Internet of Things Architecture

(Elliott) #1



• Backend services: Backend services represent server-side application
elements (for instance, a data-collection server communicating with sensor
nodes). Compromising this software or the devices it is deployed on
generally represents a critical threat against specific application systems
and has to be prevented;

• Infrastructure services: Discovery, lookup and resolution services are
critical services, as they provide fundamental functionalities to IoT
systems worldwide. In the same way, security services
(authorization, authentication, identity management, key management,
and trust and reputation) are essential for a secure interaction between
subjects (as defined above);

• Global systems / facilities: This last category of elements to protect
considers entire services in a global manner. For example, there might
be a risk that an attack against the smart home scenario results in the
complete disruption of the service, e.g. through the disruption of
underlying communications between devices. The consequences of the
resulting disruption can therefore be considered through this category.

5.2.9.2 Risk Sources


The risk sources are categorised following the STRIDE [Microsoft 2003]
classification, which is a widely used way of classifying threats that relate to
information systems. STRIDE stands for Spoofing identity, Tampering with data,
Repudiation, Information disclosure, Denial of service, and Elevation of
privilege. These categories are quickly summarised below – note, however, that
real-world occurrences usually consist of a combination of these threats.


• Identity spoofing means that a peer illegitimately uses the identity of
another peer. Spoofing attacks can happen with respect to all kinds of
identifiers, irrespective of whether they are used to designate physical
persons, devices, or communication flows;

• Data tampering means that an attacker is able to alter the content of
data exchanged between two or more peers. Data tampering may
involve subtle attack schemes, wherein the attacker is able to trigger
specific behaviours of recipients by finely modifying original data;

• Repudiation relates to attacks in which an attacker performs illegitimate
actions and may afterwards deny having performed them, such that other
nodes are unable to prove that the attacker actually behaved maliciously;

• Information disclosure means that information is disclosed to
unauthorised peers. It is related to the existence of an authorisation
model that defines for each information element a set of peers that are
authorised to access it, possibly under some specific conditions;

• Denial-of-service attacks are carried out for disabling a service offered
to legitimate users (as opposed, for example, to more subtle schemes