Published by Suzan Blake. Modified over 9 years ago.

Threat Analysis
Natalie Podrazik
February 27, 2006
CS 491V/691V

Natalie Podrazik – natalie2@umbc.edu

Overview
Definitions
Representation
Challenges
“The Unthinkable”
Strategies & Recommendations

Background
What is threat analysis?
  – Potential Attacks/Threats/Risks
  – Analysis
  – Countermeasures
  – Future Preparations
NIST’s “Introduction to Threat Analysis Workshop”, October 2005

Stakes
People
  – Voters
  – Candidates
  – Poll Workers
  – Political Groups
  – Developers
  – Board of Elections
  – Attackers
  – More...
Voting: A System of...
  – IT
  – American Politics
  – Duty
  – Trust
  – Inclusion
  – Safety
  – Process
  – Precedence
...if it works

Means of Representation
General tactic:
  – Identify possible attackers
  – Identify goals of attacker
  – Enumerate possible ways to achieve goals
  – Locate key system vulnerabilities
  – Create resolution plan

Attack Tree
Bruce Schneier, Dr. Dobb’s Journal, 1999:
  – Used to “model threats against computer systems”
Continual breaking down of goals and means to achieve them
Figures: Simple Example; Cost propagation; Multiple Costs

Attack Tree Evaluation
Creation
  – Refining over time
  – Realistic costs
Advantages
  – Identifies key security issues
  – Documenting plans of attack and likelihood
  – Knowing the system
Disadvantages
  – Amount of documentation
  – Can only ameliorate foreseen circumstances
  – Difficult to prioritize/quantize factors
Figure: Shortened version of an Attack Tree for the interception of a message sent with a PGP header.

Other Means of Representation
Threat Catalog – Doug Jones
  – Attacks -> vulnerabilities -> analysis of defense
  – Challenges: Organization, Technology, Identity, Scale of Attack
Fault Tree Analysis
  – Ensures product performance from software
  – Attempts to avoid single-point, catastrophic failures

Challenges
Vulnerabilities
  – System
  – Process
Variety of possible attacks
New Field: Systems Engineering
Attack Detection
Attack Resolution
-> too many dimensions to predict all possibilities, but we’ll try to name a few…

“The Unthinkable”, Part 1
1. Chain Voting
2. Votes On A Roll
3. The Disoriented Optical Scanner
4. When A Number 2 Pencil Is Not Enough
5. ...we found these poll workers where?

“The Unthinkable”, Part 2
6. This DRE “fell off the delivery truck”...
7. The Disoriented Touch Screen
8. The Confusing Ballot (Florida 2000 Election)
9. Third Party “Whoopsies”
10. X-ray vision through walls of precinct

“The Unthinkable”, Part 3
11. “Oops” code
12. Do secure wireless connections exist?
13. I’d rather not have your help, thanks...
14. Trojan Horse
15. Replaceable firmware on Optical Scanners

“The Unthinkable”, Part 4
16. Unfinished vote = free vote for somebody else
17. “I think I know what they meant by...”
18. Group Conspiracy: “These machines are broken.”
19. “That’s weird. It’s a typo.”
20. Denial of Service Attack

My Ideas...
Write-in bomb threat, terrorist attack, backdoor code
Swapping of candidate boxes (developers) at last minute on touch-DRE; voters don’t know the difference
Children in the voting booth

Strategies & Recommendations
Create Fault Trees to counter Attack Tree goals using the components set forth in Brennan Study
Tamper Tape
Use of “independent expert security team”
  – Inspection
  – Assessment
  – Full Access
Use of “Red Team Exercises” on:
  – Hardware design
  – Hardware/Firmware configuration
  – Software Design
  – Software Configuration
  – Voting Procedures (not hardware or software, but people and process)

Conclusions
Attack Trees
  – Identify agents, scenarios, resources, system-wide flaws
Challenges: dimensions in system analysis
Unforeseen circumstances
Independent Team of Experts, but how expert can they be?

Works Cited
1. All 20 “The Unthinkable” scenarios available at: http://www.vote.nist.gov/threats/papers.htm
2. Goldbrick Gallery’s 25 Best Editorial Cartoons of 2004. Online: http://www.goldbrickgallery.com/bestof2004_2.html
3. Jones, Doug. “Threat Taxonomy Overview” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/Jonesthreattalk.pdf
4. Mell, Peter. “Handling IT System Threat Information” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/mellthreat.pdf
5. “Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights for Improving Reliability of Direct Recording Electronic Voting Systems”: http://www.brennancenter.org/programs/downloads/voting_systems_final_recommendations.pdf
6. Wack, John, and Skall, Mark. “Introduction to Threat Analysis Workshop” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/wackthreat.pdf
7. Wikipedia Entry for fault tree: http://en.wikipedia.org/wiki/Fault_tree

Attack Tree: Open Safe
The goal of the attacker here is to Open Safe. The means by which he/she accomplishes this is described by each subsequent box. The dotted lines denote the most likely possibilities.

Attack Tree: Likelihood by Cost
The goal of the attacker here is to Open Safe. The dollar amounts for each box are propagated from the leaf node(s) of each branch, making the most likely estimate along the dotted line, costing $10K to cut open the safe. Note that each parent-child relationship is an implied OR, unless explicitly noted, as in the Eavesdrop action.

Attack Tree: Multiple Factors
The goal of the attacker here is to Open Safe. Two factors are considered when calculating the most likely (efficient) approach an attacker would take: the use of special equipment and monetary cost to carry out the job. The dotted lines show the best plan of action.
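
The cost propagation and the two-factor evaluation described on the last two slides can be worked through in code. This is an added example, not part of the original presentation: OR nodes take the cheapest child, AND nodes sum their children, and a second pass excludes leaves that need special equipment. Only the $10K cost of cutting open the safe and the AND at Eavesdrop come from the slides; every other node name, dollar amount and equipment flag is a constructed sample value.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "OR" (the implied default) or "AND"
    cost: int = 0             # leaf cost in dollars
    special: bool = False     # leaf needs special equipment (assumed flag)
    children: list = field(default_factory=list)

def leaf(name, cost, special=False):
    return Node(name, "LEAF", cost, special)

def cheapest(node, allow_special=True):
    """Return (cost, leaves used) for the cheapest plan, or None if infeasible."""
    if node.kind == "LEAF":
        if node.special and not allow_special:
            return None
        return node.cost, [node.name]
    results = [cheapest(c, allow_special) for c in node.children]
    if node.kind == "AND":    # every child is required, so costs add up
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    feasible = [r for r in results if r is not None]
    # OR: the parent inherits the cheapest feasible child
    return min(feasible, key=lambda r: r[0]) if feasible else None

# Constructed sample tree; only "Cut Open Safe" = $10K and the AND under
# "Eavesdrop" are taken from the slides.
EAVESDROP = Node("Eavesdrop", "AND", children=[
    leaf("Listen to Conversation", 20_000, special=True),
    leaf("Get Target to State Combo", 40_000),
])
SAFE_TREE = Node("Open Safe", "OR", children=[
    leaf("Pick Lock", 30_000, special=True),
    Node("Learn Combo", "OR", children=[
        leaf("Find Written Combo", 75_000),
        Node("Get Combo From Target", "OR", children=[
            leaf("Threaten", 60_000), leaf("Blackmail", 100_000),
            EAVESDROP, leaf("Bribe", 20_000),
        ]),
    ]),
    leaf("Cut Open Safe", 10_000, special=True),
    leaf("Install Improperly", 100_000),
])

if __name__ == "__main__":
    print(cheapest(SAFE_TREE))                       # cost factor only
    print(cheapest(SAFE_TREE, allow_special=False))  # cost + no special equipment
```

Comparing the two results shows which branch a countermeasure has to make more expensive once the first one is closed off.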