MPAI 750 Module 1 Assignment – Target Data of Interest Examples

Prenatal Testing Scenario and Reflection
September 9, 2019
Qualitative Mini Proposal
September 9, 2019

Part A. Simple Characterization of Data of Interest from NIST
Part B. Example 1 – List of Workers who have received Workers Compensation
Part C. Example 2 – An Attack on Retail: The Target Stores

Part A. Identify and Characterize the System and Data of Interest
The first step is to identify and characterize the system and data of interest. The system and data should be defined narrowly, pertaining to a particular logical set of data on a particular host or small group of closely related hosts and devices. Once the system and data are defined, they need to be characterized, which refers to understanding the system’s operation and usage to the extent needed for the organization’s data-centric system threat modeling approach. At an absolute minimum, characterization should include the following:
⦁ The authorized locations for the data within the system. This will include some or all of the following:
⦁ Storage: all places where data may be at rest within the system boundaries;
⦁ Transmission: all ways in which data may transit over networks between system components and across the system’s boundaries;
⦁ Execution environment: e.g., data held in local memory during runtime, data processed by virtual CPUs, etc.;
⦁ Input: e.g., data typed in using the keyboard; and
⦁ Output: e.g., data printed to a physically attached printer, data displayed on the laptop screen, etc.
⦁ A basic understanding of how the data moves within the system between authorized locations. For example, a file might be held in memory while it is being created and is only written out to storage when the user directs the system to do so. Depending on the complexity of the system, gaining this understanding may require first understanding the system’s functions and processes, users and usage scenarios, workflows, trust assumptions, and other aspects of people, processes, and technology related to the system.
⦁ The security objectives (e.g., confidentiality, integrity, availability) for the data. In many cases, some objectives are more important than others; in other cases, an organization may want to focus on a single objective for a particular threat model.
⦁ The people and processes that are authorized to access the data in a way that could affect the security objectives. For example, if an organization has selected confidentiality as its sole objective for a particular threat model, the authorized people and processes should include all users, administrators, applications, services, etc. who are allowed to read the data.”

Part B. Simple Example from NIST: List of Workers who have received Workers Compensation
Example Scenario Summary: The data of interest is a spreadsheet containing personally identifiable information (PII) for employees who have received workers’ compensation.
The system of interest comprises:
⦁ a human resource specialist’s laptop (spreadsheet is stored on and used from the laptop);
⦁ a USB flash drive (spreadsheet is backed up onto the USB flash drive); and
⦁ a printer (spreadsheet can be printed from the laptop to the printer).

The authorized locations for the data of interest are as follows:
⦁ Storage: Spreadsheet kept on a laptop hard drive, backup of spreadsheet kept on a USB drive;
⦁ Transmission: Sent to a printer over a wireless network;
⦁ Execution environment: Local laptop memory and processors;
⦁ Input: Typed in using the laptop keyboard; and
⦁ Output: Displayed to the screen.

Description: Data is input through the keyboard into the spreadsheet, which is temporarily held in the execution environment. As the user updates the spreadsheet, the data is displayed to the screen. When the user has completed editing the spreadsheet, the user directs the system to save the spreadsheet to the laptop hard drive. The user may also load the spreadsheet into the execution environment and print the spreadsheet to a nearby printer through a wireless network connection. Finally, the user occasionally copies the latest version of the spreadsheet from the laptop hard drive to a USB flash drive as a backup Although confidentiality, integrity, and availability all matter for the data of interest, confidentiality is considered so much more important that the organization has decided to perform its trust modeling in terms of confidentiality only. In this highly simplified example, the human resource specialist is the only person who is authorized to access the data

Part C. Example 2 – An Attack on Retail: The Target Stores

https://krebsons⦁ ecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target⦁ /
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company⦁ /
http://⦁ krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf
http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware⦁ /

                                                                                                                        EliteHomework