For example, a user who purchases an item might have to sign for the item upon receipt. Nonrepudiation refers to the ability of a system to counter repudiation threats. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise-for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Data tampering involves the malicious modification of data. An example of identity spoofing is illegally accessing and then using another user’s authentication information, such as username and password. One model you may find useful is STRIDE, derived from an acronym for the following six threat categories: You can group threats into categories to help you formulate these kinds of pointed questions. What happens if access is denied to the user profile database?.What is the impact if an attacker can read the user profile data?.How can an attacker change the authentication data?.When you are considering threats, it is useful to ask questions such as these: Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries.Low level detailed sub-components of features.Very high-level entire component / product / system.Check and add combinations of things that can be broken out.More detail is needed to explain security impact of the design.Iterate over processes, data stores, and see where they need to be broken down.Processes talking across a network always have a trust boundary Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access.Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries.Points/surfaces where an attacker can interject.Add trust boundaries that intersect data flows.
Here’s a diagram that highlights this process: The approach involves creating a diagram, identifying threats, mitigating them and validating each mitigation. The purpose of threat modeling is to identify, communicate, and understand threats and mitigations within the context of protecting something of value. Threat modeling is a process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized.
0 kommentar(er)
