Interaction-Based Privacy Threat Elicitation (Laurens Sion, Kim Wuyts et al.), PowerPoint presentation transcript



SLIDE 1

Interaction-Based Privacy Threat Elicitation

Laurens Sion, Kim Wuyts, Koen Yskout, Dimitri Van Landuyt, Wouter Joosen 27th April 2018 – IWPE2018 – London, United Kingdom

SLIDE 2

Importance of Considering Privacy by Design

› Data breaches

[Chart: Number of Data Breaches, grouped by data sensitivity: 1 (e.g., email, online info), 2 (SSN, personal details), 3 (e.g., credit card info), 4 (e.g., health records), 5 (full bank account details). Data: Information is Beautiful, World's Biggest Data Breaches]

SLIDE 3

Importance of Considering Privacy by Design

› Data breaches

[Chart: Number of records lost (millions) per year, 2004 to 2018, vertical axis from 10 to 10,000. Data: Information is Beautiful, World's Biggest Data Breaches]

SLIDE 4

Importance of Considering Privacy by Design

› Data breaches
› Users’ view inconsistent with collection/usage

SLIDE 5

Importance of Considering Privacy by Design

› Data breaches
› Users’ view inconsistent with collection/usage
› Increasingly legislated

GDPR mandates privacy by design

SLIDE 6

Realizing Privacy by Design

› GDPR mentions risk ≫ 70 times

SLIDE 7

Realizing Privacy by Design

› GDPR mentions risk ≫ 70 times
› Appropriate technical measures: identify issues

SLIDE 8

Realizing Privacy by Design

› GDPR mentions risk ≫ 70 times
› Appropriate technical measures: identify issues
› Accountability: demonstrate compliance

SLIDE 9

Privacy Threat Modeling Steps

Model: Model the system

Map: Map the LINDDUN threat types to the model

Elicit and Document: Elicit and document privacy threats

SLIDE 10

Privacy Threat Modeling Steps: Model

Model the system

› DFD model of the system

[DFD figure: 1. User, 2. Portal, 3. Service, 4. Social network data]


SLIDE 12

Privacy Threat Modeling Steps: Map

Map the LINDDUN threat types to the model

SLIDE 13

Privacy Threat Modeling Steps: Map

Map the LINDDUN threat types to the model

[DFD figure: 1. User, 2. Portal, 3. Service, 4. Social network data]

LINDDUN mapping table (which threat types apply to which DFD element type):

Element type | L | I | N | D | D | U | N
Data store   | X | X | X | X | X |   | X
Data flow    | X | X | X | X | X |   | X
Process      | X | X | X | X | X |   | X
Entity       | X | X |   |   |   | X |

MAPPING TEMPLATE (per threat target in the model):

Threat target                             | L | I | N | D | D | U | N
Data store: Social network db             | X | X | x | x | X |   | X*
Data flow: User data stream (user-portal) | ...
...



SLIDE 19

Privacy Threat Modeling Steps: Elicit

Elicit and document privacy threats

MAPPING TEMPLATE (excerpt):

Threat target                             | L | I | N | D | D | U | N
Data store: Social network db             | X | X | x | x | X |   | X*
Data flow: User data stream (user-portal) | ...
...

[Figure: the marked threat targets are worked through with the THREAT TREE CATALOG and the MITIGATION TAXONOMY]



SLIDE 22

The LINDDUN Privacy Framework

› Linkability
› Identifiability
› Non-repudiation
› Detectability
› Disclosure of Information
› Unawareness
› Non-compliance

SLIDE 23

Issues with Element-Based Elicitation

› Undiscovered threats

[DFD figure: Process with A and B]


SLIDE 25

Issues with Element-Based Elicitation

› Undiscovered threats

[DFD figure: Process with A and B]

Single threat?


SLIDE 28

Issues with Element-Based Elicitation

› Undiscovered threats
› Inapplicable threats

SLIDE 29

Issues with Element-Based Elicitation

› Undiscovered threats
› Inapplicable threats

[DFD figure: Client, Server]

SLIDE 30

Issues with Element-Based Elicitation

› Undiscovered threats
› Inapplicable threats

[DFD figure: Client, Server]

Detectability threats on processes


SLIDE 34

Issues with Element-Based Elicitation

› Undiscovered threats
› Inapplicable threats
› Redundant threats

SLIDE 35

Issues with Element-Based Elicitation

› Undiscovered threats
› Inapplicable threats
› Redundant threats

[DFD figure: Client, Server]

Detectability threats on processes

SLIDE 36

Element- vs. Interaction-based Elicitation

› Take local context into account: more explicit and precise
› Threats are not caused by elements but arise through interactions
› #interactions < #elements
› Fewer or more threats?
› Lack of consensus on the most appropriate approach
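To make the Map step and the "#interactions < #elements" counting argument concrete, here is an added Python example (not from the slides or the LINDDUN project): it applies the LINDDUN mapping table to the deck's example DFD and counts threat candidates under element-based elicitation versus a simplified interaction-based rule. The data-flow wiring, the element types of Portal and Service, and the "one candidate per interaction and applicable threat type" rule are assumptions for illustration.

```python
# Added illustration (not the slides' or LINDDUN's own code): element-based vs
# interaction-based threat candidate counts for the deck's example DFD.

# LINDDUN mapping table: threat type -> DFD element types it applies to.
# (Two D's and two N's are disambiguated with a second letter.)
MAPPING = {
    "L":  {"entity", "process", "store", "flow"},  # Linkability
    "I":  {"entity", "process", "store", "flow"},  # Identifiability
    "Nr": {"process", "store", "flow"},            # Non-repudiation
    "D":  {"process", "store", "flow"},            # Detectability
    "Dd": {"process", "store", "flow"},            # Disclosure of information
    "U":  {"entity"},                              # Unawareness
    "Nc": {"process", "store", "flow"},            # Non-compliance
}

# Constructed DFD of the slides' example; element types are assumptions.
ELEMENTS = {"User": "entity", "Portal": "process",
            "Service": "process", "Social network data": "store"}
# Assumed data flows (source, destination); each flow is a DFD element too.
FLOWS = [("User", "Portal"), ("Portal", "Service"),
         ("Service", "Social network data")]

def element_based():
    """Element-based: one candidate per (element, applicable threat type),
    with no knowledge of what the element talks to (no local context)."""
    cands = set()
    for name, kind in ELEMENTS.items():
        cands |= {(name, t) for t, kinds in MAPPING.items() if kind in kinds}
    for src, dst in FLOWS:
        cands |= {(f"{src}->{dst}", t)
                  for t, kinds in MAPPING.items() if "flow" in kinds}
    return cands

def interaction_based():
    """Assumed interaction rule: one candidate per (interaction, threat type)
    where the type applies to the source, the flow or the destination. The
    three element-based candidates for one flow collapse into one, and the
    candidate carries both endpoints as context."""
    cands = set()
    for src, dst in FLOWS:
        kinds = {ELEMENTS[src], "flow", ELEMENTS[dst]}
        cands |= {(f"{src}->{dst}", t)
                  for t, k in MAPPING.items() if kinds & k}
    return cands

def counts():
    """Candidate totals for both strategies (element-based: 39, interaction-based: 19)."""
    return {"element": len(element_based()),
            "interaction": len(interaction_based())}
```

The interaction-based set is smaller because the source, flow and destination of one interaction are examined together, while Unawareness still appears only on the User->Portal interaction, whose source is an entity.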

SLIDE 37

Interaction-based LINDDUN

[DFD figure: Client, Server]

SLIDE 45

LINDDUN Examples

› Full LINDDUN table of threats

SLIDE 46

LINDDUN Examples

› Full LINDDUN table of threats
› Concrete examples

SLIDE 47

LINDDUN Examples

Website (S) showing an incorrect-password error reveals account existence.

SLIDE 48

Qualities

› Expressivity

SLIDE 49

Qualities

› Expressivity
› Elimination of inapplicable threat types

SLIDE 50

Qualities

› Expressivity
› Elimination of inapplicable threat types
› Finding undiscovered threats

SLIDE 51

Qualities

› Expressivity
› Elimination of inapplicable threat types
› Finding undiscovered threats
› Effort-precision trade-off

SLIDE 52

Discussion

› Semantics and ambiguities of privacy threats

SLIDE 53

Discussion

› Semantics and ambiguities of privacy threats
› Threat trees

SLIDE 54

Discussion

› Semantics and ambiguities of privacy threats
› Threat trees
› Usage & tool support

SLIDE 55

Discussion

› Semantics and ambiguities of privacy threats
› Threat trees
› Usage & tool support
› Granularity for threat elicitation

SLIDE 56

Conclusion

› Element-based elicitation is sub-optimal

SLIDE 57

Conclusion

› Element-based elicitation is sub-optimal
› Interaction-based LINDDUN extension

SLIDE 58

Conclusion

› Element-based elicitation is sub-optimal
› Interaction-based LINDDUN extension
› Provide detailed LINDDUN interaction examples

SLIDE 59

Conclusion

› Element-based elicitation is sub-optimal
› Interaction-based LINDDUN extension
› Provide detailed LINDDUN interaction examples
› Beyond interaction-based: to DFD patterns


SLIDE 61

Questions?

Thank you!
