Threat DF.I.PDFODADFO.0

URI: DF.I.PDFODADFO.0

Description: Corrupt data Data from FlowsFrom forwarded by Process to FlowsTo: if the flow of data Data from process FlowsFrom to process Process is corrupt, so is the forwarded flow to FlowsTo.

Threat Type: Secondary Threat

Matching Pattern:

MP-PDFODADFO

Finds a Process that receives a flow of Data from a data producer that it does not get from local storage, and forwards it towards a data store. The Process is matched twice, so it can be referred to by either role name.

DF.IS.PDFFA.8

Flow of Data from FlowsFrom to FlowsTo is in service: if process FlowsFrom is in service and able to access the data, and all the steps in the chain of processes between FlowsFrom and FlowsTo are in service, then the flow of Data from FlowsFrom to FlowsTo will be in service and potentially subject to attack, unless disabled.

P.IS.HP.8

Process Process in service: if host Host is in service, then Process running on Host will also be in service and subject to attack, unless explicitly disabled.

P.IS.HPsAC.1

Process Process running on Host not disabled: if an attacker has the rights of Process on its host Host, then they can override a policy to disable Process by restarting it.

P.IS.HP.2

Process Process re-enabled on stolen device Host: if an attacker gains access to stolen device Host, they can restart Process, overriding the policy to disable Process.

DF.I.HDBDRDF.0

Loss of reliability at DB corrupts outbound flow of data Data to FlowsTo: if there is a loss of reliability at process DB it may send corrupt output Data to FlowsTo. Normally, this is not considered likely when DB is acting only as a data relay, but DB is a DB process which processes incoming queries before requesting or forwarding data, so a loss of reliability may lead to the wrong data being retrieved or updated.

DF.I.HDBDSDF.0

Loss of reliability at DB corrupts outbound flow of data Data to FlowsTo: if there is a loss of reliability at process DB it may send corrupt output Data to FlowsTo. Normally, this is not considered likely when DB is serving stored data, but DB is a DB process, so it selects data by processes incoming queries, so a loss of reliability may lead to retrieval or update of the wrong data.

DF.I.HDCDF.0

Cached flow of data Data from FlowsFrom to FlowsTo corrupted on Host: if the flow of Data from FlowsFrom to FlowsTo is cached on Host, and the cache is corrupt, the data flow will be affected. This is a secondary threat whereby changes to the cache propagate to the data flow - the cause is whatever caused the cache to lose integrity.

DF.I.HPDSDADF.0

Service Process serves a corrupt stored copy of data Data to FlowsTo: if the locally stored copy of Data on Host served by Process is corrupt, so will the flow of Data served to FlowsTo.

DF.I.HP-iDODF.0

Loss of reliability at Process corrupts outbound flow of data Data to FlowsTo: if there is a loss of reliability at process Process it may send corrupt output Data to FlowsTo.

DF.I.HuirPiDF.0

User Human interacting with Process provides incorrect input Data: user Human provides incorrect input Data to Process, due to having previously received corrupt data from the system.

DF.I.DScSePDmFF.0.1

Corrupt control input causes loss of integrity in output Data from Sensor: if the control input to Sensor is faulty or corrupt, then measurement of the environment by Sensor will be affected, leading to faulty or corrupt sensor output Data.

DF.I.DScSePDmFF.0.2

Out of date control input causes loss of integrity in output Data from Sensor: if the control input to Sensor is out of date, and Sensor depends on real-time updating of this input, then measurement of the environment by Sensor will be affected, leading to faulty or corrupt sensor output Data.

(empty)

LossOfIntegrity at Role_OutFlow

CSG-AutoSuspendCorruptDataFlow	The flow of data *Data* from *FlowsFrom* to *FlowsTo* can be automatically disabled to prevent corrupt or malicious content (including malware) from disrupting the receipient *FlowsTo*. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
CSG-AutoSuspendCorruptDataFlow-Implementation-Runtime	The flow of data *Data* from *FlowsFrom* to *FlowsTo* has been automatically disabled to prevent corrupt or malicious content (including malware) from disrupting the receipient *FlowsTo. This strategy represents activation of a contingency plan at runtime, and can be enabled to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires FlowsTo* to be managed by a suitable adaptation framework. The Disabled Data Flow control should be deselected if and when the flow of data is enabled once again.
CSG-SuspendCorruptDataFlow	The flow of data *Data* from *FlowsFrom* to *FlowsTo* can be temporarily blocked by the manager *ProcessManager* of recipient process *FlowsTo* to prevent corrupt or malicious content (including malware) from disrupting the process. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.
CSG-SuspendCorruptDataFlow-Implementation-Runtime	The flow of data *Data* from *FlowsFrom* to *FlowsTo* has been disabled by the manager *ProcessManager* of *FlowsTo* to prevent corrupt or malicious content (including malware) disrupting the process. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal user *ProcessManager* who is responsible for managing process *FlowsTo*. The Disabled Data Flow control should be deselected only when the flow of data is enabled again.