<!-- BEGIN HEADER -->
<!DOCTYPE html>
<html>
<head>
<title>Introduction to Cyber Security</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="/assets/css/mooc-icon/style.css"/>
<link rel="stylesheet" href="/assets/css/csa.css"/>
<link rel="stylesheet" href="/assets/css/csa-mooc.css"/>
</head>
<body>
<!-- BEGIN NAV -->
<header role="navigation">
<h1>
<a href="http://mooc.fi" alt="MOOC" target="_blank">
<span class="icon-mooc"></span>
</a>
<button type="button" data-toggle="collapse" data-target=".bs-navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</h1>
<nav class="collapse bs-navbar-collapse" role="navigation">
<ul>
<li>
<a href="#" class="table-of-contents-trigger">
Table of contents
</a>
</li>
</ul>
<ul class="pull-right side-nav">
<li>
<a href="#" class="login-trigger">
Log in
</a>
</li>
</ul>
</nav>
</header>
<!-- // END NAV -->
<article>
<!-- END HEADER -->
<!-- BEGIN CONTENT -->
<section class="no-toc weeklimit hidden" data-week-id="0">
<h1>Assignments</h1>
<ul class="nav nav-pills nav-pills-fixed-width nav-pills--no-border" id="assignments-toc"></ul>
</section>
<!-- END CONTENT -->
<!-- BEGIN INTRODUCTION -->
<section class="weeklimit" data-week-id="1">
<aside class="warning">
<br />
<h1>How to pass the course</h1>
<p>In order to pass the course you will need to submit all the essays and give at least 3 peer reviews for each essay.
You will also need to pass all the multiple choice questions.
</p>
<p>
Essays must be within 20% of the proposed length. If they are not within this limit, you will not get any points for your answer.
We may also reject your answer if it is flagged too many times as spam or if it does not contain deep enough discussion, and we may reject your peer reviews if you have not put genuine effort into them.</p>
<p>If you want ECTS credits you will need to register here AFTER completing the course:
<a href="https://cyber-points.mooc.fi">https://cyber-points.mooc.fi</a>
</p>
<p>The course has been graded; see the results here: <a href="https://cyber-points.mooc.fi">https://cyber-points.mooc.fi</a></p>
</aside>
<aside class="info">
<br/>
<h1>How to get started?</h1>
<p>This material contains the introduction part of the course series called "Cyber Security Base with F-Secure". In order to answer the questionnaires and essays, you will need a MOOC.fi account that you can create at <a href="https://tmc.mooc.fi/user/new" target="_blank" onclick="trackOutbound('https://tmc.mooc.fi/user/new'); return false;">https://tmc.mooc.fi/user/new</a>. Once you've signed up, you can log in to this page (click on the top right corner).</p>
<p>Once you have created the account, please answer a background questionnaire at <a href="https://elomake.helsinki.fi/lomakkeet/74256/lomake.html" target="_blank">https://elomake.helsinki.fi/lomakkeet/74256/lomake.html</a>. Answering the questionnaire should take less than 10 minutes and will be very valuable for the research conducted on this course.</p>
<p>When answering the short essay questions in this course, please answer them carefully and with thought. Other participants in the course will review them and may give you feedback.</p>
</aside>
<header>
<h1 id="part-intro">Introduction to Cyber Security</h1>
</header>
<p>Cyber security can be seen as a group of defensive processes, technologies, and practices that are specifically designed to protect internet-connected machines, and more specifically the <em>software</em> on those machines. Conventional approaches to cyber defense are firewalls, authentication tools, and network software that monitors, tracks, and blocks viruses and other malicious cyber attacks. These methods create a protective shield around the infrastructure. However, threats arise from vulnerabilities in applications, which in turn are caused by bugs in the design and implementation of software and networks.
Fixes have been and are being developed to protect systems from these threats, but attackers continuously exploit newly discovered flaws. The attack landscape constantly produces new threats, which means that building your protection only against already discovered attacks is simply not going to be enough. New methodologies are also required to discover embedded and lurking intrusions, so that a more reliable security infrastructure can be taken into use. Machine learning and data mining play significant roles in the future of cyber security.</p>
<p>It is safe to say that software is everywhere, and it needs to be secure. Security can be hard to achieve, but many methodologies for securing systems exist today. All try to answer the same fundamental set of questions.</p>
<ul>
<li>What is being protected?</li>
<li>Are there any known threats and vulnerabilities?</li>
<li>What are the impacts to the organization if the data is lost or leaked?</li>
<li>What is the value of the data to the organization?</li>
<li>What can be done to mitigate the risks?</li>
</ul>
<p><em>Asset, threat, vulnerability,</em> and <em>exploit</em> are the most commonly-used terms in the cyber security lingo. Depending on the literature some of these terms overlap and are sometimes used synonymously.</p>
<ul>
<li>An <em>asset</em> is what is being protected, something that has value to its owner. Its value can be tangible (e.g. gold or a running server) or intangible (e.g. data).</li>
<li>A <em>threat</em> is a potential cause of damage. For cyber security this can be defined as a hostile act aimed at an asset by an attacker. Even if the actor has no intention of doing harm, a threat is still a threat. The party posing a threat is commonly called a <em>threat actor</em>.</li>
<li>A <em>vulnerability</em> is a defect in the target system. This defect may be a bug in application code or a flaw in the design of the system. A vulnerability can also be a consequence of improper configuration or user action.</li>
<li>An <em>exploit</em> is a way to take advantage of a known vulnerability. The usual objective is to take control of the asset. (Social engineering, commonly considered a simple scam, is one kind of exploit.)</li>
</ul>
<aside class="info">
<br/>
<h1>The risk</h1>
<p>One cannot build a perfect defence system against all threats. The question is what amount of risk is acceptable given the cost of mitigating the threats. If more effort is put into protection, there will be less risk to tolerate. The risk can be minimized but not removed completely!</p>
</aside>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b3c"></div>
<h1>What is Cyber Security and Why Should We Care About it?</h1>
<p>Software is literally everywhere. Initially software resided on mainframes and only a few people were in contact with it. Somewhat later the personal computer was invented and, thanks to its popularity, software moved into our homes. (That said, home software was still isolated, and an attacker would have needed physical access to the target.)</p>
<p>Then the Internet arrived and began globally connecting personal computers. The Internet is incredibly useful to non-attackers, but it made things easier for attackers as they no longer needed to physically visit their targets. The evolution of computers kept rolling on, and one day we were introduced to cellular phones and eventually smartphones, which are basically small-scale computers with wireless connectivity.</p>
<p>Currently we are on the brink of the Internet of Things, which promises to connect every device to the Internet. For example, we have smart TVs, smart locks, smart cars, and smart toasters. The software ranges from large, such as the operating system, to small, such as a USB driver.</p>
<p>There is going to be an explosion in the number of devices needing software. It has been said that by the year 2020 there will be 50 billion connections and devices. This poses a growing need for code and software developers, who will have great pressure to write both functional and secure code in a limited timeframe. Developers may face unrealistic time pressure to rush code to production.</p>
<aside class="info">
<br/>
<h1>What about the number 50?</h1>
<p>The 50 billion figure now looks like an overestimate, and it seems that it is not going to be reached by 2020. Still, the number of devices is staggering.</p>
<p><em>“I think people do tend to latch onto numbers that seem really hard to fathom,” he says. “Fifty billion is pretty staggering.”</em> - Dave Evans, <a href="https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated" target="_blank" onclick="trackOutbound('https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated'); return false;">Popular Internet of Things Forecast of 50 billion devices by 2020 is Outdated.</a>
</p>
</aside>
<p>In addition to the growing need for more code, the code base has become more complex. Every machine is connected and larger systems are now distributed. Different parts of a system may be developed by different vendors, but need to interoperate. Moreover, most current systems are built on software frameworks, which enlarge the code footprint of even small applications, and/or are extensible via plugins and add-ons.</p>
<p>Combining the connectivity, complexity, and extensibility of the software, we get a comfortably sized attack surface for the attacker. It is perhaps not surprising, therefore, that the number of vulnerabilities in software has steadily risen over the years. Vulnerabilities and their statistics can be queried from the National Vulnerability Database and from the Common Vulnerabilities and Exposures list (<a href="https://web.nvd.nist.gov/view/vuln/statistics" target="_blank" onclick="trackOutbound('https://web.nvd.nist.gov/view/vuln/statistics'); return false;">NVD statistics query page</a> and <a href="http://cve.mitre.org/cve/cve.html" target="_blank" onclick="trackOutbound('http://cve.mitre.org/cve/cve.html'); return false;">CVE</a>). </p>
<p>Attacking will remain easier than defending as long as the attacker can choose a single place to attack while the defender has to defend everywhere. With a thorough security analysis, however, many of the obvious vulnerabilities, in other words the low-hanging fruit, can be found. This doesn't necessarily make a system totally secure, but it does make the system able to withstand attempts by unskilled attackers and automated attacks.</p>
<aside class="info">
<br/>
<h1>Vulnerabilities are hard to find</h1>
<p>Even when a piece of software, or the protocol it implements, has reached a mature phase, it may still hold surprises. Below are some examples of "recent" vulnerabilities found in well-known and widely used pieces of software.</p>
<ul>
<li><a href="https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat" target="_blank" onclick="trackOutbound('https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat'); return false;">Beast</a></li>
<li><a href="http://www.codenomicon.com/news/pressrelease/2014/04/09/codenomicon_advising_internet_community_on_serious_internet_vulnerability_dubbed_heartbleed.html" target="_blank" onclick="trackOutbound('http://www.codenomicon.com/news/pressrelease/2014/04/09/codenomicon_advising_internet_community_on_serious_internet_vulnerability_dubbed_heartbleed.html'); return false;">Heartbleed</a></li>
<li><a href="http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/" target="_blank" onclick="trackOutbound('http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/'); return false;">Heist</a></li>
<li><a href="https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/" target="_blank" onclick="trackOutbound('https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/'); return false;">Krack</a></li>
</ul>
</aside>
<p>The world is changing and cyber security is a rapidly-growing global issue. Adversaries come in many shapes and sizes, ranging from script kiddies to foreign governments to organized crime. Regardless of the adversary, all have easy access to very sophisticated and powerful technologies. Moreover, some attacks are so sneaky that they become evident only after the attack has happened.</p>
<p>Attacks can result in much mayhem and harm, with significant monetary losses, but the business impact of a security breach can be difficult to quantify. This is an area where it is hard to reach definitive and representative figures or findings. At least one study, however, from <a href="https://www.oxfordeconomics.com/my-oxford/projects/276032" target="_blank" onclick="trackOutbound('https://www.oxfordeconomics.com/my-oxford/projects/276032'); return false;">Oxford Economics</a>, provides a set of findings based on surveys and case studies. Those findings show that cyber attacks do indeed have a major business impact on their victims.</p>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b3d"></div>
<p>The job of a vulnerability researcher is to come up with recommendations for minimizing the risk to an organization. The tasks of protecting enterprise systems and data include establishing policies, practices and tools that lower the risk of illicit behaviour. The technical security assessments performed by vulnerability researchers include the identification of vulnerabilities, misconfigurations, and weaknesses.</p>
<aside class="info">
<br/>
<h1>TED - a source of infinite goodness</h1>
<p>Watch Dan Cornell's talk <a href="https://www.youtube.com/watch?v=fi44mL7mcq0" target="_blank" onclick="trackOutbound('https://www.youtube.com/watch?v=fi44mL7mcq0'); return false;">It's all about the coders</a></p>
<p>Watch Paul Carugati's talk <a href="https://www.youtube.com/watch?v=knLDY7hRm5I" target="_blank" onclick="trackOutbound('https://www.youtube.com/watch?v=knLDY7hRm5I'); return false;">Cyber Self-Defense</a></p>
<p>Watch James Lyne's talk <a href="https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it?language=en" target="_blank" onclick="trackOutbound('https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it?language=en'); return false;">"Everyday cybercrime -- and what you can do about it"</a> on TEDTv.</p>
</aside>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b3e"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b3f"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b48"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b4c"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b49"></div>
<h2>Media Reports only the Tip of the Iceberg</h2>
<p>Security-related news has become more and more common. Media reports about breaches are no longer minor items buried in miscellaneous news, but prominent front-page material. Everything from baby monitors to security cameras, from cars to luxury yachts, has been targeted and hacked. The threats news agencies talk about have become more complex and more professional. Stolen password lists have become sought-after merchandise, and news about targeted ransomware attacks has been seen at an unprecedented rate. This reveals the grim truth that our lives online, and by extension our lives offline, have become an easy way for criminals to make money, and that this threat affects all industries, countries, and social spaces.</p>
<p>Although the media is beginning to take breach news seriously, and studies such as the <a href="http://www.crimesurvey.co.uk/" target="_blank">Crime Survey for England and Wales</a> from the Office for National Statistics show that the frequency of incidents is increasing, it is still commonly believed that cyber crime is an underreported area of illegality.</p>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b40"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b41"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b4a"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b4b"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b42"></div>
<p>The above conveys a bleak picture of the current state of things. At the same time, however, governments, organizations, corporations and institutions are funnelling more and more money, research and effort into improving the situation.</p>
<aside class="info">
<br/>
<h1>Additional links to breach news</h1>
<ul>
<li><a href="http://www.telegraph.co.uk/news/2016/05/04/millions-of-email-accounts-compromised--in-massive-data-breach-t/" target="_blank" onclick="trackOutbound('http://www.telegraph.co.uk/news/2016/05/04/millions-of-email-accounts-compromised--in-massive-data-breach-t/'); return false;">"Millions of email accounts compromised in massive data breach that includes Google and Yahoo"</a></li>
<li><a href="http://www.telegraph.co.uk/technology/internet-security/11788184/Android-security-breach-puts-millions-at-risk-of-smartphone-hijacking.html" target="_blank" onclick="trackOutbound('http://www.telegraph.co.uk/technology/internet-security/11788184/Android-security-breach-puts-millions-at-risk-of-smartphone-hijacking.html'); return false;">"Android security breach puts millions at risk of smartphone hijacking"</a></li>
<li><a href="http://money.cnn.com/2016/08/05/technology/ransomware-study-malwarebytes-hackers/" target="_blank" onclick="trackOutbound('http://money.cnn.com/2016/08/05/technology/ransomware-study-malwarebytes-hackers/'); return false;">"Ransomware hackers are targeting U.S. execs"</a></li>
<li><a href="https://www.wired.com/2014/04/hikvision" target="_blank" onclick="trackOutbound('https://www.wired.com/2014/04/hikvision'); return false;">"Hackers Turn Security Camera DVRs Into Bitcoin Miners"</a></li>
</ul>
</aside>
<h2>Cyber Security Is Not Only A Tech Problem</h2>
<p>The news of security breaches is full of reports of hackers using their own radio setups to wreak havoc, such as the misdirection of yachts or the reprogramming of the firmware of a USB device to hide malicious code. News reports have a tendency to sound technical when trying to explain the root cause of an exploited vulnerability. Security is multidisciplinary, however, in the sense that effective security comes from understanding the vulnerabilities that may come from the physical environment, from the technology, or from the human element in the mix. Threats from the physical environment may include fires, natural disasters, theft of computing resources, or exposed cables. Technical threats are what this course considers in more detail, but it bears remembering that there is a strong human element in cyber security. The best security safeguards in the world count for very little in the following situations:</p>
<ul>
<li>A bank employee accidentally emails a file of bank details to the wrong address.</li>
<li>A corporate employee copies a set of sensitive documents to a memory stick, which is then stolen.</li>
<li>A company-supplied portable device such as a phone, laptop, or tablet holds sensitive data and is stolen, or accidentally left behind in a public place by the employee to whom it is assigned. (It is surprisingly common for people to forget laptops on planes, in coffee houses, etc. Encrypting devices and enforcing a policy of hard-to-crack passwords goes a long way towards protecting against data theft in such circumstances, but strong passwords are hard for humans to remember.)</li>
<li>Company staff use their private email addresses--which may or may not be protected--for corporate communication.</li>
<li>Staff receive attachments that are dubious and open them, or visit a dangerous website and are the target of a drive-by download of a malicious piece of code.</li>
<li>Staff discuss a work-related matter in social media, or publish a photo of the workplace, which then leaks to the wrong people due to improper privacy settings.</li>
<li>...all of the above by a very disgruntled employee doing it on purpose.</li>
</ul>
<p>It is evident, from the list above, that human actions in the office are potential threats, but threats that can be mitigated by educating staff and providing knowledge about correct cyber security procedures. Care must be taken in communicating proper procedures as the audience is broad and may or may not be technically aware.</p>
<p>In short, cyber security is everyone's business. Designers and implementers build systems that have no holes (well, as few as possible), operations staff build and maintain secure networks, administrators keep systems properly updated and configured, users should prefer secure software, and executives should make early investments in security.</p>
<aside class="info">
<br/>
<h1>Physical attacks</h1>
<p>Let's not forget the building and the doors. Here is a talk by Deviant Ollam titled <a href="https://www.youtube.com/watch?v=rnmcRTnTNC8">I'll Let Myself In: Tactics of Physical Pen Testers</a> showing some common problems with doors.</p>
</aside>
<h2>Responsibilities and Liabilities</h2>
<p>This course will not delve deeply into the law, but note that companies and corporations have responsibilities and liabilities for the data they gather. Most have made a commitment, whether legally enforceable or not, to treat data gathered with the utmost care. In addition, laws and regulations govern the way these entities must secure their data and dictate the correct procedure to follow after a breach has occurred.</p>
<p>For example, the General Data Protection Regulation (GDPR) (Regulation (EU) <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1" target="_blank" onclick="trackOutbound('http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1'); return false;">2016/679</a>) unifies and simplifies the rules for data protection within the European Union. The GDPR replaces the earlier data protection directive in this area, and has as its main objective giving people control over their personal data. Furthermore, the regulation covers matters such as the export of personal data outside the EU, sanctions for non-compliant parties, the right to erasure, and the data breach reporting procedure. The regulation has applied since the 25th of May, 2018.</p>
<p>The GDPR provides the first economic grounds for data protection: just as environmental regulations have internalized the cost of environmental damage into production, we may see the same happening with data protection. Insurance companies have also noticed the GDPR and have introduced various types of cyber security insurance that cover some of the costs caused by a breach (for example a loss of profit).</p>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b43"></div>
<p>However, the law is for the law-abiding; for a criminal it is just a deterrent. The Internet provides anonymity and distances the attacker from the victim, making it easier to step into the world of crime via the Internet. The commission of crimes via the Internet is commonly, if loosely, known as <i>hacking</i>. (When discussing hacking we do have to mention <i>ethical hacking</i>. An ethical hacker, like their criminal counterpart, is an expert who tries to penetrate a computer system, but the ethical hacker does so with permission from the system owner in order to reveal security vulnerabilities that malicious actors could potentially exploit.)</p>
<aside class="info">
<br/>
<p>TL;DR Breaking into computers is illegal, use common sense.</p>
<p>This information is provided for educational purposes and not for causing malicious or damaging attacks. Again, performing any penetration testing requires permission from the owner of the target. Moreover, it should be noted that the target may reside on the same server as other services, so permission from the service provider may also be needed.</p>
</aside>
<h2>STRIDE and DREAD</h2>
<p>When beginning development of a new application, there are a few factors that should be considered from the outset. From the point of view of this course series, we naturally take the stance that security is the biggest one. It is essential to apply some kind of threat modelling in the design phase; if not, the application may have serious flaws, or the effort to maintain security is spent on the wrong part of the application. In threat modelling one examines the application and deconstructs it into smaller parts, features and modules that each do one thing. For each part the threats are identified, and from those threats the vulnerabilities that would let them materialize. The process can continue, with each part being further deconstructed into even smaller parts.</p>
<p>Threats can be revealed by a variety of actors. For example, an ordinary user may stumble on a flaw in an application; a script kiddie running automated tools may discover a flaw; or a truly motivated attacker may find a flaw in the application through manual analysis. A threat's impact on an application might include unauthorized access being granted due to authorization failure, the browser cache being poisoned with malicious data, or private data being revealed via eavesdropping.</p>
<p>To simplify modelling, multiple ways exist of classifying threats. Two examples are the STRIDE and DREAD checklists. Neither one is exhaustive, but both provide good structures for determining the type of a given threat.</p>
<h3>The STRIDE Threat Model</h3>
<p>The STRIDE Threat Model is a useful checklist of questions that can help in the threat modelling of an application. 'STRIDE' is an acronym for the following threat categories: <i>Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service,</i> and <i>Elevation of Privilege</i>. <i>Spoofing</i> covers cases where someone illegally accesses a system using another user’s authentication information. <i>Tampering</i> covers unauthorized changes made to persistent data, whether inside a machine or in transit. <i>Repudiation</i> covers cases where a user denies having performed an action and the system cannot prove otherwise; to counter it, a system should be able to trace user operations and provide evidence of what has happened in case of a breach. <i>Information Disclosure</i> covers the exposure of information to unauthorized individuals. (This category of threat can also occur within a machine or in transit.) <i>Denial of Service</i> refers to cases where a server or service is made temporarily unavailable. Lastly, <i>Elevation of Privilege</i> is a threat type in which an unprivileged user finds a way to gain sufficient privileges to compromise the system.</p>
<h3>The DREAD risk assessment model</h3>
<p>DREAD is a mnemonic checklist for prioritizing threats based on their severity, and stands for <i>Damage, Reproducibility, Exploitability, Affected Users,</i> and <i>Discoverability</i>, all of which are fairly self-explanatory. (There has been a fair amount of discussion concerning Discoverability, and whether encouraging security professionals to minimize discoverability would in turn favour the discredited approach of security through obscurity.) A scale from 0 to 10 is usually used in all categories, save for Discoverability, which is commonly set to 10 on the grounds that any threat will eventually be discovered.</p>
<h2>Read and reflect</h2>
<p>Read the article below and answer the question "Do you find mnemonic lists meaningful or not?" Justify your opinion in about 300 words.</p>
<ul>
<li>Iván Arce, Kathleen Clark-Fisher, Neil Daswani, Jim DelGrosso, Danny Dhillon,
Christoph Kern, Tadayoshi Kohno, Carl Landwehr, Gary McGraw, Brook Schoenfield,
Margo Seltzer, Diomidis Spinellis, Izar Tarandach, and Jacob West, <em>Avoiding the Top 10 Software Security Design Flaws</em> <a href="https://web.archive.org/web/20180306191329/https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf" target="_blank" onclick="trackOutbound('https://web.archive.org/web/20180306191329/https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf'); return false;">https://web.archive.org/web/20180306191329/https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf</a></li>
</ul>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b44"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b45"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b46"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b4d"></div>
<div class="quiznator-plugin" data-quiz-id="5bd74cd7b40615fd8fa14b47"></div>
</section>
<!-- END INTRODUCTION -->
</article>
<!-- LOGIN MODAL -->
<div class="modal fade" id="tmc-login-modal" tabindex="-1" role="dialog">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
<h4 class="modal-title">Log in with your MOOC.fi account</h4>
</div>
<div class="modal-body">
<div class="alert alert-info">
Don't have a MOOC.fi account? <a href="https://tmc.mooc.fi/user/new" target="_blank">Sign up</a>.
</div>
<div class="alert alert-danger" id="tmc-login-error" style="display: none">
</div>
<div class="form-group">
<label>Username or email</label>
<input type="text" id="tmc-login-username" class="form-control" placeholder="Username or email"/>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" id="tmc-login-password" class="form-control" placeholder="Password"/>
</div>
<div class="form-group">
<a href="https://tmc.mooc.fi/password_reset_keys/new">I forgot my password</a>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
<button type="button" class="btn btn-primary" id="tmc-login-submit">Log in</button>
</div>
</div>
</div>
</div>
<!-- TABLE OF CONTENTS -->
<div class="table-of-contents-layer">
</div>
<div class="table-of-contents">
<h1 class="table-of-contents__heading">
Table of contents
</h1>
<div class="table-of-contents__content">
<ul class="nav" id="material-toc"></ul>
</div>
</div>
<!-- PROGRESS -->
<div class="content-progress">
<div class="content-progress__label">
</div>
<div class="content-progress__bar">
</div>
</div>
<!-- QUIZNATOR DASHBOARD -->
<div class="quiznator-dashboard"></div>
<!-- BROWSER SUPPORT WARNING -->
<div class="browser-support-warning">
Some parts of this page might not work on your current browser. Consider switching to either <a href="https://www.google.com/chrome/browser/desktop/" target="_blank">Chrome</a> or <a href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>.
<a class="pull-right browser-support-warning__close">Got it!</a>
</div>
<script src="https://quiznator.mooc.fi/javascripts/plugin-loader.min.js"></script>
<script src="https://code.jquery.com/jquery-3.1.1.min.js"
integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8="
crossorigin="anonymous"></script>
<script src="https://code.jquery.com/ui/1.12.0/jquery-ui.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<script src="/assets/js/tmc-client-js/dist/tmc-client.min.js"></script>
<script src="/assets/js/bowser/bowser.js"></script>
<script src="/assets/js/csa.js"></script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-86250620-1', 'auto');
ga('set', 'anonymizeIp', true);
ga('require', 'linkid');
ga('send', 'pageview');
var trackOutbound = function(url) {
ga('send', 'event', 'outbound', 'click', url, {
'transport': 'beacon',
'hitCallback': function(){ window.open(url); }
});
}
</script>
<!-- COOKIES -->
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.1/cookieconsent.min.css" />
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.1/cookieconsent.min.js"></script>
<script>window.cookieconsent.initialise({"palette":{"popup":{"background":"#000"},"button":{"background":"#f1d600"}}});</script>
</body>
</html>