Project: Technology Threat Assessment or Organizational Security Incident Report
By Drs. Anthony Vance and Dave Eargle
This is a group project, with teams of up to four. Have each member of your team join one of the already-existing “Project | Threat Assessment” groups on Canvas. Please do not make your own group. Search Canvas groups for “Project | Threat Assessment” and join one of those.
Your team has two choices for this project: either a technology threat assessment or a report on an organizational security incident. Both options are described below.
Approval for Topic
Your team should pitch your proposed topic in the #project_idea_claim channel on Slack. You must obtain my approval for your topic.
Option 1: Technology Threat Assessment Review
This option is adapted from Cryptography Engineering, 2nd edition, by Ferguson, Schneier and Kohno (2010).
This exercise deals with developing your security mindset in the context of real products or systems. Your goal with the security reviews is to evaluate the potential security and privacy issues of new technologies, evaluate the severity of those issues, and discuss how to address those security and privacy issues. This review should reflect deeply on the technology that you’re discussing.
Your security review should contain:
- Summary of the technology that you’re evaluating. You may choose to evaluate a specific product (like a recently introduced wireless implantable drug pump) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations in the following bullets.
  For this exercise, it is acceptable to make some assumptions about how the products work. However, if you do make assumptions about a product, then you should make it clear that you are doing so, and you should explicitly state what those assumptions are.
  Being able to clearly summarize a product (even with explicitly stated assumptions) is very important. If you don’t understand the technology well enough to provide a crisp and clear summary, then you probably don’t understand the technology well enough to evaluate its security and privacy.
- State at least two assets and, for each asset, a corresponding security goal. Explain why the security goals are important. You should produce around one or two sentences per asset/goal.
- State at least two possible threats, where a threat is defined as an action by an adversary aimed at compromising an asset. Give an example adversary for each threat. You should have around one or two sentences per threat/adversary.
- State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness. For the purposes of this exercise, you don’t need to fully verify whether these potential weaknesses are also actual weaknesses.
- State potential defenses (mitigations). Describe potential defenses that the system could use or might already be using to address the potential weaknesses you’ve identified in the previous bullet.
- Evaluate the risk associated with the assets, threats, and potential weaknesses that you’ve described. Informally, how serious do you think these combinations of assets, threats, and potential weaknesses are?
- Conclusions. Provide some thoughtful reflections on your answers above. Also discuss relevant “bigger picture” issues (ethics, the likelihood that the technology will evolve, and so on).
Some examples of past security reviews are online at https://cubist.cs.washington.edu/Security/category/security-reviews/.
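As an added worked example (not part of the assignment text or of the authors' course materials), the Python sketch below encodes the review structure above: assets with security goals, threats with adversaries, potential weaknesses, and mitigations, followed by an informal risk ranking of each asset/threat/weakness combination. The system modelled is a hypothetical wireless implantable drug pump, the example the assignment itself names; every asset, threat, weakness, 1..5 score and the `MITIGATED_FACTOR` heuristic is a constructed assumption for illustration, not a finding about any real product.

```python
from dataclasses import dataclass, field

# All names, goals and 1..5 scores in this file are constructed assumptions
# about a hypothetical implantable drug pump, made only to illustrate how the
# pieces of a security review fit together.


@dataclass
class Asset:
    name: str
    security_goal: str
    impact: int  # 1 (minor) .. 5 (life-threatening) if the goal is violated


@dataclass
class Threat:
    description: str
    adversary: str
    asset: str        # Asset.name this adversary action is aimed at
    likelihood: int   # 1 (far-fetched) .. 5 (routine)


@dataclass
class Weakness:
    description: str
    enables: list[str]                                   # Threat descriptions made possible
    mitigations: list[str] = field(default_factory=list)  # defenses in place or proposed


MITIGATED_FACTOR = 0.5  # assumed heuristic: a listed mitigation halves the residual score


def validate(assets, threats, weaknesses):
    """Reject a model whose threats or weaknesses refer to things it never defines."""
    asset_names = {a.name for a in assets}
    threat_descs = {t.description for t in threats}
    for t in threats:
        if t.asset not in asset_names:
            raise ValueError(f"threat targets unknown asset: {t.asset!r}")
    for w in weaknesses:
        for d in w.enables:
            if d not in threat_descs:
                raise ValueError(f"weakness enables unknown threat: {d!r}")


def rank_risks(assets, threats, weaknesses):
    """Return (score, asset, threat, weakness) tuples, highest residual risk first.

    Score = impact x likelihood, scaled down when the weakness has a mitigation.
    This is the informal judgement the review asks for, made explicit so that
    the reasoning behind each ranking can be inspected and argued about."""
    validate(assets, threats, weaknesses)
    by_name = {a.name: a for a in assets}
    by_desc = {t.description: t for t in threats}
    rows = []
    for w in weaknesses:
        for d in w.enables:
            t = by_desc[d]
            a = by_name[t.asset]
            score = a.impact * t.likelihood
            if w.mitigations:
                score *= MITIGATED_FACTOR
            rows.append((score, a.name, t.description, w.description))
    return sorted(rows, key=lambda r: r[0], reverse=True)


def unmitigated(weaknesses):
    """Weaknesses the review has not yet matched with any defense."""
    return [w.description for w in weaknesses if not w.mitigations]


# Constructed sample model for the hypothetical pump.
PUMP_ASSETS = [
    Asset("patient dosing", "integrity: only the clinician-programmed dose is delivered", impact=5),
    Asset("patient health data", "confidentiality of the stored dosing history", impact=3),
]
PUMP_THREATS = [
    Threat("unauthorized change of dose over the wireless link",
           adversary="someone in radio range with hobbyist equipment",
           asset="patient dosing", likelihood=2),
    Threat("reading dosing history from telemetry",
           adversary="someone in radio range with hobbyist equipment",
           asset="patient health data", likelihood=3),
]
PUMP_WEAKNESSES = [
    Weakness("commands accepted without authentication (assumed)",
             enables=["unauthorized change of dose over the wireless link"],
             mitigations=["require commands to be authenticated by a paired controller"]),
    Weakness("telemetry sent in cleartext (assumed)",
             enables=["reading dosing history from telemetry"]),
]

if __name__ == "__main__":
    for score, asset, threat, weakness in rank_risks(PUMP_ASSETS, PUMP_THREATS, PUMP_WEAKNESSES):
        print(f"{score:>4}  {asset:<20} {threat}  <- {weakness}")
    print("still unmitigated:", unmitigated(PUMP_WEAKNESSES))
```

With these assumed numbers the cleartext-telemetry weakness outranks the dose-change weakness, even though the dosing asset has the higher impact, because the dosing weakness already has a mitigation listed. That is the kind of result worth discussing in the risk and conclusions bullets: whether the mitigation really deserves the credit the heuristic gives it, and whether the unmitigated item should be addressed first.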
Option 2: Organizational Security Incident
The purpose of this option is to explore the unfolding of a security incident from the perspective of the organization: to analyze how an organization handled it and to look at how the public reacted to the incident (if at all). Teams will choose a security incident and report on the unfolding of events leading up to, during, and after the incident. This report is more than just a summary of one or two news articles. It is a meta- and longitudinal analysis of the incident as it unfolded. For this reason, the incident needs to be old enough for investigations to have been conducted and reports published; breaking news will not suffice.
Structure:
- An up-front abstract of the main compromise. It should articulate the compromised asset, the exploited vulnerability, and the attacker motivations.
  - Consider using the Security Cards framework.
- Timeline: a high-level overview, together with analyses.
  - This should include as many of the following elements as possible:
    - Initial incident
    - Movement of the attacker through the internal organization (if applicable)
    - Management detection of the threat and organizational response
    - Organizational restructuring (firings, hirings)
    - Organization public relations statements or actions
    - Public reactions
    - Congressional hearings, FCC or EU sanctions
    - Stock price movements
  - Try to piece together the organizational response timeline as well as you can. How long did it take them to respond, how long was the public outraged, and when did the event drop out of the news?
  - Your report should provide a high-level timeline overview, as well as an analysis of the timeline elements, where possible, from the three information security management domains: Organization, Technology, and People.
    - Technology: What vulnerabilities existed in the technology that were not mitigated? Could they have been mitigated?
    - Organization: How did organizational policies or culture, or the lack thereof, contribute to the compromise, or to a failure to detect the incident?
    - People: Was a human element involved in the incident – perhaps a lapse by an organizational insider, or an insider attack?
- Lessons Learned
  - For the organization
    - Where did they do well in handling the compromise?
    - Where did they do poorly?
    - How have they adapted their security posture, and against what threats are they still vulnerable? (Another brief round of threat modeling here.)
  - For the industry
  - For society (recommend regulations?)
- Sources
  - Should include a collection of different sources, as close to the original source as possible (e.g., original reporting, organization press announcements, congressional hearings – not outlet regurgitations of first-hand accounts).
Deliverable
Your final report should be 5-10 pages in length (not including a timeline of events, if you choose Option 1). Please submit your report in PDF format to Canvas.