Threat Modeling and Incident Management Flashcards
Self note: from minute 9:00 of this video and onward until the next quiz, I'm just gonna try absorbing as much information as I can w/out taking notes as a way of maybe decreasing my overall workload. So, if this doesn't work out, you know where you left off: 9 minutes into Lecture: Threat Modeling and Incident Management.
Threat modeling definition:
Threat modeling is an assessment approach used to analyze the security of an application. It is useful for identifying threats to the application, discovering application vulnerabilities, and improving the application’s security.
Note: if an application is found to be insecure, there isn't much to do except stop using it entirely, unless it is only unsafe when used in a particular way, in which case it should no longer be used in that way (or the unsafe path should be blocked by controls outside the app, e.g. restricting who can reach it).
If your company created the application or you have access to its source code (so fundamental issues in its security can actually be fixed), then consider whether it is worth investing the resources required to revise the application.
Steps of threat modeling:
(always to be used loosely)
(this is purely a guiding template)
1: IDENTIFY SECURITY OBJECTIVES
ex. protect data in transit
ex. app must be w/in compliance requirements set by government or company
ex. App fits to quality of service requirements (does as it is advertised)
2: CREATE APPLICATION OVERVIEW
Look at the application's individual components, understand its purpose and its capabilities, and know the nature of the data that passes to, from, and through the application.
You do not strictly need the application's source code to complete the overview: it can be built from a client's perspective (what the app exposes, what data it accepts, and what it returns).
3: DECOMPOSE APPLICATION
Find which component(s) of the application perform which task(s).
4: IDENTIFY THREATS
Using the decomposition, ask what an attacker could do to each component and each data flow (e.g. intercept data in transit, impersonate a component, misuse a capability). A threat is what could go wrong, regardless of whether the app currently allows it.
5: IDENTIFY VULNERABILITIES
Check each threat against the application as built: where is the control that should stop it missing or weak? Those gaps are the vulnerabilities, and they are what you rank and fix.
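Steps 2 to 5 as a small script, added here as a worked example (it is not from the lecture). The web shop, its components, trust zones and data flows are all invented for the example; the only objective it checks is the lecture's own step 1 example, "protect data in transit", plus sender authentication. The rule "a sensitive flow that crosses a trust zone can be intercepted or spoofed" is the example's simplification of threat identification, not a complete method.

```python
from dataclasses import dataclass

# Data kinds the sample app handles that an attacker would want (assumption for the example).
SENSITIVE = {"credentials", "session token", "card numbers"}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str          # trust zone: "internet", "dmz" or "internal"
    tasks: tuple       # step 3: which task(s) this component performs


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool      # data in transit is protected (TLS or similar)
    authenticated: bool  # the receiver verifies who sent it


# Step 2: application overview of a hypothetical web shop, built from the outside
# (no source code needed; this is what a client can observe).
COMPONENTS = {
    "browser": Component("browser", "internet", ("render UI",)),
    "web":     Component("web", "dmz", ("serve pages", "terminate TLS")),
    "api":     Component("api", "internal", ("authentication", "checkout")),
    "db":      Component("db", "internal", ("store orders", "store card numbers")),
}
FLOWS = [
    Flow("browser", "web", "credentials", encrypted=True, authenticated=True),  # login form over HTTPS
    Flow("web", "api", "session token", encrypted=False, authenticated=True),  # plain HTTP between zones
    Flow("api", "db", "card numbers", encrypted=False, authenticated=True),    # same zone, DB login
]


def who_performs(task, components=COMPONENTS):
    """Step 3: decomposition, map a task to the component(s) that perform it."""
    return [c.name for c in components.values() if task in c.tasks]


def crosses_boundary(flow, components=COMPONENTS):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return components[flow.src].zone != components[flow.dst].zone


def identify_threats(flows=FLOWS, components=COMPONENTS):
    """Step 4: sensitive data crossing a trust boundary can be intercepted or spoofed.

    Same-zone flows are deliberately not flagged by this toy rule; widen it if the
    zone itself is not trusted (e.g. card numbers travelling in the clear to the DB).
    """
    threats = []
    for f in flows:
        if f.data in SENSITIVE and crosses_boundary(f, components):
            threats.append(("interception", f))
            threats.append(("spoofing", f))
    return threats


def identify_vulnerabilities(threats):
    """Step 5: a threat is a vulnerability when the control that should block it is missing."""
    vulns = []
    for kind, f in threats:
        if kind == "interception" and not f.encrypted:
            vulns.append(f"{f.data} {f.src}->{f.dst}: unencrypted across a trust boundary "
                         "(violates objective: protect data in transit)")
        if kind == "spoofing" and not f.authenticated:
            vulns.append(f"{f.data} {f.src}->{f.dst}: receiver does not verify the sender")
    return vulns


if __name__ == "__main__":
    print("authentication is done by:", who_performs("authentication"))
    for v in identify_vulnerabilities(identify_threats()):
        print("VULN:", v)
```

Running it lists one vulnerability, the unencrypted session token between the DMZ and the internal zone: two threats were raised for each boundary-crossing flow, but only the one with no matching control survives as a vulnerability. The same encoding of components and flows is what you would extend as the overview grows.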
Incident management definition:
Incident management refers to the process of identifying, analyzing, prioritizing, and solving security incidents.
(a problem arises and you solve it).
Steps of incident management:
again, always just to be used as a general guideline. You gotta keep flexible, don't limit yourself
1: PREPARATION FOR INCIDENT HANDLING AND RESPONSE
- in advance: how will you react to something that happens?
- not having a decent level of preparedness for threatening contingencies wastes a lot of time and lets an attack do far more damage than it otherwise would have
- stay paranoid, buddy-boy
2: DETECTION AND ANALYSIS
- to act on an issue, you first need to detect the issue
- the second thing you need to do is understand the nature of the issue (through analysis) in order to come up with a proper solution
3: CATEGORIZATION AND PRIORITIZATION
- is the issue something that needs to be dealt with immediately, or do we have bigger things to worry about?
4: REPORTING
- notify all personnel who may be affected by this incident or may be able to help solve the issue
5: CONTAINMENT
- think of the issue like a virus or plague: as you search for a cure or solution, you should also make extensive efforts to contain the further spread of the infection
- essentially, keep the issue from doing as much damage as you possibly can
6: FORENSIC INVESTIGATION
- how did it happen?
- why did it happen?
- was it accidental or malicious?
- etc.
- and now, what is our solution?
7: RECOVERY
- recover from what’s occurred
8: POSTINCIDENT ACTIVITIES
- log the incident
- what was it?
- how did it take place?
- how did you react to it?
- how can we keep it from happening again?
- + anything else that may be noteworthy
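A toy version of the steps above run over a constructed auth log, added here as an example and not from the lecture. Steps 2 to 5 and the step 8 record are automated; steps 6 and 7 (forensics and recovery) are human work and only appear as fields to fill in. The log lines, hostname, PIDs, the IPs (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the four-failure threshold are all made up.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (not real traffic).
SAMPLE_LOG = """\
Jan 10 09:12:01 web1 sshd[4101]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Jan 10 09:12:03 web1 sshd[4101]: Failed password for admin from 203.0.113.5 port 51236 ssh2
Jan 10 09:12:05 web1 sshd[4101]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 09:12:07 web1 sshd[4101]: Failed password for deploy from 203.0.113.5 port 51240 ssh2
Jan 10 09:12:09 web1 sshd[4102]: Accepted password for deploy from 203.0.113.5 port 51242 ssh2
Jan 10 09:15:00 web1 sshd[4110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 09:15:02 web1 sshd[4110]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jan 10 09:15:04 web1 sshd[4110]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Jan 10 09:15:06 web1 sshd[4110]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Jan 10 09:20:00 web1 sshd[4120]: Accepted publickey for bob from 192.0.2.10 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Step 1 (preparation): the trigger is decided before anything happens, not mid-incident.
FAILURE_THRESHOLD = 4


def detect(log_text, threshold=FAILURE_THRESHOLD):
    """Step 2, detection: group auth events by source and keep sources at/over the threshold."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_source[m["ip"]].append((m["ts"], m["result"], m["user"]))
    return {ip: evs for ip, evs in by_source.items()
            if sum(1 for _ts, result, _user in evs if result == "Failed") >= threshold}


def analyze(ip, events):
    """Step 2, analysis: who was targeted, and did any guess actually succeed?"""
    return {
        "source": ip,
        "failed_users": sorted({u for _, r, u in events if r == "Failed"}),
        "compromised_users": sorted({u for _, r, u in events if r == "Accepted"}),
        "first_seen": events[0][0],
        "last_seen": events[-1][0],
    }


def categorize(analysis):
    """Step 3: a guess that landed is an account compromise and outranks plain brute force."""
    if analysis["compromised_users"]:
        return "account compromise", 1
    return "brute force", 3


def containment_actions(analysis, category):
    """Step 5: limit further damage while the investigation runs (returned as data, not executed)."""
    actions = [f"block {analysis['source']} at the firewall"]
    if category == "account compromise":
        actions += [f"disable account {u} and kill its sessions" for u in analysis["compromised_users"]]
    return actions


def handle(log_text):
    """Run steps 2-5, build the step 8 record, and return incidents most urgent first."""
    incidents = []
    for ip, events in detect(log_text).items():
        analysis = analyze(ip, events)
        category, priority = categorize(analysis)
        incidents.append({
            "priority": priority,
            "category": category,
            "analysis": analysis,
            # step 4: who needs to know; account owners only when an account was taken
            "report_to": ["on-call SOC"] + (["account owners"] if analysis["compromised_users"] else []),
            "containment": containment_actions(analysis, category),
            # steps 6/7 are filled in by people; step 8 record starts from what we already know
            "forensics": None,
            "recovery": None,
            "postincident": {
                "what": category,
                "how": f"{len(analysis['failed_users'])} username(s) tried from {ip} "
                       f"between {analysis['first_seen']} and {analysis['last_seen']}",
                "prevent": "rate-limit SSH auth failures per source"
                           + (" and require key-based logins" if category == "account compromise" else ""),
            },
        })
    return sorted(incidents, key=lambda i: i["priority"])


if __name__ == "__main__":
    for inc in handle(SAMPLE_LOG):
        print(inc["priority"], inc["category"], inc["analysis"]["source"], inc["containment"])
```

The ordering is the point of step 3: the source that guessed a real password comes out first, with its containment list including the account disable, while the source that only failed is a lower-priority block. The successful publickey login from a third IP never becomes an incident because it has no failures behind it.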