Threat LS.L.RSSH-P.3

URI: LS.L.RSSH-P.3

Package: Network

< prev | next >

Description: Access to subnet LogicalSubnet from space Space: someone with access to space Space where radio subnet LogicalSubnet is accessible can connect their own device unless access is restricted by security measures. Note that access only to the local subnet serving Space.

Threat Type: Primary Threat

Matching Pattern:

LS.L.RSSH-P.3
MP-RSSH-P

Finds a Radio Subnet with no controlling process, provided by a Gateway host and accessible from a Space, plus optionally the manager of the Gateway.

        (empty)

        (empty)

        (empty)

        (empty)

CSG-DisableRadioSubnet

Indicates provision of network RadioSubnet is disabled at device Gateway, meaning the subnet is not available to potential attackers. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where provision of a subnet is possible but would not be used in practice is where a mobile device provides a WiFi hotspot. The control applies to the hotspot implementation, so affects provision of the hotspot in one location, making it possible to indicate that the user would keep the hotspot functionality switched off in that location.

CSG-IgnorePhysicalThreatsFromWorld

Indicates that threats from as well as to the space Space can be ignored, i.e. that the risk model intentionally does not consider physical attacks from Space. This is only permitted if Space is the inferred global public space (the World) used when no locations are asserted in the model. This control strategy is a way to specify that physical security is out of scope for devices with no explicitly specified location(s), i.e. that they are considered physically secure.

CSG-NetworkEAP-AAA

Control access to subnet LogicalSubnet using a (usually remote) AAA service that verifies keys provisioned in SIM cards to authorised supplicants. You should also specify SIM cards be used by supplicant devices or they will be unable to connect.

CSG-NetworkEAP-PSK

Control access to subnet LogicalSubnet using a pre-shared key. This is installed at the device Gateway providing the network, which also verifies that supplicants have the same key, preventing unauthorised access. You should also specify shared keys for supplicant devices or they will be unable to connect.

CSG-NetworkEAP-TLS

Control access to subnet LogicalSubnet using authentication via X509 or otherwise trusted public-private key pairs. The gateway device Gateway providing the network has an (X509 certified) key, and a means to verify (X509 certified) keys registered by authorised supplicants. You should also specify that supplicant devices have (X509 certified) key pairs or they will be unable to connect.