
Threat Modeling: Denial of Service and Expansion of Authority

Adam Shostack

46:09

  • 001 Let me interrupt you.mp4
    00:50
  • 002 STRIDE and the four question framework.mp4
    01:59
  • 001 DoS in context.mp4
    01:03
  • 002 Attackers fill networks.mp4
    01:31
  • 003 How attackers redline your CPU.mp4
    02:20
  • 004 How attackers fill storage.mp4
    01:34
  • 005 How attackers spend your budget.mp4
    01:19
  • 006 How attackers drain your battery.mp4
    01:04
  • 001 Persistence and transience of DoS.mp4
    01:07
  • 002 Naïve to clever Understanding DoS.mp4
    02:28
  • 003 Amplified or native Two modes of DoS.mp4
    02:03
  • 001 Mobile and IoT denial of service.mp4
    01:13
  • 002 Cloud denial of service.mp4
    01:20
  • 001 Designing for resilience.mp4
    01:30
  • 002 Quantity as a defense.mp4
    00:46
  • 001 What is elevation of privilege .mp4
    01:18
  • 002 Input corrupts.mp4
    01:46
  • 003 Main forms of corrupt input.mp4
    02:52
  • 001 Ways to defend against EOP.mp4
    01:10
  • 002 Validation to defend against elevation.mp4
    01:32
  • 003 Validate for purpose to prevent elevations.mp4
    01:56
  • 004 Validation not sanitization for defense.mp4
    01:13
  • 005 Attenuation in defense.mp4
    02:14
  • 006 Memory safety as a defensive tool.mp4
    02:01
  • 007 Stack canaries to protect your code.mp4
    02:20
  • 008 Sandboxes and isolation protect your environment.mp4
    02:08
  • 009 Bolt-on or built-in defenses.mp4
    01:26
  • 001 Making great strides.mp4
    02:06
  • Description


    In this installment of Adam Shostack’s Threat Modeling series covering the STRIDE threat modeling framework, Adam goes over the D and E parts of the framework: denial-of-service and elevation-of-privilege. For both threats, Adam digs deep into two main questions: “What can go wrong?” and “What are we going to do about it?” He details the many targets of denial-of-service attacks like storage, memory, CPU bandwidth, and budget. Adam explains how elevation-of-privilege exists in basically any running code. He then goes over structured methods for ensuring that your systems are resistant to the various types of DoS attacks and elevation-of-privilege attacks. These attacks affect all manner of systems, and understanding how they work and how to combat them is an essential part of a comprehensive approach to cybersecurity.

    Adam Shostack
    I'm an entrepreneur, technologist, author and game designer, focused on improving security outcomes for my customers and the industry as a whole. To solve these problems, I create a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games and other forms of communication. I've built these at tiny startups and at Microsoft. In my time at Microsoft, I focused on human factors in security, including usable security and measuring how our customers' computers are compromised. I also worked on threat modeling tools and techniques, and have shipped two tools (one software, one a card game) to help software engineers analyze their software designs for security flaws. In that role, I was a key driver for Microsoft's Software Development Lifecycle. I'm the author of Threat Modeling: Designing for Security (Wiley, 2014) and the co-author of The New School of Information Security (Addison-Wesley, 2008). Before Microsoft, I was a leader in 3 successful startups, including Netect (vulnerability management), Zero-Knowledge Systems (privacy) and Reflective (software security). I also helped drive the CVE project, launch the International Financial Cryptography Association and the Privacy Enhancing Technologies Symposium. Specialties: Information security and privacy, especially at the intersection of technology and people. Serious games. Systems design and architecture. User experience design.
    LinkedIn Learning is an American online learning provider. It provides video courses taught by industry experts in software, creative, and business skills. It is a subsidiary of LinkedIn. All the courses on LinkedIn fall into four categories: Business, Creative, Technology and Certifications. It was founded in 1995 by Lynda Weinman as Lynda.com before being acquired by LinkedIn in 2015. Microsoft acquired LinkedIn in December 2016.
    • language english
    • Training sessions 28
    • duration 46:09
    • Release Date 2025/02/26
