CSIS 643 Threat Model Assignment_Brandon Cook
Liberty University, CSIS 643 (Information Systems). Uploaded by pinn16, Dec 6, 2023; docx, 11 pages.
Threat Model Assignment
Threat Model Assignment: Customer Interactive Tracker
Brandon Cook
Liberty University
CSIS 643-D01
Dr. Mary Cecil
11/26/2023
Table of Contents
Abstract
Introduction
Threat Models
Conclusion and Biblical Analysis
Appendices
References
Abstract
Protecting customer data and preserving the integrity of online transactions are core obligations of any e-commerce business. This paper examines how "Shades of Light" can strengthen its Customer Interactive Tracker (CIT) system by applying three established threat modeling approaches: STRIDE, PASTA, and OCTAVE. STRIDE, chosen for its maturity and its systematic, data-flow-diagram-driven method of finding threats, supplies six threat categories against which each element of the CIT design can be examined. PASTA's seven-stage process raises threat modeling to a strategic activity, tying business objectives to technical scope and centering the analysis on how an attacker would approach the system. OCTAVE, valued for its scalability and adaptability, fits the CIT system's changing environment with a three-phase, asset-centric risk assessment.
The paper closes with a biblical analysis, arguing that "Shades of Light's" investment in cybersecurity preparedness reflects the principles of stewardship and diligence and the values of collaboration and readiness in a changing e-commerce landscape.
Introduction
In the changing world of online business, protecting sensitive customer information and maintaining the trustworthiness and reliability of digital transactions are first-order concerns. In recognition of this, "Shades of Light" has taken a proactive approach by applying established threat modeling frameworks to strengthen its Customer Interactive Tracker (CIT) system. Because the CIT system is central to the company's operations, it requires a security architecture able to handle the complexity of modern online transactions. This analysis examines three notable threat modeling approaches, STRIDE, PASTA, and OCTAVE, selected for their particular characteristics and their applicability to e-commerce. The choice of these models is not arbitrary; each was chosen for strengths that match the operational complexity of the CIT system. The objective of this study is to examine STRIDE, PASTA, and OCTAVE in enough detail to understand how each can be used to harden the CIT system against a range of cyber threats. The selected models are not abstract concepts but practical instruments that, once applied, will surface specific threats, prioritize the risks to be reduced, and promote cooperation among the stakeholders involved. As "Shades of Light" undertakes this effort, the findings are expected to improve the organization's ability to handle cyber threats and to contribute to the wider discussion of cybersecurity in online commerce.
Threat Models
STRIDE - See Appendix A
STRIDE is a foundational choice for strengthening the security posture of the Customer Interactive Tracker (CIT) system at "Shades of Light." The model, created by Loren Kohnfelder and Praerit Garg at Microsoft in 1999, has matured over two decades and remains applicable because of its thorough method for recognizing and reducing threats (Shostack, 2014). The rationale for applying STRIDE to the CIT system lies in its capacity to assess the system's design methodically, element by element, and to tie each threat found to a concrete security property that a control must restore.
According to Shevchenko et al. (2018), STRIDE proceeds in two main steps: system modeling and threat identification. During system modeling, the analyst draws data flow diagrams (DFDs) that identify external entities, processes, data stores, data flows, and the trust boundaries between them; understanding the structure of the CIT system is essential at this stage. Threat identification then walks the model using the STRIDE acronym: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Each category is the violation of one security property (authentication, integrity, non-repudiation, confidentiality, availability, and authorization, respectively), which is what makes the acronym useful as a mnemonic: for each DFD element the analyst asks which of the six apply and which property a mitigation must protect. Not every category applies to every element; a data flow, for instance, can be tampered with, disclosed, or disrupted but cannot itself be spoofed, and the variant Shostack (2014) calls STRIDE-per-element uses this to keep the enumeration focused. Mitigations follow from the category: strong authentication counters Spoofing, and strict authorization checks counter Elevation of Privilege.
The selection of STRIDE is further supported by its successful use in both cyber-only and cyber-physical systems (Shevchenko et al., 2018). STRIDE can be time-consuming, and the number of candidate threats grows with system complexity, which makes prioritization a necessary follow-on step; even so, it is well suited to the CIT system's need for a comprehensive and methodical approach. Its maturity, its systematic threat identification, and its track record in comparable systems give "Shades of Light" a strong basis for addressing the CIT system's security concerns.
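To make the two steps concrete, the following Python script is an added example written for this page; it is not code from the paper or from any of the cited authors. It encodes the STRIDE-per-element applicability table from Shostack (2014) and applies it to a small, constructed data-flow diagram of a hypothetical CIT deployment (the element names, trust zones and flows are assumptions, since the paper does not describe the real system), flagging flows that cross a trust boundary, which is where the bulk of exploitable threats usually sit.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example, not code from the original paper. The CIT model below
(entities, processes, stores, flows, trust zones) is constructed for
illustration; the real CIT system is not described in the paper.
"""
from dataclasses import dataclass

# The six STRIDE categories.
S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information disclosure", "Denial of service",
                    "Elevation of privilege")

# STRIDE-per-element applicability table (Shostack, 2014, ch. 3):
# which categories are worth asking about for each kind of DFD element.
APPLICABLE = {
    "external_entity": (S, R),
    "process": (S, T, R, I, D, E),
    "data_store": (T, R, I, D),   # R applies to stores that act as logs
    "data_flow": (T, I, D),       # a flow cannot itself be spoofed
}

# Security property each category violates; names the class of mitigation.
PROPERTY = {S: "authentication", T: "integrity", R: "non-repudiation",
            I: "confidentiality", D: "availability", E: "authorization"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str = "internal"   # trust zone used to detect boundary crossings


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    property_violated: str


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and flow in the DFD.

    Returns a list of Threat records. A flow whose endpoints sit in
    different trust zones is flagged, because that is where an attacker
    on the untrusted side first touches the system."""
    threats = []
    for el in elements:
        for cat in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, cat, False, PROPERTY[cat]))
    for fl in flows:
        crosses = fl.src.zone != fl.dst.zone
        for cat in APPLICABLE["data_flow"]:
            threats.append(Threat(fl.name, cat, crosses, PROPERTY[cat]))
    return threats


def boundary_crossing(threats):
    """The subset of threats on flows that cross a trust boundary."""
    return [t for t in threats if t.crosses_boundary]


# Constructed DFD of a hypothetical CIT deployment (assumption, not the
# paper's Appendix A): browser -> web app -> API -> database / audit log.
customer = Element("Customer browser", "external_entity", zone="internet")
web = Element("CIT web app", "process", zone="dmz")
api = Element("Order-tracking API", "process", zone="internal")
db = Element("Customer DB", "data_store", zone="internal")
audit = Element("Audit log", "data_store", zone="internal")

CIT_ELEMENTS = [customer, web, api, db, audit]
CIT_FLOWS = [
    Flow("HTTPS request", customer, web),   # internet -> dmz (crosses)
    Flow("API call", web, api),             # dmz -> internal (crosses)
    Flow("SQL query", api, db),             # internal only
    Flow("Audit write", api, audit),        # internal only
]


def cit_threats():
    """Full STRIDE-per-element threat list for the constructed CIT model."""
    return enumerate_threats(CIT_ELEMENTS, CIT_FLOWS)


if __name__ == "__main__":
    ts = cit_threats()
    print(f"{len(ts)} candidate threats, "
          f"{len(boundary_crossing(ts))} on boundary-crossing flows")
    for t in ts:
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.element:20} {t.category:24} -> {t.property_violated}{flag}")
```

Even this five-element model yields 34 candidate threats, which illustrates the scaling problem noted above: the table is deliberately generous so that nothing is missed, and the boundary flag is the first prioritization cut before each threat is judged for exploitability and assigned a mitigation.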
PASTA - See Appendix B
The choice to use PASTA (Process for Attack Simulation and Threat Analysis) for the CIT system rests on its rigorous seven-stage process, each stage comprising numerous activities. Appendix B depicts the stages in sequence: define business objectives, define the technical scope, decompose the application, analyze threats, analyze vulnerabilities and weaknesses, model attacks, and analyze risk and impact. Beginning with goals and ending with a risk and impact assessment ties business objectives to technical specifications and yields a complete picture of the CIT system's environment. PASTA's risk focus is shown by its elevation of threat modeling to a strategic level: it brings in decision-makers from operations, governance, architecture, and development so that security considerations are integrated across the company, which strengthens risk management. PASTA is distinguished by its attacker-centric perspective, which matches the evolving threats in e-commerce, and its output is asset-focused, which makes it easier to prioritize mitigations. Although the process is time-consuming, the thorough documentation by its creators, Tony UcedaVélez and Marco Morana (2015), is a significant resource for enterprises working through it; it supports cooperation among stakeholders and a shared understanding of potential threats. Applied to the CIT system, PASTA offers a strategic and comprehensive framework for managing the risks specific to e-commerce.
OCTAVE – See Appendix C
The decision to use the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method for the Customer Interactive Tracker (CIT) system is based on its scalability, its contribution to risk management, and its adaptability to the changing nature of e-commerce. OCTAVE, created by the CERT Division of the Software Engineering Institute at Carnegie Mellon University, is an organizational risk assessment method that takes a strategic rather than purely technical view of security. Its scalability, including the lighter-weight OCTAVE-S and OCTAVE Allegro variants, suits the dynamic nature of the CIT system, allowing the assessment to adapt to ongoing interactions and evolving demands; that adaptability matters in an e-commerce setting where the operating environment changes continuously. According to Beyst (2016), it is crucial to choose a threat modeling method that fits the organization's specific needs and scalability requirements, and for "Shades of Light" and the CIT system OCTAVE is an appropriate choice. OCTAVE's role in risk management is defined by its three phases: building asset-based threat profiles, identifying infrastructure vulnerabilities, and developing a security strategy and plans. This procedure helps detect, prioritize, and reduce risks to the CIT system's critical assets. Stanganelli (2016) emphasizes the importance of choosing a threat risk model that aligns with the organization's risk management goals and points to OCTAVE as useful for addressing e-commerce risks. Although OCTAVE requires a significant investment of time and effort because of its extensive documentation, the repeatable results it produces make it attractive for enterprises that need a thorough and dependable risk assessment framework. Implementing OCTAVE demonstrates "Shades of Light's" deliberate commitment to cybersecurity and helps ensure that the CIT system is prepared for the changing risks of the e-commerce environment.
Conclusion and Biblical Analysis
"Shades of Light's" dedication to strengthening its cybersecurity is in keeping with the biblical values of stewardship and conscientiousness. Scripture commends diligence in one's work (Proverbs 12:24), and that diligence extends to protecting the resources entrusted to one's care. For "Shades of Light," safeguarding customer data and ensuring the reliability of transactions can be viewed as faithful stewardship of the trust placed in the business. The emphasis on managing and preparing for risk as threats change also aligns with the biblical call to be watchful and ready (Matthew 24:42). By implementing proactive cybersecurity measures, "Shades of Light" shows its commitment to managing resources and information carefully, reflecting the biblical ideals of diligence, collaboration, and preparedness. In the dynamic realm of e-commerce, "Shades of Light" recognizes the importance of protecting sensitive customer data and ensuring the dependability of digital transactions within its Customer Interactive Tracker (CIT) system, and its use of threat modeling frameworks such as STRIDE, PASTA, and OCTAVE demonstrates a proactive dedication to strengthening its cybersecurity.
Appendices
Appendix A: STRIDE (figure not reproduced in this extract)
Appendix B: PASTA (figure not reproduced in this extract)
Appendix C: OCTAVE (figure not reproduced in this extract)
References
Shevchenko, N., Chick, T. A., O'Riordan, P., Scanlon, T. P., & Woody, C. (2018). Threat modeling: A summary of available methods. Software Engineering Institute, Carnegie Mellon University.
Shostack, A. (2014). Threat modeling: Designing for security. Wiley. ISBN 978-1118809990
Stanganelli, J. (2016, September 27). Selecting a threat risk model for your organization, part two. eSecurity Planet. https://www.esecurityplanet.com/network-security/selecting-a-threat-risk-model-for-your-organization-part-two.html
UcedaVélez, T., & Morana, M. M. (2015). Risk centric threat modeling: Process for attack simulation and threat analysis. Wiley. ISBN 978-0-470-50096-5