EoP Threat Suits - I (Information Disclosure)
Information Disclosure (I) is the fourth suit of threats in the STRIDE threat enumeration.
Information Disclosure describes any threat that allows an attacker (or accidentally causes a user) to see data which the application should not allow them to see. Accordingly, the characters on the cards are multi-coloured speech bubbles that indicate speech is occurring – even when you don’t want it to be.
Information Disclosure threats are generally countered through quality implementations of Authorisation (every path to the data, including logs, indexes and error messages, checks who is asking) and Cryptography (data is protected at rest and in transit, and the key material itself is protected).
Another valid way to mitigate Information Disclosure is to have nothing to disclose: this only works if all of your data is genuinely public (this Wiki is an example of what happens in this model!). Holding secret data, ignoring its secrecy and hoping that attackers will not try to access or read it is not a valid mitigation strategy.
The cards in the Information Disclosure suit are as follows:

Information Disclosure Suit

Value | Threat | Example / Mitigation
2 | An attacker can brute-force file encryption because there’s no defense in place (example defense: password stretching) | Example: Mitigation:
3 | An attacker can see error messages with security sensitive content | Example: Mitigation:
4 | An attacker can read content because messages (say, an email or HTTP cookie) aren’t encrypted even if the channel is encrypted | Example: Mitigation:
5 | An attacker may be able to read a document or data because it’s encrypted with a non-standard algorithm | Example: Mitigation:
6 | An attacker can read data because it’s hidden or occluded (for undo or change tracking) and the user might forget that it’s there | Example: Mitigation:
7 | An attacker can act as a ‘man in the middle’ because you don’t authenticate endpoints of a network connection | Example: Mitigation:
8 | An attacker can access information through a search indexer, logger, or other such mechanism | Example: Mitigation:
9 | An attacker can read sensitive information in a file with bad ACLs | Example: Mitigation:
10 | An attacker can read information in files with no ACLs | Example: Mitigation:
J | An attacker can discover the fixed key being used to encrypt | Example: Mitigation:
Q | An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn’t encrypted | Example: Mitigation:
K | An attacker can read network information because there’s no cryptography used | Example: Mitigation:
A | You’ve invented a new Information Disclosure attack | Example: Mitigation:
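The 2 card names password stretching as its example defence, and the J card is the related failure of deriving one fixed key for everything. The following is an added worked example (not text from the original page, and not code from the EoP game or its authors) that puts the two side by side in Python: a "before" that turns a password into a file key with a single unsalted SHA-256, so every file protected with the same password shares one fixed key and each guess costs the attacker one hash, and an "after" that uses PBKDF2-HMAC-SHA256 with a per-file random salt, so the key is unique per file and each guess costs the full iteration count. The wordlist, the victim password and the iteration count are constructed for the demo; the iteration count is a tuning parameter you set for your own hardware.

```python
import hashlib
import os
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. This number is an assumption for the demo
# (chosen to be in the range current guidance recommends); measure on your own
# hardware and raise it over time.
PBKDF2_ITERATIONS = 600_000


def weak_derive_key(password: str) -> bytes:
    """Cards 2 and J, 'before': one unsalted SHA-256 of the password.

    The result is a fixed key: the same password always yields the same key for
    every file, and an attacker pays one hash per guess (and can precompute).
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def stretched_derive_key(password: str, salt: bytes,
                         iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """'After': PBKDF2-HMAC-SHA256 with a per-file random salt.

    The salt makes the derived key unique per file (no fixed key to discover and
    no reusable precomputed table); the iteration count multiplies the cost of
    every guess. The salt is not secret and is stored next to the ciphertext.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def brute_force(target_key: bytes, candidates: Iterable[str],
                derive: Callable[[str], bytes]) -> Tuple[Optional[str], int]:
    """Dictionary attack: run each candidate through `derive` until the key matches.

    Returns (recovered_password_or_None, number_of_guesses_made).
    """
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if derive(candidate) == target_key:
            return candidate, guesses
    return None, guesses


# Constructed sample wordlist. The victim's password is the last entry so that
# both attacks make the same number of guesses and only the cost per guess differs.
WORDLIST = ["letmein", "password1", "qwerty", "dragon", "correcthorse"]
VICTIM_PASSWORD = "correcthorse"


def compare_attack_cost(iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Derive a file key both ways, attack both with the same wordlist and report
    the guesses made and the wall-clock time each attack took."""
    salt = os.urandom(16)  # per-file salt; would be stored alongside the ciphertext
    weak_key = weak_derive_key(VICTIM_PASSWORD)
    strong_key = stretched_derive_key(VICTIM_PASSWORD, salt, iterations)

    t0 = time.perf_counter()
    weak_found, weak_guesses = brute_force(weak_key, WORDLIST, weak_derive_key)
    weak_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    strong_found, strong_guesses = brute_force(
        strong_key, WORDLIST,
        lambda candidate: stretched_derive_key(candidate, salt, iterations))
    strong_seconds = time.perf_counter() - t0

    return {
        "weak_found": weak_found,
        "weak_guesses": weak_guesses,
        "weak_seconds": weak_seconds,
        "strong_found": strong_found,
        "strong_guesses": strong_guesses,
        "strong_seconds": strong_seconds,
        "slowdown_factor": (strong_seconds / weak_seconds
                            if weak_seconds > 0 else float("inf")),
    }


if __name__ == "__main__":
    report = compare_attack_cost()
    print(f"unsalted SHA-256: recovered {report['weak_found']!r} in "
          f"{report['weak_guesses']} guesses, {report['weak_seconds']:.6f}s")
    print(f"PBKDF2 ({PBKDF2_ITERATIONS} iterations): recovered {report['strong_found']!r} "
          f"in {report['strong_guesses']} guesses, {report['strong_seconds']:.3f}s")
    print(f"attacker slowdown: roughly {report['slowdown_factor']:.0f}x per guess")
```

Two points the numbers make clear: stretching does not rescue a password that is in the attacker's dictionary (both attacks recover it), it only multiplies the cost of each guess, so it buys time and must be paired with a password that is not guessable in that time; and the salt removes the fixed key of the J card, because two files protected by the same password now have different keys and the attacker must repeat the whole effort per file. A real password-based file format would also use an authenticated cipher with the derived key, which this example does not cover, and newer memory-hard functions (scrypt via hashlib.scrypt, or Argon2id) are preferable to PBKDF2 when available.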
[When completed, each card description above will link to a copy of the card, along with examples of the threat and some specific mitigation steps. Point to Patterns & Practices documents, excerpts from Writing Secure Code, etc., where possible. Emphasise that the information is already out there, so that dev teams widen their horizons.]
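The 9 and 10 cards (a file with bad ACLs, a file with no ACLs) are the ones a developer can most easily check for on a running system. As an added example (not from the original page, and not code from the EoP game or its authors), the Python below audits a directory tree in POSIX terms, treating the mode bits as the ACL: a secret file whose mode grants group or world read is the 9 card, and a file left at 0666 because nothing ever set a mode on it is the practical equivalent of the 10 card. The set of filename suffixes that marks a file as sensitive, and the sample files, are assumptions constructed for the demo; a real audit would take its list of sensitive paths from the threat model. On Windows the equivalent check is a DACL that grants Everyone read, or a null DACL, which this code does not examine.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Assumption for the demo: files with these suffixes hold secrets. A real audit
# would derive this list from the data-flow diagram, not from file names.
SENSITIVE_SUFFIXES = (".key", ".pem", ".env")


def audit_file_mode(path: str) -> List[str]:
    """Report which permission bits on `path` grant access to principals other
    than the owner. An empty list means only the owner can read or write it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")  # tampering as well as disclosure
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and return {relative_path: findings} for every sensitive file
    whose mode grants access beyond the owner. Non-sensitive files are skipped."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SENSITIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            findings = audit_file_mode(path)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_demo_tree() -> str:
    """Constructed sample data: a temporary directory holding files with the
    modes a real deployment might end up with. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="eop_info_disclosure_")
    samples = {
        "server.key": 0o600,     # correct: owner read/write only
        "ca-bundle.pem": 0o644,  # card 9: an ACL exists, but it is too generous
        ".env": 0o666,           # card 10: effectively no ACL, anyone can read and write
        "notes.txt": 0o644,      # not a secret under this demo's naming rule, so ignored
    }
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("placeholder content for the demo\n")
        os.chmod(path, mode)
    return root


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree, audit it and clean up; returns the audit findings."""
    root = build_demo_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel_path, findings in sorted(run_demo().items()):
        print(f"{rel_path}: {', '.join(findings)}")
```

Two caveats for anyone turning this into a real check: a permissive parent directory can expose a file whose own mode looks fine (walk directory modes too), and the mode bits say nothing about who the owner and group actually are, so a 0640 key owned by the wrong group is still a 9 card.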