Chapter 3: Introduction to Technological Aspects of Privacy
The Adversarial Mindset: STRIDE, Zero Trust and Least Privilege
Cybersecurity adopts the adversarial mindset and threat modeling (e.g. the STRIDE framework and MITRE ATT&CK). Key principles include zero trust, least privilege with role-based access controls (required by the HIPAA Security Rule), defense in depth, and security by default.
| Letter | Threat |
|---|---|
| S | Spoofing - undermining authentication |
| T | Tampering - changing hardware/software specifications |
| R | Repudiation - failing to accurately track users' actions |
| I | Information disclosure - loss of private information |
| D | Denial of service - making a service inoperable (e.g. a distributed denial of service attack) |
| E | Elevation of privilege - gaining additional privileges, up to 'root access' |
Zero trust and least privilege
Under zero trust, no actor inside or outside the perimeter is trusted - verify everything, encrypt all traffic. Each user gets least privilege, implemented via role-based access controls - which the HIPAA Security Rule often requires. Defense in depth and security by default add further protection.
Key terms - quick answers
What is “Adversarial mindset”?
The cybersecurity assumption that attackers anywhere may launch a devastating attack at any moment - we live in a 'bad neighborhood.'
What is “Threat modeling”?
Identifying the most salient security risks for an organization, using tools like MITRE ATT&CK and STRIDE.
What is “STRIDE framework”?
A mnemonic for modeling threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
What is “Zero trust”?
An approach where no actor, system, network, or service inside or outside the perimeter is trusted; everything must be verified and traffic encrypted and authenticated.