STRIDE – Part 2/3

Keep in mind that a threat realised against a system can affect different areas of that system. The table below shows which area might be affected when an attack occurs.

[Table image: which area of the system is affected by each kind of attack]

Prioritisation is the process of rating threats so that the ones with the highest priority are dealt with first. STRIDE threats can be prioritised as follows:

  • Chance of an attack occurring:
    • 1 – high.
    • 10 – low.
  • Cost or damage if the attack occurs:
    • 1 – little.
    • 10 – massive.
  • Risk:
    • the damage caused if the attack occurs / the chance of the attack occurring.
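As an added illustration (not part of the original post), the scoring scheme above applied in Python to a constructed list of threats, one per STRIDE category; the threats and their chance/damage values are assumed sample values, not from the post:

```python
from dataclasses import dataclass

# Scales exactly as the post defines them.
CHANCE_HIGH, CHANCE_LOW = 1, 10        # chance of the attack occurring: 1 = high, 10 = low
DAMAGE_LITTLE, DAMAGE_MASSIVE = 1, 10  # damage if it occurs: 1 = little, 10 = massive


@dataclass(frozen=True)
class Threat:
    category: str      # one of the six STRIDE letters
    description: str
    chance: int        # 1 (very likely) .. 10 (unlikely)
    damage: int        # 1 (little) .. 10 (massive)

    def risk(self) -> float:
        """Risk = damage / chance.

        Because 1 means "most likely", a likely and damaging threat scores
        high (10 / 1 = 10.0) while an unlikely, harmless one scores low
        (1 / 10 = 0.1).  Out-of-range scores are rejected rather than
        silently producing a misleading ranking.
        """
        for name, value in (("chance", self.chance), ("damage", self.damage)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")
        return self.damage / self.chance


def prioritise(threats):
    """Return the threats ordered most urgent first (highest risk)."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


# Constructed sample threats (hypothetical web shop), one per STRIDE category.
SAMPLE_THREATS = [
    Threat("S", "Rogue server impersonates the API endpoint", chance=4, damage=8),
    Threat("T", "Order totals modified in transit", chance=2, damage=9),
    Threat("R", "User denies placing an order; no audit log", chance=3, damage=4),
    Threat("I", "Customer addresses exposed in a verbose error", chance=2, damage=7),
    Threat("D", "Login endpoint flooded with requests", chance=1, damage=5),
    Threat("E", "Helpdesk role can reach admin functions", chance=6, damage=10),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_THREATS):
        print(f"{t.risk():5.2f}  {t.category}  {t.description}")
```

Note that with this scale a threat rated "very likely" (chance 1) outranks a more damaging but less likely one, which is the intended behaviour of the formula.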

STRIDE – Part 1/3

There are several techniques that can be used to find the vulnerabilities and threats of a system. These techniques are known as threat modelling, a practice for identifying and mitigating the vulnerabilities in your system. One way to determine the threats to your system is the STRIDE technique. STRIDE is a shorthand for:

  1. S – Spoofing identity.
  2. T – Tampering with data.
  3. R – Repudiation.
  4. I – Information disclosure.
  5. D – Denial of service.
  6. E – Elevation of privilege.


Spoofing identity: Allows an attacker to pose as another user, or allows a rogue server to pose as a valid server.

Tampering with data: It involves malicious modification of data.

Repudiation: When the users deny performing an action (without other parties having any way to prove otherwise).

Information disclosure: The process of exposing an individual's information to people who are not supposed to have access to it.

Denial of service: Denial of service (DoS) attacks, which deny the service to valid users.

Elevation of privilege: An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.


In conclusion, the STRIDE threats map to the following assets:

STRIDE technique          Assets
Spoofing identity         Configuration data
Tampering with data       Authentication data
Repudiation               Persistent data
Information disclosure    Data “on the wire”
Denial of service         State data
Elevation of privilege    Temporary data