ISOL 536
Security Architecture and Design
Lab: Threat Modeling Design
Submitted to
Dr. Charles DeSassure, Professor
University of the Cumberlands
Submitted in Partial Fulfillment of the Requirements for
Fall 2019
by
Type your full name (delete this line)
Type the current date (delete this line)
Business Profile
Type using single line spacing.
Delete all information that is typed in red before uploading.
Change your font color to black print.
Create your own business name and provide an overall of the company. Type the information below within paragraph format on this page.
· Include what type of company and services provides.
· Location
· One location or multiple locations
· International company or not
· Web services provided or not
· Number of employees
· Hours of operation
· This should be one page (lose points if more than one page)
Business Mission Statement
Create a Mission Statement for your business. Please research what is a Mission Statement for personal development.
Delete all information that is typed in red before uploading.
Change your font color to black print.
Threat Model Design
This information will depend on your business.
After reviewing video #9, create a design that represents your company. Delete all information that is typed in red before uploading.
Change your font color to black print.
Threat Model Data Flow Diagram
This information will depend on your business.
After reviewing video #10, create a data flow diagram that represents your company.
Delete all information that is typed in red before uploading.
Change your font color to black print.
Threat Modeling Summary for this project.
Provide a summary of your report. Explain how Threat Modeling may help your company.
Single line spacing.
Delete all information that is typed in red before uploading.
Change your font color to black print.
2
REQUIRED ESSAY RESOURCES- COINTELPRO
· (2011). Freedom Archives: Cointelpro 101 [Video file]. MVD Entertainment Group. [Available through Humber’s streaming video collection.]
https://humber.kanopy.com/video/freedom-archives-cointelpro-101
· Khalsa, I. (Director). (2017). WAR / PEACE [Video file]. Monarch Films. [Available through Humber’s streaming video collection.]
https://humber.kanopy.com/video/war-peace
· Shames, S. & Seale, B. (2016). “Free Huey,” in Power to the People: The world of the Black Panthers. New York: Abrams
https://journals.openedition.org/ejas/14273
· (at least) 3 sources you find on your own
WHEN YOU GO ON THE FIRST TWO RESOURCES, YOU WILL NEED MY STUDENT INFORMATION.
STUDENT #: N01164118
PASSWORD: Popanda2
POLS 3003 – Revolutions and Revolutionaries
Final Essay (30%)
Instructions: Please fully answer the essay question below. You will be evaluated based on how much
correct and relevant information you summaries into a coherent argument. Your essay will also be
evaluated on the quality of your research and your sources, as well as the form ...
ISOL 536Security Architecture and DesignLab Threat Mod.docx
1. ISOL 536
Security Architecture and Design
Lab: Threat Modeling Design
Submitted to
Dr. Charles DeSassure, Professor
University of the Cumberlands
Submitted in Partial Fulfillment of the Requirements for
Fall 2019
by
Type your full name (delete this line)
Type the current date (delete this line)
Business Profile
Type using single line spacing.
Delete all information that is typed in red before uploading.
Change your font color to black print.
Create your own business name and provide an overall of the
company. Type the information below within paragraph format
on this page.
· Include what type of company and services provides.
· Location
· One location or multiple locations
· International company or not
· Web services provided or not
· Number of employees
· Hours of operation
· This should be one page (lose points if more than one page)
2. Business Mission Statement
Create a Mission Statement for your business. Please research
what is a Mission Statement for personal development.
Delete all information that is typed in red before uploading.
Change your font color to black print.
Threat Model Design
This information will depend on your business.
After reviewing video #9, create a design that represents your
company. Delete all information that is typed in red before
uploading.
Change your font color to black print.
Threat Model Data Flow Diagram
This information will depend on your business.
After reviewing video #10, create a data flow diagram that
represents your company.
Delete all information that is typed in red before uploading.
Change your font color to black print.
3. Threat Modeling Summary for this project.
Provide a summary of your report. Explain how Threat
Modeling may help your company.
Single line spacing.
Delete all information that is typed in red before uploading.
Change your font color to black print.
2
REQUIRED ESSAY RESOURCES- COINTELPRO
· (2011). Freedom Archives: Cointelpro 101 [Video file]. MVD
Entertainment Group. [Available through Humber’s streaming
video collection.]
https://humber.kanopy.com/video/freedom-archives-cointelpro-
101
· Khalsa, I. (Director). (2017). WAR / PEACE [Video file].
Monarch Films. [Available through Humber’s streaming video
collection.]
https://humber.kanopy.com/video/war-peace
· Shames, S. & Seale, B. (2016). “Free Huey,” in Power to the
People: The world of the Black Panthers. New York: Abrams
https://journals.openedition.org/ejas/14273
· (at least) 3 sources you find on your own
WHEN YOU GO ON THE FIRST TWO RESOURCES, YOU
WILL NEED MY STUDENT INFORMATION.
STUDENT #: N01164118
PASSWORD: Popanda2
POLS 3003 – Revolutions and Revolutionaries
4. Final Essay (30%)
Instructions: Please fully answer the essay question below.
You will be evaluated based on how much
correct and relevant information you summaries into a coherent
argument. Your essay will also be
evaluated on the quality of your research and your sources, as
well as the formatting, spelling and
presentation of your essay.
Top marks will only be given to students who demonstrate
comprehension of the subject matter
through credible and appropriate research , coherent and well-
reasoned arguments, that are presented
with care and attention to detail, and also submitted on or
before the due date.
I will use a rubric to mark your essay. It can be found with the
essay link. Please take a look at that
before writing your essay. I have also uploaded an FAQ sheet
about essays and a template to help you
format your essay correctly and cite your sources correctly.
Please note that each essay has required sources that you must
use to do well on the essay. They are
found below.
Submission rules and due dates:
Please check your Critical Path for the due date of this essay.
Your essay is to be 6-8 pages of written text (not including title
page, or reference page.)
5. The essay is to be in type 12 font, New Times Roman (or Ariel,
Veranda or similarly readable font.)
Your essay is to be submitted through Blackboard’s drop box,
found in the Assignments tab. It musts be
submitted at or before 11:59pm of the due date on the Critical
Path in order be counted as being on
time. A late penalty of 5%/day applies to all essays submitted
late. This includes weekend days.
Please note: Any essay that shows signs of plagiarism will be
given an automatic 0% until we have a
meeting at which point a final penalty will be determined
(which may include removal from the course
and a permanent record on your transcript.)
Essay Question:
Was COINTELPRO justified?
There is a story to be told here! It begins with a group called
‘The Citizens Commission to Investigate
the FBI.’ Who were they and what did they find? There is a
secret operation by the government to spy
on American citizens and disrupt political groups. Why? In
this essay you need to find the answer to
these questions, and explain what COINTELPRO was. You are
to take a position on whether the
government was justified or not when it in conducted the
COINTELPRO operations. You need to provide
a coherent argument for your position based on a logical
presentation of your research. In your essay I
6. will be looking for you to incorporate any relevant course ideas,
concepts, theories and theorists in your
analysis. (Please look at the required resources below).
I will be looking that you included the following in your essay
(not necessarily in this order):
An explanation of the socio-political context of the USA in the
1960s and 1970s
An account of the role and responsibilities of the state, based
on political theories
A summary of the history of COINTELPRO
An argument based on evidence and theories as to why or why
not these operations were
justified
Required resources:
This essay has some required resources that you must use in
order to answer the question. You are to
supplement these resources with at least three sources of your
own. The best sources are chapters
from books written by experts or journal articles. In some
cases, extended magazine articles may be
used. Wikipedia, History.com, SparkNotes, as well as
encyclopedias, dictionaries, blogs and similar
sources are not sufficiently rigorous and useful and therefore
should NOT be used in your essay. If you
have any questions about determining the quality of sources
please check with your professor.
However, a good guide is Humber’ Library, which has many
high quality sources.
7. Required Essay Resources – COINTELPRO
(2011). Freedom Archives: Cointelpro 101 [Video file]. MVD
Entertainment Group. [Available through
Humber’s streaming video collection.]
Khalsa, I. (Director). (2017). WAR / PEACE [Video file].
Monarch Films. [Available through Humber’s
streaming video collection.]
Shames, S. & Seale, B. (2016). “Free Huey,” in Power to the
People: The world of the Black Panthers.
New York: Abrams. [Available online through Humber’s online
catalogue.]
+ (at least) 2 sources you find on your own.
Which Threat Modeling Tool is Right for You?
Microsoft TMT vs. ThreatModelerTM
by Reef Dsouza, Security Consultant at Amazon Web Services
Ubiquitous cyber attackers pose constant challenges to even the
most robust security
fortifications. They add a plethora of new threats daily to the
8. cyber-ecosystem. Cybersecurity
can no longer be just another cost of doing business. Senior
executives are increasingly
considering InfoSec and OpSec as strategic business
components. This is giving rise to
significant increases in security budgets. Market analysts expect
the cyber security market value
to top $201.36 billion by 2021.i To date, though, no matter how
much organizations beef up
their security defenses and big-data analytics capacity, it does
not seem to make a difference.
Malicious actors find a way through the defenses and go
undetected by the analytics.
Furthermore, attacks which at one time were considered
complex, requiring the resources and
commitment of large-scale organized crime or nation-states, are
now possible with freely
available, automated exploit tools. As long as organizations
take a defensive posture with their
IT security, they relinquish the initiative to attackers.
The most effective way for organizations to regain the initiative
and become proactive, rather
than reactive, with their IT security is to engage in threat
modeling. Military strategists have
used the concept of threat modeling for millennia. It is a means
of analyzing one’s security,
assets, and capabilities from the attacker’s perspective –
allowing for the identification and
prioritization of potential threats. Limited resources can then be
applied to the most critical
threats first, significantly enhancing the security posture
without increasing the required
resources.
Threat modeling came into the InfoSec mainstream in the early
9. 2000s.ii The goal was to build
security into applications at the design stage. Compared to the
cost of remediating
vulnerabilities discovered during scanning and pen-testing,
initial secure coding is about 15x
less expensive.iii Moreover, threat modeling reduces enterprise-
wide exposure to application
risk by identifying and recommending mitigating security
controls for potential threats that
vulnerability scanning and pen-testing miss.
Threat Modeling Tools
In response to the growing popularity of threat modeling,
Microsoft developed a free tool,
Microsoft SDL – first released in 2008 – to aid in the
development of threat models. This tool
was later replaced by Microsoft Threat Modeling Tool (TMT),
which has an updated 2016
version. Microsoft’s public domain tools were the only threat
modeling tools widely available
until ThreatModelerTM was first released in 2011.
The Microsoft tools are based on Microsoft’s threat modeling
methodology (sometimes
referred to as the STRIDE methodology) – which is focused on
promoting secure initial coding in
Microsoft’s development environment for the Windows
platform.iv This methodology also
requires users to build threat models using data flow diagramsv
– a throwback to the 1970s-era
system engineering abstraction of how data is moved, stored,
and manipulated by a single
application. As a result, the Microsoft tools have limited
10. functionality as an enterprise-level
threat modeling tool.
ThreatModelerTM, on the other hand, is based on the Visual,
Agile, and Simple Threat modeling
methodology (VAST).vi This methodology was specifically
designed to support DevOps teams
working within Agile methodologies and to allow an
organization to scale its threat modeling
practice across hundreds or even thousands of threat models
without a significant increase in
required resources. Creating an application threat model in
ThreatModelerTM begins with the
creation of a visual representation of the application using a
process flow diagram.vii Process
flow diagrams represent applications in the same way
application architects and developers
whiteboard an application during the design phase This allows
developers or other stakeholders
without specific security expertise can create, update, and
interpret the visual decompositions
of the applications for which they are creating threat models.
Furthermore, well beyond the capabilities of TMT,
ThreatModelerTM also supports creation of
operational threat models.viii Operational threat models allow
the operations teams to create
an end-to-end threat model of the organizations entire IT
infrastructure system.
Moreover, with ThreatModelerTM, individual threat models can
be chained together, or nested
one within another.ix This allows organizations to identify and
contextually prioritize the
mitigating strategies for potential threats inherent to application
interactions, shared
11. infrastructure components, and 3rd party elements.
Features Comparison
Recently, members of the security community have requested a
comparison between
ThreatModelerTM and Microsoft’s TMT. In response, and in
collaboration with independent
sources, I created the following matrix to provide a head-to-
head comparison:
Conclusion
Even though ThreatModelerTM requires an initial investment
and an ongoing subscription, it provides
organizations with far more features and capabilities than
Microsoft’s Threat Modeler Too. These
additional features and capabilities innately enhance the
organization’s threat modeling capacity and
12. provide the outputs organizations need to understand their real-
time risk profile, the most important
threats faced by the organization, and the organization’s
comprehensive attack surface.
Using the “free” Microsoft TMT will cost organizations
significantly more in terms of ongoing labor,
missed opportunities, and lack of necessary information to
reduce risk organization-wide.
i “Cyber Security Market worth 202.36 Billion USD by 2021.”
MarketsandMarkets.com. 2016
http://www.marketsandmarkets.com/PressReleases/cyber-
security.asp
.
ii “Threat Modeling 101.” ThreatModeler.com. 2016.
http://threatmodeler.com/threat-modeling-101/
iii Tassey, Gregory. “The Economic Impacts of Inadequate
Infrastructure for Software Testing.” RTI Health, Social,
and Economics Research. National Institute of Standards and
Technology: Gaithersburg, MD. May, 2002.
https://www.nist.gov/sites/default/files/documents/director/plan
ning/report02-3.pdf
iv “Threat Model.” Wikipedia.com.
https://en.wikipedia.org/wiki/Threat_model
http://www.marketsandmarkets.com/PressReleases/cyber-
security.asp
13. http://threatmodeler.com/threat-modeling-101/
https://www.nist.gov/sites/default/files/documents/director/plan
ning/report02-3.pdf
https://en.wikipedia.org/wiki/Threat_model
v Agarwal, Archie. “Threat Modeling – Data Flow Diagram vs
Process Flow Diagram.” ThreatModeler.com. August
18 2016. http://threatmodeler.com/threat-modeling-data-flow-
diagram-vs-process-flow-diagram/
vi “Threat Modeling Methodology.” ThreatModeler.com. 2016.
http://threatmodeler.com/threat-modeling-
methodology/
vii Agarwal, Archie. “Threat Modeling – Data Flow Diagram vs
Process Flow Diagram.” ThreatModeler.com. August
18 2016. http://threatmodeler.com/threat-modeling-data-flow-
diagram-vs-process-flow-diagram/
viii Agarwal, Archie. “Application Threat Modeling vs
Operational Threat Modeling.” ThreatModeler.com.
September 6, 2016. http://threatmodeler.com/application-threat-
modeling-vs-operational-threat-modeling/
ix “Threat Model Chaining.” ThreatModeler.com. 2016.
http://threatmodeler.com/threat-model-chaining/
http://threatmodeler.com/threat-modeling-data-flow-diagram-vs-
15. threats. Identifying and addressing threats can save
organizations
ISOL 536 – Week 11 Lab Assignment
Threat Modeling Drawing
University of the Cumberlands
From Dr. Charles DeSassure
Fall 2019
millions of dollars in the end and prevent massive brand
corrosion
and operational headaches immediately.
Threat modeling tools have evolved to meet the changing
needs of the threat landscape. Threat modeling tools easier for
all developers through a standard notation for visualizing
system
components, data flows, and security boundaries. It also helps
threat modelers identify classes of threats they should consider
based on the structure of their software design.
ISOL 536 – Week 11 Lab Assignment
Threat Modeling Drawing
16. University of the Cumberlands
From Dr. Charles DeSassure
Fall 2019
For Week 11, you will complete a lab assignment with the
following:
• Use a business profile
• Use Threat Modeling design using correct symbols.
• Use Threat Modeling design using Data Flow symbols.
• Finally, both designs should possess a professional
appearance.