6076 Classification and Prioritization

Explain what STRIDE is in the threat classification system

**STRIDE:**
is a threat modeling framework used to identify and classify the different types of security threats a system faces.


- S - Spoofing of identity

- T - Tampering with data

- R - Repudiation (denying involvement in an action)

- I - Information disclosure

- D - Denial of service

- E - Elevation of privilege


It helps developers and security professionals analyze and address potential threats during the design phase of software development.




In summary, STRIDE is a threat modeling framework that sorts threats into six categories so that each can be paired with a mitigation.

What is CWE (Common Weakness Enumeration) in the threat classification system?

**CWE (Common Weakness Enumeration):**
is a community-driven list of common software and hardware weaknesses, maintained by MITRE.


A formal list of weaknesses


A generic flaw (a type of mistake, not one specific bug) that can lead to a unique vulnerability or exposure


It provides a common language for identifying, mitigating, and preventing security vulnerabilities.


- **Purpose:** CWE helps developers, testers, and security professionals communicate about security issues and establish a baseline for improving software security.



In summary, CWE identifies and names the types of weaknesses found in software and hardware.

What is the Common Vulnerability Scoring System (CVSS) in the threat classification system?

**CVSS (Common Vulnerability Scoring System):**
is a framework for rating the severity of security vulnerabilities.


It provides a standardized method to assess and communicate the characteristics of vulnerabilities.


- **Purpose:** CVSS scores help organizations prioritize and respond to security vulnerabilities based on factors such as exploitability and impact (the base metrics) and, in the temporal metrics, the maturity of available exploit code and the availability of a remediation.



In summary, CVSS offers a scoring system for assessing the severity of vulnerabilities.

What is Common Vulnerabilities and Exposures (CVE) in the threat classification system?

**CVE (Common Vulnerabilities and Exposures):**
is a dictionary of publicly known information security vulnerabilities and exposures.


Each entry is a unique instance of a weakness (flaw) that can be used to gain access to a system or network


• Entry contents: Each CVE entry includes a unique identifier (CVE-<year>-<sequence number>), a description of the vulnerability, and references for further information.


It facilitates the sharing of data across separate vulnerability databases and security tools.




In summary, CVE provides a standardized naming system for vulnerabilities.

In order to be considered a vulnerability, what 4 conditions (at least one of which must hold) define the flaw?

It must allow an attacker to do at least one of the following:

▪ Execute commands as another user

▪ Access data that is contrary to the specified access restrictions

▪ Pose as another entity

▪ Conduct a denial of service (DoS) attack

What is an exposure in terms of network security?

An exposure is a configuration issue or mistake in software that allows access to information or capabilities that an attacker can use as a stepping-stone into a system or network

▪ It doesn't directly allow compromise, but could be an important component of an attack

▪ It can be considered a violation of a reasonable security policy

▪ It is a primary point of entry that an attacker may attempt to use to gain access to the system or data

▪ It allows an attacker to conduct information-gathering activities

▪ It allows an attacker to hide their activities

What is Common Platform Enumeration (CPE)?

Common Platform Enumeration (CPE) is a standardized method for describing and identifying software, hardware, and operating systems in a consistent and structured way.


It provides a common language for specifying product names, versions, and other attributes, making it easier for security professionals, vendors, and systems administrators to communicate about specific IT entities.


CPE is typically used alongside the Common Vulnerabilities and Exposures (CVE) system: a CVE record lists the affected products as CPE names, so a vulnerability can be matched against an inventory of platforms and one product is not confused with a similarly named one.
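Added example, not from the original flashcards: a small parser and matcher for CPE 2.3 formatted strings in Python, applied to a constructed host inventory (the vendor and product names are made up for illustration, and the matching rule for unrecorded attributes is an assumption chosen for this example). It shows why the platform field matters: a vulnerable-configuration CPE only lines up with inventory entries whose attributes match.

```python
# Attribute names of a CPE 2.3 formatted string, in the order they appear
# after the "cpe:2.3:" prefix (CPE Naming Specification 2.3).
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes.
    A colon inside a value is escaped as '\\:', so a plain split(':') would
    break such names; this walks the string and splits only on unescaped colons."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields, current, i = [], [], len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if len(fields) != len(CPE_ATTRS):
        raise ValueError(f"expected {len(CPE_ATTRS)} attributes, got {len(fields)}")
    return dict(zip(CPE_ATTRS, fields))


def cpe_matches(pattern: str, target: str) -> bool:
    """True when every attribute of `pattern` matches the same attribute of `target`.
    '*' (ANY) in the pattern matches any value; otherwise values must be equal,
    case-insensitively. Assumption for this example: an unrecorded ('*') attribute
    in the target also counts as a match, so hosts with incomplete inventory data
    get flagged for review rather than silently skipped."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[a] == "*" or t[a] == "*" or p[a].lower() == t[a].lower()
               for a in CPE_ATTRS)


# Constructed host inventory for illustration; vendor/product names are made up.
INVENTORY = {
    "web-01": ["cpe:2.3:a:examplecorp:webapp:1.2.3:*:*:*:*:*:*:*",
               "cpe:2.3:o:exampleos:server:2020:*:*:*:*:*:*:*"],
    "web-02": ["cpe:2.3:a:examplecorp:webapp:1.3.0:*:*:*:*:*:*:*"],
    "db-01":  ["cpe:2.3:a:exampledb:database:9.1:*:*:*:*:*:*:*"],
    "legacy": ["cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*"],   # version never recorded
}


def affected_hosts(vulnerable_cpe: str, inventory: dict = INVENTORY) -> list:
    """Hosts with at least one installed product matched by the vulnerable-configuration CPE."""
    return sorted(host for host, cpes in inventory.items()
                  if any(cpe_matches(vulnerable_cpe, c) for c in cpes))


if __name__ == "__main__":
    vuln = "cpe:2.3:a:examplecorp:webapp:1.2.3:*:*:*:*:*:*:*"
    print("affected by", vuln, "->", affected_hosts(vuln))
```

The escaped-colon handling is the part people usually get wrong when they split CPE strings by hand; the parser keeps the escape pair in the value so a later comparison against another CPE string sees the same bytes.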

What is the relationship between CWE and CVE?

A Common Weakness Enumeration (CWE) entry will have many CVEs
▪ Common Vulnerabilities and Exposures (CVE) entries each relate to a specific vulnerability under the same CWE umbrella (the CWE names the type of flaw, the CVE names one occurrence of it in a particular product)

▪ Common Platform Enumeration (CPE) names are there to ensure the correct platform (product and version) is listed in the CVE information

STRIDE is a threat classification system developed by Microsoft; explain the acronym

Spoofing Vulnerabilities
▪ Allows an attacker to impersonate another user


Tampering Vulnerabilities

▪ Involves an attacker changing data they shouldn’t have access to


Repudiation Vulnerabilities

▪ Allows the attacker to deny they performed a given action

▪ Who did the damage?


Information Disclosure Vulnerabilities

▪ Involves an attacker being able to read data they shouldn’t have access to


Denial of Service Vulnerabilities

▪ Prevents valid users from accessing the application


Elevation of Privilege Vulnerabilities

▪ Allows attackers to perform actions they shouldn’t be able to perform

▪ Actions with higher privileges, such as those of an administrator

Explain the severity ratings of the Common Vulnerability Scoring System

Severity Ratings (CVSS v3.x qualitative scale):
▪ None (0.0)

▪ Low (0.1-3.9)

▪ Medium (4.0-6.9)

▪ High (7.0-8.9)

▪ Critical (9.0-10.0)

Note that CVSS v2 used only three bands, Low (0.0-3.9), Medium (4.0-6.9) and High (7.0-10.0), so the CVSS version matters when comparing scores.

What is the Open Web Application Security Project (OWASP)?

It is a not-for-profit charitable organization

The purpose of the Open Web Application Security Project (OWASP) is to improve the security of software. It provides resources, tools, and guidelines to help organizations develop and maintain secure web applications, identifying and addressing common security risks and vulnerabilities.

Are firewalls alone a very effective defence against attackers?

Firewalls alone are an ineffective defense against attacks on web applications: the attack traffic arrives on the same HTTP/HTTPS ports that the firewall must leave open for the application to work

Most companies spend far more resources on network defense than on building or configuring their web applications properly

According to OWASP, list the 10 most critical web application security risks (the OWASP Top 10, 2017 edition)

A1: Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.


The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.


A2:Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.


A3:Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII.


Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.


A4:XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.



A5:Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.


A6:Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.


Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.


A7:Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


A8: Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.


A9:Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.


A10:Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

List the 4 factors OWASP uses to estimate the likelihood of a web application security risk

Threat Agents
Where will these attacks originate?


Exploitability

How easy is it to perform the attack?


Weakness Prevalence

How Common is the weakness?


Weakness Detectability

How easy is it to detect the weakness?

List the 5 levels of technical skill which threat agents may possess (from most to least capable)

▪ Security penetration skills
▪ Network and programming skills

▪ Advanced computer user

▪ Some technical skills

▪ No technical skills

List the 3 levels of motive (reward) that drive threat agents

Low or no reward
Possible reward

High reward

What levels of resources and opportunity are required for threat agents to find and exploit vulnerabilities?

Full access or expensive resources required
Special access or resources required

Some access or resources required

No access or resources required

List the 6 categories of people who can be part of the threat agent group

▪ Developers
▪ System administrators

▪ Intranet users

▪ Partners

▪ Authenticated users

▪ Anonymous Internet users

list 4 technical impacts of web application security risks

Technical impact looks at how severe the attack will be on the infrastructure and data:

Loss of confidentiality

▪ How much data could be disclosed and how sensitive is it


Loss of integrity

▪ How much data could be corrupted and how damaged is it


Loss of availability

▪ How much service could be lost and how vital is it


Loss of accountability

▪ Are the threat agents' actions traceable to an individual

list 4 business impact of web application security risks

Financial damage
▪ How much financial damage will result from an exploit


Reputation damage

▪ Would an exploit result in reputation damage that would harm the business


Non-compliance

▪ How much exposure does non-compliance introduce


Privacy violation


▪ How much personally identifiable information could be disclosed

List and explain the 3 primary defense approaches for web application security issues

Input Validation
▪ Never trust the user


Access / Attack Surface Reduction

▪ Don't give users access to functionality they don't need

▪ Don't enable functionality that isn't needed


Classification and Prioritization of Threats

▪ Know which risks are most relevant to your organization and focus your attention on them

Explain the 2 primary types of input validation

Blacklist (denylist) Validation
▪ Involves listing out all the input that should not come from a user, then blocking it


Whitelist (allowlist) Validation

▪ Involves listing out the input that should come from a user, then allowing only that

List the challenges which are associated with blacklisting

It is extremely difficult to anticipate everything that should be blocked, especially when you take character encoding and case into account; unless input is canonicalized (decoded and case-folded) before the check, every variant has to be listed separately

All the following inputs reference the same page:

▪ my page.html

▪ My Page.html

▪ MY PAGE.html

▪ my%20PAGE.html


What are some of the difficulties associated with whitelist validation?

You need to make sure you have whitelisted every potentially valid input

Not all valid inputs are easy to define

▪ Usernames, email addresses, etc.


Regular expressions can be used to handle more complicated input validation

▪ They can be difficult to write

▪ You can use tools such as RegexBuddy or RegexMagic
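Added example (not from the original page) that covers both the blacklisting challenge and the whitelist difficulties above: a Python denylist check that encoded and case-changed variants slip past, a canonicalization step that makes the four spellings of "my page.html" compare equal, and allowlist regexes for a filename and a username. The regex patterns are illustrative choices for this example, not a standard.

```python
import re
from urllib.parse import unquote

# Denylist approach: enumerate what must not appear. Each entry is a literal
# substring, so a case change or percent-encoding of one character defeats it.
DENYLIST = ("../", "<script")


def denylist_check(value: str) -> bool:
    """True if the raw input contains none of the banned substrings."""
    return not any(bad in value for bad in DENYLIST)


def canonicalize(value: str) -> str:
    """Reduce the many spellings of one input to a single form before any
    comparison: percent-decode once, then fold case. Anything still containing
    '%' afterwards was double-encoded and is left for the allowlist to reject."""
    return unquote(value).lower()


def same_resource(variants: list) -> bool:
    """True if every variant canonicalizes to the same string."""
    return len({canonicalize(v) for v in variants}) == 1


# Allowlist approach: describe exactly what valid input looks like.
# Illustrative patterns chosen for this example.
FILENAME_RE = re.compile(r"[a-z0-9][a-z0-9 _-]{0,63}\.html")
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_filename(value: str) -> bool:
    """Accept only a simple .html page name, checked after canonicalization
    so 'my%20PAGE.html' and 'my page.html' get the same verdict."""
    return FILENAME_RE.fullmatch(canonicalize(value)) is not None


def allowlist_username(value: str) -> bool:
    """Accept only lowercase usernames of 3-32 characters starting with a letter."""
    return USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    spellings = ["my page.html", "My Page.html", "MY PAGE.html", "my%20PAGE.html"]
    print("all one page:", same_resource(spellings))
    for probe in ("../etc/passwd", "..%2Fetc%2Fpasswd", "<SCRIPT>alert(1)</SCRIPT>"):
        print(f"{probe:28} denylist passes={denylist_check(probe)!s:5} "
              f"allowlist passes={allowlist_filename(probe)}")
```

The second and third probes show the blacklisting problem from the card: the denylist passes them because the bytes differ from the listed strings, while the allowlist rejects them without ever having heard of path traversal or script tags. Note that canonicalize decodes exactly once on purpose: decoding in a loop would turn "%2525" into "%" and reopen the same ambiguity the step is meant to close.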

Explain the term Attack Surface Reduction

Attack Surface Reduction involves controlling the code and functionality users can access
▪ If a user doesn't need access to a feature, don't give it to them

▪ You can allow users to opt into additional functionality as they need it


A non-web-application example of this is current versions of Windows Server

▪ You add roles and features as needed

Explain the purpose of logging and detection

There should be a central log server in place, so that logs survive the compromise of the host that produced them and can be correlated across systems

The logs of the following must be reviewed for suspicious activity:

-- Network Intrusion Detection Systems

-- Firewall / Network Security Appliance

-- Host-Based Intrusion Detection Systems

-- OSSEC: an open-source host-based intrusion detection system that performs log analysis, file integrity monitoring, rootkit detection and active response to detect suspicious or malicious activity on a host


Logs must be kept for a minimum of 90 days (a common baseline; PCI DSS, for example, requires at least three months immediately available for analysis and one year retained)
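Added example (not from the page): Python that parses a few constructed web-server access-log lines (combined-log style, using RFC 5737 documentation IP ranges) and applies two of the checks a log review would run: attack payloads in the percent-decoded request path, and repeated authentication failures from one source address inside a short window. The signatures, the 5-failures-per-60-seconds threshold and the sample lines are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines (combined-log style, RFC 5737 documentation IPs);
# not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.9 - - [10/Mar/2024:10:01:10 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2024:10:01:15 +0000] "GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 64
198.51.100.9 - - [10/Mar/2024:10:01:20 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

# Illustrative payload signatures, applied to the percent-decoded path so that
# encoded variants ('..%2F', %27 for a quote) do not slip past.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s*'?\d+'?\s*=\s*'?\d+)"),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script"),
}


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not parse are skipped here,
    though a real review should count them, since tampering often shows up as
    malformed or missing entries."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["path_decoded"] = unquote(ev["path"])
        events.append(ev)
    return events


def flag_payloads(events: list) -> list:
    """(ip, signature, decoded path) for every request matching a payload signature."""
    return [(ev["ip"], name, ev["path_decoded"])
            for ev in events
            for name, pat in ATTACK_PATTERNS.items()
            if pat.search(ev["path_decoded"])]


def flag_bruteforce(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """IPs with >= threshold 401/403 responses inside any window_s-second span
    (sliding window over the sorted failure timestamps per source address)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["status"] in (401, 403):
            failures[ev["ip"]].append(ev["ts"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("parsed events :", len(evs))
    print("payload hits  :", flag_payloads(evs))
    print("brute force   :", flag_bruteforce(evs))
```

Both checks only work because the records are all in one place with synchronized timestamps: the brute-force window is meaningless across hosts with skewed clocks, and the payload search would miss the attacker who spread the same probes over several front-end servers if each kept its own log.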
