STRIDE Threat model
The STRIDE threat model
threat models. Threat modelling is the process of analysing what might go wrong
with something that you are building. It also involves using abstractions to
assess what to do in case something goes wrong. Threat modelling helps
individuals find security bugs early. Individuals are also able to deliver
better products while understanding their security requirements (UcedaVelez &
Morana, 2015). It is necessary to ask questions while considering threats.
Examples include how the attacker would change the authentication data, what
would happen if the attacker accessed data on the user profile, and what would
happen if a user lacked access to a database profile. STRIDE is a useful model
in threat analysis and is an acronym for six threat categories (Shostack, 2014).
S-spoofing
refers to the act of impersonating something or someone. When you pretend to be
someone or something else, you violate their authentication (Shostack, 2014). When
spoofing happens on a local machine, the attacker may create a file in the
corresponding directory or even use code to create many files in the target
directory. Other people may spoof over a website, while others may place a link
to one of your pages. You should be ready for this, for example by coming up
with a way of authenticating users, using a single domain for all file pages,
or checking the Referrer field before taking any action.
T-tampering
is the malicious modification of data. An individual may modify data in files,
links and servers on which you rely. Programmers may change code to suit
themselves, as well as the data they supply. Such changes are difficult to
detect because the attacker operates inside the trust boundaries. Some
attackers tamper with a network by redirecting traffic to their own machine.
Network tampering also makes it easier for spoofing attacks to take place.
R-repudiation
Threats related to repudiation include programmers who deny performing erroneous
acts when there are no witnesses to prove otherwise (Shostack, 2014). When an
attacker realizes that the system has no logs, they may confuse you by putting
data in the records. An attacker must tamper with the data to perform an act of
repudiation. For instance, an angry programmer might intentionally add a coupon
into the system that gives discounts to customers for every purchase. When this
happens, non-repudiation is necessary. A system can counter threats of
repudiation, for example by making it possible to dig into what happened, by
determining whether the system logs are protected against tampering, and by
checking whether enough information is logged.
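The following is an added example, not part of the original essay: one way to protect logs against tampering is to chain each record to the previous one with a keyed MAC, so that an edited or deleted record (such as the coupon change above) is detected. The key, field names and sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key; a real key is held outside the logged system.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(prev_mac, entry):
    """HMAC over the previous record's MAC plus this entry, chaining the records."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def append(log, actor, action):
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action}
    log.append({**entry, "mac": _mac(prev, entry)})

def verify(log, anchor=None):
    """Return the index of the first bad record, len(log) if the tail was cut
    (final MAC differs from an externally stored anchor), or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        entry = {"seq": rec["seq"], "actor": rec["actor"], "action": rec["action"]}
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], _mac(prev, entry)):
            return i
        prev = rec["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(log)
    return None

def sample_log():
    """Constructed records modelled on the coupon scenario in the text."""
    log = []
    append(log, "alice", "login")
    append(log, "bob", "create coupon: discount on every purchase")
    append(log, "bob", "logout")
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log))
    log[1]["actor"] = "unknown"  # attempt to disown the coupon change
    print("first bad record:", verify(log))
```

Cutting records off the end of the log is only detected when the latest MAC is also stored somewhere the attacker cannot write, which is what the `anchor` argument models.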
I-information disclosure
violates confidentiality and involves exposing protected information to people
who were not meant to see it. It therefore gives users access to data that they
are not authorized to access (UcedaVelez & Morana, 2015). It may also allow an
attacker access to data in transit between two computers that share
information. Finding out what would happen if an intruder accessed
the databases or whether intruders may access and tamper databases is
D-denial of service
attacks aim at denying service to the valid users of a piece of software. Such
attacks may exhaust the memory of the system or make enough requests to slow
down its operation (UcedaVelez & Morana, 2015). They also consume network
resources. Denial of service attacks may also render the system temporarily
unavailable so that the attacker can accomplish their mission. Protecting the
system against such threats would improve its availability and reliability.
E-elevation of privilege
attacks violate authorization: the attacker gains capabilities without proper
permission. For instance, a limited user may run the commands of a system
administrator. The attacker may use this privileged access to destroy or even
compromise the entire system. In some dangerous cases, the intruder may
successfully gain access to all the system defenses and become part of the
trusted network (UcedaVelez & Morana, 2015). Installing a firewall may be a
solution to threats related to elevation of privilege.
Shostack, A. (2014). Threat modeling: Designing for security. John Wiley & Sons.
UcedaVelez, T., & Morana, M. M. (2015). Risk Centric Threat Modeling: Process for Attack and Threat Analysis. John Wiley & Sons.