OO Threat Modelling (PPT 8.5) Flashcards


Flashcards in OO Threat Modelling (PPT 8.5) Deck (25):
1

How should we approach security?

-Identify valuable assets
-Look at how it could be compromised
-Look at how to mitigate threats

2

What is threat modelling?

It is a structured approach to address the security of an application

3

Why do we do threat modelling?

-To prevent embarrassing and costly security features
-Raises the profile of security early on (e.g. communication, early and ongoing tests) and can expose problems early
-Deliver better (more secure) products

4

What are some common threats?

-Denial of service
-SQL injection
-Cross-site scripting (XSS)
-Buffer overflows/ memory compromises
-Error-handling
-Spoofing
-Tampering
-Web server config issues
-Infrastructure issues

5

What is Denial of Service?

This is flooding a system with data or requests to slow it down. Can be used as a distraction but often used as a ransom

6

How do we prevent a DoS attack?

-Front end hardware to filter and analyse traffic
-Resource limits/allocations to throttle requests
-Blocking source IP addresses
-SYN cookies (prevents users from leaving a connection half open)

7

What is a SQL Injection?

Injecting malicious code/scripts into a webpage

8

How do we prevent SQL injection attacks?

-Validation
-Don't trust user input
-Validate, don't sanitise
Validate = reject input
Sanitise = remove malicious characters

9

What is Cross Site Scripting?

Injecting malicious code, similar to SQL injection, but it is served up to a legitimate user and may direct them to malicious sites, etc

10

What is a buffer overflow?

Force memory overflows in a running application to crash or compromise it

11

What is poor error handling?

Hackers may force errors on your website; this may cause sensitive information to be displayed which shouldn't be viewed.

12

What are web server config issues?

-Out of date software
-Configuration files storing plain text passwords
-Guest accounts not disabled
-File system not restricted

13

What is spoofing?

When something is pretending to be something else, e.g. fake website
Could be
-user
-website
-files

14

How do we prevent spoofing?

Users
-Authentication and validation and strong password policies
-Careful management of session IDs and cookies

URL
-Check security certificates

Files
-Check file signatures and timestamps
-Check privileges

15

What is Information Disclosure?

Sensitive data passing over a network in plain text or stored in plain text or error messages revealing data

16

What is an Insider threat?

This is when a person who is hired compromises the system in some way

17

How can we avoid insider threats?

-Have proper recruitment processes
-Avoid complacency
-Monitor employee morale
-Monitor
-Logging
-Auditing
-Identifying behaviours

18

What are abuse and misuse cases?

They are a way of identifying threats by looking at ways an unscrupulous actor may choose to harm the system

19

What is Microsoft SDL?

Microsoft Security Development Lifecycle
It is a way of approaching threat modelling
Three stages are
-Decompose the application
-Determine and rank threats
-Determine countermeasures and mitigation

20

What does the decompose the application stage do?

-identify entities, processes, data stores and data flows between them
-identify trust boundaries

21

What does the determine and rank threats stage do?

-Use STRIDE to determine threats

22

What is Tampering?

-Modifying something you are not supposed to modify
-Countered by: encryption, validation, digital signatures, privileges

23

What is Repudiation?

-Being able to claim you didn't do something, leaving no trace of activities
-Countermeasures: logs and time stamps

24

What is Elevation of privilege?

-Gaining access to things you shouldn't have
-Counter: disable guest accounts, file access privileges, enforcement of user account policies, adopt a least privilege policy

25

What does STRIDE stand for?

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of service
Elevation of privilege