LearnSphere is an online learning platform used by universities and training institutions to deliver virtual classes, quizzes, and certifications. Students sign in with their email and password to access course materials, participate in forums, take quizzes, and download certificates upon completion.

Key features include:
- User registration and authentication via a custom login system (not federated).
- A quiz engine that tracks student scores and triggers automated certificate generation.
- An instructor dashboard for uploading content and viewing student performance.
- Certificates generated as PDFs containing the user's name and course title, with a QR code that links to a public certificate validation page.

The system is hosted on a cloud platform and communicates via a REST API.

Recently, a student discovered that:
- The certificate validation page exposes a sequential certificate ID in the URL. By incrementing the ID, anyone can access the PDFs of other users' certificates.
- By modifying API requests, a user can submit fake quiz results without taking the quiz, triggering certificate generation.
- The system lacks logging for certificate downloads or quiz submission sources.

Task: Using the STRIDE threat modeling methodology, answer the following:

A. Threat Enumeration (20 points): Enumerate one specific threat present in this scenario. Your answer should adhere to the structured format for threat statements introduced during class discussions and exercises.

B. STRIDE Classification (10 points): Identify the STRIDE threat class that best corresponds to the threat you described in (A). Briefly justify your answer (maximum length: one paragraph).

Rubric

Task A: Threat Enumeration (20 points)

Structured Format (10 points)
Excellent (20 points): The threat statement perfectly adheres to the required structured format.
Good (15-19 points): The threat statement largely adheres to the structured format, with minor omissions or slight deviations that do not impede clarity.
Developing (10-14 points): The threat statement attempts a structured format but has significant deviations or missing components, which impact clarity.
Needs Improvement (0-9 points): The threat statement does not use the structured format, or the attempt is so poor that it renders the statement incomprehensible as a structured threat.

Specificity and Accuracy of Threat (10 points)
Excellent (20 points): The enumerated threat is specific, directly derived from the scenario, and accurately describes a distinct security concern.
Good (15-19 points): The enumerated threat is specific and generally accurate, but may lack a minor detail or have a slight misinterpretation of the scenario.
Developing (10-14 points): The enumerated threat is too broad, partially inaccurate, or only vaguely related to the scenario.
Needs Improvement (0-9 points): The enumerated threat is incorrect, irrelevant, or absent.

Task B: STRIDE Classification & Justification (10 points)

Correct STRIDE Classification (5 points)
Excellent (10 points): Accurately identifies the primary STRIDE threat class that best fits the enumerated threat from Task A.
Good (7-9 points): Identifies a plausible STRIDE threat class, but it might not be the absolute best fit, or a minor nuance is missed.
Developing (4-6 points): Identifies an incorrect STRIDE threat class, but shows some understanding of STRIDE concepts.
Needs Improvement (0-3 points): Identifies a completely incorrect STRIDE threat class, or no classification is provided.

Clear and Concise Justification (5 points)
Excellent (10 points): Provides a clear, logical, and concise justification (within one paragraph) that directly explains why the chosen STRIDE class applies to the specific threat identified in Task A, referencing elements from the scenario. Justification is within length limits.
Good (7-9 points): Provides a generally clear justification (within one paragraph) that explains the classification, though it might be slightly less precise or comprehensive. Justification is within length limits, or slightly over (no penalty if over by at most 1-2 sentences).
Developing (4-6 points): The justification is weak, contains irrelevant information, or does not connect the STRIDE class to the specific threat. It may significantly exceed the length limit. (If length is the only issue, a maximum deduction of 2 points is applied here.)
Needs Improvement (0-3 points): The justification is absent, incoherent, contradicts the classification, or shows a fundamental misunderstanding of the STRIDE model as applied to the scenario. If the justification exceeds the length limit significantly and the content is also poor, the score is substantially affected.
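The three findings in the scenario (guessable sequential certificate IDs served without an ownership check, client-supplied quiz scores, and no audit logging) map onto a few concrete handler decisions. The following is an added illustration, not code from LearnSphere or from the exercise: an in-memory model of the quiz-submission, certificate-download and public-validation endpoints, with the weak behaviour the scenario describes beside a hardened version. The answer key, course name, user names, IP addresses and the `Store` shape are all constructed assumptions.

```python
"""Added example (not part of the original exercise or the LearnSphere platform):
a minimal in-memory model of the certificate and quiz endpoints, showing the
behaviour described in the scenario beside a hardened version. All names, data
and request shapes are assumptions made for illustration."""
import secrets
from dataclasses import dataclass, field

ANSWER_KEY = {"q1": "b", "q2": "d", "q3": "a"}   # constructed answer key
PASS_MARK = 2                                    # constructed pass threshold
COURSE = "Intro to Security"                     # constructed course title


@dataclass
class Store:
    """Stand-in for the platform's database: cert_id -> (owner, course)."""
    certificates: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    next_seq: int = 1


# ---- behaviour the scenario describes (kept deliberately weak) ---------------
def vuln_submit_quiz(store, user, claimed_score):
    """Trusts the score in the request body, so a client can claim a pass."""
    if claimed_score < PASS_MARK:
        return None
    cert_id = str(store.next_seq)            # sequential, guessable certificate ID
    store.next_seq += 1
    store.certificates[cert_id] = (user, COURSE)
    return cert_id


def vuln_get_certificate_pdf(store, requester, cert_id):
    """No ownership check and no logging: any existing ID is served to anyone."""
    return store.certificates.get(cert_id)   # the tuple stands in for PDF bytes


# ---- hardened version --------------------------------------------------------
def score_answers(answers):
    """Server-side scoring: the client submits answers, never a score."""
    return sum(1 for q, correct in ANSWER_KEY.items() if answers.get(q) == correct)


def safe_submit_quiz(store, user, answers, source_ip):
    """Scores on the server, logs the submission source, issues a random ID."""
    score = score_answers(answers)
    store.audit_log.append(("quiz_submit", user, source_ip, score))
    if score < PASS_MARK:
        return None
    cert_id = secrets.token_urlsafe(16)      # unguessable, non-sequential
    store.certificates[cert_id] = (user, COURSE)
    return cert_id


def safe_get_certificate_pdf(store, requester, cert_id, source_ip):
    """Serves the PDF only to its owner and records every attempt, allowed or not."""
    record = store.certificates.get(cert_id)
    allowed = record is not None and record[0] == requester
    store.audit_log.append(("cert_download", requester, source_ip, cert_id, allowed))
    return record if allowed else None


def safe_validate_certificate(store, cert_id):
    """Public validation page (the QR target): confirms validity, exposes no PDF."""
    record = store.certificates.get(cert_id)
    if record is None:
        return {"valid": False}
    return {"valid": True, "course": record[1]}


def demo():
    """Runs both versions on constructed input and reports what each allowed."""
    weak, strong = Store(), Store()
    alice_cert = vuln_submit_quiz(weak, "alice", 3)
    vuln_submit_quiz(weak, "bob", 3)                 # bob answered nothing
    leaked = vuln_get_certificate_pdf(weak, "bob", alice_cert)

    good_answers = {"q1": "b", "q2": "d", "q3": "a"}
    alice_cert2 = safe_submit_quiz(strong, "alice", good_answers, "203.0.113.10")
    bob_cert2 = safe_submit_quiz(strong, "bob", {}, "203.0.113.11")
    blocked = safe_get_certificate_pdf(strong, "bob", alice_cert2, "203.0.113.11")
    return {
        "vulnerable_served_other_users_pdf": leaked is not None,
        "hardened_issued_cert_without_answers": bob_cert2 is not None,
        "hardened_served_other_users_pdf": blocked is not None,
        "hardened_audit_entries": len(strong.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each hardened handler corresponds to one finding: the random token removes the enumerable ID, the ownership check and the validity-only public page close the path to other users' PDFs, server-side scoring removes the trust in a client-supplied result, and the audit log gives the operator the download and submission-source records the scenario says are missing.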