BYU logo Computer Science
CS 465 Introduction to Security and Privacy

Threat Modeling

Objectives

Learning to think like an attacker is a critical part of cybersecurity. In this project, you will observe a system and consider how you might exploit it.

Requirements

In this project, you should work with up to three partners (groups of 2-3 people). If you really want to, you are permitted to work alone.

With your partners, develop a threat model for the Cougareat. You may not actually conduct any kind of attack or act suspiciously. This is purely a thinking exercise. You may sit and observe the Cougareat or use your prevoius experiences there.

The threat you are examining is someone getting free food at the Cougareat.

Write a report about the system containing the following sections:

  1. What are we working on?
  • System description:
    • Explain how the Cougareat system works.
    • Use sufficient detail so that the attacks then make sense when you describe them.
  1. What can go wrong?

  • Adversary analysis

    • Who might try to obtain free food? Are they an insider or outsider? Are they working in a group or alone?
    • What are their methods or capabilities in general?
    • Describe all the attackers you can think of.

  • Enumerating attacks

    • Completely describe 3 attacks. Explain which attackers are carrying out each attack.
    • Use sufficient detail so that a reader can understand exactly how this attack might work.
  1. What are we going to do about it?

  • Defender analysis

    • Who is trying to defend the system?
    • What resources do they have access to?
      • As you don’t have access to the inner workings of the Cougareat, make reasonable guesses about this information.
      • You may propose resources be purchased at a reasonable cost if they are easily available.

  • Mitigations

    • Propose three mitigations, one that could stop each of the attacks.
    • Explain how each mitigation will help.
  1. Did we do a good enough job?
  • Reflect
    • Reflect on what you have learned in this assignment.
      • What did you learn about the system?
      • How does this impact how you think of security?
      • How would your mitigations affect the customer experience?
    • This should be 2-3 paragraphs.

Turn In

List the full name of all group members in your report. Have one group member submit a PDF with your group’s report. We will give identical grades to all group members.

Grading Rubric

  • 10 points for the system description.
  • 10 points for the adversary analysis.
  • 30 points for the attacks, 10 points for each.
  • 10 points for the defender analysis.
  • 30 points for the mitigations, 10 points for each.
  • 10 points for the reflection.

For each section, we will be looking to see that the report covers all the requested items and that an honest effort has been made. I am not looking for perfection, especially since you are new to threat analysis.

The TA may deduct up to 20% of your grade for poor writing quality. This penalty will only be accessed if the writing is so poor as make it difficult for the TA to read and understand the report. This penalty will not be used to punish minor writing errors. If you run a grammar and spelling check, most students should not need to worry about this penalty.