STRIDE is a threat classification model developed by Microsoft detailing computer security threats. It provides a mnemonic for security threats in six categories. Let’s consider an example to understand STRIDE.
Suppose myself and my friend are working for the same company. I asked my friend to deliver a document to a client which contains my signature and name with some valuable information. And my friend accepted my request and he began his travel to the client place. While traveling, some criminal thoughts ran into his mind. He first took a copy of the document and then He changed my name on the document and wrote his name and by this, he took my identity (Spoofing). And later he made some other changes in the content of the document by adding some points to his personal favor and thus modified the original content (Tampering). And then he changed my signature on the document so that there is no trace that I ever did an act of making the document. And when my boss called him and asked if he is out for delivery of the document he told that he didn’t receive any document from me (Repudiation). Later he sold the valuable information in the document to our rival company and therefore the rival company got to know our company secrets (information disclosure). After making the profit, he came back to me and told the document went missing while traveling. I did scold him but the service which was promised to the client didn’t happen because the document they needed for establishing the service never reached them (Denial of service). Now that my friend had some confidential information that would let him have more privileges than what he originally had in my company, started misusing the company resources (Elevation of Privileges).
And From all this I learned to properly protect my data by strictly following the below steps:
• Ensuring that no one could disguise as me (Authenticity)
• The data is hardened so that, it cannot be modified (Integrity)
• Ensuring my signature is unique and complex so that no one could change it (Non-reputability)
• Ensuring that valuable data should be labeled and classified as confidential and treated with high importance (Confidentiality)
• Ensuring that no one could mess with my data and it serves its purpose and ensure that service is available anytime when requested. (Availability)
• Ensure that proper authorization mechanisms are placed in the system so that no one could elevate their privileges to do such actions. (Authorization)