ICS: Written Homework: Rational Paranoia
Go up to the ICS HW page (md) | view tabbed version
Overview
This assignment will focus on analyzing security in three different scenarios; two of which you choose from the list below, and one of which you create yourself. The deliverable is a typed PDF document. You will need to be familiar with the Security Mindset slide set.
You will want to see the homeworks policies page (md) for formatting and other details. The due dates are listed on the Canvas landing page.
Changelog
Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.
Assignment
For each of the three total scenarios (two from our list, one of your own, as explained below), imagine that you are in charge of security. Apply the security mindset, discussed in the security mindset slide set, to answer these questions:
- What assets are important for you to protect?
- What security threats will you choose to defend against?
- What countermeasures can you justify, in terms of costs and benefits?
Answer each of the above in the form of a bulleted list, with brief justifications or explanations as necessary. State any critical assumptions you decide to make. Your grade will be based on the thoroughness, realism, and thoughtfulness of your analysis. We are more interested in quality than quantity. But if you want a length estimate, then one or two sentences for each “brief_explanation”, below, is reasonable. That being said, as long as you are being concise and not adding in fluff (see here (md) for a definition of fluff), they can be longer.
The following scenario is required:
- UVA is starting to use mobile ID cards, and the company they are contracting with (Atrium Campus Connect) has a sketchy and self-contradictory privacy policy that indicates they will sell the information they collect (see section 2.5: they can disclose your private information to companies with which they have “joint marketing agreements”; also section 2.7). How do you preserve your privacy when UVA is using such a system?
Pick one of the following scenarios.
- You are the chief of police for a university where there are expected to be protests, both peaceful and less than peaceful. How do you keep the students safe while allowing freedom of expression?
- You are trying to secure your home network. You have dozens of IoT devices, and individuals who install a lot of sketchy apps on their mobile phones. How do you secure this home network?
- UVA data breach! The 2FA (two factor authentication) that UVA uses is exploitable. A fix is in the works, but that will take two weeks to implement. In the mean time, how do you secure UVA’s logins?
In addition, come up with another scenario from everyday life that we have not discussed in class. Your choice can be directly related to computer security, but it does not have to be.
Submission Template
Obviously reformat this in your word processor of choice. The file to be submitted MUST BE A PDF DOCUMENT. Please name it paranoia.pdf. The page must be exactly three pages long, and each case must be on a separate page. The case that you come up with must be on page three. This is all to facilitate grading – the document is going to be split by pages, and each page will be graded separately.
1. (name_of_example)
[Assumptions: explain_assumptions]
Assets:
- Asset X: brief_explanation
- Asset Y: brief_explanation
- ...
Threats:
- Threat X: brief_explanation
- Threat Y: brief_explanation
- ...
Countermeasures:
- Countermeasure X: brief_justification
- Countermeasure Y: brief_justification
- ...
----
2. (name_of_example)
...
----
3. Original Scenario
explain_your_scenario
Assets:
...
Threats:
...
Countermeasures:
...File to submit
Submit the above as a PDF document, named paranoia.pdf. Make sure you follow the formatting guidelines mentioned above! In particular, each case should be on its own page, and the document should be exactly three pages long.
The submission is via Gradescope.