Architectural Risk Analysis

The Attack Surface is all the different ways a hacker could interact with or attack a system. It includes:

• Entry Points: Places where data or commands enter (e.g., login pages, APIs).

• Exit Points: Where data leaves the system (e.g., logs, database exports).

• Assets: Valuable data or resources hackers might target (e.g., user credentials, financial records).

• Trust Levels: The permissions given to different users or system parts (e.g., admin vs. regular user).

A large attack surface means more security risks, so it's important to reduce it where possible.

Mapping the Attack Surface means identifying all the points where security risks exist. Steps include:

1. Review system design and architecture

   • Look at how the system is built and document potential attack points.

2. Identify entry and exit points

   • Examples:

     • User forms and input fields

     • HTTP headers and cookies

     • APIs and web services

     • Databases and file storage

3. Find valuable assets

   • Interview developers and users to understand what data is critical.

4. Use security tools

   • Automated scanning tools like OWASP ZAP or Burp Suite can help find vulnerabilities.

5. Threat Modelling

   • walk through the main use cases following the flow of control and data to see where information is validated and stored.

6. Track changes in the attack surface

   • Any updates to the system (new features, database changes, etc.) should trigger a security review.

Thread modelling includes identifing any potential thrads document it and find mitigation strategies to prevent them.

1. Understanding the attacker's view (Attack Surface Analysis)

   • Look at the system like a hacker would and identify weak points.

2. Characterizing the security of the system

   • Define how the system is supposed to work and find security risks.

3. Determining threats

   • List all possible attacks and analyze how dangerous they are.

1. Entry Point: Any place where data or commands enter the system (e.g., login page, API).

2. Exit Point: Any place where data leaves the system (e.g., log files, database output).

3. Asset: Anything valuable that hackers might try to access (e.g., passwords, customer data).

4. Trust Level: Defines how much access a user or system component has.

5. Trust Boundary: A point where different trust levels meet (e.g., user input entering a secure database).

1. Define use cases (how the system should and shouldn't be used).

2. Identify assumptions and dependencies (e.g., relying on external services).

3. Model the system (create diagrams to see how data moves and where risks exist -> Data Flow Diagrams).

1. They show how data moves and transforms in a system.

2. Help identify weak points where hackers could attack.

3. Use symbols to represent components like data storage, processes, and trust boundaries.

STRIDE helps identify different types of attacks:

• Spoofing → Pretending to be someone else (e.g., fake login).

• Tampering → Changing data without permission (e.g., modifying bits in memory).

• Repudiation → Denying an action (e.g., deleting logs to hide evidence). There is no way to track unauthorized actions to a specific user.

• Information Disclosure → Leaking private data to people that are not authorized to see it (e.g., unprotected passwords).

• Denial of Service → Making a system unavailable (e.g., crashing a website).

• Elevation of Privilege → Gaining higher access than allowed (e.g., normal user becoming an admin).