Toward a threat model for storage systems

StorageSS'05 - Proceedings of the 2005 ACM Workshop on Storage Security and Survivability

Volumn , Issue , 2005, Pages 94-102

  Hasan, Ragib ^a   Myagmar, Suvda ^a   Lee, Adam J ^a   Yurcik, William ^a  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

Author keywords

Security; Storage system; Threat model

Indexed keywords

DATA LIFECYCLE MODEL; STORAGE PROTECTION SOLUTIONS; STORAGE SYSTEM; THREAT MODEL;

DATA STORAGE EQUIPMENT; ELECTRONIC CRIME COUNTERMEASURES; SECURITY OF DATA; SYSTEMS ENGINEERING;

MATHEMATICAL MODELS;

EID: 33244464085     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1103780.1103795     Document Type: Conference Paper

References (42)

1. P. Ammann, S. Jajodia, C. D. McCollum, and B. T. Blaustein. Surviving Information Warfare Attacks on Databases. In Proc. of the IEEE Symposium on Security and Privacy, 1997.
2. D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). RFC 3833, August 2004.
3. D. Barrall and D. Dewey. Plug and Root, the USB Key to the Kingdom. Presentation at Black Hat Briefings, 2005.
4. California Senate. California Database Breach Act (SB 1386). http://info.sen.ca.gov/pub/01-02/bill/sen/sb.1351-1400/sb-1386-bill-20020926- chaptered.html, 2002.
5. Centers for Medicare & Medicaid Services. The Health Insurance Portability and Accountability Act of 1996 (HIPAA). http://www.cms.hhs.gov/ hipaa/, 1996.
6. P. M. Chen, E. K. Lee, G. A. Gibson, R. H. Katz, and D. A. Patterson. RAID: High-Performance, Reliable Secondary Storage. In A CM Computing Surveys 26(2), pages 145-185, 1994.
7. J. Chirillo and S. Blaul. Storage Security: Protecting, SANs, NAS and DAS. Wiley, 2002.
8. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proc. of 13th Usenix Security Symposium, 2004.
9. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. In Proc. of 14th Usenix Security Symposium, 2005.
10. D. D. Cock, K. Wouters, D. Schellekens, D. Singele, and B. Preneel. Threat Modelling for Security Tokens in Web Applications. In Proc. of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security (CMS), pages 183-193, 2004.
11. D. Dagon, W. Lee, and R. Lipton. Protecting Secret Data from Insider Attacks. In Proc. of Ninth International Conference on Financial Cryptography and Data Security, 2005.
12. A. Edmonds. Towards Securing Information End-to-End: Networked Storage Security Update and Best Practices. White Paper, February 2003.
13. Federal Trade Commission. Gramm-Leach-Bliley Act of 1999.
14. S. Garfinkel and A. Shelat. Remembrance of Data Passed: A Study of Disk Sanitization Practices. IEEE Security & Privacy, pages 17-27, January/February 2003.
15. E. Goh, H. Shacham, N. Modadugu, and D. Boneh. SiRiUS: Securing Remote Untrusted Storage. In 10th Annual Network and Distributed System Security Symposium (NDSS), 2003.
16. I. Griggs. Browser Threat Model. http://iang.org/ssl/browser. threatjnodel.html, 2004.
17. J. Gruener and M. Kovar. The Emerging Storage Security Challenge. Yankee Group Report, September 2003.
18. R. Hasan, J. Tucek, P. Stanton, W. Yurcik, L. Brumbaugh, J. Rosendale, and R. Boonstra. The Techniques and Challenges of Immutable Storage for Applications in Multimedia. In IS&T/SPIE International Symposium Electronic Imaging / Storage and Retrieval Methods and Applications for Multimedia (EI121), 2005.
19. E. Haubert, J. Tucek, L. Brumbaugh, and W. Yurcik. Tamper-Resistant Storage Techniques for Multimedia Systems. In IS&T/SPIE International Symposium Electronic Imaging / Storage and Retrieval Methods and Applications for Multimedia (EI121), 2005.
20. HP. Understanding Storage Security. RFC 3833, February 2005.
21. J. Hughes. Encrypted Storage-Challenges and Methods. In Tutorial, IEEE/NASA Goddard Conference on Mass Storage Systems & Technologies (MSST), 2005.
22. J. McDermott, R. Gelinas, and S. Ornstein. Doc, Wyatt, and Virgil: Prototyping Storage Jamming Defenses. In 13th Annual Computer Security Applications Conference (ACSAC), 1997.
23. J. McDermott and D. Goldschlag. Storage Jamming. In Proc. of the Ninth Annual IFIP TC11 WG11.3 Working Conference on Database Security IX: Status and Prospects, pages 365-381, 1996.
24. J. P. McDermott. Replication Does Survive Information Warfare Attacks. In IFIP Workshop on Database Security, pages 219-228, 1997.
25. S. Myagmar, A. J. Lee, and W. Yurcik. Threat Modeling as a Basis for Security Requirements (SREIS). In Symposium on Requirements Engineering for Information Security, 2005.
26. N. Nguyen, P. Reiher, and G. Kuenning. Detecting Insider Threats by Monitoring System Call Activity. In Proc. of IEEE Workshop on Information Assurance, 2001.
27. A. Pennington, J. Strunk, J. Griffin, C. Soules, G. Goodson, and G. Ganger. Storage-Based Intrusion Detection: Watching Storage Activity for Suspicious Behavior. In Proc. of Usenix Security Symposium, 2003.
28. G. A. Pluta, L. Brumbaugh, W. Yurcik, and J. Tucek. Who Moved My Data? A Backup Tracking System for Dynamic Workstation Environments. In 18th Usenix Large Installation System Administration Conference (LISA), 2004.
29. P. Reiher. File Profiling for Insider Threats. Technical Report, February 2002.
30. A. Roscoe, M. Goldsmith, S. Creese, and I. Zakiuddin. The Attacker in Ubiquitous Computing Environments: Formalising the Threat Model. In Proc. of First International Workshop on Formal Aspects in Security and Trust, 2003.
31. D. S. Santry, M. J. Feeley, N. C. Hutchinson, A. C. Veitch, R. W. Carton, and J. Ofir. Deciding When to Forget in the Elephant File System. In Proc. of the Seventeenth ACM Symposium on Operating Systems Principles (SOSP), pages 110-123, 1999.
32. S. Schechter and M. D. Smith. How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks. In Financial Cryptography, pages 122-137, 2003.
33. B. Schneier. Attack Trees: Modeling Security Threats. Dr. Dobb's Journal, December 1999.
34. B. Schneier. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons, 2000.
35. P. Stanton, W. Yurcik, and L. Brumbaugh. Protecting Multimedia Data in Storage: A Survey of Techniques Emphasizing Encryption. In IS&T/SPIE International Symposium Electronic Imaging / Storage and Retrieval Methods and Applications for Multimedia (EI121), 2005.
36. J. Steffan and M. Schumacher. Collaborative Attack Modeling. In Proc. of the 2002 ACM symposium on Applied computing (SAC), pages 253-259, 2002.
37. J. D. Strunk, G. R. Goodson, M. L. Scheinholtz, C. A. Soules, and G. R. Ganger. Self-Securing Storage: Protecting Data in Compromised Systems. In Proc. of the 4th Symposium on Operating Design and Implementation (OSDI), 2000.
38. F. Swiderski and W. Snyder. Threat Modeling. Microsoft Press, 2004.
39. J. Tucek, P. Stanton, E. Haubert, R. Hasan, L. Brumbaugh, and W. Yurcik. Trade-offs in Protecting Storage: A Meta-Data Comparison of Cryptographic, Backup/Versioning, Immutable/Tamper-Proof, and Redundant Storage Solutions. In 2nd IEEE - 13th NASA Goddard Conference on Mass Storage Systems and Technologies (MSST), 2005.
40. U.S. Securities and Exchange Commission. Sarbanes-Oxley Act of 2002. http://www.sarbanes-oxley-forum.com/.
41. J. Vijayan. CA Security Hole Points to Data Backup Threats. Computerworld, August 2005.
42. J. J. Wylie, M. W. Bigrigg, J. D. Strunk, G. R. Ganger, H. Kilite, and P. K. Khosla. Survivable Information Storage Systems. IEEE Computer, 33(8):61-68, 2000.