STRIDE Model Explains 6 Key Types of Cyber Threats
Published by: GrassDew IT Solutions
Just as no one can be sure what number will come up when you roll a die, it is difficult to predict which cyber-attack is on the way. The STRIDE model is a popular way of categorizing different types of threats in the cybersecurity world. It was introduced by Microsoft for the process of threat modeling, and it is very useful.
Authenticity, Integrity, Non-repudiability, Confidentiality, Availability and Authorization are the desired properties to look for in any cyber threat modeling process. All six of these key areas are covered by the STRIDE model.
S – Spoofing
T – Tampering
R – Repudiation
I – Information Disclosure
D – Denial of Service
E – Elevation of Privilege
Spoofing (Refers to Authenticity)
The first basic requirement is that users accessing any system must be identified and given authorization.
In spoofing attacks, cyber criminals use the credentials of legitimate users. The user may not even be aware that someone else is using his credentials. To avoid such threats, weak authentication mechanisms should be identified and improved. Many users keep simple passwords which are easy to guess, so implementing a strong password policy is one of the measures we can take to avoid spoofing attacks.
Tampering (Refers to Integrity)
In simple words, tampering means interfering with something in order to cause damage or make unauthorized alterations. In other words, only authorized users should be able to modify any system or data. If this is not maintained properly, an unauthorized user can delete or update data, functional elements, etc.
Repudiation (Refers to Non-repudiability)
Repudiation refers to how cybercriminals can delete or hide the malicious activities they have performed. For example, it should not be possible for anyone to erase the logs of activities performed. In such cyber-attacks, an unauthorized user can modify a log by spoofing the credentials of another user, or even modify the log in such a way that someone else becomes the victim.
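One way to make erased or edited log entries detectable, shown as an added example that is not part of the original article: each entry carries an HMAC over its own fields and the previous entry's MAC, and the latest MAC is kept as an anchor away from the logging host. The function names, the sample entries and the key are constructed for illustration; the sketch assumes the key is held by a separate logging service that the logged users cannot reach.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value used before the first entry

def _mac(key, prev_mac, record):
    # Each MAC covers the record AND the previous MAC, linking entries in order.
    body = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append_entry(log, key, user, action):
    record = {"seq": len(log), "user": user, "action": action}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({**record, "mac": _mac(key, prev_mac, record)})
    return log[-1]["mac"]  # caller stores this anchor off the logging host

def verify_log(log, key, anchor=None):
    """Walk the chain and return (ok, reason) for the first problem found."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry.get(k) for k in ("seq", "user", "action")}
        if record["seq"] != i:
            return False, f"entry {i}: sequence gap"
        if not hmac.compare_digest(_mac(key, prev_mac, record), str(entry.get("mac"))):
            return False, f"entry {i}: MAC mismatch"
        prev_mac = str(entry.get("mac"))
    # Deleting the newest entries leaves a valid chain; only the anchor shows it.
    if anchor is not None and not hmac.compare_digest(prev_mac, anchor):
        return False, "tail truncated"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"  # constructed value; assumed to live off-host
    log, anchor = [], None
    for user, action in [("alice", "login"), ("mallory", "delete invoice 17"), ("alice", "logout")]:
        anchor = append_entry(log, key, user, action)
    edited = copy.deepcopy(log)
    edited[1]["user"] = "alice"  # log rewritten so someone else appears responsible
    return {
        "intact": verify_log(log, key, anchor),
        "edited": verify_log(edited, key, anchor),
        "erased": verify_log(log[:1] + log[2:], key, anchor),
        "truncated": verify_log(log[:2], key, anchor),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain only proves that the log changed after it was written; keeping the key and the anchor on a separate system is what stops the person editing the log from recomputing the MACs.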
Information Disclosure (Refers to Confidentiality)
After a successful cyber-attack, most cybercriminals start gathering confidential information and then try to disclose it for different purposes such as blackmail. If you follow cyber news, you will be aware that even recent global cyber-attacks have had such goals. According to cyber news from the start of July 2020, the Sodinokibi gang began dark web celebrity data auctions. This group claims to be auctioning confidential legal data on pop stars Mariah Carey and Nicki Minaj and basketball player LeBron James. You can find many such cyber-attacks with similar goals.
Denial of Service (Refers to Availability)
What if you have your data but cannot access it, or it is not available to you? In recent cases, attackers have been interested in preventing regular users from accessing the system. Ransomware is one of the best examples: the user's data is encrypted by cyber criminals, who later demand money by blackmailing the users. According to ransomware attack news from July 2020, the threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from the Brazil-based electrical energy company Light S.A.
Elevation of Privilege (Refers to Authorization)
Being in the cybersecurity business, we always say that the human is the weakest link in any cyber-attack. Many times, cybercriminals use some technique to gain access to a few of the privileges their victim had. Later, they try to acquire additional privileges on the system by spoofing or tampering methods. You must have seen a few recent cases where an employee's credentials were compromised to carry out bigger cybercrimes later.
To summarize, these are the minimum six key areas which any organization should take care of to avoid potential cyber-threats.
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He did Executive Management (SJMSOM, IIT-Bombay), after Engineering in Electronics & Telecommunications, Mumbai. He is also certified for "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is lead contributor to GrassDewPanther @ LinkedIn which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot-seller on Amazon.