Information Technology Reference
In-Depth Information
Table 5. continued
Security Use Case
Ensure Confidentiality (SUC2)
Use C
ase Path
User Message Integrity
Security Threat
A misuser accesses a private message from the user to the system
Preconditions
1)
The misuser has the means to intercept a message from the user to the system
2)
The system has requested private information from the user.
Interactions
1
Interactions
The user sends a private message to the system.
2
System Actions
The system makes the private message illegible while in transit.
3
Misuser Interactions
The misuser intercepts the user's private message.
Postco
nditions
The misuser cannot read the user's private message
Security Use Case
Authenticate (SUC3)
Use Case Path
Attempted Spoofing using Valid User Identity.
The application authenticates a misuser as if the misuser were actu-
ally a valid user.
Security Threat
Preconditions
1)
The misuser has a valid means of user identification.
2)
The misuser has an invalid means of user authentication.
Intera
ctions
The system shall request the misuser's means of identification and
authentication.
1
System Interactions
The misuser provides a valid means of user identity but an invalid
means of user authentication
2
Misuser Interactions
1) The system shall misidentify the misuser as a valid user.
2) The system shall fail to authenticate the misuser.
3
System Actions
4
Misuser Interactions
The system shall reject the misuser by cancelling the transaction
Postco
nditions
1)
The system shall not have allowed the misuser to steal the user's means of authentication.
2)
The system shall not have authenticated the misuser.
3)
The system shall not have authorized the misuser to perform any transaction that requires authentication.
4)
The system shall record the access control failure.
Security Use Case
Authorize Access (SUC4)
Use Case Path
Attempted Spoofing using Social Engineering
Securi
ty Threat
The misuser gains access to an unauthorized resource.
Preconditions
1)
The misuser has a valid means of user identification enabling the impersonation of a valid user that is authorized to use a protected
resource.
2)
The misuser does not have an associated valid means of user authentication.
3)
The misuser has basic knowledge of the organization includ
i
ng the ability to contact the contact center.
Interactions
1
Misuser Interactions
The misuser contacts the contact center.
continued on following page
Search WWH ::
Custom Search