Using Attack-Defense Trees to Analyze Threats and Countermeasures in an ATM: A Case Study



1 GMV, Madrid, Spain
2 Consult Hyperion, Guildford, UK
3 University of Luxembourg, SnT, Esch-sur-Alzette, Luxembourg
4 University of Twente, Enschede, Netherlands

Abstract. Securing automated teller machines (ATMs), as critical and complex infrastructure, requires a precise understanding of the associated threats. This paper reports on the application of attack-defense trees to model and analyze the security of ATMs. We capture the most dangerous multi-stage attack scenarios applicable to ATM structures, and establish a practical experience report, where we reflect on the process of modeling ATM threats via attack-defense trees. In particular, we share our insights into the benefits and drawbacks of attack-defense tree modeling, as well as best practices and lessons learned.

Keywords: Attack-defense trees · Security modeling · ATM security

1 Introduction

Worldwide, the compromise of automated teller machines (ATMs) is a very lucrative criminal business. One of the prime reasons is the monetary incentive, allowing successful attackers to take money instantly. Moreover, their geographical spread, dependence on human interactions, and integration of local and external networks make ATMs a very accessible target for exploitation, vulnerable to a large variety of attack scenarios. Thus, criminals constantly invent new ways to circumvent protections and compromise the machines. The European ATM Crime Report (EAST)¹ estimates that the loss in 2015 due to ATM Related Fraud Attacks in Europe was around 300 million euros. The security of individual ATMs concerns both banks and the organizations hosting the machines. In this context, security risk management, being a critical activity for any enterprise, becomes essential. To support risk analysts, many methodologies have been developed. These include security methods, such as NIST SP800-30, standards for the risk management process (e.g. ISO/IEC 27005), and modeling techniques and formalisms (for example, misuse cases [13], anti-goal refinement [10], and attack trees [18]). These methodologies aim at providing structure to the risk assessment process, facilitating interactions among stakeholders, and cataloguing the identified threats. Furthermore, some of these techniques enable advanced quantitative risk analysis with security metrics, e.g. expected time of attack or worst case impact. In this paper, we report on the application of attack-defense trees to security ris

The research leading to the results presented in this work received funding from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement number 318003 (TREsPASS).

¹ https://www.european-atm-security.eu/tag/european-atm-crime-report/

© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. J. Horkoff et al. (Eds.): PoEM 2016, LNBIP 267, pp. 326–334, 2016. DOI: 10.1007/978-3-319-48393-1_24
