Inger Anne Tøndel

Combining Misuse Cases with Attack Trees and Security Activity Models

Misuse cases and attack trees have been suggested for security requirements elicitation and threat modeling in software projects. Their use is believed to increase security awareness throughout the software development life cycle. Experiments have identified strengths and weaknesses of both model types. In this paper we present how misuse cases and attack trees can be linked to get a high-level view of the threats towards a system through misuse case diagrams and a more detailed view on each threat through attack trees. Further, we introduce links to security activity descriptions in the form of UML activity graphs. These can be used to describe mitigating security activities for each identified threat. The linking of different models makes most sense when security modeling is supported by tools, and we present the concept of a security repository that is being built to store models and relations such as those presented in this paper.

A Framework for Incident Response Management in the Petroleum Industry

Abstract Incident response is the process of responding to and handling security-related incidents involving information and communications technology (ICT) infrastructure and data. Incident response has traditionally been reactive in nature, focusing mainly on technical issues. This paper presents the Incident Response Management (IRMA) method, which combines traditional incident response with proactive learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the petroleum industry, but it is also applicable to other industries that rely on process control systems.

Information security incident management: Current practice as reported in the literature

This paper reports results of a systematic literature review on current practice and experiences with incident management, covering a wide variety of organisations. Identified practices are summarised according to the incident management phases of ISO/IEC 27035. The study shows that current practice and experience seem to be in line with the standard. We identify some inspirational examples that will be useful for organisations looking to improve their practices, and highlight which recommended practices generally are challenging to follow. We provide suggestions for addressing the challenges, and present identified research needs within information security incident management.

Cyber security challenges in Smart Grids

The introduction of telecommunication in the energy grid, leading the way towards Smart Grids, challenges the way safe operations have traditionally been assured in the energy sector. New cyber security challenges emerge, especially related to privacy, connectivity and security management, and these need to be properly addressed. Existing cyber security technology and good practice mainly come from the traditional telecommunication environment where the requirements on safety and availability are less strict. For Smart Grids, lessons can be learned from the oil and gas industry on how they have dealt with security challenges in their implementation of integrated operations. Still, Smart Grids face a slightly different reality, due to their extensive geographical distribution and the enormous number of end-users. The contribution of this paper is a survey of cyber security challenges for Smart Grids, together with a roadmap of how these challenges must be addressed in the near future.

An Architectural Foundation for Security Model Sharing and Reuse

Within the field of software security we have yet to find efficient ways on how to learn from past mistakes and integrate security as a natural part of software development.This situation can be improved by using an online repository, the SHIELDS SVRS, that facilitates fast and easy interchange of security artefacts between security experts, software developers and their assisting tools. Such security artefacts are embedded in or represented as security models containing the needed information to detect, remove and prevent vulnerabilities in software, independent of the applied development process. The purpose of this paper is to explain the main reference architecture description of the repository and the more general tool stereotypes that can communicate with it.

Reusable Security Requirements for Healthcare Applications

Healthcare information systems are currently being migrated from paper based journals to fully digitalised information platforms. Protecting patient privacy is thus becoming an increasingly complex task, where several national and international legal requirements must be met. These legal requirements present only high-level goals for privacy protection, leaving the details of security requirements engineering to the developers of electronic healthcare systems. Our objective has been to map legal requirements for sensitive personal information to a set of reusable technical information security requirements. This paper presents examples of such requirements extracted from legislation applicable to the healthcare domain.

How can the developer benefit from security modeling

Security has become a necessary part of nearly every software development project, as the overall risk from malicious users is constantly increasing, due to increased consequences of failure, security threats and exposure to threats. There are few projects today where software security can be ignored. Despite this, security is still rarely taken into account throughout the entire software lifecycle; security is often an afterthought, bolted on late in development, with little thought to what threats and exposures exist. Little thought is given to maintaining security in the face of evolving threats and exposures. Software developers are usually not security experts. However, there are methods and tools available today that can help developers build more secure software. Security modeling, modeling of e.g., threats and vulnerabilities, is one such method that, when integrated in the software development process, can help developers prevent security problems in software. We discuss these issues, and present how modeling tools, vulnerability repositories and development tools can be connected to provide support for secure software development

Idea: reusability of threat models – two approaches with an experimental evaluation

To support software developers in addressing security, we encourage to take advantage of reusable threat models for knowledge sharing and to achieve a general increase in efficiency and quality. This paper presents a controlled experiment with a qualitative evaluation of two approaches supporting threat modelling - reuse of categorised misuse case stubs and reuse of full misuse case diagrams. In both approaches, misuse case threats were coupled with attack trees to give more insight on the attack techniques and how to mitigate them through security use cases. Seven professional software developers from two European software companies took part in the experiment. Participants were able to identify threats and mitigations they would not have identified otherwise. They also reported that both approaches were easy to learn, seemed to improve productivity and that using them were likely to improve their own skills and confidence in the results.

Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets

In an Open Broadband Access Network consisting of multiple Internet Service Providers, delay due to multi-hop processing of authentication credentials is a major obstacle to fast handover between access points, effectively preventing delay-sensitive interactive applications such as Voice over IP. By exploiting existing trust relationships between service providers and access points, it is possible to pre-authenticate a mobile terminal to an access point, creating a Kerberos-style ticket that can be evaluated locally. The terminal can thus perform a handover and be authenticated to the new access point, without incurring communication and processing delays by involving other servers.

Information Security Incident Management: Planning for Failure

This paper reports on an interview study on information security incident management that has been conducted in organizations operating industrial control systems that are highly dependent on conventional IT systems. Six distribution service operators from the power industry have participated in the study. We have investigated current practice regarding planning and preparation activities for incident management, and identified similarities and differences between the two traditions of conventional IT systems and industrial control systems. The findings show that there are differences between the IT and ICS disciplines in how they perceive an information security incident and how they plan and prepare for responding to such. The completeness of documented plans and procedures for incident management varies. Where documentation exists, this is in general not well-established throughout the organization. Training exercises with specific focus on information security are rarely performed. There is a need to create amore unified approach to information security incident management in order for the power industry to be sufficiently prepared to meet the challenges posed by Smart Grids in the near future.