Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
Training People on Threat Modeling
Adam Shostack here. Blogger Ian Grigg has an interesting response to my threat modeling blog series, and I wanted to respond to it. In particular, Ian says “I then would prefer to see the threat – property matrix this way:”
I wanted to share an additional table from our training, and talk about repudiation a bit more.
Actually, I’d like to repudiate the term “repudiation.” It’s an awful name that most people never run into in day-to-day life. It doesn’t hit the simplification bar the way say, “denial,” would. Unfortunately, STDIDE (Spoofing, Tampering, Denial, Information Disclosure, Denial of Service, Elevation of Privilege) doesn’t make a very memorable acronym. Memorable is important when training people. Our reviewers have raised this as an issue, and ’d love to get feedback from our readers. How can we ensure that the software we build has the right level of logging and audit-ability? What evocative words can we use, and can you help us come up with a word or phrase that starts with R? Let us know!
And then, here’s the chart:
| Threat | Property | Definition | Example |
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of billg, microsoft.com or ntdll.dll |
| Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the LAN. |
| Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!” |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site. |
| Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |
(Ian’s post is here https://financialcryptography.com/mt/archives/001013.html . IE users will see a warning about certificate authorities when visiting this site. As I wrote this, Gunnar Peterson added commentary at “Threats, Mechanisms and Standards.”)
Related Posts
-
-
Why endpoint management is key to securing an AI-powered future
With the coming wave of AI, this is precisely the time for organizations to prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible and make your organization more secure and productive for years to come.
-
Cyber Signals: Shifting tactics fuel surge in business email compromise
Business email operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.
-
Microsoft Security highlights from RSA Conference 2023
At RSA Conference April 24 to 26, 2023, Microsoft Security shared solution news and insights. Watch Vasu Jakkal’s keynote on-demand (video courtesy of RSA conference).