Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Which type of stride threat violates integrity?

22/12/2020 Client: saad24vbs Deadline: 24 Hours

ISOL536 Security Architecture


and Design Week 3


“Privacy Threats”


Agenda


• What is privacy? • Harms • The IETF’s Privacy Considerations • Privacy Impact Assessments • The Nymity Ratchet • Contextual Integrity • Reading: Chapter 6


STRIDE Review


• STRIDE Review


Attack Violates


S Spoofing Authentication


T Tampering Integrity


R Repudiation Non-Repudiation


I Information Disclosure Confidentiality


D Denial of Service Availability


E Elevation of Privilege Authorization


What is Privacy?


• Lots of land with trees & bushes • Curtains or venetian blinds • Unlisted phone numbers, mailboxes • Swiss bank accounts


What is Privacy? (II)


• Freedom from surveillance/NSA • Anonymity • Right to be left alone • “Do not track” in browsers


Privacy vs Confidentiality


• Confidentiality is about the data • Protects data from unauthorized users


• Privacy is about the individual • How the data is used


National


• Freedom from surveillance/NSA • Anonymity • Right to be left alone • “Do not track” in browsers


Harms Approach to Privacy


• Dan Solove (George Washington University law professor)


• Understanding Privacy (2008) • Presented privacy as a family of issues • Presented a taxonomy of harms • Can be used as a basis for looking at a system


Solove’s Harms


• Identifier creation* • Information collection


• Surveillance, interrogation


• Information Processing • Aggregation, identification, insecurity, secondary use, exclusion


• Information dissemination • Breach of confidentiality, disclosure, increased accessibility, blackmail,


appropriation, distortion, [exposure]


• Invasion • Intrusion, decisional interference


* Shostack adds identifier creation in Threat Modeling, see discussion (page 112).


IETF Privacy Considerations


• Set of threats that each new protocol should consider • Likely to change rapidly in post-Snowden world • Combined security/privacy threats


• Surveillance, stored data compromise, misattribution


• Privacy threats • Correlation, identification, secondary use, disclosure, exclusion


(unawareness)


Privacy Impact Assessments


• A privacy analog to security threat modeling • Usually presented as an end-to-end process


• Often more social than technical • Can be very complementary • Typical table of contents:


• Description of the project • Description of the data flows[!] • Analysis against “the” information privacy principles • Analysis against other aspects of privacy • Analysis of privacy controls • Findings and recommendations


Nymity Slider


• Nymity: “the amount of information about the identity of participants that is revealed in a transaction”


• Easy to move left, hard to move right • Measure your system, don’t move accidentally


Contextual Integrity


• Helen Nissenbaum’s Privacy In Context (2009) • A context is an anthropological term for a “sphere of life”


such as “school” or “work”


• Can be more specific — “This university’s CS department expects…” — is a context


• A context has roles, activities, norms and values associated with it (usually implicitly)


• Can be used to understand or predict privacy concerns


Augmented Contextual Integrity


• Simply: 1. Describe the new practice in information flows* 2. Identify the prevailing context 3. Identify information subjects, senders, & recipients* 4. Identify transmission principles* 5. Locate applicable norms, identify significant changes 6. Prima facie assessment 7. Evaluation


1. Moral & political, threats to autonomy/freedom, power structures, fairness, justice, equality, etc.


8. Evaluation 2 1. Does the new directly impinge on values, goals of context?


9. Decide


• * Elements look a lot like other threat modeling


• Can be a lot of work in each step


LINDDUN


• Explicit mirror of STRIDE-per-element for privacy threat modeling • New proposal, unusual terminology • LINDDUN


• Linkability • Identifiability • Non-Repudiation (vs Repudiation as a security threat) • Detectability • Disclosure of Information • Content Unawareness • Policy and consent Non-compliance


Recap


• Privacy can be challenging compared to security • High potential for things to go badly wrong


• Ethically • Public relations


• Tools exist to help • Harms • The IETF’s Privacy Considerations • Privacy Impact Assessments • The Nymity Ratchet • Contextual Integrity


ISOL536 Security Architecture


and Design Week 3


“Processing Threats”


Agenda


• When to find threats • Playing chess • How to approach software • Tracking threats and assumptions • Customer/vendor • The API threat model • Reading: Chapter 7


When to Find Threats


• Start at the beginning of your project • Create a model of what you’re building


• Do a first pass for threats


• Dig deep as you work through features • Think about how threats apply to your mitigations


• Check your design & model matches as you get close to shipping


Attackers Respond to Your Defenses


Playing Chess


• The ideal attacker will follow the road you defend • Ideal attackers are like spherical cows — they’re a useful model for some


things


• Real attackers will go around your defenses • Your defenses need to be broad and deep


“Orders of Mitigation”


Order Threat Mitigation


1st Window smashing Reinforced glass


2nd Window smashing Alarm


3rd Cut alarm wire Heartbeat signal


4th Fake heartbeat Cryptographic signal integrity


By Example:


• Thus window smashing is a first order threat, cutting alarm wire, a third-order threat


• Easy to get stuck arguing about orders • Are both stronger glass & alarms 1st order


mitigations? (Who cares?!) • Focus on the concept of interplay between


mitigations & further attacks


How to Approach Software


• Depth first • The most fun and “instinctual” • Keep following threats to see where they go • Can be useful skill development, promoting “flow”


• Breadth first • The most conservative use of time • Most likely to result in good coverage


Tracking Threats and Assumptions


• There are an infinite number of ways to structure this • Use the one that works reliably for you • (Hope doesn’t work reliably)


Example Threat Tracking Tables


Diagram Element Threat Type Threat Bug ID


Data flow #4, web server to business logic


Tampering Add orders without payment checks


4553 “Need integrity controls on channel”


Info disclosure Payment instruments sent in clear


4554 “need crypto” #PCI


Threat Type Diagram Element(s) Threat Bug ID


Tampering Web browser Attacker modifies our JavaScript order checking


4556 “Add order- checking logic to server”


Data flow #2 from browser to server


Failure to authenticate


4557 “Add enforce HTTPS everywhere”


Both are fine, help you iterate over diagrams in different ways


Example Assumption Tracking


Assumption Impact if it’s wrong


Who to talk to


Who’s following up


Follow-up by date


Bug #


It’s ok to ignore denial of service within the data center


Availability will be below spec


Alice Bob April 15 4555


• Impact is sometimes so obvious it’s not worth filling out • Who to talk to is not always obvious, it’s ok to start out blank • Tracking assumptions in bugs helps you not lose track


• Treat the assumption as a bug – you need to resolve it


The Customer/Vendor Boundary • There is always a trust boundary when:


• Your code goes to someone else’s (device/premises)


• Their data comes to your code


• Lawyers, pretending do not eliminate human trust issues


• You need to think about it while deciding what happens over the data flow shown


Your software


Customer device


Your software


Your data center


Generic API Threat Model • Perform security checks inside the boundary • Copy before validation for purpose


• Is http://evil.org/pwnme.html “valid”?


• Define the purpose for data, validate near that definition • Manage error reporting • Document what checks happen where • Do crypto in constant time • Address the security requirements for your API


Recap


• When to find threats • Playing chess • How to approach software • Tracking threats and assumptions • Customer/vendor • The API threat model


What’s next?


• Quiz • Due Sunday 11:59 PM


• 10 multiple choice questions


• 20 minutes


• You have 2 chances (take highest grade)


• Reach chapters 8 and 9


Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

University Coursework Help
Helping Hand
Top Essay Tutor
Writer Writer Name Offer Chat
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$77 Chat With Writer
Helping Hand

ONLINE

Helping Hand

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$75 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$80 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Business Intelliegence - The minister's black veil symbolism - Mandy smith mother patsy - Mathematical economics chiang 4th edition - Molecular orbital theory worksheet with answers - Dr.Michelle_Prof1 - Excel independent project 2-5 - Pricing strategy questions and answers - Derby theatre great expectations - Descartes method of doubt sparknotes - My heavenly father watches over me jimmy swaggart - I need 1500 words on Private Business School - Marketing analytics data driven techniques with microsoft excel - Pancakes by joan bauer answers - Behaviour support plan quality evaluation tool - Trouble with the curve song you are my sunshine - 25o words - Kaiser permanente opportunities and threats - Portable air conditioner blaux - Marketing - Danielson domain 1 ppt - A Holistic Response to Crime Victimization - Foro de discusion escrito-introduccion - Information system audit checklist - What is decile rating schools nz - Google slides insert table of contents - Wavelength of sodium light in cm - Reaching out a solution - 2-3 paragraph Discussion - Nursing - Jayco electric awning problems - On going home joan didion essay - 250 words/ two scholarly sources due TODAY! - Midlands caravans & campworld - Hand operated can crusher - What is working scientifically - Enterprise Risk Management - Analyzing Student Data: The RTI Model - Project management simulation tips - Complete the sentence ellos a las ocho - Lodgement reference number nab - Pre intermediate writing tasks - 1002 2 - Advantages of orthographic projection - Feso4 pb no3 2 - Lagard 39e programming instructions - What is survival processing (e.g.,Nairne and Pandeirada, 2011)? How does it work in memory? Is the effect based on the evolutionary mechanisms or more commonplace memory explanations? - Agile Methodology - Highfield awarding body for compliance habc - Difference between pessaries and suppositories - Kmc property tax calculation - Dimensions involved in the development of expertise - Health teaching plan for breastfeeding - Intermediate accounting chapter 21a solutions pdf - What is the orbital diagram for boron - How to make a food web project - Soap note with differential diagnosis - Luck companies case analysis - Standard deep well pump - Statement of purpose ucsd - Cardiff university law school - Module 2 wellness plan flvs answers - 3.2 Group Discussion: Survey Creation - Ista-2a vs astm d4169 - Botox consent form uk - How to create a basic html page in notepad - Aspermia medical terminology - Allen tough self directed learning - Qc makeup academy locations - Corin v patton case summary - Can woodlice breathe underwater - Help - Salary inequities at astrazeneca - Weeek-3 - The lightning tree lyrics - Taboo delicacies - Clinic plus shampoo advertisement - Worldwide paper company case study answer - Genogram explanation - Insider threat - Crestwood high school catchment - Crime Scene Investigation Walk through CRJ499 - Tea tree gully tennis club - Which one of the following best exemplifies unsystematic risk - Security architecture - Kellogg's supply chain case study - Artemisia gentileschi judith slaying holofernes analysis - Ethics essay my sister's keeper - How to pronounce acquiesce in english - Convert word doc to epub calibre - Segmentation criteria used in identification for lemonade - Employment law gcse business - Literacynet org multiple intelligence test - Why abortion should be legal speech - 5902 burnhill dr austin tx 78745 - Electric field hockey activity worksheet answers - Ig words with pictures - Techni Granite - Cvi coffee maker - List of printmaking artists