Table of Contents

Cover
Title Page
Copyright Page
Contents
Preface
Introduction
    Who This Book Is For
    What You'll Gain from This Book
    A Few Words for the Nonengineer
    Security Terminology
    How This Book Is Organized

Chapter 1: Spoofing and Authenticity
    Identifiers and Authentication
    Technical Identifiers
    Human Identifiers
    Authenticating People to People
    Authenticating People to Computers
    Authenticating Computers to People
    Authenticating Computers to Computers
    Spoofing Attacks
    Spoofing Files
    Spoofing Processes
    Spoofing Machines
    Spoofing in Specific Scenarios
    Internet of Things
    Mobile Phones
    Cloud
    Considerations in Authenticating to Organizations
    Mechanisms for Spoofing Attacks
    Misrepresentation
    Attacks on Authentication Mechanisms
    Threats Against Authentication Types
    Defenses
    Authenticating People
    Authenticating Computers
    Conclusion

Chapter 2: Tampering and Integrity
    Introduction
    Targets of Tampering
    Tampering with Storage
    Tampering with Communications
    Tampering with Time
    Process Tampering
    Tampering in Specific Technologies
    Mechanisms for Tampering
    Location for Tampering
    Tools for Tampering
    Defenses
    Cryptography
    The Kernel
    Detection
    Conclusion

Chapter 3: Repudiation and Proof
    Introduction
    The Threat: Repudiation
    Message Repudiation
    Fraud
    Account Takeover
    Logging Threats
    Repudiation in Specific Technologies
    Internet of Things (Including Phones)
    Cloud
    AI/ML
    Crypto and Blockchain
    Repudiation Mechanisms
    Defenses
    Cryptography
    Keeping Logs
    Using Logs
    Antifraud Tools
    Conclusion

Chapter 4: Information Disclosure and Confidentiality
    Threats to Confidentiality
    Information Disclosure, at Rest
    Information Disclosure, in Motion
    Information Disclosure from a Process
    Human Connections
    Side Effects and Covert Channels
    Information Disclosure Mechanisms
    Information Disclosure with Specific Scenarios
    Internet of Things
    Mobile Phones
    Cloud
    AI/ML
    Blockchain
    Privacy
    Defenses
    Operating System Defenses
    Defending Your Process
    Cryptography
    Conclusion

Chapter 5: Denial of Service and Availability
    Resources Consumed by Denial-of-Service Threats
    Compute
    Storage
    Networks
    Electrical Power
    Money
    Other Resources
    Denial-of-Service Properties
    Bespoke or Generalized
    Amplification
    Authentication
    Targets
    Ephemeral or Persistent
    Direct or Emergent
    Denial of Service in Specific Technologies
    Authentication Services
    Cloud
    Protocol Design
    IoT and Mobile
    Defenses
    Abundance and Quotas
    Graceful Degradation
    Resilience Testing
    Conclusion

Chapter 6: Expansion of Authority and Isolation
    Expansion Mechanisms and Effects
    Authority in Specific Scenarios
    Confused Deputies
    Internet of Things
    Mobile
    Cloud
    Defenses
    Least Privilege and Separation of Privilege
    Architecture as Barrier
    Code as Barrier
    Authority and Privilege
    Access Control (Background)
    Newer Approaches to Policy
    Conclusion

Chapter 7: Predictability and Randomness
    Predictability Threats
    Guessing and Testing
    Cryptographic Threats
    Time and Timing Threats
    Information Disclosure and Time
    Tampering with Time
    Predictability in Specific Scenarios
    Network Traffic
    Local System Threats
    Business Processes
    Defenses
    Preventing Races
    Defenses Against Guessing and Searching
    Usability
    Assume Transparency
    Conclusion

Chapter 8: Parsing and Corruption
    What Is Parsing?
    How Parsers Work
    A "Bit" of Context
    All Data Is Tainted
    Threats to Parsers
    SQL Injection Example
    Surprising Output
    Overly Powerful Input
    Denial-of-Service Threats to Parsers
    Bad Advice
    Chained Parsers
    Specific Parsing Scenario Threats
    Parsing Protocols + Document Formats
    C Code + Memory Safety
    Defenses
    The Robustness Principle
    Input Validation
    Memory Safety
    LangSec
    Conclusion

Chapter 9: Kill Chains
    Threats: Kill Chains
    Server Kill Chain
    Desktop Kill Chains
    Acquire or Use Credentials
    Kill Chains for Specific Scenarios
    Cloud
    IoT
    Mobile (iOS, Android)
    Weaponization as a Subchain
    "No One Would Ever Do That"
    Ransomware
    Elements of Network Kill Chains
    History
    History of Kill Chains
    Defenses
    Types of Defenses
    Defensive Scenarios
    Conclusion

Epilogue
Glossary
Bibliography
Story Index
    Episode I: The Phantom Menace
    Episode III: Revenge of the Sith
    Obi-Wan (Television Series)
    Rogue One
    Star Wars: A New Hope
    The Empire Strikes Back
    Return of the Jedi
Index
EULA