102 Copyright © 2009 Open Geospatial Consortium, Inc. information. The likelihood drops dramatically further if interactions to other service are required for the gathering of required information. For example, for all SS actually all OGC Web Services the GetCapabilities request can be submitted by reading the OWS Common specification. The only information required is the service URL, which can often be obtained from a catalogue service or a Google search. But the cancellation of an assignment with the SPS requires knowing a valid task ID. In order to gather a valid task ID, the attacker has to eavesdrop communication with the service with the goal of fetching task IDs. As the attacker cannot know if the wire-taping attack will unveil a task ID at all, an alternative approach might be challenged: By submitting a number of Submit requests to the SPS with invalid parameters, each response will contain a task ID and ―rejected‖. From those responses, the attacker might guess task IDs with a good certainty and start exercising the actual attacks. Another factor is determined by the difficulty of gathering the required information. The easiest way is to read the specification as it is publically available and does contain many examples. If those examples e.g. for task IDs are screenshots from inputoutput from prototype implementations, the attacker has ease of use. If other attacks need to succeed, it is certainly easier to succeed with attacks that do not require compromising the network than attacks that require a specific network configuration tampering.

9.8.2 Impact Discussion

For the outlined attacks from the previous sections, different impacts on the asset can be outlined: No affect on asset but its unveiling The success of the attack does not change the values or state of the affect but makes its values content available to the adversary. For security domains that are required to be protected against sabotage, the attacks with this impact can be tolerated. For a security domain that shall be protected against espionage, this impact is not acceptable. Affect to asset effective immediately or at a later time The success of the attack does change the value or state of the asset at the time when the attack is exercised or at a later time after the attack has succeeded. For the identified attacks of this ER, an example of an attack with later affect is RenewSubscription if the tampered time is further in the future than the actual time. Affect to asset effective to one entity, some entities or all entities The success of the attack does change the value or state of the asset and is effective to a different number of entities. An example where the attack success is affecting one entity is the tampering of the response from the service to the client. For example if the response of the GetStatus of the SPS is tampered by the attacker, the result becomes visible to the active client only. Attacks that use an operation with write characteristics have potential to affect all other clients interacting with the service. However, some attacks might only be effective to some clients only. The success of tampering the Advertise request of the SAS Copyright © 2009 Open Geospatial Consortium, Inc. 103 has influence to all clients that are subscribed to that particular alert. Tampering the InsertSensor request of the SOS is effective to all clients as he SOS cannot provide offerings for the sensor.

9.8.3 Risk discussion

The opening questions is: How long can an attacker exercise attacks before he gets unveiled and how many attacks can an attacker exercise and how many succeeding attacks can an attacker undertake before he gets unveiled?Exercising attacks always carries a certain risk for the attacker to be unveiled. Depending on the kind of the attack and its affect on the asset and its effectiveness, the potential to be unveiled can be determined by the following factors: Does the exercising of an attack require the tampering of the underlying network as it is relevant to attacks leveraging Man-in-The-Middle or ARP spoofing. In these cases, it is very likely that the adversary cannot exercise too many attacks, as he must expect the unveiling at almost any time. For attacks that can be carried out by just executing the service Adversary’s client can execute SS it is much harder for the network admin to differentiate between a normal request and an attack. For a certain attack to succeed, how many other requests must be exercised successfully. The higher that number, the more likely it is that the attacker gets unveiled and suspended from the network, before the actual devastating attack can be exercised. All attacks that are related to espionage typically carry less risk to be unveiled than attacks that are related to sabotage. Therefore attacks that do not result in a change of the asset or its state are perhaps less risky than attacks that affect the asset and is also be effective to more than one user.

9.8.4 Overall Rating