Presentation is loading. Please wait.

Presentation is loading. Please wait.

Socializing Attack/Defense Trees to Prevent Misuse

Published byBetty Patrick Modified over 6 years ago

Similar presentations

Presentation on theme: "Socializing Attack/Defense Trees to Prevent Misuse"— Presentation transcript:

1 Socializing Attack/Defense Trees to Prevent Misuse
Özgür Kafalı Postdoctoral Researcher

2 Security Threat Modeling
Attack/defense trees Misuse case diagrams

3 Current Approaches Informal Focus mainly on technical vulnerabilities
Written in natural language Cannot formalize how nodes relate to each other Focus mainly on technical vulnerabilities Less attention to human misuse Intentional or unintentional

4 Goals I fixed 100+ vulnerabilities today, great!
How many humans did you fix though? Enhance attack/defense trees with social factors to understand and prevent misuse Picture credit to

5 Towards Happy Little Attack/Defense Trees
Bob Ross on trees and their significance: Picture credit to “ “Trees don't grow even, they don't grow straight ... Just however it makes them happy”

6 How Prevalent are Misuses?
Investigated 1,600 breaches from HHS Common misuses: Improper disposal Incorrect s

7 HHS Breach Categories Vulnerabilities Misuses 44%

8 Are Policies Enough to Prevent Misuse?
HIPAA clause: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored Breach: failure to erase patient data on disposed photocopiers’ hard drives

9 How Good is HIPAA? very few Vulnerabilities Misuses

10 Normative Formalization
Commitments Authorizations Prohibitions

11 Representing Requirements
Parents are authorized to access minor’s medical records if they are legal representatives.

12 Representing Breaches
Breach: failure to erase patient data on disposed photocopiers’ hard drives Healthcare workers are committed to erasing any media that might contain sensitive patient data

13 Social Factors Norms regulate interactions of users
State who is accountable to whom, and for what Picture credit to

14 Normative Reasoning Having a normative model enables formal relations among norms Understand conflicts Pairwise comparison of norms Understand what desired security properties our threat models support

15 Normative Attack/Defense Trees
Asset Misuse Malware Phishing Norm Norm Violation Sanction Refine

16 Efforts to Improve Threat Models
Collaborative games for identification and risk based prioritization of vulnerabilities Protection Poker Elevation of Privilege

17 Norm Defense Game Strategy card game for security
Attacker and defender teams New elements: Accountability Forensics Logging Forensics Acc Logging

18 Evaluation Different game modes: experts, novices
Introduce random elements to simulate realistic scenarios Novelty: Outcome holds clues about security of the subject system

19 Benefits For us: More papers For you: Less misuse
For the greater good: raise awareness regarding social factors

20 Collaboration Investigation of breaches Game design and evaluation
Seeking breach reports from organizations Game design and evaluation Seeking players to be involved in our game Our approach will improve your threat models, or your money back!

Download ppt "Socializing Attack/Defense Trees to Prevent Misuse"

Similar presentations

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Confidentiality and HIPAA

Confidentiality and HIPAA
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
Informed Consent.

Informed Consent.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Security Controls – What Works

Security Controls – What Works
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
Steps to Compliance: Risk Assessment PRESENTED BY.

Steps to Compliance: Risk Assessment PRESENTED BY.
Whistleblower Protection Institution Overview of Georgian Legislation and international experience Maia Dvalishvili Deputy Head, Civil Service Bureau of.

Whistleblower Protection Institution Overview of Georgian Legislation and international experience Maia Dvalishvili Deputy Head, Civil Service Bureau of.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google