This homework will allow you to demonstrate the generation of misuse/abuse cases for ATM system that allows a user to enter swipe their card and enter a pin. Then they can check balances, withdraw funds, deposit and transfer funds.
Image Reference: http://www.math-cs.gordon.edu/courses/cs211/ATMExample/UseCases.html
In addition, you will investigate the use/misuse of PII data. As mentioned in the NIST SP800-122 document, PII data can be used to distinguish an individual is to identify an individual. Some examples of information that could identify an individual include, but are not limited to, name, passport number, social security number, or biometric data.
Assignment Details
Your assignment includes two parts: ATM abuse/misuse case and PII research.
ATM abuse/misuse case:
This week several documents were provided that described the requirements elicitation and gathering process. Several techniques were listed for gathering security requirements including misuse/abuse cases, general processes, attack patterns and architectural risk analysis. For this assignment we focus on misuse/abuse cases.
Although, you can use UML diagrams to document use case and misuse diagrams, for this effort, we will use text demonstrating the flow of the misuse case. Using the flow as described above and the information provided in this week’s reading on misuse cases, describe possible misuse cases for a typical ATM application.
You should include a description of possible mitigations for threats and attacks.
PII research:
Based on your readings from this week, find several examples either online in your daily lives (forms you have to complete) where possibly more information is gathered and stored on you than is needed. Describe PII data and provide specific examples and list the PII data that is gathered. Discuss why this is an issue and possible ways you can mitigate these issues. If you worked for the vendor, how could you mitigate these issues? For example, sometimes a vendor may have the option to not store your credit card or your personal information. Show screen shots of the vendors who are collecting this data where possible.
