Spyderisk / domain-network

Network domain model
Apache License 2.0

Overhaul model of global and contextualised access rights #9

Closed mike1813 closed 1 year ago

mike1813 commented 1 year ago

Rights on hosts are represented via Control and UserTW attributes, where UserTW can represent anonymous access or, if associated with a Process, access with the rights of that process. These rights are contextualised, so attacks that acquire rights do so only in the context where the attack takes place. This context is linked to a physical location and/or the host being connected to a specific network.

There are numerous threats to other processes and data stored on a host that can arise in any context. Until recently, to model this explicitly would have needed one threat per context, adding a significant number of extra threats per system model. To avoid creating large numbers of threats, separate 'global' TW attributes were used. The sequence then is:

The problem is that this 'global' attribute looks like it could be used as a risk calculation input, signifying that the system modeller user believes that the host may already be compromised. But that isn't what the global attribute means, because there are no threats that propagate its TW level to each context. If they did, attacks in one context would once again have consequences in another, which would defeat the purpose of having contextualised control and access rights.

To get around this, we introduced 'External Control' and 'External User TW' attributes specifically for use as risk calculation inputs. These cannot be caused by any threats, but they cause threats that propagate their levels to all contexts. While their presence means users can model situations where they are suspicious about a host or process, their presence does not mean users won't appreciate that the global attributes cannot be used for this. That may lead to a user thinking the suspected compromise doesn't matter, when really it does.

The population modelling enhancements to system-modeller mean we now have extra node types, which can allow for a better solution:

The first two changes mean the 'global' attribute will express the highest TW level in any context rather than the lowest. The third means it also acts as an upper limit on the trustworthiness in any context, so it can be used as a risk calculation input. The last change ensures that we still get threats to hosted processes and data that depend on the lowest TW level in any context, but now without going via the 'global' TW level, and (because the contexts match a non-unique node) without adding extra threats.

mike1813 commented 1 year ago

Sounds good, but this doesn't quite work.

Yes - it means that system modeller users can reduce the TW level for 'Control' or 'UserTW' to represent an intrusion by unknown means. But it also means that users cannot specify an impact level for 'Loss Of Control' or 'Loss Of User TW' because those 'global' behaviours will have a likelihood coming from the least affected context. If a phone is safe at home, but easily hacked when outside the home, the global 'Loss Of Control' would have negligible likelihood.

This may not be a big deal. System modeller doesn't just find threats - it finds threat paths leading to undesirable effects. If the real issue is confidentiality of data stored on the phone, the high impact level should be specified for that, and not for a hack that might be a means to that end.

In most situations, devices are what ISO 27005 terms 'secondary' assets, which do not contribute directly to the system goals or purpose. Their contribution is to support other 'primary' assets directly related to the system goals or purpose, which are usually information assets or information processing assets. In ISO 27005, impact levels for 'secondary' assets are mainly based on how a compromise would affect the primary assets. With SPYDERISK system modeller, threat path analysis determines how the primary assets would be affected, so one only needs to specify direct impact levels for primary assets.

mike1813 commented 1 year ago

If users might need to specify impact levels for a Loss of Control (or User TW), it would be possible to support this. This could be done as follows for the 'Control' TWA and associated effects:

The 'Loss of Local Control' behaviour, and the associated 'Control' TWA would represent breaches in a specific context. The 'global' versions would reflect the least badly affected context. If the system modeller user lowers the TWL for the global 'Control' TWA, it would therefore drive down the TWL in all contexts, modelling the case where a device is believed to be compromised by unknown means.

The separate 'Loss of Control' attribute would only apply in the 'global' context, and should reflect the worst affected context. This would be the 'visible' behaviour at a host, and the one on which the system modeller user could specify an impact level if needed.

A similar approach could be used for 'User TW', by renaming the effect 'Loss of User TW' to 'Loss of Local User TW' that applies in each context, and introducing a new version of 'Loss of User TW' that represents the global worst case.
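The following is an added worked example, not code from the Spyderisk domain model or the system modeller, that encodes the semantics proposed in the comments above for the 'Control' TWA: a per-context (local) level, a 'global' level that is the least badly affected context capped by whatever the modeller asserts, and a separate 'Loss of Control' behaviour that reflects the worst affected context. The 5-step ordinal scale, the `Host` class, the context names, and the trustworthiness-to-likelihood mapping are assumptions made for illustration only.

```python
"""Toy model of contextualised vs 'global' trustworthiness attributes (TWAs).

Added example, not Spyderisk code. Assumes a 5-step ordinal scale
(0 = VeryLow ... 4 = VeryHigh); level names, the Host class, the context
names and the likelihood mapping are illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LEVELS = ["VeryLow", "Low", "Medium", "High", "VeryHigh"]  # assumed scale


def likelihood_from_tw(tw: int) -> int:
    """Assumed inverse mapping: the lower the trustworthiness, the higher the
    likelihood of the corresponding 'Loss of ...' behaviour (same 0..4 scale)."""
    return (len(LEVELS) - 1) - tw


@dataclass
class Host:
    name: str
    # Per-context 'Control' TWA: trustworthiness of control over the host in
    # each context (a physical location and/or the network it connects to).
    local_control: Dict[str, int] = field(default_factory=dict)
    # 'Global' Control TWA lowered by the modeller to represent an intrusion
    # by unknown means; None means nothing has been asserted.
    asserted_global_control: Optional[int] = None

    def global_control(self) -> int:
        """'Global' Control TWA: the highest (least badly affected) level in
        any context, capped by the modeller's assertion so it can be used as
        a risk-calculation input rather than only as a derived value."""
        best = max(self.local_control.values())
        if self.asserted_global_control is not None:
            best = min(best, self.asserted_global_control)
        return best

    def effective_local_control(self) -> Dict[str, int]:
        """Each context's Control TWA after the global level propagates into
        it as an upper limit: lowering the global level drives every context
        down to at most that level."""
        cap = self.global_control()
        return {ctx: min(lvl, cap) for ctx, lvl in self.local_control.items()}

    def loss_of_control(self) -> Tuple[str, int]:
        """The separate 'Loss of Control' behaviour: the worst affected
        context and the likelihood derived from its (effective) Control TWA.
        This is the 'visible' behaviour a modeller could give an impact level."""
        eff = self.effective_local_control()
        worst = min(eff, key=eff.get)
        return worst, likelihood_from_tw(eff[worst])

    def loss_of_control_from_global(self) -> int:
        """The behaviour the second comment warns about: a 'global' Loss of
        Control whose likelihood comes from the least affected context."""
        return likelihood_from_tw(self.global_control())


def phone_scenario():
    """Constructed scenario from the thread: a phone that is safe at home but
    easily hacked when outside the home (context names are assumed)."""
    phone = Host("phone", {"home-wifi": 4, "public-wifi": 1})
    # Before any assertion: global = least affected context (VeryHigh), so a
    # Loss of Control derived from it would look negligible, while the worst
    # context still yields a high likelihood.
    before = (phone.global_control(), phone.loss_of_control_from_global(),
              phone.loss_of_control())
    # Modeller suspects the phone is compromised by unknown means and lowers
    # the global Control TWA to Medium; every context is capped at Medium.
    phone.asserted_global_control = 2
    after = (phone.global_control(), phone.effective_local_control(),
             phone.loss_of_control())
    return before, after


if __name__ == "__main__":
    before, after = phone_scenario()
    print("before assertion:", before)
    print("after assertion: ", after)
```

Running `phone_scenario()` shows the two points the thread makes: with the global level taken from the least affected context, the global-derived likelihood is 0 (negligible) even though the public-network context gives a likelihood of 3, and once the modeller lowers the global level to Medium the home context is driven down to Medium while the already-worse public context is unchanged.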

mike1813 commented 1 year ago

Now fixed and tested on a couple of scenarios. Commit tagged as v6a3-1-1.