Tuesday, January 8, 2019

Spoofing Threat - Week 5

From the readings and lessons of the last couple of weeks, I had a chance to learn about the STRIDE model.  This model was developed by Microsoft in order to help security engineers understand and classify all possible threats.  Each letter of STRIDE represents one type of threat, as follows:

S stands for Spoofing, which is an act of pretending to be something or someone you're not.

T stands for Tampering, which is an act of modifying something you're not supposed to modify.

R stands for Repudiation, which is an act of claiming you didn't do something.

I stands for Information Disclosure. It is the exposure of information to people who are not authorized to see it.

D stands for Denial of Service.  It is a type of attack that prevents valid users from accessing the system, typically by flooding the system until its resources run so low that it can no longer serve valid users or even tell valid requests from invalid ones.

E stands for Elevation of Privilege.  It is the threat of a program, or any person or operation within the company, being able to do things that it is not supposed to do.

In this particular post, I am going to talk about the first threat, which is the Spoofing threat.  As I have mentioned above, Spoofing is the threat of someone pretending to be something or someone they are not.  Most security systems rely on the identification and authentication of users.  How can the security system tell if a user is a valid user?  For example, when student A uses the login credentials of student B to log into the class website, the security system would not be able to identify the valid user in this case.  I would say the security system would fail.

We are living in the age of technology now, and this helps many businesses expand their businesses and services and increase the number of customers quickly and successfully.  For example, we see so many companies taking advantage of technology to let customers shop online.  Amazon is one of the most successful examples.  Almost every other big brand has also expanded its business and services through online service as well, such as BestBuy, Walmart, Target, Sears, and many universities too.  Twenty years ago, online classes might not have been available, but now they are common and help both students and professors to learn and teach at their most convenient time.  Now, here is a different type of Spoofing threat that I would like to bring up and challenge all the universities with, including Bellevue University.

How are you going to know if the student who is taking an online class is really the one who does all the assignments, quizzes, and exams?  For example, a student can "hire" someone to do all the work for them; this includes the weekly posting, assignments, and tests.  When hiring someone to do the work for them, the students give their login credentials to the person they hire so that this person can log into the class website and perform all the work.  In this case, how are the school, the security system, and the professors able to identify whether the user is valid and authorized to log into the website and perform the work?
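One signal a school's security system can actually observe in this scenario is the login activity itself: when two different people use one account, the sessions tend to arrive from different devices and networks, sometimes at the same time. The following is an added example, not code from the original post or from Bellevue University's systems, that scans constructed authentication log lines for exactly that pattern. The log format, the field names, the one-hour window and the sample accounts are all assumptions made for the illustration.

```python
"""
Added example (not from the original post): a small heuristic that looks for
signs of shared login credentials in an authentication log.  An account is
flagged when two of its logins inside a short window come from both a
different source IP and a different device fingerprint.  All log lines,
field names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, device fingerprint.
# studentB logs in from two different networks and devices one minute apart,
# which is the pattern a shared account produces.
SAMPLE_LOG = """\
2019-01-07T08:02:11Z studentA 203.0.113.10 ua-7f3a
2019-01-07T08:40:53Z studentA 203.0.113.10 ua-7f3a
2019-01-07T09:05:19Z studentB 198.51.100.7 ua-1c9e
2019-01-07T09:06:40Z studentB 192.0.2.44 ua-b2d4
2019-01-07T11:30:02Z studentB 198.51.100.7 ua-1c9e
2019-01-08T02:14:27Z studentB 192.0.2.44 ua-b2d4
2019-01-08T10:00:00Z studentC 203.0.113.77 ua-0a0a
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, device) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, device))
    return events


def device_counts(events):
    """Distinct device fingerprints seen per account over the whole log."""
    seen = defaultdict(set)
    for _, user, _, device in events:
        seen[user].add(device)
    return {user: len(devices) for user, devices in seen.items()}


def find_shared_accounts(events, window=timedelta(hours=1)):
    """Return {account: [reason, ...]} for accounts with two logins inside
    `window` that differ in both source IP and device fingerprint.  Sessions
    from one person usually keep at least one of those two stable."""
    by_user = defaultdict(list)
    for ts, user, ip, device in sorted(events):
        by_user[user].append((ts, ip, device))

    findings = defaultdict(list)
    for user, sessions in by_user.items():
        for i, (ts_i, ip_i, dev_i) in enumerate(sessions):
            for ts_j, ip_j, dev_j in sessions[i + 1:]:
                if ts_j - ts_i > window:
                    break  # sessions are time-ordered; nothing later fits
                if ip_j != ip_i and dev_j != dev_i:
                    findings[user].append(
                        f"{ts_i.isoformat()} {ip_i}/{dev_i} and "
                        f"{ts_j.isoformat()} {ip_j}/{dev_j} within {window}"
                    )
    return dict(findings)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for account, reasons in find_shared_accounts(evts).items():
        print(f"possible credential sharing on {account}:")
        for reason in reasons:
            print("  ", reason)
```

A finding like this is a reason to ask questions, not proof of misconduct: a student who switches from a phone on mobile data to a laptop on campus Wi-Fi will trip the same rule, so the threshold and the follow-up (for example, the webcam check described later in this post) have to be chosen by the school, not by the script.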

I bring this concern up and ask you, as a reader, a question.  Do you think this is a Spoofing threat?  If you think it is a Spoofing threat, then what do you think are the best ways to defend against it?  When I was thinking about this threat, I had two different thoughts.  First, an online class might not reflect the true quality and value of the students.  Second, the online program has some security holes.  With that, how do you think these security issues should be fixed?

Here is just one way to fix this security threat that I could think of.  Each week, a professor can schedule a 30-minute online face-to-face meeting with students through webcam to review and test the student.  I personally like the SYNC & Telephone meeting option that the Writing Center has.  This option allows students and the Writing Center staff to talk face to face about the papers.  Bellevue University should also make this option available for professors and students to meet online face to face and review the material.  The professors can use the SYNC & Telephone meeting option to test students on the lessons that they teach.  When taking exams, students would also need to log into the SYNC & Telephone meeting to do the test with verification from the professor or any staff from the school.

Above is one specific Spoofing threat, which might be very different from the Spoofing threats of information technology. Do you think it is a Spoofing threat? It could be a threat that I am not sure the school and professors have ever thought about.  I hope this threat never happens, but if it does, how could the school handle it?

Reference:

Shostack, Adam. Threat Modeling: Designing for Security (p. 10). Wiley. Kindle Edition.
