TOPICS FOR THE CIS 4615 EXAM on Threat Modeling

$Date: 2015/09/16 01:52:09 $

This exam covers topics from homework 1. It is related to the course
outcome [SecurelyConstruct].

REMINDERS

The exam will be open book, open notes, but no electronics. If you need
electronic material, print it and bring the printout. (Warning: don't
expect to learn the material during the exam.) A good idea for studying
is to condense your notes to a few pages of ready reference materials.

If you need more space, use the back of a page. When you do that, note
it on the front of that page.

Before you begin, please take a moment to look over the entire test so
that you can budget your time.

Clarity is important; if your answers are sloppy and hard to read, you
may lose some points.

READINGS

We recommend reading the materials referred to in the course syllabus.
In particular the following:

 * Suvda Myagmar, Adam J. Lee, and William Yurcik. "Threat modeling as a
   basis for security requirements." In IEEE Symposium on Requirements
   Engineering for Information Security (SREIS). Vol. 2005, 2005.
   https://people.cs.pitt.edu/~adamlee/pubs/2005/sreis-05.pdf

If you have time, see the course resources page for other readings.

TOPICS

In the following, I use + to denote relatively more important topics,
and - to denote relatively less important topics. Topics marked with ++
are almost certain to be on the exam. All of these are fair game, but if
you have limited time, concentrate on the ones that are more important
first (and within those, on the ones you are most uncertain about).
SKILLS [SecurelyConstruct]

 ++ Construct a network model of a networked system
    [HW1, network model of Quicken Bill Pay and Carbonite Backup Service]
 ++ Identify assets in a networked system
    [HW1, identify assets of Quicken Bill Pay and Carbonite Backup Service]
 +  Identify access points of a networked system
    [HW1, identify access points of Quicken Bill Pay and Carbonite Backup Service]
 ++ Identify threats to a networked system
    [HW1, identify threats to Quicken Bill Pay and Carbonite Backup Service]
 ++ Enumerate possible attacks on a networked system and rate their risk
    [HW1, identify attacks on Carbonite Backup Service]

CONCEPTS [SecurelyConstruct]

You should understand the following terms and be able to use them in
solving problems.

 ++ confidentiality
 ++ integrity
 ++ availability
 ++ network model
 ++ asset
 +  access point
 ++ threat
 ++ attack
 ++ risk