Now that you have had the opportunity to review various Cyber Attack Scenarios, it is now your turn to create one. As a Group you will identify a Scenario plagued with Cyber Threats. Each team will then be required to create a Threat Model (Logic Diagram) with various options. Selections will result in another option.
Below are some examples of possible Threat Modeling activities.
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
Each team will be required to present their Threat Model via Powerpoint and present to the class on Day 3. Each member of the team will be required to submit a copy of their teams powerpoint.
Subject :
Spring 2020 – Emerging Threats & Countermeas (ITS-834-25) – Full Term
Documentation : https://www.cs.montana.edu/courses/csci476/topics/threat_modeling
Example :
https://www.helpsystems.com/blog/break-time-6-cybersecurity-games-youll-love
1. Targeted Attack: The Game
2. Cybersecurity Lab
3. Cyber Awareness Challenge
4. Keep Tradition Secure
What you need to do:
Write one page abstract
DO one page PPT
Write 2 pages main paper for this two topics( Library users and librarian & User credentials )
Draw a diagram if possible
User DB read access:
Libraries are the critical knowledge sources for any educational institution where there is a collection of multiple books in various subjects and languages. Each institution has its Libraries, both Digital and print libraries. The access permissions to the library restrict to users based on the roles and designations. Most of the users are students, professors where they are permitted to have read access to the library database. Nowadays, most of the universities are moving to digital libraries, but they are not entirely removing the print collections. All universities are providing the opportunity to the students to access the library database to check the stock of books available and to order them. This user access to the library database helps students to review the availability easily and quickly with our searching in person at the library. Students save a lot of time with the user access to the Library database. There are some disadvantages if the students are not following security principles. There would be a possibility of a cyber threat if the student access credentials to the library database hacking. Many hackers are trying to get access to the university database for stealing the student and professor’s information. If anyone of the students in the university is not following the security principles, then the hackers get a chance to hack the library website. University Library DB admin should follow strict security policies and provide limited permissions to users and should also implement secure access and login process like Two-Factor Authentication. Admin should also implement breach detection technology for the university database and to monitor the breach detection system logs to check if in case of any data misuse or breach occur. The users are assigned with the Read only access permissions for the university library website.
Database security issues are generally significant for some applications. Customarily, investigation in the database network in the territory of information security can comprehensively characterize in to get to control research, and information protection examine (Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January)). Shockingly, there is little cover between these two zones. Right now, open a conversation that inquires as to whether there is a reasonable center ground between these territories. Given that the primary foundation gave by database frameworks where much delicate information lives should be control, we pose the inquiry how the database frameworks foundation can step up to help with security needs.
Notwithstanding, the leading help gave by database frameworks where much delicate organized information lives is the system forget to control. Quickly, the thought is to approve a client to get to just a subset of the information. The approval is upheld by expressly reworking questions to restrain access to the recommended subset (Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January)).
Librarian/Admin DB read/write access:
The database access permissions set to an individual based on their role and designation to protect the secured personal information from misuse. Hackers always try to hack and access the database to steal the data from abuse. So proper security methods and permissions need to follow to protect the data from cybercriminals. The university librarian is a user who has given the Read/write permissions because he has the information about the stock of the books coming into the library and going out of the library. He always needs to update the inventory whenever the stock arrives. The students and professors have given only read access because they use to check only the availability of the books and place the order; there is no need to have write access. But for the Librarian/Admin, there should have both read/write permissions for updating the inventory.
The development of database innovation has additionally altogether expanded security concerns Byun, J. W., & Li, N. (2008)). The present database innovation causes it conceivable to gather to and store a gigantic measure of individual explicit information. The utilization of inventive information extraction methods joined with cutting edge information combination. Relationship systems make it conceivable to naturally extricate a considerable assortment of data from the accessible databases and a massive variety of data vaults available on the web (Byun, J. W., & Li, N. (2008)). Even though the immediate casualties of security infringement are customers, numerous undertakings and associations are profoundly worried about protection issues too (Byun, J. W., & Li, N. (2008)).
References:
https://online.visual-paradigm.com/app/diagrams/#diagram:proj=0&type=ThreatModelDiagram&gallery=/repository/b025dca9-184d-4f18-9d80-abfadb176ec3.xml&name=Website%20Threat%20Modeling
Byun, J. W., & Li, N. (2008). Purpose based access control for privacy protection in relational database systems. The VLDB Journal, 17(4), 603-619.
Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January). Database access control and privacy: Is there a common ground?. In CIDR (pp. 96-103).
Summary:
Database access permissions assigned to the persons based on the individual designation and their role at the workplace. Students and Professors of University are given read-only access for the library website, whereas the Librarian/Admin has both the Read and Write access.
Conclusion:
Database access permissions should allocate according to the person’s role and designation to protect data from cyber threats and hackers.
User DB read access
Librarian/Admin DB read/write access
Week 13 – Residency
Spring 2020
Group 3
002835518 – Chalamalasetty, Srinivas
002826551 – Ganji, Umakumar
002849521 – Karra, Ravi Sastry
002838332 – Kukkala, Indrakaran Reddy
002826761 – Malineni, Srinivas
002837463 – Namburu, Krishna Chaitanya Chowdary
University of the Cumberlands
Website system
The security threat identification for a university based library system is considerably significant under the minimal knowledge of danger it could pose. However, it is brought to our attention that the university library website systems have really a good threat model.
Nevertheless, the library management and the administrator have carefully analyzed the library website system and made a unrealistic assumptions with respect to what are the components that align with the access of the webpage for both send request and received response. The components include both the Graphical
User
interface that allows user to login or create account and access the books and other material from the library database system. The work to make a threat model has directed us to make assumptions that could either be developed or cannot be developed. Based on the assumptions prepared on threat model for the library website system helped us in understanding and the stimulated upgrades required for improving the security of those components (Shostack, 2014).
STRIDE and its associated derivations
The properties of the STRIDE threats would be generally to see if a system has the assets that are involved before building and accessing a library website system, like proper authentication and authorization to respective roles and availability of the resources like books and other materials. STRIDE signifies the properties of
Spoofing
, tampering,
Repudiation
,
Information disclosure
,
Denial of service
, and
Elevation of privilege
(Montana State University, n.d.).
|
Threat |
Property |
Mitigation strategy |
|
| Spoofing |
Modify a link |
Occurs for link check and link access. |
Leverage the server path |
|
Assign any role |
Create a fake account |
Identification and authentication |
|
|
Tampering |
Modify files on server |
External files on private server domain |
Use directory from arbitrary protection |
|
Modify data over network |
External file access through wifi |
Cryptography |
|
| Repudiation |
Clicked the link |
Directed to the page that looks almost like original webpage |
Protect the logs |
|
Clicked the link and got response |
Downloads a file onto your system |
Specify rubrics to logs |
|
| Information disclosure |
Throws error message with user details |
No rules to the database tables with senstive information |
Encryption |
| Denial of service |
Multiple requests sent |
Slows down the server system |
Maintain usable resources |
| Elevation of privilege |
Inappropriate read/write access to a user |
Corrupts the information display to user |
Incorporate tools to maintain and authenticate data flow |
The above STIDE properties apply to the user scenarios depending on the external factors the library website system can have impacting the following servers (Montana State University, n.d.),
|
User scenarios |
External dependencies |
|
Students can search the database |
Web server |
|
Staff can search the database |
Database server |
Database system
The university library database system has been expecting that these links between the Graphical User Interface of the website and the database of the library resources should be posted and administered on a reliable network system. Under the security circumstance it is needed by the
admin
user to maintain the performance and the accessibility of resources accurately. The operating system, encryption and decryption of the user information helps to secure the components of both the website and database system (Shostack, 2014).
By limiting the set of connections with controlled permissions either run through in-network or out-network of campus it would address the trusted data stores and network to control the access of information. The respective assets and roles would mitigate the threats when structured as per standard IT rules (Montana State University, n.d.).
|
Asset |
Role |
Role description |
||
| Website system |
guest user |
the guest user can access the database but cannot perform any action |
||
| Database system |
unknown user |
the user is not available in the system |
||
| User |
user is authenticated as student |
|||
| Staff |
user is authenticated as staff |
|||
|
Website and Database system |
admin |
user is authenticated as administrator with full read and write privileges |
References
Shostack, A. (2014). Threat Modeling Designing for Security. pp 14-21, 62-74
Montana State University. (n.d.).CSCI – Threat Modeling. Retrieved from: https://www.cs.montana.edu/courses/csci476/topics/threat_modeling
LIBRARY WEBSITE SYSTEM
Scenario
Graphical User interface that allows user to login
Graphical User interface that allows user to create account
Graphical User interface that allows user to access the books and other material from the library database system
Threat Model
Website outsourced tools and security firewalls are not completely reliable for website development.
Encrypt and decrypt the data sent ad received from and to the user.
Mitigations
Identification
Authentication
LIBRARY WEBSITE SYSTEM
LIBRARY DATABASE SYSTEM
Scenario
Database tool and architecture that allows user to CRUD information
Database tool and architecture that allows user to that links between the Graphical User Interface of the website and the database of the library resources
Database tool and architecture that allows user to post and administer on a reliable network system
Threat Model
Modify data over public network like WiFi.
Load on the database system for multiple threads of requests.
Mitigation
Identification and authentication of user.
Use approved database tools and reviewed architecture for uninterrupted data flow.
Residency Paper By
Group 3
2
Week 13 – Residency
Spring 2020
Group 3
002835518 – Chalamalasetty, Srinivas
002826551 – Ganji, Umakumar
002849521 – Karra, Ravi Sastry
002838332 – Kukkala, Indrakaran Reddy
002826761 – Malineni, Srinivas
002837463 – Namburu, Krishna Chaitanya Chowdary
University of the Cumberlands
Abstract
Website system
The security threat identification for a university-based library system is considerably significant under the minimal knowledge of danger it could pose. However, it is brought to our attention that the university library website systems have really a good threat model.
Nevertheless, the library management and the administrator have carefully analyzed the library website system and made a unrealistic assumptions with respect to what are the components that align with the access of the webpage for both send request and received response. The components include both the Graphical
User
interface that allows user to login or create account and access the books and other material from the library database system. The work to make a threat model has directed us to make assumptions that could either be developed or cannot be developed. Based on the assumptions prepared on threat model for the library website system helped us in understanding and the stimulated upgrades required for improving the security of those components (Shostack, 2014).
STRIDE and its associated derivations
The properties of the STRIDE threats would be generally to see if a system has the assets that are involved before building and accessing a library website system, like proper authentication and authorization to respective roles and availability of the resources like books and other materials. STRIDE signifies the properties of
Spoofing
, tampering,
Repudiation
,
Information disclosure
,
Denial of service
, and
Elevation of privilege
(Montana State University, n.d.).
|
Threat |
Property |
Mitigation strategy |
|
| Spoofing |
Modify a link |
Occurs for link check and link access. |
Leverage the server path |
|
Assign any role |
Create a fake account |
Identification and authentication |
|
|
Tampering |
Modify files on server |
External files on private server domain |
Use directory from arbitrary protection |
|
Modify data over network |
External file access through wifi |
Cryptography |
|
| Repudiation |
Clicked the link |
Directed to the page that looks almost like original webpage |
Protect the logs |
|
Clicked the link and got response |
Downloads a file onto your system |
Specify rubrics to logs |
|
| Information disclosure |
Throws error message with user details |
No rules to the database tables with senstive information |
Encryption |
| Denial of service |
Multiple requests sent |
Slows down the server system |
Maintain usable resources |
| Elevation of privilege |
Inappropriate read/write access to a user |
Corrupts the information display to user |
Incorporate tools to maintain and authenticate data flow |
The above STIDE properties apply to the user scenarios depending on the external factors the library website system can have impacting the following servers (Montana State University, n.d.),
|
User scenarios |
External dependencies |
|
Students can search the database |
Web server |
|
Staff can search the database |
Database server |
Database system
The university library database system has been expecting that these links between the Graphical User Interface of the website and the database of the library resources should be posted and administered on a reliable network system. Under the security circumstance it is needed by the
admin
user to maintain the performance and the accessibility of resources accurately. The operating system, encryption and decryption of the user information helps to secure the components of both the website and database system (Shostack, 2014).
By limiting the set of connections with controlled permissions either run through in-network or out-network of campus it would address the trusted data stores and network to control the access of information. The respective assets and roles would mitigate the threats when structured as per standard IT rules (Montana State University, n.d.).
|
Asset |
Role |
Role description |
||
| Website system |
guest user |
the guest user can access the database but cannot perform any action |
||
| Database system |
unknown user |
the user is not available in the system |
||
| User |
user is authenticated as student |
|||
| Staff |
user is authenticated as staff |
|||
|
Website and Database system |
admin |
user is authenticated as administrator with full read and write privileges |
Availability of the webserver
In this use case scenario, an anonymous user may send multiple service request packets to the library web server which will lead to overwhelming the capability of the library web server, which intern results in denial of service attack on the webserver.
When the credentials are not sanitized properly then an attacker may inject some SQL strings which will be then executed by the webserver. In this way the attacker may store some unwanted data on the website, so when some authorized person accesses the website then he can see some irrelevant information on the website. In some other cases, like where the staff and students will have access to a web server and somehow if those people can access beyond their limit and in those cases, they might execute some OS commands and they can get some restricted data and directories of the library. To avoid this kind of threat, various tools will scan your web server and all the applications currently running on it. This will show you all kinds of threats and vulnerabilities on your web server, later you can remove those by using tools.
Availability of the DB server
Databases are the most important for any organization or university or hospital because they will store their data in those db servers only, so protection of db server is a very essential thing. In our use case scenario library, db server will have whole information related to all books. In some scenarios, say like students and staff will have default database access which exceeds their requirement then that might cause some threats to db server. So, while providing the default access to anyone, we need to check whether the user needs that level of access.
Usually, every db sever has their back up (duplicate copy), those backup data should be protected as well because if the protection level for the backup data is not up to the level then the anonymous user or user have access to original db server will try to access this duplicate db server and they will steal sensitive information. The attacker may attack during patch up db servers, because that was the time the db sever remain vulnerable.
To avoid these kinds of attacks on your web server, a couple of things you need to do like update and patch web servers and do not use the default configuration at all for your web server. You need to store configuration files very safely and scan the applications running on the webserver for all vulnerabilities and use IDS and firewall with updated signatures and block all unnecessary protocols and services and use secure protocols., and disable default accounts, follow strict access control policy and install Anti-virus, and update it regularly and all OS and software used should be latest and updated.
User DB read access
Libraries are the critical knowledge sources for any educational institution where there is a collection of multiple books in various subjects and languages. Each institution has its Libraries, both Digital and print libraries. The access permissions to the library restrict to users based on the roles and designations. Most of the users are students, professors where they are permitted to have read access to the library database. Nowadays, most of the universities are moving to digital libraries, but they are not entirely removing the print collections. All universities are providing the opportunity to the students to access the library database to check the stock of books available and to order them. This user access to the library database helps students to review the availability easily and quickly with our searching in person at the library. Students save a lot of time with the user access to the Library database. There are some disadvantages if the students are not following security principles. There would be a possibility of a cyber threat if the student access credentials to the library database hacking. Many hackers are trying to get access to the university database for stealing the student and professor’s information. If anyone of the students in the university is not following the security principles, then the hackers get a chance to hack the library website. University Library DB admin should follow strict security policies and provide limited permissions to users and should also implement secure access and login process like Two-Factor Authentication. Admin should also implement breach detection technology for the university database and to monitor the breach detection system logs to check if in case of any data misuse or breach occur. The users are assigned with the Read only access permissions for the university library website.
Database security issues are generally significant for some applications. Customarily, investigation in the database network in the territory of information security can comprehensively characterize in to get to control research, and information protection examine (Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January)). Shockingly, there is little cover between these two zones. Right now, open a conversation that inquires as to whether there is a reasonable center ground between these territories. Given that the primary foundation gave by database frameworks where much delicate information lives should be control, we pose the inquiry how the database frameworks foundation can step up to help with security needs.
Notwithstanding, the leading help gave by database frameworks where much delicate organized information lives is the system forget to control. Quickly, the thought is to approve a client to get to just a subset of the information. The approval is upheld by expressly reworking questions to restrain access to the recommended subset (Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January)).
Librarian/Admin DB read/write access
The database access permissions set to an individual based on their role and designation to protect the secured personal information from misuse. Hackers always try to hack and access the database to steal the data from abuse. So proper security methods and permissions need to follow to protect the data from cybercriminals. The university librarian is a user who has given the Read/write permissions because he has the information about the stock of the books coming into the library and going out of the library. He always needs to update the inventory whenever the stock arrives. The students and professors have given only read access because they use to check only the availability of the books and place the order; there is no need to have write access. But for the Librarian/Admin, there should have both read/write permissions for updating the inventory.
The development of database innovation has additionally altogether expanded security concerns Byun, J. W., & Li, N. (2008)). The present database innovation causes it conceivable to gather to and store a gigantic measure of individual explicit information. The utilization of inventive information extraction methods joined with cutting edge information combination. Relationship systems make it conceivable to naturally extricate a considerable assortment of data from the accessible databases and a massive variety of data vaults available on the web (Byun, J. W., & Li, N. (2008)). Even though the immediate casualties of security infringement are customers, numerous undertakings and associations are profoundly worried about protection issues too (Byun, J. W., & Li, N. (2008)).
Conclusion
Database access permissions should allocate according to the person’s role and designation to protect data from cyber threats and hackers.
References
Byun, J. W., & Li, N. (2008). Purpose based access control for privacy protection in relational database systems. The VLDB Journal, 17(4), 603-619.
Chaudhuri, S., Kaushik, R., & Ramamurthy, R. (2011, January). Database access control and privacy: Is there a common ground?. In CIDR (pp. 96-103).
J.D. Meier and others, Improving Web Application Security. Threats and countermeasures, Microsoft press, 2003
https://securitytrails.com/blog/top-10-common-network-security-threats-explained
https://online.visual-paradigm.com/app/diagrams/#diagram:proj=0&type=ThreatModelDiagram&gallery=/repository/b025dca9-184d-4f18-9d80-abfadb176ec3.xml&name=Website%20Threat%20Modeling
M. Howard, Reviewing Code for Integer Manipulation Vulnerabilities, Secure Windows nitiative, 2003
Montana State University. (n.d.).CSCI – Threat Modeling. Retrieved from: https://www.cs.montana.edu/courses/csci476/topics/threat_modeling
Shostack, A. (2014). Threat Modeling Designing for Security. pp 14-21, 62-74
002835518 – Chalamalasetty, Srinivas
002826551 – Ganji, Umakumar
002849521 – Karra, Ravi Sastry
002838332 – Kukkala, Indrakaran Reddy
002826761 – Malineni, Srinivas
002837463 – Namburu, Krishna Chaitanya Chowdary
University of the Cumberlands
THREAT MODELING FOR LIBRARY RESOURCE BY GROUP 3
LIBRARY WEBSITE SYSTEM
Scenario
Graphical User interface that allows user to login
Graphical User interface that allows user to create account
Graphical User interface that allows user to access the books and other material from the library database system
Threat Model
Website outsourced tools and security firewalls are not completely reliable for website development.
Encrypt and decrypt the data sent ad received from and to the user.
Mitigations
Identification
Authentication
LIBRARY WEBSITE SYSTEM
LIBRARY DATABASE SYSTEM
Scenario
Database tool and architecture that allows user to CRUD information
Database tool and architecture that allows user to that links between the Graphical User Interface of the website and the database of the library resources
Database tool and architecture that allows user to post and administer on a reliable network system
Threat Model
Modify data over public network like WiFi.
Load on the database system for multiple threads of requests.
Mitigation
Identification and authentication of user.
Use approved database tools and reviewed architecture for uninterrupted data flow.
WEB SERVER ATTACKS & COUNTERMEASURES
DOS attack
Website Defacement
Misconfiguration attacks
Phishing Attack
Vulnerability Scanning
DB SERVER ATTACKS & COUNTERMEASURES
Excessive privileges
Database injection attacks
Storage media exposure
Exploitation ofdatabases vulnerable
DFD DIAGRAM FOR WEB/DB SERVER
USER DB READ ACCESS
LIBRARIAN/ADMIN DB READ/WRITE ACCESS
THANK YOU
002835518 – Chalamalasetty, Srinivas
002826551 – Ganji, Umakumar
002849521 – Karra, Ravi Sastry
002838332 – Kukkala, Indrakaran Reddy
002826761 – Malineni, Srinivas
002837463 – Namburu, Krishna Chaitanya Chowdary
University of the Cumberlands
THREAT MODELING FOR LIBRARY RESOURCE BY GROUP 3
LIBRARIAN CREDENTIALS:
Librarian credentials should have the strong passwords polices
least minimum length 8 characters and password should contain numerical and special characters, Uppercase and Lowercase letters.
Password retention polices
Use the password retention for every few months
Librarian Username should be more complex logical private identity
Last four digits of SSN or DOB or employee Id number
Librarian must have more privileges than library user
Add or remove inventory and access to write complex quires to filter or search the books
Librarian permission create new library user
Librarian must have Ability to audit system events
who logged in website and what all activities user performed on the library site
USER PERSONAL INFORMATION:
User personal information include
Name, address, email address, phone number, race, nationality, ethnicity, origin, color, age, sex, identifying number, passcode, fingerprints, and educational details.
User data can help to build better products
Product design, implementing iterative solutions and resource allocation
User personal information Privacy
The United States’ privacy law
User personal data protection
Implement strong password policies
Password retention
Encrypted the data transportation policies
Multiple layer application infrastructure to protect from DDoS attacks
Implement the web application firewall (WAF)
LIBRARY WEBSITE SYSTEM
Scenario
Graphical User interface that allows user to login
Graphical User interface that allows user to create account
Graphical User interface that allows user to access the books and other material from the library database system
Threat Model
Website outsourced tools and security firewalls are not completely reliable for website development.
Encrypt and decrypt the data sent ad received from and to the user.
Mitigations
Identification
Authentication
LIBRARY WEBSITE SYSTEM
LIBRARY DATABASE SYSTEM
Scenario
Database tool and architecture that allows user to CRUD information
Database tool and architecture that allows user to that links between the Graphical User Interface of the website and the database of the library resources
Database tool and architecture that allows user to post and administer on a reliable network system
Threat Model
Modify data over public network like WiFi.
Load on the database system for multiple threads of requests.
Mitigation
Identification and authentication of user.
Use approved database tools and reviewed architecture for uninterrupted data flow.
WEB SERVER ATTACKS & COUNTERMEASURES
DOS attack
Website Defacement
Misconfiguration attacks
Phishing Attack
Vulnerability Scanning
DB SERVER ATTACKS & COUNTERMEASURES
Excessive privileges
Database injection attacks
Storage media exposure
Exploitation ofdatabases vulnerable
DFD DIAGRAM FOR WEB/DB SERVER
USER DB READ ACCESS
LIBRARIAN/ADMIN DB READ/WRITE ACCESS
THANK YOU
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
