The Hated One

Privacy Threat Modeling Step 2: Threat Intelligence [Work in Progress]

Linkability

The first threat LINDDUN addresses is linkability: an attacker's ability to determine that two items of interest belong to the same subject, even without knowing that subject's actual identity. Linkability leads to profiling.

The most common link between two data items is user credentials. Whenever you reuse the same email address or phone number across multiple services, those services are linked through the shared credential. Unless anonymous or one-time credentials are used, assume your credentials are linked. Linkability can lead to identifiability and inference. It is affected by data minimization and anonymization.

Even without credentials, your behavioral patterns are also linkable. Any system you send data to could hold other data that can be linked to your profile, and in sufficient quantity any contextual data can lead to linkability. This metadata can be collected by the service provider as well as by external observers. Since metadata is almost always available, this threat is extremely likely. Many services share your data with third parties, and even after basic de-identification, third parties can use their own data sets to link the items of interest to your profile. Most services, even those marketed as 'private', store personal data without sufficient aggregation. For instance, Apple's differential privacy, which is supposed to anonymize personal data, is so poorly implemented that it leads to re-identification of the entire data set. Any data collected could also be retrieved, and the more data that can be retrieved, the more unique it becomes, which leads to identifiability.

Identifiability

Identifiability is the ability of an adversary to identify a subject within a data set. It happens when you can't hide the link between an item of interest and your identity. Identifiability leads to severe privacy violations. It is affected by data minimization and linkability, and it is mitigated by anonymization.

Organizations try to identify users through credentials, patterns of actions, personal data and metadata. All non-anonymous credentials allow identification of a user. Much of your usage data and behavior is also sufficiently unique to be linked to your identity. Most online communication carries embedded metadata that is identifying and that external observers can collect. When your data is shared with third parties, combinations of quasi-identifiers will lead to your identity. Unless an organization can sufficiently prove that the data it stores is anonymized, assume it is linked to your identity, username, email address or an internal identifier. Personal data retrieved by third parties can also easily lead to identification or contain an identifier.
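As an added example (not from the post and not any service's real data), here is the quasi-identifier linkage described in the two sections above, written in Python against two constructed data sets: a "de-identified" export that dropped names but kept birth year, ZIP code and sex next to a sensitive attribute, and a profile dump that carries names next to the same three fields. It also walks through the mitigation the post asks for, generalizing those fields and suppressing singleton outliers until the data set is k-anonymous. All names, ZIP codes and diagnoses are invented.

```python
"""Linking two de-identified data sets through quasi-identifiers.

Added example for this post (not part of the original text, not any
service's real data).  Both data sets are constructed; the services, the
records and the people are invented.  Service A dropped names but kept
birth year, ZIP code and sex next to a sensitive attribute.  Service B is a
profile dump that carries names next to the same triple.  Neither set names
a diagnosis on its own; joined on the quasi-identifier triple, they do.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" export from service A (no names).
SERVICE_A = [
    {"uid": "a1", "birth_year": 1984, "zip": "02138", "sex": "F", "diagnosis": "asthma"},
    {"uid": "a2", "birth_year": 1984, "zip": "02139", "sex": "M", "diagnosis": "none"},
    {"uid": "a3", "birth_year": 1991, "zip": "02138", "sex": "F", "diagnosis": "diabetes"},
    {"uid": "a4", "birth_year": 1991, "zip": "02138", "sex": "F", "diagnosis": "none"},
    {"uid": "a5", "birth_year": 1970, "zip": "94110", "sex": "M", "diagnosis": "hypertension"},
]

# Constructed profile dump from service B (names, same quasi-identifiers).
SERVICE_B = [
    {"name": "Alice Example", "birth_year": 1984, "zip": "02138", "sex": "F"},
    {"name": "Bob Example", "birth_year": 1984, "zip": "02139", "sex": "M"},
    {"name": "Carol Example", "birth_year": 1991, "zip": "02138", "sex": "F"},
    {"name": "Dana Example", "birth_year": 1991, "zip": "02138", "sex": "F"},
    {"name": "Ed Example", "birth_year": 1970, "zip": "94110", "sex": "M"},
]

QUASI_IDENTIFIERS = ("birth_year", "zip", "sex")


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """Quasi-identifier tuple used as the join key."""
    return tuple(row[f] for f in fields)


def link_records(a_rows, b_rows, fields=QUASI_IDENTIFIERS):
    """Map each A uid to the set of B names sharing its quasi-identifiers.

    A one-element set is outright re-identification; a larger set is a
    narrowed candidate list, still a privacy loss because the sensitive
    attribute now attaches to a few named people.
    """
    names_by_key = defaultdict(set)
    for row in b_rows:
        names_by_key[qi_key(row, fields)].add(row["name"])
    return {
        row["uid"]: names_by_key[qi_key(row, fields)]
        for row in a_rows
        if qi_key(row, fields) in names_by_key
    }


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest quasi-identifier equivalence class (k); 0 if empty."""
    counts = Counter(qi_key(r, fields) for r in rows)
    return min(counts.values()) if counts else 0


def generalize(rows, year_bucket=10, zip_prefix=3):
    """Coarsen quasi-identifiers: birth decade, 3-digit ZIP prefix, sex dropped.

    This is the aggregation step the post says most services skip.
    """
    out = []
    for r in rows:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        g["zip"] = r["zip"][:zip_prefix] + "*" * (len(r["zip"]) - zip_prefix)
        g["sex"] = "*"
        out.append(g)
    return out


def suppress_small_classes(rows, k, fields=QUASI_IDENTIFIERS):
    """Drop rows whose equivalence class has fewer than k members.

    Generalization alone leaves lone outliers (here a5) re-identifiable;
    suppressing them is what finally reaches k-anonymity.
    """
    counts = Counter(qi_key(r, fields) for r in rows)
    return [r for r in rows if counts[qi_key(r, fields)] >= k]


if __name__ == "__main__":
    print("raw k =", k_anonymity(SERVICE_A), link_records(SERVICE_A, SERVICE_B))
    gen_a, gen_b = generalize(SERVICE_A), generalize(SERVICE_B)
    print("generalized k =", k_anonymity(gen_a), link_records(gen_a, gen_b))
    safe = suppress_small_classes(gen_a, 2)
    print("suppressed k =", k_anonymity(safe), link_records(safe, gen_b))
```

On the raw export three of the five "anonymous" records resolve to exactly one name, and the other two to a pair. Generalizing the fields breaks most links but the lone 1970/94110 record is still unique, which is the "detectable outlier" problem: a data set is only as anonymous as its smallest class, so the outlier has to be suppressed before k reaches 2.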

Non-repudiation

LINDDUN considers non-repudiation to be a privacy threat. Non-repudiation means not being able to deny a claim; in terms of privacy, it is the opposite of plausible deniability. Plausible deniability is required when communication is sensitive, such as during whistleblowing. Non-repudiation, however, is required in payment systems, where holding a purchase receipt is usually desirable.

Identifiable credentials make it much harder to repudiate an authentication than anonymous credentials do. Communication metadata almost always contains sender and recipient information, which serves as proof of these actions. Assume that organizations or other entities will try to log both sender metadata and message receipts. Unless deniable encryption is used, data stores log or authenticate access requests, which leads to non-repudiation at the storage layer.

Detectability

Detectability is the ability of an adversary to tell that an item of interest exists, without necessarily being able to read it. External adversaries will almost always be able to detect contextual data. Login credentials and metadata are usually detectable through passive observation. Detectable outliers and detectable storage lead to inference without access to the actual content. The more sensitive the data that can be detected, the more severe the privacy violation.
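The two sections above make the same point about communication metadata: even when the content is protected, sender, recipient and timing are not. As an added example (not from the original post), the Python below parses a constructed PGP/MIME message whose body is opaque and lists what an observer with no key still learns from the headers. The addresses, hostnames, client string and ciphertext placeholder are all invented, and the grouping of headers into who, when and which device is this example's own, not LINDDUN's.

```python
"""What the envelope of an encrypted message still tells a passive observer.

Added example for this post, not from the original. The message below is
constructed: addresses, hostnames, the client string and the ciphertext are
placeholders. The body is PGP/MIME encrypted; every header is plaintext.
"""
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.example.net with ESMTPS; Tue, 03 Mar 2020 21:14:05 +0000
From: Source <source@example.org>
To: Reporter <desk@example.net>
Cc: Editor <editor@example.net>
Date: Tue, 03 Mar 2020 21:13:58 +0000
Message-ID: <20200303211358.1a2b3c@laptop.example.org>
User-Agent: ExampleMailClient/1.0 (constructed)
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed ciphertext placeholder)
-----END PGP MESSAGE-----

--b1--
"""

# Headers grouped by the fact they establish about the exchange.
IDENTITY_HEADERS = ("From", "To", "Cc", "Reply-To")   # who talked to whom
DEVICE_HEADERS = ("User-Agent", "X-Mailer")           # what software was used


def envelope_view(raw):
    """Return everything an observer learns without a decryption key."""
    msg = message_from_string(raw)
    # Who: every address in the identity headers that are present.
    parties = {
        h: [addr for _, addr in getaddresses(msg.get_all(h, []))]
        for h in IDENTITY_HEADERS
        if msg.get_all(h)
    }
    # Where it passed: each Received line names the relay that handled it.
    relays = [
        line.split()[1]
        for line in msg.get_all("Received", [])
        if line.split()[:1] == ["from"]
    ]
    # Which machine: the right-hand side of Message-ID is usually the origin host.
    msg_id = msg.get("Message-ID", "")
    origin_host = msg_id.rsplit("@", 1)[-1].rstrip(">") if "@" in msg_id else None
    client = next((msg[h] for h in DEVICE_HEADERS if msg[h]), None)
    return {
        "parties": parties,
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat() if msg["Date"] else None,
        "relays": relays,
        "origin_host": origin_host,
        "client": client,
        # True when the payload is PGP/MIME: content protected, envelope not.
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    for key, value in envelope_view(SAMPLE_MESSAGE).items():
        print(f"{key:15} {value}")
```

The returned dictionary is exactly the non-repudiable, detectable part of the exchange: who wrote to whom, when, through which relay and from which host, all established while `body_encrypted` is true. Reducing it is a transport question (minimizing headers, or moving to a channel whose envelope is also protected), not something the content encryption can fix.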

Disclosure of information

LINDDUN recommends performing a full security analysis alongside privacy threat modeling; the threat model of choice is STRIDE. Disclosure of information happens as a breach of confidentiality, authentication or authorization. A threat actor could gain access to sensitive information if encryption is improperly implemented, if they acquire privileged access to a system, or if they compromise your login credentials. Other attempts include spoofing, where a phishing website or app tricks a user into submitting personal or login data to the attacker. The severity of this threat depends on the skills of your adversary, the ease of exploiting a vulnerability and the level of reward. The higher the value of the target data, the more likely this threat is to occur and the stricter the security controls that need to be implemented.

Unawareness

Users are often unaware of the impact of data sharing. Bad data practices lead to the unawareness threat; they manifest as a lack of transparency and of privacy controls over data collection and sharing. Many services try to build ecosystems in which it is harder to port your data to other services, and they make the data erasure process difficult.

Non-compliance

Organizations or malicious employees often violate regulations and corporate policies. Non-compliance becomes more severe the more data is collected. Data is often processed beyond the needs of the service, for instance to train machine learning algorithms or to rank users by scores. Users should not assume organizations will always act in a compliant manner, especially when sanctions lack severity.

Comments

I was thinking of getting into OWASP risk scoring methodology. Although I am not sure if I can reasonably cram it into this tutorial, as risk scoring could be its own video.

The Hated One

Also, for each section of the LINDDUN model (e.g. Linkability, Identifiability, etc.) creating a list of relevant threats for mobile communications would be ideal and very helpful for people. I don't think the average person would be able to do that very successfully. That would set them up for identifying appropriate mitigating and compensating controls to help reduce or eliminate the identified threat. Creating a library of mitigating and compensating controls for each threat would be the way to go. So, for the average person that would play out like this. For example, if they were looking at Linkability, here are the 7 threats that you should consider and under each threat, here are the compensating and mitigating controls that will help reduce or eliminate each threat.

Jose Vanduka

In regards to your section "Disclosure of information", using STRIDE for your audience would be a very difficult hurdle in my opinion. I have been using STRIDE along with DREAD to do threat modeling and scoring in the commercial enterprise sector for over 15 years and even most cyber professionals are lost when it comes to using STRIDE correctly. If you go down that path, I think you would have to really dumb that down or create some type of simplified model to make it applicable to your audience. I share my thoughts in an effort to help you create the best results for your audience because I believe in what you are doing and it is important work. Effectively, I want you to be very successful.

Jose Vanduka
