Plese make the drawing in hand writing $*$

CYS$402-$ ACTIVITY $3-$ CHAPTER

The purpose of this activity is to get you acquainted with writing abuse and misuse cases in tandem with writing use cases.

SYSTEM DESCRIPTION

An Internet$-$based information security lab, or lab, is a collection of systems and software used for teaching information security. Laboratory exercises give students practical experience with security vulnerabilities, security testing, and defenses. The students are not physically in the laboratory, but access it through the Internet. The lab comprises four kinds of entities: servers, sources, targets, and exercises. The first three are specially configured host systems in the lab. Servers provide presence for the students in the lab; servers do not participate in the exercises. Sources and targets participate in the exercises, with at least one source and target for each exercise. The exercises are either exploits or defenses, from the student's point of view. Each exercise has two parts: documentation and implementation. The documentation is provided by the instructor and usually consists of files and code samples that explain the exercise. Students are allowed to access the documentation for an exercise and are expected to construct and demonstrate an implementation. The instructor also provides a model solution which is not given to the students until the exercise is completed. Before each exercise, the lab is configured by an administrator. After the exercise is complete, the administrator restores the lab to an appropriate configuration.

SETUP

This is an individual activity. You are in charge of coming up with the system's functionality, as well as specifying the requirements.

ACTIVITY

Start up a document, call it "Requirements Specification for $x"$ where $x$ is the title of your system. Also, place the following headers in the document to be filled out:

Overview

Description

Actors

Security Goals

Use Cases

Primary Actor

Preconditions

Main Flow of Events

$[$Misuse$|$Abuse$]$ Case

Security Requirements

Elaborate on the requirements by outlining two use cases and filling in the Overview section. What is the system, in general? What are the general security goals of the system? Who are the actors $($both regular and malicious$)?$ Write the titles of three use cases, and define the relevant actors for each use case. Don't write the scenarios just yet.

Write the main flow for one use case. Make this about $4-10$ steps. Be specific about what information is being exchanged. You may add alternative flows if you see the need, but they are not required for this exercise.

Now write either a misuse case or abuse case $($your choice$)$ for that use case. A few notes:

Be sure to include both flow of events and harm done.

Make sure the flow affects your main flow, not your preconditions. You may violate a precondition in the process, but this section is for demonstrating how you can abuse$/$misuse the main flow.

Update the header to label each one as either Abuse or Misuse.

Your requirements document should have at least one abuse case and at least one misuse case, and three in total.

Submit the final document to LMS$.$