Te Aromatawai Tuatahi- Assignment 1

Due: 23:59 Friday 13 August 2021 (late days apply)

The purpose of this assignment is to develop a threat model of a vending machine using a STRIDE-per-element and DREAD. There is no "right" answer, your model might differ from mine but you must follow the processes as discussed in lectures and make a reasonable attempt at each part to pass this assignment.

Frequently asked questions

System description

This document provides a description of the vending machine:

This is the level 1 DFD diagram of the vending machine with multiple features on the same page:

This a physical view of the vending machine from customer and operator viewpoints:

We assume that the owner will employ others as the operator.

The system is insecure and can have its security improved.

We have provided a spreadsheet to use for your answers (remove the example entries before submission).

You MUST use the spreadsheet provided and submit it as a Microsoft Excel spreadsheet (not PDF or Pages).

Part 1 - Analyze STRIDE-per-element (60%)

Apply STRIDE-per-element to identify threats to the system.

A basic answer would have only one threat per row in the STRIDE-per-element table.

No threat should be discounted, part 2 and 3 considers how to handle the risk and this might include just accepting it.

When considering the threats to different elements, you can apply this rule of thumb for identifying ones that might apply:

  • External entity: Spoofing and repudiation.
  • Data flow: Tampering, information disclosure and denial-of-service.
  • Data store: Tampering, information disclosure and denial-of-service.
  • Process: All threats may apply.

When interpreting potential threats remember that the element is the victim rather than than the attacker, for example spoofing an entity means that attacker is pretending to be them to someone else interacting with them at the other end of a dataflow.

See the textbook for more examples: Oreilly.com.

Each threat should describe the attack and impact, for example consider a spoofing attack "Ian claims to be a cleaner to security and asks them to unlock Harith's office. This allows Ian to steal the exam that is stored in Harith's filing cabinet".

Note that at this point there will be a lot of repetition.

Part 2 - Apply DREAD to rank the threats (20%)

You will have repeating threats from the previous part, now summarise the threats and rank the threats using DREAD.

We will use the following definitions of DREAD.

High = 3, Medium = 2 and Low = 1.

The overall score is D+R+E+A+D.

Damage potential:
  1. Nothing.
  2. A single product or the equivalent value.
  3. All the products and/or money in the coin box.

Reproducibility:
  1. Operator participation is required.
  2. Customer participation is required.
  3. Doesn't require participation from the operator or customer.

Exploitability (remember consider influence of trust boundary):
  1. Deep understanding of the system required or hard to obtain tools or devices.
  2. Requires a common tool to carry it out such as a screwdriver.
  3. Doesn't require any tools to carry out.

Affected clients (customers in this case):
  1. No customers.
  2. Some customers.
  3. All customers.

Discoverability:
  1. Must have access to the design or implementation details.
  2. Guessable vulnerability.
  3. Obvious vulnerability.

Note for the purposes of this exercise we will assume that the vulnerabilities are obvious. This is approach taken by many people who do not want to rely upon security by obscurity.

Part 3 - Mitigate, eliminate, transfer or accept the risks (20%)

Now based upon your results from Part 2 make a decision as to whether you will eliminate, mitigate, transfer or accept the risk and provide a short justification for each. In particular, you must explain how your choice is implemented.

We would expect one sentence for elimination (how will eliminate), two for mitigation (why can't eliminate and how will mitigate), three for transfer (why can't eliminate or mitigate and how risk is transfered) and four for accept (why can't mitigate, eliminate or transfer and what is the potential impact of acceptance and the threat becoming an attack).

Note that mitigation might include changes to the vending machine or procedures carried out by the operator.

Submission

Your spreadsheet should be submitted electronically via the online submission system, linked from the course homepage.

Marking

There are two parts: criteria and indicative letter grades.

Criteria

The criteria for grading are:
  • Completeness: Did you answer all of the questions and how comprehensively? For example, did the analysis consider all elements.
  • Accuracy: How well did you answer the questions? Were your answers reasonable and did you explain your answers?
  • Communication: Use whole sentences, make the document easy to read and avoid spelling mistakes.

Letter grades

What the letter grades mean:
  • A-range: Excellent performance. Complete, accurate, includes all of the external entities and well presented. Shows good knowledge and good understanding of the methods. Well-argued. Where required, contains good original input from the student with outstanding answers doing independent research into methods.
  • B-range: Good performance. Mostly complete, mostly accurate, scope includes most of the external entities and well presented. Shows a good knowledge and fairly good understanding of the methods but either fails to answer some parts of the question or is unclear or is poorly argued.
  • C-range: Satisfactory performance although some errors in accuracy, scope is limited to only one of the external entities and/or problems with presentation. Shows only some basic knowledge of the material or fails to understand some important parts of it, or does not answer a significant portion of the questions.
  • D-range: Poor performance overall, some evidence of learning but very problematic in all aspects mentioned above. [If you receive this grade, come and see us to discuss what went wrong and how we can avoid it happening again.