In this video, discover three types of information disclosure: content, metadata, and privacy.
- The I in STRIDE stands for information disclosure.…For example, if someone logs in to the portal…to upload ads from a coffee shop,…can anyone in that coffee shop see…their username and password?…Usernames and passwords are supposed to be secret,…just like the contents of a new ad campaign.…Come on, admit it,…isn't that really why you watched the Super Bowl?…Contents of logs are also confidential.…Who's being shown ads may reveal details…of Red30's proprietary StickyEye tracking technology…and more of those details are accessible…on the media server.…
Each of these secrets needs to be kept a secret relative…to different audiences.…No customer gets to learn about StickyEye.…Each customer can only see their own specific metrics…and they can't have access…to other customers' success rates.…On the network,…the best confidentiality comes via cryptography.…In fact cryptography is the best way…to protect every secret,…but then you have to manage keys,…and that's complicated.…TLS mostly handles key management for you.…
Within a system, it can be easier to use permissions.…
Author
Adam Shostack
Released
1/2/2019Skill Level Intermediate
Duration
Views
-
Introduction
-
Why would you threat model?1m 46s
-
1. The Four Question Framework
-
What are we working on?1m 47s
-
What can go wrong?3m 35s
-
Did we do a good job?3m 29s
-
-
2. STRIDE
-
Spoofing a specific server4m 30s
-
Tampering with a file3m 15s
-
Interlude: Scope and timing2m 15s
-
Repudiating an order4m 10s
-
Information disclosure2m 45s
-
Denial of service3m 35s
-
Elevation of privilege2m 34s
-
-
Conclusion
-
Next steps1m 12s
-
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.
Share this video
Embed this video
Video: Information disclosure