Use and Misuse Cases

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
>> Hi everybody. In addition to the STRIDE Model, we can also look at creating use and misuse cases. In this case, we start with the user who is ultimately going to try to access an application server. That's their goal. The very first step is that they're going to enter their username and password. Of course, that password serves as authentication.

With that first step, what are the threats here? Well, a big threat is that there is a brute force authentication attempt. A brute force attack is where a hacker could try using every character combination possible to guess the username and password. Or the attacker could just guess the username and password based on what the hacker already knows about usernames at the organization, and common passwords people use. Finally, the hacker could try dictionary attacks. Dictionary attacks involve using a text file with many gigabytes of possible entries, including those that contain special characters. Dictionary attacks have become much more sophisticated over the years since so many users include special characters in their passwords now.

How do we mitigate against these threats? One way we do this is to show a generic error message when the hacker gets the password wrong. We don't provide a specific error message about what was wrong in the failed attempt. Another thing we can do is lock an account after a certain number of failed attempts. That will prevent an automated program from being able to keep running and trying different combinations. Another way to mitigate against these threats is to require users to have passwords that have a minimum length and a certain amount of complexity. Complexity does not always equal security. These days, we recommend that users create longer passwords rather than more complex ones.

This gives you an idea of how a use and misuse case works and how it is used for threat modeling.

>> You could take this same model to look at the case of an individual trying to access a file. You would consider the threats and vulnerabilities and how they could be exploited. Then you would consider the mitigation strategies.

Another way to do threat modeling, which is not shown on this slide, is risk scenarios. This is where you simply list your assets, then list all the things that could threaten those assets. Then you could list the vulnerabilities. Many play the what-if game to consider the scenarios that could threaten your assets. The most important thing is to consistently document your risks so you can figure out how to mitigate them.

To wrap up risk identification, we started off by talking about risk management and reducing residual risk to a level acceptable to senior management. Then we talked about looking at our assets as well as the threats and vulnerabilities and where those come together. That is our risk. The tool we talked about for identifying risk is to use threat modeling. For this, we can use the STRIDE Model or the use and misuse cases, or it can be risk scenarios. The most important thing to remember is that with risk management, you have to start with the risk identification first.