Answered step by step
Verified Expert Solution
Question
00
1 Approved Answer
System Description Consider a carpooling system where users can register, create profiles, list, and book ride. The system uses different matching algorithms to pair the
System Description Consider a carpooling system where users can register, create profiles, list, and book ride. The system uses different matching algorithms to pair the passengers with suitable drivers based on various constraints such as location, time, destination etc. The system provides both a web interface and a mobile application for users to interact with it It also contains three servers: a web server to handle http requests, an application server to implement the business logic and a database server. Thirdpart services including a payment gateway and geolocation services are used by this system. Instructions. Your task is to first identify security requirements for this system and then perform threat analysis. You might need to make some assumptions about the scenario and justify them, eg assume that a specific component has a specific type of vulnerability, or the driver uses a particular type of device with known security weaknesses, etc. Your threat analysis should answer the following three questions: I. Identify three applicationspecific security requirements for this system which directly impact the passengers. Each requirement is meant to ensure a security property corresponding to an aspect of STRIDE. Note: A security requirement is a statement that describes the required security functionalities to ensure certain security properties, such as integrity, availability, confidentiality, etc. An example of a general security requirement is The system should use twofactor authentication to authenticate users II Design a FAIR Loss Scenario involving thirdparty services which violates two of the security requirements identified in I You need to identify all the relevant elements of the loss scenario according to the FAIR methodology See the slides Which requirements are violated by this? III. Draw an attack tree for your scenario which contains at least four levels of nodes and engages with the scenario. Give a brief description of your attack tree and suggest mitigations to protect again this threat using MITRE ATT@CK mitigations. Your attack tree should refine the attack steps as far as possible and include concrete steps. You are advised to consult MITRE ATT@CK framework to develop appropriate tactics and techniques.Rubric The following Rubric will be used for the assessment. 
System Description Consider a carpooling system where users can register, create
profiles, list, and book ride. The system uses different matching algorithms to pair the
passengers with suitable drivers based on various constraints such as location, time,
destination etc.
The system provides both a web interface and a mobile application for users to interact
with it It also contains three servers: a web server to handle http requests, an application
server to implement the business logic and a database server. Thirdpart services
including a payment gateway and geolocation services are used by this system.
Instructions. Your task is to first identify security requirements for this system and then
perform threat analysis. You might need to make some assumptions about the scenario
and justify them, eg assume that a specific component has a specific type of
vulnerability, or the driver uses a particular type of device with known security
weaknesses, etc. Your threat analysis should answer the following three questions:
I. Identify three applicationspecific security requirements for this system which
directly impact the passengers. Each requirement is meant to ensure a security
property corresponding to an aspect of STRIDE.
Note: A security requirement is a statement that describes the required security
functionalities to ensure certain security properties, such as integrity, availability,
confidentiality, etc. An example of a general security requirement is The system
should use twofactor authentication to authenticate users
II Design a FAIR Loss Scenario involving thirdparty services which violates two of
the security requirements identified in I You need to identify all the relevant
elements of the loss scenario according to the FAIR methodology See the slides
Which requirements are violated by this?
III. Draw an attack tree for your scenario which contains at least four levels of nodes
and engages with the scenario. Give a brief description of your attack tree and
suggest mitigations to protect again this threat using MITRE ATT@CK mitigations.
Your attack tree should refine the attack steps as far as possible and include
concrete steps. You are advised to consult MITRE ATT@CK framework to develop
appropriate tactics and techniques.Rubric
The following Rubric will be used for the assessment.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access with AI-Powered Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started