Chapter 7: Elevation of Privilege | Threat Modeling Gameplay with EoP

Book Overview & Buying
Table Of Contents
Feedback & Rating

Threat Modeling Gameplay with EoP

By : Brett Crawley

4.9 (7)

Buy this Book

Threat Modeling Gameplay with EoP

4.9 (7)

By: Brett Crawley

Buy this Book

Overview of this book

Are you looking to navigate security risks, but want to make your learning experience fun? Here's a comprehensive guide that introduces the concept of play to protect, helping you discover the threats that could affect your software design via gameplay. Each chapter in this book covers a suit in the Elevation of Privilege (EoP) card deck (a threat category), providing example threats, references, and suggested mitigations for each card. You’ll explore the methodology for threat modeling—Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of Privilege (S.T.R.I.D.E.) with Privacy deck and the T.R.I.M. extension pack. T.R.I.M. is a framework for privacy that stands for Transfer, Retention/Removal, Inference, and Minimization. Throughout the book, you’ll learn the meanings of these terms and how they should be applied. From spotting vulnerabilities to implementing practical solutions, the chapters provide actionable strategies for fortifying the security of software systems. By the end of this book, you will be able to recognize threats, understand privacy regulations, access references for further exploration, and get familiarized with techniques to protect against these threats and minimize risks.

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Share Your Thoughts

Download a free PDF copy of this book

Free Chapter

Chapter 1: Game Play

What you’ll need to play the EoP game

Who should participate?

How to play EoP

Summary

Chapter 2: Spoofing

2. of Spoofing

3. of Spoofing

4. of Spoofing

5. of Spoofing

6. of Spoofing

7. of Spoofing I

7. of Spoofing II

8. of Spoofing

9. of Spoofing I

9. of Spoofing II

10. of Spoofing

Jack of Spoofing

Queen of Spoofing I

Queen of Spoofing II

King of Spoofing I

King of Spoofing II

Ace of Spoofing I

Ace of Spoofing II

Ace of Spoofing III

Ace of Spoofing IV

E. of Spoofing

Summary

References

Chapter 3: Tampering

2. of Tampering (2022 deck) I

2. of Tampering (2022 deck) II

2. of Tampering (2022 deck) III

2. of Tampering (2022 deck) IV

3. of Tampering

4. of Tampering I

4. of Tampering II

5. of Tampering I

5. of Tampering II

6. of Tampering

7. of Tampering I

7. of Tampering II

8. of Tampering

9. of Tampering I

9. of Tampering II

10. of Tampering I

10. of Tampering II

Jack of Tampering

Queen of Tampering

King of Tampering I

King of Tampering II

Ace of Tampering I

Ace of Tampering II

E of Tampering I

E of Tampering II

Summary

Chapter 4: Repudiation

The importance of repudiation and its role in security

2. of Repudiation

3. of Repudiation

4. of Repudiation

5. of Repudiation

6. of Repudiation I

6. of Repudiation II

7. of Repudiation

8. of Repudiation

9. of Repudiation

10. of Repudiation

Jack of Repudiation

Queen of Repudiation I

Queen of Repudiation II

King of Repudiation I

King of Repudiation II

King of Repudiation III

Ace of Repudiation

E. of Repudiation

F. of Repudiation

G. of Repudiation

H. of Repudiation I

H. of Repudiation II

Summary

Chapter 5: Information Disclosure

Understanding password management, key management, and cryptography

2. of Information Disclosure

3. of Information Disclosure I

3. of Information Disclosure II

4. of Information Disclosure

5. of Information Disclosure

6. of Information Disclosure

7. of Information Disclosure

8. of Information Disclosure I

8. of Information Disclosure II

9. of Information Disclosure I

9. of Information Disclosure II

10. of Information Disclosure

Jack of Information Disclosure

Queen of Information Disclosure

King of Information Disclosure

Ace of Information Disclosure I

Ace of Information Disclosure II

E of Information Disclosure

F of Information Disclosure

Summary

Chapter 6: Denial of Service

2. of Denial of Service I

2. of Denial of Service II

3. of Denial of Service I

3. of Denial of Service II

3. of Denial of Service (alternative 2022 deck)

4. of Denial of Service

4. of Denial of Service (alternative 2022 deck)

5. of Denial of Service I

5. of Denial of Service II

5. of Denial of Service (alternative 2022 deck)

6. of Denial of Service I

6. of Denial of Service II

7. of Denial of Service

8. of Denial of Service

9. of Denial of Service

10. of Denial of Service

Jack of Denial of Service I

Jack of Denial of Service II

Queen of Denial of Service I

Queen of Denial of Service II

King of Denial of Service

Ace of Denial of Service

E of Denial of Service

Summary

Chapter 7: Elevation of Privilege

Some important concepts

2. of Elevation of Privilege (2022 deck)

3. of Elevation of Privilege (2022 deck) I

3. of Elevation of Privilege (2022 deck) II

4. of Elevation of Privilege (2022 deck)

5. of Elevation of Privilege I

5. of Elevation of Privilege II

6. of Elevation of Privilege

7. of Elevation of Privilege

8. of Elevation of Privilege

9. of Elevation of Privilege

10. of Elevation of Privilege

Jack of Elevation of Privilege

Queen of Elevation of Privilege I

Queen of Elevation of Privilege II

King of Elevation of Privilege I

King of Elevation of Privilege II

Ace of Elevation of Privilege

Summary

Chapter 8: Privacy

References used in the chapter

2 of Privacy

3 of Privacy

4. of Privacy

5. of Privacy

6. of Privacy

7. of Privacy

8. of Privacy

9. of Privacy

10. of Privacy

Jack of Privacy

Queen of Privacy

King of Privacy

Ace of Privacy

Summary

Chapter 9: Transfer

References used in the chapter

2. of Transfer I

2. of Transfer II

3. of Transfer

4. of Transfer

5. of Transfer

6. of Transfer

7. of Transfer

8. of Transfer I

8. of Transfer II

8. of Transfer III

9. of Transfer

Ace of Transfer

Summary

Chapter 10: Retention/Removal

2. of Retention/Removal

3. of Retention/Removal I

3. of Retention/Removal II

4. of Retention/Removal

5. of Retention/Removal

6. of Retention/Removal

7. of Retention/Removal

8. of Retention/Removal

9. of Retention/Removal

10. of Retention/Removal

Jack of Retention/Removal

Ace of Retention/Removal

Summary

Chapter 11: Inference

2. of Inference

3. of Inference

4. of Inference

5. of Inference

6. of Inference

7. of Inference

8. of Inference

9. of Inference

10. of Inference

Ace of Inference

Summary

Chapter 12: Minimization

2. of minimization

3. of minimization

4. of minimization

5. of minimization

6. of minimization

Ace of minimization

Summary

Glossary

Threat
	Your application server is launched with an admin user account instead of with a service account and an attacker manages to inject a command that is run in the operating system (OS) as the admin user.
CAPEC	CAPEC-233 – Privilege escalation CAPEC-69 – Target programs with elevated privileges
ASVS	1.2.1 – Ensure you’re not using service accounts with only the permissions they need 2.10.2 – Ensure service to service auth is not performed as root
CWE	CWE-250 – Execution with unnecessary privileges CWE-78 – Improper neutralization...

Threat Modeling Gameplay with EoP

By : Brett Crawley

Threat Modeling Gameplay with EoP

By: Brett Crawley

Overview of this book

King of Elevation of Privilege I

Unlock full access

Continue reading for free

Threat Modeling Gameplay with EoP

By : Brett Crawley

Threat Modeling Gameplay with EoP

By: Brett Crawley

Overview of this book

King of Elevation of Privilege I

Unlock full access

Continue reading for free

Create a Note

Delete Bookmark

Delete Note

Edit Note

Confirmation

Buy this book with your credits?