Threat Model and Attack Plan

By Drs. Anthony Vance and Dave Eargle

With Dr. David Lanter

Financial management involves the aggregate set of accounting practices and procedures that allow for the accurate and effective handling of all a business’ revenues, funding, and expenditures. A financial management information system supports the following business functions and associated datasets:

  • Accounting
  • Funds Control
  • Payments
  • Collections and Receivables
  • Asset and Liability Management
  • Reporting and Information
  • Cost Accounting/ Performance

With respect to the three security objectives:

  • Confidentiality: The impacts of a breach of confidentiality of financial management information are generally associated with the sensitivity of the existence of projects, programs, and/or technologies; and customers, suppliers, contractors and employees that might be revealed by unauthorized disclosure of information.
  • Integrity: The impacts of a breach of integrity of financial management information may result from temporary successful frauds that can affect the business’ image, while corrective actions may disrupt the business’ operations.
  • Availability: The impacts of a permanent loss of availability of financial management information can cripple business operations.

Assignment: Create and document a threat model and attack plan for a financial management information system of a company that you will attack as part of Milestone 2.

Objectives

Your objectives are to:

  1. Identify and describe the types of sensitive information that might reside on the server hosting the financial management information system that you will seek to extract.
  2. Document different attacks your team will try against the server given what you have learned in the class so far.
  3. Create one or more attack trees that documents different types of attacks to the server. Place “Gain access to server” at the base and describe at least five different types of attacks listed as nodes. For each node, indicate the difficulty of the attack (e.g., “easy”, “medium”, “hard”). The attack tree should help you to prioritize your efforts.

Written Report Deliverable

Submit a 2-3 page document via Canvas.