What is the STRIDE threat model?
Are you preparing for IT certification? With practice questions, study notes, interactive quizzes, tips and technical articles, uCertify PrepKits ensure that you get a solid grasp of core technical concepts to
ace your certification exam in first attempt.
The STRIDE threat model is a security threat modeling technique used to identify and categorize threats that an application may have to encounter. Each letter of the word STRIDE denotes a particular type of security threat. This threat model helps a developer identify vulnerabilities and certain potential attacks. STRIDE is an acronym that stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Each of these is described below:
- S - Spoofing identity: In spoofing, a distrusted user uses the identity of some trusted user by obtaining the user's username and password in order to access restricted areas of information. The distrusted user can even send emails to individuals that may appear to have come from a trusted user.
- T - Tampering with data: Data tampering means modification of data, maliciously or accidentally, by some unauthorized user. There are some cases in which a user deletes some data files accidentally on the network or makes some unnecessary changes in a database.
- R - Repudiation: Repudiation refers to performing any illegal operation in a system, with malicious intention, without the knowledge of the system administrator or the security agent.
- I - Information disclosure: Information disclosure refers to those data that have been exposed to unauthorized users. For example, a non-privileged user has the ability to view data containing some confidential information such as credit card number.
- D - Denial of service: Denial of service refers to a particular network that becomes unavailable when there is huge amount of network traffic at its interfaces. It becomes a security attack when a server is overloaded with spurious requests. When the server is strained by fake requests, the legitimate users are denied the services that the target computer provides.
- E - Elevation of privilege: In this type of threat, a user can have access to some higher privileges that the system administrator has not provided to him. In this way, the user can have the opportunity to access every possible area of data in which he has no access privileges.
Other articles
