Project 3: Mobile Application Threat Modeling

Start Here

Transcript

Threat modeling begins with a clear understanding of the system in question. There are several areas to consider when trying to understand threats to an application. The areas of concern include the mobile application structure, the data, identifying threat agents and methods of attack, and controls to prevent attacks. The threat model should be created with an outline or checklist of items that need to be documented, reviewed, and discussed when developing a mobile application.

In this project, you will create a threat model. There are seven steps that will lead you through this project, beginning with the scenario as it might occur in the workplace, and continuing with Step 1: "Describe Your Mobile Application Architecture." Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than two weeks to complete.

The following are the deliverables for this project:

Deliverables

Threat Model Report: An eight- to 10-page double-spaced Word document with citations in APA format. The report should include your findings and any recommendations for mitigating the threats found. The page count does not include figures, diagrams, tables, or citations.
Lab Report: A Word document sharing your lab experience along with screenshots.
Competencies

Your work will be evaluated using the competencies listed below.

1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.4: Tailor communications to the audience.
2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
6.3: Specify security solutions based on knowledge of principles, procedures, and tools of data management, such as modeling techniques, data backup, data recovery, data directories, data warehousing, data mining, data disposal, and data standardization processes.
The following template is provided and must be followed to assist with the project above.

Threat Model Report

In your introduction, describe the reason for this report, for example: You are a cyber threat analyst for a mobile applications company. You have been assigned lead of a mobile application security project and have been tasked to prepare a report of threat models for this technology. This threat model report will discuss mobile application architecture, mobile data, threat agent identification, methods of attack, and possible controls. It is intended to provide senior management a greater understanding of mobile application security and its implementation.

Mobile Application Architecture

Architecture Considerations
Discuss architecture considerations for mobile applications. What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?

Mobile Application
Select and describe a mobile application. What are the common hardware components? What are the authentication specifics? Which architecture considerations are relevant to the mobile application you chose? What should or shouldn't the app do? Describe device-specific features used by the application, wireless transmission protocols, data transmission mediums, interaction with hardware components, and interaction with other applications.

Mobile Application Security
Identify the needs and requirements for application security, computing security, and device management and security. Describe the operational environment and use cases, and identify any operating system security and enclave/computing environment security concerns. This can be fictional or modeled after a real-world application.

Mobile Data

Business Requirements
Define what purpose the mobile app serves from a business perspective. In LEO Step 2, you will find a lengthy list of questions; consider them as you define this area as well as your data requirements below.

Data
Define what data the app will store, transmit, and receive. Include a data flow diagram to determine exactly how data is handled and managed by the application. You can use fictional information or model it after a real-world application. Place your figures at the bottom of this report in the "Figures" section. Refer to Figure X (assign a number) and discuss the data flow.

Threat Agent Identification
Discuss common security threats to the mobile application and identify the threat agents. Examples provided in LEO Step 3 include reverse engineering, weak passwords, outdated encryption algorithms, and lack of multifactor authentication. Be sure to research others that may be more significant and relevant to the mobile application you choose. In a separate paragraph, discuss the process for defining which threats apply to your mobile application. Your LEO tutorials discuss the Open Web Application Security Project (OWASP) as a resource, but again be sure to research others; the idea is not just to discuss threats but to explain the process behind determining what those threats are.

Methods of Attack
Identify and discuss the different methods an attacker can use to reach the data. This data can be information sensitive to the device or something sensitive to the app itself. Provide senior management with an understanding of the possible methods of attack on your selected mobile application.

Possible Controls
Discuss the controls to prevent attacks. In LEO Step 6, you will find a lengthy list of questions; consider them as you define this area.

Conclusion
This threat model report covered mobile application architecture, mobile data, threat agent identification, methods of attack, and possible controls. From here, discuss your overall conclusions and recommendations…

References
Aleisa, N. (2015). A comparison of the 3DES and AES encryption standards. International Journal of Security and Its Applications, 9(7). doi:10.14257/ijsia.2015.9.7.21
Defense Human Resource Activity. (n.d.). Common Access Card (CAC) Security. Retrieved from http://cac.mil/common-access-card/cac-security
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer Security: Guide to integrating forensic techniques into incident response: Recommendations of the National Institute of Standards and Technology (Special Publication 800-86). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspe…
Reith, M., Carr, C., & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1-12. Retrieved from http://www.just.edu.jo/~Tawalbeh/nyit/incs712/digi…
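The Data and Threat Agent Identification sections above ask for a data flow diagram and for the process behind deciding which threats apply. As an added example of one such process (it is not part of the course materials or the LEO tutorials), the Python script below applies STRIDE-per-element, a threat enumeration technique from Microsoft's SDL, to a constructed data flow diagram: each external entity, process, data store and flow receives the STRIDE categories normally considered for its kind, and flows that cross a trust boundary without transport protection are flagged separately. The application, its trust zones, flow names and channel labels are all assumptions chosen for illustration.

```python
"""STRIDE-per-element pass over a small mobile-app data flow diagram (DFD).

Added example for the threat agent identification step; it is not part of
the course project text. The application, its zones and its flows are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# STRIDE-per-element mapping: the threat categories normally considered
# for each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external":  ["Spoofing", "Repudiation"],
    "process":   ["Spoofing", "Tampering", "Repudiation",
                  "Information disclosure", "Denial of service",
                  "Elevation of privilege"],
    "datastore": ["Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"],
    "flow":      ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # "external", "process" or "datastore"
    zone: str    # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    data: str     # what the flow carries
    channel: str  # "local" (same device), "tls" or "plaintext"


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    note: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_element(self, e: Element) -> None:
        self.elements[e.name] = e

    def add_flow(self, f: Flow) -> None:
        # Refuse flows that reference elements the diagram never defined.
        for end in (f.src, f.dst):
            if end not in self.elements:
                raise ValueError(f"flow {f.name!r} references unknown element {end!r}")
        self.flows.append(f)


def crosses_boundary(dfd: Dfd, flow: Flow) -> bool:
    """True when the flow's endpoints sit in different trust zones."""
    return dfd.elements[flow.src].zone != dfd.elements[flow.dst].zone


def stride_threats(dfd: Dfd) -> list:
    """Enumerate STRIDE-per-element candidate threats for every element and flow."""
    threats = []
    for e in dfd.elements.values():
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, cat, f"{e.kind} in zone {e.zone!r}"))
    for f in dfd.flows:
        where = "crosses a trust boundary" if crosses_boundary(dfd, f) else "stays inside one zone"
        for cat in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(f.name, cat, f"carries {f.data!r} over {f.channel}; {where}"))
    return threats


def unprotected_boundary_flows(dfd: Dfd) -> list:
    """Names of flows that leave a trust zone without transport protection."""
    return [f.name for f in dfd.flows
            if crosses_boundary(dfd, f) and f.channel == "plaintext"]


def threats_by_category(dfd: Dfd) -> dict:
    """Summary count per STRIDE category, useful as a report table."""
    return dict(Counter(t.category for t in stride_threats(dfd)))


def build_sample_dfd() -> Dfd:
    """Constructed DFD for a hypothetical mobile banking-style app (assumption)."""
    d = Dfd()
    d.add_element(Element("User", "external", "user"))
    d.add_element(Element("MobileApp", "process", "device"))
    d.add_element(Element("AnalyticsSDK", "external", "third-party"))
    d.add_element(Element("APIGateway", "process", "backend"))
    d.add_element(Element("AccountDB", "datastore", "backend"))
    d.add_flow(Flow("login-input", "User", "MobileApp", "credentials", "local"))
    d.add_flow(Flow("api-session", "MobileApp", "APIGateway", "session token, account data", "tls"))
    d.add_flow(Flow("db-query", "APIGateway", "AccountDB", "account records", "plaintext"))
    d.add_flow(Flow("usage-events", "MobileApp", "AnalyticsSDK", "screen names, device id", "plaintext"))
    return d


if __name__ == "__main__":
    dfd = build_sample_dfd()
    for t in stride_threats(dfd):
        print(f"{t.target:14} {t.category:24} {t.note}")
    print("unprotected boundary flows:", unprotected_boundary_flows(dfd))
    print(threats_by_category(dfd))
```

Each candidate threat this produces is a row to accept, mitigate or discard with a written reason in the report; the per-category counts give the summary table, and the flagged flow (here the analytics feed leaving the device in the clear) is the kind of finding the Possible Controls section should answer.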