Inference vs Aggregation
45 views
Skip to first unread message
Anil Kumar K
Jun 10, 2018, 3:18:58 AM6/10/18
to cissp...@googlegroups.com
1. Johnson
Widgets strictly limits access to total sales volume information,
classifying it as a competitive secret. However, shipping clerks have
unrestricted access to order records to facilitate transaction
completion. A shipping clerk recently pulled all of the individual sales
records for a quarter and totaled them up to determine the total sales
volume. What type of attack occurred?
2. A person pulled the old and current employee payslip data to find out the differences and to know the percentage/value of salary hike?
Inference or Aggregation.
CCCure Support
Jun 10, 2018, 8:58:28 AM6/10/18
to CISSPtalks
Good morning Anil,
Let me try to explain those two terms. They seem the same at first
but there are some key differences.
> 1. Johnson Widgets strictly limits access to total sales volume information,
> classifying it as a competitive secret. However, shipping clerks have
> unrestricted access to order records to facilitate transaction completion. A
> shipping clerk recently pulled all of the individual sales records for a
> quarter and totaled them up to determine the total sales volume. What type
> of attack occurred?
This is aggregation for sure. There are a few keywords giving it away
such as telling you the sum of all the data is a Competitive Secret.
This means the clerk should not have access to such data but he was
able to do it simply by doing multiple queries and combining the data.
The sum of the data is higher than each of the part.
For example, when I was in the Department of Defense, an annual
performance report was classified as CONFIDENTIAL. If I would
store the performance report of the 25 specialist working for me in
one place, I had to treat it as SECRET. The sum of all the report
together would give you a classification higher than each of the
parts.
> 2. A person pulled the old and current employee payslip data to find out the
> differences and to know the percentage/value of salary hike?
Inference happen when you compare two sets of data to derive a third
one. You infer new information from what you already have. This
is an attack that is possible in the logical world and also in the
physical world. This is usually use when people wish to commit
crimes.
For example, it happened to my wife Nathalie. She likes to go to
the Gymnasium in the morning before going to work. One day, she got
out of the car with only a keys in her hand. Someone hiding in the
parking lot was able to infer that her purse and change of clothes was
in the car while she was training. They observe the behavior two
days in a row and that how they infer the new information.
Obviously, once she walked out of the gym she had a surprise, the
driver window was broken and her purse and wallet was gone.
Best regards
Clement
Let me try to explain those two terms. They seem the same at first
but there are some key differences.
> 1. Johnson Widgets strictly limits access to total sales volume information,
> classifying it as a competitive secret. However, shipping clerks have
> unrestricted access to order records to facilitate transaction completion. A
> shipping clerk recently pulled all of the individual sales records for a
> quarter and totaled them up to determine the total sales volume. What type
> of attack occurred?
such as telling you the sum of all the data is a Competitive Secret.
This means the clerk should not have access to such data but he was
able to do it simply by doing multiple queries and combining the data.
The sum of the data is higher than each of the part.
For example, when I was in the Department of Defense, an annual
performance report was classified as CONFIDENTIAL. If I would
store the performance report of the 25 specialist working for me in
one place, I had to treat it as SECRET. The sum of all the report
together would give you a classification higher than each of the
parts.
> 2. A person pulled the old and current employee payslip data to find out the
> differences and to know the percentage/value of salary hike?
one. You infer new information from what you already have. This
is an attack that is possible in the logical world and also in the
physical world. This is usually use when people wish to commit
crimes.
For example, it happened to my wife Nathalie. She likes to go to
the Gymnasium in the morning before going to work. One day, she got
out of the car with only a keys in her hand. Someone hiding in the
parking lot was able to infer that her purse and change of clothes was
in the car while she was training. They observe the behavior two
days in a row and that how they infer the new information.
Obviously, once she walked out of the gym she had a surprise, the
driver window was broken and her purse and wallet was gone.
Best regards
Clement
Reply all
Reply to author
Forward
0 new messages