20 Copyright © 2009 Open Geospatial Consortium, Inc.
7 The Threat Model, Vulnerabilities and Attacks
Protecting a system against all kinds of threats is almost impossible. And the statement "we are secure, we have a firewall" is dangerous, as it limits the view of possible threats to disallowing communication, typically from the outside world, to your internal applications. The problem with this limited view is that when you provide web services, you have to open firewall port 80 and optionally 443, otherwise the outside world cannot execute your service. Therefore, the firewall is just one component in the big picture of a holistic security approach. For this approach to meet expectations, it needs to cover aspects such as securing the network, the computer that hosts the applications (in particular the web services available to the outside world) and the applications themselves. Securing the applications includes securing the presentation, business and data access logic. In addition, care needs to be taken with maintaining the operating system of the host computers, the runtime services other than the web services and the platform specific services. The firewall actually belongs to the elements that need to be secured under the network category; routers and switches also fall under this category. Securing the host basically deals with appropriate configuration of user accounts, operating system services, directory and file access as well as file shares. Securing the applications deals with implementing countermeasures against, or preventing, vulnerabilities in input validation, authentication, authorization, protection of sensitive data, cryptography, exception handling as well as auditing and logging.
7.1 Defining the Threat Model
One of the first things to do when describing a secure architecture is to define the threat model to expect. CCITT X.800 defines a threat as "a potential violation of security" and separates threats into passive and active ones. For this ER, we understand "security" as outlined in section 6. X.800 defines an active threat to be "a deliberate unauthorized change to the state of the system" and a passive threat as "unauthorized disclosure of information without changing the state of the system". A vulnerability is defined to be "any weakness that could be exploited to violate a system or the information it contains", and an asset is explained to be anything in the system that has value. An attack is the action taken that exploits a vulnerability or enacts a threat with the purpose of harming an asset.
A threat model basically describes which resources are directly available to an attacker or become available as a result of a previously successful attack. Even the safest system, whatever that might be, is vulnerable to one threat or another. Let's take the example of the safest safe on this planet, which keeps your secret documents. This is great, but not very helpful, as you cannot work with the documents while they are locked up in the safe. Working with the documents requires opening the safe and taking the documents out. Here, two aspects are important: First, in order to get the documents out, you have to enter a secret code to open the safe. How can you be sure that no one has installed a hidden camera that films you while you enter the secret code and will re-use the code after you are gone to obtain unauthorized access? Second, after you have taken the documents out of the safest environment, they might also become available to spy cameras in your office. What we wanted to emphasize here is that it is extremely difficult to imagine all possible attacks beforehand. Nevertheless, when describing a secure distributed system, we need to carefully think about all possible attacks and whether the system shall prevent, detect or tolerate certain attacks. In order to determine which attacks fall into which category, attack tree analysis can be used.
But let's go back to the threat model. For this Engineering Report, we assume the commonly known Internet Threat Model as defined in RFC 3552 of the IETF, see [68]. This model basically assumes three things:
- The end systems used for communication have not been compromised
- Attackers have full access to the network and can therefore read the traffic and most likely also forge it
- Attackers have reasonable computational ability and computing power and are willing to use it to succeed
From this threat model, we can directly derive vulnerabilities to exercise espionage and sabotage, as they are the main concerns for this security architecture:
Espionage, understood as "… to obtain information about the plans and activities especially of a foreign government or a competing company", focuses on obtaining confidential information without being recognized. Therefore, for example, a wiretapping attack can be exercised to gain information without notice. In later sections, we will lay out possible and potential attacks for the baseline.
Sabotage, understood as "deliberate subversion", can in the context of this ER be exercised by shutting down communication or systems. Compared to espionage, the attackers are willing to take risks that might expose them. For Service Oriented Architectures and the assumed Internet Threat Model, as they define the baseline for this ER, typical attacks towards sabotage can be summarized as denial-of-service attacks.
In addition to the assumptions undertaken by the Internet Threat Model, we also need to face possible attacks towards unauthorized disclosure by replay attacks using modified requests to a service with fraudulent authentication or authorization information.
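The following is an added example, not code from this Engineering Report or from any OGC implementation, showing how the three Internet Threat Model assumptions translate into concrete checks on a service request: because end systems are assumed uncompromised, a shared secret between client and service stays secret; because the attacker can read and forge traffic, every request carries an HMAC over its content plus a timestamp and a nonce, so a modified request fails the signature check and a captured request that is sent again is rejected as stale or as a replayed nonce. The shared secret, the request paths and the skew window are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed shared secret between the requesting end system and the service.
# Both are assumed uncompromised (RFC 3552), so only they can produce valid tags.
SECRET = b"example-shared-secret"
MAX_SKEW_SECONDS = 300  # how old a request may be before it is treated as a replay


def sign_request(method, path, timestamp, nonce, key=SECRET):
    """HMAC-SHA256 tag binding the request line, its timestamp and a fresh nonce."""
    msg = f"{method}\n{path}\n{timestamp}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RequestVerifier:
    """Service-side check against forged, modified and replayed requests."""

    def __init__(self, key=SECRET, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp of the request that used it

    def verify(self, method, path, timestamp, nonce, tag, now=None):
        """Return (accepted, reason); 'now' can be injected for testing."""
        now = time.time() if now is None else now
        expected = sign_request(method, path, timestamp, nonce, self.key)
        # Constant-time compare: a forged or on-the-wire-modified request fails here.
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        # A request captured by wiretapping and resent much later is stale.
        if abs(now - timestamp) > self.max_skew:
            return False, "stale timestamp"
        self._expire(now)
        # A request resent inside the skew window is caught by the nonce cache.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"

    def _expire(self, now):
        # Nonces older than the skew window can be dropped: their timestamps
        # would already be rejected as stale, so the cache stays bounded.
        for n, ts in list(self.seen_nonces.items()):
            if now - ts > self.max_skew:
                del self.seen_nonces[n]
```

This protects a request's integrity and freshness; confidentiality against the wiretapping attack described above still needs transport encryption on port 443.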
7.2 Threat Modeling Techniques