From the course: Learning Threat Modeling for Security Professionals

Information disclosure

- The I in STRIDE stands for information disclosure. For example, if someone logs in to the portal to upload ads from a coffee shop, can anyone in that coffee shop see their username and password? Usernames and passwords are supposed to be secret, just like the contents of a new ad campaign. Come on, admit it, isn't that really why you watched the Super Bowl? Contents of logs are also confidential. Who's being shown ads may reveal details of Red30's proprietary StickyEye tracking technology, and more of those details are accessible on the media server. Each of these secrets needs to be kept a secret relative to different audiences. No customer gets to learn about StickyEye. Each customer can only see their own specific metrics, and they can't have access to other customers' success rates. On the network, the best confidentiality comes via cryptography. In fact, cryptography is the best way to protect every secret, but then you have to manage keys, and that's complicated. TLS mostly…
