ABSTRACT
The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is a lack of a comprehensive process for designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling, primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes for creating a threat model for storage systems: one based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.