Threat Modelling Report: Identifying Threat Types and Key Factors Involved

Task

You are required write a Threat modelling report in response to a case scenario by identifying the threat types and key factors involved. This assessment is intended to build your fundamental understanding of these key threats so that you will be able to respond/mitigate those factors.

Task Instructions

1. Carefully read the attached the case scenario to understand the concepts being discussed in the case.

2. Review your subject notes to establish the relevant area of investigation that applies to the case. Re-read any relevant readings that have been recommended in the case area in modules. Plan how you will structure your ideas for the threat model report.

3. Draw a use DFDs (Data Flow Diagrams):

• Include processes, data stores, data flows

• Include trust boundaries (Add trust boundaries that intersect data flows)

• Iterate over processes, data stores, and see where they need to be broken down

• Enumerate assumptions, dependencies

• Number everything (if manual)

• Determine the threat types that might impact your system

• STRIDE/Element: Identifying threats to the system.

• Understanding the threats (threat, property, definition)

Case Scenario

The Business & Communication Insurance (B&C Insurance) began business as a private health insurer, established by Gary RT.L & family in 1965 through the Health Insurance Commission. This company was set up to compete with private "for-profit" funds. The company’s headquarters is located in New York and has offices in various other countries including Spain, Australia and Hong Kong. The CEO of the B&C Insurance recently received a ransom email from an unknown company claiming that they have access to the company strategic plans and personal details of 200,000 clients. A sample of personal details of 200 clients was included in the email as a ‘proof’.

Ransom emails are normally sent through unreliable external networks that are outside the company’s security boundary. The CEO consulted the senior management and they acted promptly to investigate and contain the threat with the aid of forensic computer specialists. The first step was to validate the threat. The management team found a discussion on a hacker site in the dark net that had personal information of 200,000 clients of B&C Insurance for sale. This also included the details of the 200 clients, provided in the ransom email as ‘proof’. The investigation also confirmed that the details of the 200 customers are genuine.

The senior management considered the need to identify threats and give practical guidance on how to manage the risks of identity fraud to be of utmost importance. Therefore, a team of consultants was appointed to prepare a series of reports to identify various threats and to develop cybersecurity crisis management plans in order to respond to potential threats/ risks of sophisticated hackers penetrating into the internal systems of the company and accessing client information.

As the cybersecurity specialist in the team, you have been asked to write a report to identify the threat types and key factors involved. In doing so, you are required to identify the most ‘at-risk’ components, create awareness among the staff of such high-risk components and how to manage them. In addition, this report is to help key stakeholders, including the executive managers, to make decisions on what course of actions must be undertaken to mitigate potential threats.