Information engineering ( IT ) Security has become more and more of import today when as e-commerce is going progressively popular. Peoples in developed states like America and throughout European states have been exposed to online trading for a long clip ; this tendency is besides taking off in developing states in other parts of the universe. Besides its importance toward concern activities, IT security besides plays a polar function in protecting persons, organisations assets, which are really parts of the concern operations. Variety methods of procuring concern have been developed and implemented successfully. Attack Trees is one of those. Not merely in Information Technology, Attack Trees is besides applicable to security jobs in a broad scope of Fieldss including: telecommunications, wellness attention, finance, critical substructure, aerospace, intelligence and defence.
To procure your concern against impending hazards, you foremost necessitate to specify all sorts of possible hazards and tracts that those hazards might be realized. Admiting hazards and how they might go on, you will be able to develop steps to contend against or extenuate them. This is besides what Attack Trees helps clear up. Attack Trees is a formal, convenient manner to methodically categorise the different ways ( how the hazards happen ) in which a system can be attacked [ 1 ] ( hazards ) . Attack trees are a graphical and mathematical concept used to
- Identify possible hostile activities that pose the greatest hazard to the guardian ;
- Determine effectual ( and be effectual ) schemes for cut downing the guardian ‘s hazard to an acceptable degree ;
- Describe the possible interactions between the antagonist and the guardian ;
- Supply a communicating mechanism for security analysts ;
- Capture what is known ( facts ) and believed ( premises ) about the system and its antagonists, and store the information in a signifier that can later be retrieved and understood by others [ 2 ]
Attack tree theoretical accounts are graphical diagrams stand foring the picks and ends available to an aggressor. They are represented in a tree construction, in which the root node of the tree is the planetary end of an aggressor and foliage nodes are different ways of accomplishing that end. In an onslaught tree, kids of the root node are polishs of the planetary end, and foliage nodes represent onslaughts that can no longer be refined. A polish can be conjunctive ( AND ) or disjunctive ( OR ) . Figure 1 shows an illustration of an onslaught tree with the end of the aggressor is to obtain a free tiffin [ 3 ] . The tree lists three possible ways to make this end. Lower degrees in the tree explicate how these sub-goals are refined. The discharge linking the kids nodes expresses that this is a conjunctive ( AND ) polish, which means that all sub-goals have to be fulfilled. Polishs without such a connecting discharge are disjunctive ( OR ) , showing that fulfilling one sub-goal suffices
The strength of the onslaught tree methodological analysis lies in the fact that its graphical, structured tree notation is easy to understand to practicians, yet besides assuring for tool builders and theorists trying to partly automatize the menace analysis procedure. More and more research documents have been used onslaught trees in patterning security menace of information system. Over the last twelvemonth, over 15,000 articles on Google & A ; Acirc ; ® Scholar [ 4 ] have been used the onslaught tree technique in some manner. The manner this technique is used now is normally by delegating different sorts of values to the foliage nodes ( for illustration, possible and impossible, expansive and cheap, cost to assail, chance of success of a given onslaught, etc. ) so propagating node values up the tree following some regulations. Based on that computation, people can do some statements about onslaughts, for illustration, what is the cheapest low-risk onslaught or most likely non-intrusive onslaught [ 5 ] .
In retrospect personal experiences, we notice that what we have done in the past and until now are closely related to what is presented in Attack Trees theoretical account, although back by that clip, we were non exposed to concept of Attack Trees, but the attack is fundamentally the same. It was when we worked on a undertaking and had to specify all possible risks/threats that might go on and how we can take mitigate actions against those hazards. The lone thing that we had non paid plenty attending to, and was really really of import thing, was how all those hazards might go on. Failing to make this costs us a batch subsequently on when the hazard did go on in a manner that we had non thought of, so did non develop appropriate cause of actions and we were passively react to it. It was when we were developing an online proving system to assist pupils fix for entryway test to universities [ 6 ] . We would hold a strong squad of first-class instructors from many celebrated schools build the trial content ; and have a squad of people to import those trials, including replies ( multiple pick format ) , into the system. We conducted developing for importing squad. ( Besides, the importing work did take a batch of clip so we could non speak all the instructors into it ) . Thingss went good until the twenty-four hours we really launched the Beta version. We had voluntaries, who were existent students, do the trial ; it was nil better for them to take free trials and receive free feedbacks. But when it came to ensue announce and feedbacks were given to those students, everything was merely wholly incorrect ; many of pupil replies, which were really right, were marked wrong and the must-be-correct replies given by the system were really wrong. Remembering that individual twenty-four hours, it was a BIG shame on us, the squad who worked on the undertaking. We had a individual caput of quality control who would do certain that all the trials designed, including inquiries and replies, are without errors. We were really rigorous on that. We besides had a caput of preparation section who will do certain that our confederates, who performed importing occupation, do their occupation carefully and without errors. Random trial were taken before we launched the first version and things were all traveling really good. We developed hazard monitoring blocks and figure 2 is shown as an illustration. For a hazard that the trial is invalidate, we clarified three possible grounds: design job, importing job and system job. The grounds are so tracked farther along blocks which are colored consequently. So to forestall or extenuate the hazard, we merely need to do certain that our instructor quality is first-class, our preparation and importing occupation are done attractively and our system will non misfunction. But we merely did to the extent that, for illustration, every bit long as our confederates work diligently and carefully, errors would mostly be avoided. Later on, we found out the root of the job was that one of our confederate was individual from our chief rival and he intentionally destroyed our system by altering all right replies merely a dark before the free testing event. This was the thing that we had ne’er thought of. We did non believe that we had job right from the confederates enlisting and that this might had been one of many possible ways that can annul our trial bank. Until so did we cognize that what we called in general “ confederates quality ” is non limited to the fact that whether they were capable of understanding and making the occupation, but besides including their working moral principle. Consequently, we were left with everything get downing from abrasion ; all instructors work was carefully rechecked because we did non cognize right off what precisely caused the job. Almost all the imported work was deleted and restarted. If we had been able to clear up this possibility, though little, we would hold developed action appropriate plenty to forestall it, such as lock the system and deny any entree before we launched the first version, this would hold saved us money and clip and prestigiousness every bit good. We eventually were able to offer a running version but it certainly had cost us much more resources. [ 7 ]
From our personal experience, we see that Attack Trees theoretical account is a really utile tool to assist organisations in menace sensing and appropriate extenuating action development. The theoretical account will hold of import and positive impact on organisation concern operation in that it assist call all possible hazards and specific tracts that those hazards might go existent. From that, it helps find effectual and cost effectual schemes to cut down hazards to an acceptable degree. Organizations should follow Attack Trees theoretical account to procure themselves from any uncertainnesss that may go on.
- Attack trees: Modeling security menaces. Dr. Dobb ‘s diary ; Schneider ( 2005 ) .
- Attack Trees Analysis, Terrance Ingoldsby on January 16, 2009 – hypertext transfer protocol: //redteamjournal.com/2009/01/attack-tree-analysis/
- Mauw, S. , Oostdijk, M. ( 2005 ) Foundations of Attack Trees – Information Security and Cryptology-ICISC 2005 – Springer
- hypertext transfer protocol: //scholar.google.com/scholar? hl=en & A ; q=attack+trees+information+system & A ; as_sdt=2000 & A ; as_ylo=2009 & A ; as_vis=0
- Edge, K. ( 2007 ) The Use of Attack and Protection Trees to Analyze Security for an Online Banking System. HICSS ’07: Proceedings of the fortieth Annual Hawaii International Conference on System Sciences.
- This is how universities in my state enroll prospective pupils, they do non establish on applications but base on consequence of existent trials, which are held by the Ministry of Education yearly for all participants
- Our initial undertaking consequence to day of the month hypertext transfer protocol: //hocmai.vn/