Cavirin Blog

The first step in building a secure infrastructure is to understand the threats. Threats are potential events which lead to something useful for the attacker. It could be money, it could be bragging rights, or it could just be pure fun mutilating the reputation of a business entity. Threat risk modelling is an essential exercise to categorize threats and determine strategies for mitigating them. One such threat assessment model is STRIDE.

STRIDE is an acronym for six threat categories as outlined below:

  • Spoofing Identity – An attacker could prove that she is an authorized user of the system
  • Tampering with Data – An attacker could successfully add, modify or delete data
  • Repudiation – An attacker could deny or make it impossible to prove his delinquency
  • Information disclosure – An attacker could gain access to privileged Information
  • Denial of Service – An attacker could make the system unresponsive to legitimate usage
  • Elevation of privilege – An attacker could elevate her privileges

The STRIDE threat model forces you to think about securing your infrastructure from a threat perspective.

0
0
0
s2sdefault

 No security means you will likely have no business in the cloud

For an engineer such as myself, who is involved in cloud computing, and generally excited about being in the middle of nothing short of a “computing revolution”, attending AWS re:invent 2016 is akin to making an annual pilgrimage. The experience of being among the fellow travelers at the expo hall, listening to keynote addresses that set the tone for next phase of cloud computing, and walking by the myriad of booths with solutions that vie with each other pushing the envelope, was nothing short of transformational.

0
0
0
s2sdefault

THE ISO/IEC 27002:2013 CHALLENGE

ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls

You might think that implementing an ISO 27002 ISMS program is fairly straight forward, and even an easy sell to the business and supporting enterprise.  After all, Information Security is defined by the the C-I-A triad, the most well-known model for security policy development.  Who can resist a tried and true C-I-A triad?

0
0
0
s2sdefault

Docker is a framework making it easy to create, deploy, run, and orchestrate applications by using containers. Basically, a container is another form of virtualization. A minimal image contains functionality of an operating system, but depends on the host for all of its system calls. For a complete overview tutorial on Docker and for Docker security, we recommended more reading from the Docker Inc. site.

0
0
0
s2sdefault

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.