KEEP ALL SECTION AND SUB-SECTION HEADERS AND NUMBERING AS IS
Mobile Application Threat Model Report
[name]
[date]
1.0 INTRODUCTION
Inject yourself into the given scenario and respond as the cyber threat analyst at a company wants to implement an initial specific mobile application. Provide an introduction to your company and work on providing mobile application security advice specific for this application to senior management. The advice might also apply to future mobile applications, but advice only relating to your specific first mobile application should be covered. What assumptions are you making? What is included and what is not included?
2.0 PURPOSE
Describe the purpose of your work as it relates to senior management making a decision to follow your recommendations and proceed with this mobile applications technology. What issue(s) is(are) being addressed? What aspects of security are key for the mobile application? Are there any specific laws, regulations, industry norms, etc. that must be followed? Reference and explain them.
3.0 MOBILE APPLICATION ARCHITECTURE
Integrate the Step1 description of the mobile application architecture in the scenario. Identify, describe and explain areas such as
· The purpose and intent of the specific first mobile application.
· Who and/or what systems are users of this application.
· An architecture diagram for your application should be provided and explained.
· A network diagram(s), including the related system(s) and end devices should be included and explained. Be sure to describe key aspects of the network, systems and devices, as related to this specific mobile application scenario only. Refer to and explain key elements, key OSs and key technologies in your diagram(s).
· My preference would be for you to focus most on the mobile architecture and less so on the networking. However, note that the traffic record analyses in the lab will give you guidance for the application architecture network protocols. So, you will be “forced” to consider the type of networking to be used.
· Provide one or two Use Case Scenarios and trace these scenarios in the architecture/network diagram(s) or any additional diagrams. Use Cases are a collection of separate statements of how the, in this case, mobile application would work in different situations (e.g., banking use cases, not necessarily, mobile application oriented, might be depositing a check to your savings account, transferring money from your savings account to your checking account, applying for a loan, etc.). Tracing involves showing the exact steps involved from beginning to end in the specific use case. If you cover one (two) use case(s), you would have one (two) unique and separate tracings (i.e., one (two) different diagrams).
· Identify the specific areas for security concern.
4.0 SECURITY REQUIREMENTS
Integrate the Step 2 requirements for this mobile application. Starting with a high-level statement of the security requ ...
Play hard learn harder: The Serious Business of Play
KEEP ALL SECTION AND SUB-SECTION HEADERS AND NUMBERING AS IS
1. KEEP ALL SECTION AND SUB-SECTION HEADERS AND
NUMBERING AS IS
Mobile Application Threat Model Report
[name]
[date]
1.0 INTRODUCTION
Inject yourself into the given scenario and respond as the cyber
threat analyst at a company wants to implement an initial
specific mobile application. Provide an introduction to your
company and work on providing mobile application security
advice specific for this application to senior management. The
advice might also apply to future mobile applications, but
advice only relating to your specific first mobile application
2. should be covered. What assumptions are you making? What is
included and what is not included?
2.0 PURPOSE
Describe the purpose of your work as it relates to senior
management making a decision to follow your recommendations
and proceed with this mobile applications technology. What
issue(s) is(are) being addressed? What aspects of security are
key for the mobile application? Are there any specific laws,
regulations, industry norms, etc. that must be followed?
Reference and explain them.
3.0 MOBILE APPLICATION ARCHITECTURE
Integrate the Step1 description of the mobile application
architecture in the scenario. Identify, describe and explain areas
such as
· The purpose and intent of the specific first mobile application.
· Who and/or what systems are users of this application.
· An architecture diagram for your application should be
provided and explained.
· A network diagram(s), including the related system(s) and end
devices should be included and explained. Be sure to describe
key aspects of the network, systems and devices, as related to
this specific mobile application scenario only. Refer to and
explain key elements, key OSs and key technologies in your
diagram(s).
· My preference would be for you to focus most on the mobile
architecture and less so on the networking. However, note that
the traffic record analyses in the lab will give you guidance for
the application architecture network protocols. So, you will be
“forced” to consider the type of networking to be used.
· Provide one or two Use Case Scenarios and trace these
3. scenarios in the architecture/network diagram(s) or any
additional diagrams. Use Cases are a collection of separate
statements of how the, in this case, mobile application would
work in different situations (e.g., banking use cases, not
necessarily, mobile application oriented, might be depositing a
check to your savings account, transferring money from your
savings account to your checking account, applying for a loan,
etc.). Tracing involves showing the exact steps involved from
beginning to end in the specific use case. If you cover one (two)
use case(s), you would have one (two) unique and separate
tracings (i.e., one (two) different diagrams).
· Identify the specific areas for security concern.
4.0 SECURITY REQUIREMENTS
Integrate the Step 2 requirements for this mobile application.
Starting with a high-level statement of the security required for
this mobile application, work your way to more detailed
security requirements and identify the specific application
architecture, network and system components to which these
requirements apply. Note that requirements statements are
needs, such as non-repudiation, integrity, etc. for a specific
aspect of the application, network, data, etc. The statement does
not include specific implementation that achieves these. Also
note that you are writing about what is needed and not about
what your application, network, etc. already has.
4.0 THREATS AND THREAT AGENTS
Integrate the Step 3 description of threats and threat agents and
your relevant Step 5 lab results which specifically pertain to
this mobile application’s data. Indicate if the threats and threat
agents are dependent on specific OSs, platforms or mobile
technology related to the application.
4. 5.0 METHODS OF ATTACK
Integrate the Step 4 methods of attacks and your relevant Step 5
lab results which specifically pertain to this mobile
application’s data. A clear and professional presentation of this
material might provide threat agent use cases (e.g., a step by
step description of how the threat agents conduct their attack)
and diagrams to refer to while describing the steps.
6.0 SECURITY CONTROLS
Integrate your Step 6 research into this section. Note that there
usually are multiple ways of mitigating or control security
issues and to achieve the security requirements and you will
need to guide senior leadership in which to select and which
selected controls to be implemented first, second, etc.
Summarize, explain and discuss
· Specific controls which could achieve your security
requirements and/or prevent the attacks you covered for this
mobile application
· Cover your controls according to platform (e.g., Apple/iOS,
Android, Windows Mobile, BlackBerry)
· What are the controls to achieve the security requirements
and/or prevent each attack?
· What are the controls to detect each attack?
· What are the controls to mitigate/minimize the impact of each
attack?
· What are the privacy controls which protect users’ private
information (e.g., a security prompt before users access an
address book or allow geolocation) for your application?
The use of tables could greatly clarify and help with
understanding. Your table should map each control to each
specific attack you covered, provide a projected level of
5. effectiveness if implemented and indicate some aspect such as
cost, complexity, skills required, time required, staff required,
etc. for specifying, implementing, operating and maintaining the
control. You may find such data in your research and/or create
your own reasonable assessments. This data will be useful to
senior management in making their decisions based on a desire
to achieve a specific level of risk management.
7.0 RECOMMENDATIONS
Summarize only your main points that senior leadership needs
to know to do their job and present your specific
recommendations. If there are multiple recommendations or
several steps, recommend the sequence or roadmap that should
be taken. Provide some reasoning for this sequence based on the
data in your table.
8.0 SUMMARY OF REFERENCES
Provide your summary list of references using proper APA
format. (Use in-line citations with proper APA format
throughout the report.)
APPENDIX-LAB REPORT
Provide screenshots of the tools and specific results from your
Step 5 lab experience, as well as answer any lab questions. Your
specific insights, comparisons and results which are important
for confirming your vulnerability discussions, the requirements
and controls should be explicitly identified and used in the
report, above. Your lab report should demonstrate significant
coverage of the lab cases.
Page 3 of 4