STRIDE: Case study on Life Insurance System
Example 1: Life Insurance System
The life insurance system is modeled with the STRIDE threat modeling technique. Its data flow diagram (DFD) contains many elements, and security threats are enumerated against each of them. The generated threat report is shown in Table 1.
Table 1. Threat Generated Report
With the advent of cloud computing, the whole paradigm of computing is at a crossroads. In the next few years, a large part of computing will shift to the cloud computing model. Before that can happen, however, some fundamental problems of cloud computing must be solved. Trust in cloud computing is a very important factor: at any instant of time there must be a trustworthy relationship between the Cloud Service Provider and the Cloud Customer. Trustworthiness in the Cloud is ensured using three entities, namely a Cloud Broker, a Cloud Customer and the Cloud Service Provider. On the basis of customer feedback mechanisms, the broker awards points to the service provider's services, and the trustworthiness of the service provider is monitored using this mechanism. In this way the trust between customer, broker and service provider is ensured. A cryptographic mechanism additionally ensures the trustworthiness of the customer-broker and broker-provider relationships.
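The broker-side mechanism described above, as an added example that is not code from the original post: customers attach an authenticator to each feedback message, the broker discards feedback that fails verification, awards points per provider from what remains, and flags providers whose score falls below a threshold. The post does not name the cryptographic mechanism, so HMAC-SHA256 over a canonical JSON encoding with a per-customer shared key is assumed here; the 1..5 rating scale, the mean-rating score and the threshold value are also this example's assumptions, as are the constructed keys and identifiers.

```python
"""Broker-side trust scoring from authenticated customer feedback.

Added example (not from the original post). Assumptions: the 'cryptographic
mechanism' is HMAC-SHA256 over the feedback message under a key shared
between customer and broker; a feedback message carries a rating 1..5; the
trust score is the mean rating; providers below TRUST_THRESHOLD are flagged.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample keys; a real broker would load these from a secure store.
CUSTOMER_KEYS = {
    "cust-001": b"constructed-key-cust-001",
    "cust-002": b"constructed-key-cust-002",
}

TRUST_THRESHOLD = 3.0  # assumed: providers scoring below this are flagged for monitoring


def canonical(feedback: dict) -> bytes:
    """Serialize deterministically so customer and broker authenticate identical bytes."""
    return json.dumps(feedback, sort_keys=True, separators=(",", ":")).encode()


def sign_feedback(customer_id: str, provider_id: str, rating: int) -> dict:
    """Customer side: build a feedback message and attach its HMAC tag."""
    if not 1 <= rating <= 5:
        raise ValueError("rating must be 1..5")
    body = {"customer": customer_id, "provider": provider_id, "rating": rating}
    tag = hmac.new(CUSTOMER_KEYS[customer_id], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_feedback(msg: dict) -> bool:
    """Broker side: accept only feedback whose tag verifies under the customer's key."""
    key = CUSTOMER_KEYS.get(msg.get("customer"))
    if key is None:
        return False  # unknown customer: nothing to verify against
    body = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


def score_providers(messages):
    """Award points per provider from verified feedback only.

    Returns (scores, rejected_count); scores maps provider id to mean rating.
    """
    points = defaultdict(list)
    rejected = 0
    for msg in messages:
        if not verify_feedback(msg):
            rejected += 1
            continue
        points[msg["provider"]].append(msg["rating"])
    scores = {p: sum(r) / len(r) for p, r in points.items()}
    return scores, rejected


def untrusted_providers(scores) -> list:
    """Providers whose trust score has dropped below the threshold."""
    return sorted(p for p, s in scores.items() if s < TRUST_THRESHOLD)


if __name__ == "__main__":
    msgs = [
        sign_feedback("cust-001", "prov-A", 5),
        sign_feedback("cust-002", "prov-A", 4),
        sign_feedback("cust-001", "prov-B", 2),
    ]
    forged = sign_feedback("cust-002", "prov-B", 5)
    forged["rating"] = 1  # altered after signing: the tag no longer matches
    scores, rejected = score_providers(msgs + [forged])
    print(scores, rejected, untrusted_providers(scores))
```

The tag is computed over the whole message body, so a rating changed in transit (or a message from a customer the broker does not know) is dropped before it can move a provider's score.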
[Figure: data flow diagram of the life insurance system, STRIDE threat modeling]
Fig 1. Life insurance system using STRIDE
| No | Interaction | Threat Type | Category | Description | Priority |
|---|---|---|---|---|---|
| 1 | Authentication customer | Elevation Using Impersonation | Elevation Of Privilege | Service request may be able to impersonate the context of Cloud broker in order to gain additional privilege. | High |
| 2 | Authentication customer | Spoofing the Human User External Entity | Spoofing | Cloud broker may be spoofed by an attacker and this may lead to unauthorized access to Service request. Consider using a standard authentication mechanism to identify the external entity. | High |
| 3 | Authentication process | Cross Site Scripting | Tampering | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 4 | Authentication process | Spoofing the Customer External Entity | Spoofing | Customer may be spoofed by an attacker and this may lead to unauthorized access to Web Server. Consider using a standard authentication mechanism to identify the external entity. | High |
| 5 | Authentication process | Elevation Using Impersonation | Elevation Of Privilege | Web Server may be able to impersonate the context of Customer in order to gain additional privilege. | High |
| 6 | Authentication process | Potential Data Repudiation by Web Server | Repudiation | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | High |
| 7 | Authentication process | Potential Process Crash or Stop for Web Server | Denial Of Service | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. | High |
| 8 | Authentication process | Data Flow Authentication process Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 9 | Authentication process | Web Server May be Subject to Elevation of Privilege Using Remote Code Execution | Elevation Of Privilege | Customer may be able to remotely execute code for Web Server. | High |
| 10 | Authentication process | Elevation by Changing the Execution Flow in Web Server | Elevation Of Privilege | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. | High |
| 11 | Cust registration details | Spoofing of Destination Data Store Customer Database | Spoofing | Customer Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Customer Database. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 12 | Cust registration details | Potential SQL Injection Vulnerability for Customer Database | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 13 | Cust registration details | Potential Excessive Resource Consumption for Customer registration or Customer Database | Denial Of Service | Does Customer registration or Customer Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 14 | Customer details | Elevation Using Impersonation | Elevation Of Privilege | Customer registration may be able to impersonate the context of Cloud broker in order to gain additional privilege. | High |
| 15 | Customer details | Cross Site Scripting | Tampering | The web server 'Customer registration' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 16 | Customer details | Spoofing the Human User External Entity | Spoofing | Cloud broker may be spoofed by an attacker and this may lead to unauthorized access to Customer registration. Consider using a standard authentication mechanism to identify the external entity. | High |
| 17 | Customer details | Potential Data Repudiation by Customer registration | Repudiation |  | High |
| 18 | Customer details | Potential Process Crash or Stop for Customer registration | Denial Of Service | Customer registration crashes, halts, stops or runs slowly; in all cases violating an availability metric. | High |
| 19 | Customer details | Data Flow Customer details Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 20 | Customer details | Customer registration May be Subject to Elevation of Privilege Using Remote Code | Elevation Of Privilege | Cloud broker may be able to remotely execute code for Customer registration. | High |
| 21 | Customer details | Elevation by Changing the Execution Flow in Customer registration | Elevation Of Privilege | An attacker may pass data into Customer registration in order to change the flow of program execution within Customer registration to the attacker's choosing. | High |
| 22 | Customer details | Elevation Using Impersonation | Elevation Of Privilege | Insurance process may be able to impersonate the context of Manage insurance details in order to gain additional privilege. | High |
| 23 | Customer details | Cross Site Scripting | Tampering | The web server 'Insurance process' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 24 | Customer details | Manage insurance details Process Memory Tampered | Tampering | If Manage insurance details is given access to memory, such as shared memory or pointers, or is given the ability to control what Insurance process executes (for example, passing back a function pointer), then Manage insurance details can tamper with Insurance process. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it. | High |
| 25 | Feedback details | Cross Site Scripting | Tampering | The web server 'Feedback about provider' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 26 | Feedback details | Elevation Using Impersonation | Elevation Of Privilege | Feedback about provider may be able to impersonate the context of Service request in order to gain additional privilege. | High |
| 27 | Feedback request | Cross Site Scripting | Tampering | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 28 | Feedback request | Elevation Using Impersonation | Elevation Of Privilege | Web Server may be able to impersonate the context of Feedback about provider in order to gain additional privilege. | High |
| 29 | HTTPS | Cross Site Scripting | Tampering | The web server 'Key generation' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 30 | HTTPS | Elevation Using Impersonation | Elevation Of Privilege | Key generation may be able to impersonate the context of Customer registration in order to gain additional privilege. | High |
| 31 | HTTPS | Collision Attacks | Tampering | Attackers who can send a series of packets or messages may be able to overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases. | High |
| 32 | HTTPS | Replay Attacks | Tampering | Packets or messages without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Implement or utilize an existing communication protocol that supports anti-replay techniques (investigate sequence numbers before timers) and strong integrity. | High |
| 33 | HTTPS | Weak Authentication Scheme | Information Disclosure | Custom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, downgrade authentication or a weak credential change management system. Consider the impact and potential mitigations for your custom authentication scheme. | High |
| 34 | HTTPS | Cross Site Scripting | Tampering | The web server 'Key generation' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 35 | HTTPS | Elevation Using Impersonation | Elevation Of Privilege | Key generation may be able to impersonate the context of Provider registration in order to gain additional privilege. | High |
| 36 | HTTPS | Weak Authentication Scheme | Information Disclosure | Custom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, downgrade authentication or a weak credential change management system. Consider the impact and potential mitigations for your custom authentication scheme. | High |
| 37 | HTTPS | Replay Attacks | Tampering | Packets or messages without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Implement or utilize an existing communication protocol that supports anti-replay techniques (investigate sequence numbers before timers) and strong integrity. | High |
| 38 | HTTPS | Collision Attacks | Tampering | Attackers who can send a series of packets or messages may be able to overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases. | High |
| 39 | Provider details | Elevation Using Impersonation | Elevation Of Privilege | Provider registration may be able to impersonate the context of Cloud broker in order to gain additional privilege. | High |
| 40 | Provider details | Cross Site Scripting | Tampering | The web server 'Provider registration' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 41 | Provider details | Spoofing the Human User External Entity | Spoofing | Cloud broker may be spoofed by an attacker and this may lead to unauthorized access to Provider registration. Consider using a standard authentication mechanism to identify the external entity. | High |
| 42 | Provider details | Potential Data Repudiation by Provider registration | Repudiation | Provider registration claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | High |
| 43 | Provider details | Potential Process Crash or Stop for Provider registration | Denial Of Service | Provider registration crashes, halts, stops or runs slowly; in all cases violating an availability metric. | High |
| 44 | Provider details | Data Flow Provider details Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 45 | Provider details | Provider registration May be Subject to Elevation of Privilege Using Remote Code Execution | Elevation Of Privilege | Cloud broker may be able to remotely execute code for Provider registration. | High |
| 46 | Provider details | Elevation by Changing the Execution Flow in Provider registration | Elevation Of Privilege | An attacker may pass data into Provider registration in order to change the flow of program execution within Provider registration to the attacker's choosing. | High |
| 47 | Public keys | Spoofing of Destination Data Store SQL Database | Spoofing | SQL Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 48 | Public keys | Potential SQL Injection Vulnerability for SQL Database | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 49 | Public keys | Potential Excessive Resource Consumption for Key generation or SQL Database | Denial Of Service | Does Key generation or SQL Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 50 | Register provider details | Spoofing of Destination Data Store Provider Database | Spoofing | Provider Database may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Provider Database. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 51 | Register provider details | Potential SQL Injection Vulnerability for Provider Database | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 52 | Register provider details | Potential Excessive Resource Consumption for Provider registration or Provider Database | Denial Of Service | Does Provider registration or Provider Database take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 53 | Registration request | Spoofing the Customer External Entity | Spoofing | Customer may be spoofed by an attacker and this may lead to unauthorized access to Web Server. Consider using a standard authentication mechanism to identify the external entity. | High |
| 54 | Registration request | Cross Site Scripting | Tampering | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 55 | Registration request | Elevation Using Impersonation | Elevation Of Privilege | Web Server may be able to impersonate the context of Customer in order to gain additional privilege. | High |
| 56 | Registration request | Potential Data Repudiation by Web Server | Repudiation | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | High |
| 57 | Registration request | Potential Process Crash or Stop for Web Server | Denial Of Service | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. | High |
| 58 | Registration request | Data Flow Registration request Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 59 | Registration request | Web Server May be Subject to Elevation of Privilege Using Remote Code Execution | Elevation Of Privilege | Customer may be able to remotely execute code for Web Server. | High |
| 60 | Registration request | Elevation by Changing the Execution Flow in Web Server | Elevation Of Privilege | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. | High |
| 61 | Registration request | External Entity Cloud broker Potentially Denies Receiving Data | Repudiation | Cloud broker claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | High |
| 62 | Registration request | Data Flow Registration request Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 63 | Requested service transaction status | Spoofing of the Customer External Destination Entity | Spoofing | Customer may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Customer. Consider using a standard authentication mechanism to identify the external entity. | High |
| 64 | Requested service transaction status | External Entity Customer Potentially Denies Receiving Data | Repudiation | Customer claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | High |
| 65 | Requested service transaction status | Data Flow Requested service transaction status Is Potentially Interrupted | Denial Of Service | An external agent interrupts data flowing across a trust boundary in either direction. | High |
| 66 | Send service request | Cross Site Scripting | Tampering | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 67 | Send service request | Elevation Using Impersonation | Elevation Of Privilege | Web Server may be able to impersonate the context of Service request in order to gain additional privilege. | High |
| 68 | Update Customer insurance details | Spoofing of Destination Data Store Customer Insurance details | Spoofing | Customer Insurance details may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Customer Insurance details. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 69 | Update Customer insurance details | Potential SQL Injection Vulnerability for Customer Insurance details | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 70 | Update Customer insurance details | Potential Excessive Resource Consumption for Insurance process or Customer Insurance details | Denial Of Service | Does Insurance process or Customer Insurance details take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 71 | Update feedback info | Spoofing of Destination Data Store Feedback | Spoofing | Feedback may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Feedback. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 72 | Update feedback info | Potential SQL Injection Vulnerability for Feedback | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 73 | Update feedback info | Potential Excessive Resource Consumption for Feedback about provider or Feedback | Denial Of Service | Does Feedback about provider or Feedback take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 74 | Update insurance details | Spoofing of Destination Data Store Insurance info | Spoofing | Insurance info may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Insurance info. Consider using a standard authentication mechanism to identify the destination data store. | High |
| 75 | Update insurance details | Potential SQL Injection Vulnerability for Insurance info | Tampering | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. | High |
| 76 | Update insurance details | Potential Excessive Resource Consumption for Manage insurance details or Insurance info | Denial Of Service | Does Manage insurance details or Insurance info take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout. | High |
| 77 | verify service provider TM | Spoofing of Source Data Store Feedback | Spoofing | Feedback may be spoofed by an attacker and this may lead to incorrect data delivered to Trustworthy monitoring. Consider using a standard authentication mechanism to identify the source data store. | High |
| 78 | verify service provider TM | Cross Site Scripting | Tampering | The web server 'Trustworthy monitoring' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. | High |
| 79 | verify service provider TM | Persistent Cross Site Scripting | Tampering | The web server 'Trustworthy monitoring' could be subject to a persistent cross-site scripting attack because it does not sanitize data store 'Feedback' inputs and output. | High |
| 80 | verify service provider TM | Weak Access Control for a Resource | Information Disclosure | Improper data protection of Feedback can allow an attacker to read information not intended for disclosure. Review authorization settings. | High |
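Rows 12, 15, 56 and 79 of the report describe one data flow, customer registration, from three sides: SQL text built from untrusted input, untrusted input echoed into HTML without sanitization, and a server that cannot prove what it received. The following is an added example, not code from the original post, showing the vulnerable handling beside the hardened form. It assumes Python's standard-library sqlite3 as a stand-in for the SQL Server instance the report names; the table layout, the audit record (source, UTC time, SHA-256 digest of the received data, following the report's own mitigation wording) and the sample input are constructed for the example.

```python
"""Customer registration data flow: vulnerable handling beside the hardened form.

Added example, not code from the original post. Assumptions: sqlite3 stands in
for the SQL Server instance named in the report; table layout, audit record
format and sample input are constructed for this example.
"""
import hashlib
import html
import sqlite3
from datetime import datetime, timezone


def new_db() -> sqlite3.Connection:
    """Constructed schema standing in for 'Customer Database'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE audit (source TEXT, ts TEXT, digest TEXT)")
    return conn


def register_vulnerable(conn, name: str, email: str) -> None:
    """Row 12: untrusted input is concatenated into the statement text, so a
    quote in the data is parsed as SQL syntax rather than stored as data."""
    sql = f"INSERT INTO customers VALUES ('{name}', '{email}')"
    conn.execute(sql)


def summary_digest(name: str, email: str) -> str:
    """Summary of the received data for the audit record (rows 6, 56)."""
    return hashlib.sha256(f"{name}\n{email}".encode()).hexdigest()


def register_hardened(conn, source: str, name: str, email: str) -> None:
    """Parameterized INSERT (data never reaches the SQL parser as syntax) plus an
    audit record of source, time and a digest of what was received."""
    conn.execute("INSERT INTO customers VALUES (?, ?)", (name, email))
    conn.execute(
        "INSERT INTO audit VALUES (?, ?, ?)",
        (source, datetime.now(timezone.utc).isoformat(), summary_digest(name, email)),
    )
    conn.commit()


def render_profile_unsafe(conn, email: str) -> str:
    """Row 79: stored data is interpolated into HTML unescaped, so any markup a
    registrant supplied is rendered by every later viewer."""
    (name,) = conn.execute("SELECT name FROM customers WHERE email = ?", (email,)).fetchone()
    return f"<p>Welcome, {name}</p>"


def render_profile_safe(conn, email: str) -> str:
    """Escape at the output point; the stored value is kept intact."""
    (name,) = conn.execute("SELECT name FROM customers WHERE email = ?", (email,)).fetchone()
    return f"<p>Welcome, {html.escape(name)}</p>"


def demo() -> dict:
    """Run both handlers on one constructed input containing a quote and markup."""
    conn = new_db()
    tricky_name = "O'Brien <b>bold</b>"  # constructed sample input
    try:
        register_vulnerable(conn, tricky_name, "a@example.com")
        vulnerable_failed = False
    except sqlite3.OperationalError:
        vulnerable_failed = True  # the quote broke the statement: data reached the parser
    register_hardened(conn, "203.0.113.7", tricky_name, "a@example.com")
    return {
        "vulnerable_failed": vulnerable_failed,
        "unsafe_html": render_profile_unsafe(conn, "a@example.com"),
        "safe_html": render_profile_safe(conn, "a@example.com"),
        "audit_rows": conn.execute("SELECT COUNT(*) FROM audit").fetchone()[0],
        "audit_digest": conn.execute("SELECT digest FROM audit").fetchone()[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The input deliberately contains only a quote and a bold tag: that is enough to show the concatenated statement failing to parse and the unescaped page carrying the registrant's markup, while the parameterized path stores the same string unchanged and the escaped renderer neutralizes it.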
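Rows 31 and 32 (repeated as 38 and 37) raise two message-level threats on the HTTPS data flow: overlapping packets that overwrite earlier data, with the report's own example of 100 bytes at offset 0 followed by 100 bytes at offset 25, and replay of messages that carry no sequence number. The receiver below is an added example, not code from the original post. It assumes a message format of (seq, offset, payload) authenticated by HMAC-SHA256 under a shared key; the sliding window size, the reject-on-overlap policy and the constructed traffic are this example's choices.

```python
"""Receiver-side checks for the HTTPS data-flow threats in the report: replay
attacks (rows 32, 37) and overlapping data, listed as collision attacks (rows 31, 38).

Added example, not code from the original post. Assumed message format:
(seq, offset, payload) with an HMAC-SHA256 tag under a shared key. Window size
and the reject-on-overlap policy are this example's choices.
"""
import hashlib
import hmac

KEY = b"constructed-shared-key"  # constructed for the example, not a real secret
WINDOW = 64  # sequence numbers this far behind the highest seen are still tracked


def make_message(seq: int, offset: int, payload: bytes) -> dict:
    """Sender side: bind seq and offset into the tag so neither can be altered."""
    header = f"{seq}:{offset}:".encode()
    tag = hmac.new(KEY, header + payload, hashlib.sha256).hexdigest()
    return {"seq": seq, "offset": offset, "payload": payload, "tag": tag}


def verify_tag(msg: dict) -> bool:
    """Receiver side: strong integrity check before any other processing."""
    header = f"{msg['seq']}:{msg['offset']}:".encode()
    expected = hmac.new(KEY, header + msg["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class ReplayGuard:
    """Sliding-window anti-replay check on sequence numbers (no clock required)."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.highest = -1
        self.seen = set()

    def accept(self, seq: int) -> bool:
        if seq <= self.highest - self.window:  # older than the window: cannot vouch for it
            return False
        if seq in self.seen:  # exact replay of a message already processed
            return False
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True


class Reassembler:
    """Collects byte ranges and refuses any range that overlaps data already held."""

    def __init__(self):
        self.segments = {}  # offset -> payload

    def add(self, offset: int, data: bytes) -> bool:
        end = offset + len(data)
        for held_off, held in self.segments.items():
            if offset < held_off + len(held) and held_off < end:
                return False  # overlap: a later packet must not overwrite an earlier one
        self.segments[offset] = data
        return True

    def assemble(self):
        """Return the contiguous stream, or None if a gap remains."""
        out = b""
        for off in sorted(self.segments):
            if off != len(out):
                return None
            out += self.segments[off]
        return out


def receive(messages):
    """Apply tag, replay and overlap checks in that order; return (stream, rejections)."""
    guard, reasm, rejected = ReplayGuard(), Reassembler(), []
    for m in messages:
        if not verify_tag(m):
            rejected.append((m["seq"], "bad-tag"))
        elif not guard.accept(m["seq"]):
            rejected.append((m["seq"], "replay"))
        elif not reasm.add(m["offset"], m["payload"]):
            rejected.append((m["seq"], "overlap"))
    return reasm.assemble(), rejected


def demo():
    """Constructed traffic mirroring the report's example (100 bytes at offset 0,
    then 100 bytes at offset 25), plus a replayed message and a tampered one."""
    m1 = make_message(1, 0, b"A" * 100)
    m2 = make_message(2, 25, b"B" * 100)
    m3 = make_message(3, 100, b"C" * 20)
    tampered = make_message(4, 120, b"D" * 5)
    tampered["payload"] = b"X" * 5  # altered in transit: tag no longer verifies
    return receive([m1, m2, m1, tampered, m3])


if __name__ == "__main__":
    print(demo())
```

Checks run in the order integrity, freshness, placement: a forged message never reaches the replay window, and a replayed message never reaches the reassembler, so each rejection reason names the first control that stopped it. Rejecting rather than merging an overlapping segment is the conservative reading of the report's advice to handle such cases explicitly.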