Identify Roles

The second step in the I-ADD process is to identify the roles associated with the system. Let's review what we mean by roles. A role is simply an individual or group of individuals who plays a role in either protecting or exploiting a target. As we proceed through the process of identifying roles, this should become clear. At this point, the easiest way to proceed is to go through the targets list and identify the roles associated with each target. We will not explain these roles in detail here. As you read through the list, try to identify why each role is listed where it is. We discuss the roles in more detail in the section "Vulnerabilities and Theoretical Attacks" in Chapter 10.

Malicious Users

You will soon notice the ever-present malicious user. The term malicious is used liberally. What we are referring to is an individual or group who has the knowledge, skills, or access to compromise a system's security. Malicious user is a generic category encompassing a variety of roles that deserve additional discussion. A malicious user can be any of the following.

Organized Crime (Financial Motivation)

These malicious users are capable, motivated, well organized, and well funded. They are intent on operations such as cloning cell phones or other wireless devices and stealing money, goods, and services. Organized crime is the most capable category of attackers. Their ability stems from having the resources available to obtain the necessary hardware, software, and knowledge to mount sophisticated attacks quickly if the potential financial benefits justify the effort.

Hackers (Nonfinancial Motivation)

These malicious users are also capable, motivated, and well organized and may be well funded. Although hacker interest in wireless systems may initially be sparked by the financial or proprietary information the system protects, their attacks are generally focused on achieving notoriety. Attacks that can be expected of hackers include small-scale and wide-scale disruption of operations and the collection and release of sensitive information.

Malicious Programmers (Financial or Brand Damage)

These malicious users vary in their technical ability and are usually highly motivated by personal greed, grievance, or grudge. They are usually not well organized but may possess significant knowledge of the wireless system and access to internal processes. Malicious programmers can originate from various sources: a disgruntled employee at a wireless manufacturer; an application programming contractor; operations and support personnel; a knowledgeable programmer who feels wronged by someone associated with the manufacture, distribution, or management of a wireless system or device; a programmer who feels wronged by an individual or a company using wireless systems or devices.

Also in this group we consider attackers with nonmalicious intent whose actions can incur security issues, either inadvertently or because of an interest in improving the system's security. The information and vulnerabilities generated by nonmalicious attackers are capitalized on by malicious attackers if not immediately addressed by the affected wireless component or system.

Academics and Security Researchers

These attackers are capable, motivated, well organized, and often well funded. Academics and security researchers can analyze the security of a wireless component or system from an intellectual standpoint to determine how the system is designed or whether and how potential vulnerabilities have been addressed. They look at both the theoretical and practical implementation of the system, focusing primarily on issues in their area of expertise for the purposes of advancing the field, or their standing in the field. Although this group does not have malicious intent, malicious attackers can use their findings before mitigation or corrections are in place. This group is more likely to inform the vendor when a vulnerability is detected, before publishing their results, although this is not guaranteed.

Inexperienced Programmers and Designers

Although they do not fit most standard definitions of a malicious user, inexperienced programmers and designers can inadvertently create security issues and are considered malicious for this analysis. These inexperienced personnel are motivated to perform a specific task to support a wireless system, but they do not possess the skill or experience necessary to execute the task properly. The mistakes and oversights made by these personnel affect the operation of wireless components and can adversely affect the security of the wireless system. Other attackers exploit the vulnerabilities generated by inexperienced personnel.

Mapping Roles to Targets

Wireless Device

The wireless device itself: Device manufacturer; User; Malicious user

User Interface

The physical interface: Device manufacturer; User; Environment

Access to the user interface: Device manufacturer; Application (app) developer; User; Environment

Offline Functions

Personal data on the PDA: Device manufacturer; Device support personnel; App developer; App support personnel; User; Malicious device support personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate or third-party information: Device manufacturer; Device support personnel; App developer; App support personnel; User; Malicious device support personnel; Malicious app developer; Malicious app support personnel; Malicious user

Online Functions

Personal data being sent: Device manufacturer; Wireless service provider (WSP); WSP operations, maintenance, and support personnel (OMS personnel); App developer; App support personnel; User; Malicious WSP; Malicious device support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate or third-party information being sent: Device manufacturer; WSP; WSP OMS personnel; App developer; App support personnel; User; Malicious WSP; Malicious device support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

User online activities, usage patterns, location and movement: Device manufacturer; WSP; WSP OMS personnel; App developer; App support personnel; User; Malicious WSP; Malicious device support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Access to network and online services: Device manufacturer; WSP; WSP OMS personnel; App developer; User; Malicious device support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious user

Transceiver

The transceiver itself: Device manufacturer; Device OMS personnel; User; Malicious device OMS personnel; Malicious user

Service Provider

The transceiver itself: WSP; WSP OMS personnel; Malicious OMS personnel; Malicious user

The transceiver services: WSP; WSP OMS personnel; Malicious OMS personnel; Malicious user

Access to its subscribers: WSP; WSP OMS personnel; Corporate/private servers; Corporate/private server OMS personnel; Content providers; App developer; App support personnel; User; Malicious WSP OMS personnel; Malicious corporate/private servers; Malicious corporate/private server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

Transceiver

Administrative Server

User-specific data: WSP; WSP OMS personnel; App developer; App support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate proprietary data and resources: WSP; WSP OMS personnel; App developer; App support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Network Server

User data: WSP; WSP OMS personnel; App developer; App support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate proprietary data and resources: WSP; WSP OMS personnel; App developer; App support personnel; Malicious WSP OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Gateway

The physical gateway: Gateway manufacturer; OMS personnel; App developer; App support personnel; Malicious OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

User-specific data: Gateway manufacturer; OMS personnel; App developer; App support personnel; Malicious OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

User data: Gateway manufacturer; OMS personnel; App developer; App support personnel; Malicious OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate proprietary data and resources: Gateway manufacturer; OMS personnel; App developer; App support personnel; Malicious OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Third-party data transiting the gateway: Gateway manufacturer; OMS personnel; App developer; App support personnel; Malicious OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Web Server

The physical Web server: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

User-specific data: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

User data on the Web server: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

Corporate proprietary data and resources on the Web server: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

Aggregate commercial data stored on the Web server: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

User or corporate data in transit: Web server manufacturer; Web server OMS personnel; Content providers; App developer; App support personnel; User; Malicious Web server OMS personnel; Malicious content providers; Malicious app developer; Malicious app support personnel; Malicious user

Backend System

The physical backend system: Backend system manufacturer; Backend system OMS personnel; App developer; App support personnel; Malicious backend system OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

User-specific data on the backend system: Backend system manufacturer; Backend system OMS personnel; App developer; App support personnel; Malicious backend system OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

User data on the backend system: Backend system manufacturer; Backend system OMS personnel; App developer; App support personnel; Malicious backend system OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Corporate proprietary data and resources on the backend system: Backend system manufacturer; Backend system OMS personnel; App developer; App support personnel; Malicious backend system OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

Aggregate commercial data stored on the backend system: Backend system manufacturer; Backend system OMS personnel; App developer; App support personnel; Malicious backend system OMS personnel; Malicious app developer; Malicious app support personnel; Malicious user

As you can see, this can quickly become a long list. Now that we have concluded the identification of the roles, it is worth discussing two observations that will assist you in performing future role identification. First, in general, whenever people are involved in protecting a target, they almost always are also listed in the malicious section against that target. We are not saying that the same people will be involved, but that the category of people or that group's level of access can be used maliciously.
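The first observation can be checked mechanically against a role list. The following is an added example, not code from the book: it takes the role lists of three targets from the mapping above and reports, per target, which protecting roles have no malicious counterpart and which malicious roles have no protecting counterpart. The names `ROLE_MAP`, `split_roles` and `coverage_gaps` are hypothetical.

```python
# Added example: role lists copied from three targets in the mapping on this page.
ROLE_MAP = {
    "Personal data on the PDA": [
        "Device manufacturer", "Device support personnel", "App developer",
        "App support personnel", "User",
        "Malicious device support personnel", "Malicious app developer",
        "Malicious app support personnel", "Malicious user",
    ],
    "Corporate or third-party information being sent": [
        "Device manufacturer", "WSP", "WSP OMS personnel", "App developer",
        "App support personnel", "User", "Malicious WSP",
        "Malicious device support personnel", "Malicious WSP OMS personnel",
        "Malicious app developer", "Malicious app support personnel",
        "Malicious user",
    ],
    "Access to network and online services": [
        "Device manufacturer", "WSP", "WSP OMS personnel", "App developer",
        "User", "Malicious device support personnel",
        "Malicious WSP OMS personnel", "Malicious app developer",
        "Malicious user",
    ],
}
PREFIX = "malicious "

def split_roles(roles):
    """Split one target's roles into protecting and malicious sets.
    Names are lower-cased and the 'malicious ' prefix is stripped so the
    two sets can be compared directly."""
    protecting, malicious = set(), set()
    for role in roles:
        name = role.strip().lower()
        if name.startswith(PREFIX):
            malicious.add(name[len(PREFIX):])
        else:
            protecting.add(name)
    return protecting, malicious

def coverage_gaps(role_map):
    """Per target: protecting roles without a malicious twin, and the reverse."""
    report = {}
    for target, roles in role_map.items():
        protecting, malicious = split_roles(roles)
        report[target] = {
            "no_malicious_counterpart": sorted(protecting - malicious),
            "malicious_only": sorted(malicious - protecting),
        }
    return report

if __name__ == "__main__":
    for target, gaps in coverage_gaps(ROLE_MAP).items():
        print(target, gaps)
```

Each reported gap is a prompt for review rather than an error: the observation says "almost always", so an exception should be a deliberate decision in the analysis.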

This concludes the I-ADD identify phase. You break down the system into functional blocks and then examine each block to determine which resources or data (targets) require protection at that level. The blocks are then examined to see whether they should be further broken down to lower-level functional blocks, where the process is repeated until you reach the lowest-level functional blocks practical for the type of analysis or design you are conducting. After identifying the targets, you determine the roles that affect the targets. With the roles and targets identified, you are ready to move to the I-ADD analyze phase.

 



Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
EAN: 2147483647
Year: 2002
Pages: 73
