ISOL 536 Security Architecture and Design
Threat Modeling Session 5a
“Privacy Threats”
Agenda
• Review STRIDE
• What is privacy?
• Harms
• The IETF’s Privacy Considerations
• Privacy Impact Assessments
• The Nymity Ratchet
• Contextual Integrity
• Reading: Chapter 6
STRIDE Review
     Attack                    Violates
S    Spoofing                  Authentication
T    Tampering                 Integrity
R    Repudiation               Non-Repudiation
I    Information Disclosure    Confidentiality
D    Denial-of-Service         Availability
E    Elevation of Privilege    Authorization
“Once you've lost your privacy, you realize you've lost an extremely valuable thing.”
Billy Graham
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
John Perry Barlow
What is Privacy?
• Lots of land with trees & bushes?
• Curtains or venetian blinds?
• Unlisted phone numbers, mailboxes?
• Swiss bank accounts?
What is Privacy? (II)
• Freedom from surveillance/NSA?
• Anonymity?
• Right to be left alone?
• “Do not track” in browsers?
• Well, none of these are really complete definitions of privacy, just parts of the whole
Privacy and Confidentiality
• Common terms in the legal and medical domains
• Often confused
• Worse yet, interchanged!!
• Don’t be fooled – they are different
• Information Security perspective
  – Subtle differences from commonly accepted meanings
  – It may change your approach to protecting data.
Back to basics
• Confidentiality is about the data
  – Access to data
  – Intention is to keep data secret
  – Allow access only to authorized users
• Privacy is about the individual
  – Access to the person (or organization)
  – Appropriate use of information
  – More than just access to data
  – Being free from public attention
  – Ability to be left alone.
Information Privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself.
Confidentiality is a tool for protecting privacy. Sensitive information is accorded a confidential status that mandates specific controls, including strict limitations on access and disclosure. These controls must be adhered to by those handling the information.
Security is all the safeguards in a computer-based information system. Security protects both the system and the information contained within it from unauthorized access and misuse, and accidental damage.
According to the National Information Infrastructure Advisory Council
Information privacy
• It’s all about the individual
• What information leaves your system?
  – Reports
  – Extracts / exports / exchanges
  – Query details / exposed parameters
• Can your data disclose secrets about an individual?
  – Not just raw data!
  – Status: personal / health / financial
  – Location / travel habits
  – Trends: changes in status.
Harms Approach to Privacy
• Dan Solove, George Washington University law professor
• Understanding Privacy (2008)
  – Presented privacy as a family of issues
  – Presented a taxonomy of harms
  – STRIDE-like set of privacy harms
  – Can be used as a basis for looking at a system
Solove’s Harms
• Identifier creation*
• Information collection
  – Surveillance, interrogation
• Information processing
  – Aggregation, identification, insecurity, secondary use, exclusion
• Information dissemination
  – Breach of confidentiality, disclosure, increased accessibility, blackmail, appropriation, distortion, [exposure]
• Invasion
  – Intrusion, decisional interference
* Shostack adds identifier creation in Threat Modeling, see discussion (page 112).
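The “aggregation” and “identification” harms above, and the earlier question of whether your exports disclose secrets that are not in the raw data, can be checked mechanically. The following is an added example (not from the slides or Solove’s book) on a constructed export with direct identifiers already removed; it reports which combinations of remaining fields single out a person and what sensitive value that exposes.

```python
"""Identifiability check on a report after direct identifiers are removed.

Added example, not from the slides. The records are constructed. It shows
Solove's aggregation and identification harms (LINDDUN's linkability and
identifiability): fields harmless on their own can single out one person in
combination, and then disclose that person's sensitive status.
"""
from collections import Counter
from itertools import combinations

# Constructed export: names and student IDs were stripped before release.
EXPORT = [
    {"zip": "20052", "birth_year": 1999, "sex": "F", "dept": "CS", "status": "probation"},
    {"zip": "20052", "birth_year": 1999, "sex": "M", "dept": "CS", "status": "good"},
    {"zip": "20052", "birth_year": 1998, "sex": "F", "dept": "EE", "status": "good"},
    {"zip": "20037", "birth_year": 1999, "sex": "F", "dept": "EE", "status": "good"},
    {"zip": "20037", "birth_year": 1998, "sex": "M", "dept": "CS", "status": "good"},
    {"zip": "20037", "birth_year": 1999, "sex": "M", "dept": "EE", "status": "good"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex", "dept")


def group_sizes(records, fields):
    """How many records share each combination of values of `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_group(records, fields):
    """k for this field set: k == 1 means at least one person is singled out."""
    return min(group_sizes(records, fields).values())


def singling_out_combos(records, fields, max_size=None):
    """Subsets of the quasi-identifiers (up to max_size) that single someone out."""
    max_size = max_size or len(fields)
    return [c for n in range(1, max_size + 1) for c in combinations(fields, n)
            if smallest_group(records, c) == 1]


def revealed_secrets(records, fields, sensitive):
    """Sensitive values the export discloses for uniquely identifiable records."""
    sizes = group_sizes(records, fields)
    return [(tuple(r[f] for f in fields), r[sensitive]) for r in records
            if sizes[tuple(r[f] for f in fields)] == 1]
```

No single field singles anyone out in this export, but zip code plus birth year already does, and the status column then becomes a disclosure about one identifiable student.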
IETF Privacy Considerations
• Set of threats that each new protocol should consider
• Likely to change rapidly in post-Snowden world
• Combined security/privacy threats
  – Surveillance, stored data compromise, misattribution
• Privacy threats
  – Correlation, identification, secondary use, disclosure, exclusion (unawareness)
Privacy Impact Assessments
• A privacy analog to security threat modeling
  – Usually presented as an end-to-end process
• Often more social than technical
• Can be very complementary
• Typical table of contents:
  – Description of the project
  – Description of the data flows [!]
  – Analysis against “the” information privacy principles
  – Analysis against other aspects of privacy
  – Analysis of privacy controls
  – Findings and recommendations
Nymity Slider
• Nymity: “the amount of information about the identity of participants that is revealed in a transaction”
• Closely related to linkability
• Nymity slider used to measure system transactions for privacy leakage
• Easy to move left, hard to move right
• Measure your system, don’t move accidentally
Contextual Integrity
• Helen Nissenbaum’s Privacy in Context (2009)
• A context is an anthropological term for a “sphere of life” such as “school” or “work”
  – Can be more specific: “This university’s CS department expects…” is a context
• A context has roles, activities, norms and values associated with it (usually implicitly)
• Can be used to understand or predict privacy concerns
Augmented Contextual Integrity
• Simply:
1. *Describe the new practice in information flows*
2. Identify the prevailing context
3. *Identify information subjects, senders, & recipients*
4. *Identify transmission principles*
5. Locate applicable norms, identify significant changes
6. Prima facie assessment
7. Evaluation: moral & political, threats to autonomy/freedom, power structures, fairness, justice, equality, etc.
8. Evaluation 2: Does the new practice directly impinge on the values and goals of the context?
9. Decide
• * Starred elements look a lot like other threat modeling
• Can be a lot of work in each step
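The starred steps (1, 3, 4) and steps 5 and 6 can be written down as data and checked. The following is an added example (not from the slides or Nissenbaum’s text): each information flow is a constructed five-tuple of sender, recipient, subject, attribute and transmission principle, the context’s prevailing norms are a constructed list of permitted flows, and the code reports which flows of a new practice break a norm and which element changed.

```python
"""Contextual-integrity check of a proposed information practice.

Added example, not from the slides or Nissenbaum's text. It encodes steps 1,
3, 4, 5 and 6 of the augmented contextual integrity procedure: each flow is a
constructed tuple (sender, recipient, subject, attribute, transmission
principle), and the context's prevailing norms are written as allowed flows.
"""
from dataclasses import dataclass, astuple

FIELDS = ("sender", "recipient", "subject", "attribute", "principle")


@dataclass(frozen=True)
class Flow:
    sender: str       # role that sends the information
    recipient: str    # role that receives it
    subject: str      # whose information it is
    attribute: str    # what kind of information
    principle: str    # transmission principle the flow is made under


# Steps 2 and 5: prevailing norms of a constructed "university CS department"
# context; "*" matches any value in that position.
NORMS = (
    Flow("student", "instructor", "student", "grade", "confidentiality"),
    Flow("instructor", "registrar", "student", "grade", "confidentiality"),
    Flow("student", "advisor", "student", "course-plan", "confidentiality"),
    Flow("instructor", "*", "student", "grade", "aggregated-only"),
)

# Steps 1, 3 and 4: the new practice, a constructed learning-analytics feature.
NEW_PRACTICE = [
    Flow("instructor", "registrar", "student", "grade", "confidentiality"),
    Flow("instructor", "analytics-vendor", "student", "grade", "aggregated-only"),
    Flow("instructor", "analytics-vendor", "student", "grade", "retained-indefinitely"),
    Flow("analytics-vendor", "recruiter", "student", "grade", "sold"),
]


def _permits(norm: Flow, flow: Flow) -> bool:
    return all(n in ("*", f) for n, f in zip(astuple(norm), astuple(flow)))


def norm_violations(practice, norms=NORMS):
    """Step 5: flows of the new practice that no prevailing norm permits."""
    return [f for f in practice if not any(_permits(n, f) for n in norms)]


def what_changed(flow: Flow, norms=NORMS):
    """Step 5: which elements differ from the closest prevailing norm."""
    closest = max(norms, key=lambda n: sum(a in ("*", b) for a, b in zip(astuple(n), astuple(flow))))
    return {name for name, a, b in zip(FIELDS, astuple(closest), astuple(flow)) if a not in ("*", b)}


def prima_facie(practice, norms=NORMS):
    """Step 6: (consistent with the context's norms?, breaches with the changed elements)."""
    breaches = norm_violations(practice, norms)
    return not breaches, [(f, sorted(what_changed(f, norms))) for f in breaches]
```

Sending grades to the vendor in aggregated form matches an existing norm; keeping them indefinitely is flagged with the transmission principle as the significant change, which is exactly what steps 7 to 9 then have to evaluate.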
LINDDUN
• Explicit mirror of STRIDE-per-element for privacy threat modeling
• New proposal, unusual terminology
• LINDDUN:
  – Linkability
  – Identifiability
  – Non-repudiation (vs. repudiation as a security threat)
  – Detectability
  – Disclosure of information
  – Content unawareness
  – Policy and consent non-compliance
Recap
• Privacy can be challenging compared to security
• High potential for things to go badly wrong
  – Ethically
  – Public relations
• Tools exist to help
  – Harms
  – The IETF’s Privacy Considerations
  – Privacy Impact Assessments
  – The Nymity Ratchet
  – Contextual Integrity