The solutions you wrote for me:
Dr Palmer and his staff are upset by the many security elements
provided in the health record system. Instead of inactivating the
security features, a possible solution for their upset is to allow
the security system to go to sleep after 15 minutes of no
operation. This way, if the system will not be accessed for a
given period of time, it shall be redirected into idle mode and
health records shall not be rendered into jeopardy. This solution
is practical because it gives the working staff enough time to
have a break and go back in a manageable time-frame without
having to log out. The drawback of this solution is that, within
the set time frame, an intruder can access the system and
possibly expose patient records.
In addition to accessing the system through a username and a
password, the system could be opened by fingerprint. This
technique would only need an employee to place their
respective finger in the identification system, then they would
be granted full access to the system. The solution is practical
since it will eradicate passwords and usernames, granting the
user simple and easy access to the system (Jamoom et al.,
2013). The negative part of this solution is embedded in the
cost of the fingerprint system. In other words, every computer
must be fitted with the system, and this calls for additional costs.
However, when all areas are put into consideration, I believe
that this is the best solution for the problem. Simply, the
fingerprint system will eliminate the tedious access of records
through usernames and passwords. Furthermore, security of the
system shall be increased since fingerprints cannot be leaked or
copied like usernames and passwords.
a. Identify any areas of weakness within your chosen solution.
b. Identify hidden assumptions and beliefs you may harbor
about your choice of solution.
ISOL 536
Security Architecture and Design
Threat Modeling
Session 6a
“Processing Threats”
Agenda
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model
• Reading: Chapter 7
When to Find Threats
• Start at the beginning of your project
– Create a model of what you’re building
– Do a first pass for threats
• Dig deep as you work through features
– Think about how threats apply to your mitigations
• Check that your design & model match as you
get close to shipping
Attackers Respond to Your Defenses
Playing Chess
• The ideal attacker will follow the road you
defend
– Ideal attackers are like spherical cows — they’re a
useful model for some things
• Real attackers will go around your defenses
• Your defenses need to be broad and deep
“Orders of Mitigation”
Order | Threat          | Mitigation
1st   | Window smashing | Reinforced glass
2nd   | Window smashing | Alarm
3rd   | Cut alarm wire  | Heartbeat signal
4th   | Fake heartbeat  | Cryptographic signal integrity
By Example:
• Thus window smashing is a first-order threat and cutting
the alarm wire a third-order threat
• Easy to get stuck arguing about orders
• Are both stronger glass & alarms 1st order
mitigations? (Who cares?!)
• Focus on the concept of interplay between
mitigations & further attacks
How to Approach Software
• Depth first
– The most fun and “instinctual”
– Keep following threats to see where they go
– Can be useful skill development, promoting “flow”
• Breadth first
– The most conservative use of time
• Best when time is limited
– Most likely to result in good coverage
Tracking Threats and Assumptions
• There are an infinite number of ways to
structure this
• Use the one that works reliably for you
• (Hope doesn’t work reliably)
Example Threat Tracking Tables

Diagram Element | Threat Type | Threat | Bug ID
Data flow #4, web server to business logic | Tampering | Add orders without payment checks | 4553 “Need integrity controls on channel”
(same) | Info disclosure | Payment instruments sent in clear | 4554 “need crypto” #PCI

Threat Type | Diagram Element(s) | Threat | Bug ID
Tampering | Web browser | Attacker modifies our JavaScript order checking | 4556 “Add order-checking logic to server”
(same) | Data flow #2 from browser to server | Failure to authenticate | 4557 “Add enforce HTTPS everywhere”
Both are fine, help you iterate over diagrams in different ways
Example Assumption Tracking
Assumption | Impact if it’s wrong | Who to talk to | Who’s following up | Follow-up by date | Bug #
It’s ok to ignore denial of service within the data center | Availability will be below spec | Alice | Bob | April 15 | 4555
• Impact is sometimes so obvious it’s not worth filling out
• Who to talk to is not always obvious, it’s ok to start out blank
• Tracking assumptions in bugs helps you not lose track
• Treat the assumption as a bug – you need to resolve it
The Customer/Vendor Boundary
• There is always a trust boundary when:
– Your code goes to someone else’s (device/premises)
– Their data comes to your code
• All about human trust issues
• You need to think about it while deciding what
happens over the data flow shown
[Diagram: “Your software” running on the customer device, and “Your software” running in your data center, with the data flow between them crossing the customer/vendor trust boundary]
Generic API Threat Model
• Perform security checks inside the boundary
• Copy before validation for purpose
– Is http://evil.org/pwnme.html “valid”?
• Define the purpose for data, validate near that
definition
• Manage error reporting
• Document what checks happen where
• Do crypto in constant time
• Address the security requirements for your API
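As an added example (not part of the slides), the following Python sketch applies these bullets to a hypothetical order API: it authenticates with a constant-time comparison, copies the untrusted request before validating it, validates the same URL differently for a redirect than for display, and reports only a generic error to the caller. Every function name, the API key and the allowed host are constructed for the demo.

```python
"""Added example (not from the slides): a tiny order API handler that applies
the 'Generic API Threat Model' bullets. Every name here is hypothetical."""
import hmac
import html
import logging
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

log = logging.getLogger("order_api")

# Constructed values for the demo. A real service loads the key from a secret
# store and the host allowlist from configuration.
API_KEY = b"constructed-demo-key-0123456789abcdef"
ALLOWED_REDIRECT_HOSTS = frozenset({"portal.example.test"})


class ApiError(Exception):
    """What the caller sees: a generic message. Detail goes to the log only."""


@dataclass(frozen=True)
class OrderRequest:
    """Our own immutable copy of the untrusted input. Copying *before*
    validating means the values we checked are the values we use."""
    order_id: str
    quantity: int
    return_url: str


def check_api_key(presented: bytes) -> bool:
    """Constant-time comparison: compare_digest takes the same time whether the
    first byte or the last byte differs, so timing reveals nothing."""
    return hmac.compare_digest(presented, API_KEY)


def copy_request(raw: dict) -> OrderRequest:
    """Step 1 inside the boundary: copy and type-coerce, do not yet judge."""
    try:
        return OrderRequest(order_id=str(raw["order_id"]),
                            quantity=int(raw["quantity"]),
                            return_url=str(raw["return_url"]))
    except (KeyError, TypeError, ValueError) as exc:
        log.info("malformed order request: %r", exc)  # detail stays internal
        raise ApiError("invalid request") from exc


# "Validate for purpose": the same URL string is acceptable for one use and
# not for another, which is why the slide asks whether a URL is "valid".
def validate_return_url_for_redirect(url: str) -> str:
    """Purpose: send the user's browser here. Only https to an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        log.info("rejected redirect target host=%r", parts.hostname)
        raise ApiError("invalid request")
    return url


def validate_return_url_for_display(url: str) -> str:
    """Purpose: show the string in an HTML page. Any host is fine; the only
    requirement is escaping, so it cannot break out of its text node."""
    return html.escape(url, quote=True)


def validate_order_id(order_id: str) -> str:
    """Purpose: key into the order store. Fixed alphabet and length."""
    if not re.fullmatch(r"[A-Z0-9]{6,12}", order_id):
        raise ApiError("invalid request")
    return order_id


def validate_quantity(quantity: int) -> int:
    """Purpose: multiply into a price. Bounded, so no negatives or absurd sizes."""
    if not 1 <= quantity <= 1000:
        raise ApiError("invalid request")
    return quantity


def handle_order(raw: dict, presented_key: bytes) -> dict:
    """The boundary. The checks are documented here, in one place:
    1. authenticate (constant time); 2. copy; 3. validate each field for
    the purpose it is about to serve; 4. report errors generically."""
    if not check_api_key(presented_key):
        log.warning("order request with bad API key")
        raise ApiError("unauthorized")
    req = copy_request(raw)
    return {
        "order_id": validate_order_id(req.order_id),
        "quantity": validate_quantity(req.quantity),
        "redirect": validate_return_url_for_redirect(req.return_url),
        "shown_url": validate_return_url_for_display(req.return_url),
    }


def try_order(raw: dict, presented_key: bytes) -> Optional[str]:
    """Helper for callers/tests: the generic error text, or None on success."""
    try:
        handle_order(raw, presented_key)
    except ApiError as exc:
        return str(exc)
    return None
```

Note that the caller learns only "unauthorized" or "invalid request"; which field failed, and why, is visible only in the server log.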
Recap
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model
Scenario: Security at All Pine Medical Center
All Pine Medical Center is a 250-bed trauma hospital in
Indianapolis, Indiana. All Pine is a Joint Commission-approved
Medicare and Medicaid facility and houses a separate, large
inpatient and outpatient cardiology building adjacent to the main
hospital. Palmer Cardiology Associates manages the cardiology
center with Dr. Robert Palmer as the medical director. Dr.
Palmer’s group has been affiliated with All Pine Medical Center
for the past fifteen years and generates a vast amount of revenue
for the facility.
Ten months ago, All Pine moved entirely away from paper
medical records and implemented an electronic health record
(EHR) system. The move was completed in two phases over an
eighteen-month time span. Dr. Palmer’s group was ecstatic
about the move to an EHR and was fully on board with the
change. Today, Dr. Palmer and his colleagues are frustrated
over all of the security features associated with All Pine
Medical Center’s new EHR. Dr. Palmer wants some of the
security features disabled so he can get faster access to his
patients’ data and not be limited in the time spent with a
patient’s record. The current process in place for all physicians
and hospital employees is to first log on to All Pine Medical
Center’s main system with a user name (assigned by the hospital
IT department) and password (selected by the physician or
employee); second, to log on to the electronic health record
using the main user name but a different password along with an
access code (again assigned by the hospital IT department).
Dr. Palmer and his associates want to sign on one time and
access anything they want within the main system and
electronic health record for as long as they want. He has assured
the hospital risk management and health information
management departments his group will sign off once they have
completed what they needed to do or access in the patient
record.
Because of the state and federal rules and regulations on
confidentiality and security of patient health information, the
health information management department is at a loss as to
how to accommodate Dr. Palmer’s request. The Chief Executive
Officer (CEO) and the Chief Information Officer (CIO) of All
Pine have said, “Just make him happy”. The health information
management director, along with risk management, quality
assurance, and the facility’s IT department, has formed a task
force to find a way to modify Dr. Palmer’s and his group’s access
to the hospital’s main system and the EHR. The task force has
reviewed the following documents for guidance on
confidentiality and security of patient health information:
1. All Pine’s internal policy and procedures on confidentiality,
security, and access to patient health records.
2. Joint Commission Accreditation rules and regulations for
confidentiality, security, and access to patient health records.
3. HIPAA rules and regulations on confidentiality, security, and
access to patient health records.
They are at a standstill on a concrete resolution for Dr. Palmer’s
request. Your task, utilizing the 6 goals of the ARC, is to assess
the issue/problem between Dr. Palmer and his group and All
Pine Medical Center.
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
 
Advanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docxAdvanced Java[Extra Concepts, Not Difficult].docx
Advanced Java[Extra Concepts, Not Difficult].docx
 
Cognitive Development Adolescence Psychology
Cognitive Development Adolescence PsychologyCognitive Development Adolescence Psychology
Cognitive Development Adolescence Psychology
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skillsspot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 

The solutions you wrote for meDr Palmer and his staff are ups.docx

The solutions you wrote for me:

Dr Palmer and his staff are upset by the many security elements provided in the health record system. Instead of inactivating the security features, a possible solution for their upset is to allow the security system to go to sleep after 15 minutes of no operation. This way, if the system is not accessed for a given period of time, it will be redirected into idle mode and health records will not be put in jeopardy. This solution is practical because it gives the working staff enough time to have a break and come back in a manageable time frame without having to log out. The drawback of this solution is that, within the set time frame, an intruder can access the system and possibly expose patient records.

In addition to accessing the system through a username and a password, the system could be opened by fingerprint. This technique would only need an employee to place their respective finger on the identification system, and they would then be granted full access to the system. The solution is practical since it will eradicate passwords and usernames, granting the user simple and easy access to the system (Jamoom et al., 2013). The negative part of this solution lies in the cost of the fingerprint system. In other words, every computer must be fitted with the system, and this calls for additional costs. However, when all areas are put into consideration, I believe that this is the best solution for the problem. Simply, the fingerprint system will eliminate the tedious access of records through usernames and passwords. Furthermore, security of the system will be increased since fingerprints cannot be leaked or copied like usernames and passwords.

a. Identify any areas of weakness within your chosen solution.
b. Identify hidden assumptions and beliefs you may harbor about your choice of solution.

ISOL 536 Security Architecture and Design
Threat Modeling
Session 6a: "Processing Threats"

Agenda
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model
• Reading: Chapter 7

When to Find Threats
• Start at the beginning of your project
  – Create a model of what you're building
  – Do a first pass for threats
• Dig deep as you work through features
  – Think about how threats apply to your mitigations
• Check that your design and your model still match as you get close to shipping

Attackers Respond to Your Defenses: Playing Chess
• The ideal attacker will follow the road you defend
  – Ideal attackers are like spherical cows: a useful model for some things
• Real attackers will go around your defenses
• Your defenses need to be broad and deep

"Orders of Mitigation"

Order | Threat          | Mitigation
1st   | Window smashing | Reinforced glass
2nd   | Window smashing | Alarm
3rd   | Cut alarm wire  | Heartbeat signal
4th   | Fake heartbeat  | Cryptographic signal integrity

By example:
• Thus window smashing is a first-order threat and cutting the alarm wire a third-order threat
• It is easy to get stuck arguing about orders
• Are both stronger glass and alarms first-order mitigations? (Who cares?!)
• Focus on the concept: the interplay between mitigations and the further attacks they provoke

How to Approach Software
• Depth first
  – The most fun and "instinctual"
  – Keep following threats to see where they go
  – Can be useful skill development, promoting "flow"
• Breadth first
  – The most conservative use of time
  – Best when time is limited
  – Most likely to result in good coverage

Tracking Threats and Assumptions
• There are an infinite number of ways to structure this
• Use the one that works reliably for you
• (Hope doesn't work reliably)

Example Threat Tracking Tables

Organized by diagram element:

Diagram Element                            | Threat Type     | Threat                             | Bug ID
Data flow #4, web server to business logic | Tampering       | Add orders without payment checks  | 4553 "Need integrity controls on channel"
Data flow #4, web server to business logic | Info disclosure | Payment instruments sent in clear  | 4554 "need crypto" #PCI

Organized by threat type:

Threat Type | Diagram Element(s)                   | Threat                                          | Bug ID
Tampering   | Web browser                          | Attacker modifies our JavaScript order checking | 4556 "Add order-checking logic to server"
Tampering   | Data flow #2 from browser to server  | Failure to authenticate                         | 4557 "Add enforce HTTPS everywhere"

• Both are fine; they help you iterate over diagrams in different ways

Example Assumption Tracking

Assumption                                                  | Impact if it's wrong            | Who to talk to | Who's following up | Follow-up by date | Bug #
It's ok to ignore denial of service within the data center  | Availability will be below spec | Alice          | Bob                | April 15          | 4555

• Impact is sometimes so obvious it's not worth filling out
• Who to talk to is not always obvious; it's ok to start out blank
• Tracking assumptions in bugs helps you not lose track
• Treat the assumption as a bug: you need to resolve it

The Customer/Vendor Boundary
• There is always a trust boundary when:
  – Your code goes to someone else's (device/premises)
  – Their data comes to your code
• All about human trust issues
• You need to think about it while deciding what happens over the data flow shown
[Diagram: "Your software" on the customer device, with a data flow across the trust boundary to "Your software" in your data center]

Generic API Threat Model
• Perform security checks inside the boundary
• Copy before validation for purpose
  – Is http://evil.org/pwnme.html "valid"?
• Define the purpose for data; validate near that definition
• Manage error reporting
• Document what checks happen where
• Do crypto in constant time
• Address the security requirements for your API

Recap
• When to find threats
• Playing chess
• How to approach software
• Tracking threats and assumptions
• Customer/vendor
• The API threat model

Scenario: Security at All Pine Medical Center

All Pine Medical Center is a 250-bed trauma hospital in Indianapolis, Indiana. All Pine is a Joint Commission approved Medicare/Medicaid facility and houses a separate large inpatient and outpatient cardiology building adjacent to the main hospital. Palmer Cardiology Associates manages the cardiology center with Dr. Robert Palmer as the medical director. Dr. Palmer's group has been affiliated with All Pine Medical Center for the past fifteen years and generates a vast amount of revenue for the facility.

Ten months ago, All Pine moved totally away from paper medical records and implemented an electronic health record (EHR) system. The move was completed in two phases over an eighteen-month time span. Dr. Palmer's group was ecstatic about the move to an EHR and was fully on board with the change. Today, Dr. Palmer and his colleagues are frustrated over all of the security features associated with All Pine Medical Center's new EHR. Dr. Palmer wants some of the security features disabled so he can get faster access to his patients' data and not be limited in the time spent with a patient's record.

The current process in place for all physicians and hospital employees is to first log on to All Pine Medical Center's main system with a user name (assigned by the hospital IT department) and password (selected by the physician or employee); second, log on to the electronic health record using the main user name but a different password along with an access code (again assigned by the hospital IT department). Dr. Palmer and his associates want to sign on one time and access anything they want within the main system and electronic health record for as long as they want. He has assured the hospital risk management and health information management departments that his group will sign off once they have completed what they needed to do or access in the patient record.

Due to the State and Federal rules and regulations with regard to confidentiality and security of patient health information, the health information management department is at a loss as to how to accommodate Dr. Palmer's request. The Chief Executive Officer (CEO) and the Chief Information Officer (CIO) of All Pine have said, "Just make him happy." The health information management director, along with risk management, quality assurance, and the facility's IT department, has formed a task force to find a way to modify Dr. Palmer's and his group's access to the hospital's main system and the EHR. The task force has reviewed the following documents for guidance on confidentiality and security of patient health information:
1. All Pine's internal policy and procedures on confidentiality, security, and access to patient health records.
2. Joint Commission Accreditation rules and regulations for confidentiality, security, and access to patient health records.
3. HIPAA rules and regulations on confidentiality, security, and access to patient health records.

They are at a standstill on a concrete resolution for Dr. Palmer's request. Your task, utilizing the 6 goals of the ARC, is to assess the issue/problem between Dr. Palmer and his group and All Pine Medical Center.