
Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001.


1 Student Application System SNA Step 3 Attacker Profiles and Scenarios

2 Student Application System
- Timothy Mak (Team Leader)
- James Zujie Chi
- Dali Wang
- Maria Stattel
- Andy Teng
- Hyoungju Yun
- John Rinderie
- Ron Urwongse

3 Team Activities
Weekly Team Meeting
- Recurring meetings: every Wednesday, 1-2pm (as necessary)
Team Meetings to Date
- First team meeting, assigned project roles
- Presentation discussion and layout
- Discussed requirements for part II
- Reviewed current status of part II
- Discussed contents of Presentation II
- Discussed requirements for part III
- Discussed contents for part III
- Reviewed current status of part III
- Discussed contents of Presentation III

4 Project Timeline
Client Meeting
- Meeting with Martha Baron (Director of Information Services)
- Meeting with Martha Baron
- Meeting with Martha Baron & Brian Gallew (Principal Software Engineer, ACIS)
Class Presentations
- Project Briefing 1: James Zujie Shi & Timothy Mak
- Project Briefing 2: Dali Wang & Maria Stattel
- Project Briefing 3: Andy Teng & Hyoungju Yun
- Project Briefing 4: John Rinderle & Ron Urwongse

5 Roles played for Part III
- Team Leader: Timothy Mak
- Discussion Leader: Andy Teng
- Scribe: Hyoungju Yun
- Reviewers: all team members

6 Essential Services and Assets
- Marketing and Recruiting
- Student Application for Admission
- Acceptance Notification
- Financial Aid
- Billing
- E-Grades
- Graduation Eligibility Verification
- Degree Certification
- Academic Audit

7 Attacker Profiles (1 of 2)
Attacker: Insider (Employee, CMU Student); Outsider (Hacker, Non-CMU Student)
- Resources: high level of experience on systems & processes; diversity; expert knowledge; professional skills; diversified knowledge
- Tools: readily available tools; customized tools; social engineering
- Risk: risk averse; not risk averse; somewhat risk averse
- Access: internal; external

8 Attacker Profiles (2 of 2)
Attacker: Insider (Employee, CMU Student); Outsider (Hacker, Non-CMU Student)
Objectives
- Employee: personal gain; embarrass CMU
- CMU Student: personal gain; embarrass CMU
- Hacker: personal gain; curiosity; practicing hacking skills
- Non-CMU Student: personal gain; embarrass CMU; curiosity
Level of attack
- Employee: sophisticated attack
- CMU Student: intermediate attack
- Hacker: sophisticated attack
- Non-CMU Student: target-of-opportunity attack
Probability
- Employee: low probability because of good security policy
- CMU Student: medium probability
- Hacker: high probability
- Non-CMU Student: low probability

9 Intrusion Usage Scenarios
1. Legal login by unauthorized user
2. Unauthorized access by insider
3. Unauthenticated access by outsider
4. Malicious code attack

10 IUS1: Legal Login by unauthorized user
How to attack
- An unauthorized user logs in with a password obtained by sniffing or social engineering, then views, modifies or deletes private student data
Who is the attacker
- Employees, CMU students, hackers, non-CMU students
What are their objectives
- View, modify or delete private student data
Category of attack pattern
- User access

11 IUS1: Legal Login by unauthorized user
[Architecture diagram. Nodes: web browser, Web server 1, Web server 2, Database server, Firewall, Authentication Server. Services shown: Graduation Eligibility Verification, Acceptance Notification, Financial Aid, Degree Certification, Academic Audit, Billing, Marketing and Recruiting, Student Application, E-Grades. Legend: terminal, compromised component, attacker trace, communication link, architecture node. Compromised component: Database server.]

12 IUS2: Unauthorized access by insider
How to attack
- Inside intruder physically accesses servers (Web/Database) to view, modify or delete the data
- Inside intruder accesses servers via system administrator access rights to view, modify or delete data
Who is the attacker
- Insider (employees, specifically those holding system administrator rights)
What are their objectives
- View, modify or delete private student data
Category of attack pattern
- User access

13 IUS2: Unauthorized access by insider
[Architecture diagram. Nodes: web browser, Web server 1, Web server 2, Database server, Firewall, Authentication Server. Services shown: Graduation Eligibility Verification, Acceptance Notification, Financial Aid, Degree Certification, Academic Audit, Billing, Marketing and Recruiting, Student Application, E-Grades. Legend: terminal, compromised component, attacker trace, communication link, architecture node. Compromised component: Database server.]

14 IUS3: Unauthenticated access by outsider
How to attack
- An outside intruder accesses the SA servers by sending large volumes of improper requests
Who is the attacker
- Outsider (hackers, students from competing universities)
What are their objectives
- Bring down the servers and applications by overloading and crashing them
- Disclose private student data to embarrass CMU and obtain personal gain
Category of attack pattern
- Component access

15 IUS3: Unauthenticated access by outsider
[Architecture diagram. Nodes: web browser, Web server 1, Web server 2, Database server, Firewall, Authentication Server. Services shown: Graduation Eligibility Verification, Acceptance Notification, Financial Aid, Degree Certification, Academic Audit, Billing, Marketing and Recruiting, Student Application, E-Grades. Legend: terminal, compromised component, attacker trace, communication link, architecture node. Compromised components: Web server 1, Web server 2, Authentication Server.]

16 IUS4: Malicious code attack
How to attack
- Users download malicious code (e.g. trojan horses, viruses, worms) from outside the network, accidentally or intentionally
- Intruder installs malicious code directly
Who is the attacker
- Employees, CMU students, hackers, non-CMU students
What are their objectives
- Break data integrity, privacy and availability
Category of attack pattern
- Application content

17 Coming up next…
SNA Step 4
- Softspots
- Resistance, Recognition, Recovery
- Survivability Map
