Interaction-Based Privacy Threat Elicitation (PowerPoint presentation)


  1. Interaction-Based Privacy Threat Elicitation – Laurens Sion, Kim Wuyts, Koen Yskout, Dimitri Van Landuyt, Wouter Joosen – 27th April 2018 – IWPE2018 – London, United Kingdom

  2-5. Importance of Considering Privacy by Design
  › Data breaches
  [Chart: number of data breaches per year, grouped by data sensitivity: 1 (e.g., email, online info), 2 (SSN, personal details), 3 (e.g., credit card info), 4 (e.g., health records), 5 (full bank account details). Data: Information is Beautiful, World's Biggest Data Breaches]
  [Chart: number of records lost per year, in millions (log scale), 2004-2018. Data: Information is Beautiful, World's Biggest Data Breaches]
  › Users' view inconsistent with collection/usage
  › Increasingly legislated: GDPR mandates privacy by design

  6-8. Realizing Privacy by Design
  › GDPR mentions risk more than 70 times
  › Appropriate technical measures: identify issues
  › Accountability: demonstrate compliance

  9. Privacy Threat Modeling Steps: Model, Map, Elicit and Document
  › Model the system
  › Map the LINDDUN threat types to the model
  › Elicit and document privacy threats

  10. Privacy Threat Modeling Steps: Model
  › DFD model of the system
  [DFD figure: 1. User (entity); 2. Portal and 3. Service (processes); 4. Social network data (data store)]

  11-12. Privacy Threat Modeling Steps: Map
  › Map the LINDDUN threat types to the model

  13-17. Privacy Threat Modeling Steps: Map
  › Map the LINDDUN threat types to the model
  Template mapping (columns: L = Linkability, I = Identifiability, N = Non-repudiation, D = Detectability, D = Disclosure of information, U = Unawareness, N = Non-compliance):
  | DFD element | L | I | N | D | D | U | N |
  | Data store  | X | X | X | X | X |   | X |
  | Data flow   | X | X | X | X | X |   | X |
  | Process     | X | X | X | X | X |   | X |
  | Entity      | X | X |   |   |   | X |   |
  Mapping applied to the example DFD (marks as on the slide: X, x, X*):
  | Threat target                  | Element type | L | I | N | D | D  | U | N  |
  | Social network db              | Data store   | X | X | x | x | X  |   | X* |
  | User data stream (user-portal) | Data flow    | ...                            |
  | ...                            |              |                                |

  18. Privacy Threat Modeling Steps: Elicit and Document
  › Elicit and document privacy threats

  19-20. Privacy Threat Modeling Steps: Elicit and Document
  › Elicit and document privacy threats for the mapped threat targets (Social network db (data store), User data stream (user-portal) (data flow), ...)
  › Threat tree catalog
  › Mitigation taxonomy

  22. The LINDDUN Privacy Framework
  › Linkability
  › Identifiability
  › Non-repudiation
  › Detectability
  › Disclosure of information
  › Unawareness
  › Non-compliance

  23-35. Issues with Element-Based Elicitation
  › Undiscovered threats
  [Figure: a process with data flows A and B; "Single threat?"]
  › Inapplicable threats
  [Figure: Client - Server; detectability threats on processes]
  › Redundant threats
  [Figure: Client - Server; detectability threats on processes]

  36. Element- vs. Interaction-based Elicitation
  › Take local context into account: more explicit and precise
  › Threats are not caused by elements but arise through interactions
  › #interactions < #elements: less or more threats?
  › Lack of consensus on the most appropriate approach

  37-40. Interaction-based LINDDUN
  [Figure: Client - Server interaction]
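The comparison on slides 36-40 and the template mapping of slides 13-17 can be made concrete in code. The following is an added example written for this page, not tooling from the paper or the LINDDUN project: it encodes LINDDUN's per-element template mapping, applies it to a constructed DFD that follows the social-network example on the slides (the flow names `portal request` and `profile query` are assumptions), and contrasts element-based elicitation with an interaction-based pass. The interaction rule used here (one threat per type per (source, data flow, destination), with the types taken from the three participants) is an illustrative assumption chosen to show where the redundancy of element-based elicitation comes from; it is not the paper's interaction table.

```python
"""Element-based vs. interaction-based LINDDUN elicitation over a small DFD.

Added example, not code from the paper. The per-element template mapping is
LINDDUN's; the interaction rule (one threat per type per interaction, types
taken from the participating source, flow and destination) is an assumption.
"""
from collections import Counter
from dataclasses import dataclass

# L, I, N, D, DD, U, NC: Linkability, Identifiability, Non-repudiation,
# Detectability, Disclosure of information, Unawareness, Non-compliance
THREAT_TYPES = ("L", "I", "N", "D", "DD", "U", "NC")

# LINDDUN template mapping: threat types applicable per DFD element type.
TEMPLATE = {
    "entity": {"L", "I", "U"},
    "process": {"L", "I", "N", "D", "DD", "NC"},
    "data_store": {"L", "I", "N", "D", "DD", "NC"},
    "data_flow": {"L", "I", "N", "D", "DD", "NC"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "entity" | "process" | "data_store"


@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    destination: Element


def ordered(types):
    """Return the given threat types in canonical LINDDUN order."""
    return [t for t in THREAT_TYPES if t in types]


def element_based(elements, flows):
    """One threat per (DFD element, applicable threat type); flows count as elements."""
    threats = [(e.name, t) for e in elements for t in ordered(TEMPLATE[e.kind])]
    threats += [(f.name, t) for f in flows for t in ordered(TEMPLATE["data_flow"])]
    return threats


def interaction_based(flows):
    """One threat per (interaction, threat type).

    An interaction is (source, data flow, destination). A type is raised once
    for the interaction if it applies to any participant, so source, flow and
    destination never each get their own copy of e.g. Detectability
    (assumption used in this example, see module docstring).
    """
    threats = []
    for f in flows:
        label = f"{f.source.name} --{f.name}--> {f.destination.name}"
        types = TEMPLATE[f.source.kind] | TEMPLATE["data_flow"] | TEMPLATE[f.destination.kind]
        threats += [(label, t) for t in ordered(types)]
    return threats


def redundant_types(flow):
    """Threat types that element-based elicitation raises more than once for one interaction."""
    counts = Counter()
    for kind in (flow.source.kind, "data_flow", flow.destination.kind):
        counts.update(TEMPLATE[kind])
    return ordered({t for t, n in counts.items() if n > 1})


# Constructed DFD following the social-network example on the slides.
USER = Element("User", "entity")
PORTAL = Element("Portal", "process")
SERVICE = Element("Service", "process")
SN_DATA = Element("Social network data", "data_store")
ELEMENTS = [USER, PORTAL, SERVICE, SN_DATA]
FLOWS = [
    Flow("user data stream", USER, PORTAL),
    Flow("portal request", PORTAL, SERVICE),   # assumed flow name
    Flow("profile query", SERVICE, SN_DATA),   # assumed flow name
]


def summary(elements=ELEMENTS, flows=FLOWS):
    """Counts behind the '#interactions < #elements' comparison on slide 36."""
    return {
        "elements": len(elements) + len(flows),
        "interactions": len(flows),
        "element_based_threats": len(element_based(elements, flows)),
        "interaction_based_threats": len(interaction_based(flows)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
    for flow in FLOWS:
        print(f"{flow.name}: raised more than once element-based: {redundant_types(flow)}")
```

On this DFD the script reports 7 elements (4 nodes plus 3 flows) against 3 interactions, and 39 element-based threats against 19 interaction-based ones; for the User-Portal interaction it lists the six types that element-based elicitation raises two or three times (on the flow, the process and, for L and I, the entity as well). Fewer entries is not automatically better, which is the "less or more threats?" question on slide 36: the interaction entries carry more context and each needs to be analysed, so the effort-precision trade-off remains.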

  41-42. LINDDUN Examples
  › Full LINDDUN table of threats
  › Concrete examples

  43. LINDDUN Examples
  › A website (S) that returns an "incorrect password" error reveals that the account exists.
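Slide 43's example in code, as an added illustration that is not from the paper: a login handler whose error message distinguishes "unknown account" from "incorrect password" lets anyone test whether an account exists, next to a version that returns one message and does the same password-hashing work on both paths. The user store, salt, passwords and messages are constructed for the example.

```python
"""Detectability through login error messages (slide 43), added example.

A response that says 'incorrect password' confirms the account exists. The
hardened variant returns one message and hashes on both paths so the existence
of an account is not observable from the reply. User store and salt are
constructed for the example.
"""
import hashlib
import hmac

ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash). Fixed salt only for the example.
_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential used when the account does not exist, so the hardened path
# performs the same hashing work instead of returning early.
_DUMMY = (_SALT, hash_password("not-a-real-password", _SALT))

UNIFORM_MESSAGE = "invalid username or password"


def login_leaky(username: str, password: str):
    """Vulnerable: the message (and the early return) reveals account existence."""
    if username not in USERS:
        return False, "unknown account"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "ok"
    return False, "incorrect password"


def login_uniform(username: str, password: str):
    """Hardened: same message and same work whether or not the account exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # Hash first, then check membership, so both paths do the PBKDF2 work.
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    ok = matches and username in USERS
    return ok, ("ok" if ok else UNIFORM_MESSAGE)


def distinguishable(login) -> bool:
    """True if the reply alone separates an existing account from a non-existing one."""
    existing = login("alice", "wrong-password")[1]
    missing = login("nobody", "wrong-password")[1]
    return existing != missing


if __name__ == "__main__":
    print("leaky handler reveals account existence:", distinguishable(login_leaky))
    print("uniform handler reveals account existence:", distinguishable(login_uniform))
```

A uniform message is only part of the fix: if the unknown-account path skips the hash computation, response time still separates the two cases, which is why the hardened handler hashes against a dummy credential. The same detectability check applies to any interaction that takes a username, such as registration or password reset, where "that account already exists" leaks the same fact.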

  44-47. Qualities
  › Expressivity
  › Elimination of inapplicable threat types
  › Finding undiscovered threats
  › Effort-precision trade-off

  48-51. Discussion
  › Semantics and ambiguities of privacy threats
  › Threat trees
  › Usage & tool support
  › Granularity for threat elicitation

  52-56. Conclusion
  › Element-based elicitation is sub-optimal
  › Interaction-based LINDDUN extension
  › Provide detailed LINDDUN interaction examples
  › Beyond interaction-based: to DFD patterns

  57. Questions? Thank you!

  58. Interaction-Based Privacy Threat Elicitation Laurens Sion, Kim Wuyts, Koen Yskout, Dimitri Van Landuyt, Wouter Joosen
