• Title/Summary/Keyword: Threat Modeling

Search Result 134, Processing Time 0.023 seconds

Study on the Femtocell Vulnerability Analysis Using Threat Modeling (위협 모델링 기법을 이용한 펨토셀 취약점 분석에 대한 연구)

  • Kim, Jae-ki;Shin, Jeong-Hoon;Kim, Seung-joo
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.5 no.8
    • /
    • pp.197-210
    • /
    • 2016
  • Lately smartphone uasage is increasing and many Internet of Things (IoT) devices support wireless communications. Accordingly, small base stations which called femtocells are supplied to prevent saturation of existing base stations. However, unlike the original purpose of the femtocell with the advanced hacking technologies, Vulnerability such as gaining the administrator authority was discovered and this can cause serious problems such as the leakage of personal information of femtocell user. Therefore, identify security threats that may occur in the femtocell and it is necessary to ways for systematic vulnerability analysis. In this paper, We analyzed the security threats that can be generated in the femtocell and constructed a checklist for vulnerability analysis using the Threat Modeling method. Then, using the constructed checklist provides a scheme that can improve the safety of the femto cell through the actual analysis and taken the results of the femtocell vulnerabilities analysis.

Trustworthy Smart Band: Security Requirements Analysis with Threat Modeling (위협 모델링을 통한 스마트밴드 보안 요구사항 분석)

  • Kang, Suin;Kim, Hye Min;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.6
    • /
    • pp.1355-1369
    • /
    • 2018
  • As smart bands make life more convenient and provide a positive lifestyle, many people are now using them. Since smart bands deal with private information, security design and implementation for smart band system become necessary. To make a trustworthy smart band, we must derive the security requirements of the system first, and then design the system satisfying the security requirements. In this paper, we apply threat modeling techniques such as Data Flow Diagram, STRIDE, and Attack Tree to the smart band system to identify threats and derive security requirements accordingly. Through threat modeling, we found the vulnerabilities of the smart band system and successfully exploited smart bands with them. To defend against these threats, we propose security measures and verify that they are secure by using Scyther which is a tool for automatic verification of security protocol.

Analysis of Security Requirements for Secure Update of IVI(In-Vehicle-Infotainment) Using Threat Modeling and Common Criteria (위협모델링과 공통평가기준을 활용한 인포테인먼트의 안전한 업데이트 보안요구사항 분석)

  • Kang, Soo-young;Kim, Seung-joo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.3
    • /
    • pp.613-628
    • /
    • 2019
  • In-Vehicle Infotainment provides navigation and various functions through the installation of the application. And infotainment is very important to control the entire vehicle by sending commands to the ECU. Infotainment supports a variety of wireless communication protocols to install and update applications. So Infotainment is becoming an attack surface through wireless communcation protocol for hacker's access. If malicious software is installed in infotainment, it can gain control of the vehicle and send a malicious purpose command to the ECU, affecting the life of the driver. Therefore, measures are needed to verify the security and reliability of infotainment software updates, and security requirements must be derived and verified. It must be developed in accordance with SDL to provide security and reliability, and systematic security requirements must be derived by applying threat modeling. Therefore, this paper conducts threat modeling to derive infotainment update security requirements. Also, the security requirements are mapped to the Common Criteria to provide criteria for updating infotainment software.

A Study on Security Requirments Analysis through Security Threat Modeling of Home IoT Appliance (Home IoT 가전의 보안위협모델링을 통한 보안요구사항 분석에 관한 연구)

  • Yun, Suk-Jin;Kim, Jungduk
    • The Journal of Society for e-Business Studies
    • /
    • v.24 no.2
    • /
    • pp.113-124
    • /
    • 2019
  • Today many companies are offering IoT-enabled products and place emphasis on security from the planning stage to protect their products and user information from external threats. The present security levels, however, remain low because the time and resources invested in developing security requirements for each device are far from enough to meet the needs of a wide range of IoT products. Nevertheless, vulnerabilities of IoT devices have been reported continuously, which calls for more detailed security requirements for home IoT devices. In this context, this research identified threats of home IoT systems by using Microsoft Threat Modeling Tool. It then suggested measures to enhance the security of home IoT devices by developing security assessment items through comparative analysis of the identified threats, domestic and global vulnerability assessment standards and related research. It also verified the effectiveness of the developed security requirements by testing them against the existing ones, and the results revealed the security requirements developed in this research proved to be more effective in identifying vulnerabilities.

Security Threat Analysis for Remote Monitoring and Control Functions of Connected Car Services

  • Jin Kim;Jinho Yoo
    • Journal of Information Processing Systems
    • /
    • v.20 no.2
    • /
    • pp.173-184
    • /
    • 2024
  • The connected car services are one of the most widely used services in the Internet of Things environment, and they provide numerous services to existing vehicles by connecting them through networks inside and outside the vehicle. However, although vehicle manufacturers are developing services considering the means to secure the connected car services, concerns about the security of the connected car services are growing due to the increasing number of attack cases. In this study, we reviewed the research related to the connected car services that have been announced so far, and we identified the threats that may exist in the connected car services through security threat modeling to improve the fundamental security level of the connected car services. As a result of performing the test to the applications for connected car services developed by four manufacturers, we found that all four companies' applications excessively requested unnecessary permissions for application operation, and the apps did not obfuscate the source code. Additionally, we found that there were still vulnerabilities in application items such as exposing error messages and debugging information.

IP-CCTV Risk Decision Model Using AHP (Cloud Computing Based) (AHP를 활용한 IP-CCTV 위험 결정 모델 (클라우드 컴퓨팅 기반으로))

  • Jung, Sung-hoo;Lee, Kyung-ho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.1
    • /
    • pp.229-239
    • /
    • 2018
  • This paper analyzes the problems of existing CCTV and discusses cyber security problems of IP-CCTV in cloud computing environment. In order to reduce the risk of simply removing the risk associated with the provision of cloud services, the risk analysis and counter-measures need to be carried out effectively. Therefore, the STRIDE model as the Threat Risk Modeling is used to analyze the risk factors, and Analytic Hierarchy Process(AHP) is used to measure risk priorities based on the analyzed threats.

STRIDE-based threat modeling and DREAD evaluation for the distributed control system in the oil refinery

  • Kyoung Ho Kim;Kyounggon Kim;Huy Kang Kim
    • ETRI Journal
    • /
    • v.44 no.6
    • /
    • pp.991-1003
    • /
    • 2022
  • Industrial control systems (ICSs) used to be operated in closed networks, that is, separated physically from the Internet and corporate networks, and independent protocols were used for each manufacturer. Thus, their operation was relatively safe from cyberattacks. However, with advances in recent technologies, such as big data and internet of things, companies have been trying to use data generated from the ICS environment to improve production yield and minimize process downtime. Thus, ICSs are being connected to the internet or corporate networks. These changes have increased the frequency of attacks on ICSs. Despite this increased cybersecurity risk, research on ICS security remains insufficient. In this paper, we analyze threats in detail using STRIDE threat analysis modeling and DREAD evaluation for distributed control systems, a type of ICSs, based on our work experience as cybersecurity specialists at a refinery. Furthermore, we verify the validity of threats identified using STRIDE through case studies of major ICS cybersecurity incidents: Stuxnet, BlackEnergy 3, and Triton. Finally, we present countermeasures and strategies to improve risk assessment of identified threats.

Security Requirements Analysis on IP Camera via Threat Modeling and Common Criteria (보안위협모델링과 국제공통평가기준을 이용한 IP Camera 보안요구사항 분석)

  • Park, Jisoo;Kim, Seungjoo
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.6 no.3
    • /
    • pp.121-134
    • /
    • 2017
  • With rapid increasing the development and use of IoT Devices, requirements for safe IoT devices and services such as reliability, security are also increasing. In Security engineering, SDLC (Secure Development Life Cycle) is applied to make the trustworthy system. Secure Development Life Cycle has 4 big steps, Security requirements, Design, Implementation and Operation and each step has own goals and activities. Deriving security requirements, the first step of SDLC, must be accurate and objective because it affect the rest of the SDLC. For accurate and objective security requirements, Threat modeling is used. And the results of the threat modeling can satisfy the completeness of scope of analysis and the traceability of threats. In many countries, academic and IT company, a lot of researches about drawing security requirements systematically are being done. But in domestic, awareness and researches about deriving security requirements systematically are lacking. So in this paper, I described about method and process to drawing security requirements systematically by using threat modeling including DFD, STRIDE, Attack Library and Attack Tree. And also security requirements are described via Common Criteria for delivering objective meaning and broad use of them.

Threat Unification using Multi-Sensor Simulator of Battlefield Helicopter and Its Implementation (전장 헬기의 다중센서 시뮬레이터를 통한 위협통합 및 구현)

  • Park, Hun-Woo;Kang, Shin-Bong;Noh, Sang-Uk;Jeong, Un-Seob
    • Journal of Internet Computing and Services
    • /
    • v.10 no.3
    • /
    • pp.35-49
    • /
    • 2009
  • In electronic warfare settings, battlefield helicopters identify various threats based upon threat data, which are acquired using their multi-sensors of aircraft survivability equipment (ASE). To continually function despite of potential threats and successfully execute their missions, the battlefield helicopters have to repeatedly report threats in simulated battlefield situations. Toward this ends, the paper presents threat unification using multi-sensor simulator and its implementation. The simulator consists of (1) threat attributes generator, which models threats against battlefield helicopters and defines their specific attributes, (2) threat data generator, which generates threats, being similar to real ones, using normal, uniform, and exponential distributions, and (3) graphic display for threat analysis and unification, which shows unified threat information, for example, threat angle and its level. We implement a multi-sensor threat simulator that can be repeatedly operable in various simulated battlefield settings. Further, we report experimental results that, in addition to tangibly modeling the threats to battlefield helicopters, test the capabilities of threat unification using our simulator.

  • PDF

Study of Security Requirement of Smart Home Hub through Threat Modeling Analysis and Common Criteria (위협 모델링 분석 및 국제공통평가기준을 통한 스마트홈 허브의 보안요구사항에 관한 연구)

  • Park, Jae-Hyeon;Kang, Soo-young;Kim, Seung-joo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.2
    • /
    • pp.513-528
    • /
    • 2018
  • In a smart home environment that integrates IoT technology into a residential environment, the smart home hub provides convenience functions to users by connecting various IoT devices to the network. The smart home hub plays a role as a gateway to and from various data in the process of connecting and using IoT devices. This data can be abused as personal information because it is closely related to the living environment of the user. Such abuse of personal information may cause damage such as exposure of the user's identity. Therefore, this thesis analyzed the threat by using LINDDUN, which is a threat modeling technique for personal information protection which was not used in domestic for Smart Home Hub. We present evaluation criteria for smart home hubs using the Common Criteria, which is an international standard, against threats analyzed and corresponding security requirements.