Update v6a6-1-2

Fixes bug in construction pattern DSDPS+DC, as described in issue #149.

Update v6a6-1-1

In this release:

• Refactored software vulnerability discovery by adding a new behaviour 'Vulnerability Discovered' for Host and Process assets, recasting the CVSS v2 related threats to be secondary threats cause by this new behaviour, removing the control strategies for them, and adding new threats that cause the Vulnerability Discovered behaviour, along with the including the mentioned controls on them. This then reduces the number of software vulnerability TWAs affected by threats addressed by software patching and related controls. Whilst system-modeller does not yet do this, this can then allow a future potential update to the system-modeller to filter out irrelevant asset-behaviour-threat-CSG combinations and reduce the size of risk treatment reports that include software vulnerabilities.
• Updated the risk lookup table in the domain model, which became out of date due to the system-modeller currently ignoring it (an update will come to ystem-modeller to address this).
• Improved the user-data interactions to better assert and determine which processes are used to access data and the subsequent correct data flow paths when there are multiple processes involved. Now user-data interactions are expressed via asserted user-process and process-data relationships, and not user-data relationships, which cannot encode which process is used to access the data. A modelling error has also been added that detects cases of Human-Data interaction relationships that have been asserted.

Update 6a5-1-2

This release includes improvements to the data flow modelling to address bugs in related cache generation, surfacing threats, and data flow contextualisation. It also addresses overspecified IoT surfacing threats and a construction error in IoT control input resulting in the control data of an actuator not being stored on that actuator.

Update 6a-5-1-1: Assertable Data for IOT Actuators and Sensors

In this release:

• Added the ability for users to assert the data that is sensed by Sensors and that controls Actuators and Sensors.
• Added modelling errors that warn the user if they are inferring the sensed and control data for actuators and sensors so that they are aware this is general data, as well as adding a description of what to do if a specific data type is wanted to be used and also adding controls to override these modelling errors.
• Deprecated the Health Sensor by use of a modelling error since its functionality is now achieved through use of the Sensor sensing Health Data.

CK4SME Final

Incorporates all new submodels and extensions developed during the EU CyberKit4SME project, including fixes for issues found in regression tests after the project.

Technically this is not backward compatible with older system models, due to the presence of new assertible asset and relationship types associated with Data Fields. In practice, since older system models won't be using these types, it should be possible to upgrade easily.

Data lifecycle update

This release includes improvements in client-service interaction models, especially those involving authenticating or transparent proxies, and improvements in data lifecycle inference.

The data lifecycle improvements include various bug fixes and one new feature - a new Process-Data relationship type 'relays'. This provides a way to 'pin' a data flow to go via the Process even where it may not be on the shortest path between data source and destination.

This can already be done by asserting a Process-serves-Data relationship, but that implies that data requests and possibly data may be processed there, e.g.,

• to encrypt, decrypt or re-encrypt data as it passes through the Process (which may be on an organisational boundary)
• to filter data by pre-processing data requests before forwarding them and returning data (possibly at a DB process, possibly to translate between query languages)

Unlike 'serves', the new 'relays' relationship does not imply any processing of data requests, let alone data. The inference rules convert a relay into a transparent intermediary, with no disturbance of the end-to-end data flow (other than to change its route through the network).

Data centre bug fix

This release contains a bug fix to the inference rules around hosting of virtual hosts at a data centre. There is also an updates to the labelling of laptop PCs.

Usability Update

Changed labels of IOT devices to include IOT in name.

v6a3-2-3: Merge pull request #45 from Spyderisk/43-iot-sensor-control-issue

Minor fixes to the flows of control inputs to an IoT sensor. Some new relationship types added, but the old ones should still work.

Update 6a3-2-2

Incorporates IoT model updates from 6a3-2-1 and corrections for isCurrentRisk and isFutureRisk flags on threats and control strategies.