1
00:00:00,005 --> 00:00:03,002
- After identifying potential threats to an information

2
00:00:03,002 --> 00:00:06,006
system, security analysts should move on to the next phase

3
00:00:06,006 --> 00:00:08,006
of the threat modeling process:

4
00:00:08,006 --> 00:00:11,009
considering possible attacks against each system.

5
00:00:11,009 --> 00:00:14,002
Let's take a look at the various types of attacks

6
00:00:14,002 --> 00:00:17,003
that may be used against information systems.

7
00:00:17,003 --> 00:00:22,003
Microsoft uses the STRIDE model to help categorize attacks.

8
00:00:22,003 --> 00:00:24,007
This model is a helpful starting point when you are

9
00:00:24,007 --> 00:00:27,002
trying to identify the attacks that may be used

10
00:00:27,002 --> 00:00:29,004
against any particular system.

11
00:00:29,004 --> 00:00:33,000
Each letter in the word STRIDE represents a different

12
00:00:33,000 --> 00:00:34,009
category of attack.

13
00:00:34,009 --> 00:00:37,004
S stands for spoofing.

14
00:00:37,004 --> 00:00:40,008
Spoofing attacks use falsified identity information

15
00:00:40,008 --> 00:00:43,000
to gain access to a system.

16
00:00:43,000 --> 00:00:45,007
This may be as simple as a social engineering attack

17
00:00:45,007 --> 00:00:48,007
that fakes the sender's name on an email address,

18
00:00:48,007 --> 00:00:51,004
or it may be more complicated and involve spoofing

19
00:00:51,004 --> 00:00:55,009
IP addresses, MAC addresses, wireless network names,

20
00:00:55,009 --> 00:00:58,007
or any other claim of identity.

21
00:00:58,007 --> 00:01:00,005
The best control against spoofing

22
00:01:00,005 --> 00:01:03,001
is using strong authentication.

23
00:01:03,001 --> 00:01:05,002
T stands for tampering.

24
00:01:05,002 --> 00:01:08,003
Tampering attacks make unauthorized changes to systems

25
00:01:08,003 --> 00:01:11,008
or data in an attempt to gain access or disrupt

26
00:01:11,008 --> 00:01:13,005
data integrity.

27
00:01:13,005 --> 00:01:17,003
For example, a student may hack into a college database

28
00:01:17,003 --> 00:01:20,005
in an attempt to tamper with his or her grades.

29
00:01:20,005 --> 00:01:23,000
R stands for repudiation.

30
00:01:23,000 --> 00:01:26,000
Repudiation attacks attempt to deny responsibility

31
00:01:26,000 --> 00:01:28,009
for an action, and may go further and attempt

32
00:01:28,009 --> 00:01:30,007
to blame a third party.

33
00:01:30,007 --> 00:01:33,006
Requiring digital signatures is a useful control

34
00:01:33,006 --> 00:01:36,005
against repudiation attacks.

35
00:01:36,005 --> 00:01:39,004
I stands for information disclosure.

36
00:01:39,004 --> 00:01:42,006
Information disclosure attacks attempt to steal confidential

37
00:01:42,006 --> 00:01:46,007
information and disclose it to unauthorized individuals.

38
00:01:46,007 --> 00:01:50,001
This may be done quietly, such as a competitor reading

39
00:01:50,001 --> 00:01:53,004
and reacting to an organization's product development plans,

40
00:01:53,004 --> 00:01:57,003
or it may be public, such as a newspaper disclosing

41
00:01:57,003 --> 00:01:59,007
classified government records.

42
00:01:59,007 --> 00:02:03,004
D stands for denial of service, or DoS.

43
00:02:03,004 --> 00:02:06,004
DoS attacks attempt to deprive legitimate users

44
00:02:06,004 --> 00:02:10,006
of access to the information or systems that they need.

45
00:02:10,006 --> 00:02:13,003
E stands for elevation of privilege.

46
00:02:13,003 --> 00:02:17,003
This is sometimes also known as privilege escalation.

47
00:02:17,003 --> 00:02:20,006
Elevation attacks attempt to take a normal user account

48
00:02:20,006 --> 00:02:23,009
and transform it into an administrative or superuser

49
00:02:23,009 --> 00:02:26,009
account that allows the user to exceed their

50
00:02:26,009 --> 00:02:28,007
legitimate privileges.

51
00:02:28,007 --> 00:02:31,004
When thinking through an attack, it is often helpful

52
00:02:31,004 --> 00:02:34,008
to use a system diagram that shows the data flows

53
00:02:34,008 --> 00:02:37,005
and relationships between systems.

54
00:02:37,005 --> 00:02:41,009
For example, this diagram shows a simple e-commerce website

55
00:02:41,009 --> 00:02:44,008
where a user interacts with a web server.

56
00:02:44,008 --> 00:02:47,008
That web server then relies upon an e-commerce database

57
00:02:47,008 --> 00:02:50,004
server to provide product information.

58
00:02:50,004 --> 00:02:52,008
It also depends upon an authentication server

59
00:02:52,008 --> 00:02:56,007
to verify user identities, and that authentication server

60
00:02:56,007 --> 00:03:00,001
in turn relies upon an authentication database.

61
00:03:00,001 --> 00:03:03,003
The arrows in this diagram show the data flows between

62
00:03:03,003 --> 00:03:07,005
systems, and the dotted lines show firewalls.

63
00:03:07,005 --> 00:03:09,006
Diagrams like this are useful

64
00:03:09,006 --> 00:03:12,002
in determining potential attacks.

65
00:03:12,002 --> 00:03:16,000
For example, if a security professional is evaluating

66
00:03:16,000 --> 00:03:19,005
the security of the e-commerce database, it's helpful

67
00:03:19,005 --> 00:03:22,001
to know that legitimate requests may come from

68
00:03:22,001 --> 00:03:25,007
the web server, which is accessible to the public.

69
00:03:25,007 --> 00:03:28,003
This would lead the analyst to consider the possibility

70
00:03:28,003 --> 00:03:30,004
of a SQL injection attack,

71
00:03:30,004 --> 00:03:33,007
which could be sent by the user to the web server

72
00:03:33,007 --> 00:03:36,001
and then passed by the web server to the e-commerce

73
00:03:36,001 --> 00:03:37,005
database.

74
00:03:37,005 --> 00:03:41,007
This type of diagramming is a form of reduction analysis,

75
00:03:41,007 --> 00:03:44,004
an important threat modeling tool.

76
00:03:44,004 --> 00:03:47,001
Reduction analysis breaks down a system into

77
00:03:47,001 --> 00:03:50,003
smaller components, and then performs assessments

78
00:03:50,003 --> 00:03:52,007
of each of those components.

79
00:03:52,007 --> 00:03:55,006
This may mean breaking a large, complex technology

80
00:03:55,006 --> 00:03:59,006
infrastructure into individual servers, or it might involve

81
00:03:59,006 --> 00:04:01,009
breaking a piece of software down into modules

82
00:04:01,009 --> 00:04:03,009
and interfaces.

83
00:04:03,009 --> 00:04:07,008
Reduction analysis helps simplify complex systems

84
00:04:07,008 --> 00:04:10,005
and facilitate thorough security reviews.