Finalize Writeup Lab 3

This commit is contained in:
Michael Chen 2022-06-07 12:25:47 +02:00
parent a6ee250635
commit b65cd6a99b
No known key found for this signature in database
GPG Key ID: 1CBC7AA5671437BB

View File

@ -1,17 +1,25 @@
# Lab 3 # Lab 3: Security Risk Assessment
## Stride examples ## Security Threats
| DFD-Element | Concern | Example | Likelihood | Impact | Below is a list of security threats identified from applying STRIDE to the metaverse system DFD. After that we analyzed likelihood and impact (in-class discussion) to assess the risk of each threat. From the lab slides we also selected possible mitigations.
| -- | -- | -- | -- | -- |
| User | Spoofing | Send a chat message in the name of another user | Possible | Moderate | | DFD-Element | Concern | Example | Likelihood | Impact | Mitigation |
| User | Spoofing | Stolen credentials might be used to login | Unlikely | Severe | | -- | -- | -- | -- | -- | -- |
| User Login | Tampering | Modify HTTP login header | Very Likely | Severe | | User | Spoofing | Send a chat message in the name of another user | Possible | Moderate | Cookie Authentication |
| Login | Denial of Service | Flood server with login requests | Unlikely | Minor | | User | Information Disclosure | Stolen credentials cookie might be used to login | Unlikely | Severe | Input Validation (XSS) |
| Login | Spoofing | Domain spoofing to impersonate server | Very Unlikely | Severe | | User Login | Tampering | Modify HTTP login header | Very Likely | Severe | HTTP over TLS or Digital signatures |
| Login | Tampering | Tamper the credentials of the user | Unlikely | Significant | | Login | Denial of Service | Flood server with login requests | Unlikely | Minor | ACL (Fail2Ban) |
| Database | Information Disclosure | SQL Injection | Likely | Severe | | Login | Spoofing | Domain spoofing to impersonate server | Very Unlikely | Severe | PKI & DNSSec |
| Login | Tampering | Tamper the credentials of the user | Unlikely | Significant | 2FA |
| Database | Information Disclosure | SQL Injection | Likely | Severe | Validation |
Notes: Notes:
- At this point in modeling we have to assume, we have no security features. - At this point in modeling we have to assume, we have no security features.
- Modifying HTTP headers thus results in a risk treatment that we require secure connections - Modifying HTTP headers thus results in a risk mitigation that we require secure connections
## Possible Attacks
- [Phishing](https://attack.mitre.org/techniques/T1566/) can be used to steal another users credentials
- [Password Guessing](https://attack.mitre.org/techniques/T1110/001/) can be used to try to gain access to the system
- [Credentials from Password Stores](https://attack.mitre.org/techniques/T1555/)