Interaction-Based Privacy Threat Elicitation
Laurens Sion, Kim Wuyts, Koen Yskout, Dimitri Van Landuyt, Wouter Joosen
27th April 2018 – IWPE2018 – London, United Kingdom
Importance of Considering Privacy by Design
› Data breaches
  [Chart: number of data breaches per year, grouped by data sensitivity level 1 (e.g., email, online info), 2 (SSN, personal details), 3 (e.g., credit card info), 4 (e.g., health records), 5 (full bank account details). Data: Information is Beautiful, World's Biggest Data Breaches]
  [Chart: number of records lost per year, 2004–2018, in millions (axis 10 to 10000). Data: Information is Beautiful, World's Biggest Data Breaches]
› Users' view inconsistent with collection/usage
› Increasingly legislated: GDPR mandates privacy by design
Realizing Privacy by Design
› GDPR mentions risk > 70 times
› Appropriate technical measures: identify issues
› Accountability: demonstrate compliance
Privacy Threat Modeling Steps
1. Model: model the system
2. Map: map the LINDDUN threat types to the model
3. Elicit and Document: elicit and document privacy threats

Step 1, Model: DFD model of the system. Example DFD elements: 1. User, 2. Portal, 3. Service, 4. Social network data.

Step 2, Map: map the LINDDUN threat types to the model, starting from the template mapping (X = threat type applies to that DFD element type):

Element type | L | I | N | D | D | U | N
Data store   | X | X | X | X | X |   | X
Data flow    | X | X | X | X | X |   | X
Process      | X | X | X | X | X |   | X
Entity       | X | X |   |   |   | X |

Instantiated for the example system (marks as on the slide; the lowercase x and the X* are the slide's own annotations):

Threat target                  | Element type | L | I | N | D | D | U | N
Social network db              | Data store   | X | X | x | x | X |   | X*
User data stream (user-portal) | Data flow    | ...

Step 3, Elicit and Document: elicit and document privacy threats, supported by the LINDDUN threat tree catalog and the mitigation taxonomy.
The LINDDUN Privacy Framework
› Linkability
› Identifiability
› Non-repudiation
› Detectability
› Disclosure of Information
› Unawareness
› Non-compliance
Issues with Element-Based Elicitation
› Undiscovered threats
  [Figure: a single Process with two interactions, A and B. Single threat?]
› Inapplicable threats
  [Figure: Client–Server. Detectability threats on processes]
› Redundant threats
  [Figure: Client–Server. Detectability threats on processes]
Element- vs. Interaction-based Elicitation
› Take local context into account: more explicit and precise
› Threats not caused by elements but through interactions
› #interactions < #elements
› Less or more threats?
› Lack of consensus on the most appropriate approach
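The Map step from the threat modeling slides and the element- versus interaction-based comparison above, as an added example in Python (not code from the slides or from the LINDDUN project): it encodes the template mapping table and the four-element example DFD, and counts how many threat targets and candidate threats each approach produces. The element types assigned to User, Portal, Service and Social network data, the three data flows, and the rule that an interaction is a data flow together with its source and destination whose candidate threat types are the union of the three elements' template marks are assumptions made for this example, not the paper's method.

```python
"""Element- vs. interaction-based LINDDUN threat elicitation on a small DFD.

Added example, not code from the slides or the LINDDUN project. It encodes
the LINDDUN template mapping and the four-element example DFD from the
slides; the element types, the data flows and the rule used to build
interactions are assumptions made here for illustration.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# LINDDUN threat categories, in the order of the acronym.
CATEGORIES = (
    "Linkability", "Identifiability", "Non-repudiation", "Detectability",
    "Disclosure of information", "Unawareness", "Non-compliance",
)
_ALL = frozenset(CATEGORIES)

# Template mapping as on the slides (an X in the table): Unawareness applies
# to entities only; entities get Linkability, Identifiability, Unawareness.
TEMPLATE: Dict[str, FrozenSet[str]] = {
    "entity":     frozenset({"Linkability", "Identifiability", "Unawareness"}),
    "process":    _ALL - {"Unawareness"},
    "data store": _ALL - {"Unawareness"},
    "data flow":  _ALL - {"Unawareness"},
}


class Flow(NamedTuple):
    name: str
    source: str
    destination: str


class DFD(NamedTuple):
    nodes: Dict[str, str]   # element name -> element type
    flows: List[Flow]


# Example DFD from the slides. Element types and the three flows are
# assumptions made for this example: User -> Portal -> Service -> store.
EXAMPLE = DFD(
    nodes={
        "User": "entity",
        "Portal": "process",
        "Service": "process",
        "Social network data": "data store",
    },
    flows=[
        Flow("User data stream (user-portal)", "User", "Portal"),
        Flow("Portal-service request", "Portal", "Service"),
        Flow("Service-store query", "Service", "Social network data"),
    ],
)

Threat = Tuple[str, str]  # (threat target, threat category)


def element_based(dfd: DFD) -> List[Threat]:
    """Map step of classic LINDDUN: every element, data flows included, is a
    threat target and receives all categories marked for its element type."""
    threats: List[Threat] = []
    for name, kind in dfd.nodes.items():
        threats += [(name, c) for c in CATEGORIES if c in TEMPLATE[kind]]
    for flow in dfd.flows:
        threats += [(flow.name, c) for c in CATEGORIES if c in TEMPLATE["data flow"]]
    return threats


def interactions(dfd: DFD) -> List[Tuple[str, Flow, str]]:
    """Assumed construction: an interaction is a data flow plus its source and
    destination element."""
    return [(f.source, f, f.destination) for f in dfd.flows]


def interaction_based(dfd: DFD) -> List[Threat]:
    """Assumed interaction-based rule: the whole interaction is the threat
    target; a category is a candidate if the template marks it for the source,
    the flow or the destination. The local context (who sends what to whom)
    is part of the target, so each candidate can later be judged in place."""
    threats: List[Threat] = []
    for src, flow, dst in interactions(dfd):
        applicable = (TEMPLATE[dfd.nodes[src]] | TEMPLATE["data flow"]
                      | TEMPLATE[dfd.nodes[dst]])
        target = f"{src} -> {dst} via {flow.name}"
        threats += [(target, c) for c in CATEGORIES if c in applicable]
    return threats


def counts(dfd: DFD) -> Dict[str, int]:
    """Number of threat targets and candidate threats under each approach."""
    return {
        "elements": len(dfd.nodes) + len(dfd.flows),
        "interactions": len(interactions(dfd)),
        "element_based_threats": len(element_based(dfd)),
        "interaction_based_threats": len(interaction_based(dfd)),
    }


def mapping_table(dfd: DFD) -> str:
    """Render the 'threat target' table of the Map step (X = applicable)."""
    rows = ["Threat target".ljust(36) + " ".join("LINDDUN")]
    targets = list(dfd.nodes.items()) + [(f.name, "data flow") for f in dfd.flows]
    for name, kind in targets:
        marks = " ".join("X" if c in TEMPLATE[kind] else "-" for c in CATEGORIES)
        rows.append(f"{name[:35].ljust(36)}{marks}  ({kind})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(mapping_table(EXAMPLE))
    print(counts(EXAMPLE))
```

Running the block prints the threat-target table and the counts. For this DFD there are 7 element-level targets but only 3 interactions, so the inequality on the slide holds; under the assumed union rule the interaction-based pass yields 19 candidates against 39 for the element-based pass, each carrying its source, flow and destination. Whether a different rule yields fewer or more threats is exactly the open question the slide raises.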
Interaction-based LINDDUN
  [Figure: Client–Server interaction]
LINDDUN Examples
› Full LINDDUN table of threats
› Concrete examples, e.g.: Website (S) showing incorrect password error reveals account existence.
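The "incorrect password" example above, as an added Python illustration that is not from the slides: the leaky form answers differently for an unknown account and for a wrong password, which is what reveals account existence, next to a form that answers identically in both cases and does the same password-hashing work in both so that response timing does not reintroduce the distinction. The user store and the credentials are constructed for the example.

```python
"""Account-existence disclosure through login error messages.

Added example, not from the slides. The 'leaky' login check answers
'Unknown account' or 'Incorrect password', so the reply alone tells whether
the account exists. The 'uniform' check returns one message for both cases
and always runs the password hash, so neither the text nor the timing of the
reply depends on whether the username exists. User store is constructed.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so the uniform check does the same work for unknown users.
_DUMMY = (os.urandom(16), _hash("placeholder", os.urandom(16)))


def login_leaky(username: str, password: str) -> str:
    """Reply distinguishes 'no such account' from 'wrong password'."""
    if username not in USERS:
        return "Unknown account"
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return "OK"
    return "Incorrect password"


def login_uniform(username: str, password: str) -> str:
    """Same reply for an unknown user and a wrong password.

    The hash is always computed (against a dummy credential if the user is
    unknown) and compared in constant time, and the 'username in USERS'
    check is evaluated only after that work so the code path is the same.
    """
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


if __name__ == "__main__":
    for user, pw in (("alice", "wrong"), ("bob", "wrong")):
        print(f"leaky:   {user!r} -> {login_leaky(user, pw)}")
        print(f"uniform: {user!r} -> {login_uniform(user, pw)}")
```

The printed pairs show the point: the leaky variant gives two different answers for alice and bob, the uniform variant gives the same one. The dummy credential matters as much as the message text, because skipping the hash for unknown users would make the reply measurably faster for them.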
Qualities
› Expressivity
› Elimination of inapplicable threat types
› Finding undiscovered threats
› Effort-precision trade-off
Discussion
› Semantics and ambiguities of privacy threats
› Threat trees
› Usage & tool support
› Granularity for threat elicitation
Conclusion
› Element-based elicitation is sub-optimal
› Interaction-based LINDDUN extension
› Provide detailed LINDDUN interaction examples
› Beyond interaction-based: to DFD patterns
Questions? Thank you!