Key Threat 3

Unauthorized Access

Because the client application that interfaces with the company LLM runs on user endpoints, any of those endpoints may be compromised. If a compromised endpoint has the client application open and signed in, the attacker can use the solution even though they are not authorized to; the same outcome follows if the attacker harvests the user's credentials or session from that endpoint.

STRIDE Model for Client Application

Threat / Possible Threat Scenarios

Spoofing Identity

  • Client application on a compromised endpoint left open and signed in, allowing an unauthorized person to reach the LLM as the legitimate user

  • Use of stolen credentials to log in as a legitimate user

  • Session hijack: a stolen session token or cookie replayed from the attacker's machine

Tampering

  • MITM attack between the client and the LLM, altering prompts or responses in transit
Repudiation

  • Alteration or deletion of the local chat logs between the user and the LLM, so that requests sent through the client can no longer be attributed to the attacker (and can be denied by the legitimate user)

Information Disclosure

  • Unauthorized user able to obtain any information the LLM will return.

  • Even responses that are not classified as sensitive may give an outsider insight into the organization.

Denial of Service

  • Threat actor with access to the client application and its prompt can flood the LLM with requests, consuming the resources available to legitimate users (resource exhaustion).

Elevation of Privilege

  • Threat actor may gain further privileges within the network by way of the unauthorized client access, for example where the user reuses the same username/password across multiple company resources.

Potential Negative Impacts (Risks)

The risks for this key threat revolve around the unauthorized disclosure of data, privacy policy violations, and data theft.

Risk Rating - High

The impact of an unauthorized user obtaining access to the client application has great potential to be highly adverse: such a scenario could allow the attacker to steal data from the organization or launch a denial-of-service attack against PropScreen. These events do not, however, prevent PropScreen from performing its core operation, which is why the rating is High rather than the maximum. In theory PropScreen can still perform interdiction operations and curb the impact of the threat actor's malicious actions.

Appropriate Defenses and Security Controls

The client application should be implemented with role-based access control (RBAC), so that each user has a defined set of permissions governing what they can ask the model; these checks must be enforced on the server side, because a compromised endpoint cannot be trusted to enforce anything. MFA/2FA should also be required at sign-in before the client can send requests to the company LLM/PropScreen. Because this key threat assumes an attacker at an already-open client, sessions should additionally expire after a short idle period, be bound to the device they were issued to, and require re-authentication for sensitive requests. Best practices for developing web applications, such as the OWASP Developer Guide, should be followed to ensure the client application is developed securely.
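As an added illustration (not code from this page or from PropScreen), the following Python sketches a server-side gateway that enforces the controls just described: a session is only issued after MFA, it is bound to a device fingerprint so a hijacked token replayed from another machine is rejected, it expires when idle, it demands MFA step-up after a fixed age, its role determines which request scopes are permitted, and per-user rate limiting blunts prompt flooding. The role and scope names, the timeouts and the rate limit are assumptions chosen for the example.

```python
"""Hypothetical server-side access gate for a company LLM (example, not PropScreen's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed role-to-scope map: which kinds of prompts each role may send.
ROLE_SCOPES = {
    "support": {"chat:general"},
    "analyst": {"chat:general", "chat:property-data"},
    "admin": {"chat:general", "chat:property-data", "chat:admin"},
}

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is revoked (assumed)
MFA_MAX_AGE = 8 * 3600   # seconds after which MFA must be redone (assumed)
RATE_LIMIT = 20          # max prompts per user per RATE_WINDOW (assumed)
RATE_WINDOW = 60


def device_fingerprint(raw: str) -> str:
    """Hash of a client-supplied device identifier (e.g. a client-cert thumbprint).
    Only the hash is stored, and it is compared in constant time."""
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class Session:
    user: str
    role: str
    device_fp: str
    mfa_verified_at: float
    last_seen: float
    request_times: list = field(default_factory=list)


class LLMGateway:
    """All decisions are made here, never in the client, so a compromised
    endpoint gains nothing by patching the client application."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def issue_session(self, user, role, device_id, mfa_ok, now=None):
        """Called after password and MFA both succeed; returns an opaque bearer token."""
        if not mfa_ok:
            raise PermissionError("MFA required before a session is issued")
        if role not in ROLE_SCOPES:
            raise PermissionError(f"unknown role {role!r}")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, role, device_fingerprint(device_id), now, now)
        return token

    def authorize(self, token, scope, device_id, now=None):
        """Return (allowed, reason). Denials that point at a stolen token revoke the session."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or revoked session"
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return False, "session expired (idle)"
        if not hmac.compare_digest(s.device_fp, device_fingerprint(device_id)):
            del self.sessions[token]  # token replayed from another device: treat as hijack
            return False, "device mismatch: session revoked"
        if now - s.mfa_verified_at > MFA_MAX_AGE:
            return False, "MFA step-up required"
        if scope not in ROLE_SCOPES[s.role]:
            return False, f"role {s.role!r} may not use {scope}"
        # Sliding-window rate limit against prompt flooding by a single account.
        s.request_times = [t for t in s.request_times if now - t < RATE_WINDOW]
        if len(s.request_times) >= RATE_LIMIT:
            return False, "rate limited"
        s.request_times.append(now)
        s.last_seen = now
        return True, "ok"


if __name__ == "__main__":
    gw = LLMGateway()
    tok = gw.issue_session("alice", "analyst", "cert-A", mfa_ok=True, now=1000.0)
    print(gw.authorize(tok, "chat:property-data", "cert-A", now=1001.0))  # allowed
    print(gw.authorize(tok, "chat:general", "cert-B", now=1002.0))        # hijack: revoked
```

The device binding is what turns a stolen session token into a dead end: a replayed token from the attacker's own machine fails the fingerprint check and kills the session for the legitimate user as well, which is the desired outcome under this threat. The step-up check limits how long an open, unattended client stays useful to someone at the keyboard, and the rate limit caps the damage of the flooding scenario listed under Denial of Service.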

Prioritization Rationale

Confidentiality of LLM responses must be ensured because they are the property of the organization implementing the solution. Developing a secure client is one way to help ensure that confidentiality. Additionally, a more secure client application strengthens PropScreen's security posture, since PropScreen is less likely to be reached by malicious actors than if the client application were unsecured or developed contrary to best practices.
