Comp427, Spring 2018, Homework 1

Rational Paranoia

The homework specifications, as well as the corresponding course slide decks, can be found on the Comp427 Piazza. This assignment is due Thursday, January 17 at 6 p.m.

You will do this homework by editing the README.md file. It's in MarkDown format and will be rendered to beautiful HTML when you visit your GitHub repo.

Student Information

Please also edit README.md and replace your instructor's name and NetID with your own:

Student name: Kyungchan Koh

Student NetID: kk49

Your NetID is typically your initials and a numeric digit. That's what we need here.

If you contacted us in advance and we approved a late submission, please cut-and-paste the text from that email here.

Problem 1

• Scenario: TSA
• Assumptions:
  • None
• Assets:
  • People
    • The safety of the people are the most important, whether it's airport personnel or passengers. Without the people actually using the airport, the TSA would have no purpose. Also, human lives are definitely the most important asset that needs to be protected by the TSA.
  • Public Property
    • The preservation of the airport facilities, buildings, and infrastructure, as well as the commercial airplanes, is vital. Without the airport and the airplanes, the TSA would not have any business there.
  • Personal Property
    • The properties of all passengers and personnel should be treated with care. Privacy should not be violated as much as possible. Loss or damange to personal property is something we want to avoid at all times.
  • Order
    • As the airport is usually a crowded place, we want to ensure that there is order at all times. We want to prevent any situations that might cause chaos.
  • Time
    • Many people use the airport daily. Many flights fly in and out daily. People are usually on a tight schedule, not looking to waste a lot of time to go through screenings. We also do not want a long line as that is more likely to cause chaos and impatience among people.
  • Privacy
    • Privacy of every individual is very important. We do not want people to feel violated in any way, physically and with respect to their belongings. We want to respect as much privacy as we can from each individual, avoiding unnecessary and/or excessive procedures that violate more privacy than we need to.
  • Sanitation / Health
    • Sanitary procedures should be enforced at all times. We do not want to spread illnesses and bacteria from one person to the other. We also do not want TSA officers to catch illnesses from local or foreign sources. We want all our officers to be healthy, as well as all the passengers and personnel.
  • Satisfaction
    • Although this asset is covered by some of the assets listed above, the satisfaction of people going through the screening process should be something the TSA should keep in mind. We want people to be safe and happy with the system that is set in place.
• Threats:
  • Bombs
    • Bombs are a huge threat to the airport and a bigger threat if found / activated during in-flight. The damage that can be caused by a bomb in the airport or in a plane will be devastating that could lead to the loss of lives or loss of property. The emotional trauma, along with the physical damages, are lasting consequences.
  • Theft
    • Passengers could lose their bags or belongings if someone were to choose to walk away with their item in line waiting for screening. Although not common or usual, someone could lose their belongings if they were to stay away from their belongings for too long during a screening.
  • Uncooperative / Not Sober People
    • Having people who won't cooperate with the rules will cause delays for other passengers, as well as cause chaos for the moments they're in line. If someone is being belligerant in line to other passengers, it would cause for customer satisfaction to decrease.
  • Government Shutdown
    • When the government shuts down, the TSA officers cannot be paid for doing their job. This causes the officers to not want to take their job seriously or to not want them to perform their duties. This, in turn, can affect the experience of people going through the screenings.
  • People who are not familiar with TSA proceedings
    • People who fly infrequently or are first-time flyers might not be familiar with the rules that are set, which can cause delays or them being searched in more detail.
• Countermeasures:
  • X-Ray scanner
    • We should utilize an X-Ray scanner for people's belongings to ensure that there is nothing within their luggage that are suspicious or could cause damage (such as bombs or sharp objects). All bags should be scanned in this manner. Although the cost of such a machine might be high, the time saved by not manually searching through each bag is a benefit that overweighs the cost of the machine.
  • Manual scan
    • All belongings that pose some suspicion should be manually scanned by an officer to ensure that all items that pass through the checkpoint are safe. However, manual search of belongings can take time and violate an aspect of privacy. Therefore, we should only search bags that are suspicious. The cost of this is the time and attention it requires, but benefits are the extra confirmation of the safety of contents.
  • Quick body screening
    • We should buy the necessary technology to search each person quickly, such as the millimeter scanner or metal detector that are used commonly in airports. The benefits are that many people will not have to be physically searched and get through the checkpoint faster. This allows them to get to their belongings soon, reducing the risk of lost or stolen belongings. It also preserves their privacy as much as possible and reduce delays in the screening process.
  • Reject all uncooperative / not sober people
    • This is a process that all people must go through. Therefore, if someone is uncooperative or not in the capacity to go through the checkpoint, they should be turned back so that other passengers and personnel can get through to their destinations as soon as possible. The cost of this is that there will be opposition from people that are turned away, but the benefits would include faster screening times, as well as higher satisfaction from others that are following all procedures.
  • Make rules simple and easy to remember
    • By the time people get to the checkpoints, we want them to be ready to go through. All the rules, such as liquids being out and having IDs ready, should be posted well before the checkpoint so that people can prepare for it for a speedy screening. Also, posting what is allowed and not allowed very clearly repeatedly will allow people to know ahead of time whether they should throw away certain things. There wouldn't necessarily be a cost to this other than having to post these signs, but the benefits would include better satisfaction, as well as quicker screening and order.

Problem 2

• Scenario: Documents
• Assumptions:
  • The documents are stored digitally on the cloud.
• Assets:
  • Documents
    • The documents are the biggest assets. We do not want them to be leaked, as they contain sensitive material that are confidential. In the wrong hands, they could be detrimental to people or organizations.
  • People working at the law firm
    • We want to ensure that everyone who is working at the law firm are safe. We do not want anyone to get hurt just so that attackers can gain access to these documents. The safety of the people is a top priority.
  • Reputation
    • The reputation of the law firm is important. One leak could cause entities to not trust us in their next business. We want to provide an image that is trustable and respectable to our clients and potential clients in the future.
• Threats:
  • Break-in
    • Even though our documents will be stored digitally on the cloud, attackers may try to break into the law firm in order to gain access to the documents. They may attempt to steal the physical machines to get information about credentials or get access to the documents.
  • Cyberattack
    • We must be careful of attacks that are targeting the digital store of the documents. Potential attacks include denial-of-service attacks to disallow access even by authorized people or for a man-in-the-middle / eavesdropper attack to gain access to these documents. There could also just be an attempty to break into the digital store of the documents.
  • Lost Laptops / Phones
    • Employees who have access to these documents through their laptops or portable devices might lose their items, causing whoever to pick it up to potentially have easier access to the documents. Whether it is due to theft or simple misplacement of the items, the loss is still a potential threat.
• Countermeasures:
  • Alarms and security system for the office
    • The physical building and office should be secured with security alarms, cameras, and locks to ensure that if a break-in happens or is attempted, the local enforcement force is notified. Most buildings and offices come with security so the additional cost should not be too high, but the benefits of having a secure building include protection against break-ins or physical attempts to take the office hostage to gain access to the documents.
  • 2FA
    • Two factor authentication is a common standard in secure login and authentication systems and should be implemented. This ensures that if the wrong person obtains a device to access the documents, they would require a second device. The cost is increased obstacles to log in, but it gives the benefit of protection against lost or stolen devices. This also provides protection from attacks that involve attacking the log in system to obtain credentials to get into the system. Without a second device that has been registered, it would required another step to gain access.
  • Access to documents only through authorized devices
    • All access to documents from authorized personnel should occur on authorized devices so that if an unknown device tries to log in or access the documents, it's easy to reject them. Also, by only having a limited number of access points to the documents, it would make it easier to monitor who has been accessing the documents and what actions they have taken. The cost would be that employees must have an authorized device with them to access the documents, but the benefit is as stated before.
  • Remote Wiping Ability
    • All authorized devices should have software that allows for remote wipe. That way, if a device is lost or stolen, that device can be wiped clean so that no information is lost. The cost is that an additional software would be required on the laptops, but the benefits is the protection from lost or stolen devices. The cost would also include the cost of the lost device if it was actually lost or stolen, but at least the documents would be safe.
  • All authorized devices should be locked
    • Hopefully everyone just does this, but all authorized devices should be locally locked with a password of some sort. That way, if the laptop is left in the open or stolen, someone can't have immediate access to the information stored on the devices. The cost would be an added step in accessing information on the laptop by the employee (which should already have been included), but the benefit is an added step of security in case the wrong person finds the laptop.

Problem 3

• Scenario: You are the owner of a single brick-and-mortar expensive jewelry store.
• Assumptions:
  • Store is only open during normal business hours.
  • Store is located as a standalone store in a plaza, not as part of a giant mall.
• Assets:
  • The Jewelry
    • Obviously, as a jewelry store, there will be a lot of expensive gems and metals in the store. They are worth high-value. As the main profit, we do not want the jewelry to be lost or stolen (not even one).
  • Money
    • The physical cash that might be in the store, front and back, are assets we want to protect. They have as much value as the jewelry, as most of them probably came from selling the jewelry.
  • Employees
    • The employees' safety is also very important. They should not be hurt or injured while working and feel safe at all times.
  • Machinery
    • Handling jewelry requires lost of specific machinery that are expensive. Some of them include for cleaning or polishing or resizing. Since they are expensive and hard-to-replace, we do not want to break or lose any.
  • The physical store
    • The physical store is an asset. Without the actual store, we can't sell the jewelry. Therefore, any damages to the physical store can affect your business and well being.
• Threats:
  • Break-in
    • Many attackers will attempt to break into the store to steal the money and the jewelry. This could happen during, before, or after business hours, and this could lead to bodily injury of other people, including employees and customers.
  • Employees
    • Some thieves might attempt to pass off as a potential employee or an actual employee and wait until the timing is right to steal. As an insider, they are more likely to have the trust and capabilities to pull off a theft / heist.
  • Supplier
    • The supplier may try to give fake or inauthentic goods in exchange for the value of the actual goods. This could result in loss of profit, as well as dissatisfaction from customers, potentially losing respect and reputation.
  • Theft of incoming shipment
    • When incoming shipment comes in, someone might try to steal a box while it has not been unpacked or counted for. This would be different from other thefts, as this would most likely happen in the back of the store instead of the front of the store where the jewelry are on display.
  • Customers who "try on the jewelry" and run off
    • Certain thieves might post as customers who are interested in the merchandise and pretend to try different ones on. Then, they might just rush out of the store with the jewelry that are out of the cases.
  • Crowdedness
    • When the store is crowded, it is hard to keep track of who is doing what, causing a distraction for potential thieves who are trying to steal the jewels.
• Countermeasures:
  • Increased security cameras and alarms
    • The store should be equipped with top-of-the-art security systems so that when a break in is attempted, local enforcement, as well as myself, are notified of the attempt. It should also work to scare off the people breaking in. The cost would be the monetary value to install the equipment, but the benefits include protection against thieves.
  • Metal fencing near glass doors or windows
    • When not open for business, there should be a metal fence or gating that comes behind the glass windows and doors to ensure that if someone tries to break in by breaking the glass, they cannot get through the metal. Again, the cost would be the fees associated with installing the metal bars, but the benefit is protection against theft when no one is in the store.
  • Thorough background checks of employees
    • All employees should go through a thorough background check to ensure that all employees do not have malicious intents to steal the jewelry. Also, they should be put on a training period right after with someone looking over them at the start to ensure that they do not behave in a strange manner. The cost would include extra steps in acquiring new personnel, but the benefit includes being able to trust the employees to keep the store safe and running.
  • Through check of incoming shipment
    • All incoming shipments should be stored in a secure place and checked for authenticity before the supplier leaves. That way, all jewels are shown to be authentic, as well as having them in a secure location that people cannot steal from. Then, the unpacking can happen slowly and thoroughly to ensure that the jewels are not damaged. The added cost would be having to delay the supplier for a little to ensure that the jewels are legit, but the benefit would be knowing that all the jewels have arrived and are real.
  • Limited number of customers in the store
    • There should be a limit on the number of customers in the store itself. The ratio should be around one-to-one employee to customer to ensure that all customers can immediate attention, as well as monitoring by the employee. This way, they cannot attempt to run off all of a sudden. The cost would be limited business, but the benefit would be increased monitoring of customers and no crowdedness within the store.
  • Physical Security Guards by the door
    • There should be one or two security guards by the door to ensure that only a certain number of people are in the store at all times, as well as ensure that no customer leaves without paying whatever is owed. The cost would be hiring these people, but the benefit would be added security and order.