203
wherein the attacked service can be altered, e.g. making a search
service return false results, without the legitimate users being able to
notice it); Elevation of privilege may occur in systems that feature different
classes of users, each class being mapped to a specific set of rights.
Illegitimate elevation of privilege occurs when an attacker manages to
acquire rights that would normally only be granted to more privileged
class(es). In the most critical case, an attacker may obtain administration
rights for the entire system, or part of it, which means that the attacker
may perform arbitrary actions on the elements the attacker has access
to, thereby being able to destroy the system or entirely change its
behaviour.The risk sources considered here are restricted according to the following rules:
Non-human risk sources either global (flood, lightning, fire, electrical,
heat) or local (individual device failure) are not considered. Only human
risk sources are. Note that a human forging a faked device identity in
order to impersonate another device fits within the category of "human
risk"; Among human risk sources, only theft/loss and hacker-initiated attacks
are considered. Technical staff errors or accidents are not considered. In
other words we are only addressing malicious attacks and not involuntary
attacks.The STRIDE classification is used below in Table 14 , immediately afterwards,
on STRIDE classification] to identify risks, as intersections between a STRIDE
item (column) and an element to protect (row).