Threat DF.C.AC-iDF-VTC.3.6

URI: DF.C.AC-iDF-VTC.3.6

Description: Compromised client Client reads the encrypted flow of Data from/via Service: if an attacker can compromise client Client, they can they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.

Threat Type: Primary Threat

Matching Pattern:

MP-AC-iDF-VTC

Finds a data flow not encrypted by a key from a vault, flowing to a client from or via a service, and the associated auth channel which must not be to a trust intermediary, the data and data access, and process contexts in which the data flows from the client (of which any can cause the threat). The source of the flow is matched twice, so it can be referred to by either role name (FlowsTo or Client) in control strategies.

(empty)

Co.C.CoPD.0

Data leakage at controller Controller: if the control input data for a controller leaks, it is modelled as a loss of confidentiality for the controller.

Se.C.SePD.0

Data leakage at sensor Sensor: if the onboard data at a sensor leaks, it is modelled as a loss of confidentiality at the sensor.

CSG-DataFlowSharedKeyInbound

LossOfConfidentiality at Role_Data

LossOfConfidentiality at Role_DataField

LossOfConfidentiality at Role_DataFlow

CSG-AutoSuspendSensitiveDataFlow	The sending of data *Data* from *FlowsFrom* to *FlowsTo* can be can be automatically disabled to prevent leaking of data. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
CSG-AutoSuspendSensitiveDataFlow-Implementation-Runtime	The sending of data *Data* from *FlowsFrom* to *FlowsTo* has been automatically disabled to prevent leaking of data. This strategy represents activation of a contingency plan at runtime, and can be enabled to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires *FlowsFrom* to be managed by a suitable adaptation framework. The Disabled Data Flow control should be deselected if and when the flow of data is enabled once again.
CSG-AutoSuspendUntrustworthyClientAccess	Access to service *Service* by client *Client* may be automatically disabled to prevent authenticated attacks by compromised clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
CSG-AutoSuspendUntrustworthyClientAccess-Implementation-Runtime	Access to service *Service* by client *Client* has been automatically disabled to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires *Service* to be managed by a suitable adaptation framework. The Disable Client Access control should be deselected if and when access by *Client* to *Service* has been enabled once again.
CSG-SuspendSensitiveDataFlow	The flow of data *Data* from *FlowsFrom* to *FlowsTo* can be temporarily blocked by the manager *ProcessManager* of sending process *FlowsFrom* to prevent leaking of data. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
CSG-SuspendSensitiveDataFlow-Implementation-Runtime	The sending of data *Data* from *FlowsFrom* to *FlowsTo* has been disabled by the manager *ProcessManager* of *FlowsFrom* to prevent leaking of data. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user *ProcessManager* who is responsible for managing process *FlowsFrom*. The Disabled Data Flow control should be deselected only when the flow of data is enabled again.
CSG-SuspendUntrustworthyClientAccess	Access to service *Service* by client *Client* may be temporarily disabled by the process manager *ServiceManager* to prevent authenticated attacks by compromised or impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated.
CSG-SuspendUntrustworthyClientAccess-Implementation-Runtime	Access to service *Service* by client *Client* is disabled by the process manager *ServiceManager* to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager *ServiceManager. The Disable Client Access control should be deselected if and when access by Client* to *Service* has been enabled once again.

Threat DF.C.AC-iDF-VTC.3.6

MP-AC-iDF-VTC

Triggered by Threat (0)

Triggers Secondary Threats (2)

Co.C.CoPD.0

Se.C.SePD.0

Triggered By Control Strategy (1)

Misbehaviour Sets (3)

Control Strategies (8)