Corona Virus Threat Modelling

Post originally created on github.io on March 2020

Intro

Well, we are doomed. And to add that, we are having the CORONA-19 virus around. Some of you might be familiar with the Threat Modelling in IT security but today I would like to make a Threat Modelling for your daily activity but with corona virus as main threat.

DISCLIMER
This post should NOT be treated as real measurement for preventing virus, neither it's a good representation of threat modelling of IT systems. This post reflects NONE medical value beside link to WHO. Treat it as mind puzzle.

Technical intro

For those, not familiar with Threat Modelling: it is the structured and continuous process of identifying security threats in the software. The definition is not really precise about, what kind of processes and techniques we should use, so let's free solo it!

Story

As you are in self-quarantine mode, but eating is quite essential, you need to get out and go out to nearest shop. Not favourite, nearest. To achieve goal of buying some pasta and tomatoes, you need to get from you flat, go thru corridor, ride elevator, walk 600m to nearest shop, buy stuff and survive on same way back.

Actors

• You,
• Unintentional attacker (person who is a carrier or sick, unintentional attacker in our puzzle),
• Intentional attacker (person who is not sick, but tries to, based on panic, gain something),
• Other people,
• Dogs.

'Technology' stack

• Human body - with a limited immune system (dependent on Multiple factors),
• CORONA-19 - easy spreading virus with the middle level of deadlines,
• Hand sanitizers, soap, water etc.,
• Door knobs, handles, baskets etc.

Environment

• Corridor,
• The elevator,
• 1,2 km way,
• Shop.

Threat Modelling

As I am alone, I will guide you thru the story with marks, where the threats are.

On the beginning, let's take a look on STRIDE, Microsoft methodology:

• Spoofing - an attacker pretending to be someone else (unintentional attacker tries to look like healthy person)

• Tampering - attacker force user to perform action (make handshake, hug you)

• Repudiation - attacker performing attack without being noticed/ proved (yup, it won't be easy to prove that, some sneaky sneeze etc.)

• Information disclosure (privacy breach or data leak) - everyone, especially in Poland, wants to know your PESEL number, also intentional attackers

• Denial of a service - attack that will limit or disable your usability

• Elevation of the privilege - intentional attacker pretending to have access to data/ privilege to some action (all kind of phishing attacks for your data or virus trying to take over your immune system).

Clearly, we should divide these problems for two groups: the main about threats connected with the virus itself and the second, phishing or other activities.

Getting out from flat to corridor should be safe, especially with face mask, only one handle form apartment door. And we have a first threat on our list, that might be pretty popular - door knob/ handle with virus on it. Then we need to pass one door from our neighbour (potential unintentional attacker), but we have a luck, no one is there - however we can think that meeting our beloved neighbourhood/friend/family member might give us threat number two - the physical contact with unintentional attacker. Next is the elevator, small area, without sufficient ventilation with little separation between people - obvious threat and increasing factor for unintentional attacker. On the way back we will use the stairs. Walk to the shop might not be as extreme as it seems, but we need to be careful on the cross walk, potential car hit might result in hospital care, which sure it's another threat for us - being in hospital during pandemic! In the shop we are putting pasta and tomatoes to small hand handled basket. Aaaand we have a next threat - similar to that one with door handle, make it as one: touching things. Also, in the shop there is more people than anywhere else in our scenario, the risk for getting sneezed by unintentional attacker increasing - so threat number two, meeting with unintentional attacker is having prime role here. You are paying - getting change in coins or bills triggers threat number one, paying with card or phone touch-less will minimalize it. If you have clean phone :). As you are environmentalist you have your own bag (from IT conference) and probably not taking the bill. On the way home you meet friendly dog, and thanks to WHO, we know, that consent belly rub for good boy is 100% safe for you and for him (in terms of COVID-19, make sure, that good boy is good boy). Next, getting your pin on pin pad (classified as door handle) and we are in staircase. A little bit of training and we are at our door. We have made it! But the phone is ringing and we are answering (with our dirty hands) - someone, that present herself as Sanitary - Epidemiological worker and tries to confirm our identity (threat number n). Now wash your hands, products that you bought and your phone!

Identified threats

1. Getting contact with, potentially, virus contaminated surfaces,
2. Physical contact with unintentional attacker,
3. Sharing small closed area with others,
4. Communication accident with high risk of hospitalisation,
5. Staying unnecessary in crowded places,
6. Phishing attempt.

Short walk for tomato gives you 6, quite obvious and general threats, but quite dangerous. Make something similar by yourself with your daily activities and see.

Recommendations

But let's see how we can limit the risk: https://www.who.int/health-topics/coronavirus#tab=tab_2
And about phishing: do not give any confidential information to person, whose identity cannot be proved.

Outro

Read about Corona Virus from WHO pages. Stay strong and stay home!