Threat Modeling: Information Disclosure in Depth
29mIntermediate2020-08-13
Authors

Adam Shostack
Consultant, Entrepreneur, Technologist, and Game Designer
Course details
STRIDE is a popular threat modeling framework that helps security pros and software developers think strategically about risk. This course addresses the I in STRIDE, which stands for information disclosure. You can learn how to preserve the confidentiality of the data, secrets, and other information you store, and the policies you need to put into place to share that information safely. Topics include classic models such as data at rest and data in motion as well as information disclosure in processes and information disclosure in certain technologies such as cloud, Internet of Things and mobile, and AI and machine learning. Expert Adam Shostack also reviews the side effects of computation, the physical effects of CPUs, and the defenses you can put into place at your organization to manage metadata, secrets, and other sensitive information.
Topics include:
Authorized access
Metadata in motion
Intentional disclosure
Side effects of disclosure
Disclosure in the cloud
Cryptography and other defenses
Topics include:
Authorized access
Metadata in motion
Intentional disclosure
Side effects of disclosure
Disclosure in the cloud
Cryptography and other defenses
Skills covered
Software Development SecurityCybersecurityDeep Dive (X:Y)
Concepts
0. Introduction
- 01 - Allow me to disclose something
- 02 - Four-question framework
- 03 - Information disclosure as a part of STRIDE
1. Data at Rest
- 04 - Authorized access
- 05 - Physical layer
- 06 - Metadata
2. Data in Motion
- 07 - Encrypted and unencrypted
- 08 - Metadata in motion
- 09 - Non-internet data
3. Information Disclosure by Processes
- 10 - Intentional disclosure
- 11 - Metadata and security
4. Side Effects
- 12 - Radios - Intentional and accidental
- 13 - Timing
- 14 - Interpretation
5. Disclosure in Certain Technologies
- 15 - Cloud
- 16 - IoT and mobile
- 17 - AI and machine learning
6. Defenses
- 18 - Metadata management
- 19 - Secrets and secrets management
- 20 - Cryptography
Conclusion
- 21 - Next steps
Related courses
- Learning Threat Modeling for Security Professionals
- CISSP Cert Prep (2021): 1 Security and Risk Management
- CISSP Cert Prep (2021): 6 Security Assessment and Testing
- CompTIA CySA+ (CS0-002) Cert Prep: 1 Threat Management
- CompTIA Security+ (SY0-701) Cert Prep: 1 General Security Concepts
- CompTIA Security+ (SY0-701) Cert Prep: 2 Threats, Vulnerabilities, and Mitigations
- CompTIA Security+ (SY0-701) Cert Prep: 5 Security Program Management and Oversight
- CompTIA Security+ (SY0-701) Cert Prep: 3 Security Architecture
Related learn paths
- Improve Your Threat Modeling Skills
- Become an IT Security Specialist
- Leverage AI as a Cybersecurity Analyst
- Prepare for the CompTIA Cybersecurity Analyst + (CySA+) (CS0-002) Certification Exam
- Prepare for the ISC2 Information Systems Security Professional (CISSP) Certification Exam (2021)
- Prepare for the CompTIA Security+ (SY0-701) Certification
- Become an Ethical Hacker
- Prepare for the ISC2 Systems Security Certified Practitioner (SSCP) Exam