SARCIA TOBY IT024 Student Portfolio

TECHNOLOGICAL INSTITUTE OF THE PHILIPPINES

Quezon City

INFORMATION TECHNOLOGY DEPARTMENT

STUDENT PORTFOLIO
(IT024 – CYBER THREAT MODELING)
1st Semester / SY-2022-2023

TOBY BRUCE L. SARCIA


TABLE OF CONTENTS

I. SUMMARY RESULTS OF STUDENT ASSESSMENT


II. ASSESSMENT TASKS
1. Laboratory Activities(Assignment)
1.1 Preliminary
1.1.1 Laboratory Activity 1 – Cyber Security Online Simulation
1.1.2 Laboratory Activity 2 – Cyber Threat Modeling (Part 1)

1.2 Midterm
1.2.1 Laboratory Activity 1 – Cyber Threat Modeling (Part 2)
1.2.2 Laboratory Activity 2 – Cyber Threat Modeling (Part 3)

1.3 Final
1.3.1 Laboratory Activity 1 – Cyber Threat Modeling (Parts 4 and 5)
1.3.2 Laboratory Activity 2 – Final Project Presentation and Evaluation

2. Locally Developed Examination


2.1 Preliminary
2.1.1 Written Examination

2.2 Midterm
2.2.1 Written Examination

2.3 Final
2.3.1 Written Examination

3. Quizzes
3.1 Preliminary
3.1.1 Quiz 1 – Threat Modeling Overview
3.1.2 Quiz 2 – Approach to Threat Modeling

3.2 Midterm
3.2.1 Quiz 1 – Threat Modeling Frameworks and Methodologies
3.2.2 Quiz 2 – Threat Modeling and Risk Management
3.3 Final
3.3.1 Quiz 1 – PASTA Threat Modeling
3.3.2 Quiz 2 – Cyber Threat Modeling Contribution

4. Discussions
4.1 Preliminary
4.1.1 Discussion 1 – Cyber Security Threat Worksheet
4.1.2 Discussion 2 – Approaches to Threat Modeling
4.1.3 Discussion 3 – Final Project Proposal

4.2 Midterm
4.2.1 Discussion 1 – STRIDE and DREAD Methodology
4.2.2 Discussion 2 – Threat Modeling and Risk Management
4.3 Final
4.3.1 Discussion 1 – Penetration Testing Plan
4.3.2 Discussion 2 - Final Project Members’ Contribution

5. Reflection Paper
5.1 Preliminary

5.2 Midterm

5.3 Final

6. Final Project
6.1 Group: Create an Enterprise-wide Cyber Threat Modeling Proposal
I. SUMMARY RESULTS OF STUDENT ASSESSMENT
IT 024 – CYBER THREAT MODELING
TOBY BRUCE L. SARCIA

The following Assessment Tasks support the attainment of the following Student Outcomes
(SOs):

(SO) 2: an ability to design, implement, and evaluate a computing-based solution to meet a
given set of computing requirements in the context of the program’s discipline;

(SO) 6: an ability to identify and analyze user needs and to take them into account in the
selection, creation, integration, evaluation, and administration of computing-based systems.

Prelim Period
Prelim Grade = 50% Class Standing + 50% Prelim Exam (Major Exam)
Class Standing:
Laboratory Activities/Assignment = 20 %
Quizzes/Case Study = 60 %
Discussion = 20 %
TOTAL = 100 %

Midterm Period
Midterm Grade = 33% Prelim Grade + 67% Tentative Midterm Grade
Tentative Midterm Grade = 50% Class Standing + 50% Midterm Exam (Major Exam)
Class Standing:
Laboratory Activities/Assignment = 20 %
Quizzes/Case Study = 60 %
Discussion = 20 %
TOTAL = 100 %

Final Period
Final Grade = 33% Midterm Grade + 67% Tentative Final Grade
Tentative Final Grade = 50% Class Standing + 50% Final Exam (Final Project)
Class Standing:
Laboratory Activities/Assignment = 20 %
Quizzes/Case Study = 60 %
Discussion = 20 %
TOTAL = 100 %

Prelim Period
Class Standing Average
Laboratory Activities/ Assignments 100
Quizzes 97.77
Discussion 100
Class Standing Grade 98.67
Major Exam 98
Prelim Grade: 98.34

Midterm Period
Class Standing Average
Laboratory Activities/ Assignments 100
Quizzes 90
Discussion 100
Class Standing Grade 94
Major Exam 100
Tentative Midterm Grade: 97.45
Midterm Grade: 97.45

Final Period
Class Standing Average
Laboratory Activities/ Assignments 100
Quizzes 98.75
Discussion 100
Class Standing Grade 99.25
Major Exam (Final Project) 98
Tentative Final Grade: 98
Final Grade: 98

The student’s overall performance in the course (98.00) is above the acceptable level of
attainment of 60%, which is a clear indication that the student attained the specified SOs
for the course.

Details of Student’s Assessment Tasks:

PRELIM
Laboratory Activities   Description   Score   Rating
Laboratory Activity 1 Cyber Security Online Simulation 20/20 100
Laboratory Activity 2 Cyber Threat Modeling (Part 1) 24/24 100
AVERAGE: 100
MIDTERM
Laboratory Activity 1 Cyber Threat Modeling (Part 2) 24/24 100
Laboratory Activity 2 Cyber Threat Modeling (Part 3) 20/20 100
AVERAGE: 100
FINAL
Laboratory Activity 1 Cyber Threat Modeling (Parts 4 and 5) 50/50 100
Laboratory Activity 2 Final Project Presentation and Evaluation 30/30 100
AVERAGE: 100
Laboratory Activity Grade: 100

PRELIM
Locally Developed Exams / Major Exams   Description   Score   Rating
Written Exam Prelim Exam (Lecture) 48/50 96
AVERAGE: 96
MIDTERM
Written Exam Midterm Exam (Lecture) 46/50 92
AVERAGE: 92
FINAL
Description Score Rating
Written Exam Final Exam (Lecture) 47/50 94
AVERAGE: 94
Major Exam Grade: 94

PRELIM
Quizzes Description Score Rating
Quiz 1 Threat Modeling Overview 0/15 0
Quiz 2 Approach to Threat Modeling 0/20 0
AVERAGE: 0
MIDTERM
Quiz 1 Threat Modeling Frameworks and Methodologies 0/15 0
Quiz 2 Threat Modeling and Risk Management 14/15 93
AVERAGE: 46
FINAL
Quiz 1 PASTA Threat Modeling 14/15 93
Quiz 2 Cyber Threat Modeling Contribution /20
AVERAGE: 46
Quiz Grade:
PRELIM
Discussion Description Score Rating
Discussion 1 Cyber Security Threat Worksheet 20/20 100
Discussion 2 Approaches to Threat Modeling 0/20 0
Discussion 3 Final Project Proposal 20/20 100
AVERAGE: 100
MIDTERM
Discussion 1 STRIDE and DREAD Methodology 0/20 0
Discussion 2 Threat Modeling and Risk Management 0/20 0
AVERAGE: 0
FINAL
Discussion 1 Penetration Testing Plan 0/20 0
Discussion 2 Final Project Members’ Contribution 20/20 100
AVERAGE: 50
Discussion Grade: 50

Course Reflective Journal


Reflection Paper   Description   Score   Rating
Prelim Course Reflection Paper   Prelim Course Reflection Paper   0/20   0
Midterm Course Reflection Paper   Midterm Course Reflection Paper   0/20   0
Final Course Reflection Paper   Final Course Reflection Paper   20/20   100
Reflective Journal Grade: 33

Final Project
Final Project Description Score Rating
Final Project OWASP Juice Shop - SQL injection attack & Brute force attack 20/20 100
Final Project Presentation 20/20 100
Final Project Question and Answer 20/20 100
Final Project Grade: 100
II. ASSESSMENT TASKS
LABORATORY ACTIVITIES
PRELIM PERIOD
Laboratory Activities/ Assignments
MIDTERM PERIOD
Technological Institute of the Philippines
College of Information Technology Education

Assignment 1.1 Cyber Security Online Simulation

Score

Name:

SARCIA, TOBY BRUCE L.

IT41S1

Engr. Junnel Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 1.1 Cyber Security Online Simulation


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
• In this Laboratory Activity, you’ll defend a company that is the target of increasingly sophisticated
cyber attacks. Your task is to strengthen your cyber defenses and thwart the attackers by completing a
series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers.

2. Discussion:
About the Cybersecurity Lab
Whenever we go online—to shop, chat with our friends, or do anything else—we put ourselves at risk of
cybercrime. Computer viruses can corrupt our files, hackers can steal our data, and criminals can trick us
into revealing sensitive information. But luckily there are simple steps we can take to protect our digital
lives.

NOVA has teamed up with cybersecurity experts to create the Cybersecurity Lab, a game in which players
will discover how they can keep their digital lives safe and develop an understanding of cyber threats and
defenses. Players will advance by using computer coding, logical reasoning, critical thinking, and
vulnerability detection to solve various problems. These are the same skills employed regularly by
cybersecurity professionals. However, players won’t need any prior cybersecurity or coding expertise to
succeed.
Context

In the game, players work for a start-up social network company that is the target of increasingly
sophisticated cyber attacks. Working alongside their friend and colleague—a brilliant, business-savvy
entrepreneur—their goal is to grow their tiny company into a global empire. To do this, players must
complete challenges to strengthen their cyber defenses and thwart their attackers. There are four major
gameplay components: a coding challenge, a password challenge, a social engineering challenge, and a
series of cyber battles.

Coding Challenge

This challenge is an introduction to basic computer programming. Computer code is usually written in text,
but in this challenge we’re using Blockly, a visual computer programming editor created by Google that
uses drag-and-drop blocks that can be stacked together to create a computer program. Players will
program a robot to navigate a maze using Blockly drag-and-drop commands.

Players will program a robot to navigate a maze using drag-and-drop commands.

From the Cybersecurity Lab

Password-Cracking Challenge
A Password is the most common way people prove their identities online, so using a strong password is
essential for keeping digital information safe. In this challenge, players face a series of “password duels”
that teach the basics of how attackers might try to crack their passwords and how they can create
passwords that are more secure.
Social Engineering Challenge
Scammers try to trick people into handing over sensitive information and downloading computer viruses
from emails. In this challenge, players will learn to spot scam emails, websites and phone calls. They will
complete the challenge armed with practical tips that will help them avoid becoming victims of social
engineering scams.
Network Cyber Battles
By completing the challenges, players will earn resources to buy cyber defenses to protect their companies
against a series of cyber attacks that reflect the types of attack that real companies and institutions often
fall victim to. Players will learn about a range of cyber attacks and how to effectively defend institutions from
them.

An in-game cyber attack

From the Cybersecurity Lab

Videos and Cyber Stories

The Lab also features stories of real-world cyber attacks, a glossary of cyber terms, short animated videos,
and video quizzes. The videos explain the need for cybersecurity; privacy versus security; cryptography
(cyber codes); and what exactly hackers are.

Future Cyber Defenders

There is a broad range of jobs in the field of cybersecurity and a severe shortage of people with the
specialized skills required to do them. As our lives become ever more intertwined with the Internet, the
opportunities in this field will expand further. NOVA’s Cybersecurity Lab is a starting point to inspire a new
generation of cyber defenders.

3. Requirements
Click the link to perform the activity: https://www.pbs.org/wgbh/nova/labs/lab/cyber/
Note: you may register or play as a guest.
3.1 Briefly discuss the process of how you perform this activity and provide snapshots as proof of your
installation.
The website worked fantastically. There were no installations needed; I just went in and started right
ahead using the browser. The first thing I did was log in using my institute’s Gmail account. Then I
picked my avatar and the spoof company of my choice. I tried the different challenges available to
accumulate points in order to upgrade my defenses against cyber attacks.

3.2 Share the video recording link of your work here


https://www.youtube.com/watch?v=UwJaY2d7Hgs

4. Synthesis
I had a lot of fun doing this activity. I have to say that the people who made the website did an
excellent job in creating the Cyber Lab. It was very intuitive and interesting. It gave me an introductory
explanation of what I would expect CEOs of companies to have to do in case of cyber attacks. In the
game, I was in charge of making sure that our cyber security was up to par with potential cyber threats. I did
different challenges in order to accumulate points; these points are needed to purchase the different
tools and software needed to make the company more secure. With the points that I gathered, I
encrypted our users’ information, created a backup, and trained our employees not to become victims of
phishing emails. For the challenges, I did three of them. The first one is the coding challenge, where I had
to put together different blocks that have different functions. The goal is for the character in the program to
reach the star. The second one was the password cracking challenge. In this challenge I had to create
a password that should not be obvious and at the same time do this exchange against the AI that
challenged me to crack its password. The last one is the Social Engineering challenge, where I had to
distinguish which of the two emails is the phishing one and which one is the legitimate one. I also
had to listen to a voice recording where I pointed out 5 things from the transcript that give away why the
call is a type of phishing. This assignment was amazing and full of things that are highly relatable to what
the course is all about. I am looking forward to more activities or assignments like this.

Honor pledge:
"I affirm that I have not given or received any unauthorized help on this assignment, and that this work is
my own"

6. Reference:
https://www.pbs.org/wgbh/nova/labs/lab/cyber/
Technological Institute of the Philippines
College of Information Technology Education

Assignment 2.1 Cyber Threat Modeling (Part 1)

Score

Group No.: 6

Name:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

IT41S1

Eng. Junnel E. Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 2.1 Cyber Threat Modeling (Part 1)


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
● Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from
other design and engineering efforts.
● Students can identify the goals and summarize the overall process of threat modeling.
● Given a description of a system, students can predict and prioritize some potential threats and the human
impacts of those threats.
2. Discussion:
Threat Modeling

Vulnerability: a software defect with security consequences
Threat: a potential danger to the software
Attack: an attempt to damage or gain access to the system
Exploit: a successful attack
Trust Boundary: where the level of trust changes for data or code
3.1 Briefly discuss the following:
3.1.1 Company Name/System: Cinq Cheesecake Shop
Cinq Cheesecake Shop will offer a unique product that will differentiate it in the industry. The
Cinq Cheesecake Shop application is a mobile application developed for the shop’s existing website.
The application will support functions such as viewing products in the different dessert categories, adding
products to a cart, tracking costs, and checkout and payment for the products purchased.
3.1.2. Version: 1.0
3.1.3. Document Owner: Crescent Cyber Group
3.1.4. Description of the company
The Crescent Cyber Group is the company responsible for preventing the attacks that may
occur and cause problems in the system. Since the Cinq Cheesecake Shop is a business that receives
orders from customers, there are a lot of transactions happening between the shop and its customers,
and the shop needs to protect the customer information entered into the application.
3.1.5. Participants: <members of the group/role ex. Pen tester >

MEMBERS   ROLE
Acosta, James Ryan   Pen tester
Carampot, Elijah   Pen tester
Cledera, Anne Maureen   Pen tester
Estoque, Ghar Benedict   Pen tester
Pacis, Uriel Jeremiah   Pen tester
Perez, James Markely   Pen tester
Rosales, Alanis Trixie   Pen tester
Sarcia, Toby Bruce   Pen tester

3.1.6. Reviewers: <CISO, CSO, CIRT, etc.>
- CISO (Chief Information Security Officer)
3.1.7. External Dependencies
- Server type will be applied.
- XAMPP Database in the package.
- Web Server and Library Server should be secured.
- Backend server storage will be from the XAMPP Database.

4. Group Observation
We, the whole group, should have personal accountability as aspiring cybersecurity IT specialists
to provide our clients with effective, secure and safe systems that resist any threats or issues that could
possibly harm the client’s server or a specific organization, whether in terms of reputation,
material loss or in other ways. We should ensure that networks are protected against external threats, including
hackers or crackers looking to gain unauthorized access. To separate cybersecurity from other
engineering and design projects, we must identify some of the difficulties associated with it, be able to
establish the objectives, and explain the full procedure of threat modelling, or cybersecurity as well.

5. Individual Synthesis
ACOSTA, JAMES RYAN
The fact that cybersecurity focuses primarily on the software side of a company, in my opinion, is
the key distinction between it and other design and engineering endeavors. Without a cyber security plan,
your company won't be able to protect itself from online threats, leaving it open to attack from nefarious
parties who will view it as an easy target. Over time, as technology advanced, the inherent and lingering
risks grew worse. Businesses today operate with more pragmatic methods. To store their important data,
for instance, many companies use cloud services like Amazon Web Services. This is another method of
storing data in the cloud. Although useful, using these cloud services by businesses rarely results in
adequate data protection.

CARAMPOT, ELIJAH
According to our activity above, we, the programmers and developers, can define the specific goal
and describe the threat modeling approach, and it also emphasizes the challenges that set cybersecurity
apart from the other design and engineering initiatives. Threat modeling seeks to give attackers a concise
summary of the existing precautions or protections as well.
CLEDERA, ANNA MAUREEN
In this work, our group combined the professor's recommended proposal with the firm description.
This activity will essentially lay out what we are suggesting for the concerned website and what we can do
to enhance its cyber security. Since the business completes several transactions each day, we want to
make sure that we safeguard critical client data against potential dangers.
ESTOQUE, GHAR BENEDICT
In doing this activity, we provided two proposals for our project and our professor chose the specific
proposal, the Cinq Cheesecake Shop. Since our shop is an e-commerce shop and it has transactions, we
need to discuss here what will be done for this application or website to protect from frauds and
vulnerabilities. So, the threat modelling encourages a better knowledge of software and hardware systems,
especially from a risk standpoint. It also provides better threat prioritization, influencing everything from
purchasing choices to mitigation activities and it contributes to the validation and testing of current security
controls and systems.

MERCADO, EUNARD
This activity will assist us in better understanding of cyber security, such as the need for encryption.
Threat modeling is a technique used in this work to improve the security of an application, system, or
business process by identifying goals and vulnerabilities and developing defenses to prevent or mitigate the
effects of attacks.

PACIS, URIEL JEREMIAH


In my opinion, the main difference cybersecurity makes from other design and engineering efforts
is that it mainly focuses on the software side of a business. Without a cyber security plan, your company
will be unable to protect itself from online risks, leaving it open to attack from malevolent parties who will
see it as an easy target. The inherent and residual dangers have steadily increased over time as
technology has advanced. Businesses now use more practical methods to conduct their operations. For
instance, data can be stored in the cloud, or, more specifically, many companies use cloud services like
Amazon Web Services to store their important data. Despite being practical, companies seldom sufficiently
protect their data while using these cloud services. Coupled with an increase in attacker sophistication, this
has increased the danger that your company may fall victim to a successful cyber-attack or data breach.

PEREZ, JAMES MARKELY


In this activity our group wrote down the proposal chosen by our professor, and we also included the
company description. This activity will basically explain what we are offering for the website that we have
proposed and what we can do for their cyber security. Since the business is producing a lot of transactions
per day, we plan to make sure that we keep sensitive customer information safe and secure from different
threats.
ROSALES, ALANIS TRIXIE
We submitted two suggestions for our project as part of this activity, and the Cinq Cheesecake
Shop was the one that was selected by our professor. We need to talk about how to safeguard this
application or website from frauds and vulnerabilities as our store is an e-commerce store and it processes
transactions. In order to better understand software and hardware systems, especially in terms of risk,
threat modelling is encouraged. Additionally, it improves threat prioritization, which has an impact on
everything from purchase decisions to mitigation efforts, and it helps validate and test current security
controls and systems.

SARCIA, TOBY BRUCE


As I would see it, the fundamental distinction network protection puts forth from other plan and
designing attempts is that it chiefly centers around the product side of the business. Without a network
safety plan, your organization will not be able to safeguard itself from online threats, leaving it open to
attack from vindictive gatherings who will consider it to be an obvious target. The innate and leftover perils have
consistently expanded over long periods of time and have progressed. Organizations now utilize
more down-to-earth strategies to direct their activities. For example, information can be put away in the
cloud, or, all the more explicitly, many organizations use cloud administrations like Amazon Web Services
(AWS) to store their significant information. In spite of being functional, organizations sometimes
adequately safeguard their information while utilizing these cloud administrations. Combined with an
expansion of aggressor complexity, this has expanded the demise that your organization might succumb to an
effective digital assault or leakage of information.
6. Reference:
Honor pledge with signature

“We affirm that we have not given or received any unauthorized help on this assignment and that this work
is our own.”

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


Technological Institute of the Philippines
College of Information Technology Education

Assignment 3.1 Cyber Threat Modeling (Part 2)

Score

Group No.: 6

Name:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

IT41S1

Eng. Junnel E. Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 3.1 Cyber Threat Modeling (Part 2)


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
● Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it
from other design and engineering efforts.
● Students can identify the goals and summarize the overall process of threat modeling.
● Given a description of a system, students can predict and prioritize some potential threats and the
human impacts of those threats.
● Distinguish the Use Scenario, Roles, and Assets in Cyber Threat Modeling
2. Discussion:
Background for all scenarios
Before the main threat model meeting, we collected the following background information. This information
applies to all the usage scenarios we identified for the sample architecture:
● Boundaries and scope of the architecture
● Boundaries between trusted and untrusted components
● Configuration and administration model for each component
● Assumptions about other components and applications
Use Scenarios Examples (online library system)
• Students can search the database(s)
• Students can put holds on some items for checkout
• Staff can search the database(s)
• Staff can place some items on reserve for up to 15 weeks
• Librarians can do anything students or staff can do
• Librarians can place items on an invisible list
• Librarians can access limited account information

Roles (deviation from OWASP) Examples (online library system)
• Anonymous user – connected, but not yet authenticated
• Invalid user – attempted to authenticate and failed
• Student – authenticated student
• Staff – authenticated staff
• Librarian – authenticated librarian
• Site admin – authenticated site administrator with configuration privileges
• DB admin – authenticated database administrator with full privileges
• Web server user – user/process id of web server
• Database read user – dbuser for accessing the database with read-only access
• Database write user – dbuser for accessing the database with read-write access

Assets Examples (online library system)
• Library users and librarian
• User credentials
• Librarian credentials
• User personal information
• Website system
• DB system
• Availability of the web server
• Availability of the DB server
• User code execution on web site
• User DB read access
• Librarian/Admin code execution on the web site
• Librarian/Admin DB read/write access
• Ability to create users
• Ability to audit system events
3.1 Briefly discuss the following:
3.1.1 Use Scenario
● Customer

● Staff

● Admin

● Shop owner

3.1.2. Roles (deviation from OWASP)


● Customer can make orders through online

● Staff can access limited information within the database

● Admin can access database

● Shop owner can assign task to admin and staff

● Shop owner can access database and

3.1.3. Assets
● E-commerce Customers and Admin

● Website system

● Database system

● User Personal Information

● Availability of the web server

4. Group Observation
Within cyber threat modeling for this homework, we specified the circumstances, functions, and capabilities
for our selected business. Risk evaluation aims to provide defenders a comprehensive overview of the
necessary controls or safeguards. We also covered some of the difficulties that set cybersecurity apart from
other design and engineering projects, outlined the objectives, and gave an overview of the threat modeling
process.
5. Individual Synthesis
ACOSTA, JAMES RYAN
In this activity, we provided feedback and made a distinction between Cyber Threat Modeling Scenarios,
Roles, and Assets for this task. Prior to the main threat model conference, we obtained the following
background data, which is relevant to all of the usage scenarios for the sample structure we found. We
must first identify the users and administrators of our system before deciding whether threat modeling and
cyber security is acceptable for us.

CARAMPOT, ELIJAH
In order to complete this assignment, we performed research on how to develop the best threat modeling
procedure for our project. In order to determine which threat modeling and cyber security is appropriate for
us, we must first identify the users and administrators of our system.

CLEDERA, ANNA MAUREEN


Upon performing this activity, we first identified the customers or the users and the administrators that will
use our system. After doing that, we are able to identify the cyber threat modeling scenarios, roles, as well
as the assets that are included in our system which will help us to understand who can access the specific
tasks in operating the application that will be given by the owner of the shop.

ESTOQUE, GHAR BENEDICT


For this activity, we have input and distinguished between Cyber Threat Modeling Scenarios,
Roles, and Assets for our final project. We gathered the following background material prior to the primary
threat model conference and this information pertains to all of the usage cases for the sample structure that
we discovered. Recent history has demonstrated how the key cyber security issues and malicious activity
are adapting their techniques to a changing global environment. To defend against current cyber threat
campaigns, the ability to respond quickly and correctly to continually developing attacks that can strike
anywhere inside an organization's IT infrastructure is required.

MERCADO, EUNARD
Knowing the security's strengths and weaknesses, according to what was done, will help it be
improved further, producing a consistent and reliable result. Cyber Threat Modeling was used in this activity
through the use of scenarios, roles, and assets. Understanding how the system works in real-world
situations boosts the chance that learning is worthwhile. This allows us to improve our skills.
PACIS, URIEL JEREMIAH
In my opinion, this assignment will be a great stepping stone of knowledge for our cybersecurity.
For this work, we differentiated between Cyber Threat Modeling Scenarios, Roles, and Assets and offered
comments. The following background information, which is pertinent to all of the usage scenarios for the
sample structure we discovered, was acquired prior to the main threat model meeting. Before evaluating if
threat modeling and cyber security are appropriate for us, we must first determine who the users and
administrators of our system are.

PEREZ, JAMES MARKELY

This task helped us identify security threats that we might encounter in our system. We also listed
here the possible access point of our customers that we need to secure for the safety of our information.
We also identified our assets and the roles that we have in our system which is vital in knowing how we can
secure the application. We also learned that it is not easy to implement security measures for an
application. You need to go through proper procedures to make sure that everything will go smoothly.

ROSALES, ALANIS TRIXIE


This exercise assisted us in identifying potential security risks to our system. We have also
included a list of potential consumer access points that we may need to protect in order to safeguard our
data. In order to know how to secure the application, we also recognized our assets and the responsibilities
that we have within our system. We also discovered that putting security precautions into place for an
application is difficult. To ensure that everything goes according to plan, you must follow the correct
processes.

SARCIA, TOBY BRUCE


As I would like to think, this task will be an extraordinary venturing stone of information for our
network safety. For this work, we separated between Scenarios about Cyber Threat Modeling, Jobs, and
Resources and offered remarks. The accompanying foundation data, which is relevant to all of the use
situations for the example structure we found, was obtained before the fundamental danger model
gathering. Prior to assessing whether danger displaying and digital protection are proper as far as
we're concerned, we should initially figure out who the clients and heads of our framework are.
Honor pledge with signature
“We affirm that we have not given or received any unauthorized help on this assignment and that this work
is our own.”

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


FINAL PERIOD
Technological Institute of the Philippines
College of Information Technology Education

Assignment 4.1 Cyber Threat Modeling (Part 3)

Score

Group No.: 6

Name:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

IT41S1

Eng. Junnel E. Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 2.1 Cyber Threat Modeling (Part 3)


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from
other design and engineering efforts.
Students can identify the goals and summarize the overall process of threat modeling.
Given a description of a system, students can predict and prioritize some potential threats and the human
impacts of those threats.
2. Discussion:
Activity Matrix (sample only)
The results are much the same as in the OWASP example, but easier to visualize

A = Create if valid name, id, pin provided


B = Only for their own profile information
C = Must be limited to specific files, tables. No access to web site files.
Trust Boundaries (sample only)
Login DFD

Threats (sample only)


• Anonymous user evades the authentication system
• Anonymous user gathers information from the authentication system
• Anonymous user can forcefully browse to pages
• Librarian has access to web site pages on the server
• Student or Staff can modify privilege level
• Student or Staff can forcefully browse to restricted pages
• Any user can tamper with critical data on the client
• Student/Staff/Anonymous can inject SQL into the database
• Student/Staff/Anonymous can inject JavaScript into an HTML page
• SSL version is vulnerable or allows vulnerable algorithms

3.1 Briefly discuss the following:


3.1.1 Activity Matrix (based on login and accessing Database only)

ASSET/ROLE            Anonymous    Registered   Staff        DB Admin/Manager
                      C  R  U  D   C  R  U  D   C  R  U  D   C  R  U  D

Customer              C  -  C  C   -  B  B  B   B  -  B  B   X  X  X  X
Staff                 C  -  C  C   -  B  B  B   A  A  A  A   X  X  X  X
Personal Information  C  -  C  C   B  B  B  B   B  B  B  B   X  X  X  X
DB System             C  -  C  C   C  C  C  C   B  B  B  B   X  X  X  X
Website System        C  -  C  C   B  B  B  B   B  B  B  B   X  X  X  X

A = Create if valid name, id, pin provided
B = Only for their own profile information
C = Must be limited to specific files, tables. No access to web site files.
X = Full access
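The matrix above can be encoded directly as a default-deny authorization check, which is how the "least privilege and fail securely" rule is normally enforced in code. The Python below is an added illustration written for this portfolio, not code from the Cinq application: the rule letters and the role/asset names come from the legend above, while the allow-list of tables used for rule C (products, orders, cart) and the is_owner / credentials_valid flags are assumptions about how the application would supply that context.

```python
from enum import Enum


class Op(Enum):
    """CRUD operations, in the column order used by the activity matrix."""
    CREATE = 0
    READ = 1
    UPDATE = 2
    DELETE = 3


ROLES = ("Anonymous", "Registered", "Staff", "DB Admin/Manager")

# One row per asset, copied from the activity matrix: four C R U D groups,
# one per role in ROLES order.
MATRIX = {
    "Customer":             "C-CC" "-BBB" "B-BB" "XXXX",
    "Staff":                "C-CC" "-BBB" "AAAA" "XXXX",
    "Personal Information": "C-CC" "BBBB" "BBBB" "XXXX",
    "DB System":            "C-CC" "CCCC" "BBBB" "XXXX",
    "Website System":       "C-CC" "BBBB" "BBBB" "XXXX",
}

# Assumed allow-list for rule "C": named tables only, never web site files.
LIMITED_RESOURCES = frozenset({"products", "orders", "cart"})


def cell(role: str, asset: str, op: Op) -> str:
    """Look up the rule letter for (role, asset, operation)."""
    return MATRIX[asset][ROLES.index(role) * 4 + op.value]


def authorize(role, asset, op, *, is_owner=False, credentials_valid=False, resource=None):
    """Return (allowed, reason). Anything not explicitly granted is denied,
    so an unknown role, asset or rule letter fails securely."""
    if role not in ROLES or asset not in MATRIX:
        return False, "unknown role or asset"
    rule = cell(role, asset, op)
    if rule == "X":
        return True, "full access"
    if rule == "-":
        return False, "no access in matrix"
    if rule == "A":   # only once a valid name, id and pin were provided
        if credentials_valid:
            return True, "valid name/id/pin supplied"
        return False, "credentials not validated"
    if rule == "B":   # only the caller's own profile information
        if is_owner:
            return True, "own profile"
        return False, "not the owner"
    if rule == "C":   # specific tables/files only, never web site files
        if resource in LIMITED_RESOURCES:
            return True, f"limited access to {resource}"
        return False, "resource outside the allow-list"
    return False, "unrecognised rule"
```

The reason string is returned alongside the decision so that every denial can be written to the audit log with the rule that produced it, and the final fall-through line means a typo in the matrix denies rather than grants.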
3.1.2. DFD (based on login and accessing Database only)

3.1.3. Identifying Threats


● Customer payment not secure
● User credentials are viewable by staff
● Users can create multiple and spam accounts
● Anonymous customers can forcefully browse to pages.
● The faculty or staff has access to the server side of the website.
● Anonymous and registered customers or staff can inject SQL into the database.
● Anonymous customers may inspect and list all the information from the authentication system.
4. Group Observation
In this third part of the Cyber Threat Modeling, our team discussed the project extensively by
going through some of the distinctive problems in cybersecurity that distinguish it from other design and
engineering endeavors. This helped us assess and prioritize the risks to our project and consider the human
impacts of those risks.

5. Individual Synthesis

ACOSTA, JAMES RYAN

We focused on the differences between the current threats that could potentially harm our mobile application
for this third section of our Cyber Threat Modeling assignment. These attacks represent high-level threats that may
lead to the demise of our mobile application. Making a hierarchy of our security helps us decide which threats are
most important to focus on first. It's incredible that after actually completing these tasks, I can say with certainty that
the techniques and methods I learn from doing these will significantly help me in my pursuit of a career in cyber
security.

CARAMPOT, ELIJAH

In this 4.1, my group mates and I created the objectives, defined the true threat modeling
approach, established a service's specifics, and evaluated and classified various potential threats and their
effects on people. We were able to do that by going over a selection of the relevant problems that
information security faces that set it apart from all other design and engineering attempts.

CLEDERA, ANNA MAUREEN

In this activity, we were able to discuss some of the unique challenges that set cybersecurity apart from
other design and engineering projects. We also listed the possible threats in the application that might occur. By
doing this activity and with the help of the guide provided, we were able to finish this activity and understand the flow
of our application and to know the features that are needed to improve to prevent threats.

ESTOQUE, GHAR BENEDICT

We discussed some of the particular issues in the realm of cybersecurity that set it apart from other
technological and design efforts for this activity. Moreover, we may define the goals and describe the complete threat
modeling process. We are also able to provide the particular activity matrix, DFD, and threat identification for our final
project. Every organization that wants to strengthen its cybersecurity posture should, in my opinion, engage in threat
modeling on a regular basis.
MERCADO, EUNARD

This activity teaches me that threat modeling is a process that identifies and prioritizes potential threats,
such as structural vulnerabilities or the absence of appropriate safeguards. This cyber threat management was
beneficial because it demonstrated how to record the core aspects of protecting a website or system from hackers.

PACIS, URIEL JEREMIAH

In this assignment, we spoke about a few of the special problems that the field of cybersecurity faces that
make it different from other engineering projects and designs. The objectives were also determined, and the overall
modeling of threats procedure.

PEREZ, JAMES MARKELY

In this activity we continued the documentation of our final project. I learned about the different
vulnerabilities and the threats that our mobile application might be exposed to. We listed those out to make
sure that we prioritize it in the security development of the mobile application. I also learned about the
different features and capabilities that our application can do.

ROSALES, ALANIS TRIXIE

We continued the documentation of our final project in this activity. I gained knowledge of the various
dangers and weaknesses that our mobile application might be subject to. In order to ensure that they receive top
priority throughout the creation of the mobile application's security, we listed those out. I also gained knowledge of the
various functions and features that our application offers.

SARCIA, TOBY BRUCE


For this third part of our assignment in Cyber Threat Modeling, we tackled the differences between the
present threats that could be potentially harmful to our mobile application. These attacks pose as high level threats
which could be the reason for the downfall of our mobile application. We prioritize by making a hierarchy of our
security and if it is on par to deal with these threats. It’s absolutely amazing that by actually performing these tasks, I
can strongly agree that the techniques and methods I learn from doing these will significantly have a positive impact
in my pursuit of being in the field of cyber security.
Honor pledge with signature

HONOR PLEDGE:
“We affirm that we have not given or received any unauthorized help on this assignment and that
this work is our own.”

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


Technological Institute of the Philippines
College of Information Technology Education

Assignment 5.1 Cyber Threat Modeling (Part 4)

Score

Group No.: 6

Name:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

IT41S1

Eng. Junnel E. Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 2.1 Cyber Threat Modeling (Part 4)


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
Students can discuss some of the unique challenges in the field of cybersecurity that differentiate it from
other design and engineering efforts.
Students can identify the goals and summarize the overall process of threat modeling.
Given a description of a system, students can predict and prioritize some potential threats and the human
impacts of those threats.
2. Discussion:
Threat Trees and Abuse Cases

Threat Tree
Abuse Cases
Plan your mitigations
• OWASP uses the following categories
  • Authentication
    • All credentialed users require a username and password for authentication
    • All pages check authentication
    • All credentials are communicated only over a secure channel
    • No backdoor accounts or default accounts can be left available
  • Authorization
    • Use role-based authentication with unlimited levels, but including anonymous, user, staff, librarian, admin
    • All accesses will use least privilege and fail securely
  • Cookie Management
  • Data/Input Validation
  • Error Handling
  • Logging/Auditing
  • Cryptography
  • Secure Code Environment
  • Session Management
3.1 Briefly discuss the following:
3.1.1 Threat Trees and Abuse Cases (log-in and accessing database only)

Abuse cases
3.1.2. Plan your mitigations (log-in and accessing database only)
● Implement strong password policies, educate users on the importance of using strong passwords.
● Use two-factor authentication to verify the identity of users before allowing them to access the
system.
● Implement security measures such as antivirus software, firewalls, and intrusion detection systems
to prevent malicious apps from being downloaded and installed on the user's device.
● Implement secure communication protocols, such as HTTPS, to encrypt the communications
between the user and the system.
● Logging/Auditing
● Cryptography
● Cookie Management
● Data/Input Validation
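As an added example (not the project's own code) of how the authentication, cryptography and logging/auditing items above translate into code, the Python below registers users under a password policy, stores passwords as salted PBKDF2 hashes, locks an account after repeated failures so that password guessing is throttled, and writes an audit record for every decision. The policy thresholds (12 characters, 5 consecutive failures, 15-minute lockout), the PBKDF2 work factor and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
import time

PBKDF2_ROUNDS = 100_000    # assumed work factor
SALT_BYTES = 16
MIN_LENGTH = 12            # assumed password policy minimum
MAX_FAILED = 5             # assumed: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed: 15-minute lockout


def password_meets_policy(pw: str) -> bool:
    """Assumed policy: 12+ characters with upper, lower, digit and symbol."""
    checks = [
        len(pw) >= MIN_LENGTH,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^\w\s]", pw),
    ]
    return all(checks)


def hash_password(pw: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginService:
    """In-memory stand-in for the application's user store (illustration only)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so lockout expiry can be tested
        self.users = {}      # username -> salt + digest
        self.failed = {}     # username -> (consecutive failures, locked_until)
        self.audit = []      # audit trail; never records passwords

    def _log(self, event, username, detail=""):
        self.audit.append({"ts": self.clock(), "event": event,
                           "user": username, "detail": detail})

    def register(self, username, pw):
        if not password_meets_policy(pw):
            self._log("register_rejected", username, "password policy")
            return False
        self.users[username] = hash_password(pw)
        self._log("register_ok", username)
        return True

    def login(self, username, pw):
        now = self.clock()
        count, locked_until = self.failed.get(username, (0, 0.0))
        if now < locked_until:
            self._log("login_locked", username)
            return False          # fail closed even if the password is right
        if locked_until:
            count = 0             # lockout expired: start counting afresh
        stored = self.users.get(username)
        if stored is not None and verify_password(pw, stored):
            self.failed.pop(username, None)
            self._log("login_ok", username)
            return True
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED else 0.0
        self.failed[username] = (count, locked_until)
        self._log("login_failed", username, f"consecutive failures: {count}")
        return False
```

Unknown usernames and wrong passwords produce the same generic failure and the same audit event, so the log shows the attempt pattern without confirming which accounts exist; the audit list is what a detection rule would watch for a burst of login_failed records against one user.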
4. Group Observation
In this group activity, we learned about Threat Trees and Abuse Cases. We drew our system's
Threat Trees so that we could fully visualize the possible threats that can occur in our application,
together with the Abuse Case of the application. Based on the diagram shown above, the abuse case is an
example of a hacker trying to manipulate the system by using different forms of attack.
5. Individual Synthesis
ACOSTA, JAMES RYAN

In my opinion, this activity is good for getting to know how important threat trees and abuse cases
are. Threat trees have been used in a variety of settings. They are accustomed to threats to computer
systems and possible countermeasures in the field of information technology. This makes it possible for you
to visually and easily simulate system dangers. If we are aware of the methods an attack can take, we can
build defenses to prevent attackers from achieving their goals. It is important to know more
information about this topic because it further enhances our knowledge about cyber security.

CARAMPOT, ELIJAH

We learned things about the Threat Trees and Abuse Cases through this group activity. To fully understand
the potential hazards that can arise in our application, we displayed the Threat Trees for our system.
According to the diagram we showed above, the application's abuse case is another example of a hacker
attempting to manipulate the system by employing various forms of attacks.
CLEDERA, ANNA MAUREEN

In this group activity, we learned about Threat Trees and Abuse Cases. We presented the Threat
Trees for our system so that users could fully comprehend the potential risks that might exist in our
application. According to the diagram we previously displayed, the abuse case of the application is another
illustration of a hacker trying to manipulate the system by using a variety of attacks.

ESTOQUE, GHAR BENEDICT

We picked up information about threat trees and mishandled cases through this assignment, and
we afterward had to build our own. Based on my own understanding, threat trees are hierarchical, graphical
diagrams that show how low level hostile activities interact and combine to achieve an adversary's
objectives and usually with negative consequences for the victim of the attack. We characterized our
targets and displayed the total risk modeling method and distinguished the assault we were almost to
conduct as well as all the dangers the programmer was competent of doing within the threat tree.

MERCADO, EUNARD

In order to complete this activity, we must complete the threat tree. A threat tree is a graphical
representation of how an asset or target could be attacked. Attack trees have been used in a variety of
situations. They've been used in the field of information technology to characterize computer system
dangers and possible counter-attacks. This also allows you to model the risks to a system in a graphical,
easy-to-understand manner. If we understand how a system can be attacked, we can invent
countermeasures to prevent attackers from achieving their goal.
PACIS, URIEL JEREMIAH

In the computer world, data science is the force behind the recent dramatic changes in
cybersecurity operations and technologies. The secret to making a security system automated and
intelligent is to extract patterns or insights related to security incidents from cybersecurity data and build
corresponding data-driven models. Various scientific techniques, machine learning processes, and systems
are used to comprehend and analyze the actual phenomena with data. One example is threat trees. A
threat tree is a visual depiction of potential attacks on an asset or target. Attack trees have been applied in
many different contexts. They have been used to computer system threats and potential defenses in the
realm of information technology. This enables you to model system risks in an understandable, graphical
manner. We can create defenses to stop attackers from achieving their objectives if we know how a system
can be attacked.

PEREZ, JAMES MARKELY

In this activity I learned how to create a threat tree and its importance in an organization. I also
learned the important things to consider in planning your mitigation strategy because this will help secure
your system and protect your organization’s assets against malicious acts.

ROSALES, ALANIS TRIXIE

We learnt about Threat Trees and Abuse Cases during this group exercise. In order for consumers
to completely understand any potential hazards that could be present in our application, we presented
Threat Trees for our system. The abuse case of the application is another example of a hacker attempting
to manipulate the system by employing a variety of attacks, as shown in the diagram we previously
displayed.

SARCIA, TOBY BRUCE

The idea of abuse cases is beneficial in order to aid in the development of the list of attacks. Abuse
cases are defined as a means of utilizing a feature that the implementer had not anticipated, allowing an
attacker to modify a feature or the result of using the attribute based on an attacker's movement (or input).
Cases of misuse and abuse detail how users abuse or take advantage of the flaws in software features'
controls to attack a program. When a direct attack is made against company capabilities that can generate
income or give a favorable user experience, this can have a real-world impact on the firm. In order to
properly safeguard these important business use cases, security needs can be effectively driven by abuse
instances.
Honor pledge with signature
HONOR PLEDGE:
“We affirm that we have not given or received any unauthorized help on this assignment and that this work
is our own.”

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


6. Reference:
Technological Institute of the Philippines
College of Information Technology Education

Assignment 5.1 Penetration Test Plan (Part 5)

Score

Group No.: 6

Name:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

IT41S1

Eng. Junnel E. Avestro


Professor
IT024 – Cyber Threat Modeling

Assignment 5.1 Penetration Test Plan (Part 5)


1. Intended Learning Outcome (ILO)
At the end of this practice set, the students are expected to:
Students can create a Cybersecurity Penetration Testing Plan
Students can measure whether their Penetration Test is successful or not
Students can mitigate the discovered flaws of the system

2. Discussion:
Planning for Information Security Testing
Once approval to perform an information security audit and, most likely, a penetration test (pen-test) of an
organization’s networks and systems has been obtained, then what? Where to start? Planning it requires a
great deal of thought and consideration and, for first timers, this task can be quite daunting.
Poor planning can have serious consequences for the network, causing unwanted business disruption and,
in the worst-case scenario, permanent harm. Depending on the risk appetite of the organization, the scope
of the pen-test could be drastically different.
The first thing one needs to understand is that information security auditing is not a one-size-fits-all type of
engagement. It is reasonable to start small and slowly progress to more complex engagements.
It is also important to note that different networks and applications can progress in different stages.

For example, if an organization has a supervisory control and data acquisition (SCADA) system that has
never been tested, nor even scanned for vulnerabilities, one might want to consider not starting the
information security testing by deploying a full-blown pen-test. It would be prudent to start with a
vulnerability assessment to test the waters and use the results to harden the system for a future pen-test.

Before considering the rules of engagement, it is important to know the types of information security
testing:

• Vulnerability scan— This scan examines the security of individual computers, network devices or
applications for known vulnerabilities. Vulnerabilities are identified by running a scanner, sniffers, reviewing
configurations, etc.
Vulnerabilities identified are never exploited. This test tends to be less disruptive and also inexpensive
when outsourced.
• Security assessment— This builds upon the vulnerability assessment by adding manual verification of
controls to confirm exposure by reviewing settings, policies and procedures. It has a broader coverage.
Assessment of physical security safeguards would be covered here.
• Penetration test— This happens one step ahead of a vulnerability assessment. It takes advantage of the
known and unknown (e.g., zero-day attacks) vulnerabilities. It also makes use of social engineering
techniques to exploit the human component of cybersecurity.
Note that vulnerability assessment is included in pen-testing.
Vulnerability assessment is the starting activity that would be scheduled to look for vulnerabilities. It is
called the discovery phase (or reconnaissance) of the test cycle.
Penetration testers must run a vulnerability scan to identify weak points to be exploited.
• Social engineering— Although social engineering is actually a pen-test technique, many companies not
yet ready for a pen-test might opt to only deploy a phishing email campaign, for example, to verify how
many of their users are vulnerable to this technique and require further training.

The model in figure 1 proposes a guideline for maturing testing activities by correlating different
combinations of the “rules of engagement,” which will be covered in detail in this article, with risk tolerance.
These preset combinations can be used as a starting point.
3. Briefly discuss the following:
3.1. Objective
The project's goal is to use SQL injection and brute force attempts to examine the CinQ system's
security. It will follow a security testing technique that includes a planning phase that must be observed
and information gathering about the website and its database system. This will gauge the security system's
capacity to withstand an attacker trying to access the website through it. It will examine the website from
the viewpoint of a malicious attacker and identify the areas of the system that need to be strengthened.
Besides that, the significant resources that really need to be kept safe and private will be identified. The
attack will then be reviewed, and the detected problems will be fully investigated.

3.2. Scope
3.2.1 In-scope (coverage) - Features to be tested
The features that will be tested in order to make sure that the application has enough functionality
to be protected from security breaches are the following:
● Reading the sensitive and private information that is stored in the database.
● Bypassing the need to be authenticated before accessing files.
● Modifying/deleting sensitive information in the database.
● Gaining root access to the system.
● Executing lines of code on the system that hosts the database.
3.2.2 Out-of-scope (delimitation) - not part of the testing
With the coverage stated above, here are the parts of the system penetration test that will not be
covered:
● Sanitized data where code execution is prohibited.
● The validation process in which specific unwanted characters that are marked as potentially
harmful to the system are blacklisted, while the specific characters that are needed in order to
make changes within the system are whitelisted.
3.3. Target Audience
These are the following individuals, groups and organizations:
● Customer
- This is an individual or business that purchases another company's goods / services. Cinq
reinvents the typical desserts that Filipinos consume by ensuring the goodness of the dessert.
● Staff/Admin
- This program will help the Cinq Cheesecake Shop employees by allowing them to transact
easily with the customers and display their information and products through the
developed mobile application. The admin will ensure the network's security, protect against
unauthorized access, modification and destruction, and troubleshoot any access problems to
the application.
● Shop owner
- This program will benefit the Cinq Cheesecake Shop owner as it provides a more
portable application that will reduce physical interaction between customers and
employees.
● Organizations/Companies
- Penetration testing of the program helps businesses find their weakest parts so they
can take preventive steps to fix those weaknesses before attackers take full advantage of
them.
● Information Security Manager
- They will use the penetration testing to protect a business's computer networks,
connections, and databases against cyber threats and security weaknesses.
● Technical Team
- The project will help them build a system that is strong enough to effectively fight off
threats.
3.4. Test Objectives
3.4.1 Brute Force
A growing number of online applications let users self-authenticate. The use of a test system is
the most frequent problem we will run into when performing web application testing: you would need a
properly working user account in order to reach the application's internal components. As a result, we will
start by investigating the identity verification configuration and the effectiveness of brute force attacks on
the application's specific web page.
3.4.2 SQL Injection
SQL injection, often known as SQLI, is a common attack technique that uses malicious SQL code
to access data that was not intended to be shown and change backend databases. This data may consist
of a variety of items, including user lists, sensitive company information, and private consumer information.
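To make the SQL injection threat listed in the Part 3 threat identification and targeted by test objective 3.4.2 concrete from the defender's side, here is an added Python example (not the CinQ application's code) built on an in-memory SQLite table with constructed sample rows: the vulnerable query concatenates user input into the SQL text, the hardened query passes it as bound parameters, and a digits-only allow-list for the PIN shows the data/input validation control from the mitigation plan. The table layout, the sample rows and the PIN format are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not the shop's real schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, pin TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, pin) VALUES (?, ?)",
        [("ana", "1234"), ("ben", "9876")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, pin: str) -> list:
    """Vulnerable form: the user's input becomes part of the SQL text, so a
    quote character in the input changes the meaning of the WHERE clause."""
    sql = (
        f"SELECT username FROM customers "
        f"WHERE username = '{username}' AND pin = '{pin}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, pin: str) -> list:
    """Hardened form: the SQL text is fixed and the driver binds the input as
    data, so it can never be parsed as part of the query."""
    sql = "SELECT username FROM customers WHERE username = ? AND pin = ?"
    return [row[0] for row in conn.execute(sql, (username, pin))]


PIN_PATTERN = re.compile(r"\d{4,8}")  # assumed allow-list: 4 to 8 digits only


def pin_is_valid(pin: str) -> bool:
    """Input validation as a second layer: reject anything outside the
    allow-list before it reaches the database at all."""
    return PIN_PATTERN.fullmatch(pin) is not None


def login(conn, username: str, pin: str) -> list:
    """Defence in depth: validate first, then query with bound parameters."""
    if not pin_is_valid(pin):
        return []
    return login_parameterized(conn, username, pin)
```

A pen-test of the vulnerable form would be judged successful when an input containing a quote returns rows that the supplied PIN should not match; against the parameterized form the same input is simply a PIN that matches nothing, which is the measurable difference the test plan is looking for.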
3.5. Roles and Responsibility (in tabular form)

Role            Responsibilities                                   Contact information

Team Lead       - Organize, coordinate and monitor the progress    Rosales, Alanis Trixie     [email protected]
                  in the project.                                  Carampot, Elijah           [email protected]
                                                                   Cledera, Anna Maureen      [email protected]

Team Designer   - Responsible for the application's UI to ensure   Estoque, Ghar Benedict B.  [email protected]
                  that design requirements are met.                Perez, James Markely       [email protected]
                - Responsible for the application's backend.       Mercado, Eunard            [email protected]
                - Responsible for the application's database.      Pacis, Uriel Jeremiah      [email protected]

Test Engineer   - Responsible for the application's penetration    Acosta, James Ryan         [email protected]
                  testing.                                         Sarcia, Toby Bruce         [email protected]

3.6. Assumption for Test Execution


3.7. Success Factor
3.8. Glossary
3.9. References

4. Group Observation
In this group activity, we discussed our system's objective, which is to implement SQL Injection
and Brute Force attempts so that we can visualize a sample attack that can occur in the system and examine
its security. We created strategies for cyber security penetration testing, determined whether the test is
reliable or not, and fixed any system faults that were found. The key benefit of these security tests is that
they make it easier to identify any security vulnerabilities in the computer code or program before it is
released to the general public. This could make it easier to prevent negative effects like customer distrust
and knowledge leaks.
5. Individual Synthesis
ACOSTA, JAMES RYAN
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

CARAMPOT, ELIJAH

With this activity, we will discuss temporarily about the upcoming goals and scope statement.
Besides this, we create a plan for cyber security penetration testing, determine whether the test is reliable
or not, and fix any system flaws that are found. The main benefit of these security tests is that they make it
easier to identify any security vulnerabilities in the computer code or application before they are available to
the wide user.

CLEDERA, ANNA MAUREEN

In order to see an example attack that could happen to the system and evaluate its security, we
discussed the purpose of the system as well as how to create SQL Injection and Brute Force attacks in this
group activity. We created procedures for cyber security penetration testing in order to evaluate the test's
dependability and fix any faults in the system that were found. The key benefit of these security checks is
that they make it easier to identify any security holes in the computer code or software before it is made
publicly available. It might be easier to prevent negative effects like customer distrust and information leaks
as a result.

ESTOQUE, GHAR BENEDICT

For this activity, we tend to concisely discuss the subsequent objectives and scope for our final
project. We tend to additionally produce a Cyber Security Penetration Testing plan, measure if their
Penetration take a look at is sure-fire or not and mitigate the discovered flaws of the system. The main
advantage of these security testing is that it will facilitate determining potential security risks within the
computer code or application before it's discharged to the general public. This could facilitate avoiding
devastating consequences, like knowledge breaches and loss of client trust.

MERCADO, EUNARD

In this activity, I learned that the vulnerabilities of a system or website are important because they
will help us identify potential tools that we need to protect. Knowing various hacking tools will assist us in
performing penetration testing on our system or website. It is also important to plan your mitigations,
establish trust boundaries, identify potential vulnerabilities in your website, and create threat trees and
abuse cases.

PACIS, URIEL JEREMIAH


_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

PEREZ, JAMES MARKELY

We created procedures for cyber security penetration testing in order to evaluate the test's
dependability and fix any faults in the system that were found. The key benefit of these security checks is
that they make it easier to identify any security holes in the computer code or software before it is made
publicly available. It could be easier to prevent negative effects like client distrust and information leaks as
a result.

ROSALES, ALANIS TRIXIE

In this group activity, we spoke about the system's goal and how to create SQL Injection and Brute
Force attacks so that we can see an example attack that may happen to the system and assess its security.
In order to assess the reliability of the test and correct any system flaws that were discovered, we
developed methodologies for cyber security penetration testing. The main advantage of these security tests
is that they make it simpler to find any security flaws in the program or computer code before it is made
available to the general public. This might make it simpler to stop adverse outcomes like customer mistrust
and information leaks.

SARCIA, TOBY BRUCE


_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Honor pledge with signature
HONOR PLEDGE:
“We affirm that we have not given or received any unauthorized help on this assignment and that this work
is our own.”

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


DISCUSSIONS
PRELIM PERIOD

TECHNOLOGICAL INSTITUTE OF THE PHILIPPINES


College of Information Technology Education
Information Technology Department
IT 024 – Cyber Threat Modeling

Final Project Proposal

Leader:

Members:
Acosta, James Ryan
Carampot, Elijah
Cledera, Anna Maureen
Estoque, Ghar Benedict
Mercado, Eunard
Pacis, Uriel Jeremiah
Perez, James Markely
Rosales, Alanis Trixie
Sarcia, Toby Bruce

Group No.: 6

Section: IT024 - IT41S1


Instructor: Engr. Junnel E. Avestro

The following activity supports the attainment of these outcomes:


1. Describe and perform a critical evaluation with different exercises.
2. Assess the strengths and weaknesses of the certification and accreditation approach to cybersecurity.
3. Create a good set of information security metrics.
4. Identify and contrast the most common security standards and associated catalogs of security
5. Reflect on personal transformation along the TIP Graduates Attributes.

Student Outcomes Addressed by the Course


(SO) 2: an ability to design, implement, and evaluate a computing-based solution to meet a given set of
computing requirements in the context of the program’s discipline;
(SO) 6: an ability to identify and analyze user needs and to take them into account in the selection,
creation, integration, evaluation, and administration of computing-based systems.

I. Proposed title 1: Cinq Cheesecake Shop

II. Description (nature of business and cyber security concerns overview)

Cinq Cheesecake Shop will offer a unique product that will differentiate it in the industry. "Cinq" is a
French word that means five in English, and it represents the business partners who established this
organization. It also describes freshly made cheesecake desserts in different forms such as No-Bake
Cheesecake, Stuffed Waffle Cones, and Waffles. The team proposes to develop a mobile application for the
existing website of Cinq Cheesecake Shop. The application will cover viewing products in the different
dessert categories, adding products to a cart, tracking costs, and checkout and payment for the products
purchased.

Technology, as we know, has become increasingly important in the past few decades, and especially in the
years since the pandemic began, when the use of and demand for technology rose sharply. This increase in
demand has left a lot of local shops in the dust: payment, management, ordering, and the like have all
become technologically advanced so that everything can be done using a mobile phone. One of the local
shops affected by this demand is Cinq Cheesecake Shop. To address this problem, the developers propose
a mobile application in support of the shop's existing website. This mobile application will handle the
display of product details, user accounts, communication between the shop and the customers,
transactions, and the administration side of the application.

I. Proposed title 2: ARTrix Arts and Crafts 2020

II. Description (nature of business and cyber security concerns overview)

This project is an online website for ARTrix Arts and Crafts 2020, accessible from a personal computer
with an internet connection. Users can view the different types of services offered by the artists, which
are watercolor art, canvas art, digital art, and face painting for parties. Several options in the
navigation bar at the top let the user select which page they want to view. When the user selects a page
in the navigation, the product page for example, they can view the products the artists sell as well as
their descriptions and prices.

As the pandemic struck, there was a rise in e-commerce, especially online businesses. ARTrix is a company
that sells and provides services in the form of artworks. It has been hard for us to reach our customers
because physical contact with other people is limited and prohibited. It has also been hard to obtain
feedback and to provide an excellent service that satisfies the wants of our customers. That is why this
project aims to create a website that will help us reach our customers and provide them with excellent
service. It will also help our customers reach us, since everybody is using the internet these days, and
it will help our business in terms of promotion and advertising.
Honor pledge

"We affirm that we will not give or receive any unauthorized help on this discussion, and that all
work will be our own."
MIDTERM PERIOD
IT024 – Cyber Threat Modeling
Name: Sarcia, Toby Bruce L. Date: November 19, 2022
Section: IT41S1 Group no.:

Discussion 1.1 Cyber Security Threat Worksheet


Instruction:
1. This is an individual activity
2. Answer the Cyber security threats worksheet
3. Provide synthesis (minimum of 50 words)
4. Include the honor pledge and references

A. Cyber security threats worksheet


Cyber Security Threat: Social engineering techniques
Explain the threat: The biggest weakness in a cybersecurity strategy is humans, and social engineering
takes advantage of a targeted user's inability to detect an attack. In a social engineering threat, an
attacker uses human emotion (usually fear and urgency) to trick the target into performing an action, such
as sending the attacker money, divulging sensitive customer information, or disclosing authentication
credentials.
Example of the threat: Baiting: The attacker offers a "carrot on a stick" where the victim must pay money
to receive a large payout. The payout could be lottery winnings or a free prize in exchange for a small
shipping fee. An attacker might also ask for charitable donations for a campaign that does not exist.

Cyber Security Threat: Malicious code
Explain the threat: Malicious code is the term used to describe any code in any part of a software system
or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious
code is an application security threat that cannot be efficiently controlled by conventional antivirus
software alone. Malicious code describes a broad category of system security terms that includes attack
scripts, viruses, worms, Trojan horses, backdoors and malicious active content.
Example of the threat: A computer virus is a type of malicious application that executes and replicates
itself by injecting its code into other computer programs. Once the code injection is successful and the
reproduction process is complete, the targeted areas of the system become infected. Viruses are one of
the most common examples of malicious code thanks to popular media. One famous illustration of the
concept is represented by Agent Smith in the Matrix film trilogy, where Hugo Weaving plays a renegade
program that manifests similarly to a self-replicating computer virus. The earliest known virus dates back
to the ARPANET of the 1970s, the Internet's predecessor. Known under the name Creeper, it was not
designed as malicious software, but rather as part of research into the topic of self-replicating code.

Cyber Security Threat: Weak and default passwords
Explain the threat: A weak password is short, common, a system default, or something that could be
rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words
in the dictionary, proper names, words based on the user name or common variations on these themes.
Example of the threat: A common issue is individuals using a password that is closely connected with who
they are. Examples of this are their birthdays, shortened forms of their names, their guardians' names,
and their pet's name.

Cyber Security Threat: Misconfigured access rights
Explain the threat: Misconfigured access rights are when user accounts have incorrect permissions. The
bigger problem from this could be giving people who are lower down the chain of command access to private
information that managers could have. They could wrongly have access to employee records or customer
data. This is a breach of the data protection act and the business could get in a lot of legal trouble. If
the employee were to become disgruntled they could do a lot of damage to the business with this kind of
access.
Example of the threat: An example could be a misconfigured access right to a folder which contains
important files that should only be accessed by an administrator but was instead configured to be
accessible by anybody else.

Cyber Security Threat: Removable media
Explain the threat: Removable media is very easily lost, which could result in the compromise of large
volumes of sensitive information stored on it. Some media types will retain information even after user
deletion, placing information at risk where the media is used between systems (or when the media is
disposed of).
Example of the threat: USB memory sticks, external hard drives, CDs, DVDs, mobile phones and tablet
devices.

Cyber Security Threat: Unpatched and/or outdated software
Explain the threat: If your outdated software includes the use, storage or application of data, that data
becomes at risk. Your systems will be more vulnerable to ransomware attacks, malware and data breaches.
Out of date software, then, can give attackers a backdoor into the rest of your systems.
Example of the threat: One of the easiest ways for cybercriminals to break into enterprise systems is
through outdated software, because these systems are vulnerable as they do not have the latest security
updates. How it happens: most malware (malicious software designed to infect computers, phones, and
tablets) targets older versions of software precisely to exploit vulnerabilities that have already been
fixed in newer versions. So, when you fail to download an update, keep putting it off even after warnings,
or keep old software that is not supported by the manufacturer, your company is subject to attacks and
failures. It's very easy for these criminals to break into your company's system, but it can cost you a
lot: loss of strategic data, business disruptions, leaking of sensitive information, reputation damage and
loss of credibility. Therefore, make sure you have the manufacturer's support for your software, so you
will receive every security update. And when you receive these updates, install them immediately.

B. Synthesis:
This worksheet is a collection of different cyber threats that we may face. We live in a digital world and
by that, I mean that we are tipping to the side of our judgment to digitize everything. Before we proceed,
however, we have to keep in mind that threats like these exist. Just like how we protect our tangible
assets, we should also be mindful of how we protect our intangible assets. With the inevitable arrival of
Web3, I strongly believe that the digitization of everything will come swiftly. With that being said, I am
thankful that Cybersecurity is the track that I chose. I am looking forward to becoming even more
knowledgeable in this field and landing a job in the future.

C. References:
https://www.proofpoint.com/us/threat-reference/social-engineering#:~:text=In%20a%20social%20engineering%20threat,information%2C%20or%20disclose%20authentication%20credentials.
https://www.veracode.com/security/malicious-code#:~:text=Malicious%20code%20is%20an%20application,backdoors%20and%20malicious%20active%20content.
https://heimdalsecurity.com/blog/examples-of-malicious-code/
https://www.acunetix.com/vulnerabilities/web/weak-password/#:~:text=A%20weak%20password%20is%20short,common%20variations%20on%20these%20themes.
https://cybersecuritychallenge.org.uk/wp-content/uploads/2019/08/Lesson-Plan-Misconfigured-Access-Rights.pdf
https://coggle.it/diagram/WUJ1pij6ugABqvVS/t/cyber-security-threats#:~:text=Misconfigured%20Access%20Rights&text=This%20means%20the%20administrator%20has,write%2C%20create%20and%20delete%20files.
https://www.reading.ac.uk/digital-technology-services/cyber-security/removable-media#:~:text=Removable%20media%20is%20very%20easily,the%20media%20is%20disposed%20of
https://www.parkersoftware.com/blog/the-security-risks-of-outdated-software/#:~:text=So%2C%20if%20your%20outdated%20software,the%20rest%20of%20your%20systems.
https://www.business2community.com/tech-gadgets/top-5-risks-of-using-outdated-software-in-your-company-02412185

Honor pledge:
"I affirm that I have not given or received any unauthorized help on this assignment, and that this work is
my own"
FINAL PERIOD
COLLEGE OF INFORMATION TECHNOLOGY EDUCATION(CITE)
IT024 – Cyber Threat Modeling
Final Project

MEMBERS’ CONTRIBUTION
Name (LN, FN, MI) / Detailed Contributions/Assigned Tasks

Group no.: 6

Leader's Name: Rosales, Alanis Trixie
● Documentation
● Chapter 1 - Company Name/System
● Chapter 4 - Description of the Company

Member 1: Acosta, James Ryan
● Documentation
● Simulation of the attack
● Brute Force Attack

Member 2: Carampot, Elijah B.
● Documentation
● Chapter 11 - Activity Matrix
● Chapter 14 - Abuse Cases

Member 3: Cledera, Anna Maureen
● Documentation
● Chapter 6 - Reviewers
● Appendix - References

Member 4: Estoque, Ghar Benedict
● Documentation
● Chapter 9 - Role
● Chapter 10 - Assets

Member 5: Mercado, Eunard
● PowerPoint Presentation
● Documentation

Member 6: Pacis, Uriel Jeremiah
● Penetration Testing
● Simulation of the attack
● Debugging

Member 7: Perez, James Markely
● Documentation
● Chapter 14 - Threat Trees
● Chapter 15 - Plan your Mitigation

Member 8: Sarcia, Toby Bruce
● Simulation of the attack
● SQL injection
REFLECTION PAPER

Prelim Reflection Paper

Midterm Reflection Paper


Final Reflection Paper

TECHNOLOGICAL INSTITUTE OF THE PHILIPPINES - QUEZON CITY

IT 024 - Cyber Threat Modeling


Reflection Paper
Finals
NAME: SARCIA, TOBY BRUCE L. SECTION: IT41S1

SUMMARY OF WHAT WAS DONE:

Describe what PASTA is and how we can incorporate it into Threat Modeling.

Identifying the scope of technology that PASTA has.

Be aware of the different kinds of risks that involve the usage and continuous
affiliation with PASTA.

NEW LEARNING:

PASTA stands for Process for Attack Simulation and Threat Analysis.

The different threat models that involve PASTA.

The scale in which PASTA has been used and how it affects the digitized world.

The two sides of the PASTA coin and the career paths I can take when pursuing the
application of it as a professional.

PERSONAL REACTION/REFLECTION:

I had very little knowledge about PASTA. I didn’t know that there was a regulation or
somewhat of a guideline on processes of simulating an attack and analyzing its
threat. The biggest piece of knowledge that I have gotten from this final period while
staying on this topic is how widely it is used by different businesses. PASTA should be
the baseline of any aspiring hacker which I strongly hope that all of them would be
white hat hackers. It is quite limitless, the amount of possibilities there are out there
when incorporating this methodology onto one’s work ethic and practice.

“I affirm that I have not given nor received any unauthorized help on this assignment and that this work is
my own.”

Sarcia, Toby Bruce L.


FINAL PROJECT
TIP-Quezon City
College of Information Technology Education
Bachelor of Science in Information Technology

Cinq Cheesecake Shop

In Partial Fulfillment of the Requirement of the Course


Cyber Threat Modeling (IT024)

Presented by:
ACOSTA, JAMES RYAN
CARAMPOT, ELIJAH
CLEDERA, ANNA MAUREEN
ESTOQUE, GHAR BENEDICT
MERCADO, EUNARD
PACIS, URIEL JEREMIAH
PEREZ, JAMES MARKELY
ROSALES, ALANIS TRIXIE
SARCIA, TOBY BRUCE

Section:
IT41S1
Group no.: 6

Presented to:
Eng. Junnel E. Avestro
Adviser

December 2022

TABLE OF CONTENTS

Chapter 1. Company Name/System 1

Chapter 2. Version: 1.0 1

Chapter 3. Document Owner 1

Chapter 4. Description of the Company 1

Chapter 5. Participants 2

Chapter 6. Reviewers 3

Chapter 7. External Dependencies 4

Chapter 8. Use Scenarios 4

Chapter 9. Roles 4

Chapter 10. Assets 5

Chapter 11. Activity Matrix 6

Chapter 12. Trust Boundaries 7

Chapter 13. Threats 8

Chapter 14. Threat Trees and Abuse Cases 9

Chapter 15. Plan your Mitigation 12


Chapter 16. Simulation 12

16.1 Video link for the First Penetration Test Activity (Brute Force Attack) 12

16.2 Video link for the Second Penetration Test Activity (SQL Injection Attack) 12

Chapter 17. Conclusion 13

Chapter 18. Group Observation and Individual Synthesis 14

A. Group Observation 14

B. Individual Synthesis 14

Chapter 19. Honor Pledge with Signature 15

Appendix 16

A. References 16

B. Member’s Contribution 16
ACKNOWLEDGEMENT

First and foremost, we would like to thank the Almighty God for the wisdom, knowledge, strength
and patience to build this project. Without His guidance, this project would not have been possible.

We also acknowledge the help of our family, especially our parents, for their unconditional love and
support, both emotional and physical. To our friends who helped and motivated us to finish this project,
thank you for your comfort, your helping hands and for being someone to lean on. We are also thankful to
our classmates as well as our group members for their support and motivation.

Lastly, we would like to express our sincere gratitude to our professor, Eng. Junnel E. Avestro, for
helping and guiding us throughout the process of this project. His guidance helped us a lot to finish this
project throughout this semester. Thank you for giving us the knowledge that shaped our developing minds
and for the chance to prove that we can accomplish our project in time.
● Chapter 1. Company Name/System

Cinq Cheesecake Shop will offer a unique product that will differentiate it in the industry. "Cinq"
is a French word that means five in English, and it represents the business partners who established this
organization. It also describes freshly made cheesecake desserts in different forms such as No-Bake
Cheesecake, Stuffed Waffle Cones, and Waffles. The team proposes to develop a mobile application for the
existing website of Cinq Cheesecake Shop. The application will cover viewing products in the different
dessert categories, adding products to a cart, tracking costs, and checkout and payment for the products
purchased.

● Chapter 2. Version: 1.0

● Chapter 3. Document Owner

- Crescent Cyber Group

● Chapter 4. Description of the Company

The Crescent Cyber Group is a company that is responsible for preventing the attacks that may
occur and cause problems in the system. Since the Cinq Cheesecake Shop is a business that receives
orders from customers, there are a lot of transactions happening between the shop and the customers,
and the shop needs to protect the customers' information that they enter into the application.
● Chapter 5. Participants

MEMBERS ROLE

Acosta, James Ryan Penetration Tester

Carampot, Elijah CIRT

Cledera, Anne Maureen CSO

Estoque, Ghar Benedict CSO

Mercado, Eunard CSO

Pacis, Uriel Jeremiah Penetration Tester

Perez, James Markely CIRT

Rosales, Alanis Trixie CISO

Sarcia, Toby Bruce Penetration Tester


● Chapter 6. Reviewers

● CISO

- Also known as Chief Information Security Officer; CISOs work with corporate officers, business
managers, cyber security teams, and IT managers to properly monitor and maintain the security of their
organization's apps, databases, computers, and websites.

● CIRT

- Computer Incident Response Team (CIRT), as defined in NIST SP 800-137 and CNSSI 4009: a group of
individuals, frequently made up of security analysts, who are organized to develop, recommend, and plan
immediate mitigation steps for containment, eradication, and recovery after computer security incidents.

● CSO

- The chief security officer (CSO) is an executive who is in charge of safeguarding the company's
resources, personnel, and data. To prevent malware, phishing, and data breaches, CSOs are responsible
for developing robust safety procedures and crisis management.

● Penetration Tester

- Penetration testing is a security examination in which a cyber-security expert searches for and tries
to exploit holes in a computer system. This simulated attack aims to identify any weaknesses in a
system's defenses that an attacker may use.


● Chapter 7. External Dependencies

● Server type will be applied

● XAMPP Database in the package

● Web Server and Library Server should be secured

● Backend server storage will be from the XAMPP Database

● Chapter 8. Use Scenarios

● Unregistered users can only view the front page of the website.

● Customers can register and log in to their account.

● Customers can select and reserve.

● Customers can view the invoice of their booked order.

● Admin can add new and their corresponding schedules.

● Admin can edit the reservation a customer has made, and can edit the whole order.

● Admin can approve, cancel, decline, and mark as pending and paid order.

● Chapter 9. Roles

● Anonymous/Unregistered Users - Can view the website and product but can't order or reserve.

● Invalid user - Attempted to authenticate and failed.

● Customer - Authenticated customer.

● Website Admin - Monitors the website’s usage and UI.

● Database Admin - Authenticated database administrator with full database privileges.

● Invalid user admin - Attempted to authenticate and failed to login to Admin Gateway.
● Web Server User - User/process id of the web server.
● Chapter 10. Assets

● Customers

● Administrator

● User credentials

● Admin credentials

● Customer Payment Credentials

● User personal information

● Website system

● Database system

● File Maintenance

● Database of Scheduled order

● Database of registered payment methods and credit.

● Availability of the web server

● Availability of the Database server

● User code execution on website

● Admin code execution on the website

● Admin DB read/write access

● Ability to register and create users.

● Ability to edit prices, availability, and order schedules


● Chapter 11. Activity Matrix

The results are much the same as in the OWASP example, but easier to visualize.

Figure 1. Activity Matrix

Figure 1 shows the Activity Matrix, which displays the access levels associated with each function or
asset. Each access level for a role is broken down into CRUD, which stands for "create," "read,"
"update," and "delete." The administrator has the highest imaginable access levels, and an X next to their
name implies that they are able to carry out any and all actions. The activity matrix can serve as
guidance when designing a system and protecting against prospective cyber threats.

A = Create if valid name, id, pin provided

B = Only for their own profile information

C = Must be limited to specific files, tables. No access to web site files.


● Chapter 12. Trust Boundaries

Login DFD

Figure 2. Trust Boundaries

The total "flow" of data on the project is depicted in the DFD (Data Flow Diagram) for the Login and
Registration System. It is employed to record how data is transformed (input-output) for project
development. Levels 0, 1, and 2 of the DFD system for login and registration are available. To define the
entire system, it also makes use of entities, processes, and data.


● Chapter 13. Threats

Listed below are the threats that can occur in the system:
● Customer payment not secure

● User credentials are viewable by staff

● Users can create multiple and spam accounts

● Anonymous customers can forcefully browse to pages.

● The faculty or staff has access to the server side of the website.

● Anonymous and registered customers or staff can inject SQL into the database.

● Anonymous customers may inspect and list all the information from the authentication system.
● Chapter 14. Threat Trees and Abuse Cases

Figure 3. Threat Trees

Figure 3 shows our system's Threat Trees, which let us fully visualize the possible threats that can
occur in our application. Attack trees have been used in a variety of applications. In the field of
information technology, they have been used to describe threats on computer systems and possible attacks
to realize those threats.


Figure 4. Brute Force

Figure 4 shows the diagram of a Brute Force Attack, where the attacker uses trial-and-error to guess
login info, encryption keys, or find a hidden web page. Attackers work through all possible combinations
hoping to guess correctly.


Figure 5. SQL Injection

Figure 5 shows the diagram of the SQL Injection, which is a common attack vector that uses malicious SQL
code for backend database manipulation to access information that was not intended to be displayed. This
information may include any number of items, including sensitive company data, user lists or private
customer details.
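The Figure 5 threat on a login check, as an added example that is not the group's project code: first the query built by concatenating the username into the SQL text, then the parameterised form with input validation. The Cinq project runs on XAMPP/MySQL; sqlite3 stands in here so the example runs offline, and the user rows, passwords, crafted username and username policy are all constructed.

```python
"""Added example (not the group's project code): the Figure 5 SQL injection
threat shown on a login check, first with user input concatenated into the
query, then with a parameterised query plus input validation (Chapter 15,
"Data/Input Validation"). The Cinq project uses XAMPP/MySQL; sqlite3 stands
in here so the example runs offline, the query pattern is identical.
Users, passwords and the crafted username are all constructed."""
import hashlib
import re
import sqlite3

# Registration-style whitelist for usernames (assumed policy, not the project's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def pw_hash(password):
    # sha256 keeps the example short; a real deployment would use a salted,
    # slow password hash (e.g. hashlib.scrypt or bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory stand-in for the shop's customer table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("alice", "Str0ng-Pass!"), ("admin", "Adm1n-Secret#")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw_hash(pw)))
    return conn


def login_vulnerable(conn, username, password):
    """BEFORE: the threat from Figure 5. The username is pasted straight into
    the SQL text, so a value containing a quote and a comment marker ends the
    string early and discards the password condition."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """AFTER: parameterised query. The driver binds username and hash to the
    placeholders as data, never as SQL, so no input can change the query's
    structure. Validating the username first adds a second layer."""
    if not USERNAME_RE.match(username):
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Constructed scenario: a legitimate login and a crafted username
    ("admin'--") tried against both versions."""
    conn = make_db()
    crafted = "admin'--"   # closes the quote, comments out the password check
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "Str0ng-Pass!"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "wrong"),
        "safe_legit": login_safe(conn, "alice", "Str0ng-Pass!"),
        "safe_crafted": login_safe(conn, crafted, "wrong"),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The vulnerable version returns "admin" for the crafted username with no valid password, while the parameterised version returns None for it and still accepts the legitimate login.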


● Chapter 15. Plan your Mitigation

● Implement strong password policies, educate users on the importance of using strong passwords.

● Use two-factor authentication to verify the identity of users before allowing them to access the system.

● Implement security measures such as antivirus software, firewalls, and intrusion detection systems to
prevent malicious apps from being downloaded and installed on the user's device.

● Implement secure communication protocols, such as HTTPS, to encrypt the communications between the user
and the system.

● Logging/Auditing

● Cryptography

● Cookie Management

● Data/Input Validation
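One way to implement a login control against the Figure 4 brute-force threat, covering the authentication and "Logging/Auditing" items above, as an added example that is not the group's project code: a per-account lockout that also records an audit trail. Password checking is stubbed by a boolean so the lockout logic is the point; the threshold, window and attempt sequence are constructed values.

```python
"""Added example (not the group's project code): an account lockout for the
Figure 4 brute-force threat, combining two Chapter 15 items, the login
control itself and "Logging/Auditing". Password checking is stubbed by a
boolean so the lockout logic is the point; the threshold, the lockout
window and the attempt sequence are constructed values."""
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_failures: int = 5          # wrong guesses allowed before lockout
    lockout_seconds: int = 900     # 15-minute lockout window
    failures: dict = field(default_factory=dict)      # username -> count
    locked_until: dict = field(default_factory=dict)  # username -> epoch seconds
    audit_log: list = field(default_factory=list)     # (time, user, event) records

    def attempt(self, username, password_ok, now):
        """Return 'ok', 'denied' or 'locked'. `now` is passed in (epoch
        seconds) so the behaviour is deterministic and testable."""
        if now < self.locked_until.get(username, 0):
            # Correct password or not, a locked account is refused; this is
            # what removes the guesser's feedback during the window.
            self.audit_log.append((now, username, "locked"))
            return "locked"
        if password_ok:
            self.failures.pop(username, None)   # success resets the counter
            self.audit_log.append((now, username, "ok"))
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            # The lockout record is the event a SOC would alert on.
            self.audit_log.append((now, username, "lockout"))
            return "locked"
        self.failures[username] = count
        self.audit_log.append((now, username, "denied"))
        return "denied"


def run_demo():
    """Constructed sequence: five wrong guesses at 'alice' one second apart,
    the right password inside the lockout window, then again after it."""
    guard = LoginGuard()
    results = [guard.attempt("alice", False, now=t) for t in range(5)]
    results.append(guard.attempt("alice", True, now=10))    # correct but locked
    results.append(guard.attempt("alice", True, now=1000))  # window expired
    return results, guard.audit_log


if __name__ == "__main__":
    results, log = run_demo()
    print(results)
    for entry in log:
        print(entry)
```

A per-account lockout can be turned against legitimate users, so in practice it is paired with a CAPTCHA or per-source throttling rather than used alone.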

● Chapter 16. Simulation

○ 16.1 Video link for the First Penetration Test Activity (Brute Force Attack)

https://www.youtube.com/watch?v=PkfU_52WOqA

○ 16.2 Video link for the Second Penetration Test Activity (SQL Injection Attack)

https://www.youtube.com/watch?v=knnrMqFj_bw
● Chapter 17. Conclusion
● Chapter 18. Group Observation and Individual Synthesis

A. Group Observation

B. Individual Synthesis
ACOSTA, JAMES RYAN

I was tasked to do a brute force attack on a live website. I had the same problem for SQL injection.
My application doesn't work on a live website. That is why I chose to perform it on OWASP also. Brute
Force Attacks involve attempting each conceivable combination of letters, numbers, and symbols one at a
time until you find the one that works in an effort to find a password. Your website is a prime target for a
brute-force assault if user authentication is required. A brute-force assault can always be used to crack a
password, but the drawback is that it can take years to accomplish it. There may be billions of different
password combinations, depending on the length and difficulty of the password. This requires the use of a
good.

CARAMPOT, ELIJAH

In the process of doing this project, we learned things about the Threat Trees and Abuse Cases
through this group activity. To fully understand the potential hazards that can arise in our application, we
displayed the Threat Trees for our system. According to the diagram we showed above, the application's
abuse case is another example of a hacker attempting to manipulate the system by employing various
forms of attacks.
CLEDERA, ANNA MAUREEN

Through this final project, I gained knowledge on how to create threat models and
countermeasures against SQL Injection and Brute Force. It provided me with knowledge on how to handle
simple to moderate threats. Creating parameters to guard against any potential SQL statement errors is
akin to developing parameterized SQL executables and programs. During my research on brute force, I
found that techniques that rely on trial and error may be thwarted by employing authentication mechanisms
like CAPTCHA. Through the prevention of bots and cookie weaknesses, it prevents brute force attacks. It
was a lot of fun to work on this final project, and I learned a lot about website and database security.

ESTOQUE, GHAR BENEDICT

For this final project, I realized that it's not easy to use SQL Injection and Brute Force for our
website, but we gained some knowledge of whether penetration testing is applicable to that site. SQL
injection is a popular sort of injection attack. An attacker uses the program to deliver malicious SQL
statements. These are the servers that run the backend database. For the Brute Force, this may be used to
solve a wide range of challenges. It is used for trial and error tasks, searching for a number, sorting the
supplied unsorted input lists, finding the integers between specified ranges given any condition, finding
the greatest number, and so on. It is highly beneficial for resolving small-scale issues. At the end, we
already know what their purpose is in our final project and we learned what the steps are to prevent these
kinds of attacks.

MERCADO, EUNARD

I had the opportunity to watch how a web system called a Threat Model was created for this
project. Since the final project also makes use of the activities finished for the course, we were able to cut
back on the work we needed to do for the documentation. Another thing that my final project taught me is
the effectiveness of frameworks in terms of the security of an application or web system.

PACIS, URIEL JEREMIAH

In my opinion, this project will serve as a great milestone for us since this is the most final project
for our security track. Although in the past prerequisites, I wasn't able to learn much because of the
pandemic and the online classroom setup wasn't effective for me. This subject gives it all because it is the
actual hacking. Cybersecurity is important because penetration testing doesn't just point out flaws; it
simulates actual attacks to illustrate how your personnel, financial assets, and sensitive data would fare in
the case of an actual attack. It examines how well your system can identify breaches when they happen,
whether they are internal or external. Pen-testing relies significantly on qualified, experienced individuals
who can analyze systems in the same manner that hackers can, even though some tasks may be
automated. In actuality, many are licensed, ethical hackers. To know one, one must be one. I plan to utilize
this knowledge as a future cybersecurity IT.

PEREZ, JAMES MARKELY

ROSALES, ALANIS TRIXIE

SARCIA, TOBY BRUCE

My experience during this project isn't as pleasing as it should be. I was tasked to do the
penetration testing, which in my opinion, is the hardest. One problem I encountered is that my applications
won't work on live sites except OWASP. Since I only have a short time frame to perform the task, I chose to
do it on OWASP. This penetration testing is relevant for me. In my opinion, in focused testing, your
information technology team collaborates with the pen testers to run tests and analyze the outcomes. In the
course of external testing, intrusions into publicly accessible systems including web servers, email servers,
and domain name servers are attempted. The objective is to determine if these organizations are
vulnerable to outside assaults. External tests can show the extent to which a hacker may get into your
system once they have it. Internal testing's goal is to identify security holes in your firewall. The same
degrees of access and authorization are granted to testers as are to employees. This test will reveal any
flaws that can provide unauthorized access to data.


● Chapter 19. Honor Pledge with Signature

Honor Pledge

"We affirm that we have not given or received any unauthorized help on this assignment and that this work
is our own."

Acosta, James Ryan Carampot, Elijah Cledera, Anna Maureen

Estoque, Ghar Benedict Mercado, Eunard Pacis, Uriel Jeremiah

Perez, James Markely Rosales, Alanis Trixie Sarcia, Toby Bruce


● Appendix

A. References
Chief Security Officer (CSO): Definition, Requirements, Duties. (2022, November 7). Investopedia.
https://www.investopedia.com/terms/c/cso.asp

computer incident response team (CIRT) - Glossary | CSRC. (n.d.).
https://csrc.nist.gov/glossary/term/computer_incident_response_team

How to Become a Chief Information Security Officer. (2021, December 9). Western Governors
University. https://www.wgu.edu/career-guide/information-technology/CISO-career.html

Just a moment. . . (n.d.).
https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/

B. Member’s Contribution

Name (LN, FN MI) / Detailed Contribution/Assigned Tasks

Acosta, James Ryan
● Documentation
● Simulation of the attack
● Brute Force Attack

Carampot, Elijah
● Documentation
● Chapter 11 - Activity Matrix
● Chapter 14 - Abuse Cases

Cledera, Anna Maureen L.
● Documentation
● Chapter 5 - Participants
● Chapter 6 - Reviewers
● Appendix - References

Estoque, Ghar Benedict
● Documentation
● Chapter 9 - Role
● Chapter 10 - Assets

Mercado, Eunard
● PowerPoint Presentation
● Documentation
● Chapter 14 - Abuse Cases

Pacis, Uriel Jeremiah
● Penetration Testing
● Simulation of the attack
● Debugging

Perez, James Markely M.
● Documentation
● Chapter 14 - Threat Trees
● Chapter 15 - Plan your Mitigation

Rosales, Alanis Trixie H.
● Documentation
● Chapter 1 - Company Name/System
● Chapter 4 - Description of the Company

Sarcia, Toby Bruce
● Simulation of the attack
● SQL injection
