1. Company LOGO http://cs.york.ac.uk/~xundong User Authentication Threat Modelling from User and Social Perspective “Defending the Weakest Link: Intrusion via Social Engineering” EPSRC Grant EP/D051819/1 All Hands Meeting Edinburgh 2008 Xun Dong （ xundong@cs.york.ac.uk ）, John A. Clark and Jeremy L. Jacob University of York

2. Company LOGO http://www.cs.york.ac.uk/~xundong Motivation: Attacking Trend Shift Grid users may become the focus of attack: –The technical barrier to hack the systems has been increased significantly; protection for users is less well developed. –Valuable information such as authentication credentials sought by attackers are possessed by users as well. –Many system designs do not help the general user to achieve security goals. Existing threat modelling techniques do not deal with users (though general purpose e.g. Microsoft’s TM, and various domain specific threat modelling techniques and models have been developed) The complexity of identifying user side vulnerabilities is significant, however, there is no method designers can rely on.

3. Company LOGO http://www.cs.york.ac.uk/~xundong Simple Attack Taxonomy Passive attacks: They do not require active victim involvement, often achieving their goal by analysing information available to attackers (e.g. that from public databases or websites, or even rubbish bin contents). Many are launched by insiders or people who have close relationships with the victims. Active attacks: They exploit the user’s difficulty in authenticating External Entities (EEs), requesting the user’s authentication credentials whilst posing as trustworthy parties. Typical examples are phishing and pharming attacks.

4. Company LOGO http://www.cs.york.ac.uk/~xundong Overview Threat Modelling Passive Attacks Identify AC Properties Check the Exposure Level Identify the Dependency Relationships Active Attacks Identify the Lifecycle of AC Identify the Impersonating Targets Entry Points Analysis

5. Company LOGO http://www.cs.york.ac.uk/~xundong Dependency Relationships The authentication systems may be designed and implemented independently, but the choices of the user authentication credentials may connect different systems into complex and unpredictable networks. Examples: Access to an secondary email account is used to recover/reset the password. Institutional photo ID such as student card is accepted as authentication credentials to prove one’s identity.

6. Company LOGO http://www.cs.york.ac.uk/~xundong Dependency Relationships Compromise of the security of the current authentication system: –The security of the current system is equal to the security of the weakest system reachable in the graph. –Obtaining authentication credentials to the weakest system propagates access back up the chain.

7. Company LOGO http://www.cs.york.ac.uk/~xundong Dependency Relationships Identify its existence by the properties of user authentication credentials: –users have access to; –assigned by third parties; Represent them in graph: –Three Components in the graph Node : represents a system Directed Edges: an edge from Node ‘A’ to Node ‘B’ means Node ‘A’ depends on Node ‘B’. Special symbol ‘R’ : Represent random systems, and edge towards R from Node ‘A’ means the system which A is depends on is unpredictable. –The start node of the graph is the system being designed.

8. Company LOGO http://www.cs.york.ac.uk/~xundong Impersonating Targets May be wider than the system being considered: the entities that the user has shared authentication credentials with; the entities that are entitled to request users’ authentication credentials or initiate user-to-EE authentication; and the entities that exist in the authentication dependency graph.

9. Company LOGO http://www.cs.york.ac.uk/~xundong Lifecycle of Authentication Credentials

10. Company LOGO http://www.cs.york.ac.uk/~xundong Attack Entry Points Active attacks can only obtain user’s authentication credentials when they are exchanged. By using the lifecycle analysts can identify in which states and in which transitions this occurs: 1.Synchronisation State; 2.Operation State; 3.State transition from operation to assignment; 4.State transition from operation to synchronisation; 5.State transition from suspension to assignment; 6.State transition from suspension to operation.

11. Company LOGO http://www.cs.york.ac.uk/~xundong Entry Points Analysis Reliability and Sufficiency of Authentication Information: The successful EE-to-user authentication users must have reliable and sufficient authentication credentials. Knowledge: Users need both technical and contextual knowledge to decide whether to release the credentials requested by an external entity. Assumptions: The security of EE-to-user authentication depends on the strength of the assumption on users can perform certain required actions correctly and consistently.

12. Company LOGO http://www.cs.york.ac.uk/~xundong Communication Channels (CC) Active attacks need to engage user victims on a communication channel, and the trust, expectation and perception constructed in communications could reduce users’ ability to authenticate the EE in the following authentication session. Analysts should identify and analyse the vulnerabilities within the CC with the same method as used in analysis for the attack entry points.

13. Company LOGO http://www.cs.york.ac.uk/~xundong Conclusion User–side threat modelling is as important as system–side threat modelling, but it is much less well studied. Our method is an initial effort towards developing a threat modelling method that can be used by system designers with moderate security knowledge. Your suggestions are appreciated. An extended version will be delivered at ICICS 2008: Birmingham 20-22 October 2008

14. Company LOGO http://www.cs.york.ac.uk/~xundong Questions & Answers If you have a system that would like us to study, we are very happy to hear from you! Defending the Weakest Link Intrusion via Social Engineering EPSRC Grant EP/D051819/1