Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Threat Modeling Gameplay with EoP
  • Table Of Contents Toc
  • Feedback & Rating feedback
Threat Modeling Gameplay with EoP

Threat Modeling Gameplay with EoP

By : Brett Crawley
4.9 (7)
Buy this Book
close
close
Threat Modeling Gameplay with EoP

Threat Modeling Gameplay with EoP

4.9 (7)
By: Brett Crawley
Buy this Book

Overview of this book

Are you looking to navigate security risks, but want to make your learning experience fun? Here's a comprehensive guide that introduces the concept of play to protect, helping you discover the threats that could affect your software design via gameplay. Each chapter in this book covers a suit in the Elevation of Privilege (EoP) card deck (a threat category), providing example threats, references, and suggested mitigations for each card. You’ll explore the methodology for threat modeling—Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of Privilege (S.T.R.I.D.E.) with Privacy deck and the T.R.I.M. extension pack. T.R.I.M. is a framework for privacy that stands for Transfer, Retention/Removal, Inference, and Minimization. Throughout the book, you’ll learn the meanings of these terms and how they should be applied. From spotting vulnerabilities to implementing practical solutions, the chapters provide actionable strategies for fortifying the security of software systems. By the end of this book, you will be able to recognize threats, understand privacy regulations, access references for further exploration, and get familiarized with techniques to protect against these threats and minimize risks.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
Free Chapter
1
Chapter 1: Game Play
chevron up
Icon
Chapter 1: Game Play
Icon
What you’ll need to play the EoP game
Icon
Who should participate?
Icon
How to play EoP
Icon
Summary
2
Chapter 2: Spoofing
Icon
Chapter 2: Spoofing
Icon
2. of Spoofing
Icon
3. of Spoofing
Icon
4. of Spoofing
Icon
5. of Spoofing
Icon
6. of Spoofing
Icon
7. of Spoofing I
Icon
7. of Spoofing II
Icon
8. of Spoofing
Icon
9. of Spoofing I
Icon
9. of Spoofing II
Icon
10. of Spoofing
Icon
Jack of Spoofing
Icon
Queen of Spoofing I
Icon
Queen of Spoofing II
Icon
King of Spoofing I
Icon
King of Spoofing II
Icon
Ace of Spoofing I
Icon
Ace of Spoofing II
Icon
Ace of Spoofing III
Icon
Ace of Spoofing IV
Icon
E. of Spoofing
Icon
Summary
Icon
References
3
Chapter 3: Tampering
Icon
Chapter 3: Tampering
Icon
2. of Tampering (2022 deck) I
Icon
2. of Tampering (2022 deck) II
Icon
2. of Tampering (2022 deck) III
Icon
2. of Tampering (2022 deck) IV
Icon
3. of Tampering
Icon
4. of Tampering I
Icon
4. of Tampering II
Icon
5. of Tampering I
Icon
5. of Tampering II
Icon
6. of Tampering
Icon
7. of Tampering I
Icon
7. of Tampering II
Icon
8. of Tampering
Icon
9. of Tampering I
Icon
9. of Tampering II
Icon
10. of Tampering I
Icon
10. of Tampering II
Icon
Jack of Tampering
Icon
Queen of Tampering
Icon
King of Tampering I
Icon
King of Tampering II
Icon
Ace of Tampering I
Icon
Ace of Tampering II
Icon
E of Tampering I
Icon
E of Tampering II
Icon
Summary
4
Chapter 4: Repudiation
Icon
Chapter 4: Repudiation
Icon
The importance of repudiation and its role in security
Icon
2. of Repudiation
Icon
3. of Repudiation
Icon
4. of Repudiation
Icon
5. of Repudiation
Icon
6. of Repudiation I
Icon
6. of Repudiation II
Icon
7. of Repudiation
Icon
8. of Repudiation
Icon
9. of Repudiation
Icon
10. of Repudiation
Icon
Jack of Repudiation
Icon
Queen of Repudiation I
Icon
Queen of Repudiation II
Icon
King of Repudiation I
Icon
King of Repudiation II
Icon
King of Repudiation III
Icon
Ace of Repudiation
Icon
E. of Repudiation
Icon
F. of Repudiation
Icon
G. of Repudiation
Icon
H. of Repudiation I
Icon
H. of Repudiation II
Icon
Summary
5
Chapter 5: Information Disclosure
Icon
Chapter 5: Information Disclosure
Icon
Understanding password management, key management, and cryptography
Icon
2. of Information Disclosure
Icon
3. of Information Disclosure I
Icon
3. of Information Disclosure II
Icon
4. of Information Disclosure
Icon
5. of Information Disclosure
Icon
6. of Information Disclosure
Icon
7. of Information Disclosure
Icon
8. of Information Disclosure I
Icon
8. of Information Disclosure II
Icon
9. of Information Disclosure I
Icon
9. of Information Disclosure II
Icon
10. of Information Disclosure
Icon
Jack of Information Disclosure
Icon
Queen of Information Disclosure
Icon
King of Information Disclosure
Icon
Ace of Information Disclosure I
Icon
Ace of Information Disclosure II
Icon
E of Information Disclosure
Icon
F of Information Disclosure
Icon
Summary
6
Chapter 6: Denial of Service
Icon
Chapter 6: Denial of Service
Icon
2. of Denial of Service I
Icon
2. of Denial of Service II
Icon
3. of Denial of Service I
Icon
3. of Denial of Service II
Icon
3. of Denial of Service (alternative 2022 deck)
Icon
4. of Denial of Service
Icon
4. of Denial of Service (alternative 2022 deck)
Icon
5. of Denial of Service I
Icon
5. of Denial of Service II
Icon
5. of Denial of Service (alternative 2022 deck)
Icon
6. of Denial of Service I
Icon
6. of Denial of Service II
Icon
7. of Denial of Service
Icon
8. of Denial of Service
Icon
9. of Denial of Service
Icon
10. of Denial of Service
Icon
Jack of Denial of Service I
Icon
Jack of Denial of Service II
Icon
Queen of Denial of Service I
Icon
Queen of Denial of Service II
Icon
King of Denial of Service
Icon
Ace of Denial of Service
Icon
E of Denial of Service
Icon
Summary
7
Chapter 7: Elevation of Privilege
Icon
Chapter 7: Elevation of Privilege
Icon
Some important concepts
Icon
2. of Elevation of Privilege (2022 deck)
Icon
3. of Elevation of Privilege (2022 deck) I
Icon
3. of Elevation of Privilege (2022 deck) II
Icon
4. of Elevation of Privilege (2022 deck)
Icon
5. of Elevation of Privilege I
Icon
5. of Elevation of Privilege II
Icon
6. of Elevation of Privilege
Icon
7. of Elevation of Privilege
Icon
8. of Elevation of Privilege
Icon
9. of Elevation of Privilege
Icon
10. of Elevation of Privilege
Icon
Jack of Elevation of Privilege
Icon
Queen of Elevation of Privilege I
Icon
Queen of Elevation of Privilege II
Icon
King of Elevation of Privilege I
Icon
King of Elevation of Privilege II
Icon
Ace of Elevation of Privilege
Icon
Summary
8
Chapter 8: Privacy
Icon
Chapter 8: Privacy
Icon
References used in the chapter
Icon
2 of Privacy
Icon
3 of Privacy
Icon
4. of Privacy
Icon
5. of Privacy
Icon
6. of Privacy
Icon
7. of Privacy
Icon
8. of Privacy
Icon
9. of Privacy
Icon
10. of Privacy
Icon
Jack of Privacy
Icon
Queen of Privacy
Icon
King of Privacy
Icon
Ace of Privacy
Icon
Summary
9
Chapter 9: Transfer
Icon
Chapter 9: Transfer
Icon
References used in the chapter
Icon
2. of Transfer I
Icon
2. of Transfer II
Icon
3. of Transfer
Icon
4. of Transfer
Icon
5. of Transfer
Icon
6. of Transfer
Icon
7. of Transfer
Icon
8. of Transfer I
Icon
8. of Transfer II
Icon
8. of Transfer III
Icon
9. of Transfer
Icon
Ace of Transfer
Icon
Summary
10
Chapter 10: Retention/Removal
Icon
Chapter 10: Retention/Removal
Icon
2. of Retention/Removal
Icon
3. of Retention/Removal I
Icon
3. of Retention/Removal II
Icon
4. of Retention/Removal
Icon
5. of Retention/Removal
Icon
6. of Retention/Removal
Icon
7. of Retention/Removal
Icon
8. of Retention/Removal
Icon
9. of Retention/Removal
Icon
10. of Retention/Removal
Icon
Jack of Retention/Removal
Icon
Ace of Retention/Removal
Icon
Summary
11
Chapter 11: Inference
Icon
Chapter 11: Inference
Icon
2. of Inference
Icon
3. of Inference
Icon
4. of Inference
Icon
5. of Inference
Icon
6. of Inference
Icon
7. of Inference
Icon
8. of Inference
Icon
9. of Inference
Icon
10. of Inference
Icon
Ace of Inference
Icon
Summary
12
Chapter 12: Minimization
Icon
Chapter 12: Minimization
Icon
2. of minimization
Icon
3. of minimization
Icon
4. of minimization
Icon
5. of minimization
Icon
6. of minimization
Icon
Ace of minimization
Icon
Summary
13
Glossary
Icon
Glossary
14
Further Reading
Icon
Books and papers
Icon
Games
15
Licenses for third party content
Icon
CAPEC:
Icon
CWE:
16
Index
Icon
Index
Icon
Why subscribe?
17
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book

Game Play

In this chapter, I’m going to walk you through what you need to play Elevation of Privilege (EoP) to threat model your software design. We are going to talk about how the participants should be selected to get the best results from threat modeling and why participants should have different roles in the project. Last but not least, we will see how to play the game and understand what’s the end goal of playing the game – finding out as many threats as possible. However, before we get started with all these, I would like to begin with a couple of words on what threat modeling is, as well as when you should threat model and why.

Threat modeling is a process to identify threats to and design flaws in the system you are designing. A threat is something that could go wrong in the system you are designing; it may be open to attack, it may be subject to some failure, or it may be open to human error. A mitigation is a safeguard or protection you can put in place to protect against a threat or at least reduce the risk a threat poses. So, when we threat model, we are looking for what could go wrong, how we can improve the system to stop that from happening, and finally, deciding whether we’re happy that even if the worst happened, it wouldn’t be all that bad because we’ve done a pretty good job.

When should we start? You should be able to begin threat modeling from the moment you are able to draw what your system will do and what parts it is made up of. Threat modeling is not a one-off exercise; it should be performed continually as your system evolves and it should be performed during the design phase of each version, and if the design changes during development, the process should be repeated to reflect those changes. Now, let’s look at why it should be performed so early in the software development life cycle (SDLC).

When you build a house, it’s built on foundations, and it could be extremely complicated if you need to change those foundations halfway through construction. Design flaws are usually very difficult and costly to remediate once a project is underway.

Implementation flaws, on the other hand, are not necessarily difficult to fix after the fact. Using the housing analogy again, fixing an error in the foundations may mean tearing down parts of a construction and starting again from the foundations, whereas using a faulty or weak lock in a door is simple to fix because doors are designed to support standard lock fittings, you can just change the component.

So, we can conclude that it is always a wise choice to threat model early as it’s an upfront investment that pays dividends.

Threat modeling can be used as a process for finding or eliciting security flaws in the design of a software system, although you could threat model any system. EoP is a category of threat and it is from this that the EoP card game for threat modeling takes its name. The EoP game was invented to facilitate threat modeling in teams as it prompts the participants with types of threats too.

As such, we will be covering the following main topics in the chapter:

  • What you’ll need to play the EoP game
  • Who should participate?
  • How to play EoP

By the end of the chapter, you will be familiar with the EoP card game, you will know where you can find useful resources to facilitate threat modeling with the game both remotely and in a single location, and you’ll know who to invite.

End of Section 1
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY