Threat Modeling report

We use many different types of risk management methodologies and tools. A part of the process involves identifying the threats to our system, generally by attackers who would harm our systems and data (assets). I’ve included a project that walks you through a simple threat modeling exercise, using STRIDE, which you will apply using a scenario, to understand the basic process.

1. Read the threat modeling article using STRIDE located at and complete a threat model and risk management plan.
2. Read the attached Project description. You will create a report for your “boss” identifying the threats to your systems/assets in the scenario, who the attackers are, how they will attack (using STRIDE), and will make recommendations for security controls (use your textbook, too).

Project: Threat Modeling with STRIDE
This project provides an opportunity to apply the concepts of using a Threat Modeling methodology,
STRIDE, against a fictitious Healthcare organization’s application.
Learning Objectives and Outcomes
You will gain an overall understanding of risk management, its importance, and critical processes
required when developing a threat model as a part of risk management for an organization.
Required Source Information and Tools
Web References:
As discussed in this course, risk management is an important process for all organizations. This is
particularly true in information systems, which provide critical support for organizational missions. The
project activities described in this document allow you to fulfill the role of an employee participating in the
risk management process in a specific business situation, identifying the threats and vulnerabilities facing
your organization.
Submission Requirements
All project submissions should follow this format:

Format: Microsoft Word or compatible

Font: Arial, 10-point, double-space

Citation Style: APA style. Any work copied from Internet or other sources will automatically
receive a 0.
You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a
fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network
has over 600 employees throughout the organization and generates $500 million USD in annual
revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia,
which support a mix of corporate operations. Each corporate facility is located near a co-location
data center, where production systems are located and managed by third-party data center
hosting vendors.
Company Products
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the company. The service handles secure electronic
medical messages that originate from its customers, such as large hospitals, which are then routed to
receiving customers such as clinics over the Internet. Information transmitted over this network includes
patient health information, X-rays, bloodwork, and diagnoses.
HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the
management of secure payments and billing. The HNetPay Web portal, hosted at Health Network
production sites, accepts various forms of payments and interacts with credit-card processing
organizations much like a Web commerce shopping cart. The Web portal is hosted on a Windows IIS
Web server. Data from the portal is stored in an Oracle database on a Unix server.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health
Network customers to find the right type of care at the right locations. It contains doctors’ personal
information, work addresses, medical certifications, and types of services that the doctors and clinics
offer. Doctors are given credentials and are able to update the information in their profile. Health Network
customers, which are the hospitals and clinics, connect to all three of the company’s products using
HTTPS connections. Doctors and potential patients are able to make payments and update their profiles
using Internet-accessible HTTPS Web sites. You have already run a Nessus scan and used nmap to
determine vulnerabilities.
Information Technology Infrastructure Overview
Health Network operates in a production data center that provides high availability across the company’s
products. The data center hosts about 1,000 production servers, and Health Network maintains 650
corporate laptops and company-issued mobile devices for its employees. Employees are allowed to
work from home, using their company-issued laptops. There is also a wireless network available at work.
For the project, you must create a threat model, using STRIDE (remember to use the information in
the article at the Web link, to understand these sections). To do so, you must analyze the data and
create a threat model document that contains the following sections:
1. A section titled Attacker Viewpoint discussing framing the threat from the mindset of the
perceived attacker. Address the following questions: 5 points.
a. Who is likely to attack the system?
b. What are they likely to attack to accomplish their goal?
2. A section titled Asset Viewpoint discussing the organization’s assets from the information
provided in the scenario, above. Be sure to also address the following questions (I recommend
placing this in a table). 15 points
a. What is the asset?
b. What value does the asset have to the organization?
c. How might that asset be exploited by an attacker?
3. A section, titled STRIDE, that will identify the following security threats for six different categories,
as discussed in the article in the Web reference you were asked to read, as they apply to this
scenario. Include the following: 60 points
a. Spoofing – address any spoofing threats that might be present in the applications or
systems. Include the ramifications (impact) of a spoofing attack.
b. Tampering – address any data or databases that might be subject to data tampering
(applications, for instance, that might be vulnerable to cross site scripting attacks or SQL
injection in the healthcare organization scenario, above).
c. Repudiation – address where repudiation attacks might be possible in the organization.
d. Information disclosure – address where there may be the likelihood for a data breach in
the organization’s assets listed in the scenario that would allow the attacker to access
private information (or, worse, patient health information). Discuss the laws and
regulations that would be impacted and the ramifications (impact and penalties) that
would be incurred by this organization in that event.
e. Denial of Service – discuss the potential for service interruptions for those systems or
applications connected to the Internet. Which systems are vulnerable? What would be
the impact to the organization for each connected system, if it were to be unavailable?
f. Elevation of Privilege – discuss the systems and applications that might be subject to
an attacker elevating his privilege levels (think of a patient database – what would
happen if the attacker was able to gain Administrator access to the database?).
4. A section, titled Risk Mitigation Plan, that summarizes your findings for the boss and discusses
the security controls that you recommend for each of the potential attacks that you have
identified. This can be summarized using the table I’ve provided for you below for each of your
threats. Remember to assign the implementation of the recommended security control to a
role within the organization (you can use a generic role, such as System Administrator,
Database Admin, Security Officer, etc. – your textbook and other supplemental readings listed
different organizational roles responsible for managing risk) 20 points.
Risk Mitigation Plan:
Security Control