Page 260 - Trust in ICT 2017
P. 260
5 Trust in ICT
Appendix I
Detailed potential risks in ICT infrastructures and services
(This appendix does not form an integral part of this Recommendation.)
This appendix provides detailed potential risks in ICT infrastructures and services with respect to physical,
cyber, and social worlds.
I.1 Risks at the physical world
– Natural threats [b-Brauch]
Natural threats such as earthquakes, hurricanes, floods, and fire could cause severe damages to physical
components and computer systems. It is hard to predict and prevent natural disasters in advance, and few
safeguards can be implemented against them.
– Physical threats
Outbreaks caused by physical threats tamper with hardware components and device protocols such as
insertion of positive reputation and recommendation values into a untrustworthy device, inserting and
booting with fraudulent or modified software, and environmental/side-channel manipulation, both before
and after of the device’s deployment.
Trust and privacy are also issues in the physical world due to the broadcast nature of the communication
media. Confidential information communication is vulnerable over a network in the presence of
eavesdroppers that may intercept the information exchange between legitimate terminals and interrupt the
desired behaviour of the legitimate users and devices.
On the other hand, inadequate and unreliable information or physically unstable devices themselves can
make potential risks to the proper behaviour of the system. Furthermore, due to interdependencies, the
system structure (e.g., cascade or parallel) and compatibility issues among systems can do more harm than
expected.
I.2 Risks at the cyber world
a) Cyber/Information security threats [b-Wilson]
1) Threats on the core network such as delivery of fake trust information, impersonation of
devices, traffic tunnelling between impersonated devices, and mis-configuration of the firewall
in the network equipment could be the target of several kinds of hazards.
2) Configuration vulnerabilities such as fraudulent software update/configuration changes, mis-
configuration by the software agents, subscribers, users, or the owner, and mis-configuration
or compromise of the access control lists.
3) Compromise of credentials comprising brute force attacks on authentication tokens and
algorithms, physical intrusion, or side-channel attacks, and malicious cloning of authentication
tokens.
4) User data and identity privacy attacks including eavesdropping for other users or devices data
sent over the systems; masquerading as other user/subscribers device; user’s network identifier
or other confidential data revealed to unauthorized third parties.
5) Access vulnerabilities is that unauthorized persons gain access to networks or devices to which
they have no right to access. There are two different types of access vulnerabilities; the first is
physical access, whereby the intruder can gain access to a physical device. The second is remote
access, which is done to Internet-connected devices.
b) Privacy threats [b-Weber]
Privacy protection, especially in Internet of Things (IoT) environments, has become increasingly challenging
due to large volumes of information easily available through remote access mechanisms.
252