LAB: Threat modeling with STRIDE
You're going to do a (very) quick STRIDE analysis of a scenario, to help give you a sense of the flavor of formal threat modeling.
Here's the scenario. You have been asked to do a threat analysis of a door-entry system for an office building containing a medical insurance firm (or a jeweler, or a law firm, or a political campaign, or...). Once an attacker has entered this building, they are one step closer to obtaining people's private medical information (or gemstones, or info about pending lawsuits, or opposition research on candidates, or...). The door-entry system as it stands looks like this.
- At the entrance, there's a locked door.
- Standing next to the door there's a touchscreen kiosk similar to a check-in kiosk at an airport.
- The kiosk has a power cable going through a small hole into the building, where it is plugged into an outlet.
- There's no network cable, because the kiosk uses wifi.
- When a user arrives at the kiosk, they see a username/password login screen and a touchscreen keyboard.
- Once they have entered their credentials, the kiosk contacts a login server to check the password.
- The login server checks with a database running on the same machine. The machine is located in a locked closet in the basement of the building.
Depending on the server's response, the kiosk will do one of the following:
- Print an error "Invalid username"
- Print an error "Invalid password"
- Send a wifi signal to the door lock to unlock itself for 5 seconds
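
One way to lay the scenario out before starting the analysis, as an added example that is not part of the original lab: the sketch below models the system as a data-flow diagram and lists every (target, STRIDE category) pair to work through, using the common STRIDE-per-element chart. The trust-zone labels ("outside", "door", "closet") and the split of the kiosk's behavior into seven flows are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: categories conventionally asked of each DFD element type.
CHART = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # assumed physical trust zone, not stated in the lab text

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    channel: str

USER = Element("User", "external", "outside")
KIOSK = Element("Kiosk", "process", "outside")
LOCK = Element("Door lock", "process", "door")
SERVER = Element("Login server", "process", "closet")
DB = Element("Database", "store", "closet")
ELEMENTS = [USER, KIOSK, LOCK, SERVER, DB]
FLOWS = [
    Flow(USER, KIOSK, "username/password", "touchscreen"),
    Flow(KIOSK, SERVER, "credentials to check", "wifi"),
    Flow(SERVER, DB, "lookup", "same machine"),
    Flow(DB, SERVER, "lookup result", "same machine"),
    Flow(SERVER, KIOSK, "response", "wifi"),
    Flow(KIOSK, USER, "error message", "touchscreen"),
    Flow(KIOSK, LOCK, "unlock for 5 seconds", "wifi"),
]

def boundary_flows():
    """Flows whose endpoints sit in different trust zones: analyze these first."""
    return [f for f in FLOWS if f.src.zone != f.dst.zone]

def worksheet():
    """One (target, STRIDE category) row per question the analysis must answer."""
    targets = [(e.name, e.kind) for e in ELEMENTS]
    targets += [(f"{f.src.name} -> {f.dst.name}: {f.data}", "flow") for f in FLOWS]
    return [(name, NAMES[c]) for name, kind in targets for c in CHART[kind]]

if __name__ == "__main__":
    print(*(f"{c:24} {t}" for t, c in worksheet()), sep="\n")
```

Running it prints the blank worksheet; filling in each row is the analysis itself.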