Threat modeling of Enterprise Content Management Systems


Information Sciences Master Thesis

Author: Nick Peterman

University: Vrije Universiteit Amsterdam, De Boelelaan 1081a, HV Amsterdam
Faculty: Faculty of Science
Supervisor: Thomas Quillinan
Second Reader: Bruno Crispo

Host company: Unisys B.V. Netherlands, Tupolevlaan, 1119 NW Schiphol-Rijk
Department: High Performance Center
Supervisor: Patricia Koppers, Ad Laarhoven

Preface

For the study of Information Sciences at the Vrije Universiteit Amsterdam a student is required to write a master thesis based on a research project. These projects regularly take around 6 months, after which the study is completed. The research project can be done internally at the University or externally at a company of choice. I have chosen to do the research project externally at Unisys Netherlands. During this internship I have conducted research regarding the threats an Enterprise Content Management System carries with it. These threats will be listed and graphically displayed using the Attack Tree model. At Unisys Netherlands I resided at the Business Centre located at Schiphol-Rijk in the Netherlands. I would like to thank my supervisor at the Vrije Universiteit Amsterdam, Thomas Quillinan, for guiding this project, his ideas, his countless comments on my writing and also for providing a listening ear when needed. The sheer optimism at every meeting of "I think you are doing fine" or "other than that, I think you are doing great" has kept me believing I could finish the project and deliver this dissertation. I would also like to thank my supervisor at Unisys B.V. Netherlands, Patricia Koppers, for her guidance during the project, for her efforts to involve me with the ongoing affairs within Unisys and for her enthusiasm every time she gave me a ride home from work. Furthermore, I would like to thank Brahim Haji, Osama Debana, Peter Rietmeijer and Ad Laarhoven for their advice, support and company within the corporation. Finally, I would like to thank everybody else that has supported me over the last couple of months for their advice and their encouragement to keep me working on this project.

Nick Peterman

Abstract

Enterprise Content Management (ECM) systems are used to store and distribute digital content in companies. This digital content consists of different kinds of documents. They are related to organizational processes and can be critical for business processes. ECM systems consist of different modules; each of these modules has its own purpose and focuses on different tasks. ECM systems are designed to archive and control correspondence of documents within corporations. They can be used to store documents centrally, and these can be accessed by others at the other side of the world. This helps employees communicate and it also helps align business processes, because cooperation is made easier or even automated. ECM systems also help secure electronic documents: within the system it can be determined who does or does not have access or certain privileges. ECM systems have many advantages, such as workflow management, increased availability of documents and secured storage of these documents, but they also bring new threats and vulnerabilities to the company and their documents. To date these threats have not been thoroughly analyzed, and therefore the process of analyzing and repairing the threats must be repeated for every project and/or company. The pitfalls many companies face may have already been solved by others. A framework needs to be developed that can be used as a guide for new implementations of ECM systems; this can help developers create better systems. This dissertation describes and illustrates an approach for documenting the attack information for Enterprise Content Management systems. The research results provide an overview of the threats and vulnerabilities that emerge in ECM systems. The threats were measured according to their probability and the damage they would cause. The results are displayed as Attack Trees. Attack Trees are designed to graphically display threats. These trees are then used to evaluate and value the threats according to their probability or the damage they could cause. This can be used by security analysts to document and identify regularly occurring security flaws within these systems. Such an analysis allows security professionals to address these recurring flaws and, thus, create more survivable systems.

Table of Contents

Preface ... 2
Abstract
1 Introduction
1.1 Problem statement
1.2 Research questions
1.3 Unisys
1.4 Research design
2 Theoretical Framework
2.1 Enterprise Content Management
History of Document Management systems
ECM Architecture
Security within ECM
2.2 Security
Security levels
The security life-cycle
2.3 Risk Management
Risk analysis
Managing Risk
2.4 Defining Trust
Modeling threats
Discovering Threats
Attacker Profiles
Confidentiality of documents within an ECM system
Availability of documents within an ECM system
Integrity of documents within an ECM system
Case Study
Classification of Threats
Classification of Confidentiality Attack Tree Threats
Confidentiality Attack Tree
Classification of Availability Attack Tree Threats
Availability Attack Tree
Classification of Integrity Attack Tree Threats
Integrity Attack Tree ... 47

7 Conclusion
Summary
Results
Discussion
Future Work
Bibliography
Appendix A Interview Results
Participant A
Participant B
Participant C
Workshop Results ... 69

1 Introduction

Enterprise Content Management (ECM) systems are designed to archive and control correspondence of documents within corporations. They can be used to store documents centrally, and these can be accessed from all over the world. Such systems help employees communicate and also help align business processes, as cooperation is made easier or may even be automated. ECM systems also help secure electronic documents: within the system it can be determined who does, or does not, have access or certain privileges. An Enterprise Content Management system's most important asset is the content. In order to preserve this asset, steps must be taken to protect the data. ECM is a computer system that involves technologies and services used to capture, store, preserve and deliver unstructured digital content or important documents. If the content becomes compromised, the repercussions can be enormous; in some cases the continuity of the company could be at stake. Therefore, it is important that the confidentiality, availability and integrity of this data are guaranteed. In order to make such guarantees, the threats and vulnerabilities within such a system have to be determined. These risks can be classified so that the company can determine where countermeasures must be taken.

This dissertation illustrates an approach for documenting the attack information for Enterprise Content Management systems. The results are displayed as Attack Trees. These trees give an overview of the threats and vulnerabilities that emerge in ECM systems. This information is then used to evaluate these threats. Using these trees, security analysts are able to document and identify regularly occurring security flaws within these systems and help address them.

Risk analysis is a broad topic with a large body of existing work. However, to date no conclusive risk classification method has been developed (1) (2). One of the methods, proposed by Bruce Schneier (3) and also implemented by others, is Attack Trees (4) (5). Combining Attack Trees and ECM systems has not been tried before. Discovering all threats within ECM systems is an important issue on its own. Individual threats have been researched, but not in the systematic manner that is presented in this study. Furthermore, the combination with Attack Trees allows a more graphical and user-friendly representation of these threats. The second part of this dissertation investigates the classification of the threats. This classification scheme has already been extensively researched. However, no conclusive method has yet been found. The method described in this thesis is a generic model that has been adapted to fit the ECM problem space. This model has been refined to better match the circumstances and the purposes of this dissertation (6) (7).
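As an added illustration that is not part of the thesis, the following Python model shows how an Attack Tree for an ECM document can be valued by probability and damage, giving the chance-times-cost figure that Section 2.3 calls the ALE, and which leaf a countermeasure should target first. The tree, its leaf probabilities, the damage figure and the combination rules (an AND node multiplies its children's probabilities; an OR node takes one minus the chance that every child fails, assuming independent leaf events) are all assumptions of this example, not results of the study.

```python
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List


@dataclass
class Node:
    """One node of an attack tree. A LEAF carries an estimated yearly
    probability of the event; AND/OR nodes derive theirs from their children."""
    name: str
    kind: str = "LEAF"                         # "LEAF", "AND" or "OR"
    probability: float = 0.0                   # used for leaves only
    children: List["Node"] = field(default_factory=list)


def goal_probability(node: Node) -> float:
    """Chance that the (sub)goal is reached within the year.

    Assumption of this example: leaf events are independent. An AND node
    needs every child (product of probabilities); an OR node needs at
    least one child (1 minus the chance that all of them fail).
    """
    if node.kind == "LEAF":
        return node.probability
    ps = [goal_probability(c) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown node kind {node.kind!r}")


def ale(root: Node, damage: float) -> float:
    """Annualized Loss Expectation of the root goal: chance * cost,
    where 'damage' is the loss if the goal is reached."""
    return goal_probability(root) * damage


def leaves(node: Node) -> List[Node]:
    """All leaf nodes below (or equal to) 'node', in tree order."""
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def countermeasure_value(root: Node, damage: float) -> Dict[str, float]:
    """For every leaf, the ALE reduction if a countermeasure removed that
    threat completely (probability 0). This is the 'changing probability'
    form of mitigation; a larger value means a better place to invest first."""
    base = ale(root, damage)
    values: Dict[str, float] = {}
    for leaf in leaves(root):
        saved = leaf.probability
        leaf.probability = 0.0
        values[leaf.name] = base - ale(root, damage)
        leaf.probability = saved               # restore the tree unchanged
    return values


def ecm_confidentiality_tree() -> Node:
    """Constructed example tree for the goal 'a confidential document is read
    by an unauthorized party'. The leaves paraphrase risks named in the thesis;
    the probabilities are illustrative placeholders, not measured figures."""
    return Node("Confidential document disclosed", "OR", children=[
        Node("Document taken home and lost in transit", probability=0.15),
        Node("Unauthorized remote access to the repository", "AND", children=[
            Node("Account password guessed or reused", probability=0.20),
            Node("No second authentication factor required", probability=0.50),
        ]),
        Node("Authorized employee passes document on improperly", probability=0.05),
    ])


if __name__ == "__main__":
    tree = ecm_confidentiality_tree()
    damage = 100_000.0                         # assumed loss if the goal is reached
    print(f"P(goal) = {goal_probability(tree):.4f}, ALE = {ale(tree, damage):,.0f}")
    for name, value in sorted(countermeasure_value(tree, damage).items(),
                              key=lambda kv: -kv[1]):
        print(f"  remove '{name}': ALE drops by {value:,.0f}")
```

With these placeholder values the single "lost in transit" leaf outweighs the whole remote-access AND branch, which is the kind of comparison the trees are meant to make visible before a company decides where to spend on countermeasures.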

1.1 Problem statement

Information has become one of the most important factors in today's society; some even call our society the Information Society (8). The world has also become increasingly dependent on this information flow (9). Companies have followed this trend. It is becoming increasingly common that employees work from home. They connect to the company, check their e-mail and work on their documents remotely. Working at home brings the issue of securing the documents to the forefront. Articles regularly appear in newspapers concerning someone losing privacy-sensitive documents in the train or a taxi (10) (11) (12). These documents are taken home by employees. If employees want to work at home they often have to take documents with them, exposing them to the dangers of the outside world rather than keeping them within the secured environment of the company. Companies have started to place their documents online so that employees can access them from all over the world and no longer need to take them home. This generates a lot of data traffic as, in companies, about 80% of their knowledge is within unstructured documents (13) (14), and the total amount of data is doubling every 14 months on average (14). These documents must first be properly structured, so that employees can find the appropriate documents online and work on them. An emerging solution for this problem is Enterprise Content Management (ECM) systems (15). These systems reduce a large deal of a company's paperwork, and documents are organized more efficiently so that employees have easier access to them. These ECM systems have many advantages but also bring new threats and vulnerabilities to the company and the documents. Research in the area of ECM systems is very extensive: there is a large number of papers relating to these systems and their implementations (16) (17) (18) (19) (20) (15) (21). There is, however, a lack of research regarding the security issues of these systems.

The basic premise of this thesis is: What are the threats that emerge in Enterprise Content Management systems and how can these be modeled?

1.2 Research questions

In order to address the problem, fully understanding the concept of threats is required. It is important to understand what a threat is, and where threats come from. Therefore the first research question is: What makes a threat a threat?

If it is known what a threat is, a list of these threats can be created. Such a list can give a good overview and can be used for further research. Therefore the second research question is: What threats are there? Knowing the threats is only the first step; what these threats mean for a company, what damage they could cause and how likely they are to happen are also very important topics. Therefore, the third and fourth research questions are: How do these threats affect a company? and What effect do these threats have on the business processes? Finally, these results will be used to create a framework or a model to present the threats. This leads us to the final research question: How can these threats best be divided according to their characteristics?

1.3 Unisys

The research is conducted at Unisys Netherlands in Schiphol-Rijk at the Business Centre department. Unisys' history dates back to 1873, when the first commercially viable typewriter was introduced by E. Remington & Sons. The Burroughs Adding Machine Co was founded in 1905, and the Sperry Gyroscope Co was founded in . In 1955 Sperry and Remington Rand merged to form Sperry Rand, and in 1986 Burroughs and Sperry merged to form Unisys Corporation. In 1992 Unisys formed a specific unit to deliver IT services, as opposed to hardware, and by 1994 services and solutions had become the company's largest revenue stream. In 2000 Unisys launched Integrated Payment Systems Ltd (ipsl), a joint venture with three UK banks. This has resulted in Unisys becoming one of the world's major providers of outsourced financial services. Also in 2000, Unisys set up Unisys Insurance Services Ltd. (UISL), which is a leading provider of administration services for insurance companies. Unisys is now structured as three business units, Global Industries, Global Outsourcing, and Systems and Technology; each national subsidiary has a subset of this structure. Unisys Netherlands is a small part of Unisys, with only approximately 600 employees and a revenue of 800 million in 1994, and is part of the Northern European department of Unisys (22) (23).

1.4 Research design

Regarding Enterprise Content Management systems, significant research has already been conducted. This research has, however, mainly focused on the implementation and the functionality of existing systems. Threats or vulnerabilities within ECM systems have been mostly neglected in research papers to date.

A literature review is presented in order to provide sufficient background knowledge about ECM systems and threats, as these are essential key factors in this research. The threat list was generated with the help of a workshop. The basic premise is that during this workshop the expertise of Unisys was used to generate the results. The main expertise required during this workshop was security and ECM. Verification of the threat lists and their impact on companies has been analyzed through interviews with experts in the fields.

2 Theoretical Framework

2.1 Enterprise Content Management

A substantial part of this research has involved researching Enterprise Content Management systems. Therefore it is important to get a good overview of what an ECM system is and of the basic components of ECM systems.

2.1.1 History of Document Management systems

After the internet emerged, the idea of an intranet arose. This is an internet-like environment within the enterprise (16). Since then the intranet market has only increased, from an estimated worth of $476 million in 1996 to more than $4 billion in 1997 (24). Intranets are nowadays a very common feature in companies. They are used to share knowledge, documents and other data throughout companies and between employees. This evolved into different document management systems, which were first released during the 1980s. ECM systems have emerged from these Electronic Document Management Systems. In the 1990s a lot of different products were available that acted as document management systems. For instance, the FileNet product allowed users to access any document from any desktop (25) and EMC's Symmetrix products aimed at intelligent storage. Towards the end of the 1990s, however, the call came for a more complete solution in one single product, rather than several applications. This complete solution came with the arrival of ECM systems in 2000/2001, as companies started selling their products as ECMS. Päivarinta & Munkvold (15) confirm that ECM systems are the successors of information resource management, electronic document management and knowledge management systems. The ECMSs combined these fields and turned them into a complete single-system solution. ECM systems integrate the different perspectives on information management in enterprises. These perspectives and concepts characterize ECM systems. The system has a total solution for life-cycle management to integrate all content, including: capturing content, storage/archiving, versioning, distribution, publishing, retrieval and retention. ECM systems strive to integrate all content structures, including the understanding of these models so they can be used for retrieval, regardless of the format used. They are especially adopted for enterprise-wide integration and take care of user access rights, workflow management and personalization. This also covers the process-based and resource-based organizational viewpoints of information management.

These tasks represent a large part of the company's infrastructure, from databases, through workflow applications and publishing opportunities, to integrated content search and taxonomy tools. This helps reduce duplicate jobs, and certain tasks and responsibilities can be combined (15). Nowadays Enterprise Content Management Systems are seen as a framework and a vision for a broad range of content management technologies. It is believed that the ECM market is worth around $2.3 billion in software and $7 billion in services (20). As ECM is still a fairly new field in information systems, there are a lot of different definitions available. The definition that is used in this thesis is: "Enterprise Content Management (ECM) is the strategies, methods and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes. ECM tools and strategies allow the management of an organization's unstructured information, wherever that information exists." (26)

2.1.2 ECM Architecture

The term Enterprise Content Management encompasses the framework that enterprises have for a broad range of content management technologies. There are different views on the components and their functionalities; however, in this dissertation the most common definitions will be used. The following are the most common core components:

Figure 1: Enterprise Content Management System, from (27)

The document management component: The main component for most ECM systems. This module is used for check-in/check-out, version control, security and library services for business documents. These library services consist of storing and retrieving documents. Documents can be retrieved using the stored meta-data or by doing a full-text search.

The document imaging component: This module is used for capturing, transforming and managing images of paper documents. A good example is a system that scans paper documents and stores these as images or converts them to editable text. This is mostly used in companies that want to eliminate their paper archives or speed up their business processes. Automatic handling of these documents can be a tremendous time-saver.

The records management component: This module is used for long-term archiving, automation of retention and compliance policies, and ensuring legal, regulatory and industry compliance. It tracks documents that are bound to special regulations. It keeps track of who created a document, who can alter it, when it can be altered, when it is final and when it should be deleted. This can be especially useful, for example, for legal documents or criminal records.

The workflow component: This module is used for supporting business processes, routing content, assigning work tasks and states, and creating audit trails. It does so by creating automated and obligatory routes for documents according to all kinds of restrictions. For example, an invoice appears in the system. It is sent to a monitoring department which checks the completeness of the invoice. Then it is sent to a department that checks whether the invoice actually corresponds to a purchase.

The web content management component: This module is used for managing and controlling a large, dynamic collection of Web material (HTML documents and their associated images). This is achieved through the use of specific management tools based on a core repository. It includes content creation functions, such as templating, workflow and change management, and content deployment functions that deliver prepackaged or on-demand content to Web servers.

The document-centric collaboration component: This module is used for document sharing and supporting project teams. It supports two or more people or companies that work together on a single project or document (19).

However, this does not cover everything there is to ECM. Some vendors have added extended technology components such as digital asset management. This component is used for rich media, electronic forms and for high-volume generation of documents (16) (21).

2.1.3 Security within ECM

Security within ECM is an important aspect: documents managed by the system must be secure. Companies can be legally compelled to store their documents securely and to access content for defined

periods. Security can help protect the company's image and decrease the chance of company trade secrets leaking to other companies. Security within ECM can be viewed from three different areas: people, processes and documents. Each of these areas poses a threat to the system and its integrity. All three areas also require a different approach in handling and preventing fraudulent actions.

People: In every company there are employees who work with documents and systems. As stated in numerous reports, people are the weakest link in companies and their security (28). In ECM systems, documents are stored in a central place, implying everyone within the company can view these documents. However, some people are not authorized to read some of these documents, as they could contain company trade secrets. If such documents fall into the wrong hands, major damage could be done to the company and its market position. People can try to alter documents to change information or data in their favor or to the loss of the company.

Processes: People can try to execute processes they are not entitled to use. These processes could harm the company's structure or its image. Business processes can require protection of index information on a document or dossier. Special roles and functions can create access to documents, reports and other information that other end-users are not allowed to look at.

Documents: In an ECM system documents can get different levels of protection (read/write, change, versioning, index change, delete, substitute, render, transfer, etc.). These various levels of protection must be kept during the life cycle of a document. In practice, enforcement of the security policy starts at the creation of a document and only ends at the deletion of the documents and records. However, an access control policy is not the only protection. Security also involves authenticity in an ECM project. This means: how can we secure documents in such a manner that at the end we can still trust the authenticity of a document? In ECM, documents can be scanned paper documents, combined with electronic forms and added to dossiers in which different versions of the documents, created during the execution of the process, could also be stored. It has to be certain that the various methods of protection of the documents and

their content are secure. If these documents cannot be protected, their authenticity is at stake and they will not be legally valid. The issues regarding document security can be divided into five different categories:

Document integrity: The document must be able to prove that it has not been modified in some way after it has been created and sealed.

Document origin authentication: The document has to contain some data to prove the identity of its creator and owner. This is useful for non-repudiation.

Document privacy: The document must be readable only by authorized users. This applies even if the document is stolen.

Document destination authentication: The document must contain information about its destination user. It has to keep track of the people who have been sent a copy of the document.

Secure remote document management: It has to be possible to manage the repository in which the document is stored from a remote location. This includes changing the rights on the document (29).

Securing documents can be achieved in many different ways. One of the most important and most used solutions is authentication. Authentication of entities is required in order to be able to access the documents. In this manner documents should not be viewed or altered by third parties. Authentication can be done in many different ways, and even a combination of forms can be used: for example, username and password, smart cards, or biometrics, which can be divided into iris scanning, fingerprint scanning and more. Secured delivery of electronic documents can be enforced by using a large number of different methods. Other approaches include digital signatures and watermarking, which can ensure a document is authentic. These methods rely on a scheme that checks the authenticity of the sender and receiver. If both are authenticated, the document will be sent (30).

2.2 Security

A large portion of this research, and accordingly of this thesis, is focused on security. Therefore it is important to create a baseline and specify certain definitions.

2.2.1 Security levels

Information Security is the creation and maintenance of a package of measures to guarantee the reliability (availability, integrity and confidentiality) of the information system (31).

Information assurance is based on these three core principles, which can be defined as follows:

Confidentiality is the prevention of unauthorized disclosure of sensitive information for data at rest, in transit or during transformation.

Integrity is the prevention of unauthorized modification, replacement, corruption or destruction of systems or information.

Availability is the prevention of disruption of service and productivity, addressing threats that could render systems inaccessible (32).

Information Security is an important aspect for companies, as securing important business assets can provide cost savings. It is essential to maintain competitive advantage, cash flow, profitability, legal compliance and the image of the company. Organizations can manage their security on three different levels:

Organizational level: security targets the organization as a whole. These security measures consist of written policies, procedures and guidelines. Laws and regulations are also part of this level of security. Companies must abide by these regulations and create policies that follow these rules. Organizational security rules form the basis of the logical and physical security measures, which are also manifestations of organizational rules.

Logical level: logical security is also called technical security, as software is used to monitor data, network access and the computer systems; for instance, passwords, firewalls and anti-virus systems. User privileges are also administered at this level. The function separation proposed at the organizational level is executed here.

Physical level: physical security measures control the environment of the workplace and the facilities, for example doors, locks and fire alarms. The separation of duties is also a physical security issue. For example, an employee who submits requests for reimbursements should not be able to authorize this payment, as this would lead to a conflict of interests.

2.2.2 The security life-cycle

Figure 2: Security life-cycle, from (33)

The security life-cycle is a method of representing a company, its threats and how it deals with them. Usually the cycle starts with a threat (Bedreiging) that leads to a disruption (Verstoring), which leads to damage (Schade). This leads to recovery (Herstel), which finishes the cycle until there is a new threat. The cycle is not complete with this, however: it also displays the reactions and measures one can take to prevent certain threats from happening or to keep the damage to a minimum. The measures can be divided along the steps in the cycle. There is a threat, but to stop this threat from happening, prevention measures (preventie) are added. There are two kinds of prevention measures, permanent and triggered. Permanent measures are, for example, locks on the door that keep burglars out. Triggered measures only work if the threat actually happens. An example of this is an uninterruptible power supply (UPS), which makes sure that when the power goes down machines keep running. If there is a disruption, this can be detected and certain actions can be taken, for instance by a virus scanner. This scanner is triggered when a virus enters the system and eliminates it. Detective measures are themselves not operational; they have to be triggered by some other measure. If the disruption does occur and damage is done, there are the repression measures. These are implemented to minimize the influence a disturbance has and to minimize the damage done. For example, using a second server: if the main server breaks down, the second one can take over the most critical applications. In this manner the company can continue to work. Finally, if damage is done, for example data is lost from a server, there is the recovery phase, including correction measures. These measures try to recover the objects damaged during an incident. A backup of a document server is maintained so that not all the data is lost during the incident.

This finalizes the security life-cycle and gives a good overview of how security works within companies and how threats are handled (33) (34).

2.3 Risk Management

The measuring and defining of threats is a typical task of risk management. In business terms, "a risk is the possibility of an event which would reduce the value of the business were it to occur" (35). Every risk has a cost: the cost of a risk is the chance of an event happening multiplied by the consequences of the event. The consequences of the event are the amount of reduction (in money) in business value if the event occurs. A frequently used formula is the ALE: Annualized Loss Expectation. It is the expected cumulative cost of risk over a period of one year, as estimated in advance:

Cost * chance = ALE

However, it must be noted that the actual cost is never the ALE; it is either 0, when the event does not occur, or the total cost. The purpose of risk management is to reduce the risks to a more acceptable level. Completely taking away these risks is not feasible and would simply cost too much. Risk management is a very wide activity that takes place everywhere in an organization (33).

2.3.1 Risk analysis

Risk management usually starts with a risk analysis. This analysis is used to determine the weak spots in a company and where the threats lie. There are several kinds of risk analysis, some of which are more concrete and complete than others. Most can, however, be used in conjunction.

1) Quick scan

The quick scan is a very fast and easy method of risk analysis. It consists of a large list of questions that focus on regular risks. This can be used to determine the strengths and weaknesses of a company quickly, and a company can see if some aspects of its security have been forgotten. Another benefit is that once the list has been created, it can be used again the next year or for another company. This saves time and work. However, this is also the largest problem of a quick scan: "one size does not fit all"; that is, not every company is the same and not every company has the same threats. It also is very beneficial for hackers if a list is used. If someone can get their hands on a list and it is used for every company, a hacker will immediately know where its strengths and weaknesses lie. Therefore, it has to be considered that a new list should be created every time the scan is executed.

2) Qualitative risk analysis

This analysis focuses on the expected risks and their corresponding losses. It consists of several different parts and analyses:

Dependency analysis: this analysis determines the importance of an Information System and the processes it supports. It also determines the importance of the supported process to the organization, and so it can determine what the damage will be if the Information System fails.

Configuration analysis: determines the objects that are part of the information system and the relations between these objects.

Vulnerability analysis: this analysis determines the vulnerability of every object to several threats and the amount of security these objects need.

Measure analysis: this analysis determines the security measures that are needed to protect the Information System against threats, in such a way that the risks that remain are acceptable to the organization.

3) Quantitative analysis

This analysis resembles qualitative analysis, but on important points (threats) a quantification is wanted. It uses the formula Risk = chance of damage * damage. For this formula it is important that all the data, the chances and the actual damage, is known. Here lies the problem within ICT: these figures are still unknown. As ICT is still a relatively new business and companies are not very open regarding their security issues, it is very hard to quantify security risks.

4) Baseline checklist

A baseline checklist is a checklist of security measures a company always has. This checklist is created within a company and implemented. Then every year this list is checked for completeness and for whether employees follow the baseline. The largest difference with a quick scan is that the baseline is created by the company itself, whereas a quick scan takes an external norm as a reference (33) (2).

2.3.2 Managing Risk

Risks can be managed in several different ways. The most common options will be briefly explained.

1) Liability Transfer

Liability transfer transfers liability to another party. This means that the company that built or owns something is no longer responsible for the costs if something happens to it. There are two common methods to transfer liability.
Disclaimer: A disclaimer is a document that states that the company is not responsible for the consequences of certain adverse events. This document, however, gives no specification of who is responsible.
Agreement: The business engages in an activity with a third party. This third party is responsible for the costs of the adverse events.

2) Indemnification

Indemnification means that a company will provide compensation if adverse events occur. This can be done in several different ways, but the two that are often used are:
Pooling schemes: several businesses share the costs of the risks, for example through insurance policies. If an adverse event occurs, the insurance company pays for the damage.
Hedging schemes: this is a gambling scheme; a single business places a bet on risks happening to a company. If they actually happen, the business pays the damage; if not, the company has to pay a fee to the other business.

3) Mitigation

Mitigation is a method of trying to reduce the expected costs of adverse events. Again there are several methods to do this.
Changing probability: focuses on decreasing the chance of an event occurring.
Changing consequences: focuses on decreasing the damage caused by the adverse event.

4) Retention

Retention simply means taking the costs. A company can set funds aside, i.e., save money as a buffer to pay for the expenses if the adverse event occurs. Alternatively, the company can simply absorb the costs if they actually arise (35).

2.4 Defining Trust

To get a clear idea of what threats emerge for Enterprise Content Management systems, we first need a clear idea of what exactly a threat is. There are a number of different definitions, but only a representative sample of three is discussed here. According to RiskInc.com (36), a threat is:

A threat is anything (man made or act of nature) that has the potential to cause harm.

Another definition comes from ISO (37):

Threat. A potential cause of an unwanted impact to a system or organization.

Searchsecurity.techtarget.com gives another definition (38):

Threat: someone uncovering a vulnerability and exploiting it. Vulnerability is in this case defined as a weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset.

All definitions are quite broad; they do not give any lead to actual threats or risks. This leads to the conclusion that threats come from such a great range of sources that it cannot be determined beforehand where a threat will come from or how it will occur.

Threat identification is a critical part of risk analysis. It is used to determine the threats and what countermeasures can be taken to prevent them from happening. There are different types of threats, because every situation and every company has different issues and systems, and thus different threats. For example, a military base mainframe does not face the same threats as the computer system the grocer on the corner uses. As listing all possible threats would simply take too much time and would not be practical, the threats emerging in Enterprise Content Management Systems are emphasized. According to (39), four main types of threats can be found:
Human errors: these are the most common, and also the hardest to prevent, threats to an organization's resources. Every user that can use the system can make mistakes, and each of these mistakes could prove disastrous for the company. Education can help improve the safety of the user environment, but ruling out mistakes entirely is impossible.
System failures: information systems consist of hardware, software and an appropriate architecture. Each of these components has its own varieties of failure points and could therefore pose a threat to the entire system.
Natural disasters: this type of disaster is the least predictable and also very location dependent. Which disasters occur, and during which time periods, varies per country. Disasters are very dangerous and can cause tremendous amounts of damage; there are, however, appropriate countermeasures available. It remains uncertain, however, whether these measures are worth the risk.
Malicious acts: this is the best-known threat to information systems. These acts are performed by groups or individuals against a certain target system. There are various acts known, but the most common ones are disabling the system and getting information out of the system.

A threat can also be divided into two parts, namely the source of the threat and the action that causes the threat. For example, for the threat of unauthorized access to the system, the source could be employees and the action that causes the threat is finding the password that allows access to the system, for example by searching for notes with these passwords that employees leave on their desks. This division can be used to better determine the issues and the flaws in the system: when there are a lot of sources but the action is highly unlikely, there is no real necessity to prevent the threat.

According to the CISSP school, a threat exploits a vulnerability, which leads to a risk. That can damage an asset, and that could cause exposure. This means that there was a vulnerability and it was exploited (38). By way of definition, a threat is simply a potential violation of the security of a system - an event that may have some negative impact. Vulnerabilities are actual security weaknesses or flaws that make a system susceptible to an attack. An attack is an exploitation of a vulnerability to realize a threat. Countermeasures are defensive architectural mechanisms used for mitigating system vulnerabilities.

3 Modeling threats

In order to model the threats that emerge in Enterprise Content Management systems, it is important to look at different threat modeling techniques. These methods could prove useful as a whole solution, or they could provide a handle for creating a more ideal model. We will go through several threat modeling methods, explain how they function and discuss their advantages and disadvantages.

Microsoft Threat Modeling Process

The threat modeling process developed by Microsoft consists of five iterative steps.
1) Identify security objectives: the application is divided into several categories for which the separate objectives can be determined.
2) Survey the application: the application design is analyzed, and the different components, data flows and trust boundaries have to be identified.
3) Decompose the application further to review all the components and modules that need a security review.
4) Identify all the threats.
5) Identify the vulnerabilities.

The Microsoft model uses a STRIDE/DREAD classification scheme for the different threats. STRIDE classifies threats by the exploits they use: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege. DREAD is a classification scheme for quantifying and organizing the amount of risk threats pose; it uses an algorithm with which the risks can be quantified. DREAD stands for: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability (40) (7).

AS/NZS 4360:2004 Risk Management

The Australian/New Zealand Standard AS/NZS 4360, first issued in 1999 and revised in 2004, is the world's first formal standard for documenting and managing risk, and is still one of the few formal standards for managing it. The five steps of the AS/NZS 4360 process are:
Establish context: establish the risk domain, i.e., what assets/systems are important?
Identify the risks: within the risk domain, what specific risks are apparent?
Analyze the risks: look at the risks and determine if there are any supporting controls in place.
Evaluate the risks: determine the residual risk.
Treat the risks: describe the method to treat the risks so that risks selected by the business will be mitigated.

AS/NZS 4360 assumes that risk will be managed by a special risk group, and that the organization will be able to identify, analyze and treat the risks correctly. AS/NZS 4360 works well as a risk management methodology for organizations requiring Sarbanes-Oxley (SOX) compliance. Sarbanes-Oxley is a United States federal law enacted in July. It introduced major changes to corporate governance and financial practice, in reaction to scandals within large US corporations (Enron, WorldCom). It is named after Senator Paul Sarbanes and Representative Michael Oxley (41) (42). In Australia, using this methodology is a requirement. However, AS/NZS 4360 is not perfect, as it is a generic framework for managing risk. It does not provide a structured methodology to look at application security risks. It is better suited to business or systematic risks than to technical risks, and it does not define a methodology to perform a structured modeling exercise (40) (43).

Common Vulnerability Scoring System (CVSS)

The US Department of Homeland Security (DHS) established the NIAC Vulnerability Disclosure Working Group, which incorporates input from Cisco Systems, Symantec, ISS, Qualys, Microsoft, CERT/CC and eBay. One of the group's outputs is the CVSS. One of the largest advantages of CVSS is that it is a well documented and well described methodology. Tables allow users to calculate risks entirely and help them make decisions. The disadvantages include that it is very time-consuming and complex: large tables need to be worked through if a lot of risks are determined. It does not focus on finding or reducing the risks; it is merely a scoring system (40) (44).

OCTAVE

OCTAVE is a heavyweight risk methodology approach originating from Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with Carnegie Mellon University's Computer Emergency Response Team (CERT) (45). OCTAVE focuses on organizational risk, not technical risk. OCTAVE comes in two versions: Full OCTAVE, for large organizations, and OCTAVE-S for small organizations, both of which have specific catalogs of practices, profiles and worksheets to document the modeling outcomes. OCTAVE is popular with many sites and is useful when documenting and measuring the overall IT security risk becomes necessary. It also accommodates a fundamental reorganization, such as when a new robust risk management methodology needs to be put in place. OCTAVE, however, is a very large and complex methodology. It consists of 18 different volumes with many worksheets and practices to implement. There is also very little literature available outside of the CERT website. Moreover, it fails to take threat risk modeling into consideration, which is necessary and part of this research (40) (46).

Goal oriented threat modeling

Goal oriented threat modeling focuses on a threat analysis procedure to aid decision making during security requirements analysis: security threats are analyzed during requirements analysis. Security goals are represented as softgoals which need to be satisficed. This means that goals focus on adequacy instead of an optimal solution; that is, the softgoals need to be satisfied and suffice. Children have to be fulfilled in order to contribute to their parents. These are recorded in Softgoal Interdependency Graphs. Under the softgoals, the operationalizing softgoals are shown. These are refinements of the softgoals and are capable of satisficing them. N-Softgoals are negative softgoals and are inverse contributions to the softgoals: they are goals that a possible adversary/attacker is perceived to have against a system. This method mainly focuses on solutions to threats and vulnerabilities. Also, when used for larger systems, the diagrams could become extremely large and incomprehensible (47).

Attack Trees

Attack trees are relatives of Threat Trees, which in turn are closely related to Fault Trees. Fault tree analysis is a failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events. Attack Trees were introduced by Bruce Schneier (3) and are a methodology for categorizing and organizing the ways an organization can be attacked. The trees can be of great value to the security community because of their graphical and structured appearance. A tree consists of three parts: the root, the nodes and the leaves. The root is the goal an attack/threat has, for instance "open a safe". The nodes represent the steps that need to be taken to achieve the goal; to stick with the example of opening the safe, "pick the lock". The leaves are attacks that can no longer be refined, for example "threaten the owner to obtain the combination of the safe". Trees have different kinds of connections and choices, represented by AND and OR connections. An AND connection represents events or sub-goals that all have to occur for the parent to succeed. For example, if you want to hear the combination of the safe, you have to talk to the owner AND get him to tell the combination; both events have to happen or you cannot find out the combination. OR connections are independent of one another and can be chosen freely. For example, if you want to open the safe, you can either pick the lock or get the combination.

Figure 3: Open Safe Attack Tree from (48).

Every node and leaf can have values assigned to it, ranging from words to Boolean values. These values are used to make calculations regarding the possibility or plausibility of certain attacks or threats. Using these values it can be determined which attacks are most likely to occur and what the greatest threats to the company are. This information can be used to improve the security policy or to determine certain countermeasures. The values in the nodes can be adjusted according to the threats you expect to face. If a company believes it will encounter large crime syndicates, the attack values will differ greatly from the values based on bored students: in the first case the amount of money available for the attacks is far greater, and the damage done can be far greater. The students will likely not be able to pose a real threat and greatly damage the company (3).

The creation of an Attack Tree is as follows:
1: Identify the possible attack goals. Each goal forms a separate tree. Then try to think of all the attacks against this one goal, add them to the tree, and repeat this until you can think of no more attacks.
2: Add the values to all the attacks and the nodes.
3: Review the tree.

This tree can now be used to make security decisions. By examining the values a company can determine which goals are vulnerable to attack (3) (4) (5) (49) (50).
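As an added example (not code from this thesis or from Schneier), the following Python evaluates an AND/OR attack tree with the structure of the open safe tree of Figure 3. Each leaf carries a Boolean possible/impossible value and an attacker cost, and the functions propagate both to the root to find the cheapest feasible attack; the I/P marks and cost figures are constructed for illustration and are not the values of the original figure.

```python
"""AND/OR attack tree evaluation in the style of the "open safe" tree.

Every leaf carries two of the value kinds the text mentions: a Boolean
(P = possible, I = impossible) and an attacker cost. Evaluation propagates
both to the root: an AND node is possible only if all children are and costs
their sum; an OR node is possible if any child is and costs its cheapest child.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"       # "LEAF", "AND" or "OR"
    possible: bool = True    # leaf value: can the attacker do this at all?
    cost: float = 0.0        # leaf value: attacker cost (constructed units)
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, possible: bool, cost: float) -> Node:
    return Node(name, "LEAF", possible, cost)


def and_node(name: str, *children: Node) -> Node:
    return Node(name, "AND", children=list(children))


def or_node(name: str, *children: Node) -> Node:
    return Node(name, "OR", children=list(children))


def is_possible(node: Node) -> bool:
    """Boolean propagation: AND needs every child, OR needs at least one."""
    if node.kind == "LEAF":
        return node.possible
    results = [is_possible(c) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def cheapest_attack(node: Node) -> Optional[Tuple[float, List[str]]]:
    """(total cost, leaf attacks used) of the cheapest possible way to reach
    this node, or None if the node is impossible."""
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else None
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "AND":
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results),
                [step for r in results for step in r[1]])
    viable = [r for r in results if r is not None]
    return min(viable, key=lambda r: r[0]) if viable else None


def find(node: Node, name: str) -> Optional[Node]:
    """Locate a node by name so a single leaf can be re-rated."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def render(node: Node, depth: int = 0) -> str:
    """Indented text view with the I/P mark on every node."""
    mark = "P" if is_possible(node) else "I"
    label = f"{node.name} [{mark}]"
    if node.kind != "LEAF":
        label += f" ({node.kind})"
    lines = ["  " * depth + label]
    for child in node.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


# Structure of the "open safe" tree; the I/P marks and costs are constructed
# for illustration and are not the values of the original figure.
OPEN_SAFE = or_node(
    "open safe",
    leaf("pick lock", False, 30_000),
    or_node(
        "learn combination",
        leaf("find written combination", True, 1_000),
        or_node(
            "get combination from target",
            leaf("threaten", True, 5_000),
            leaf("blackmail", True, 50_000),
            and_node(
                "eavesdrop",
                leaf("listen to conversation", True, 2_000),
                leaf("get target to state combination", False, 40_000),
            ),
            leaf("bribe", True, 20_000),
        ),
    ),
    leaf("cut open safe", True, 10_000),
    leaf("install improperly", False, 100_000),
)

if __name__ == "__main__":
    print(render(OPEN_SAFE))
    print("cheapest attack:", cheapest_attack(OPEN_SAFE))
```

Re-rating a single leaf (for example when the expected attacker changes from a bored student to a crime syndicate) changes the marks and costs of every ancestor, which is what makes the tree useful for comparing attacker profiles.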

Conclusion

Once the different threat modeling methods were compared, it became apparent that all the methodologies have their benefits and also some downsides. The CVSS model focuses purely on working with numbers and not on solutions or the threats. OCTAVE seems too complex and large to use in this context, nor does it focus on the threats themselves, and it is therefore not an appropriate solution. AS/NZS 4360 does not focus on technical risks but merely on organizational risks; some threats in ECM systems are most likely technical in nature, so this method is not appropriate either. The goal oriented methodology is quite sophisticated but mostly focuses on the solutions and not on the threats themselves. It also becomes quite large and unorganized as the number of threats increases. The Attack Tree methodology seems to be the most appropriate method in this context: different targets can be determined, along with their possible attacks. The methodology can also be combined with another methodology, for instance the goal oriented methodology or the Microsoft Threat Modeling Process. This allows full optimization of the methodology to represent threats within ECM systems.

4 Discovering Threats

As a part of the case study, a workshop was organized, to which several experts with expertise in the area of ECM and security were invited. The threats were divided according to three main categories, namely Confidentiality, Integrity and Availability. These three categories have been chosen because they are considered the fundamental principles of information security (32).

4.1 Attacker Profiles

In order to get a good overview of the different types of attackers, Andersson (51) used four profiles from RL Barnard, Intrusion Detection Systems, Buttersworth (1988). These profiles have different interests and different resources, and these differences cause the attackers to focus on different possibilities. The profiles help to determine what attacks are possible and where the threats to a company lie, allowing a determination of whether certain countermeasures are feasible or not. The different profiles are:
Derek (D): unskilled opportunity criminal, looking for a low-risk opportunity to obtain funding. He may work as a cleaner and see a document open on a computer. He prints it and tries to sell it to a competitor.
Charlie (C): skilled, has experience from previous jobs and small documentation theft. Takes whatever he can get his hands on. He works for a company on certain projects/documents. He steals these and tries to sell them to the highest bidder.
Bruno (B): highly skilled, university degree in computer science. He may get an assignment from a rival company to try and steal documents, either with help from inside (like Charlie or Derek) or by breaking into the system himself. Can get funding from this rival company.
Abdurrahman (A): leader of a militant group, with military training, PhD support and sufficient funding. He may try to break into the system of the military of another country to steal secret information about their defenses. He may even use force to achieve his goals.

4.2 Confidentiality of documents within an ECM system

A substantial part of the security of an ECM system involves securing the stored documents. Therefore we are going to look at attacks that threaten these documents. First we will look at confidentiality: the confidentiality of a document is compromised when an unauthorized person reads a disclosed document.

Figure 4: The Confidentiality Attack Tree.

The confidentiality of documents is an important aspect of classified documents. Therefore this could be a primary target for attackers to compromise. The essential property of a classified document is that it is not read by an unauthorized person. That is why the first and main attack is "read document". The document can be read in many different ways. First, the attacker tries to find an already printed version of the document; this includes so-called dumpster diving (52). The attacker can open the document himself, but because ECM systems are equipped with password authorization by default, this password needs to be found first. The attacker can ask an involved employee for his or her password. The probability of this attack has been classified as low, as the chance that an employee will hand over his password is not likely. However, while Mitnick does not give any actual figures on how often it happens, he does provide plenty of examples to prove otherwise (53). The attacker can try common passwords; this attack has been classified as medium probable. Extensive research has shown that 25% of all passwords are on a list and therefore crackable (54). The attacker can often simply look for a post-it with the password written on it (55). The attacker can also try to obtain a password by using a key logger. This key logger needs to be installed on a certain machine first; then the program can collect and distribute the password. Installing a keylogger onto the target machine might seem troublesome, yet studies have shown that 9.9 million computers in the US are already infected (56). The attacker can try to watch the user type in his password. This can be done by looking over the shoulder of an employee or by using a camera previously installed in the perimeter (57).

Another method of opening and reading a document is asking an authorized employee to open the document. Reading a document does not only occur digitally; physical copies of documents may be found. Employees can be blackmailed or threatened to open documents. These attacks are very dependent on the employee and the means of the attacker. An attacker can look at an already opened document on a computer. This attack might seem trivial, but it is not likely that an opened document is also a highly classified document. The authorizations of documents may be accidentally set incorrectly. In ECM systems, the standard authorization during implementation is read/write for all. This is usually updated as soon as the system is used, but it does pose a security threat. It is also possible that an employee makes a mistake and sets the authorizations wrong. Searching documents in the system is an attack that merely focuses on typing in keywords and hoping that an interesting document comes up in the search results. The document can also be copied, either to an e-mail or to an external device. This allows the attacker to take the document outside of the system and read it at a later time.

4.3 Availability of documents within an ECM system

The availability of documents can be attacked in several ways. The main idea for an attacker is to ensure that a user is denied access to certain documents or to the entire system.

Figure 5: The Availability Attack Tree.

The first attack focuses on adjusting the rights a user has in the system. Users have rights so they can open or alter documents. If these are changed, employees who are normally authorized to view and work on certain documents can no longer view or alter them. To be able to alter the rights it is required to obtain access to the system and obtain the proper rights within this system. This access is acquired in the same way one gains access to break the confidentiality of a document, explained in the previous Attack Tree. The rights can be adjusted in several ways. The rights of the user can be altered, so that they no longer have access (or suddenly do) to certain documents. The rights of the documents can be altered, so that no-one (or everybody) can read them. Alternatively, all documents can be checked out. This means that all documents are in use and cannot be altered by other employees. If the attacker has access to the system, documents can be removed from the system. This can be done simply by deleting them.

The availability of the documents can also be attacked by altering the log-in procedure. The log-in module can be attacked in several different ways. The first is blocking employees' accounts by entering their password incorrectly 3 times. This disables their account and they need to get a new password from a system manager. If the attacker has access to the system, the usernames of employees can be adjusted, ensuring they are not able to log in normally. The same applies to altering an employee's password. Sabotaging an employee's account is an attack that focuses on the personal information of the employee: the attack focuses on changing the age, work-time or salary of the employee. The attacker can also alter the log-in parameters, for example the available log-in times. If the log-in times are adjusted to 30 seconds, the employee who logs in must log out every 30 seconds and cannot get any work done.

An attacker may also choose to bring down the portal that is accessible to valid users from their homes. If this portal is brought down, employees who want to access documents from home can no longer do so. The method used to bring down this portal is hacking the portal. Hacking is a collective term for several attacks or different hacks. Things that can be thought of are SQL-injection attacks (58), spoofing attacks (59) or a security exploit. Hacking can be done in too many different ways to feasibly mention them all in this dissertation. A hack typically focuses on using faults and bugs within the system. Another method to bring down the system is starting the backup system. During the start-up phase any changes to the regular system are discarded and documents are not available. The system can also be overloaded, either by hacking the system or by using a Denial of Service (DoS) attack. A DoS attack focuses on sending so many requests and packets to the system that it is no longer able to respond to regular requests and can no longer function properly (60). A power failure can also disable the system; causing one would require physical access to the system itself. The system can be crashed through a bug in the system. These bugs can be found accidentally or actually sought after. For most large systems several large bugs are known. These can often be found on the internet and abused by an attacker. Another method to cause the system to crash is by aiming for a sizing/overflow. This can be achieved by using a buffer overflow (61). Finally, the system can be destroyed entirely by using a bomb and destroying the entire system or building. This is a rigorous, yet effective, method.

4.4 Integrity of documents within an ECM system

The integrity of documents can be attacked in several different ways. The main idea for an attacker to break the integrity is to ensure that a document's content can no longer be verified or that the document (or its content) is no longer accessible.

Figure 6: The Integrity Attack Tree.

The first attack against the integrity is claiming that an altered copy of a document is actually the original document. This attack can be achieved by copying a document and altering it in a manner suitable for the attacker. The integrity of documents can be altered by changing documents. Changing documents can, of course, be achieved by simply editing a document. The ECM system, however, automatically records the changes made to documents, therefore it is always possible to retrieve the original document. This attack is, thus, not taken into account in this work.

Changing documents can also be achieved by using a system fault. This system fault can be induced by hacking the system (see the availability attack tree), by creating software that causes the fault, by searching the internet for a known fault, or by causing a power failure. These faults cause a document that is in use to be reset, and changes made are discarded. The integrity of documents can be broken when documents are removed. These documents can be removed from the system by simply deleting them. Alternatively, they can be removed directly from the server. Removing the documents from the server can be performed in several ways, for example removing the document from the database or removing the document from the fileserver. If the file is removed from the fileserver, the attacker can delete the files or remove the entire disk where the documents are stored. For all attacks, access to either the system or to the physical perimeter is required. This can be obtained in the same manner as in the confidentiality attack tree, which has already been discussed above.

34 5 Case Study To explain the model we will begin with an example that will show the details and how to use the model. As an example we will use the Attack Tree that Bruce Schneier uses to explain the methodology (48) (see figure 3 in chapter 4).This Tree shows the goal open safe and several attacks to achieve this goal. The opening of the safe can be done in several ways, for starters, by picking the lock. Picking the lock of a safe is hard work and therefore not very probable. The safe can be cut open. This can be done with various tools and methods. Cutting the safe open with the right equipment is quite plausible, it is however very expensive to acquire the right equipment. The safe can also be opened by installing it improperly. This is a very unlikely attack and would require an enormous amount of planning. Finally the most likely method is to learn the combination of the safe. The combination can be found either by finding it written down on paper or by getting the combination directly from the target (the owner). Finding the paper written down is a probable attack, long figure combinations are not easy to remember and people tend to write these down in case they forget the combination. Getting the combination from the target can be done in several different ways. The first is to threaten the target; the chance of success for this attack varies per target and also the attacker. The same accounts for blackmailing and bribing the target. Finally the combination can be acquired from the target by eavesdropping. Eavesdropping consists of two separate attacks, namely Listening to the conversation and Getting the target to state the combination. These attacks both need to be fulfilled in order to succeed the Eavesdrop attack. The first part, listening to a conversation is very probable and can be done. The second, getting the target to state the combination, however, is much harder and very unlikely. Therefore this attack is improbable. 
(Note: the above examples are not based on any actual figures. The probability of the attacks is merely taken from Bruce Schneier's classification in the original diagram and its logic.)

To interpret the attacks possible against an ECM system fully, the attacks have to be rated and classified. The descriptions used above, probable and improbable, are too vague and need further specification. For this, the DREAD method developed by Microsoft will be used, in the form adjusted by Tom Olzak (6) with inspiration from David LeBlanc (7). In Microsoft's original the letters stand for Damage potential, Reproducibility, Exploitability, Affected users and Discoverability; this thesis relabels the R as Reliability, as shown in Table 1. Afterwards the different attacker profiles will be added to the table.

The DREAD table as provided by Microsoft and adjusted by Tom Olzak (6) did not entirely fit the attacks on ECM systems: the descriptions were either too vague or too specific. They have been altered to better-fitting descriptions. Also, the keyword Motivation has been added to the model. Motivation focuses on the attacker and the benefit an attack could provide. This is an important aspect of an attack, because the profit has to be weighed against the cost of performing the attack. For instance, stealing the credit card data of one person is easy and reproducible, but the gain is limited. Building a machine that can create new credit cards requires a high investment and is very difficult, but it is extremely profitable if it succeeds.

Nick Peterman 34

Table 1: The adjusted DREAD model with the explained keywords. Each factor is rated High, Medium/high, Medium/low or Low.

D - Damage potential
  High: Full disclosure of confidential documents, destruction of the integrity of all documents, or non-availability of all documents.
  Medium/high: A highly confidential document is made public, compromised or made unavailable.
  Medium/low: The confidentiality, integrity or availability of some specific documents is broken.
  Low: Trivial information or a confidential document is leaked, compromised or made unavailable.

R - Reliability
  High: The attack strikes every time the attacker tries it.
  Medium/high: The attack succeeds most of the time.
  Medium/low: The attack sometimes succeeds.
  Low: The attack only succeeds in very rare situations.

E - Exploitability (linked to the attacker profiles)
  High: A novice attacker can attack this vulnerability (Derek).
  Medium/high: A moderately skilled person can attack this vulnerability; knowledge is required (Charlie).
  Medium/low: A professional can attack this vulnerability (Bruno).
  Low: A team of professionals can attack this vulnerability (Abdurraham).

A - Affected users
  High: All users are affected.
  Medium/high: Some users are affected.
  Medium/low: Only one person is affected.
  Low: No users are affected.

D - Discoverability
  High: It is common knowledge that this vulnerability is available; it is left open for an attack.
  Medium/high: It is a common vulnerability and it has been shielded poorly.
  Medium/low: It is a common vulnerability that has been shielded properly.
  Low: It is an uncommon vulnerability and only people with full access who are looking for it can use it.

M - Motivation
  High: The attack is easy to perform, easy to reproduce and has a high result (profitability).
  Medium/high: The attack is easy to perform, easy to reproduce and has low results.
  Medium/low: The attack is hard to perform, easy to reproduce and has low results.
  Low: The attack is hard to perform and to reproduce, and it does not create high results (profitability).

The risk calculation is divided into probability and business impact. Probability is composed of Reliability, Exploitability and Discoverability; Business Impact is composed of Damage Potential and Affected Users. The total risk score is a weighted average of all the factors: every factor is multiplied by its weight, the products are added, and the total is divided by 6, which gives the risk factor per attack. For this case study the weights have been set to reliability x 1, discoverability x 0.5 and motivation x 2, with w_E, w_A and w_D denoting the weights chosen for exploitability, affected users and damage potential:

  risk = (1 x reliability + w_E x exploitability + 0.5 x discoverability + w_A x affected users + w_D x damage potential + 2 x motivation) / 6

For every situation these weights can be adjusted. Using weights ensures that for every attack or situation the most important factor can be highlighted, which helps ensure that the risks are classified appropriately. For this case study the weights were chosen by empirical testing and analysis: the results were verified, altered and re-examined, which eventually led to the weights shown. The weights also reflect the view that some factors are of less importance than others. For example, Discoverability and the number of Affected Users are arguably less important for an attack than Motivation, while Damage Potential and Motivation are weighted more heavily because they were deemed more important in this situation. These are, however, subjective decisions based on expertise rather than on scientific results.
The exploitability is also linked to the attacker profiles explained earlier. This helps determine who could perform the attack and how likely it is that a certain attack is performed. The profiles can also help determine the possible attackers of an organization.

If an attack is an AND-node, the score of the attack is determined by averaging the ratings of its children. If an attack is an OR-node, the score of the attack is the rating of its highest-rated child.

Risk Calculation: Open Safe. The columns of the original table are Probability (Reliability, Exploitability, Discoverability), Business Impact (Affected Users, Damage potential), Motivation and Risk.

Attack | How the score is obtained
1. Open Safe | OR-node: take the highest of the children
1.1. Pick the lock | rated directly
1.2. Learn the combination | OR-node: take the highest of the children, which is Find written combination
  Find written combination | rated directly
  Get combination from target | OR-node: take the highest of the children
    Threaten | rated directly
    Blackmail | rated directly
    Eavesdrop | AND-node: take the average of the children, Listen to conversation and Get target to state combination
      Listen to conversation | rated directly
      Get target to state combination | rated directly
    Bribe | rated directly
1.3. Cut the safe open | rated directly
1.4. Install improperly | rated directly

Table 2: This table shows the classified attacks for the Open Safe Attack Tree.

The outcome of the risk calculation determines the severity of the attack and the risk it poses to the company. This classification helps determine how much attention should be paid to the attack and the vulnerability.

3.01 - 4.00 | High risk
2.01 - 3.00 | Medium risk
1.00 - 2.00 | Low risk

Table 3: This table shows the division into the three attack level categories.

Attack Tree with risk figures inserted: when the risks determined by the table are inserted, the attack tree looks like Figure 7. This already gives a better overview of the amount of risk a threat actually poses.

Figure 7: This figure shows the Open Safe Attack Tree with classified attacks inserted.
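The scoring rules above (weighted sum divided by 6, OR-node = highest child, AND-node = average of the children, risk bands from Table 3) can be applied mechanically to any tree. The following Python program is an added example and not part of the thesis: it scores the Open Safe tree of Table 2 with constructed ratings and also shows what happens to a branch when a countermeasure is modelled as an extra AND step that the attacker must defeat. The mapping of the four rating levels to 4/3/2/1, the weights for exploitability, affected users and damage potential (chosen so that all weights sum to 6), and every rating in the tree are assumptions.

```python
"""Weighted DREAD-M scoring with attack-tree propagation.

Added example, not code from the thesis. It implements the case study's rules:
a weighted sum over the six factors divided by 6, an OR-node scored as its
highest child, an AND-node as the average of its children, and the risk bands
of Table 3. Assumptions: rating levels map to 4/3/2/1; the weights for
exploitability, affected users and damage potential are not stated in the
thesis and are chosen so that the weights sum to 6; all ratings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed numeric value of the four columns of Table 1.
RATING = {"high": 4, "medium/high": 3, "medium/low": 2, "low": 1}

# Reliability 1, discoverability 0.5 and motivation 2 are the thesis's weights;
# the other three are assumptions.
WEIGHTS = {
    "reliability": 1.0,
    "exploitability": 1.0,     # assumed
    "discoverability": 0.5,
    "affected_users": 0.5,     # assumed
    "damage_potential": 1.0,   # assumed
    "motivation": 2.0,
}
DIVISOR = 6.0  # the thesis divides the weighted sum by 6


@dataclass
class Node:
    """One attack. A LEAF carries ratings; AND/OR nodes derive their score."""
    name: str
    gate: str = "LEAF"
    ratings: Optional[Dict[str, str]] = None
    children: List["Node"] = field(default_factory=list)


def leaf_risk(ratings: Dict[str, str], weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted DREAD-M score of a single attack, rounded to two decimals."""
    weighted_sum = sum(weights[f] * RATING[ratings[f]] for f in weights)
    return round(weighted_sum / DIVISOR, 2)


def score(node: Node, weights: Dict[str, float] = WEIGHTS) -> float:
    """Propagate scores up the tree: OR = highest child, AND = mean of children."""
    if node.gate == "LEAF":
        return leaf_risk(node.ratings, weights)
    child_scores = [score(c, weights) for c in node.children]
    if node.gate == "OR":
        return max(child_scores)
    if node.gate == "AND":
        return round(sum(child_scores) / len(child_scores), 2)
    raise ValueError(f"unknown gate {node.gate!r}")


def band(risk: float) -> str:
    """Table 3: 3.01-4.00 high, 2.01-3.00 medium, 1.00-2.00 low."""
    if risk > 3.00:
        return "high"
    if risk > 2.00:
        return "medium"
    return "low"


def report(node: Node, out: Optional[Dict[str, Tuple[float, str]]] = None) -> Dict[str, Tuple[float, str]]:
    """Score every node of the tree; returns name -> (risk, band)."""
    out = {} if out is None else out
    risk = score(node)
    out[node.name] = (risk, band(risk))
    for child in node.children:
        report(child, out)
    return out


def with_countermeasure(attack: Node, defeat_step: Node) -> Node:
    """A new security feature turns the attack into an AND with the step that defeats it."""
    return Node(f"{attack.name} (with countermeasure)", "AND", children=[attack, defeat_step])


H, MH, ML, L = "high", "medium/high", "medium/low", "low"


def r(rel: str, exp: str, disc: str, aff: str, dmg: str, mot: str) -> Dict[str, str]:
    """Ratings in the column order of Table 2 (constructed values only)."""
    return dict(zip(WEIGHTS, (rel, exp, disc, aff, dmg, mot)))


def build_open_safe_tree(second_key: bool = False) -> Node:
    """The Open Safe tree of Table 2 with constructed ratings. With second_key=True
    a countermeasure is modelled: knowing the combination alone no longer opens the
    safe, a (hypothetical) second key must also be obtained."""
    listen = Node("Listen to conversation", ratings=r(L, MH, ML, L, H, ML))
    state = Node("Get target to state combination", ratings=r(L, ML, L, L, H, L))
    eavesdrop = Node("Eavesdrop", "AND", children=[listen, state])
    threaten = Node("Threaten", ratings=r(ML, MH, L, L, H, ML))
    from_target = Node("Get combination from target", "OR", children=[threaten, eavesdrop])
    written = Node("Find written combination", ratings=r(MH, H, MH, L, H, MH))
    learn = Node("Learn the combination", "OR", children=[written, from_target])
    if second_key:
        learn = with_countermeasure(learn, Node("Obtain the second key", ratings=r(ML, L, L, L, H, L)))
    pick = Node("Pick the lock", ratings=r(ML, L, ML, L, H, ML))
    cut = Node("Cut the safe open", ratings=r(H, ML, H, L, H, ML))
    return Node("Open safe", "OR", children=[pick, learn, cut])


if __name__ == "__main__":
    for flag in (False, True):
        print("with second key:" if flag else "original tree:")
        for name, (risk, level) in report(build_open_safe_tree(flag)).items():
            print(f"  {name:<45} {risk:.2f}  {level}")
```

With these ratings the root scores 3.17 (high) because the OR chain passes the Find written combination leaf straight up; the Eavesdrop AND-node drops to 1.96 (low) because its two steps are averaged. Adding the second-key step turns the Learn the combination branch into an AND that averages down to 2.42, so the root falls to 2.75 (medium) and the dominant path becomes Cut the safe open. Note that a score of exactly 3.00 lands in the medium band of Table 3; the Discussion's variant of rounding an AND-average down can be substituted in the AND branch of score().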

Attack Tree with colored leaves: when the attacks have been rated and the figures inserted in the graphs, colors can be added to give a better overview of the threat scores.

Figure 8: This figure shows the Open Safe Attack Tree with classified attacks and colored leaves. The colors used are: turquoise for a dangerous, high threat level; yellow for a medium threat; green for a low threat.

6 Classification of Threats

As part of this thesis it is important to evaluate the model in a real situation. This has been done by interviewing three experts on the subject of ECM or security. The interview results have been averaged and are displayed in the tables below. The Risk figure states whether an attack is threatening or has been classified as a low threat, as described in the Case Study. Subsequently these results are used to alter the graphical Attack Trees: the Risk figures are inserted into the leaves and the leaves are then colored according to their classification, as described in the Case Study. The risk factors have been calculated by averaging the previously calculated risk factors per participant. The results per participant can be found in the Appendix.

6.1 Classification of Confidentiality Attack Tree Threats

In this table the classification results are shown for the confidentiality attack tree threats. Where the averaged risk figure is given in the text of section 6.1.1, it is repeated here.

Risk Calculation: Confidentiality

Attack | Risk
Break confidentiality |
1. Read document |
1.1. Retrieve password | 2.92
    Ask the person's password |
    Try common passwords |
    Find password written down |
    Use keylogger |
        Install keylogger |
    Use a camera to capture password |
    Look when the password is being typed in |
1.2. Retrieve admin password | 3.00
    Ask the admin's password |
    Try common passwords |
    Find admin password written down |
    Use keylogger |
        Install keylogger | 2.68
    Use a camera to capture admin password |
    Look when the admin password is being typed in |
1.3. Ask employee to open the document |
1.4. Find printed document |
    Search for lingering document |
1.5. Blackmail the employee |
1.6. Look at already opened document |
1.7. Open the document if the authorizations are set wrong |
1.8. Search for the document in the system |
1.9. Read the document along with someone else |
Copy the document |
    ... the document |
    Store the document in a public environment | 2.50

Table 4: This table shows the classified attacks for the Confidentiality Attack Tree.

6.1.1 Confidentiality Attack Tree

This graph shows the Confidentiality Attack Tree with classified and colored attacks.

Figure 9: This figure shows the Confidentiality Attack Tree with classified attacks and colored leaves.

In this Attack Tree it can clearly be seen that most attacks are labeled as a medium threat. The only two attacks labeled otherwise are Retrieve admin password and Open the document if the authorizations are set wrong. These two threats should be addressed immediately and countermeasures should be taken to prevent exploitation of these vulnerabilities.

The first of the two highly classified threats is retrieving the administrator password. Retrieving this password is classified higher than retrieving a regular password (the regular password scores 2.92, the admin password 3.00), because the impact of obtaining an admin password is much higher: it may be harder to retrieve, but the results it yields are far greater.

The second highly classified threat concerns documents whose authorizations are set wrong. This attack should be considered during implementation: the system should be set up so that a document automatically inherits the rights of the user who creates it, which makes it inaccessible to unauthorized users. Users can still alter the rights of documents, by accident or deliberately, so it is important to educate them and make them aware of the dangers of doing so.

6.2 Classification of Availability Attack Tree Threats

In this table the classification results are shown for the availability attack tree threats.

Risk Calculation: Availability

Attack | Risk
Break Availability |
1.1. Adjust the rights to documents | 2.62
    Adjust the rights of the user | 2.56
        Adjust rights | 2.18
        Retrieve password | 3.00
    Adjust rights of the document | 2.58
        Adjust the rights | 2.39
        Retrieve password | 3.00
    Checkout all documents | 2.60
        Checkout | 2.60
        Retrieve password | 3.00
1.2. Remove the document | 2.49
    Remove | 2.39
    Retrieve password | 3.00
1.3. Adjust the login procedure | 2.57
    Block people by entering their password wrongly 3x | 2.83
    Adjust their usernames | 2.44
        Adjust username | 2.32
        Retrieve password | 3.00
    Adjust their password | 2.44
        Adjust password | 2.21
        Retrieve password | 3.00
    Sabotage their account | 2.40
        Sabotage | 2.42
        Retrieve password | 3.00
    Alter log-in parameters (available time logged in) | 2.43
        Alter parameters | 2.29
        Retrieve password | 3.00
1.4. Bring down the portal available from home | 2.49
1.5. Start backup system | 2.32
    Start system | 2.00
    Retrieve password | 3.00
1.6. Cause the primary system to no longer function | 2.14
1.7. Overload the system | 2.53
    Hack the system | 2.42
    Commence DoS attack | 2.29
1.8. Power failure | 2.21
1.9. Crash the system | 2.47
    Sizing/overflow | 2.00
    Buffer overflow | 2.07
    Bomb | 2.97

Table 5: This table shows the classified attacks for the Availability Attack Tree.

6.2.1 Availability Attack Tree

This graph shows the Availability Attack Tree with classified and colored attacks.

Figure 10: This figure shows the Availability Attack Tree with classified attacks and colored leaves.

As can be seen in this graph, almost all attacks are classified as a medium threat. The five attacks classified as highly threatening are derived from the previous tree, the Confidentiality Attack Tree: they are the retrieval of the administrator password, which was classified as highly threatening there. This attack is a step in several attacks and is therefore reused, which is why it recurs so frequently.

The most likely attack to compromise the availability of the documents within an ECM system is bombing the system. This would destroy all the data in the system and affect every user; it is the attack with the best result for its effort. This attack can, however, be mitigated by installing a backup system in a remote location, which takes over as soon as the primary system is destroyed.

6.3 Classification of Integrity Attack Tree Threats

In this table the classification results are shown for the integrity attack tree threats.

Risk Calculation: Integrity

Attack | Risk
Break Integrity |
1.1. Claim altered copy of document to be original | 2.36
    Copy document | 2.46
    Alter document | 2.43
        Open and change document | 2.56
        Retrieve password | 3.00
1.2. Change document | 2.69
    System fault | 2.69
        Hack the system | 2.40
        Create software that causes system fault | 2.04
        Search the internet for faults | 2.60
    Cause a power failure | 2.36
1.3. Remove documents | 2.64
    Remove documents in the system | 2.51
        Remove file | 2.46
        Retrieve password | 3.00
    Remove documents on the server | 2.61
        Remove the documents from the database | 2.28
            Remove logs (erase tracks) | 2.22
            Retrieve password | 2.76
        Remove the documents from the file server | 2.72
            Delete the file | 2.63
            Retrieve password | 3.00
    Remove the entire disk |

Table 6: This table shows the classified attacks for the Integrity Attack Tree.

6.3.1 Integrity Attack Tree

This graph shows the Integrity Attack Tree with classified and colored attacks.

Figure 11: This figure shows the Integrity Attack Tree with classified attacks and colored leaves.

As can be seen in this Attack Tree, most attacks are labeled as a medium threat. The two threats labeled highly threatening are reused from the Confidentiality Attack Tree and are steps of other attacks. The most likely attack an attacker might perform to compromise the integrity of documents is changing a document through a system fault, which can be found by searching the internet.

Conclusion: A total of 73 attacks were classified using the model. Of these 73 attacks, 64 are rated as a medium threat and 9 as high threats. Of the Confidentiality Attack Tree 24 threats were rated, of which 2 are classified as high threats, a percentage of 8.33%. The Availability Attack Tree has 29 rated attacks, of which 5 are rated as high, a percentage of 17%. Finally, the Integrity Attack Tree has 20 rated threats, of which 2 are rated as high threats, a percentage of 10%. These scores could be read as saying that the availability of the documents is the weakest link within ECM systems. However, the attack that focuses on the retrieval of the admin password occurs frequently in both the Availability and the Integrity Attack Trees, and it is the cause of every high rating there. This leads to the conclusion that the retrieval of the admin password is the weakest link in the system. If this attack were removed, both the Integrity and the Availability Attack Trees would have zero threats classified as high. It is therefore advisable to install additional security measures protecting the administrator password.

7 Conclusion

7.1 Summary

In this dissertation an approach for documenting attack information for Enterprise Content Management systems has been described. The approach was investigated in a workshop in which several Attack Trees were created that give an overview of the threats and vulnerabilities that emerge in ECM systems. Subsequently, a classification method was developed in order to evaluate these threats. This model has been tested by three different experts in the areas of security and ECM systems. Their results were combined and used to create new graphs that illustrate the severity of the researched threats.

7.2 Results

When examining the classified Attack Trees it can be seen that the majority of the attacks are classified as a medium threat: almost 88% (64 of 73) of all attacks. The attacks classified otherwise are the retrieval of the administrator password, which is reused a number of times in several trees, and the attack that exploits incorrectly set authorizations. These attacks are classified as highly threatening, which suggests that the password protection is the weakest link within the system. This problem might be mitigated by implementing two-factor authentication (62), for example by having employees log on to the system with both a password and a fingerprint. This would require the attacker to take more steps and perform more attacks to gain access to the system. It would affect the retrieval of the administrator password and, through it, a large number of other attacks, and would therefore decrease the risk scores of many of the attacks. New security features can be evaluated by determining the attacks that could defeat them; these new attacks can then be added to the original attack trees. The effect of such measures differs per case and is therefore very case-specific. In this dissertation a minimal number of security measures were considered in order to keep the model simple; it is relatively straightforward to add new features at a later stage.

7.3 Discussion

Initially, during the modeling phase of this dissertation, the DREAD model was investigated. Although quite sophisticated, it was missing some required features and was therefore not entirely

suitable. Once altered to add support for these features, the model matched the requirements more closely, although it is still not perfect. In the initial test the figures in the model all tended to become the same: every attack was labeled as highly threatening. This negates the benefit of the model, because not everything can have top priority; there is not enough time and budget to deal with all threats. One significant problem is label creep, a term for the observation that all labels tend to creep upwards (63). It is caused by the fact that when an attack is not described properly and the interviewee doubts the ranking, the higher score is chosen; over an extended period this leads to universally higher scores (64).

Another issue with the model occurred with AND factors. Some attacks consist of two collaborative attacks. The original idea was that one of these would be very straightforward while the other would be very difficult. For example, the availability attack tree contains an attack that modifies the rights to documents, consisting of the two sub-attacks change the rights and retrieve password. The idea was that changing the rights is very easy but retrieving the password very difficult. When working through the model, however, retrieving a password proved to be fairly threatening: it obtained a score so high that it was classified as highly threatening. This high score negated the averaging effect and caused the entire attack to be classified as highly threatening as well, and this happened for every attack that involved retrieving a password. After some discussion the view emerged that while retrieving a regular password is fairly simple, retrieving an administrator's password should be harder, since administrators tend to be more knowledgeable and to have better passwords.
Therefore, a separate attack was added to the confidentiality attack tree with the sub-attacks needed to retrieve an administrator password. This attack proved more difficult and therefore lowered some scores and allowed more variation between the risks of the different attacks.

Unisys also had a suggestion regarding the model: the viewpoint of the attacker was not sufficiently taken into consideration. This could be solved by adding another key point to the model. The discussion led to three candidates: profitability, to focus purely on the financial gain an attacker could achieve with a certain attack; reproducibility, to capture how easy it is to repeat an attack; or motivation, a combination of several key points, namely reliability, reproducibility and profitability. The motivation concept proved the most appropriate, as it was the most complete solution and combined several important factors.

Another way to prevent label creep is to change the calculation of the key factors. Initially the intention was to average reliability, exploitability, discoverability and affected users and then add the result to the damage potential, so that the damage potential, typically the most important factor, was also weighted most heavily; the weight could be moved to another key point when necessary. However, the model itself was too small in scale to bear this weight and constantly returned high threat rankings. Therefore, once the motivation key point had been added, all factors were averaged, with some weighted more heavily than others. For instance, in the model the motivation key point is weighted 2.0, while the discoverability key point is weighted 0.5. These weights can be changed for every attack or situation. In the case study the weights are subjective: they are based on the view that the Discoverability and Affected Users key points are less important than the Motivation and Damage Potential key points, and on several tests with the model. These tests are, however, not conclusive and the weights cannot therefore be considered entirely accurate.

Another part of the model that changed during the interviews was the AND factor. Initially the plan was to average the two attacks. In practice this only caused more label creep and gave very unrealistic results. Rounding the average down where necessary gave a more appropriate result. In some cases this makes the total attack score lower than the scores of the separate attacks, which is surprisingly realistic: if two steps are needed to perform one attack, it is arguably more difficult than a single-step attack.

Once the changes were made to the model and the final results of the three interviews were combined, new graphs were created. At this point the majority of the attacks (64 of 73) were classified as a medium threat. This is partly caused by the label creep mentioned above, but the results also hold some truth.

The results depend to a large extent on retrieving the password of an administrator. This password retrieval has been classified as a highly threatening attack and causes the scores of the other attacks to rise. Although the model was not designed to cope with these figures, retrieving the password was expected to be difficult; it appears to be easier than anticipated, and that is why either education or additional security measures should be emphasized here. Adding security measures could be a solution, but this is a subject for further research.

Another issue that became clear during the interviews is that the motivation key factor is not entirely clear: its description is not fully encompassing and therefore does not fit every situation. This was handled by simply choosing a higher figure if the attack was found more threatening and a lower figure if it was found less threatening. The description in the model should be modified in further studies.

7.4 Future Work

There is significant potential in the area of threat modeling. It is, however, a broad subject that is very subjective, and it will take some time before a simple, universal model is developed. With more time, several things could have been altered. The division of the attacks is now very broad, which makes the Attack Trees very broad and difficult to read; more research could lead to more generalized and reusable trees. The figures and their calculations could also be adjusted, which could further reduce the problem of label creep and ensure a better spread of the threats.

A problem that occurred during the creation of the Attack Trees is that, while Attack Trees are very useful graphs, they are sometimes vague and difficult to create. It is difficult to find a good starting point: where should the focus of the tree lie, which trees need to be created, and what exactly is meant by a certain attack? It also happens that an attack is thought to be described thoroughly while more trivial steps are needed to complete it; these steps are sometimes forgotten and then pose a problem when classifying the attacks. The organization of the trees is also difficult, which comes back to the problem of where to start: if the starting point or the viewpoint of a tree is not properly thought through, the tree can become unstructured and incomprehensible. A method to structure the trees beforehand should be developed in future studies. This could considerably help the adoption of Attack Trees as a classification method and help Risk Analysis mature further.

8 Bibliography

1. Franqueira, Virginia Nunes Leal, Lopes, Raul H.C. and van Eck, Pascal. An Evolutionary Approach for Learning Attack Specifications in Network Graphs. Enschede: Universiteit Twente.
2. Microsoft. Security Risk Management Guide. Microsoft Documents. [Online]
3. Schneier, Bruce. Attack Trees. [Online]
4. Mauw, Sjouke and Oostdijk, Martijn. Foundations of Attack Trees. Nijmegen, Eindhoven: Springer Berlin / Heidelberg.
5. Attack Trees: Door de bomen de bedreigingen zien [Attack Trees: seeing the threats through the trees]. GvIB Informatiebeveiliging.
6. Olzak, Tom. A Practical Approach to Threat Modeling.
7. LeBlanc, David. DREADful. David LeBlanc's Web Log. [Online]
8. Webster, Frank. Information Society. London.
9. Slevin, James. The Internet and Society. Blackwell Publishers Ltd. [Online]
10. Passagiers op Schiphol verliezen wekelijks 750 laptops [Passengers at Schiphol lose 750 laptops a week]. Tweakers.net. [Online] 29 July. [Cited: 19 May 2009.]
11. Defensie verliest vier usb-sticks met geheime informatie [Ministry of Defence loses four USB sticks containing secret information]. Tweakers.net. [Online] 6 November. [Cited: 19 May 2009.]
12. Britse geheime documenten slingeren rond op trein [British secret documents left lying around on a train]. HBVL.be. [Online] [Cited: 19 May 2009.]
13. Structuring the unstructured (document). Findarticles.com. [Online] [Cited: 19 May 2009.]
14. Wood, David and Jones, Tate. A New Type of Data Management System.
15. Päivärinta, Tero and Munkvold, Bjørn Erik. Enterprise Content Management: an Integrated Perspective on Information Management. Hawaii International Conference on System Sciences, Vol. 38.
16. Kemp, James. A Critical Analysis into the Use of Enterprise Content Management Systems in the IT Industry.
17. Scheepers, Rens. A Conceptual Framework for the Implementation of Enterprise Information Portals in Large Organizations. European Journal of Information Systems, 15, 2006.
18. Munkvold, Bjørn Erik, et al. Contemporary Issues of Enterprise Content Management: The Case of Statoil. Scandinavian Journal of Information Systems, 18(2), 2006.
19. EMC2. Enterprise Content Management. [Online]
20. contentmanager.net. ECM Market to Reach $9B in Software and Services. [Online]
21. Tyrväinen, Pasi, et al. Characterizing the Evolving Research on Enterprise Content Management. 2006, 15.
22. Computer museum. [Online]
23. Unisys Corp: Early History, After The Merger. Free Encyclopedia of Ecommerce. [Online] [Cited: 19 May 2009.]
24. Cochrane, R. Unleashing the Intranet. BT Technology Journal, Vol. 15(2), 1997.
25. Business Wire. FileNet Ships. [Online]
26. AIIM. What is ECM? AIIM: Find, Control and Optimize your Information. [Online] [Cited: 12 October 2009.]
27. Astoria Software. Enterprise Content Management Landscape. [Picture]
28. Besnard, Dennis and Arief, Budi. Computer Security Impaired by Legal Users. Newcastle: School of Computing Science.
29. Lioy, Antonio, Maino, Fabio and Mezzelama, Marco. Secure Document Management and Distribution in an Open Network Environment. Torino, Italy: Springer Berlin / Heidelberg.
30. EMC2. EMC Documentum Security. EMC2.
31. Soo Hoo, Kevin J. How Much Is Enough? A Risk Management Approach to Computer Security. Stanford: Consortium for Research on Information Security and Policy (CRISP).
32. Spotlight article: Domain 1, Security Management Practices. SearchSecurity.com. [Online]
33. Overbeek, Paul, Lindgreen, Edo Roos and Spruit, Marcel. Informatiebeveiliging onder controle [Information security under control]. Amsterdam: Pearson Education.
34. British Standard. Information Technology - Security Techniques - Code of Practice for Information Security Management. BS ISO/IEC 17799:2005.
35. Blakley, Bob, McDermott, Ellen and Geer, Dan. Information Security is Information Risk Management. New Security Paradigms Workshop: Proceedings of the 2001 Workshop on New Security Paradigms.
36. Risk Inc. ISO/IEC. [Online]
37. Security Risk Management Guide. Microsoft Documents. [Online]
38. CISSP Essentials Training: Domain 1, Security Management Practices. Security.techtarget.com. [Online]
39. Fredsson, Jeanette and Olandersson, Sandra. Threats in Information Security: Beyond Technical Solutions. Blekinge: Blekinge Institute of Technology.
40. Threat Risk Modeling. OWASP. [Online] [Cited: 1 July 2009.]
41. Library of Congress. Sarbanes-Oxley Act of 2002 (Enrolled as Agreed to or Passed by Both House and Senate). [Online] [Cited: 12 October 2009.]
42. Sarbanes-Oxley. Introduction. Sarbanes-Oxley Act. [Online] [Cited: 13 July 2009.]
43. Broadleaf Capital International. Tutorial Notes: The Australian and New Zealand Standard on Risk Management, AS/NZS 4360.
44. Mell, Peter, Scarfone, Karen and Romanosky, Sasha. A Complete Guide to the Common Vulnerability Scoring System.
45. CERT. Welcome to CERT. [Online] [Cited: 13 July 2009.]
46. CERT. OCTAVE Method Implementation Guide (OCTAVE_OMIG.zip).
47. Oladimeji, Ebenezer A., Supakkul, Sam and Chung, Lawrence. Security Threat Modeling and Analysis: A Goal-Oriented Approach.
48. Schneier, Bruce. Attack Tree picture.
49. Viega, J. and McGraw, G. Risk Analysis: Attack Trees & Other Tricks. Dr. Dobb's Portal. [Online]
50. Ingoldsby, Terrance R. Attack Tree Analysis. Red Team Journal. [Online] [Cited: 3 July 2009.]
51. Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley.
52. Abdullah, Abdul-Kareem. Protecting Your Good Name: Identity Theft and Its Prevention. Kennesaw: Information Security Curriculum Development.
53. Mitnick, Kevin. The Art of Deception. Wiley.
54. Klein, Daniel V. Foiling the Cracker: A Survey of, and Improvements to, Password Security.
55. Moskalyuk, Alex. IT Facts. ZDNet. [Online] 21 March. [Cited: 2 September 2009.]
56. Zeller, Tom. Cyberthieves Silently Copy Your Passwords as You Type. New York Times, February 2007.
57. Kumar, Manu, et al. Reducing Shoulder-Surfing by Using Gaze-Based Password Entry. Stanford: ACM International Conference Proceeding Series, 2007.
58. Anley, Chris. Advanced SQL Injection in SQL Server Applications. NGSSoftware Insight Security Research (NISR).
59. Heberlein, Todd L. and Bishop, Matt. Attack Class: Address Spoofing. 19th National Information Systems Security Conference.
60. Jin, Shuyuan and Yeung, Daniel S. A Covariance Analysis Model for DDoS Attack Detection. Hong Kong: IEEE, 2004.
61. Cowan, Crispin, et al. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Oregon Graduate Institute of Science & Technology.
62. Jin, Andrew Teoh Beng, Ling, David Ngo Check and Goh, Alwyn. Biohashing: Two Factor Authentication Featuring Fingerprint Data and Tokenised Random Number.
63. Sabelfeld, Andrei and Myers, Andrew C. Language-Based Information-Flow Security. IEEE.
64. Crispo, Bruno, et al. A Virtual Machine Based Information Flow Control System for Policy Enforcement. Electronic Notes in Theoretical Computer Science, 2008.

9 Appendix A

9.1 Interview Results

(The numeric scores in the tables below are not legible in this transcription; only the scored attack hierarchies are listed.)

9.1.1 Participant A

Risk Calculation: Confidentiality
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break confidentiality
1. Read document
   1.1. Retrieve password
        - Ask the person's password
        - Try common passwords
        - Find password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture password
        - Look when the password is being typed in
   1.2. Retrieve admin password
        - Ask the admin's password
        - Try common passwords
        - Find admin password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture admin password
        - Look when the admin password is being typed in
   1.3. Ask employee to open the document
   1.4. Find printed document
        - Search for lingering document
   1.5. Blackmail the employee
   1.6. Look at already opened document
   1.7. Open the document if the authorizations are set wrong
   1.8. Search for the document in the system
   1.9. Read the document along with someone else
   - Copy the document
        - ... the document
        - Store the document in a public environment
Table 7: This table shows the classified attacks for the Confidentiality Attack Tree.

Risk Calculation: Availability
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break availability
   1.1. Adjust the rights to documents
        - Adjust the rights of the user
             - Adjust rights
             - Retrieve password
        - Adjust rights of the document
             - Adjust the rights
             - Retrieve password
        - Checkout all documents
             - Checkout
             - Retrieve password
   1.2. Remove the document
        - Remove
        - Retrieve password
   1.3. Adjust the login procedure
        - Block people by wrongly inserting their password 3x
        - Adjust their usernames
             - Adjust username
             - Retrieve password
        - Adjust their password
             - Adjust password
             - Retrieve password
        - Sabotage their account
             - Sabotage
             - Retrieve password
        - Alter log-in parameters (available time logged in)
             - Alter parameters
             - Retrieve password
   - Bring down the portal available from home
   - Start backup system
        - Start system
        - Retrieve password
   1.6. Cause the primary system to no longer function
   1.7. Overload the system
        - Hack the system
        - Commence DDoS attack
   1.8. Power failure
   1.9. Crash the system
        - Sizing/overflow
        - Buffer overflow
        - Bomb
Table 8: This table shows the classified attacks for the Availability Attack Tree.

Risk Calculation: Integrity
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break integrity
   1.1. Claim altered copy of document to be original
        - Copy document
        - Alter document
             - Open and change document
             - Retrieve password
   1.2. Change document
        - System fault
             - Hack the system
             - Create software that causes system fault
             - Search the internet for faults
        - Cause a power failure
   - Remove documents
        - Remove documents in the system
             - Remove file
             - Retrieve password
        - Remove documents on the server
             - Remove the documents from the database
                  - Remove logs (erase tracks)
                  - Retrieve password
             - Remove the documents from the file server
                  - Delete the file
                  - Retrieve password
                  - Remove the entire disk
Table 9: This table shows the classified attacks for the Integrity Attack Tree.

9.1.2 Participant B

Risk Calculation: Confidentiality
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break confidentiality
1. Read document
   1.1. Retrieve password
        - Ask the person's password
        - Try common passwords
        - Find password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture password
        - Look when the password is being typed in
   1.2. Retrieve admin password
        - Ask the admin's password
        - Try common passwords
        - Find admin password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture admin password
        - Look when the admin password is being typed in
   1.3. Ask employee to open the document
   1.4. Find printed document
        - Search for lingering document
   1.5. Blackmail the employee
   1.6. Look at already opened document
   1.7. Open the document if the authorizations are set wrong
   1.8. Search for the document in the system
   1.9. Read the document along with someone else
   - Copy the document
        - ... the document
        - Store the document in a public environment
Table 10: This table shows the classified attacks for the Confidentiality Attack Tree.

Risk Calculation: Availability
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break availability
   1.1. Adjust the rights to documents
        - Adjust the rights of the user
             - Adjust rights
             - Retrieve password
        - Adjust rights of the document
             - Adjust the rights
             - Retrieve password
        - Checkout all documents
             - Checkout
             - Retrieve password
   1.2. Remove the document
        - Remove
        - Retrieve password
   1.3. Adjust the login procedure
        - Block people by wrongly inserting their password 3x
        - Adjust their usernames
             - Adjust username
             - Retrieve password
        - Adjust their password
             - Adjust password
             - Retrieve password
        - Sabotage their account
             - Sabotage
             - Retrieve password
        - Alter log-in parameters (available time logged in)
             - Alter parameters
             - Retrieve password
   - Bring down the portal available from home
   - Start backup system
        - Start system
        - Retrieve password
   1.6. Cause the primary system to no longer function
   1.7. Overload the system
        - Hack the system
        - Commence DDoS attack
   1.8. Power failure
   1.9. Crash the system
        - Sizing/overflow
        - Buffer overflow
        - Bomb
Table 11: This table shows the classified attacks for the Availability Attack Tree.

Risk Calculation: Integrity
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break integrity
   1.1. Claim altered copy of document to be original
        - Copy document
        - Alter document
             - Open and change document
             - Retrieve password
   1.2. Change document
        - System fault
             - Hack the system
             - Create software that causes system fault
             - Search the internet for faults
        - Cause a power failure
   - Remove documents
        - Remove documents in the system
             - Remove file
             - Retrieve password
        - Remove documents on the server
             - Remove the documents from the database
                  - Remove logs (erase tracks)
                  - Retrieve password
             - Remove the documents from the file server
                  - Delete the file
                  - Retrieve password
                  - Remove the entire disk
Table 12: This table shows the classified attacks for the Integrity Attack Tree.

9.1.3 Participant C

Risk Calculation: Confidentiality
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break confidentiality
1. Read document
   1.1. Retrieve password
        - Ask the person's password
        - Try common passwords
        - Find password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture password
        - Look when the password is being typed in
   1.2. Retrieve admin password
        - Ask the admin's password
        - Try common passwords
        - Find admin password written down
        - Use keylogger
             - Install keylogger
        - Use a camera to capture admin password
        - Look when the admin password is being typed in
   1.3. Ask employee to open the document
   1.4. Find printed document
        - Search for lingering document
   1.5. Blackmail the employee
   1.6. Look at already opened document
   1.7. Open the document if the authorizations are set wrong
   1.8. Search for the document in the system
   1.9. Read the document along with someone else
   - Copy the document
        - ... the document
        - Store the document in a public environment
Table 13: This table shows the classified attacks for the Confidentiality Attack Tree.

Risk Calculation: Availability
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break availability
   1.1. Adjust the rights to documents
        - Adjust the rights of the user
             - Adjust rights
             - Retrieve password
        - Adjust rights of the document
             - Adjust the rights
             - Retrieve password
        - Checkout all documents
             - Checkout
             - Retrieve password
   1.2. Remove the document
        - Remove
        - Retrieve password
   1.3. Adjust the login procedure
        - Block people by wrongly inserting their password 3x
        - Adjust their usernames
             - Adjust username
             - Retrieve password
        - Adjust their password
             - Adjust password
             - Retrieve password
        - Sabotage their account
             - Sabotage
             - Retrieve password
        - Alter log-in parameters (available time logged in)
             - Alter parameters
             - Retrieve password
   - Bring down the portal available from home
   - Start backup system
        - Start system
        - Retrieve password
   1.6. Cause the primary system to no longer function
   1.7. Overload the system
        - Hack the system
        - Commence DDoS attack
   1.8. Power failure
   1.9. Crash the system
        - Sizing/overflow
        - Buffer overflow
        - Bomb
Table 14: This table shows the classified attacks for the Availability Attack Tree.

Risk Calculation: Integrity
Columns: Attack | Probability: Reliabil., Exploit., Disc. | Business Impact: Affected Users, Damage pot., Motiv | Risk
Root: Break integrity
   1.1. Claim altered copy of document to be original
        - Copy document
        - Alter document
             - Open and change document
             - Retrieve password
   1.2. Change document
        - System fault
             - Hack the system
             - Create software that causes system fault
             - Search the internet for faults
        - Cause a power failure
   - Remove documents
        - Remove documents in the system
             - Remove file
             - Retrieve password
        - Remove documents on the server
             - Remove the documents from the database
                  - Remove logs (erase tracks)
                  - Retrieve password
             - Remove the documents from the file server
                  - Delete the file
                  - Retrieve password
                  - Remove the entire disk
Table 15: This table shows the classified attacks for the Integrity Attack Tree.

9.2 Workshop Results

Figure 12: Confidentiality Attack Tree (figure not included in this transcription)
Figure 13: Integrity Attack Tree (figure not included in this transcription)
Figure 14: Availability Attack Tree (figure not included in this transcription)


More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

More information

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers. Employee Security Awareness Survey Trenton Bond [email protected] Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

The Influence of Software Vulnerabilities on Business Risks 1

The Influence of Software Vulnerabilities on Business Risks 1 The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal

More information

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper Protecting Business Information With A SharePoint Data Governance Model TITUS White Paper Information in this document is subject to change without notice. Complying with all applicable copyright laws

More information