What value does the asset have to the organization

Reference no: EM131547989

Project Assignment: Threat Modeling with STRIDE

Purpose

This project provides an opportunity to apply the concepts of using a Threat Modeling methodology, STRIDE, against a fictitious Healthcare organization's application.

Learning Objectives and Outcomes

You will gain an overall understanding of risk management, its importance, and critical processes required when developing a threat model as a part of risk management for an organization.

Required Source Information and Tools

Article: Threat Modeling with STRIDE by Scott Davis.

Deliverables

As discussed in this course, risk management is an important process for all organizations. This is particularly true for information systems, which provide critical support for organizational missions. The project activities described in this document allow you to fulfill the role of an employee participating in the risk management process in a specific business situation, identifying the threats and vulnerabilities facing your organization.

Submission Requirements

All project submissions should follow this format:

- Format: Microsoft Word or compatible
- Font: Arial, 10-point, double-space
- Citation Style: APA style. Any work copied from the Internet or other sources will automatically receive a 0.

Scenario

You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the organization and generates $500 million USD in annual revenue. The company has two additional locations, in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a co-location data center, where production systems are located and managed by third-party data center hosting vendors.

Company Products

Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.

HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical messages that originate from its customers, such as large hospitals, which are then routed over the Internet to receiving customers such as clinics. Information transmitted over this network includes patient health information, X-rays, bloodwork, and diagnoses.

HNetPay is a Web portal used by many of the company's HNetExchange customers to support the management of secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites, accepts various forms of payment and interacts with credit-card processing organizations much like a Web commerce shopping cart. The Web portal is hosted on a Windows IIS Web server. Data from the portal is stored in an Oracle database on a Unix server.

HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors' personal information, work addresses, medical certifications, and the types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profiles. Health Network customers, which are the hospitals and clinics, connect to all three of the company's products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using Internet-accessible HTTPS Web sites. You have already run a Nessus scan and used nmap to determine vulnerabilities.

Information Technology Infrastructure Overview

Health Network operates in a production data center that provides high availability across the company's products. The data center hosts about 1,000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees. Employees are allowed to work from home using their company-issued laptops. There is also a wireless network available at work.

Project

For the project, you must create a threat model, using STRIDE (remember to use the information in the article at the Web link, to understand these sections). To do so, you must analyze the data and create a threat model document that contains the following sections:

1. A section titled Attacker Viewpoint discussing framing the threat from the mindset of the perceived attacker. Address the following questions:

a. Who is likely to attack the system?
b. What are they likely to attack to accomplish their goal?

2. A section titled Asset Viewpoint discussing the organization's assets from the information provided in the scenario, above. Be sure to also address the following questions (I recommend placing this in a table).

a. What is the asset?
b. What value does the asset have to the organization?
c. How might that asset be exploited by an attacker?

3. A section, titled STRIDE, that will identify the following security threats for six different categories, as discussed in the article in the Web reference you were asked to read, as they apply to this scenario. Include the following:

a. Spoofing - address any spoofing threats that might be present in the applications or systems. Include the ramifications (impact) of a spoofing attack.

b. Tampering - address any data or databases that might be subject to data tampering (applications, for instance, that might be vulnerable to cross site scripting attacks or SQL injection in the healthcare organization scenario, above).

c. Repudiation - address where repudiation attacks might be possible in the organization.

d. Information disclosure - address where there may be the likelihood of a data breach in the organization's assets listed in the scenario that would allow the attacker to access private information (or, worse, patient health information). Discuss the laws and regulations that would be impacted and the ramifications (impact and penalties) that would be incurred by this organization in that event.

e. Denial of Service - discuss the potential for service interruptions for those systems or applications connected to the Internet. Which systems are vulnerable? What would be the impact to the organization for each connected system, if it were to be unavailable?

f. Elevation of Privilege - discuss the systems and applications that might be subject to an attacker elevating his privilege levels (think of a patient database - what would happen if the attacker was able to gain Administrator access to the database?).

4. A section, titled Risk Mitigation Plan, that summarizes your findings for the boss and discusses the security controls that you recommend for each of the potential attacks that you have identified. This can be summarized using the table I've provided for you below for each of your threats. Remember to assign the implementation of the recommended security control to a role within the organization (you can use a generic role, such as System Administrator, Database Admin, Security Officer, etc. - your textbook and other supplemental readings listed different organizational roles responsible for managing risk).
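A systematic way to make sure sections 2 through 4 cover every asset against every relevant STRIDE category is to list the scenario's data-flow elements and apply the STRIDE-per-element chart from the Microsoft SDL, which states which categories apply to external entities, processes, data flows and data stores. The script below is an added example and is not part of the assignment or of the Scott Davis article; the element list, its classification (for instance, treating the company-controlled laptops as a process rather than an external entity), the stated asset values and the default owner roles are my own reading of the scenario and should be adjusted to your analysis.

```python
"""STRIDE-per-element enumeration for the Health Network scenario.

Added example, not from the assignment or the referenced article. The
DFD elements are my reading of the scenario; the element-to-category
matrix is the Microsoft SDL "STRIDE-per-element" chart.
"""
from collections import defaultdict
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: external entities can only be spoofed or repudiate;
# processes get all six; data flows can be tampered with, read or blocked;
# data stores add repudiation for the log-tampering case.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

# Assumed generic roles that own mitigations per element kind (section 4).
DEFAULT_OWNER = {
    "external_entity": "Security Officer",
    "process": "System Administrator",
    "data_flow": "Network Administrator",
    "data_store": "Database Administrator",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # one of APPLICABLE's keys
    value: str      # why the asset matters to Health Network (section 2b)
    owner: str = ""  # role assigned to mitigations; defaults by kind


# DFD of the scenario, constructed from the assignment text (assumption).
HEALTH_NETWORK = [
    Element("Hospitals and clinics (customers)", "external_entity",
            "source and destination of medical messages; revenue"),
    Element("Doctors (HNetConnect profile owners)", "external_entity",
            "credentialed users who edit directory data"),
    Element("Credit-card processors", "external_entity",
            "third party the HNetPay portal transacts with"),
    Element("HNetExchange message routing service", "process",
            "primary revenue source; carries PHI between customers"),
    Element("HNetPay portal (Windows IIS)", "process",
            "payments and billing for HNetExchange customers; card data"),
    Element("HNetConnect directory", "process",
            "public care finder; doctor personal data and certifications"),
    # Company-controlled endpoints: modelled as a process, not an entity.
    Element("Corporate laptops / mobile devices (650)", "process",
            "employee endpoints used from home and on office wireless"),
    Element("HNetPay Oracle database (Unix)", "data_store",
            "billing and payment records"),
    Element("HTTPS sessions: customers <-> products", "data_flow",
            "PHI, payment and profile data in transit over the Internet"),
]


def enumerate_threats(model):
    """Return (element name, category letter, owner role) for every applicable pair."""
    rows = []
    for e in model:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {e.kind}")
        owner = e.owner or DEFAULT_OWNER[e.kind]
        for letter in APPLICABLE[e.kind]:
            rows.append((e.name, letter, owner))
    return rows


def coverage_gaps(model, analyzed):
    """Applicable (name, letter) pairs the written threat model does not yet cover."""
    expected = {(name, letter) for name, letter, _ in enumerate_threats(model)}
    return sorted(expected - set(analyzed))


def threats_by_category(model):
    """Group element names under each STRIDE heading, for section 3 of the report."""
    grouped = defaultdict(list)
    for name, letter, _ in enumerate_threats(model):
        grouped[STRIDE[letter]].append(name)
    return dict(grouped)


if __name__ == "__main__":
    # A partially written threat model, to show the gap check.
    written = {
        ("HNetPay portal (Windows IIS)", "T"),    # SQL injection / XSS
        ("HNetPay Oracle database (Unix)", "I"),  # card-data breach
        ("HNetExchange message routing service", "D"),
    }
    for name, letter in coverage_gaps(HEALTH_NETWORK, written):
        print(f"TODO {STRIDE[letter]:<22} {name}")
    for heading, names in threats_by_category(HEALTH_NETWORK).items():
        print(f"{heading}: {len(names)} elements")
```

Running it prints the (element, category) pairs still missing from a partially written model and the element count under each STRIDE heading; the owner role in each row is what the Risk Mitigation Plan table needs for its "assigned to" column. Note that the chart only says where a category can apply; whether it does, and with what impact, is the analysis the assignment asks you to write.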
