In a threat modeling meeting, the development team identified a couple of attack vectors. Most of them appear in the OWASP Top 10. Which of the following should be done first to address the attack surface?
A. Prioritize and sort the attack vectors
B. Calculate the risk exposure of each attack vector
C. Submit a change request to revise the architectural design
D. Evaluate and determine the scope of the attack surface to be addressed
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Calculate the risk exposure of each attack vector.
Prioritization needs to be based on some criteria. It’s common to prioritize risk based on risk exposure, which takes both the likelihood and the impact of a risk into consideration. For example, a risk with a 70% likelihood and $100,000 of estimated loss results in a risk exposure of $70,000.
The following is the suggested sequence:
- Calculate the risk exposure of each attack vector
- Prioritize and sort the attack vectors
- Evaluate and determine the scope of the attack surface to be addressed
- Submit a change request to revise the architectural design
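The first three steps of that sequence, worked through in code as an added example (not part of the original post): the attack vectors, their likelihood and impact figures, and the $50,000 risk-appetite threshold are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackVector:
    name: str
    likelihood: float  # estimated probability of a successful attack, 0.0..1.0 (assumed)
    impact: float      # estimated loss per occurrence, in dollars (assumed)

    def exposure(self) -> float:
        # Risk exposure = likelihood x impact, the same arithmetic as the
        # post's example: 70% x $100,000 = $70,000.
        return self.likelihood * self.impact


# Constructed sample vectors; the numbers are illustrative, not from any real assessment.
SAMPLE_VECTORS = [
    AttackVector("SQL injection in login form", 0.70, 100_000),
    AttackVector("Broken access control on admin API", 0.40, 250_000),
    AttackVector("Outdated TLS library on gateway", 0.20, 50_000),
    AttackVector("Verbose error pages (information leak)", 0.90, 5_000),
]


def prioritize(vectors):
    """Steps 1 and 2: calculate the exposure of each vector, then sort descending."""
    return sorted(vectors, key=lambda v: v.exposure(), reverse=True)


def scope(vectors, exposure_threshold):
    """Step 3: the scope to address is every vector whose exposure meets or
    exceeds the threshold (the organization's risk appetite), in priority order."""
    return [v for v in prioritize(vectors) if v.exposure() >= exposure_threshold]


if __name__ == "__main__":
    for v in prioritize(SAMPLE_VECTORS):
        print(f"{v.name:45s} exposure = ${v.exposure():>10,.0f}")
    print("In scope:", [v.name for v in scope(SAMPLE_VECTORS, 50_000)])
```

Note that the vector with the highest likelihood (verbose error pages, 90%) ranks last once impact is factored in, which is why exposure, not likelihood alone, drives the ordering.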
In threat modeling, a threat scenario can be expressed as an attack vector, which is “a segment of the entire pathway that an attack uses to access a vulnerability.” (NIST SP 800-154)
Attack surfaces of information systems are “exposed areas that make those systems more vulnerable to cyber attacks.” (NIST SP 800-53 R4)
The exposed areas are accessible areas, typically the interfacing points of input and output, where weaknesses or deficiencies in information systems provide opportunities for adversaries to exploit vulnerabilities.
In short, the attack surface is the sum of the identified attack vectors.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
In a threat modeling meeting, the development team identified several attack vectors. Most of them appear in the OWASP Top 10. Which of the following should be done first to address the attack surface?
B. Calculate the risk exposure of each attack vector
D. Evaluate and determine the scope of the attack surface to be addressed