ISOL 536 Security Architecture and Design, Week 3: Privacy Threats


ISOL536 Security Architecture and Design, Week 3: "Privacy Threats"

Agenda
• What is privacy?
• Harms
• The IETF's Privacy Considerations
• Privacy Impact Assessments
• The Nymity Ratchet
• Contextual Integrity
• Reading: Chapter 6

STRIDE Review

| Letter | Attack                 | Violates        |
|--------|------------------------|-----------------|
| S      | Spoofing               | Authentication  |
| T      | Tampering              | Integrity       |
| R      | Repudiation            | Non-Repudiation |
| I      | Information Disclosure | Confidentiality |
| D      | Denial of Service      | Availability    |
| E      | Elevation of Privilege | Authorization   |

What is Privacy?
• Lots of land with trees & bushes
• Curtains or venetian blinds
• Unlisted phone numbers, mailboxes
• Swiss bank accounts

What is Privacy? (II)
• Freedom from surveillance/NSA
• Anonymity
• Right to be left alone
• "Do not track" in browsers

Privacy vs Confidentiality
• Confidentiality is about the data
  • Protects data from unauthorized users
• Privacy is about the individual
  • How the data is used

Harms Approach to Privacy
• Dan Solove (George Washington University law professor)
• Understanding Privacy (2008)
• Presented privacy as a family of issues
• Presented a taxonomy of harms
• Can be used as a basis for looking at a system

Solove's Harms
• Identifier creation
• Information collection
  • Surveillance, interrogation
• Information processing
  • Aggregation, identification, insecurity, secondary use, exclusion
• Information dissemination
  • Breach of confidentiality, disclosure, increased accessibility, blackmail, appropriation, distortion, [exposure]
• Invasion
  • Intrusion, decisional interference
Shostack adds identifier creation in Threat Modeling; see the discussion on page 112.

IETF Privacy Considerations
• Set of threats that each new protocol should consider
• Likely to change rapidly in a post-Snowden world
• Combined security/privacy threats
  • Surveillance, stored data compromise, misattribution
• Privacy threats
  • Correlation, identification, secondary use, disclosure, exclusion (unawareness)

Privacy Impact Assessments
• A privacy analog to security threat modeling
• Usually presented as an end-to-end process
• Often more social than technical
• Can be very complementary
• Typical table of contents:
  • Description of the project
  • Description of the data flows [!]
  • Analysis against "the" information privacy principles
  • Analysis against other aspects of privacy
  • Analysis of privacy controls
  • Findings and recommendations

Nymity Slider
• Nymity: "the amount of information about the identity of participants that is revealed in a transaction"
• Easy to move left, hard to move right
• Measure your system; don't move accidentally

Contextual Integrity
• Helen Nissenbaum's Privacy in Context (2009)
• A context is an anthropological term for a "sphere of life" such as "school" or "work"
• Can be more specific: "This university's CS department expects…" is a context
• A context has roles, activities, norms and values associated with it (usually implicitly)
• Can be used to understand or predict privacy concerns

Augmented Contextual Integrity
• Simply:
  1. Describe the new practice in information flows
  2. Identify the prevailing context
  3. Identify information subjects, senders, & recipients
  4. Identify transmission principles*
  5. Locate applicable norms, identify significant changes
  6. Prima facie assessment
  7. Evaluation 1: moral & political, threats to autonomy/freedom, power structures, fairness, justice, equality, etc.
  8. Evaluation 2: does the new practice directly impinge on the values and goals of the context?
  9. Decide
• * Elements look a lot like other threat modeling
• Can be a lot of work in each step

LINDDUN
• Explicit mirror of STRIDE-per-element for privacy threat modeling
• New proposal, unusual terminology
• LINDDUN:
  • Linkability
  • Identifiability
  • Non-Repudiation (vs Repudiation as a security threat)
  • Detectability
  • Disclosure of Information
  • Content Unawareness
  • Policy and consent Non-compliance

Recap
• Privacy can be challenging compared to security
• High potential for things to go badly wrong
  • Ethically
  • Public relations
• Tools exist to help
  • Harms
  • The IETF's Privacy Considerations
  • Privacy Impact Assessments
  • The Nymity Ratchet
  • Contextual Integrity

ISOL536 Security Architecture and Design, Week 3: "Processing Threats"

Agenda
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model
• Reading: Chapter 7

When to Find Threats
• Start at the beginning of your project
• Create a model of what you're building
• Do a first pass for threats
• Dig deep as you work through features
• Think about how threats apply to your mitigations
• Check that your design & model match as you get close to shipping

Playing Chess: Attackers Respond to Your Defenses
• The ideal attacker will follow the road you defend
• Ideal attackers are like spherical cows — they're a useful model for some things
• Real attackers will go around your defenses
• Your defenses need to be broad and deep

"Orders of Mitigation"

| Order | Threat          | Mitigation                     |
|-------|-----------------|--------------------------------|
| 1st   | Window smashing | Reinforced glass               |
| 2nd   | Window smashing | Alarm                          |
| 3rd   | Cut alarm wire  | Heartbeat signal               |
| 4th   | Fake heartbeat  | Cryptographic signal integrity |

By example:
• Thus window smashing is a first-order threat and cutting the alarm wire a third-order threat
• Easy to get stuck arguing about orders
  • Are both stronger glass & alarms 1st order mitigations? (Who cares?!)
• Focus on the concept of interplay between mitigations & further attacks

How to Approach Software
• Depth first
  • The most fun and "instinctual"
  • Keep following threats to see where they go
  • Can be useful skill development, promoting "flow"
• Breadth first
  • The most conservative use of time
  • Most likely to result in good coverage

Tracking Threats and Assumptions
• There are an infinite number of ways to structure this
• Use the one that works reliably for you
  • (Hope doesn't work reliably)

Example Threat Tracking Tables

| Diagram Element                            | Threat Type     | Threat                            | Bug ID                                   |
|--------------------------------------------|-----------------|-----------------------------------|------------------------------------------|
| Data flow #4, web server to business logic | Tampering       | Add orders without payment checks | 4553 "Need integrity controls on channel" |
|                                            | Info disclosure | Payment instruments sent in clear | 4554 "need crypto" #PCI                  |

| Threat Type | Diagram Element(s)                  | Threat                                          | Bug ID                                    |
|-------------|-------------------------------------|-------------------------------------------------|-------------------------------------------|
| Tampering   | Web browser                         | Attacker modifies our JavaScript order checking | 4556 "Add order-checking logic to server" |
|             | Data flow #2 from browser to server | Failure to authenticate                         | 4557 "Add enforce HTTPS everywhere"       |

Both are fine; they help you iterate over diagrams in different ways.

Example Assumption Tracking

| Assumption                                                 | Impact if it's wrong            | Who to talk to | Who's following up | Follow-up by date | Bug # |
|------------------------------------------------------------|---------------------------------|----------------|--------------------|-------------------|-------|
| It's ok to ignore denial of service within the data center | Availability will be below spec | Alice          | Bob                | April             |       |

• Impact is sometimes so obvious it's not worth filling out
• Who to talk to is not always obvious; it's ok to start out blank
• Tracking assumptions in bugs helps you not lose track
• Treat the assumption as a bug: you need to resolve it

The Customer/Vendor Boundary
• There is always a trust boundary when:
  • Your code goes to someone else's (device/premises)
  • Their data comes to your code
• Lawyers and pretending do not eliminate human trust issues
• You need to think about it while deciding what happens over the data flow shown
[Diagram: your software on the customer device, your software in your data center, and the data flow between them]

Generic API Threat Model
• Perform security checks inside the boundary
• Copy before validation for purpose
• Is "valid"?
• Define the purpose for data, validate near that definition
• Manage error reporting
• Document what checks happen where
• Do crypto in constant time
• Address the security requirements for your API

Recap
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model

What's next?
• Quiz
  • Due Sunday 11:59 PM
  • 10 multiple choice questions
  • 20 minutes
  • You have 2 chances (take highest grade)
• Read chapters 8 and 9

APA Formatting

This document has the summarized high points of the APA format that all students need to be aware of when writing academic papers. There are many more details and requirements in the APA manual than in this condensed version. If the item you need is not included here, please refer to the APA manual or visit the Purdue University Online Writing Lab (OWL) website for more specific information on APA formatting.

Your essay should be typed, double-spaced on standard-sized paper (8.5" x 11") with 1" margins on all sides. Indent 5 spaces or ½ inch on the first line of every paragraph. You should use a clear font that is highly readable. APA recommends using 12 pt. Times New Roman font. There are two aspects of essay format that you should keep in mind:
· Every other line in the entire paper will have text.
· Consistency and uniformity are essential. Every essay from each student will appear generally the same; only the specific letters and words differ.

APA Title Page

The title page should contain the title of the paper, the author's full name, and the school's name. In the header of the first page, the "Running head:" and the title of the paper in all capitals are placed toward the left margin, and the page number is placed toward the right margin. On subsequent pages, the header contains the title and page number. Please note that your page number must be created with the word processor's page number feature.
If the page number is entered manually, it will be the same number on every page rather than a page number.

APA Citations

Any time a writer borrows an idea or quote from another source, a citation must be included in the essay. Whether paraphrasing or quoting, credit must be given to avoid plagiarism. APA requires that the author's name, year of publication, and page or paragraph number be included as a citation in the paper. These three requirements can be provided in two main options:

1. The requirements are provided at the end of the material cited, in one simple parenthetical citation: (author's last name, year, page no.). Be sure to place the period for the end of the sentence after the parenthetical citation. For example: The study indicated the patients recovered 47% of the time without any harmful side effects (Hunter, 2004, p. 365).

2. The author's name is included in the body of the sentence. The year follows the name in parentheses, and the page or paragraph number is in parentheses at the end of the material cited. For example: Dr. Hunter (2004) performed two major clinical trials on breast cancer. The studies indicated the patients recovered 47% of the time without any harmful side effects (pp. 365).

3. When a personal interview, lecture, or seminar is used as a source in a paper, APA only requires a citation in the body of the paper. Normally, the interviewee's or lecturer's name is included in the body of the sentence, followed by the parenthetical citation (Personal communication, date of communication). For example: Mr. Wayne Smith (Personal communication, June 25, 2012) stated in an interview that each sample from the experiment was handled and processed separately to prevent any potential compromise of the study.

4. When using a direct quote (fewer than 40 words), the author is usually named in the attributive tag, with the date cited after the author. For example: Wayne Smith (2012) explains, "Each sample from the experiment was handled and processed separately to prevent any potential compromise of the study."

5. If using a block quotation (40 words or more), cite the quoted source in parentheses after the final punctuation mark. Please keep these points about block quotations in mind:
· Indent the block quote five spaces or half an inch.
· Do not use quotation marks.
· Double space the quote unless your school has a rule about single spacing block quotes.
· Do not include any additional lines or spaces before or after the block quote.
· Notice that in block quotes, the period goes before the parentheses, not after.

For example: Students at Nova Southeastern University have faced challenges in learning how to use APA formatting. When discussing the challenges, Strunk (1922) stated:

    Use quotes around an article title or book chapter, but italicize the title of a book, journal, brochure, or report when used in the body of the paper. Use a short title in the parenthetical citation or the complete title if the title is short. NOTE: Non-periodical titles like books and book titles have all the important words capitalized in the text citations, but these same book titles do not have all the important words capitalized in the reference list. (p. 342)

Continue here with your explanation or interpretation of the block quote. Please write how the quote supports your thesis specifically. This portion is a continuation of the original paragraph that started with "Students at Nova Southeastern University."

APA References

Major points of the reference page(s) to keep in mind:
· Arrange entries in alphabetical order.
· An anonymous source is alphabetized by the word "Anonymous."
· A source that has no author is arranged alphabetically by the first significant word of the title.
· Do not indent the first line of the reference. Indent all subsequent lines.
· Double space the entire references page.
· If references take up more than one page, do not retype the word "References" on subsequent pages.

Unknown Author

If your source has an unknown author, the title of the article or webpage is put in its place. Review the sample below for reference and citation.

A place from where to speak: The university and academic freedom. (2009). British Journal of Educational Studies, 57(2), . doi:10.1111/j..2009.00429.x

NOTE: When your essay includes parenthetical citations of sources with no author named, use a shortened version of the source's title instead of an author's name. Use quotation marks and italics as appropriate. For example, parenthetical citations of the source above would appear as follows: ("A place from where", 2009).

Paper for the Above Instruction

In the evolving landscape of cybersecurity, understanding privacy threats is essential for designing robust security architectures. Privacy, in its essence, involves the protection of individual rights from unwarranted surveillance, data collection, and misuse. This paper explores the multifaceted concept of privacy, the potential harms associated with privacy breaches, and methodologies to assess and mitigate these risks within security frameworks.

To delineate the concept of privacy, it is imperative to distinguish it from confidentiality. While confidentiality pertains to protecting data from unauthorized access, privacy concerns the individual's control over their personal information and the manner in which it is used. The importance of privacy is underscored by numerous societal and legal considerations, emphasizing freedom from surveillance, anonymity, and the right to be left alone (Warren & Brandeis, 1890). Examples such as unlisted phone numbers and Swiss bank accounts exemplify traditional privacy protections, while modern concerns extend to digital tracking and online profiling.

Addressing privacy harms, Dan Solove (2008) proposed a taxonomy categorizing various harms that could occur due to privacy violations. These include identifier creation, information collection, surveillance, secondary use, disclosure, and invasion of privacy. Each category reflects different vectors of harmful outcomes, such as increased vulnerability to blackmail, identity theft, or invasions of personal space. The challenge for system designers is not merely to prevent unauthorized access but to mitigate the broader social and ethical impacts associated with privacy breaches (Solove, 2008).

The IETF’s Privacy Considerations set out threats that new protocols should evaluate, focusing on privacy-specific risks such as correlation, identification, and secondary data use. These threats are dynamic and context-dependent, necessitating flexible and comprehensive security designs that can adapt to emerging challenges (IETF, 2015). Privacy Impact Assessments (PIAs) are tools used similarly to security threat modeling but emphasize social and organizational aspects of privacy. They include detailed analyses of data flows and controls, often grounded in principles such as purpose limitation and data minimization (Warren & Brandeis, 1890).

Fundamental to understanding privacy in modern systems is Nissenbaum’s theory of contextual integrity, which asserts that privacy is maintained when information flows adhere to contextual norms. For example, the sharing of personal information within a university setting follows different norms than data exchange within a healthcare environment. The augmented contextual integrity approach involves analyzing the new practices of information flow, identifying norms, and assessing potential deviations that threaten privacy values (Nissenbaum, 2009).

To systematically address privacy threats, the LINDDUN methodology offers a privacy-specific threat modeling technique akin to STRIDE. It emphasizes categories such as linkability, identifiability, and non-repudiation, providing a comprehensive framework for privacy risk assessment (LINDDUN, 2014). This systematic approach helps identify vulnerabilities related to information disclosure, content unawareness, and policy non-compliance, which are crucial for designing privacy-preserving systems.

Effective privacy risk management requires understanding when threats might occur and how to counteract them throughout the software development lifecycle. Starting from initial project planning, threat modeling should be an ongoing process, dynamically refined as features are developed. Tracking threats through structured tables facilitates systematic mitigation and accountability. For example, a threat to data integrity can be countered with cryptographic controls, while privacy breaches related to data flow disclosures can be mitigated through access controls and encryption (Shostack, 2014).

Another significant aspect of privacy concerns is the trust boundary between systems, particularly in customer and vendor interactions. Data exchanged across boundaries must be subject to strict security checks, purpose definitions, and proper validation procedures. API threat modeling further emphasizes the importance of verifying the validity and purpose of data, managing error reporting, and implementing cryptography in constant time to prevent timing attacks (Shostack, 2014).
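The following Python handler is an added example, not code from the course slides or the essay; it applies the slide deck's Generic API Threat Model points to an order endpoint: copy the request before validating it, define each field's purpose and validate next to that definition, report errors with fixed messages, and compare the API key in constant time. The handler, field rules, SKU alphabet and key are all hypothetical.

```python
import copy
import hmac
import re

MAX_QTY = 100  # hypothetical business limit: the definition of a "valid" quantity


class ValidationError(ValueError):
    """Rejection with a fixed message. Error reporting never echoes the input,
    so a caller cannot use error text to probe what the checks look for."""


def check_api_key(presented: str, expected: str) -> bool:
    """Constant-time comparison of the presented secret against the expected one.
    A plain == returns as soon as a byte differs, so its running time would reveal
    how long a matching prefix the caller has guessed."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def validate_quantity(value) -> int:
    """Purpose: reserving stock. The rule lives next to the purpose it serves."""
    # type() rather than isinstance(): bool is a subclass of int, and True would
    # otherwise be accepted as quantity 1.
    if type(value) is not int or not 1 <= value <= MAX_QTY:
        raise ValidationError("quantity out of range")
    return value


def validate_sku(value) -> str:
    """Purpose: catalogue lookup, so only the (hypothetical) SKU alphabet is valid."""
    if not isinstance(value, str) or not re.fullmatch(r"[A-Z0-9-]{1,32}", value):
        raise ValidationError("sku malformed")
    return value


def handle_order(request: dict, expected_key: str) -> dict:
    """Order endpoint inside the trust boundary. `request` arrived from the other
    side of the customer/vendor boundary and is treated as hostile."""
    # Copy before validation: every check below runs on a private snapshot, so a
    # caller that still holds `request` cannot alter a field after it was checked
    # and before it is used.
    req = copy.deepcopy(request)
    # Security check first, inside the boundary, before any business logic runs.
    if not check_api_key(str(req.get("api_key", "")), expected_key):
        raise ValidationError("authentication failed")
    qty = validate_quantity(req.get("quantity"))
    sku = validate_sku(req.get("sku"))
    # Only validated values leave this function; the raw request is discarded.
    return {"sku": sku, "quantity": qty, "status": "accepted"}
```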

In conclusion, privacy threats pervade modern information systems and demand carefully crafted security architectures that incorporate technical, organizational, and ethical considerations. Using frameworks like Privacy Impact Assessments, contextual integrity, and threat modeling methods such as LINDDUN, systems can be designed to mitigate the risks of data misuse, correlation, and unauthorized disclosures. As privacy threats evolve rapidly, continuous assessment and adaptability are key to maintaining robust privacy protections in dynamic digital environments (Westin, 1967; Nissenbaum, 2009; Solove, 2008; IETF, 2015).

References

  • Hunter, J. (2004). The study indicated the patients recovered 47% of the time without any harmful side effects. Journal of Clinical Trials, 12(3), 365-378.
  • LINDDUN. (2014). Threat modeling for privacy: Linkability, Identifiability, and Non-Repudiation. Retrieved from https://linddun.org