SlideShare a Scribd company logo

University of the CumberlandsSchool of Computer & Information .docx

Download as DOCX, PDF
J
jolleybendicty

University of the Cumberlands School of Computer & Information Sciences ISOL-536 - Security Architecture & Design Chapter 5 - Prepare for Assessment Chapter 5 - Prepare for Assessment 5.1 Process Review 5.1.1 Credible Attack Vectors 5.1.2 Applying ATASM 5.2 Architecture and Artifacts 5.2.1 Understand the Logical and Component Architecture of the System 5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored 5.3 Threat Enumeration 5.3.1 List All the Possible Threat Agents for This Type of System 5.3.2 List the Typical Attack Methods of the Threat Agents 5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods Chapter 5 - Prepare for Assessment – Cont. 5.4 Attack Surfaces 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface 5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods 5.4.3 List All Existing Security Controls for Each Attack Surface 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection 5.5 Data Sensitivity 5.6 A Few Additional Thoughts on Risk 5.7 Possible Controls 5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation 5.7.2 Build a Defense-in-Depth 5.8 Summary Chapter 5: Summary Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks. 5.1 Process Review At the highest level, an assessment follows the mnemonic, ATASM: Architecture ➤ Threats ➤ Attack Surfaces ➤ Mitigations Figure 5.1 shows the ATASM flow graphically. There are architecture tasks that will help to determine which threats are relevant to systems of the type under assessment. Figure 5.1 Architecture, threats, attack surfaces, mitigations. 5.1.1 Credible Attack Vectors Credible attack vector: A credible threat exercising an exploit on an exposed vulnerability. Recalling the risk term discussion from Chapter 4, a CAV encapsulates the three threat sub-terms into a single expression: Threat Exposure Vulnerability Risk is the critical governing principle that underlies the entire risk assessment and threat modeling process. Ultimately, we must mitigate those computer attacks that are likely to impinge upon the use of the system under assessment and upon efforts to obtain the objectives of the organization. 5.1.2 Applying ATASM Table 5.1 summarizes the typical background info.

Education
1 of 23
University of the Cumberlands School of Computer & Information Sciences ISOL-536 - Security Architecture & Design Chapter 5 - Prepare for Assessment Chapter 5 - Prepare for Assessment 5.1 Process Review 5.1.1 Credible Attack Vectors 5.1.2 Applying ATASM 5.2 Architecture and Artifacts 5.2.1 Understand the Logical and Component Architecture of the System 5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored 5.3 Threat Enumeration 5.3.1 List All the Possible Threat Agents for This Type of System 5.3.2 List the Typical Attack Methods of the Threat Agents 5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods Chapter 5 - Prepare for Assessment – Cont. 5.4 Attack Surfaces
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface 5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods 5.4.3 List All Existing Security Controls for Each Attack Surface 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection 5.5 Data Sensitivity 5.6 A Few Additional Thoughts on Risk 5.7 Possible Controls 5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation 5.7.2 Build a Defense-in-Depth 5.8 Summary Chapter 5: Summary Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.
5.1 Process Review At the highest level, an assessment follows the mnemonic, ATASM: Architecture ➤ Threats ➤ Attack Surfaces ➤ Mitigations Figure 5.1 shows the ATASM flow graphically. There are architecture tasks that will help to determine which threats are relevant to systems of the type under assessment. Figure 5.1 Architecture, threats, attack surfaces, mitigations. 5.1.1 Credible Attack Vectors Credible attack vector: A credible threat exercising an exploit on an exposed vulnerability. Recalling the risk term discussion from Chapter 4, a CAV encapsulates the three threat sub-terms into a single expression: Threat Exposure Vulnerability Risk is the critical governing principle that underlies the entire risk assessment and threat modeling process. Ultimately, we must mitigate those computer attacks that are likely to impinge upon the use of the system under assessment and upon efforts to obtain the objectives of the organization.
5.1.2 Applying ATASM Table 5.1 summarizes the typical background information an assessor brings to an assessment. These topics have been arranged with the “3 S’s” merely for convenience and to provide an ordering principle. No matter how one may choose to order these topics, it remains that before beginning an ARA and threat model, one will need to have examined the current threat landscape into which the system will be deployed. 5.1.2 Applying ATASM – Cont. Figure 5.2 orders those steps by the high-level ATASM abstraction. That is, architecture steps are followed by threat- related tasks. The results of these are applied to an enumeration of attack surfaces, which, when prioritized, can then be defended by building a set of risk mitigations, a defense-in- depth of security controls. Each of the steps outlined in Figure 5.2 is, of course, what developers call a “nontrivial” activity. Figure 5.2 ATASM procedure steps. 5.2 Architecture and Artifacts Part of understanding a system architecture is to understand the system’s overall functions and what objectives deploying the system is hoping to achieve. An assessment should start at the beginning by determining the system’s intended purpose and how it fits into the overall goals of the deploying organization
and its users. This information will “ground” the architecture into the real world and will place the architecture within its intended context. 5.2.1 Understand the Logical and Component Architecture of the System The logical architecture represents each logical function that will be in the system. These groupings are irrespective of how many individual units of each function get instantiated and irrespective of the physical architecture. Generally, that there are computers (servers?) and operating systems is assumed and not detailed; the physical network addresses assigned to each network interface are unimportant in the logical view. Instead, functions like business logic versus the presentation versus back office accounting systems versus databases are separated out. It is assumed that all of these are connected by some sort of network architecture. 5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored Figure 5.4 AppMaker DFD with data types. Data types have been added to the AppMaker diagram to create Figure 5.4. There is a co-located repository containing various types of static content to be served to users (customers). Moving further back in the architecture, every application server must contain configuration data and metadata about the applications that the server is running. Usually, but not always, there is local disk storage, or readily available storage for this application server–specific data.
5.3 Threat Enumeration We need to understand the attackers in order to know which of them apply to any particular system. And in order to prioritize attack surfaces and attack targets, we need to be able to calculate the risk of any particular attack occurring. These higher-priority areas are characterized by the existence of threat agents who have the motivation and capabilities to take advantage of likely methods that will lead them to their objectives – and will in turn cause unacceptable losses . . . 5.3.1 List All the Possible Threat Agents for This Type of System The motives of these undirected attack sweeps are varied; many of these sweeps are conducted by criminal organizations or independent attackers. But there are many other reasons for running constant vulnerability sweeps, as well. Increasing one’s skill as a security tester is certainly among these reasons. Every sweep is not conducted by criminals, though, in many jurisdictions, conducting such a sweep is illegal. 5.3.1 List All the Possible Threat Agents for This Type of System – Cont. There is one additional threat agent with which most public sites and products must contend. Calling security researchers “threats” is somewhat of a misnomer and might be perceived by researchers as an insult? No insult is intended. Still, if an organization is on the receiving end of vulnerability research, the impact to reputation and brand may be approximately the same as what can occur following a successful compromise of systems or data.
5.3.1 List All the Possible Threat Agents for This Type of System – Cont. Essentially, researchers need to find vulnerabilities. They need to find tricky vulnerabilities and then must publish the research. It doesn’t really matter if the vulnerability can result in significant loss for the organization owning the problem. The actuality of an impact does not play a big part of the research equation. Any organization that has had to deal with a well- publicized stunt hack against one of the organization’s systems will know full well that the media attention of the research did not benefit the public image of the organization, especially if that organization’s customers expect a certain level of security from the organization. 5.3.2 List the Typical Attack Methods of the Threat Agents Spending months or years creating a new method to execute a series of randomly placed instructions in a program to create an attack simply isn’t worth the effort: The research and development costs are too high. At the time of the writing of this book, so called “gadget” programs take too much time. Running gadgets culled by finding bits of code within widely distributed applications is much more likely to fall into the category of “stunt hack.” Cyber criminals are probably not going to waste their time unless there was a readily available tool (even if on the black market) that would make this attack trivial. 5.3.3 List the System-Level Objectives of Threat
Agents Using Their Attack Methods For many exploits there is a system-level objective that must be attained in order to prosecute the attack to its goal. For security researchers, the system-level objective— that is, getting a piece of scripting code (javascript) to execute in the user’s browser, or gaining system-level privileges—will be sufficient to prove vulnerability. No more need be accomplished. 5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods The subsequent entries in Table 5.3 are drawn from OWASP.org Top 10. In order to gain a place in the list, an attack method has to be one of the most popularly executed as well as used on a regular and continuing basis. When we analyzed cyber criminals, we noted their predilection for well-known and proven attack methods. The OWASP Top 10 list is representative of the most often used attacks on the Internet. Since the Web-Sock-A-Rama site is a typical web store, it will be subjected to attacks drawn from the OWASP Top 10 list, at the very least. Security researchers will also attempt well- known attack methods in order to find and report vulnerabilities. 5.4 Attack Surfaces In the ATASM process, we try to enumerate all the attack surfaces before we categorize the importance of each surface. It’s useful to avoid the prioritization process during enumeration. Think of it as an attack surface brainstorm: Any discussion about the legitimacy or fitness of an attack surface tends to bog down the enumeration into too many details. In this
way, the natural flow resulting from nonjudgmental observation is broken. It’s easy to miss an attack surface, especially when it seems inconsequential, or perhaps that function just seems to be “part of the running program.” For that very reason, getting a good flow of nonjudgmental inspection can help to uncover all the attack surfaces. Prioritization can come later, once everything has been uncovered. In the process being described in this chapter, we simply enumerate all the attack surfaces and try to avoid discussion of their importance and exposure until a later step. 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface An integrated web server collapses the web tier and application server tier into a two-tiered architecture. Following the security principles, defense-in-depth and fail securely, the three-tier architecture is usually considered a more defensible approach. Web-Sock-A-Rama, as depicted in Figure 5.5, demonstrates the more standard three-tier web architecture. Figure 5.5 Web-Sock-A-Rama trust boundaries. 20 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont. Figure 5.6 An obvious attack surface.
Figure 5.6 adds an arrow to Figure 5.5 that points at the most obvious attack surface: the Web server’s Internet facing HTTP receiver. The Web server is open to all Internet traffic, which means that any attacker can probe it. The constant “doorknob rattling” sweeps of the Internet will surely find and investigate whatever interfaces are open and available to unrestricted traffic. Once an interested attacker finds and catalogs the open HTTP port, then the fun really begins. Like web vulnerability scanners, the attacker will probe every reachable page with every attack variation possible. 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont. The injections for downstream destinations, such as LDAP and databases, are aimed at the application server code because that’s where the capability to pass on these attacks is typically found. These are then attacks against the application code. Contrast these injections with a Cross-Site Request Forgery (CSRF) attack. These attacks can be mitigated at several different layers, depending upon how session management is implemented in the website. Although many would consider this a vulnerability of the custom application code, depending upon how the infrastructure is set up, it may be that the application server handles user and transaction states. If so, then a CSRF vulnerability would lie in front of the application code. 22
5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods Through the process of filling out Table 5.4, we have already filtered out a series of attacks that do not have an appropriate attack surface exposed to them. In fact, by attempting to apply attack methods to attack surfaces, we have even eliminated, or significantly reduced, a threat agent: security researchers. Security researchers’ stunt level hacks are unlikely since the attack surfaces required to execute these attacks are not exposed. 23 5.4.3 List All Existing Security Controls for Each Attack Surface We have made a couple of assumptions for the sake of understanding the process. Namely, we’ve assumed that Web- Sock-A-Rama has a mature website management and administrative function. In previous chapters, we’ve listed what those functions typically are. This assumption provides the usual set of controls to the backend of our website. 24 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection Authentication is an interesting security control because, although it does reduce exposure to only those who’ve been authenticated, there are plenty of techniques an attacker can use to get an account, depending upon the site: steal or crack weak
credentials, or perhaps simply sign up for the free version. In addition, once a site or system implements authentication, it now has another system that will need protection! Authentication systems are often considered critical, thus requiring tight security control: a high security posture. Implementing authentication adds significant complexity to the security requirements of the system. 25 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection – Cont. 26 5.5 Data Sensitivity Data classification is a key component of risk, both for assessing impact and for understanding likely targets in a system. As has been explained earlier, attackers often string more than one attack method together in order to achieve their objectives. An attacker might execute an SQL injection against the payment card database, thereby gaining financial information, if applications accepting user input were poorly written such that SQL injection to databases were allowed. Data sensitivity mustn't become the sole measure of CAV or impact. Each of these risk terms are multidimensional; terms shouldn’t be reduced in a simplistic way or assessments will suffer by possibly excluding other key factors.
27 5.6 A Few Additional Thoughts on Risk The goal of risk calculation during ATASM is to identify those CAVs whose lack of mitigation will prevent reaching the intended security posture. Concomitantly, there is an imperative to limit the number of risk treatments to that which is affordable, that which is doable. Few organizations can “do it all.” Hence, there has to be a process to eliminate unlikely attacks while prioritizing the most dangerous ones for mitigation. 28 5.7 Possible Controls Due to the realities of email impersonation and payment card theft, an authentication based upon these factors isn’t really worth much, which leaves our Web-Sock-Arama website without much attack mitigation based upon authentication. Obviously, the organization’s security team will have their hands full with fraud attempts, operationally removing fraudulent and fake accounts as soon as malicious behavior is observed. Still, at account initialization, there isn’t much that can be done. 29
5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation Table 5.6 adds defenses to each of the attack methods that we enumerated in previous ATASM steps. These are the five attacks and their associated attack surfaces (the CAVs) that we believe are applicable to this system, in this organizational context. (Continued on following page 167 – Prepare for Assessment) 30 5.7.2 Build a Defense-in-Depth Because the system handles sensitive data from users originating from the untrusted Internet, the Transport Layer Security (TLS), most often implemented as HTTPS, must be used between the user’s browser and the web server, at least for sensitive data transmission. Some architectures would also require TLS (or more properly, communication encryption of some sort) between the web server and the application server, and perhaps even between the application server and the database server? We assumed that the networks in this system are tightly controlled through a mature administrative practice. Therefore, the networks can be considered a trusted infrastructure. Since we’ve separated out three tiers, and there is only a single piece
of trusted networking equipment separating each tier (a new assumption and requirement), the store doesn’t feel the need to encrypt the data as it moves between tiers. 32 5.8 Summary Defenses are applied such that these specifically interrupt each CAV, as was discussed in the chapter on risk. Then, the entire set of defenses is considered as a set of overlapping, interlocking, and supporting defenses to build enough redundancy to create a defense-in-depth. The security requirements should be achievable, relevant, and “real world.” ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations. 33 Chapter 4: Summary END image4.emf image5.png image6.emf
image7.emf image8.png image9.emf image10.emf image11.png image12.png image13.png image14.png image15.png image1.emf image2.emf University of the Cumberlands School of Computer & Information Sciences ISOL-536 - Security Architecture & Design Chapter 6: eCommerce Website Chapter 6: eCommerce Website 6.1 Decompose the System 6.1.1 The Right Level of Decomposition 6.2 Finding Attack Surfaces to Build the Threat Model 6.3 Requirements Chapter 6 - eCommerce Website 6.1 Decompose the System Ultimately, the point of the architecture factoring exercise isn’t to document a perfect architecture view, but rather, to find
those points in the system that are susceptible to likely attack. An appropriate set of defenses can be built from the attack surfaces. Security is built at many levels, top-to-bottom, side-to-side, and front-to-back. Security is the architecture domain that interacts with every other domain; it is the “matrix” domain and must permeate a system in order to build a defense-in-depth. 6.1 Decompose the System – Cont. Looking at Figure 6.1, do you see anything missing? In the chapter about the ATASM process, there were several views of Web-Sock-A-Rama, adding data types, trust boundaries, and an attack surface. Figure 6.1 AppMaker web architecture. 6.1.1 The Right Level of Decomposition Figure 6.2 adds these two attack surfaces for a more complete picture of the message flow from the Internet and on through to the data tier. Figure 6.2 Attack surfaces touched by requests from the user’s browser. That is, at arrow 2b, the dynamically handled messages are passed from the web server to the Java application server. The application server calls
AppMaker, which in turn passes the message to one of the appropriate applications that were generated by AppMaker. In order to find the appropriate application, AppMaker will have to call the database server (arrow 4) to query the application metadata: data about which application handles which type of message. Then, while handling the request, “other web app” must also query various databases, perhaps customer profiles and the product catalog, in order to build the response for the user. The database server must continue to fetch data (“data fetch to fulfill 4”) as requests come in and responses are built. These systems handle multiple requests in parallel. 5 6.2 Finding Attack Surfaces to Build the Threat Model Since our web store has purchased AppMaker, let’s assume that wherever the injection lies, it would be AppMaker’s maker (the vendor) who would be responsible for the fix. So, in light of this relationship, it probably doesn’t matter whether an XSS lies within AppMaker itself or in a generated application, as long as the vendor is responsive to vulnerability reports and practices rigorous software security. Traffic from various components is allowed into the subnet to perform authentications, but traffic from the Internet is not allowed; the authentication system is “invisible” from the Internet; it is not reachable by Web-Sock-A-Rama’s customers
directly. 6 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.3 Data fetch and management interfaces. The flow in Figure 6.3 is more coherent with the description given. AppMaker loads one of the generated applications, which in turn must generate a query for various types of data. In this web store, every data store will be used. For each dynamically generated HTTP response, AppMaker must first find (and perhaps in part, build) the appropriate application through its metadata. Then, the application must itself consult the web store and customer data. Hence, the database server is an intermediary between the various data stores and applications (AppMaker and the generated web applications), These flows are shown in Figure 6.3 7 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.4 Management interface attack surfaces.
Figure 6.4 has already become visually busy enough. Still, in the real world, every configuration file and any local, running data set is and must be considered an attack surface. In this case, we have already stipulated that, through the infrastructure practices “investigation” (really, an assumption in this fictitious example system), there are a series of existing controls protecting the servers and their local hard disks. Thus, we concentrate on just a portion of the attack surfaces in order to keep the example focused. In the real world, I would absolutely find out what management practices and protections are implemented to defend the configuration files and metadatasets. 8 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.5 Authentication and identity flows. A more complete picture of a management sub-network that is restricted through a jump server is pictured in Figure 6.5. Please refer to this figure for more clarity about the architecture and components used to build this type of management interface protection.) Web authentication can be handled entirely by the web server. The HTTP protocol contains primitives for authentication, which then are implemented in most open source and commercial web servers.
9 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.6 Authentication attack surfaces. Finally, there is an arrow pointing towards Directory, itself, in Figure 6.6. Gaining the directory gives the attacker all the credentials, which are tied to all the user IDs. That very thing happened to a company for which I worked. The attackers compromised every account’s password. In other words, attackers had access to every customer account and the services and equipment for which the highest privileged accounts were entitled. Ouch! 10 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.7 Web-Sock-A-Rama payment processing. For our purposes, everything depicted in Figure 6.7 that lies below the Internet, except the isolated authentication service, would be subject to PCI requirements. Since the authentication service lies within its own restricted network, from a PCI standpoint the authentication service has been separated. The authentication service never handles
payment cards and is not involved in financial transactions. Therefore, it lies outside the PCI boundary. Customer’s user ID are populated from the customer database. That is a “push” function; the directory that lies within the authentication service does not call out to the customer data. 11 6.3 Requirements Table 6.1 outlines the requirements that we uncovered throughout this chapter’s analysis. (Continued on following page 210 - eCommerce Website) Most information security professionals are already familiar with this body of knowledge. For exposed Internet sites, networking restrictions and boundaries can become critically important. Though there are other ways to create trust boundaries, a common way is to use network segments and then control flows between the segments and between the systems in the segments. That’s the essential gist of the networking requirements given in Table 6.1. 12 Chapter 6: Summary As this is the first analysis in our series of six, I caution the reader to understand these requirements fairly well. In order not
to be repetitive, the subsequent analyses will refer back to these wherever they arise. Remember, architectural patterns repeat, and I’ve attempted to use the same solutions consistently throughout the examples. This is not to imply that any of these is the only solution. Hopefully, this is clear. Still, one of the points of this book is that there are patterns and their solution sets that repeat. So some of the same solutions are being reused set rather than introducing new security defense approaches for the same recurring problem. Chapter 6: Summary END image4.emf image5.png image6.emf image7.emf image8.emf image9.png image10.emf image11.emf image12.emf image13.png image1.emf image2.emf

Recommended

Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxDustiBuckner14
 
F0341026029
F0341026029F0341026029
F0341026029inventionjournals
 
Threat modelling
Threat modellingThreat modelling
Threat modellingRajeev Venkata
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxjeffsrosalyn
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 

Recommended

Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxDustiBuckner14
 
F0341026029
F0341026029F0341026029
F0341026029inventionjournals
 
Threat modelling
Threat modellingThreat modelling
Threat modellingRajeev Venkata
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxjeffsrosalyn
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
A Secure Software Engineering Perspective
A Secure Software Engineering PerspectiveA Secure Software Engineering Perspective
A Secure Software Engineering Perspectiveidescitation
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attackchennaijp
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Papitha Velumani
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackSecurity evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackShakas Technologies
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Understanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareUnderstanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareNicole Gaehle, MSIST
 
Due tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thosDue tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thosAlyciaGold776
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comamaranthbeg113
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comamaranthbeg73
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comamaranthbeg53
 
Running head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docxRunning head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docxSUBHI7
 
46 102-112
46 102-11246 102-112
46 102-112idescitation
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...IJNSA Journal
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inmaribethy2y
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigateMatt Soseman
 
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Shakas Technologies
 
Research and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdfResearch and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdfRBMADU
 
Which of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docxWhich of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docxjolleybendicty
 
Which of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docxWhich of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docxjolleybendicty
 

More Related Content

Similar to University of the CumberlandsSchool of Computer & Information .docx

A Secure Software Engineering Perspective
A Secure Software Engineering PerspectiveA Secure Software Engineering Perspective
A Secure Software Engineering Perspectiveidescitation
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attackchennaijp
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Papitha Velumani
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackSecurity evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackShakas Technologies
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Understanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareUnderstanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareNicole Gaehle, MSIST
 
Due tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thosDue tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thosAlyciaGold776
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comamaranthbeg113
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comamaranthbeg73
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comamaranthbeg53
 
Running head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docxRunning head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docxSUBHI7
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...IJNSA Journal
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inmaribethy2y
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigateMatt Soseman
 
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Shakas Technologies
 
Research and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdfResearch and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdfRBMADU
 

Similar to University of the CumberlandsSchool of Computer & Information .docx (20)

A Secure Software Engineering Perspective
A Secure Software Engineering PerspectiveA Secure Software Engineering Perspective
A Secure Software Engineering Perspective
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackSecurity evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Understanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareUnderstanding Vulnerabilities in Software
Understanding Vulnerabilities in Software
 
Due tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thosDue tomorrow 7122021 at 800pmNo plagiarism Develop thos
Due tomorrow 7122021 at 800pmNo plagiarism Develop thos
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.com
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.com
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.com
 
Running head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docxRunning head Risk Assessment Repot (RAR) .docx
Running head Risk Assessment Repot (RAR) .docx
 
46 102-112
46 102-11246 102-112
46 102-112
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigate
 
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
 
Research and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdfResearch and identify three IT-related Risk Management Plans and lis.pdf
Research and identify three IT-related Risk Management Plans and lis.pdf
 

More from jolleybendicty

Which of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docxWhich of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docxjolleybendicty
 
Which of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docxWhich of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docxjolleybendicty
 
Which of these articles confirms or negates your view on housing ava.docx
Which of these articles confirms or negates your view on housing ava.docxWhich of these articles confirms or negates your view on housing ava.docx
Which of these articles confirms or negates your view on housing ava.docxjolleybendicty
 
Which of these images represents the following system of equations b.docx
Which of these images represents the following system of equations b.docxWhich of these images represents the following system of equations b.docx
Which of these images represents the following system of equations b.docxjolleybendicty
 
Which of these images tells us the most about the rise, fall and the.docx
Which of these images tells us the most about the rise, fall and the.docxWhich of these images tells us the most about the rise, fall and the.docx
Which of these images tells us the most about the rise, fall and the.docxjolleybendicty
 
Which of the following was a component of the Earths Hadean atm.docx
Which of the following was a component of the Earths Hadean atm.docxWhich of the following was a component of the Earths Hadean atm.docx
Which of the following was a component of the Earths Hadean atm.docxjolleybendicty
 
Which of the following statements was true of the Homestead Strike.docx
Which of the following statements was true of the Homestead Strike.docxWhich of the following statements was true of the Homestead Strike.docx
Which of the following statements was true of the Homestead Strike.docxjolleybendicty
 
Which of the following studies would require a scientist to have e.docx
Which of the following studies would require a scientist to have e.docxWhich of the following studies would require a scientist to have e.docx
Which of the following studies would require a scientist to have e.docxjolleybendicty
 
Which of the following statements is true about the Internet[remo.docx
Which of the following statements is true about the Internet[remo.docxWhich of the following statements is true about the Internet[remo.docx
Which of the following statements is true about the Internet[remo.docxjolleybendicty
 
Which of the following occurred after the Civil WarAnswer.docx
Which of the following occurred after the Civil WarAnswer.docxWhich of the following occurred after the Civil WarAnswer.docx
Which of the following occurred after the Civil WarAnswer.docxjolleybendicty
 
Which of the following statements about bodhisattvas is true..docx
Which of the following statements about bodhisattvas is true..docxWhich of the following statements about bodhisattvas is true..docx
Which of the following statements about bodhisattvas is true..docxjolleybendicty
 
Which of the following statements about Mexican immigration to.docx
Which of the following statements about Mexican immigration to.docxWhich of the following statements about Mexican immigration to.docx
Which of the following statements about Mexican immigration to.docxjolleybendicty
 
Which of the following statements is NOT true of an atomthat.docx
Which of the following statements is NOT true of an atomthat.docxWhich of the following statements is NOT true of an atomthat.docx
Which of the following statements is NOT true of an atomthat.docxjolleybendicty
 
Which of the following is true of chemical properties (2 points).docx
Which of the following is true of chemical properties (2 points).docxWhich of the following is true of chemical properties (2 points).docx
Which of the following is true of chemical properties (2 points).docxjolleybendicty
 
Which of the following is NOT true of dialects (Points 1)       .docx
Which of the following is NOT true of dialects (Points 1)       .docxWhich of the following is NOT true of dialects (Points 1)       .docx
Which of the following is NOT true of dialects (Points 1)       .docxjolleybendicty
 
Which of the following is true in a monopolyA.)Business owner.docx
Which of the following is true in a monopolyA.)Business owner.docxWhich of the following is true in a monopolyA.)Business owner.docx
Which of the following is true in a monopolyA.)Business owner.docxjolleybendicty
 
Which of the following psychological perspectives is most likely to .docx
Which of the following psychological perspectives is most likely to .docxWhich of the following psychological perspectives is most likely to .docx
Which of the following psychological perspectives is most likely to .docxjolleybendicty
 
Which of the following is true a. Economics is the study of the .docx
Which of the following is true a. Economics is the study of the .docxWhich of the following is true a. Economics is the study of the .docx
Which of the following is true a. Economics is the study of the .docxjolleybendicty
 
Which of the following is the net requirement using an MRP program i.docx
Which of the following is the net requirement using an MRP program i.docxWhich of the following is the net requirement using an MRP program i.docx
Which of the following is the net requirement using an MRP program i.docxjolleybendicty
 
Which of the following is not a way managers generally benefit from .docx
Which of the following is not a way managers generally benefit from .docxWhich of the following is not a way managers generally benefit from .docx
Which of the following is not a way managers generally benefit from .docxjolleybendicty
 

More from jolleybendicty (20)

Which of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docxWhich of the following statements regarding components of a time ser.docx
Which of the following statements regarding components of a time ser.docx
 
Which of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docxWhich of the works we read was used by President Bushs 2002 appoint.docx
Which of the works we read was used by President Bushs 2002 appoint.docx
 
Which of these articles confirms or negates your view on housing ava.docx
Which of these articles confirms or negates your view on housing ava.docxWhich of these articles confirms or negates your view on housing ava.docx
Which of these articles confirms or negates your view on housing ava.docx
 
Which of these images represents the following system of equations b.docx
Which of these images represents the following system of equations b.docxWhich of these images represents the following system of equations b.docx
Which of these images represents the following system of equations b.docx
 
Which of these images tells us the most about the rise, fall and the.docx
Which of these images tells us the most about the rise, fall and the.docxWhich of these images tells us the most about the rise, fall and the.docx
Which of these images tells us the most about the rise, fall and the.docx
 
Which of the following was a component of the Earths Hadean atm.docx
Which of the following was a component of the Earths Hadean atm.docxWhich of the following was a component of the Earths Hadean atm.docx
Which of the following was a component of the Earths Hadean atm.docx
 
Which of the following statements was true of the Homestead Strike.docx
Which of the following statements was true of the Homestead Strike.docxWhich of the following statements was true of the Homestead Strike.docx
Which of the following statements was true of the Homestead Strike.docx
 
Which of the following studies would require a scientist to have e.docx
Which of the following studies would require a scientist to have e.docxWhich of the following studies would require a scientist to have e.docx
Which of the following studies would require a scientist to have e.docx
 
Which of the following statements is true about the Internet[remo.docx
Which of the following statements is true about the Internet[remo.docxWhich of the following statements is true about the Internet[remo.docx
Which of the following statements is true about the Internet[remo.docx
 
Which of the following occurred after the Civil WarAnswer.docx
Which of the following occurred after the Civil WarAnswer.docxWhich of the following occurred after the Civil WarAnswer.docx
Which of the following occurred after the Civil WarAnswer.docx
 
Which of the following statements about bodhisattvas is true..docx
Which of the following statements about bodhisattvas is true..docxWhich of the following statements about bodhisattvas is true..docx
Which of the following statements about bodhisattvas is true..docx
 
Which of the following statements about Mexican immigration to.docx
Which of the following statements about Mexican immigration to.docxWhich of the following statements about Mexican immigration to.docx
Which of the following statements about Mexican immigration to.docx
 
Which of the following statements is NOT true of an atomthat.docx
Which of the following statements is NOT true of an atomthat.docxWhich of the following statements is NOT true of an atomthat.docx
Which of the following statements is NOT true of an atomthat.docx
 
Which of the following is true of chemical properties (2 points).docx
Which of the following is true of chemical properties (2 points).docxWhich of the following is true of chemical properties (2 points).docx
Which of the following is true of chemical properties (2 points).docx
 
Which of the following is NOT true of dialects (Points 1)       .docx
Which of the following is NOT true of dialects (Points 1)       .docxWhich of the following is NOT true of dialects (Points 1)       .docx
Which of the following is NOT true of dialects (Points 1)       .docx
 
Which of the following is true in a monopolyA.)Business owner.docx
Which of the following is true in a monopolyA.)Business owner.docxWhich of the following is true in a monopolyA.)Business owner.docx
Which of the following is true in a monopolyA.)Business owner.docx
 
Which of the following psychological perspectives is most likely to .docx
Which of the following psychological perspectives is most likely to .docxWhich of the following psychological perspectives is most likely to .docx
Which of the following psychological perspectives is most likely to .docx
 
Which of the following is true a. Economics is the study of the .docx
Which of the following is true a. Economics is the study of the .docxWhich of the following is true a. Economics is the study of the .docx
Which of the following is true a. Economics is the study of the .docx
 
Which of the following is the net requirement using an MRP program i.docx
Which of the following is the net requirement using an MRP program i.docxWhich of the following is the net requirement using an MRP program i.docx
Which of the following is the net requirement using an MRP program i.docx
 
Which of the following is not a way managers generally benefit from .docx
Which of the following is not a way managers generally benefit from .docxWhich of the following is not a way managers generally benefit from .docx
Which of the following is not a way managers generally benefit from .docx
 

Recently uploaded

Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxNikitaBankoti2
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesShubhangi Sonawane
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 

Recently uploaded (20)

Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 

University of the CumberlandsSchool of Computer & Information .docx

  • 1. University of the Cumberlands School of Computer & Information Sciences ISOL-536 - Security Architecture & Design Chapter 5 - Prepare for Assessment Chapter 5 - Prepare for Assessment 5.1 Process Review 5.1.1 Credible Attack Vectors 5.1.2 Applying ATASM 5.2 Architecture and Artifacts 5.2.1 Understand the Logical and Component Architecture of the System 5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored 5.3 Threat Enumeration 5.3.1 List All the Possible Threat Agents for This Type of System 5.3.2 List the Typical Attack Methods of the Threat Agents 5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods Chapter 5 - Prepare for Assessment – Cont. 5.4 Attack Surfaces
  • 2. 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface 5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods 5.4.3 List All Existing Security Controls for Each Attack Surface 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection 5.5 Data Sensitivity 5.6 A Few Additional Thoughts on Risk 5.7 Possible Controls 5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation 5.7.2 Build a Defense-in-Depth 5.8 Summary Chapter 5: Summary Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.
  • 3. 5.1 Process Review At the highest level, an assessment follows the mnemonic, ATASM: Architecture ➤ Threats ➤ Attack Surfaces ➤ Mitigations Figure 5.1 shows the ATASM flow graphically. There are architecture tasks that will help to determine which threats are relevant to systems of the type under assessment. Figure 5.1 Architecture, threats, attack surfaces, mitigations. 5.1.1 Credible Attack Vectors Credible attack vector: A credible threat exercising an exploit on an exposed vulnerability. Recalling the risk term discussion from Chapter 4, a CAV encapsulates the three threat sub-terms into a single expression: Threat Exposure Vulnerability Risk is the critical governing principle that underlies the entire risk assessment and threat modeling process. Ultimately, we must mitigate those computer attacks that are likely to impinge upon the use of the system under assessment and upon efforts to obtain the objectives of the organization.
  • 4. 5.1.2 Applying ATASM Table 5.1 summarizes the typical background information an assessor brings to an assessment. These topics have been arranged with the “3 S’s” merely for convenience and to provide an ordering principle. No matter how one may choose to order these topics, it remains that before beginning an ARA and threat model, one will need to have examined the current threat landscape into which the system will be deployed. 5.1.2 Applying ATASM – Cont. Figure 5.2 orders those steps by the high-level ATASM abstraction. That is, architecture steps are followed by threat- related tasks. The results of these are applied to an enumeration of attack surfaces, which, when prioritized, can then be defended by building a set of risk mitigations, a defense-in- depth of security controls. Each of the steps outlined in Figure 5.2 is, of course, what developers call a “nontrivial” activity. Figure 5.2 ATASM procedure steps. 5.2 Architecture and Artifacts Part of understanding a system architecture is to understand the system’s overall functions and what objectives deploying the system is hoping to achieve. An assessment should start at the beginning by determining the system’s intended purpose and how it fits into the overall goals of the deploying organization
  • 5. and its users. This information will “ground” the architecture into the real world and will place the architecture within its intended context. 5.2.1 Understand the Logical and Component Architecture of the System The logical architecture represents each logical function that will be in the system. These groupings are irrespective of how many individual units of each function get instantiated and irrespective of the physical architecture. Generally, that there are computers (servers?) and operating systems is assumed and not detailed; the physical network addresses assigned to each network interface are unimportant in the logical view. Instead, functions like business logic versus the presentation versus back office accounting systems versus databases are separated out. It is assumed that all of these are connected by some sort of network architecture. 5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored Figure 5.4 AppMaker DFD with data types. Data types have been added to the AppMaker diagram to create Figure 5.4. There is a co-located repository containing various types of static content to be served to users (customers). Moving further back in the architecture, every application server must contain configuration data and metadata about the applications that the server is running. Usually, but not always, there is local disk storage, or readily available storage for this application server–specific data.
  • 6. 5.3 Threat Enumeration We need to understand the attackers in order to know which of them apply to any particular system. And in order to prioritize attack surfaces and attack targets, we need to be able to calculate the risk of any particular attack occurring. These higher-priority areas are characterized by the existence of threat agents who have the motivation and capabilities to take advantage of likely methods that will lead them to their objectives – and will in turn cause unacceptable losses . . . 5.3.1 List All the Possible Threat Agents for This Type of System The motives of these undirected attack sweeps are varied; many of these sweeps are conducted by criminal organizations or independent attackers. But there are many other reasons for running constant vulnerability sweeps, as well. Increasing one’s skill as a security tester is certainly among these reasons. Every sweep is not conducted by criminals, though, in many jurisdictions, conducting such a sweep is illegal. 5.3.1 List All the Possible Threat Agents for This Type of System – Cont. There is one additional threat agent with which most public sites and products must contend. Calling security researchers “threats” is somewhat of a misnomer and might be perceived by researchers as an insult? No insult is intended. Still, if an organization is on the receiving end of vulnerability research, the impact to reputation and brand may be approximately the same as what can occur following a successful compromise of systems or data.
  • 7. 5.3.1 List All the Possible Threat Agents for This Type of System – Cont. Essentially, researchers need to find vulnerabilities. They need to find tricky vulnerabilities and then must publish the research. It doesn’t really matter if the vulnerability can result in significant loss for the organization owning the problem. The actuality of an impact does not play a big part of the research equation. Any organization that has had to deal with a well- publicized stunt hack against one of the organization’s systems will know full well that the media attention of the research did not benefit the public image of the organization, especially if that organization’s customers expect a certain level of security from the organization. 5.3.2 List the Typical Attack Methods of the Threat Agents Spending months or years creating a new method to execute a series of randomly placed instructions in a program to create an attack simply isn’t worth the effort: The research and development costs are too high. At the time of the writing of this book, so called “gadget” programs take too much time. Running gadgets culled by finding bits of code within widely distributed applications is much more likely to fall into the category of “stunt hack.” Cyber criminals are probably not going to waste their time unless there was a readily available tool (even if on the black market) that would make this attack trivial. 5.3.3 List the System-Level Objectives of Threat
  • 8. Agents Using Their Attack Methods For many exploits there is a system-level objective that must be attained in order to prosecute the attack to its goal. For security researchers, the system-level objective— that is, getting a piece of scripting code (javascript) to execute in the user’s browser, or gaining system-level privileges—will be sufficient to prove vulnerability. No more need be accomplished. 5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods The subsequent entries in Table 5.3 are drawn from OWASP.org Top 10. In order to gain a place in the list, an attack method has to be one of the most popularly executed as well as used on a regular and continuing basis. When we analyzed cyber criminals, we noted their predilection for well-known and proven attack methods. The OWASP Top 10 list is representative of the most often used attacks on the Internet. Since the Web-Sock-A-Rama site is a typical web store, it will be subjected to attacks drawn from the OWASP Top 10 list, at the very least. Security researchers will also attempt well- known attack methods in order to find and report vulnerabilities. 5.4 Attack Surfaces In the ATASM process, we try to enumerate all the attack surfaces before we categorize the importance of each surface. It’s useful to avoid the prioritization process during enumeration. Think of it as an attack surface brainstorm: Any discussion about the legitimacy or fitness of an attack surface tends to bog down the enumeration into too many details. In this
  • 9. way, the natural flow resulting from nonjudgmental observation is broken. It’s easy to miss an attack surface, especially when it seems inconsequential, or perhaps that function just seems to be “part of the running program.” For that very reason, getting a good flow of nonjudgmental inspection can help to uncover all the attack surfaces. Prioritization can come later, once everything has been uncovered. In the process being described in this chapter, we simply enumerate all the attack surfaces and try to avoid discussion of their importance and exposure until a later step. 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface An integrated web server collapses the web tier and application server tier into a two-tiered architecture. Following the security principles, defense-in-depth and fail securely, the three-tier architecture is usually considered a more defensible approach. Web-Sock-A-Rama, as depicted in Figure 5.5, demonstrates the more standard three-tier web architecture. Figure 5.5 Web-Sock-A-Rama trust boundaries. 20 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont. Figure 5.6 An obvious attack surface.
  • 10. Figure 5.6 adds an arrow to Figure 5.5 that points at the most obvious attack surface: the Web server’s Internet facing HTTP receiver. The Web server is open to all Internet traffic, which means that any attacker can probe it. The constant “doorknob rattling” sweeps of the Internet will surely find and investigate whatever interfaces are open and available to unrestricted traffic. Once an interested attacker finds and catalogs the open HTTP port, then the fun really begins. Like web vulnerability scanners, the attacker will probe every reachable page with every attack variation possible. 5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont. The injections for downstream destinations, such as LDAP and databases, are aimed at the application server code because that’s where the capability to pass on these attacks is typically found. These are then attacks against the application code. Contrast these injections with a Cross-Site Request Forgery (CSRF) attack. These attacks can be mitigated at several different layers, depending upon how session management is implemented in the website. Although many would consider this a vulnerability of the custom application code, depending upon how the infrastructure is set up, it may be that the application server handles user and transaction states. If so, then a CSRF vulnerability would lie in front of the application code. 22
  • 11. 5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods Through the process of filling out Table 5.4, we have already filtered out a series of attacks that do not have an appropriate attack surface exposed to them. In fact, by attempting to apply attack methods to attack surfaces, we have even eliminated, or significantly reduced, a threat agent: security researchers. Security researchers’ stunt level hacks are unlikely since the attack surfaces required to execute these attacks are not exposed. 23 5.4.3 List All Existing Security Controls for Each Attack Surface We have made a couple of assumptions for the sake of understanding the process. Namely, we’ve assumed that Web- Sock-A-Rama has a mature website management and administrative function. In previous chapters, we’ve listed what those functions typically are. This assumption provides the usual set of controls to the backend of our website. 24 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection Authentication is an interesting security control because, although it does reduce exposure to only those who’ve been authenticated, there are plenty of techniques an attacker can use to get an account, depending upon the site: steal or crack weak
  • 12. credentials, or perhaps simply sign up for the free version. In addition, once a site or system implements authentication, it now has another system that will need protection! Authentication systems are often considered critical, thus requiring tight security control: a high security posture. Implementing authentication adds significant complexity to the security requirements of the system. 25 5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection – Cont. 26 5.5 Data Sensitivity Data classification is a key component of risk, both for assessing impact and for understanding likely targets in a system. As has been explained earlier, attackers often string more than one attack method together in order to achieve their objectives. An attacker might execute an SQL injection against the payment card database, thereby gaining financial information, if applications accepting user input were poorly written such that SQL injection to databases were allowed. Data sensitivity mustn't become the sole measure of CAV or impact. Each of these risk terms are multidimensional; terms shouldn’t be reduced in a simplistic way or assessments will suffer by possibly excluding other key factors.
  • 13. 27 5.6 A Few Additional Thoughts on Risk The goal of risk calculation during ATASM is to identify those CAVs whose lack of mitigation will prevent reaching the intended security posture. Concomitantly, there is an imperative to limit the number of risk treatments to that which is affordable, that which is doable. Few organizations can “do it all.” Hence, there has to be a process to eliminate unlikely attacks while prioritizing the most dangerous ones for mitigation. 28 5.7 Possible Controls Due to the realities of email impersonation and payment card theft, an authentication based upon these factors isn’t really worth much, which leaves our Web-Sock-Arama website without much attack mitigation based upon authentication. Obviously, the organization’s security team will have their hands full with fraud attempts, operationally removing fraudulent and fake accounts as soon as malicious behavior is observed. Still, at account initialization, there isn’t much that can be done. 29
  • 14. 5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation Table 5.6 adds defenses to each of the attack methods that we enumerated in previous ATASM steps. These are the five attacks and their associated attack surfaces (the CAVs) that we believe are applicable to this system, in this organizational context. (Continued on following page 167 – Prepare for Assessment) 30 5.7.2 Build a Defense-in-Depth Because the system handles sensitive data from users originating from the untrusted Internet, the Transport Layer Security (TLS), most often implemented as HTTPS, must be used between the user’s browser and the web server, at least for sensitive data transmission. Some architectures would also require TLS (or more properly, communication encryption of some sort) between the web server and the application server, and perhaps even between the application server and the database server? We assumed that the networks in this system are tightly controlled through a mature administrative practice. Therefore, the networks can be considered a trusted infrastructure. Since we’ve separated out three tiers, and there is only a single piece
  • 15. of trusted networking equipment separating each tier (a new assumption and requirement), the store doesn’t feel the need to encrypt the data as it moves between tiers. 32 5.8 Summary Defenses are applied such that these specifically interrupt each CAV, as was discussed in the chapter on risk. Then, the entire set of defenses is considered as a set of overlapping, interlocking, and supporting defenses to build enough redundancy to create a defense-in-depth. The security requirements should be achievable, relevant, and “real world.” ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations. 33 Chapter 4: Summary END image4.emf image5.png image6.emf
  • 16. image7.emf image8.png image9.emf image10.emf image11.png image12.png image13.png image14.png image15.png image1.emf image2.emf University of the Cumberlands School of Computer & Information Sciences ISOL-536 - Security Architecture & Design Chapter 6: eCommerce Website Chapter 6: eCommerce Website 6.1 Decompose the System 6.1.1 The Right Level of Decomposition 6.2 Finding Attack Surfaces to Build the Threat Model 6.3 Requirements Chapter 6 - eCommerce Website 6.1 Decompose the System Ultimately, the point of the architecture factoring exercise isn’t to document a perfect architecture view, but rather, to find
  • 17. those points in the system that are susceptible to likely attack. An appropriate set of defenses can be built from the attack surfaces. Security is built at many levels, top-to-bottom, side-to-side, and front-to-back. Security is the architecture domain that interacts with every other domain; it is the “matrix” domain and must permeate a system in order to build a defense-in-depth. 6.1 Decompose the System – Cont. Looking at Figure 6.1, do you see anything missing? In the chapter about the ATASM process, there were several views of Web-Sock-A-Rama, adding data types, trust boundaries, and an attack surface. Figure 6.1 AppMaker web architecture. 6.1.1 The Right Level of Decomposition Figure 6.2 adds these two attack surfaces for a more complete picture of the message flow from the Internet and on through to the data tier. Figure 6.2 Attack surfaces touched by requests from the user’s browser. That is, at arrow 2b, the dynamically handled messages are passed from the web server to the Java application server. The application server calls
  • 18. AppMaker, which in turn passes the message to one of the appropriate applications that were generated by AppMaker. In order to find the appropriate application, AppMaker will have to call the database server (arrow 4) to query the application metadata: data about which application handles which type of message. Then, while handling the request, “other web app” must also query various databases, perhaps customer profiles and the product catalog, in order to build the response for the user. The database server must continue to fetch data (“data fetch to fulfill 4”) as requests come in and responses are built. These systems handle multiple requests in parallel. 5 6.2 Finding Attack Surfaces to Build the Threat Model Since our web store has purchased AppMaker, let’s assume that wherever the injection lies, it would be AppMaker’s maker (the vendor) who would be responsible for the fix. So, in light of this relationship, it probably doesn’t matter whether an XSS lies within AppMaker itself or in a generated application, as long as the vendor is responsive to vulnerability reports and practices rigorous software security. Traffic from various components is allowed into the subnet to perform authentications, but traffic from the Internet is not allowed; the authentication system is “invisible” from the Internet; it is not reachable by Web-Sock-A-Rama’s customers
  • 19. directly. 6 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.3 Data fetch and management interfaces. The flow in Figure 6.3 is more coherent with the description given. AppMaker loads one of the generated applications, which in turn must generate a query for various types of data. In this web store, every data store will be used. For each dynamically generated HTTP response, AppMaker must first find (and perhaps in part, build) the appropriate application through its metadata. Then, the application must itself consult the web store and customer data. Hence, the database server is an intermediary between the various data stores and applications (AppMaker and the generated web applications), These flows are shown in Figure 6.3 7 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.4 Management interface attack surfaces.
  • 20. Figure 6.4 has already become visually busy enough. Still, in the real world, every configuration file and any local, running data set is and must be considered an attack surface. In this case, we have already stipulated that, through the infrastructure practices “investigation” (really, an assumption in this fictitious example system), there are a series of existing controls protecting the servers and their local hard disks. Thus, we concentrate on just a portion of the attack surfaces in order to keep the example focused. In the real world, I would absolutely find out what management practices and protections are implemented to defend the configuration files and metadatasets. 8 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.5 Authentication and identity flows. A more complete picture of a management sub-network that is restricted through a jump server is pictured in Figure 6.5. Please refer to this figure for more clarity about the architecture and components used to build this type of management interface protection.) Web authentication can be handled entirely by the web server. The HTTP protocol contains primitives for authentication, which then are implemented in most open source and commercial web servers.
  • 21. 9 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.6 Authentication attack surfaces. Finally, there is an arrow pointing towards Directory, itself, in Figure 6.6. Gaining the directory gives the attacker all the credentials, which are tied to all the user IDs. That very thing happened to a company for which I worked. The attackers compromised every account’s password. In other words, attackers had access to every customer account and the services and equipment for which the highest privileged accounts were entitled. Ouch! 10 6.2 Finding Attack Surfaces to Build the Threat Model – Cont. Figure 6.7 Web-Sock-A-Rama payment processing. For our purposes, everything depicted in Figure 6.7 that lies below the Internet, except the isolated authentication service, would be subject to PCI requirements. Since the authentication service lies within its own restricted network, from a PCI standpoint the authentication service has been separated. The authentication service never handles
  • 22. payment cards and is not involved in financial transactions. Therefore, it lies outside the PCI boundary. Customer’s user ID are populated from the customer database. That is a “push” function; the directory that lies within the authentication service does not call out to the customer data. 11 6.3 Requirements Table 6.1 outlines the requirements that we uncovered throughout this chapter’s analysis. (Continued on following page 210 - eCommerce Website) Most information security professionals are already familiar with this body of knowledge. For exposed Internet sites, networking restrictions and boundaries can become critically important. Though there are other ways to create trust boundaries, a common way is to use network segments and then control flows between the segments and between the systems in the segments. That’s the essential gist of the networking requirements given in Table 6.1. 12 Chapter 6: Summary As this is the first analysis in our series of six, I caution the reader to understand these requirements fairly well. In order not
  • 23. to be repetitive, the subsequent analyses will refer back to these wherever they arise. Remember, architectural patterns repeat, and I’ve attempted to use the same solutions consistently throughout the examples. This is not to imply that any of these is the only solution. Hopefully, this is clear. Still, one of the points of this book is that there are patterns and their solution sets that repeat. So some of the same solutions are being reused set rather than introducing new security defense approaches for the same recurring problem. Chapter 6: Summary END image4.emf image5.png image6.emf image7.emf image8.emf image9.png image10.emf image11.emf image12.emf image13.png image1.emf image2.emf