The 2021 SFS Research Study: Vulnerabilities in UMBC’s Incident Management System

Cyrus Bonyadi and Enis Golaszewski
CSEE Department, UMBC

12:00noon–1pm Friday, 29 January 2021

remotely via WebEx 

 January 11–15, 2020, UMBC scholars in the CyberCorps: Scholarship for Service (SFS) and the DoD Cybersecurity Scholarship (CySP) programs collaboratively analyzed the security of UMBC’s Incident Management System (IMS). Students found numerous serious issues, including race conditions, code-injection, and cross-site scripting attacks, improper API implementation, and denial-of-service attacks. We present findings, recommendations, and details of these vulnerabilities.

UMBC’s Incident Management System (IMS) is a web application under development by UMBC’s DoIT to supplement their RequestTracker (RT). IMS allows DoIT security staff to supplement the information in RT by linking IMS incidents to RT tickets. IMS incidents store additional information and files regarding existing and potential security campaigns. Using the information in IMS and RT, DoIT generates executive reports, which can influence decisions related to budget, training, and other security concerns. Our study is helping to improve the architecture and implementation of IMS.

Participants comprised BS, MS, MPS, and Ph.D. students studying computer science, computer engineering, information systems, and cybersecurity, including SFS scholars who transferred from Montgomery College (MC) and Prince George’s Community College (PGCC) to complete their four-year degrees at UMBC.

About the Speakers. Cyrus Jian Bonyadi is a Ph.D. Student at UMBC working on distributed computing consensus theory. He is an alumnus of the varsity CyberDawgs team. email:  Enis Golaszewski is a Ph.D. Student at UMBC working on protocol analysis. He is a leading member of the Protocol Analysis Lab under Dr. Sherman. email: 

Host: Alan T. Sherman, . Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681. The UMBC Cyber Defense Lab meets biweekly Fridays 12-1 pm.  All meetings are open to the public. Upcoming CDL Meetings:

  • Feb 12, Richard Carback (xxnetwork), Startup lessons learned
  • Feb 26, Vahid Heydari (Rowan University)
  • Mar 12, Chao Liu (UMBC), Efficient asynchronous BFT with adaptive security
  • Mar 26, Jeremy Clark (Concordia)
  • April 9, (UMBC), MeetingMayhem: A network adversarial thinking game
  • April 23, Peter Peterson (University of Minnesota Duluth), Adversarial thinking
  • May 7, Farid Javani (UMBC), Anonymization by oblivious transfer