Threat Analysis Lunar Security Services

Threat analysis-perception

Threat Analysis

Lunar Security Services

Overview

• Definitions
• Representation
• Challenges
• “The Unthinkable”
• Strategies & Recommendations

Background

• What is threat analysis?
  – Potential Attacks/Threats/Risks
  – Analysis
  – Countermeasures
  – Future Preparations
• NIST’s “Introduction to Threat Analysis Workshop”, October 2005

Stakes

• People
  – Voters
  – Candidates
  – Poll Workers
  – Political Groups
  – Developers
  – Board of Elections
  – Attackers
  – More...
• Voting: A System of...
  – IT
  – American Politics
  – Duty
  – Trust
  – Inclusion
  – Safety
  – Process
  – Precedence

...if it works

Means of Representation

General tactic:
– Identify possible attackers
– Identify goals of attacker
– Enumerate possible ways to achieve goals
– Locate key system vulnerabilities
– Create resolution plan

Attack Tree

• Bruce Schneier, Dr. Dobb’s Journal, 1999:
  – Used to “model threats against computer systems”
• Continual breaking down of goals and means to achieve them

[Figures: Simple Example; Cost propagation; Multiple Costs]
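The cost propagation and multiple-attribute evaluation named on this slide, as an added example that is not part of the original presentation: an OR node takes its cheapest feasible child, an AND node sums its children, and a second leaf attribute (special equipment) can rule branches out. The tree, node names, costs and the `blocked` countermeasure parameter are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"               # "LEAF", "OR" or "AND"
    cost: int = 0                    # leaf only: estimated attacker cost
    special_equipment: bool = False  # leaf only: a second, boolean attribute
    children: list = field(default_factory=list)

def evaluate(node, allow_special=True, blocked=frozenset()):
    """Return (cost, leaf names) of the cheapest feasible attack, or None.

    blocked holds leaves a countermeasure has removed; allow_special=False
    models an attacker without special equipment.
    """
    if node.kind == "LEAF":
        if node.name in blocked or (node.special_equipment and not allow_special):
            return None
        return node.cost, [node.name]
    results = [evaluate(c, allow_special, blocked) for c in node.children]
    if node.kind == "AND":           # every sub-goal is needed: costs add up
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    feasible = [r for r in results if r is not None]
    # OR: the attacker picks the cheapest alternative that is still open
    return min(feasible, key=lambda r: r[0]) if feasible else None

# Constructed sample tree (illustrative costs, not taken from the slides).
TREE = Node("Read encrypted message", "OR", children=[
    Node("Use recipient's private key", "AND", children=[
        Node("Copy private key file", cost=20),
        Node("Learn passphrase", cost=40),
    ]),
    Node("Break the cipher", cost=1000, special_equipment=True),
    Node("Persuade sender to resend unencrypted", cost=50),
])

if __name__ == "__main__":
    print("Baseline:", evaluate(TREE))
    # Each countermeasure shows where the cheapest attack moves next.
    for leaf in ("Persuade sender to resend unencrypted", "Learn passphrase"):
        print("Blocking", repr(leaf), "->", evaluate(TREE, blocked={leaf}))
```

Re-evaluating with one leaf blocked at a time shows which countermeasure raises the attacker's minimum cost the most, which is one way to prioritize defenses.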

Attack Tree Evaluation

• Creation
  – Refining over time
  – Realistic costs
• Advantages
  – Identifies key security issues
  – Documenting plans of attack and likelihood
  – Knowing the system
• Disadvantages
  – Amount of documentation
  – Can only ameliorate foreseen circumstances
  – Difficult to prioritize/quantize factors

[Figure: Shortened version of an Attack Tree for the interception of a message sent with a PGP header.]

Other Means of Representation

• Threat Catalog – Doug Jones
  – Attacks -> vulnerabilities -> analysis of defense
  – Challenges
    • Organization
    • Technology
    • Identity
    • Scale of Attack
• Fault Tree Analysis
  – Ensures product performance from software
  – Attempts to avoid single-point, catastrophic failures

Challenges

• Vulnerabilities
  – System
  – Process
• Variety of possible attacks
• New Field: Systems Engineering
• Attack Detection
• Attack Resolution

-> too many dimensions to predict all possibilities, but we’ll try to name a few…

“The Unthinkable”, Part 1

1. Chain Voting
2. Votes On A Roll
3. The Disoriented Optical Scanner
4. When A Number 2 Pencil Is Not Enough
5. ...we found these poll workers where?

“The Unthinkable”, Part 2

6. This DRE “fell off the delivery truck”...
7. The Disoriented Touch Screen
8. The Confusing Ballot (Florida 2000 Election)
9. Third Party “Whoopsies”
10. X-ray vision through walls of precinct

Natalie Podrazik

“The Unthinkable”, Part 3

11. “Oops” code
12. Do secure wireless connections exist?
13. I’d rather not have your help, thanks...
14. Trojan Horse
15. Replaceable firmware on Optical Scanners

“The Unthinkable”, Part 4

16. Unfinished vote = free vote for somebody else
17. “I think I know what they meant by...”
18. Group Conspiracy: “These machines are broken.”
19. “That’s weird. It’s a typo.”
20. Denial of Service Attack

My Ideas...

• Write-in bomb threat, terrorist attack, backdoor code

• Swapping of candidate boxes (developers) at last minute on touch-DRE; voters don’t know the difference

• Children in the voting booth

Strategies & Recommendations

• Create Fault Trees to counter Attack Tree goals using the components set forth in Brennan Study

• Tamper Tape
• Use of “independent expert security team”
  – Inspection
  – Assessment
  – Full Access
• Use of “Red Team Exercises” on:
  – Hardware design
  – Hardware/Firmware configuration
  – Software Design
  – Software Configuration
  – Voting Procedures (not hardware or software, but people and process)

Conclusions

• Attack Trees
  – Identify agents, scenarios, resources, system-wide flaws
• Challenges: dimensions in system analysis
• Unforeseen circumstances
• Independent Team of Experts, but how expert can they be?

Works Cited

1. All 20 “The Unthinkable” scenarios available at: http://www.vote.nist.gov/threats/papers.htm
2. Goldbrick Gallery’s 25 Best Editorial Cartoons of 2004. Online: http://www.goldbrickgallery.com/bestof2004_2.html
3. Jones, Doug. “Threat Taxonomy Overview” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/Jonesthreattalk.pdf
4. Mell, Peter. “Handling IT System Threat Information” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/mellthreat.pdf
5. “Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights for Improving Reliability of Direct Recording Electronic Voting Systems”. Online: http://www.brennancenter.org/programs/downloads/voting_systems_final_recommendations.pdf
6. Wack, John, and Skall, Mark. “Introduction to Threat Analysis Workshop” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/wackthreat.pdf
7. Wikipedia Entry for fault tree: http://en.wikipedia.org/wiki/Fault_tree