As a CISSP working for a direct bank based in Taiwan that relies entirely on internet banking, you are participating in a development meeting for threat modeling the customer relationship management (CRM) system, a web application. A member identifies an attack vector that malicious users might manipulate query parameters in the URL resulting in a server buffer overflow. Which of the following should be conducted first?
A. Replace the static array as the buffer with a dynamic one
B. Refer to OWASP Top 10 for suggested solutions
C. Evaluate how easy for a malicious user to make it
D. Authenticate every user input
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Evaluate how easy for a malicious user to make it.
Threat modeling in nature is a practice of risk management, so it follows the basic risk management processes:
- risk identification
- risk analysis
- risk evaluation
- risk response
An attack vector is a threat or a risk, that should be analyzed before taking any actions to handle it. DREAD is a typical means used to analyze a threat in threat modeling.
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it to discover the threat?
Evaluating how easy for a malicious user to make it is part of the DREAD analysis.
Other options A, B, and D are actions to handle risks.
References
- Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model
- DREAD (risk assessment model)