Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Which type of stride threat violates integrity?

22/12/2020 Client: saad24vbs Deadline: 24 Hours

ISOL536 Security Architecture


and Design Week 3


“Privacy Threats”


Agenda


• What is privacy? • Harms • The IETF’s Privacy Considerations • Privacy Impact Assessments • The Nymity Ratchet • Contextual Integrity • Reading: Chapter 6


STRIDE Review


• STRIDE Review


Attack Violates


S Spoofing Authentication


T Tampering Integrity


R Repudiation Non-Repudiation


I Information Disclosure Confidentiality


D Denial of Service Availability


E Elevation of Privilege Authorization


What is Privacy?


• Lots of land with trees & bushes • Curtains or venetian blinds • Unlisted phone numbers, mailboxes • Swiss bank accounts


What is Privacy? (II)


• Freedom from surveillance/NSA • Anonymity • Right to be left alone • “Do not track” in browsers


Privacy vs Confidentiality


• Confidentiality is about the data • Protects data from unauthorized users


• Privacy is about the individual • How the data is used


National


• Freedom from surveillance/NSA • Anonymity • Right to be left alone • “Do not track” in browsers


Harms Approach to Privacy


• Dan Solove (George Washington University law professor)


• Understanding Privacy (2008) • Presented privacy as a family of issues • Presented a taxonomy of harms • Can be used as a basis for looking at a system


Solove’s Harms


• Identifier creation* • Information collection


• Surveillance, interrogation


• Information Processing • Aggregation, identification, insecurity, secondary use, exclusion


• Information dissemination • Breach of confidentiality, disclosure, increased accessibility, blackmail,


appropriation, distortion, [exposure]


• Invasion • Intrusion, decisional interference


* Shostack adds identifier creation in Threat Modeling, see discussion (page 112).


IETF Privacy Considerations


• Set of threats that each new protocol should consider • Likely to change rapidly in post-Snowden world • Combined security/privacy threats


• Surveillance, stored data compromise, misattribution


• Privacy threats • Correlation, identification, secondary use, disclosure, exclusion


(unawareness)


Privacy Impact Assessments


• A privacy analog to security threat modeling • Usually presented as an end-to-end process


• Often more social than technical • Can be very complementary • Typical table of contents:


• Description of the project • Description of the data flows[!] • Analysis against “the” information privacy principles • Analysis against other aspects of privacy • Analysis of privacy controls • Findings and recommendations


Nymity Slider


• Nymity: “the amount of information about the identity of participants that is revealed in a transaction”


• Easy to move left, hard to move right • Measure your system, don’t move accidentally


Contextual Integrity


• Helen Nissenbaum’s Privacy In Context (2009) • A context is an anthropological term for a “sphere of life”


such as “school” or “work”


• Can be more specific — “This university’s CS department expects…” — is a context


• A context has roles, activities, norms and values associated with it (usually implicitly)


• Can be used to understand or predict privacy concerns


Augmented Contextual Integrity


• Simply: 1. Describe the new practice in information flows* 2. Identify the prevailing context 3. Identify information subjects, senders, & recipients* 4. Identify transmission principles* 5. Locate applicable norms, identify significant changes 6. Prima facie assessment 7. Evaluation


1. Moral & political, threats to autonomy/freedom, power structures, fairness, justice, equality, etc.


8. Evaluation 2 1. Does the new directly impinge on values, goals of context?


9. Decide


• * Elements look a lot like other threat modeling


• Can be a lot of work in each step


LINDDUN


• Explicit mirror of STRIDE-per-element for privacy threat modeling • New proposal, unusual terminology • LINDDUN


• Linkability • Identifiability • Non-Repudiation (vs Repudiation as a security threat) • Detectability • Disclosure of Information • Content Unawareness • Policy and consent Non-compliance


Recap


• Privacy can be challenging compared to security • High potential for things to go badly wrong


• Ethically • Public relations


• Tools exist to help • Harms • The IETF’s Privacy Considerations • Privacy Impact Assessments • The Nymity Ratchet • Contextual Integrity


ISOL536 Security Architecture


and Design Week 3


“Processing Threats”


Agenda


• When to find threats • Playing chess • How to approach software • Tracking threats and assumptions • Customer/vendor • The API threat model • Reading: Chapter 7


When to Find Threats


• Start at the beginning of your project • Create a model of what you’re building


• Do a first pass for threats


• Dig deep as you work through features • Think about how threats apply to your mitigations


• Check your design & model matches as you get close to shipping


Attackers Respond to Your Defenses


Playing Chess


• The ideal attacker will follow the road you defend • Ideal attackers are like spherical cows — they’re a useful model for some


things


• Real attackers will go around your defenses • Your defenses need to be broad and deep


“Orders of Mitigation”


Order Threat Mitigation


1st Window smashing Reinforced glass


2nd Window smashing Alarm


3rd Cut alarm wire Heartbeat signal


4th Fake heartbeat Cryptographic signal integrity


By Example:


• Thus window smashing is a first order threat, cutting alarm wire, a third-order threat


• Easy to get stuck arguing about orders • Are both stronger glass & alarms 1st order


mitigations? (Who cares?!) • Focus on the concept of interplay between


mitigations & further attacks


How to Approach Software


• Depth first • The most fun and “instinctual” • Keep following threats to see where they go • Can be useful skill development, promoting “flow”


• Breadth first • The most conservative use of time • Most likely to result in good coverage


Tracking Threats and Assumptions


• There are an infinite number of ways to structure this • Use the one that works reliably for you • (Hope doesn’t work reliably)


Example Threat Tracking Tables


Diagram Element Threat Type Threat Bug ID


Data flow #4, web server to business logic


Tampering Add orders without payment checks


4553 “Need integrity controls on channel”


Info disclosure Payment instruments sent in clear


4554 “need crypto” #PCI


Threat Type Diagram Element(s) Threat Bug ID


Tampering Web browser Attacker modifies our JavaScript order checking


4556 “Add order- checking logic to server”


Data flow #2 from browser to server


Failure to authenticate


4557 “Add enforce HTTPS everywhere”


Both are fine, help you iterate over diagrams in different ways


Example Assumption Tracking


Assumption Impact if it’s wrong


Who to talk to


Who’s following up


Follow-up by date


Bug #


It’s ok to ignore denial of service within the data center


Availability will be below spec


Alice Bob April 15 4555


• Impact is sometimes so obvious it’s not worth filling out • Who to talk to is not always obvious, it’s ok to start out blank • Tracking assumptions in bugs helps you not lose track


• Treat the assumption as a bug – you need to resolve it


The Customer/Vendor Boundary • There is always a trust boundary when:


• Your code goes to someone else’s (device/premises)


• Their data comes to your code


• Lawyers, pretending do not eliminate human trust issues


• You need to think about it while deciding what happens over the data flow shown


Your software


Customer device


Your software


Your data center


Generic API Threat Model • Perform security checks inside the boundary • Copy before validation for purpose


• Is http://evil.org/pwnme.html “valid”?


• Define the purpose for data, validate near that definition • Manage error reporting • Document what checks happen where • Do crypto in constant time • Address the security requirements for your API


Recap


• When to find threats • Playing chess • How to approach software • Tracking threats and assumptions • Customer/vendor • The API threat model


What’s next?


• Quiz • Due Sunday 11:59 PM


• 10 multiple choice questions


• 20 minutes


• You have 2 chances (take highest grade)


• Reach chapters 8 and 9


Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

University Coursework Help
Helping Hand
Top Essay Tutor
Writer Writer Name Offer Chat
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$77 Chat With Writer
Helping Hand

ONLINE

Helping Hand

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$75 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$80 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Warr company is considering a project - Copper carbonate heated equation - Escience lab 1 answers - Safety commitment statement examples - Balance sheet of life - 03334 whos calling me - Purpose of a soliloquy - Health care discussion question - IDM W 2 D - Dc offset removal filter - Strategically Thinking - Fbi cover letter internship - Microeconomics - Learning Strategies for Success - World Civilization and Pre History - Contention in an essay - 5 wire cdi wiring diagram business leaders health and safety forum - Folstein mini mental state exam pdf - Consumer Behaviour - Discussion - Beyond fat city - What is an ethiope - Sample letter of extension of service - Motor electrical time constant - Nfpa 10 2018 edition - Criminal investigations 11th edition by hess and orthmann - Executive planet - Anz card services phone number - Nafta net cost method - Is hank hill autistic - Biozone unit 1 and 2 answers pdf free - Slotted line in microwave - Quiz - 1492 in roman numerals - How many valence electrons does methane have - Group Dynamics Group Development - City of thieves map - Volvo penta v6-240 review - NEED 3+ PAGES WITH 4 PEER REVIEWED REFERENCES CITED IN APA FORMAT - Technology Trends in Global Marketing - Infant sorrow william blake - Advantages and disadvantages of working from home essay - Parton v milk board - How to write a treatment plan social work - How to sanitize owl pellets - Emergency light installation instructions - Is versace publicly traded - Capstone Research Companion - Comparison of h1 and c13 nmr - Exploratory verbs examples - Social stratification - Telecomm Network Security - Case study - Project 3 - Different levels of market segmentation - Inventory coordinator cover letter - Starbucks variable costs - Walden university fnp preceptor commitment form - Example of a proverb - Holy spirit you are welcome in this place omnipotent father - Advance Pathophysiology - Human ecology current events - One Q- 250 words - Health policy and Advanced Practice Nurse - School sport unit nsw - Research Paper - Fair is foul and foul is fair literary technique - The financial statements of lioi steel fabricators - Chapter 11 dna and genes - Physical Security Final Research Project - Alice in wonderland cat name dinah - How many public baths were there in ancient rome - Juvenile justice multilabel question quiz - Chern's case study executive summary - Theoretical basis for nursing 4th edition apa citation - Discussion Study - Great gatsby study guide answers - Chemiluminescence lab answers - Act 3 scene 5 macbeth summary - One component of the ordering cost of inventory is shrinkage - Soap note for crohn's disease - 7th grade science lab procedures - Enterprise cloud computing technology architecture applications pdf - How to calculate true power - Practicum – Week 8 Journal Entry - King david strengths and weaknesses - How to calculate manufacturing plant efficiency - Discussion - Fisa rowing training programme - Which of the following statements describes french service - Should smartphones be allowed in school essay - A role set refers to - How to draw men's moe characters face & body pdf - Passive sign convention explained - Discussion Question - Anne mcarthur notre dame - Medical cover letter template - Boeing 777 power outlets - War weary decide who gets the silver - Addiction research paper outline - Charles frears school of nursing