4.6 Stride Threat Modeling


Course
Time: 6 hours 30 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Transcription
00:01
A common threat modelling technique that we use in IT, particularly for looking at software development, is something called the STRIDE model, and STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service and escalation of privilege.
00:20
So the idea is, if we're looking at developing an application or piece of software,
00:26
these are threats that are very commonly directed at exploiting software. So when we talk about spoofing, we're looking at impersonation, right? I'm pretending to be someone else.
00:38
Well, the mitigation for that is going to be requiring strong authentication.
00:43
I don't just let you log in as an administrator; I make you prove you're an administrator.
00:48
Tampering is modification, unauthorized modification. So we'll use things like message digests and hashes in order to limit the impact of tampering. Repudiation. So I love this. The opposite of repudiation is non-repudiation.
01:07
But the idea behind repudiation is
01:11
we want to make sure that a user can't dispute having sent a message, nor the contents of that message. And if we can guarantee that, we have non-repudiation. One of the best ways that we get non-repudiation is through digital signatures, and we'll talk about some of this in greater depth as we move on.
01:30
All right. Information disclosure: breach of confidentiality.
01:34
Encryption
01:36
is a good solution.
01:37
Denial of service, and we've probably heard of denial of service attacks. The goal with a denial of service attack really isn't
01:45
to steal data or to modify files. It really is just about availability. And the goal of a denial of service attack is to knock your system or server offline, to busy it with bogus requests so that it can't respond to legitimate requests.
02:06
It's all about availability.
02:07
So if availability is the problem, you get high availability through redundancy, eliminating single points of failure, fault tolerance. All right, and then the last is escalation of privilege.
02:20
I'm Kelly Handerhan, a user. But if I can find a way to get administrative rights on my account, then of course I can do a wide variety of actions. So requiring strong authentication and strong authorization are going to be the ways that I bring in
02:38
an assurance against escalation of privilege.
02:39
So ultimately, these are controls, and they're very specific to software development, but it follows along these lines: this is what I'm analyzing when I'm looking at risks associated with software.
02:53
And I want to find out where I'm lacking, and ultimately we're going to move into gap analysis next, which is exactly that. These are the things that I need to consider: what controls are in place, where am I, where do I want to go, and how do I get there?
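The transcript's tampering mitigation ("message digests and hashes") has a practical caveat worth seeing in code: an unkeyed digest only catches accidental corruption, because an attacker who can change the message can recompute the digest too. What actually limits tampering is a keyed integrity check (an HMAC) or a digital signature. The following is an added example written for this page, not course material from the video, using only the Python standard library; the message, the attacker's edit and the attacker's guessed key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for the demonstration (not from the course).
MESSAGE = b"transfer 100 to account 42"


def plain_digest(msg: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(msg).hexdigest()


def keyed_mac(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 tag: cannot be produced without the shared secret key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_plain(msg: bytes, digest: str) -> bool:
    """Receiver-side check of an unkeyed digest."""
    return hmac.compare_digest(plain_digest(msg), digest)


def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    """Receiver-side check of an HMAC tag.

    compare_digest is a constant-time comparison, so the check itself does
    not leak how many leading bytes of the tag were correct.
    """
    return hmac.compare_digest(keyed_mac(key, msg), tag)


def tamper(msg: bytes) -> bytes:
    """Hypothetical attacker edit: redirect the transfer to another account."""
    return msg.replace(b"account 42", b"account 99")


def attack_plain_digest(msg: bytes) -> bool:
    """Attacker edits the message and simply recomputes the unkeyed digest.

    Returns True if the receiver still accepts the tampered message.
    """
    forged = tamper(msg)
    forged_digest = plain_digest(forged)  # no secret is needed to do this
    return verify_plain(forged, forged_digest)


def attack_keyed_mac(key: bytes, msg: bytes) -> bool:
    """Attacker edits the message but does not hold the MAC key.

    The attacker's two realistic options are to reuse the original tag or to
    compute a new tag under a guessed key.  Returns True if either is accepted.
    """
    genuine_tag = keyed_mac(key, msg)        # tag the sender put on the original
    forged = tamper(msg)
    reused = verify_mac(key, forged, genuine_tag)
    guessed = verify_mac(key, forged, keyed_mac(b"attacker-guess", forged))  # hypothetical guess
    return reused or guessed


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared secret between sender and receiver
    print("unkeyed digest accepts tampered message:", attack_plain_digest(MESSAGE))
    print("HMAC accepts tampered message:", attack_keyed_mac(key, MESSAGE))
```

Note the boundary between two of the STRIDE rows: an HMAC gives tamper detection but not non-repudiation, because sender and receiver hold the same key and either of them could have produced the tag. For the repudiation threat the transcript's answer, a digital signature made with a private key only the signer holds, is the right tool; the HMAC above addresses tampering only.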