Cyber

KEEP ALL SECTION AND SUB-SECTION HEADERS AND NUMBERING AS IS

Mobile Application Threat Model Report

[name]

[date]

1.0 INTRODUCTION

Inject yourself into the given scenario and respond as the cyber threat analyst at a company wants to implement an initial specific mobile application. Provide an introduction to your company and work on providing mobile application security advice specific for this application to senior management. The advice might also apply to future mobile applications, but advice only relating to your specific first mobile application should be covered. What assumptions are you making? What is included and what is not included?

2.0 PURPOSE

Describe the purpose of your work as it relates to senior management making a decision to follow your recommendations and proceed with this mobile applications technology. What issue(s) is(are) being addressed? What aspects of security are key for the mobile application? Are there any specific laws, regulations, industry norms, etc. that must be followed? Reference and explain them.

3.0 MOBILE APPLICATION ARCHITECTURE

Integrate the Step1 description of the mobile application architecture in the scenario. Identify, describe and explain areas such as

· The purpose and intent of the specific first mobile application.

· Who and/or what systems are users of this application.

· An architecture diagram for your application should be provided and explained.

· A network diagram(s), including the related system(s) and end devices should be included and explained. Be sure to describe key aspects of the network, systems and devices, as related to this specific mobile application scenario only. Refer to and explain key elements, key OSs and key technologies in your diagram(s).

· My preference would be for you to focus most on the mobile architecture and less so on the networking. However, note that the traffic record analyses in the lab will give you guidance for the application architecture network protocols. So, you will be “forced” to consider the type of networking to be used.

· Provide one or two Use Case Scenarios and trace these scenarios in the architecture/network diagram(s) or any additional diagrams. Use Cases are a collection of separate statements of how the, in this case, mobile application would work in different situations (e.g., banking use cases, not necessarily, mobile application oriented, might be depositing a check to your savings account, transferring money from your savings account to your checking account, applying for a loan, etc.). Tracing involves showing the exact steps involved from beginning to end in the specific use case. If you cover one (two) use case(s), you would have one (two) unique and separate tracings (i.e., one (two) different diagrams).

· Identify the specific areas for security concern.

4.0 SECURITY REQUIREMENTS

Integrate the Step 2 requirements for this mobile application. Starting with a high-level statement of the security required for this mobile application, work your way to more detailed security requirements and identify the specific application architecture, network and system components to which these requirements apply. Note that requirements statements are needs, such as non-repudiation, integrity, etc. for a specific aspect of the application, network, data, etc. The statement does not include specific implementation that achieves these. Also note that you are writing about what is needed and not about what your application, network, etc. already has.

4.0 THREATS AND THREAT AGENTS

Integrate the Step 3 description of threats and threat agents and your relevant Step 5 lab results which specifically pertain to this mobile application’s data. Indicate if the threats and threat agents are dependent on specific OSs, platforms or mobile technology related to the application.

5.0 METHODS OF ATTACK

Integrate the Step 4 methods of attacks and your relevant Step 5 lab results which specifically pertain to this mobile application’s data. A clear and professional presentation of this material might provide threat agent use cases (e.g., a step by step description of how the threat agents conduct their attack) and diagrams to refer to while describing the steps.

6.0 SECURITY CONTROLS

Integrate your Step 6 research into this section. Note that there usually are multiple ways of mitigating or control security issues and to achieve the security requirements and you will need to guide senior leadership in which to select and which selected controls to be implemented first, second, etc. Summarize, explain and discuss

· Specific controls which could achieve your security requirements and/or prevent the attacks you covered for this mobile application

· Cover your controls according to platform (e.g., Apple/iOS, Android, Windows Mobile, BlackBerry)

· What are the controls to achieve the security requirements and/or prevent each attack?

· What are the controls to detect each attack?

· What are the controls to mitigate/minimize the impact of each attack?

· What are the privacy controls which protect users’ private information (e.g., a security prompt before users access an address book or allow geolocation) for your application?

The use of tables could greatly clarify and help with understanding. Your table should map each control to each specific attack you covered, provide a projected level of effectiveness if implemented and indicate some aspect such as cost, complexity, skills required, time required, staff required, etc. for specifying, implementing, operating and maintaining the control. You may find such data in your research and/or create your own reasonable assessments. This data will be useful to senior management in making their decisions based on a desire to achieve a specific level of risk management.

7.0 RECOMMENDATIONS

Summarize only your main points that senior leadership needs to know to do their job and present your specific recommendations. If there are multiple recommendations or several steps, recommend the sequence or roadmap that should be taken. Provide some reasoning for this sequence based on the data in your table.

8.0 SUMMARY OF REFERENCES

Provide your summary list of references using proper APA format. (Use in-line citations with proper APA format throughout the report.)

APPENDIX-LAB REPORT

Provide screenshots of the tools and specific results from your Step 5 lab experience, as well as answer any lab questions. Your specific insights, comparisons and results which are important for confirming your vulnerability discussions, the requirements and controls should be explicitly identified and used in the report, above. Your lab report should demonstrate significant coverage of the lab cases.

Page 3 of 4