Model Basic Security Threats (Activity)

From Foss2Serve
(Difference between revisions)
Jump to: navigation, search
m (Suggestions for the Open Source Project:: Added Learning Activity tag)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{| border="1"
+
__NOTOC__
|-
+
|'''Title''' || Basic Security Threat Modeling Activity 
+
|-
+
|'''Overview''' ||  Provides a starting place to access the security of any system on the Internet.
+
|-
+
|'''Author''' ||  Suzanne Mello-Stark
+
|-
+
|'''Prerequisite Knowledge''' || Basic Linux Command line knowledge.  If you need this knowledge, please complete the Linux Basic Command line activity.
+
|-
+
|'''Learning Objectives''' ||
+
  
Learners will gain a basic understanding of how to start to analyze the vulnerabilities in an open source deployment.
+
{{Learning Activity Overview
Learners will be able to explain the purpose of a threat model.
+
|title=
Learners will have basic knowledge of several tools that exist to look for vulnerabilities in an open source deployment.
+
Basic Security Threat Modeling
 +
|overview=
 +
Provides a starting place to access the security of any system on the Internet.
 +
|prerequisites=
 +
Basic Linux Command line knowledge.
 +
If you need this knowledge, please complete the Linux Basic Command line activity.
 +
|objectives=
 +
* Gain a basic understanding of how to start to analyze the vulnerabilities in an open source deployment.
 +
* Explain the purpose of a threat model.
 +
* Have basic knowledge of several tools that exist to look for vulnerabilities in an open source deployment.
 +
|process skills=
 +
}}
  
|}
+
=== Background ===
 
+
=== Background: ===
+
  
 
Making an open source deployment secure may seem like a daunting task.  
 
Making an open source deployment secure may seem like a daunting task.  
 
Where do you begin to look for vulnerabilities and threats in a system?  This activity gives a starting place.
 
Where do you begin to look for vulnerabilities and threats in a system?  This activity gives a starting place.
  
=== Directions: ===
+
=== Directions ===
  
 
Think about where you live and the surrounding areas around your home.  For example, your home has doors and windows.   
 
Think about where you live and the surrounding areas around your home.  For example, your home has doors and windows.   
Line 46: Line 45:
 
Here are many other tools to deepen your level of understanding about the system.
 
Here are many other tools to deepen your level of understanding about the system.
  
Dig a DNS recon tool - http://www.thegeekstuff.com/2012/02/dig-command-examples/
+
* Dig - a DNS recon tool - http://www.thegeekstuff.com/2012/02/dig-command-examples/
Dirb – a webserver directory enumeration tool - http://tools.kali.org/web-applications/dirb
+
* Dirb – a webserver directory enumeration tool - http://tools.kali.org/web-applications/dirb
Host – a DNS client - just type man host on any linux command line
+
* Host – a DNS client - just type man host on any linux command line
Nmap – a network scanning tool - type man nmap on any linux command line
+
* Nmap – a network scanning tool - type man nmap on any linux command line
Telnet – a network service client - type man Telnet on any linux command line
+
* Telnet – a network service client - type man Telnet on any linux command line
Whois – a domain registry client - http://www.computerhope.com/unix/uwhois.htm  
+
* Whois – a domain registry client - http://www.computerhope.com/unix/uwhois.htm  
Wireshark – a packet capture and analysis tool - https://www.wireshark.org
+
* Wireshark – a packet capture and analysis tool - https://www.wireshark.org
WPScan – a wordPress vulnerability scanner - https://www.randomstorm.com/resources/free-tools/wpscan/
+
* WPScan – a wordPress vulnerability scanner - https://www.randomstorm.com/resources/free-tools/wpscan/
  
 
2. Password Cracking:  A major weakness to any system are the passwords chosen by the people who have access to your system.
 
2. Password Cracking:  A major weakness to any system are the passwords chosen by the people who have access to your system.
 
How secure are the passwords? There are several tools you can use to try and crack your passwords.   
 
How secure are the passwords? There are several tools you can use to try and crack your passwords.   
  
Hydra – a password enumeration tool - http://tools.kali.org/password-attacks/hydra
+
* Hydra – a password enumeration tool - http://tools.kali.org/password-attacks/hydra
John the Ripper – a password cracking tool - http://en.wikipedia.org/wiki/John_the_Ripper
+
* John the Ripper – a password cracking tool - http://en.wikipedia.org/wiki/John_the_Ripper
  
 
3. Writing Secure Code: To make your system less vulnerable, it is important to write code securely.
 
3. Writing Secure Code: To make your system less vulnerable, it is important to write code securely.
Line 66: Line 65:
 
http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/
 
http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/
  
Now that you have a basic overview of some tools that will help you, you can dive deeper into each one. Find and fix your vulnerabilities yourself,  
+
Now that you have a basic overview of some tools that will help you, you can dive deeper into each one.
before someone else takes advantage of them.
+
Find and fix your vulnerabilities yourself, before someone else takes advantage of them.
  
 +
=== Deliverables ===
  
 +
* A list of vulnerabilities found on your system
 +
* A list of next steps
 +
* TBD
  
=== Deliverables: ===
+
=== Assessment ===
  
A list of vulnerabilities found on your system
 
A list of next steps
 
 
TBD
 
TBD
  
=== Assessment: ===
 
TBD
 
  
 
+
=== Comments ===
=== Comments: ===
+
  
 
Disclaimer.  The tools used in this assessment are to be used responsibly. lawfully and ethically.
 
Disclaimer.  The tools used in this assessment are to be used responsibly. lawfully and ethically.
  
 +
{{Learning Activity Info
 +
|acm unit=
 +
SP: Security and Privacy
 +
|acm topic=
 +
|difficulty=
 +
Medium
 +
|time=
 +
4 hours (including the Towson Secure Code activity)
 +
|environment=
 +
Access to a web browser/Internet.  Access to the LINUX command line.  This activity also works on the iOS command line.
 +
|author=
 +
Suzanne Mello-Stark
 +
|source=
 +
This is an original activity.  The secure coding activity was developed by Towson University.
 +
|license=
 +
{{License CC BY SA}}
 +
}}
  
=== Additional Information: ===
+
=== Suggestions for the Open Source Project ===
{| border="1"
+
|-
+
|'''Knowledge Area/Knowledge Unit''' || Security and Privacy
+
|-
+
|'''Topic''' ||
+
|-
+
|'''Level of Difficulty''' || Medium
+
|-
+
|'''Estimated Time to Completion''' ||  4 hours (Including the Towson Secure Code activity)
+
|-
+
|'''Materials/Environment''' || Access to a web browser/Internet.  Access to the LINUX command line.  This activity also works on the iOS command line.
+
|-
+
|'''Author''' || Suzanne Mello-Stark
+
|-
+
|'''Source''' || This is an original activity.  The secure coding activity was developed by Towson University
+
|-
+
|'''License''' || Licensed CC BY-SA
+
|}
+
 
+
 
+
=== Suggestions for the Open Source Project: ===
+
  
 
This activity can be used to begin to access the open source project vulnerabilities.
 
This activity can be used to begin to access the open source project vulnerabilities.
  
--------------------
+
[[Category:Learning Activity]]
This work is licensed under a
+
[[Category:Privacy and Security]]
[http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International License]
+
[[Category:Minimal Sketch]]
 
+
[[File:CC_license.png]]
+
 
+
[[Category: Learning_Activity]]
+
[[Category: Privacy_and_Security]]
+

Latest revision as of 10:36, 8 September 2018


Title

Basic Security Threat Modeling

Overview

Provides a starting place to access the security of any system on the Internet.

Prerequisites

Basic Linux Command line knowledge. If you need this knowledge, please complete the Linux Basic Command line activity.

Learning
Objectives 		After successfully completing this activity, the learner should be able to:
  • Gain a basic understanding of how to start to analyze the vulnerabilities in an open source deployment.
  • Explain the purpose of a threat model.
  • Have basic knowledge of several tools that exist to look for vulnerabilities in an open source deployment.
Process Skills
Practiced


Background

Making an open source deployment secure may seem like a daunting task. Where do you begin to look for vulnerabilities and threats in a system? This activity gives a starting place.

Directions

Think about where you live and the surrounding areas around your home. For example, your home has doors and windows. Are they all locked? It may have dark outside areas where someone could hide. If you were looking to break in, what would you do? When you think about making your home safer where you feel more secure, you are creating a threat model.

Building a threat model for an online system is very similar. Computers have places of entry just like a home. Are all the ports closed? Is there any data open and exposed without protection? Do any of your users have weak passwords?

To find out more information about the threat modeling process in general, visit The following website: https://www.owasp.org/index.php/Threat_Risk_Modeling

To help you start to analyze your system, below are three steps to get your started.

1. Network Security: What do others see about my system?

To start analyzing your system, you first need to know the IP address. If it has a domain name you can use that. Start with the Host command and see what you can find out. If you don't know this command, type man host on the command line.

Once you know where the system lives, you can find out many things about the system.

Here are many other tools to deepen your level of understanding about the system.

2. Password Cracking: A major weakness to any system are the passwords chosen by the people who have access to your system. How secure are the passwords? There are several tools you can use to try and crack your passwords.

3. Writing Secure Code: To make your system less vulnerable, it is important to write code securely. The following workshop provides 2.5 hours of training in writing secure code.

http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/

Now that you have a basic overview of some tools that will help you, you can dive deeper into each one. Find and fix your vulnerabilities yourself, before someone else takes advantage of them.

Deliverables

  • A list of vulnerabilities found on your system
  • A list of next steps
  • TBD

Assessment

TBD


Comments

Disclaimer. The tools used in this assessment are to be used responsibly. lawfully and ethically.

ACM BoK
Area & Unit(s)

SP: Security and Privacy

ACM BoK
Topic(s)
Difficulty

Medium

Estimated Time
to Complete

4 hours (including the Towson Secure Code activity)

Environment /
Materials

Access to a web browser/Internet. Access to the LINUX command line. This activity also works on the iOS command line.

Author(s)

Suzanne Mello-Stark

Source

This is an original activity. The secure coding activity was developed by Towson University.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License

CC license.png


Suggestions for the Open Source Project

This activity can be used to begin to access the open source project vulnerabilities.

Retrieved from "http://foss2serve.org/index.php?title=Model_Basic_Security_Threats_(Activity)&oldid=12646"
Personal tools
Namespaces
Variants
Actions
Events
Learning Resources
HFOSS Projects
Evaluation
Navigation
Toolbox