Lecture 8 - Planning for and Mitigating the Impact of Attacks Targeting IoT-Based Systems Flashcards

(15 cards)

1
Q

Threat modelling -

A

is the process of analyzing systems to identify potential attacks or failures and deciding on the right controls to reduce risk. It helps detect security issues early, supports risk management, clarifies security requirements, and leads to better, more secure products.

2
Q

Threat -

A

A threat is a potential security harm to an asset, e.g., modification of device credentials, compromise of software components in cloud services, or denial of specific services. A threat materializes when an attack succeeds. Threats exploit vulnerabilities. E.g., a deliberate attempt to violate the access policy of a server.

3
Q

Asset -

A

Assets are anything valuable in an IoT (Internet of Things) system.
• IoT Devices – Send and receive data
• Users – People who use or control the system
• Facilities – Physical locations that house system operations

  • Tangible assets: hardware, laptops, tablets, network devices.
  • Intangible assets: reputation, information and data, software, capability, function.
4
Q

What is the systematic approach in threat modelling? -

A
  • Step 1: Decompose the application/system.
  • Step 2: Determine and rank threats.
  • Step 3: Determine countermeasures/mitigation.
5
Q

Describe Step 1: Decompose the application/system -

A

Break down the system to understand how it works and where risks may exist. First, basic information to understand the system being analyzed:

  • Application name: name of the system.
  • Application Version: version of system.
  • Description: high-level description of system.
  • Document owner: owner of threat model document.
  • Participants: individuals involved in the process.
  • Reviewer: person reviewing threat model.
6
Q

Describe Step 1: Decompose the application/system -> external dependencies, trust level, entry points, assets and data flow diagrams.

A
  • External dependencies: map external dependencies using ID and description.
  • Trust Levels: Define access rights for external users or systems. Used to map required privileges at entry points and for accessing assets. Include ID, name, and description.
  • Entry points: Show where data enters the system; map entry points using ID, name, description and trust level.
  • Exit Points: Identify where data leaves the system. Threats may be triggered by entry point events and potentially exploited by attackers.
  • Assets: Items of interest to the threat agent; document assets using ID, name, description and trust level.
  • Data Flow Diagrams (DFD): Help model and understand how data flows in the system. Provide a visual representation of data processing. Common notations: Yourdon & De Marco, Gane & Sarson, SSADM, Unified.
7
Q

Describe Step 2: Determine and rank threats -

A
  • Threat Identification/Categorisation: Use a methodology (e.g., PASTA, STRIDE) to identify threats in a structured, repeatable way.
  • Ranking of threats → DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability). DREAD provides a subjective process to rank threats. It is a risk assessment model that assigns values to the different factors of a threat that can affect a system.
  • Disadvantages of DREAD: DREAD’s subjective ratings limit its adoption. While it helps prioritize risks, it lacks objectivity.
  • Alternative Model: A qualitative risk model ranks threats as Low, Medium, or High, useful when costs are hard to quantify.
  • Risk Assessment Method: The qualitative risk assessment matrix is an alternative, combining severity and likelihood to rank risks.
8
Q

STRIDE threat list -

A
  • Spoofing: Pretending to be someone else to misuse authority. Violates authentication.
  • Tampering: Altering asset settings to gain more privileges. Violates integrity.
  • Repudiation: Denying actions to avoid responsibility. Violates non-repudiation.
  • Information Disclosure: Exposing sensitive data, risking penalties. Violates confidentiality.
  • Denial of Service: Making assets temporarily unavailable. Violates availability.
  • Elevation of Privilege: Gaining unauthorized privileges. Violates authorization.
9
Q

DREAD -

A

DREAD helps rank threats based on five factors:

  • Damage - how big would the damage be if the attack succeeded?
  • Reproducibility - how easy is it to reproduce an attack?
  • Exploitability - how much time, effort, and expertise is needed to exploit the threat?
  • Affected users - if the threat were exploited, what percentage of users would be affected?
  • Discoverability - how easy is it for an attacker to discover this threat?

Rank each factor with a number (1-3), sum the values to get a score, and use the scores to compare threats.
10
Q

Describe step 3: Determine countermeasures/mitigation -

A

Application Security Frame (ASF): threats and countermeasures. This step focuses on identifying actions or strategies to reduce or eliminate the risks identified.

  • Countermeasures: Authentication (protect credentials with encryption, strong passwords). Authorization (strong ACLs, role-based access). User and session management (no sensitive information stored in clear text in cookies; the content of authentication cookies is encrypted).
  • Use STRIDE to detect threats and connect mitigation techniques.
11
Q

Firmware reversing -

A

The process of analyzing and understanding the inner workings of an IoT device. It involves examining the device’s filesystem and interfaces. This can reveal critical information like hardcoded data, security flaws, and login credentials. Many IoT devices use Linux-based systems. A common vulnerability is weak or hardcoded passwords, which can lead to unauthorized access.

12
Q

Protecting password file -

A

The password file (/etc/passwd, /etc/shadow) stores usernames and passwords, and attackers may target it.

  • Protection Methods: Cryptographic protection and OS-enforced access control.
  • Hash functions: Easy to compute but hard to reverse. Instead of storing passwords, the hash of the password is saved. When a user logs in, the system hashes the entered password and compares it with the stored hash. To prevent dictionary attacks, a salt is added to the password before hashing, making identical passwords appear different in the file.
13
Q

Rainbow table attack -

A

A rainbow table is a large table of precomputed hash values used to quickly reverse hashes into their original passwords. It relies on a space-time tradeoff: it saves time by storing precomputed hashes but uses a lot of space. Rainbow tables are specific to the hash function they were created for.

14
Q

Password selecting strategy -

A
  • user education,
  • reactive password checking,
  • system-generated passwords, and
  • a complex password policy.
15
Q

Main password cracking strategies -

A
  • Exhaustive search (brute force): try all possible combinations of valid symbols up to a certain length, e.g., try all 4-digit numbers to guess a device PIN code.
  • Intelligent search: search through a restricted name space, e.g., using a wordlist; a dictionary attack is an example of this approach.