Threat DS.A.PHHDS.3

URI: DS.A.PHHDS.3

Description: Stored copy of Data on AHost lost due to theft or destruction of Host in Space : an attacker with access to Space can physically steal or destroy device Host, removing it from the system, rendering data stored on AHost unavailable. The threat to data is distinct from the threat to the host, as Host could be replaced if the loss is detected, but that would not restore the lost copy of Data.

Threat Type: Primary Threat

Matching Pattern:

MP-PHHDS

Finds a Physical Host located in a Space, plus data stored on the host or on a virtual host running there, plus optionally a user of the physical host.

(empty)

D.A.DallDS.0

Loss of availability in all copies of Data: the system is supposed to store the data Data, so if there are no available stored copies, the system-level availability of Data is affected.

DF.A.HPDSDADF.0

Service Process cannot serve unavailable data Data to FlowsTo: the locally stored copy of Data on Host used by Process is not available, so cannot be sent in a data flow to FlowsTo.

Hu.T.HuirPvDS.0.2

User Human affected by out of date data Data read by process Process: if a locally stored copy of Data is unavailable, and this would have been loaded by process Process and displayed to user Human, they may make decisions based on out of date information.

P.A.HPuDSDI.0

Process Process cannot access copy of Data stored on Host: since process Process depends on having access to Data via a stored copy on its host device Host , if the stored copy is not available then the availability of Process will be affected.

P.T.HP-uDSDI.0

Lack of stored input Data at Host delays Process: since process Process uses the locally stored copy of data Data but does not depend on it, if that copy is unavailable, the process can continue but will be processing out of date information.

(empty)

LossOfAvailability at Role_DataCopy

CSG-EmbeddedHostSecurity	Host *Host* is locked or built into the physical environment *Space* such that neither it nor any of its internal storage media can be removed or altered without destroying them.
CSG-IgnorePhysicalThreatsFromWorld	Indicates that threats from as well as to the space *Space* can be ignored, i.e. that the risk model intentionally does not consider physical attacks from *Space. This is only permitted if Space* is the inferred global public space (the World) used when no locations are asserted in the model. This control strategy is a way to specify that physical security is out of scope for devices with no explicitly specified location(s), i.e. that they are considered physically secure.
CSG-PersonalDeviceProtection	Device *Host* is a personal device dedicated to one user, who will protect it from some types of attacks involving physical access. This particular strategy relates to threats that are blocked, affording slightly less than perfect protection because the user may be overcome by force or become temporarily less than vigilant.
CSG-PersonalDeviceSecurity	Device *Host* is a personal device dedicated to one user, who has been trained in basic security and will protect it from some types of attacks involving physical access. Similar to personal device protection, but more effective due to the user being able to maintain vigilance and avoid physically uncontrollable situations.

Threat DS.A.PHHDS.3

MP-PHHDS

Triggered by Threat (0)

Triggers Secondary Threats (5)

D.A.DallDS.0

DF.A.HPDSDADF.0

Hu.T.HuirPvDS.0.2

P.A.HPuDSDI.0

P.T.HP-uDSDI.0

Triggered By Control Strategy (0)

Misbehaviour Sets (1)

Control Strategies (4)