7. Formal threat analysis
The STRIDE model
Also see
• OWASP https://www.owasp.org/
• https://www.owasp.org/index.php/Threat_Risk_Modeling#STRIDE
• Common Criteria https://www.commoncriteriaportal.org/
8. Spoofing (of user identity)
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
37 million customer records
Posted records of people who really wanted to be anonymous…
Also exposed Ashley Madison as frauds – so maybe not all bad
US Office of Personnel Management – forms submitted by intelligence and military personnel for security clearances
Korea Credit Bureau – 20 million bank and credit card users' data was leaked, including names, SSNs and credit card numbers
Australian immigration dept. sent the visa details and passport numbers of world leaders (Obama, Putin, Merkel etc.) to the organizers of a football tournament
IRS – attackers gamed the IRS refund system, requesting tax refunds with other people’s details
Uber – had a database open to the world – 50K drivers' details
“Bob” paid less than a fifth of his six-figure salary
VPN logs showed connections from China
He physically sent his RSA token to the consulting firm he used
Information Disclosure (privacy breach or data leak)
Phishing vs. Spear Phishing
Blended/multi-vector threat. Spear phishing uses a blend of email spoofing, zero-day application exploits, dynamic URLs, and drive-by downloads to bypass traditional defenses.
Leverages zero-day vulnerabilities. Advanced spear phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins, and desktop applications to compromise systems.
Multi-staged attack. The initial exploit of systems is only the first stage of an APT attack; further stages involve malware outbound communications, binary downloads, and data exfiltration.
Lacks the characteristics of spam. Spear phishing emails are targeted, often on an individualized basis, so they don’t resemble the high-volume, broadcast nature of traditional spam. Reputation filters are therefore unlikely to flag these messages, minimizing the likelihood of spam filters catching them.
The attacks targeting RSA, the security division of EMC Corp., in 2011 provide a very clear picture of the way spear phishing can set the stage for a devastating and incredibly far-reaching assault on a corporation — and its customers.
The assault began with spear phishing attacks that sent targeted users an email with a Microsoft Excel file attachment that leveraged a zero-day flaw in Adobe Flash. It is clear that not only was RSA the focus of the attack, but only four individuals within RSA were the recipients of the malicious emails. It took just one user to open the email and attachment, which downloaded a Trojan onto the user’s PC.
This successful spear phishing attack was part of a much more complex advanced targeted attack. With this malware installed on the victim’s PC, criminals were able to search the corporate network, harvest administrator credentials, and ultimately gain access to a server housing proprietary information on the SecurID two-factor authentication platform.
The attack didn’t end there. In fact, all this was a precursor to the ultimate objective: Gaining entry to the networks of RSA’s customers, focusing on those in the defense industrial base. With the stolen data, the criminals then targeted numerous high-profile SecurID customers, including defense contractors Lockheed Martin, L-3, and Northrop Grumman.
The takeaway for enterprises is that this example makes clear that even seemingly rudimentary attacks may be just the first in a series of advanced, coordinated, and devastating crimes. In addition, advanced targeted attacks against seemingly low level resources or employees without particularly sensitive roles or permissions can still open the door to vital information and huge consequences.
Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical; never let their urgency influence your careful review.
Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research: use a search engine to go to the real company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to 'help' restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine, to be sure you land where you intend to land. Hovering over links in an email will show the actual URL at the bottom, but a good fake can still steer you wrong.
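One way to automate the hover check in the last tip, as an added example that is not part of the original slides: the hypothetical helper below (Python standard library only) lists the anchors in an HTML email body whose visible text names one domain while the href actually lands on another, which is exactly the "good fake" the tip warns about.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Something that looks like a host name inside the visible link text.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def _host(url):
    """Host part of the href, lower-cased; scheme-less hrefs are treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_deceptive_links(html):
    """Return (visible_text, actual_host) for anchors whose displayed text names
    one host while the href really lands on a different one."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        m = _HOST_RE.search(text)
        if not m:
            continue  # "click here" style text: nothing to compare against
        shown, actual = m.group(1).lower(), _host(href)
        # A subdomain of the shown host (mail.example.com for example.com) is fine.
        if actual and actual != shown and not actual.endswith("." + shown):
            findings.append((text, actual))
    return findings

# Constructed sample: the second link shows the bank's domain but lands elsewhere.
SAMPLE_EMAIL = (
    '<p>Please <a href="https://www.example-bank.com/login">log in</a> or visit '
    '<a href="http://www.example-bank.com.lookalike.test/verify">'
    'https://www.example-bank.com/verify</a> within 24 hours.</p>'
)
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the second anchor, since the first one's text ("log in") names no host to compare against.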
Most common passwords
Consider a password manager: LastPass, 1Password, Dashlane
Don’t reuse passwords across sites
At least have categories of passwords
Important, semi-important, everything else -> for most sites "everything else" is fine
Two-factor authentication
Çanakkale Turkey (appeared in the movie Troy)
Trojans, Spyware, Ransomware
Antivirus
Firewalls
Be wary
Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control someone’s email account they prey on the trust of all of that person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend before opening links or downloading.
Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
Secure your computing devices. Install anti-virus software, firewalls and email filters, and keep them up to date. Set your operating system to update automatically, and if your smartphone doesn’t update automatically, update it manually whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or a third party to alert you to risks.