Today I’d like to share a couple of great resources with you. These are websites with information on categorizing and avoiding vulnerabilities. There is a lot of reading here, and to be honest, much of it is reference material, but it’s good to peruse so you are familiar with it.
This is a DHS (US Department of Homeland Security) website about, well, building security into designs. The description on the site says:
Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
I’ve mentioned before how important it is to design securely from the start. One of the site’s FAQs makes it clear that it is designed for software developers. That’s OK, but lots more folks can benefit from the ideas. The point is to think securely from the start. Learning to think securely is a goal of Learning Tree Course 468, System and Network Security, as I’ve noted before.
This site is another one with a name accurately describing its goal: the site describes and classifies cyberattacks. The detail this site provides is quite extensive. Let’s look at “Pharming,” attack pattern number 89.
The description begins with a definition: “A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one.” The definition is followed by a description of how the attack works, what methods it uses, how likely it is, what level of experience it requires, examples, and more.
Two especially valuable fields are the “Solutions and Mitigations” and “Attack Motivation-Consequences” fields. The first describes how to avoid the issue and how to mitigate its effects. An example from this attack pattern is “End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.” This is great advice and something 468 participants hear often in the course.
The motivation and consequences field ties the attack to a security fundamental or fundamentals – in this case Confidentiality. This is especially valuable to those new to security to help them understand those fundamentals.
The attacks are classified by severity from Low to Very High. The list is extensive and the information is thorough. We discuss many of these attacks in more detail in Course 468, but we don’t have time for all of them in only four days.
There are other sites listed on the “Related Activities” page but some have not been updated in many years. Check the dates of any pages before you rely on the content as current…
These two resources are valuable for many security professionals. What other sites have you found valuable? Let us know in the comments.