HW1 - Threat Assessment
Objectives
Learning to think like an attacker is a critical part of cybersecurity. In this project, you will observe a system and consider how you might exploit it. You will also gain experience using the DREAD and STRIDE models discussed in class.
Requirements
In this homework, you should work in teams of 2 or 3 people. If you really want to, you are permitted to work alone. You should only work with other students in your own section (undergraduate or graduate).
With your partners, observe people in a public place using a computerized system. For example, you might observe people using a public transit ticket machine (e.g., in the Metro), a parking garage pay station, a grocery store self-checkout machine, a library self-checkout machine, or an airport self-check-in kiosk. Stay long enough to observe 3–5 people use the system. Also, if possible, try using the system at least once yourself to understand how it works.
Based on your observations, write a report about the system containing the following sections:
- System description
  - What was the system?
  - Who is supposed to use the system? What are their tasks? What are their goals?
- Diagrams
  - Diagram the user workflow.
  - Produce a data flow diagram for the system.
  - As you don’t have access to the inner workings of the system, make reasonable guesses to fill in this diagram.
- Asset analysis
  - What assets exist in this system?
  - What assets are most valuable?
- Adversary analysis
  - Who might try to attack the system? (hint: remember Table 1.2 in the book)
    - Are they an insider or outsider?
    - What are their objectives?
    - What are their methods?
    - What are their capabilities?
    - You should identify at least three adversaries.
- Attack trees
  - Create 1–2 attack trees for each of the adversaries you identified.
  - Your analysis must have at least two adversaries and five attack trees.
- Defender analysis
  - Who is trying to defend the system?
  - What resources do they have access to?
  - As you don’t have access to the inner workings of the system, make reasonable guesses about this information.
- Risk analysis
  - Use the DREAD model to evaluate the risk for five of the attack trees.
    - Make sure you take into account all relevant information, including attacker capabilities and defender resources.
    - As you don’t have access to the inner workings of the system, make reasonable guesses to fill in the model.
- Mitigations
  - Propose three mitigations that could lower the calculated risk for any of the attack trees.
  - Recalculate risk using DREAD taking into account these mitigations. Identify which of the DREAD calculations you updated from the previous section.
- Reflect
  - Reflect on what you have learned in this assignment.
    - What did you learn about the system?
    - How does this impact how you think of security?
    - This should be 2–3 paragraphs.
- Proof of observation
  - You and your team should submit a photo of yourselves at the observation location to prove you did the task at hand. Please include an image of someone’s phone screen that shows the date.
Grading Rubric
- 10 points for the system description section.
- 10 points for the diagrams section.
- 10 points for the asset analysis section.
- 10 points for the adversary analysis section.
- 10 points for the attack tree section.
- 10 points for the defender analysis section.
- 10 points for the risk analysis section.
- 10 points for the mitigation section.
- 15 points for the reflection section.
- 5 points for proof you did the observation (like a photo of the group there)
For each section, we will be looking to see that the report covers all the requested items and that an honest effort has been made. I am not looking for perfection, especially since you are new to threat analysis and do not have access to all the information about the system.
Use of AI
As a reminder, any use of AI technology in generating the solutions to this homework assignment will result in a grade of 0 on the assignment. I will be checking.
Submission Requirements
You should submit a single PDF document via the Blackboard link.
Late Policy
As outlined in the syllabus homework late policy, this homework assignment is due on the date specified. One time during the whole semester, you may request a three-day extension without any explanation for any homework assignment. If you have already used your three-day extension on a different assignment, you may submit this assignment three days late for 25% credit. If you cannot do so, you may submit the assignment anytime by the final lecture for 50% credit.
Acknowledgement
This assignment is adopted from Scott Ruoti and Daniel Zappala. Thank you!