Threat Modeling of Internet of Things Health Devices

Omotosho, Adebayo; Haruna, Benjamin Ayemlo; Olaniyi, Olayemi Mikail

doi:10.1080/19361610.2019.1545278

Cited by 29 publications

(15 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In combination with STRIDE, it is used to assess the risk and to provide mitigations and countermeasures. A similar approach is proposed by Reference [149], which describes a system aimed to represent the vulnerabilities and attacks identified through STRIDE and ranked with DREAD. Another work that uses an existing approach is Reference [10], which applies OCTAVE to the smart-home domain by identifying risks and providing countermeasures specific for this domain.…”

Section: Risk Assessment: Analysis and Applicability To The Iot Contextmentioning

confidence: 99%

A Survey of Cybersecurity Certification for the Internet of Things

et al. 2020

View full text Add to dashboard Cite

In recent years, cybersecurity certification is gaining momentum as the baseline to build a structured approach to mitigate cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, which have the goal to make IoT more secure for the end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the potential challenges to make them applicable for the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the processes to build a cybersecurity certification framework. Our work provides a multidisciplinary perspective of a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, which are analyzed against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification to facilitate the definition of a framework that fits in emerging scenarios, such as the IoT paradigm.

show abstract

Section: Risk Assessment: Analysis and Applicability To The Iot Contextmentioning

confidence: 99%

A Survey of Cybersecurity Certification for the Internet of Things

et al. 2020

View full text Add to dashboard Cite

show abstract

“…While threats may arise from both accidental and deliberate activities of "legitimate users" (the owner/account holder of a device; Omotosho, Haruna, & Olaniyi, 2019), we assume that an IPV threat actor may be a perpetrator who intentionally abuses specific technical features to monitor, control, or coerce a victim/survivor. Thus, the perpetrator may be an authorized user yet still abuses the system for illegitimate means.…”

Section: A Methods To Threat Model Intimate Partner Violence Tech Abusementioning

confidence: 99%

“…For another, investigating a single device over an assembled system allows for vulnerabilities to pass through undetected (J. R. C. Nurse, Creese, & Roure, 2017). While we accept that one must account for the entire IoT "ecosystem" (Aufner, 2020;Omotosho et al, 2019;Seeam, Ogbeh, Guness, & Bellekens, 2019), a broader investigation is beyond the scope of this chapter.…”

Section: Threat Modeling a Smart Internet-connected Lockmentioning

confidence: 99%

Threat Modeling Intimate Partner Violence: Tech Abuse as a Cybersecurity Challenge in the Internet of Things

Slupska¹,

Tanczer²

2021

The Emerald International Handbook of Technology-Facilitated Violence and Abuse

View full text Add to dashboard Cite

Technology-Facilitated abuse, so-called "tech abuse," through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence (IPV). The current chapter examines the risks and harms posed to IPV victims/survivors from the burgeoning Internet of Things (IoT) environment. IoT systems are understood as "smart" devices such as conventional household appliances that are connected to the internet. Interdependencies between different products together with the devices' enhanced functionalities offer opportunities for coercion and control. Across the chapter, we use the example of IoT to showcase how and why tech abuse is a socio-technological issue and requires not only human-centered (i.e., societal) but also cybersecurity (i.e., technical) responses. We apply the method of "threat modeling," which is a process used to investigate potential cybersecurity attacks, to shift the conventional technical focus from the risks to systems toward risks to people. Through the analysis of a smart lock, we highlight insufficiently designed IoT privacy and security features and uncover how seemingly neutral design decisions can constrain, shape, and facilitate coercive and controlling behaviors.

show abstract

“…1. Although DREAD is an asset-centric threat modelling approach, several of its application in the literature is in combination with STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) model [8], [9], [10], [11], [12]. In this type of approach, the DREAD scoring scheme is used to identify the likelihood that an attack is able to exploit a particular threat.…”

Section: A Dreadmentioning

confidence: 99%

A Review of Asset-Centric Threat Modelling Approaches

Nweke¹,

Wolthusen²

2020

IJACSA

View full text Add to dashboard Cite

The threat landscape is constantly evolving. As attackers continue to evolve and seek better methods of compromising a system; in the same way, defenders continue to evolve and seek better methods of protecting a system. Threats are events that could cause harm to the confidentiality, integrity, or availability of information systems, through unauthorized disclosure, misuse, alteration, or destruction of information or information system. The process of developing and applying a representation of those threats, to understand the possibility of the threats being realized is referred to as threat modelling. Threat modelling approaches provide defenders with a tool to characterize potential threats systematically. They include the prioritization of threats and mitigation based on probabilities of the threats being realized, the business impacts and the cost of countermeasures. In this paper, we provide a review of assetcentric threat modelling approaches. These are threat modelling techniques that focus on the assets of the system being threat modelled. First, we discuss the most widely used asset-centric threat modelling approaches. Then, we present a gap analysis of these methods. Finally, we examine the features of asset-centric threat modelling approaches with a discussion on their similarities and differences.

show abstract

Threat Modeling of Internet of Things Health Devices

Cited by 29 publications

References 12 publications

A Survey of Cybersecurity Certification for the Internet of Things

A Survey of Cybersecurity Certification for the Internet of Things

Threat Modeling Intimate Partner Violence: Tech Abuse as a Cybersecurity Challenge in the Internet of Things

A Review of Asset-Centric Threat Modelling Approaches

Contact Info

Product

Resources

About