Computer Security (CSI1101)
Case Study: Computer Security Vulnerabilities and Countermeasures
Weighting: 40% of the final mark of the unit
Due Date: Check Blackboard under Assessment à Assignments à Assessment Overview
Word count: 3500 words excluding the Title Page, Table of Contents, Reference list, and Appendices (if you wish to add). A 10% increase in word count is acceptable. Anything in excess will not be taken into consideration. You should not submit an ECU cover sheet with the assignment.
Important Instructions:
Before you read the assignment task instructions, please complete the following activities available on Blackboard under Assessment:
- Watch the academic integrity video from the Associate Dean Teaching and Learning (ADTL), School of Science.
- Read the academic integrity requirement for commencing students.
- Carefully read the ‘Academic Integrity Tick-Before-Submit Checklist’ to ensure you are fully aware of your responsibilities. Remember to complete this before you submit your final attempt. This checklist is also available towards the end of this document.
- Read the academic integrity document related to this unit.
- Review the ‘Exemplar Assignment’. This exemplar should enable you to better understand how a report could be structured.
Do not use any of the written content from the exemplar. This constitutes academic misconduct and will result in serious penalties. Also, the exemplar assignment addresses a different task(s). Your final submission/work should be your own incorporating your own perspective and creative aspect. This is further explained on Blackboard under the Assignment Exemplar link.
- Read and ensure you understand the rubrics available under ‘My Grades’ on Blackboard (also available at the end of this document).
The first criterion is ‘Originality and Student Voice (Academic Integrity)’. A low score in this criterion can reduce your marks in the other rubric criteria. i.e. getting a similar or lower score than what you have been awarded in the Academic Integrity section and being reported for Academic Misconduct.
Assignment Overview:
This assessment requires you to write a report on the given scenario which investigates the existing security issues (technical and non-technical) and propose countermeasures to overcome the identified problems. The scenario has been developed after observing various real-world security vulnerabilities that organisations face, which cyber criminals can leverage.
The assessment will develop your understanding of analysing security issues and applying the knowledge acquired throughout the semester to provide solutions to these issues. The assessment will also require you to seek guidance from various security forums/manuals such as ‘Australian Government Information Security Manual’, ‘The Australian Signals Directorate (ASD) Top 35 Mitigation Strategies’, ‘Essential Eight’, several ‘NIST Standards’, SANS resources, and others. You will be provided reference to these resources throughout the semester. You should also apply feedback from your Report assessment to improve your writing skills according to the industry standards.
The assessment will enable you to achieve Unit Learning Outcomes (ULO) 3, 4 and 5 and the Course Learning Outcomes (CLO) 2, 4, 5, and 8.
Scenario/Situation:
Top Gear Autos (TGA) is a medium-sized organisation manufacturing and selling automobile parts in Australia for many years. The company has multiple offices within Australia’s metropolitan and regional areas and has been doing significantly well over the last three years. TGA is reliant on its IT infrastructure to run daily operations, which was developed through stopgap arrangements. All IT services are currently being operated from a central site located in Melbourne, which is well below the data centre’s standards. In January 2021, the company met with multiple cyber security breaches. There were two prominent breaches. The first was a ransomware attack due to a successful spear- phishing attack, and the second was due to the execution of suspicious executable files on a number of client computers. This second breach caused TGA to stop its operations for 4-weeks which impacted the company’s market revenue due to disruption followed by rudimentary rebuild and recovery activities.
Both incidents alerted TGA’s owner, Sophie, to review the following existing IT setup:
- The computers/laptops being used by TGA employees are running Windows 10 version which was released in 2015. All of the systems are running on default settings.
- The employees are allowed to use USB flash drives on computers/laptops. Moreover, the employees can bring their personal computing devices and connect them to TGA’s network without any authentication.
- TGA employees have administrative rights on the devices they use. Moreover, there is no password policy, and employees can choose any password that is easy to remember.
- TGA is using an anti-virus solution which requires the employees to update the latest virus definitions.
- Data backup is undertaken using a Network Attached Storage (NAS) device housed in the company’s main premises and always connected to its network. Moreover, the NAS device can be accessed using the default settings.
- To ensure confidentiality, the data is encrypted using the Ceaser Cipher encryption technique.
- TGA uses a custom-built/user application which is web-based to run its daily operations. The application stores user passwords in the database using the MD4 cryptographic hash function. Moreover, the application has contents developed in Flash embedded in various webpages of this application.
- For remote working primarily due to the on and off COVID mandated lockdowns, TGA employees connect to the company network using a simple Remote Desktop Protocol (RDP).
- There is no physical security mechanism to safeguard TGA’s central site housing all of the IT infrastructure. Any employee can enter this site and physically access the servers, switches, routers, storage devices, etc. Moreover, the environment is not conducive to hosting servers or storage devices due to regular power surges.
- Hardware firewall/intrusion detection systems (IDS) currently being used at TGA are running an outdated version of the system software.
Core Tasks:
- Sophie has approached you to analyse the current IT setup and practices being followed by her organisation along with the security issues discussed above. You are required to prepare a succinct report addressing six critical cyber security issues that should be dealt with as a priority by TGA. In devising the security solutions, you should address the following requirements:
- Identify the six critical issues (threats and vulnerabilities) currently being faced by TGA.
- Provide a rationale as to why your chosen/identified cyber security issues should be addressed immediately. Justify the potential impact(s) of each of the issues identified in terms of the Confidentiality, Integrity, and Availability (CIA) triad.
- Provide a detailed explanation/demonstration/justification of how you propose to address (application of current security solutions) the identified issues. In doing this, you are required to propose a minimum of two solutions for each of the identified issues.
- Among the proposed solutions (for an issue), identify which one is the preferred solution. You are to justify why your chosen/preferred solution is better than alternative approaches(s) (i.e. clearly compare/contrast your solution to the proposed alternative(s)). Depending on the vulnerability being discussed, a situation may arise where you find it challenging to discuss or find an alternative solution. In such a case, you could attempt this section as short-term vs long-term solution where both solutions would be similar, but your proposed implementation would differ with reference to the accrued benefits.
- Relate your recommended and proposed solutions to approaches available in the ‘Strategies to Mitigate Cyber Security Incidents’ document owned by the Australian Cyber Security Centre (ACSC) providing appropriate justifications. Here, you are required to support your solutions with the information available in the strategies document with different categories, colour codes, etc.
- Provide a detailed breakdown/assessment of hardware, software, and training requirements necessary to implement the proposed solution (Note: one solution may or may not involve fulfilling all the requirements, i.e. hardware, software, and training. Further, you are not required to propose the specific brand/model of any of the three breakdown elements. You are only required to outline what hardware, software, and training components are essential in implementing your proposed solution).
- In addition to the above, Sophie has categorically requested you to prepare a comprehensive data backup strategy for TGA which will enable the company to recover from future cyber intrusions in the shortest possible time. In doing so, you are to compare/contrast different data backup options available, possible sites for the data backup, and your recommended strategy that will benefit TGA in the future.
Note: As Sophie has little understanding and knowledge of the prominent threats that could target TGA, she needs to be convinced that your chosen security issues and the proposed/recommended solutions are most appropriate for TGA to run its operations in a secure manner.
See also the Required Report Structure section to ensure you include all required sections.
Suggested approaches to complete the Task:
- Communicate your report outcomes in a simple manner (novice end-users). Using complex descriptions or terminology will result in a loss of marks. Use acronyms correctly. You can make use of analogies if it enables you to communicate the identified issue in a simple way.
- Use adequate in-text references to support your ideas and discussion throughout your entire report. It is recommended that you use EndNote to manage your sources and for your referencing.
- Not all solutions need to be of a technical nature. Think outside the box about what needs to be rectified within this expanding organisation. There are some explicit weaknesses, and a few are implicitly mentioned in the given situation. You are allowed to make assumptions on these implicit weaknesses using a separate ‘Assumptions’ section in your report, but these must be logical.
- Be creative in how you choose to communicate your findings. The report does not have to be a large collection of paraphrased text. Diagrams can be a much more effective way of communicating an idea or a concept. Tables and charts are also an effective way to draw comparisons or contrast different ideas. However, make sure diagrams, tables and charts are referred to in your text, i.e. correctly referenced and/or labelled and referred/discussed in your text.
Required Report Structure:
| Component | Broad Description and Guidelines |
| Title Page | Unit code and title, assignment title, your name, student number, campus and tutor’s name |
| Table of Contents | This must accurately reflect the content of your report and should be generated automatically in Microsoft Word with page numbers. |
| Introduction | A good introduction provides an overview of the topic and its significance as well as the purpose and structure of the report. A few guidelines to consider for your introduction are: An outline of the purpose of the report.An overview of the given scenario with emphasis on the current security posture.What did you discover?An overview of the proposed solutions and how its implementation would benefit the company.What approach did you use to undertake your research (databases, security forums, etc.) into the subject matter?An outline of the structure – what are you covering within your report? |
| Assumptions | An optional component. Use this section only if you are making assumptions around the implicit issues in the given scenario. The assumptions should have a rationale and related to the scenario. |
| Main Content/ Use appropriate headings/sub- headings | This section should be divided into subsections for each of the six chosen/identified issues. Each component should clearly address the report requirements as described in the task outline. A suggested approach to address a single issue is as follows:Identify and justify the issue in terms of CIA triad and why it should be addressed immediately.Your proposed/devised solutions along with an explanation.Your recommended solution with its benefits over the alternative approach(es).Relate your recommended and proposed solutions with approaches available in the ‘Strategies to Mitigate Cyber Security Incidents’ document owned by the Australian Cyber Security Centre (ACSC) with appropriate justification.Assessment of the hardware, software, and training requirements to implement your proposed solution. Include a separate section for the comprehensive data backup strategy. Think of how you can address some of the above pointers using tables. You may use diagrams/graphs/pie-charts/etc. to reinforce your findings. |
| Summary | This section should briefly draw together the main points raised in the report and sum-up your understanding of the importance of cyber security for the industry. You should not introduce or discuss any new information. A suggested approach here is as follows: inform the reader about the threats and vulnerabilities of the existing arrangements in the organisation.consolidate the issues identified with your recommended solutions and essential requirements for their implementation.highlight the benefits that will be accrued once the proposed strategy is implemented. |
| References | All evidence and ideas from sources must be written in your own words and must be acknowledged using in-text references in the body of the report and end-text references (reference list) at the end of the report.Correct APA 7th edition style referencing conventions both for in-text and end-text references should be used.Aim for 15-20 references at the minimum that include books, scholarly journal articles, and conference papers, white papers, government and professional organisation reports. You may also use Internet sites (websites, news articles, blog posts, but they should be reputable.DO NOT USE WIKIPEDIA. |
Top Tips:
- Start early and plan ahead. You will be required to read the given situation multiple times and engage with and apply weekly concepts covered in class. This approach will ensure the correct identification of the company’s security issues and enable you to find appropriate solutions.
- Study the marking rubric, paying particular attention to the grade related descriptors as you will be evaluated against them. If in doubt, ask your lecturer or tutor or learning adviser before the submission.
- Use the structure provided with clear, concise headings. Ideas must flow logically.
- The style of writing should be appropriate for the purpose, audience and context. Use third-person objective voice to avoid the use of first-person (‘I’, ‘my’, ‘we’) and second-person (‘you’).
- Appropriate discipline-specific terminology and vocabulary must be used in the report.
- Sentence structure, spelling, punctuation and grammar should be correct for the report.
Deliverable: A single PDF or Microsoft Word Document uploaded through Turnitin. The ECU Assignment Cover Sheet must not be included with the PDF document.
Ensure that your work complies with ‘Academic Integrity Tick-Before-Submit Checklist’.
Common Observations in the Submissions from Previous Semester:
The following pointers are presented to make you aware of the common mistakes that students have made in the previous semesters. You should read and understand all of these common mistakes to avoid making them in your submissions. Note that some of the points may not be relevant to the task given to you for this semester:
- Repetition of mistakes from the first report assessment. Some students did not apply the feedback given as part of the first report assessment, resulting in repeating the same mistakes again.
- Introduction and Summary were not written according to guidelines.
- The comparison and contrast to alternative solutions lacked proper discussion. In some instances, two solutions were provided, but there was little discussion or justification of why one solution was better than the other.
- Some of the alternative solutions did not mitigate the issue/weakness being addressed.
- Insufficient discussion in relation to the CIA triad.
- In most cases, students who opted to use the ‘Assumptions’ section were making assumptions that were explicitly mentioned in the given scenario.
- Tables not labelled or given improper headings or not referred to within the discussion.
- Figures not adding value to the report, i.e. figures not explicitly referred to within the discussion, such as
‘As represented in Figure 1….’.
- Broken or inaccessible hyperlinks to references.
- Incorrect in-text and end-text formatting, according to APA 7th edition conventions. It was evident that students have not used EndNote or any other referencing software. While this was not a mandatory requirement, using a referencing software saves an ample amount of time and lets you focus on your core work.
- Some surprising submissions where unusual font sizes (16/18) or styles were used as a standard font. Make sure you use an easy-to-read font (such as Calibri or Times New Roman) at size 12.
- ‘Table of Contents’ was not auto-generated using MS Word. This was a requirement of the assessment brief. Manually typing this takes a significantly longer time and often results in pages not aligning as indicated in the table of contents with specific topics within a report.
Referencing, Plagiarism and Collusion:
The entirety of your assignment must be your own work (unless the ideas are taken from sources, in which case you must reference and paraphrase) and produced for the current instance of the unit. Any use of unreferenced content you did not create constitutes plagiarism and is deemed an act of academic misconduct. It is also important to understand that if you have attempted this unit before, you may not re-use your previous assessment work or related work from any other unit you have studied previously, as this is classified as self-plagiarism.
Remember that this is an individual assignment. Never give anyone any part of your assignment – even after the due date or after results have been released. Do not work together with other students on individual assignments – helping someone by explaining a concept or directing them to the relevant resources is fine, but doing the assignment for them or alongside them, or showing them your work is not appropriate. An unacceptable level of cooperation between students on an assignment is collusion and is deemed an act of academic misconduct. If you are uncertain about plagiarism, collusion or referencing, simply contact your Senior Learning Adviser at the following link and seek support. You should also review the information about academic integrity at the following link.
You may be asked to explain and demonstrate your understanding of the work you have submitted. Your submission should accurately reflect your understanding and ability to apply the unit content.
Academic Integrity Tick-Before-Submit Checklist:
You must ensure that your work complies with the below checklist before submitting your final attempt on Blackboard for marking.
Marking Key/Rubrics:
Please read, understand, and do your best to apply each of the criterion and the requirements to score a good grade. Criterion number 1 is of particular importance as scoring low here may negatively impact your scores in other criteria and create issues relating to breaches of Academic Integrity.
| Criterion | Fail (<50%) | Pass (>=50%) | Credit (>=60%) | Distinction (>=70%) | High Distinction (>=80%) |
| Originality and Student Voice (Academic Integrity) (4 marks) | No or little attempt to adequately integrate evidence from quality sources with integrity to support student argument or discussion. Inappropriate use of others’ work which is not acknowledged. Lack of or inadequate paraphrasing and in-text referencing constituting plagiarism. | An attempt has been made to use sources to integrate evidence with integrity to support student argument or discussion. Satisfactory use of others’ work and with some attempt to acknowledge sources, but more work needed on how to adequately and correctly paraphrase in-text references. | An attempt has been made to use credible/relevant sources to integrate evidence with integrity to support student argument or discussion. Good use of others’ work which is mostly acknowledged. Mostly good paraphrasing and in-text referencing skills, but some work still needed. | Consistent use of credible/relevant sources to integrate evidence with integrity to support well-developed student argument or discussion. Very good use of others’ work which is acknowledged. Good evidence of sound paraphrasing and in-text referencing skills. | Highly skilful use of quality, credible sources to integrate evidence to support highly developed critical argument or discussion. Excellent synthesis of others’ work which is adequately and correctly acknowledged. Highly developed paraphrasing and in-text referencing skills. |
| Identification of | Poor or no analysis of the threats and | Minimal analysis of the threats and | Effective analysis of the threats and | Highly effective analysis of the threats | Insightful analysis of the threats and |
| threats and | vulnerabilities that may compromise | vulnerabilities that may | vulnerabilities that may compromise | and vulnerabilities that may | vulnerabilities that may compromise |
| vulnerabilities. | assets. Poor or no justification as to why | compromise assets. Minimal | assets. Effective justification for why | compromise assets. Highly effective | assets. Insightful and persuasive |
| (8 marks) | the selected issue should be addressed | justification as to why the selected | the selected issue should be addressed | and persuasive justification for why | justification for why the selected |
| immediately. Each issue has not been | issue should be addressed | immediately. Effective explanation and | the selected issues should be | issue should be addressed | |
| sufficiently explained and justified for | immediately. Minimal explanation | justification of the issues with some | addressed immediately. Highly | immediately. Outstanding | |
| inclusion within the overall solution. | and justification of some of the | gaps and inconsistencies in the | effective explanation and justification | explanation and justification of the | |
| Poor or no justification for the identified | issues, but with significant gaps and | reasons why they should be addressed | of the issues, with almost no gaps and | issue, with no gaps, clearly | |
| issues under CIA triad. | inconsistencies in the reasons why | immediately. Satisfactory coverage of | inconsistencies in the reasons why | demonstrating its importance and the | |
| the issues should be addressed | potential impacts of identified issues | they should be addressed | reasons it should be addressed | ||
| immediately. Brief coverage of | under CIA triad. | immediately. Effective coverage of | immediately. Outstanding analysis of | ||
| potential impacts of identified | potential impacts of the identified | the potential impacts under CIA triad. | |||
| issues under CIA triad. | issues under CIA triad. | ||||
| Application of | Poor or no explanation and | Minimal explanation and | Effective explanation and | Highly effective explanation and | Outstandingly detailed explanation |
| contemporary cyber | demonstration of how you propose to | demonstration of how you propose | demonstration of how you propose to | demonstration of how you propose to | and demonstration of how you |
| security solutions and | address the issue. Absence of attempt | to address the issue. An attempt | address the issue, producing a solution | address the issue, producing a solution | propose to address the issue, |
| use of Strategies to | to explain and justify an appropriately | has been made to explain and | or strategy that is mostly complete, | or strategy that is complete, | producing a solution or strategy that |
| Mitigate Cyber | designed solution or strategy. The | justify the designed solution or | technically correct, and appropriate | technically correct, and appropriate for | is complete, technically correct, and |
| Security Incidents. | solution or strategy has not been | strategy but with significant gaps. | for the context of the scenario. An | the context of the scenario. The | appropriate for the context of the |
| (10 marks) | sufficiently compared between | Some comparisons and contrasts | effective attempt has been made to | solution or strategy has been clearly | scenario. An appropriately designed |
| alternatives. Strategies to Mitigate | between alternatives, but with | explain and justify the solution or | explained and justified for each issue, | solution or strategy has been clearly | |
| Cyber Security Incidents have not been | significant gaps and | strategy, but with some gaps in the | with very few gaps or inconsistencies | explained and justified for each issue. | |
| used. | inconsistencies. Strategies to | justification and explanation. Effective | in the explanation. Highly effective | Outstanding and insightful | |
| mitigate Cyber Security Incidents | comparisons and contrasts between | comparisons and contrasts between | comparisons and contrasts between | ||
| have barely been used for the | alternatives, but with some gaps and | alternatives, with few gaps or | alternatives. Strategies to mitigate | ||
| proposed and recommended | inconsistencies. Strategies to mitigate | inconsistencies. Strategies to mitigate | Cyber Security incidents have been | ||
| solutions. | Cyber Security Incidents have been | Cyber Security Incidents have been | used for the proposed and | ||
| used for the proposed and | used for the proposed and | recommended solutions and are the | |||
| recommended solutions in an effective | recommended solutions in a highly | result of Insightful analyses | |||
| manner. | effective manner. |
| Criterion | Fail (<50%) | Pass (>=50%) | Credit (>=60%) | Distinction (>=70%) | High Distinction (>=80%) |
| Assessment and documentation of hardware, software, and training requirements in addressing each issue. (4 marks) | Poor or no assessment, documentation, explanation and justification of hardware, software, and training requirements for implementing, maintaining and/or training associated staff for each solution or strategy. No attempt has been made to support the proposals with relevant information sources. | Effective assessment, documentation, explanation and justification of hardware, software, and training requirements for implementing, maintaining and/or training associated staff for each solution or strategy, but there are significant gaps and inconsistencies. A few of the proposals are supported with relevant information sources. | Effective assessment, documentation, explanation and justification of hardware, software, and training requirements for implementing, maintaining and/or training associated staff for each solution or strategy, but there are some gaps and inconsistencies. Some of the proposals are supported with relevant information sources. | Highly effective assessment, documentation, explanation and justification of hardware, software, and training requirements for implementing, maintaining and/or training associated staff for each solution or strategy. Most of the proposals are supported with relevant information sources. | Outstanding assessment, documentation, explanation and justification of hardware, software, and training requirements for implementing, maintaining and/or training associated staff for each solution or strategy. All proposals are supported with relevant information sources. |
| Report structure and written communication skills appropriate for novice end-user (4 marks) | Poor structure, presentation and communication. Report has been formatted poorly or not at all. Report uses technical/advanced ICT language unsuitable for a novice target audience. There are errors that often impede meaning. | Satisfactory structure, presentation and communication. Some of the components of the report requirements have been met with significant improvements or corrections to be made. The language used includes significant technical/ advanced ICT centric language unsuitable for a novice target audience. | Effective structure, presentation and communication. Most of the components of the report requirements have been met with some improvemen or corrections to be made. The languag used encompasses both technical and non-technical elements. Further work is required on communicating the intended message to the novice target audience. | Highly effective structure, presentation and communication. Nearly all of the components of the report requirements have been met with few improvements or corrections to be made. The report has been communicated using language suitable for the novice target audience. | Outstanding structure, presentation and communication. All the components of the report requirements have been met at a high-level with no further improvements or corrections to be made. The report has been communicated using language suitable for the novice target audience. |
| Data Backup Plan (6 marks) | Poor or no explanation on the data backup issue. No explanation or justification for an appropriately designed solution or strategy for the data backups or backup sites has been provided. | Sound explanation and demonstration on the data backup issue. A sound attempt has been made to explain and justify the data backup solution, but with significant gaps. Sound comparisons and contrasts between alternatives are provided, but with significant gaps and inconsistencies. | Effective explanation and demonstratio on the data backup issue. The solution o strategy is mostly complete, technically correct, and appropriate for the context of the scenario. An effective attempt ha been made to explain and justify the recommended data backup strategy, bu with some gaps. Effective comparison and contrast between alternatives are provided, but with some gaps and inconsistencies. | Highly effective explanation and demonstration on the data backup issue. The solution or strategy is complete, technically correct, and appropriate for the context of the scenario. The data backup solution or strategy has been clearly explained and justified, with very few gaps or inconsistencies. Highly effective comparisons and contrasts between alternatives are provided, with few gaps or inconsistencies. | Outstandingly detailed explanation and demonstration on the data backup issue. The solution or strategy is complete, technically correct, and appropriate for the context of the scenario. An appropriately designed data backup solution or strategy has been clearly explained and justified. Outstanding and insightful comparisons and contrasts between alternatives are provided. |
| Referencing (APA 7th) (4 marks) | In-text and end-text references are either not included or not formatted according to APA 7th style. | Few in-text and end-text references used to acknowledge ideas and topics taken from sources, and the format is not always according to APA 7th style. | In-text and end-text references used accurately and appropriately to acknowledge the ideas and topics taken from sources and formatted according t APA 7th style. | In-text and end-text references used accurately and appropriately to acknowledge most ideas and topics taken from sources and formatted according to APA 7th style. | In-text and end-text references accurately and appropriately used to acknowledge all ideas and topics taken from sources and formatted according to APA 7th style. |
Note: During marking, you may be given some general comments not related to the marking for improvement in future assignments/studies.
Get expert help for Computer Security Vulnerabilities and many more. 24X7 help, plag free solution. Order online now!
