299-Article Text-492-1-10-20160203.pdf


3 Threat Model for Telehealth Systems

In this section, the main threat components are identified: assets, users, threat agents and threats to the system. The process of threat modeling is divided into three main phases, as follows: (1) identifying assets and access points, (2) listing all potential threats and (3) building a mitigation plan.

1. Identifying assets and access points: An asset is something valuable, owned by an entity, that attackers are interested in and wish to access, control or destroy. Identifying assets is the primary, most critical step in threat modeling, because assets are essentially threat targets. Access (or entry) points are interfaces through which potential attackers can interact with the system to gain access to assets. Examples of access points include user login interfaces, file systems and hardware ports. Upon identifying the access points, it is very important to define the trust boundaries in the system. A trust boundary is a boundary across which there are varied levels of trust [12]. Trust levels indicate how much trust is required to access a component of the system.

2. Listing all potential threats: Threats may come from authorized users (insiders) or unauthorized users (outsiders). All the information gathered from phase 1 will help to identify all possible threats and threat sources. Adversaries' goals, capabilities and what they might do to the system are all defined as threats. Threats to the system can be identified by reviewing each asset and access point in the system, and creating threat hypotheses regarding violations of asset confidentiality, integrity or availability. In general, threats can be classified into six classes, following the Microsoft STRIDE model [12, 19]:

  • Spoofing is attempting to gain access to a system by using a false identity.
  • Tampering is the unauthorized modification of data.
  • Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions.
  • Information disclosure is the unwanted exposure of private data.
  • Denial of service is the process of making a system or application unavailable.
  • Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an asset.

3. Building a mitigation plan of countermeasures: Once the basic assets and all potential threats are understood and identified, phase 3 proposes control mechanisms to prevent or mitigate the threats.

System Description: Telehealth Reference System Overview

Figure 1 illustrates the system architecture of the studied telehealth reference system. The reference system includes the following main system domains:

cine Deployment for European HEALTH care” (United4Health, or just U4H), and especially at the solution developed for the specific Norwegian requirements [9]. The aim to support a close cooperation of professional health and care providers from different organizations, and to involve even
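
The three phases of Section 3 can be run as a small worksheet. The following is an added example, not code from the paper: it builds one threat hypothesis per access point and STRIDE class, ranks those at a trust boundary first, and lists the ones still lacking a countermeasure. The assets, trust levels and the `AccessPoint`, `threat_hypotheses` and `open_items` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

# STRIDE class -> violated property (standard pairing; the page lists only the classes).
STRIDE = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}

@dataclass(frozen=True)
class AccessPoint:
    name: str
    asset: str           # asset reachable through this interface
    caller_trust: int    # trust level of whoever can reach the interface
    required_trust: int  # trust level required to access the asset
    @property
    def crosses_boundary(self) -> bool:
        # Caller holds less trust than the asset requires: a trust boundary.
        return self.caller_trust < self.required_trust

def threat_hypotheses(access_points):
    """Phase 2: one hypothesis per (access point, STRIDE class) pair."""
    rows = [
        {"asset": ap.asset, "access_point": ap.name, "threat": threat,
         "violates": prop, "mitigation": None,  # filled in during phase 3
         "priority": "high" if ap.crosses_boundary else "normal"}
        for ap, (threat, prop) in product(access_points, STRIDE.items())
    ]
    # Stable sort: hypotheses at a trust boundary are reviewed first.
    return sorted(rows, key=lambda r: r["priority"] != "high")

def open_items(rows):
    """Phase 3 check: high-priority hypotheses with no countermeasure yet."""
    return [r for r in rows if r["priority"] == "high" and not r["mitigation"]]

# Phase 1, constructed sample: assets and trust levels are assumptions.
MODEL = [
    AccessPoint("user login interface", "patient health data", 0, 1),
    AccessPoint("hardware port", "home measurement device", 0, 2),
    AccessPoint("file system", "audit logs", 2, 2),
]

if __name__ == "__main__":
    for r in open_items(threat_hypotheses(MODEL)):
        print(f'{r["access_point"]}: {r["threat"]} -> {r["violates"]} of {r["asset"]}')
```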