature, time stamps; and secure logging.
  4. I – Strong access control mechanisms (ACLs), encryption; and never store secrets.
  5. D – Filtering, throttling; and QoS.
  6. E – Run with least privilege.
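As an added example (not code from the original post), the following Python script encodes the four threats listed above with the post’s scoring scheme (chance 1 = very high, risk = damage / chance), ranks them highest risk first, and maps each threat’s STRIDE letters to the mitigation list above. The threat names and the scale bounds check are assumptions for illustration.

```python
from dataclasses import dataclass

# Mitigations per STRIDE letter, as listed in the post.
MITIGATIONS = {
    "S": "strong authentication; never store secrets",
    "T": "hashes, digital signatures; tamper-resistant protocols",
    "R": "digital signatures, time stamps; secure logging",
    "I": "strong access control (ACLs), encryption; never store secrets",
    "D": "filtering, throttling; QoS",
    "E": "run with least privilege",
}


@dataclass
class Threat:
    name: str
    categories: str  # STRIDE letters this threat exercises, e.g. "STI"
    chance: int      # 1 = very high ... 10 = very low (the post's inverted scale)
    damage: int      # 1 = negligible ... 10 = massive

    def risk(self) -> float:
        # The post's formula: risk = damage / chance; higher means more urgent.
        # The 1..10 bound check is an assumption added here, not from the post.
        if not (1 <= self.chance <= 10 and 1 <= self.damage <= 10):
            raise ValueError(f"{self.name}: chance and damage must be in 1..10")
        return self.damage / self.chance

    def mitigations(self) -> list[str]:
        # One mitigation entry per STRIDE letter the threat touches.
        return [MITIGATIONS[c] for c in self.categories if c in MITIGATIONS]


# The four threats from the post's example server (constructed sample data).
THREATS = [
    Threat("STRIDE 1: intercept client data", "STI", chance=1, damage=10),
    Threat("STRIDE 2: flood server with bad data", "D", chance=1, damage=7),
    Threat("STRIDE 3: access configuration data", "TID", chance=5, damage=10),
    Threat("STRIDE 4: access persistent data / audit log", "TID", chance=4, damage=8),
]


def rank(threats: list[Threat]) -> list[tuple[str, float]]:
    """Return (name, risk) pairs, highest risk first; ties keep input order."""
    ordered = sorted(threats, key=lambda t: t.risk(), reverse=True)
    return [(t.name, t.risk()) for t in ordered]


if __name__ == "__main__":
    for name, risk in rank(THREATS):
        print(f"{risk:5.2f}  {name}")
```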



Computer Security Terms and Definitions

  • Confidentiality – Ensures that data can be read only by authorised people. For example, cryptography and encryption are attempts to ensure the confidentiality of data transferred from one computer to another.
  • Integrity – Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorised people. In other words, it is the ability to ensure that the data is an accurate and unchanged representation of the original information.
  • Availability – Ensures that system components (hardware and software) are available to authorised people when they need them (at all times). For example, a search engine tries to ensure that its web services are available (still running).
  • Accountability – The traceability of actions performed on a system, so that it can be proven whether a person did something wrong (and who did it).
  • Non-repudiation – Being able to prove that something happened so that it cannot be denied. For example, if a person messes with the system, that person cannot deny it.
  • Accessibility – Ensures that system components (hardware and software) are accessible and available to certain people when they need them. For example, the same search engine’s administrator should ensure that the web services are available (still running) and accessible to authorised people.
  • Authentication – Proving that you are who you say you are (or who he/she claims to be).
  • Authorisation – The rules that determine who is allowed to do what. For example, Mike (Admin) may be authorised to create and delete databases, while Tom (User) is only authorised to read them.

Note: In computer security, CIA does not refer to the Central Intelligence Agency but to Confidentiality, Integrity and Availability (or Authentication). Some people say the letter “A” is the big “A”, covering everything that starts with the letter “A”, such as Accountability, Authorisation, Authentication, Accessibility and more.