model a cloud-based storage system. Store a file in a folder on your desktop, and it gets immediately uploaded to the server. Users can share folders, allowing other users or the public view the files. -- 2

Închis Postat la acum 2 luni S-au achitat serviciile după ce au fost prestate
Închis S-au achitat serviciile după ce au fost prestate

The purpose of this activity is to help you enumerate and model the security of your system architecture by looking at it from the point of view of threats. According to the Microsoft Threat Modeling methodology, we treat the word "threat" as a class of exploits. They fall into the following categories (STRIDE):

• Spoofing

• Tampering

• Repudiation

• Information Disclosure

• Denial of Service

• Elevation of Privilege

ACTIVITY

Today, let's model a cloud-based storage system. Store a file in a folder on your desktop, and it gets immediately uploaded to the server. Users can share folders, allowing other users or the public view the files. The context level diagram of the file sharing system is represented in

Figure 1: Context Level Diagram

The aim of this activity is to Identify Threats based on the STRIDE threat modeling using Microsoft Threat Modeling Tool (TMT).

Part I: Model without trust boundaries

1. Open the Microsoft Threat Modeling tool. Before going further, save your file, calling it FileSharing.tm4. The tool can be found here.

2. Start your model by creating processes, interactors and stores.

3. Next, add data flow relationships.

4. Now go to Analyze model.

5. Expand a few of the items. Notice the vast number of potential threats that can arise and their STRIDE category. In your report, provide the number of threats of each category.

6. Not all the threats are meaningful; It depends on the system under consideration. Let's eliminate some threats to be generated with some assumptions. Discuss which threat categories you believe are not possible in the File Sharing system. Change those to "Not Applicable". In your report, provide the list of “Not Applicable” threats and provide your arguments.

7. Now let's revise 2 threats, getting our inspiration from the diagram. Fill in the potential mitigations you might take in the Justification text box.

8. Fill the Model Information from the File Menu; the model name, your names,…..

9. At this point, check the report by going to Generate Reports. Note anything you believe is missing. Name the generated report “Report 1”

10. Save your Model as “Model 1”.

Part II: Model with trust boundaries

1. Open “Model 1”.

2. Add a Trust Box to your Model 1; Put both the File Sharing Application and the File Store inside the box.

3. Save your Model as “Model 2”

4. Analyze the Model. Compare the list of identified threats in Model 1 to the list of identified threats in Model 2.

5. Fill the Model Information from the File Menu; the model name, your names,…..

6. At this point, check the report by going to Generate Reports. Note anything you believe is missing. Name the generated report “Report 2”

7. What do you think about the list of threats in case the Trust Box includes only the File Sharing Application.

Documents to be submitted to the LMS:

● Your word file report with the DFD built in the Microsoft TMT, Part I question 5 and question 6 answers, and Part II question 4 answer.

● Model [login to view URL], Model [login to view URL], [login to view URL], [login to view URL]

MICROSOFT THREAT MODELING TOOL

Download the Microsoft TMT from here.

I. This section describes the steps to create a new threat model.

1. Start TMT. From Home screen.

2. Click on Create a Model from home screen. This brings up the drawing surface where you will create the data flow diagram.

II. Drawing Your Model

Draw your data flow diagram by selecting elements from the Stencils pane. You can select processes, external entities, data stores, data flows, and trust boundaries.

1. To select an element to draw:

● Select an element from the Stencils pane and drag it across the drawing surface.

● Right-click on the drawing surface to bring up a context menu that allows you to add a generic element from each Stencils category

2. To add a data flow between the two most recently selected objects:

● Right-click the drawing surface and select Connect or Bi-Directional Connect.

● Alternatively, select the appropriate data flow from the Flow tab in the Stencils pane and place it on the drawing surface.

III. Modifying Attributes

To modify an element from a generic element into a more specific one:

● Use the Element Properties pane.

● Right-clicking an element to convert it to another element type. If necessary, convert it from a generic element to a specific type of process, data flow, data store, external element, or trust boundary. For example, a generic data flow can be converted to HTTPS. Additionally, you can edit the properties of the element directly in the Properties pane.

IV. Identifying and Analyzing Threats

When you have completed your data flow diagram, switch to the Analysis view by using one of the following methods:

● From the View menu, select Analysis View.

● Click the Analysis View button on the toolbar.

For each of your threats, enter information about how to mitigate the threat:

1. Double click on the threat. A Threat Properties pane appear.

2. Determine if the threat requires mitigation and categorize the mitigation by selecting one of the following options from the Threat Status dropdown list.

1. Not Started

2. Needs Investigation

3. Not Applicable

4. Mitigated

1. Select one of the following threat priorities from the Threat Category dropdown list.

1. High (default)

2. Medium

3. Low

2. Enter your mitigation information in the Justification for threat state change text box.

● NOTE: Justification is required for threats in the Mitigated or Not Applicable states.

V. Reviewing Threats

The threat list is sortable and filterable. You can click on any column header in the threat list to sort by that column. You can click on the triangles on the column headers to filter as many columns as you like. The clear filters button at the bottom of the threat list will clear any filters.

VI. Finish and Create a Report

After all threats have been addressed, finish your threat model:

1. If you have not done so already, enter general information about the threat model by selecting Threat Model Information from the main menu. This information includes:

1.

1. Review participants

2. A brief description

2. To save the model, select File >Save As.

3. To create a report, select Reports >Full Report.

Securitate computer Cloud Computing Google Cloud Storage Cloud Security Cloud Development

ID Proiect: #37500965

Detalii despre proiect

2 propuneri Proiect la distanță Activ acum 1 lună

2 freelanceri plasează o ofertă medie de 60$ pentru proiect

kaindo2017

Hello there! My name is Simon and I am a Bsc degree holder in computer science and a diploma in project management and CCNA certification. I have been doing this for more than you can imagine. I understand that you a Mai multe

$20 USD în 1 zi
(42 recenzii)
5.5
yasiriqbalengr

I trust this message finds you well. I am excited about contributing to your organization's IT infrastructure. As a seasoned cybersecurity professional, I bring expertise in public and private cloud security, enterpri Mai multe

$100 USD în 7 zile
(4 recenzii)
3.9