Lab Exercise: Threat Modelling for the ACME University Student Portal

Objective: To develop an attacker's mindset, understand how to proactively identify security risks in a system, and propose mitigation strategies.

Scenario

You are a security consultant hired by ACME University. They have recently deployed a student portal with the following features: $-$

$$ Access Class Schedules and Grades $-$ View current courses, transcripts, and grade history.

$$ Financial Information $-$ Pay tuition online, see outstanding balances, and apply for financial aid.

$$ Personal Profile $-$ Update address and phone number and choose emergency contacts.

$$ Messaging $-$ Basic system for communication with professors and other students in classes.

Your Tasks

$[1].$Identify the Assets

$$ What sensitive data does this system handle?

$$ Are there other less obvious assets that might be attractive to an attacker?

$[2].$Brainstorm Attack Vectors

$$ Consider web application vulnerabilities, network attacks, phishing, social engineering, and insider threats.

$$ Be specific! How exactly might an attacker exploit each weakness?

$[3].$Prioritise the Risks

$$ Which threats are most likely to happen?

$$ Which would have the most severe consequences if successful?

$[4].$Propose Mitigations

$$ For each major threat, describe how the university could: $-$

o Make the attack less likely to succeed.

o Reduce the potential damage if it does succeed.

Submission

$$ A document outlining your findings under headings: $-$ Assets, Attack Vectors, Risk Prioritization, Mitigations.

$$ Include a simple diagram of the system if it aids your explanation.