180 likes | 332 Views
Student Application System. SNA Step 3 Attacker Profiles and Scenarios. 11.14.2001. Student Application System. Timothy Mak (Team Leader) James Zujie Chi Dali Wang Maria Stattel Andy Teng Hyoungju Yun John Rinderie Ron Urwongse. Team Activities. Project Timeline.
E N D
Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001
Student Application System • Timothy Mak (Team Leader) • James Zujie Chi • Dali Wang • Maria Stattel • Andy Teng • Hyoungju Yun • John Rinderie • Ron Urwongse
Essential Services and Assets • Marketing and Recruiting • Student Application for Admission • Acceptance Notification • Financial Aid • Billing • E-Grades • Graduation Eligibility Verification • Degree Certification • Academic Audit
Intrusion Usage Scenarios • Legal login by unauthorized user • Unauthorized access by insider • Unauthenticated access by outsider • Malicious code attack
IUS1: Legal Login by unauthorized user • How to attack • An unauthorized user logins using password by sniffing or social engineering and then views, modifies or deletes private student data • Who is the attacker • Employees, CMU students, Hackers, Non-CMU students • What are their objectives • View, modify or delete private student data • Category of attack pattern • User access
Web server 2 Web server 1 Architecture Node Attacker Trace Communication Link Compromised Component IUS1: Legal Login by unauthorized user Web browser Acceptance Notification Student Application Degree Certification Authentication Server Financial Aid Marketing and Recruiting Academic Audit E-Grades Graduation Eligibility Verification Billing Terminal Firewall Database server Database server
IUS2: Unauthorized access by insider • How to attack • Inside intruder accesses servers (Web/Database) physically to view, modify or delete the data • Inside intruder accesses servers via system administrator access rights to view, modify or delete data • Who is the attacker • Insider (employees, specifically those holding system administrator rights) • What are their objectives • View, modify or delete private student data • Category of attack pattern • User access
Web server 2 Web server 1 Architecture Node Attacker Trace Communication Link Compromised Component IUS2: Unauthorized access by insider Web browser Acceptance Notification Student Application Degree Certification Authentication Server Financial Aid Marketing and Recruiting Academic Audit E-Grades Graduation Eligibility Verification Billing Terminal Firewall Database server Database server
IUS3: Unauthenticated access by outsider • How to attack • An outsider intruder accesses SA servers by sending loads of improper requests • Who is the attacker • Outsider (hackers, students from competitive universities) • What are their objectives • To bring down the servers and applications via overloading them and crashing them • Disclose private student data to embarrass and obtain the personal gain • Category of attack pattern • Component access
Web server 2 Web server 2 Web server 1 Web server 1 Architecture Node Attacker Trace Communication Link Compromised Component IUS3: Unauthenticated access by outsider Web browser Acceptance Notification Student Application Degree Certification Authentication Server Authentication Server Financial Aid Marketing and Recruiting Academic Audit E-Grades Graduation Eligibility Verification Billing Terminal Firewall Database server
IUS4: Malicious code attack • How to attack • Users download malicious code (e.g. trojan horses, viruses, worms) from outside the network accidentally or intentionally • Intruder installs malicious code directly • Who is the attacker • Employees, CMU students, Hackers, Non-CMU students • What are their objectives • Break data integrity, privacy and availability • Category of attack pattern • Application content
Coming up next… • SNA Step 4 • Softspots • Resistance, Recognition, Recovery • Survivability Map