From the course: Learning Threat Modeling for Security Professionals
Repudiating an order
- The R in STRIDE stands for repudiation. Repudiation is a little different from the other STRIDE threats. It's an uncommon word, and it means disclaiming, denying, or in any way saying you're not responsible for something. Saying "I didn't get your email" is an act of repudiation. These threats are also a bit closer to the human meaning or impact than the other threats. Let's say an attacker succeeded at putting unauthorized ads into Topsy Turvy's account. When the bakery looks at their monthly bill, they'll notice ads that don't look like theirs, and they'll repudiate. What happens next? Does Red 30 have a complaint mechanism that allows the issue to be tracked and managed, or will a complaint spawn a million email threads? When an investigation starts, have the right things been logged? Logs are a way to look into what's already happened, and it's hard to add them after the fact. Do the logs show security events…
Contents
- Spoofing a specific server (4m 30s)
- Tampering with a file (3m 15s)
- Interlude: Scope and timing (2m 15s)
- Repudiating an order (4m 10s)
- Information disclosure (2m 45s)
- Denial of service (3m 35s)
- Elevation of privilege (2m 34s)
- Expansion of authority (3m 2s)