Communicate a range of threats and vulnerabilities

Reference no: EM133676426

Cybersecurity

Assessment - Case Study Report and Presentation: Identification of the Issues Report

Learning Outcome 1: Investigate and analyse the tenets of cybersecurity

Learning Outcome 2: Identify and communicate a range of threats and vulnerabilities to informational assets

Learning Outcome 3: Recommend and justify robust solutions to identified threats and vulnerabilities to cybersecurity

Learning Outcome 4: Develop own professional practice and ethical standards around security issues and implementation of solutions

Assessment Task

Context

Worthy college (from Assessment 1) has now asked you to investigate their business for cybersecurity flaws.
They are prepared to allow you to view any documents you require, and to analyse any software they employ. You also have access to their servers. You can interview any stakeholders including management, staff, students and other third parties. You can also observe any process in the business you please, if you are not too obtrusive. Worthy College is even prepared to allow pentesting if you need it (beware of doing pentesting without legal agreements and make the business aware of the ethical issues associated with pentesting).
This assessment will be a report on your cyber threat discovery. Again, the assessment will notionally be a business report to Worthy College, but it will require academic rigour. The report will be an outline of the cyber threats you "discover". You can write the report as if your investigation uncovered any threats and vulnerabilities you discuss, including threats inherent in the preliminary description below:
The learning software including the database was implemented many years ago by university graduates. The website was built in PHP and the database queries were written using concatenations of strings, e.g.
string sql = "SELECT * FROM Users where UserID =" + userID;
You find that the network topology is very "flat". Critical services, e.g. email/web/database servers, belong to the same subnet as all other functional departments. Almost all online contact at the physical campus, for staff, students and visitors alike, is over Wi-Fi on their privately owned devices. Visitors can find the SSID and password on the manager's office wall and there is no physical access restriction to the office. Students have complained that wireless access is very slow.
All passwords, for staff and students alike, are transmitted and stored in their databases as plain text. For staff, authentication relies solely and completely on passwords. No company policy requires staff to periodically change their password or stipulates any rules about password length or complexity. The college encourages staff to work from home. They join the company's internal network with a VPN software application.
The management has not invested much in cybersecurity. No firewall or intrusion detection/prevention system is in place, and the operating systems they use on both the servers and the computers for staff have not been upgraded for many years. IT management consists of just two staff, Kramer and George. Therefore, there is no dedicated team to monitor network traffic or perform periodic maintenance on IT systems.
Worthy College does not implement any access control. Staff may install any software on their computer at work. All files, sensitive or otherwise, are hosted on an FTP server and can be accessed by all staff through an FTP application of their choice. There is currently no effort to develop the staff's awareness of cybersecurity and there are no training sessions to educate staff on cybersecurity.
In initial discussions, Elaine says Worthy College is willing to pay up to $1,300,000 for extra security. The CFO, Jerry Seinfield, was not happy with this budget and seems to think $700,000 is a more realistic figure.

Instructions

Assessment 2 consists of three parts. All three parts are based on the same case study and are a group assessment.

For Assessment 2, form groups of 2 to 3 members. Please read the attached Assessment 2 Group Work Guide document for information on group formation, registration and administration.

You, as a group, are required to submit a 1500-word report to the managers, who do not have a technical background.
Note that you have only 1500 words, and the report for Part A must address only security issues, so DO NOT write any solutions.
Your report must be related to the case study and is not a general discussion on cybersecurity. Statements that are not relevant to the business report will not attract marks.
Structure of the group report:
Title Page: Subject code, subject name, assessment number, report title, word count (actual), student name, student ID, Torrens's email address, learning facilitator's name, and enrolled program (e.g., Bachelor of Business Information Systems). The title page has no page number.
The Table of Contents: It should list the report topics using decimal notation. It needs to include the main headings and subheadings with corresponding page numbers, using a format that makes the hierarchy of topics clear. Create the Table of Contents using Microsoft Word's Table of Contents auto-generator rather than manually typing it out. The table of contents starts on a new page.
Executive Summary (approx. 100 words): This should be a short summary of what was done in the report but written as if to the CEO or board members. It is best written after the rest of the report and should be in the past tense. Often upper management only read the executive summary and so it must be a short overview of what was found and presented in the rest of the report. Long-winded, vague discussions about the importance of cybersecurity in today's world etc. will NOT be accepted.
Body of the report (approx. 1300 words): This is an outline of the structure of the report, but do NOT use generic words such as 'Body of the report' as section headings. Create meaningful headings and subheadings that reflect the topic and content of your report. The body of your report must address the following tasks:
Identify and discuss at least six (6) vulnerabilities that exist in the company's IT infrastructure and operation. For each vulnerability, you will:
Discuss potential threats
Discuss an associated possible attack
Discuss the consequence for the business
Create a Table of Threats and clearly summarise the basic points of identified threats, vulnerabilities, and attacks.
Identify the informational assets that need to be protected and build a business case for management to justify investment in cybersecurity.

Conclusion (approx. 100 words): It briefly states the purpose of the report and the key issues investigated. It is crucial to state major findings based on your research and analysis. Only major findings are needed, and they only need to be covered briefly in the conclusion.
Reference list
All referenced material must be properly cited and referenced, including academic sources, books, magazine sources, web sources, images and any other material that is not your work.
It is expected that students perform additional research and provide a minimum of five additional references in the field of cybersecurity.
At least two of the references MUST be of academic quality (peer-reviewed journal or conference articles).

Case Study Report and Presentation: Recommendation of Solutions Report

Instructions

Review your Assessment 2 Part A submission, especially the vulnerabilities identified.
You, as a group, are required to submit a 2500-word report to the managers, who do not have a technical background.
Your report must be related to the case study and is NOT a general discussion on cybersecurity. Statements that are not relevant to the business report will not attract marks. It is a report to the business following Part A.
Ensure that the recommendations made in the report are specific, actionable, and based on the case study.
Note that Assessment 2 Part B is not a general discussion on cybersecurity. It is a report to the business following Part A.
Structure of the group report:

Title Page: Subject code, subject name, assessment number, report title, word count (actual), student name, student ID, Torrens's email address, learning facilitator's name, and enrolled program (e.g., Bachelor of Business Information Systems). The title page has no page number.

The Table of Contents: It should list the report topics using decimal notation. It needs to include the main headings and subheadings with corresponding page numbers, using a format that makes the hierarchy of topics clear. Create the Table of Contents using Microsoft Word's Table of Contents auto-generator rather than manually typing it out. The table of contents starts on a new page.

Executive Summary (approx. 100 words): This should be a short summary of what was done in the report but written as if to the CEO or board members. It is best written after the rest of the report and should be in the past tense. Often upper management only read the executive summary and so it must be a short overview of what was found and presented in the rest of the report. Long-winded, vague discussions about the importance of cybersecurity in today's world etc. will NOT be accepted.

Body of the report (approx. 2300 words): This is an outline of the structure of the report, but do NOT use generic words such as 'Body of the report' as section headings. Create meaningful headings and subheadings that reflect the topic and content of your report. The body of your report must address the following tasks:

Identify two more vulnerabilities that you "discovered later". Don't go into deep details about these two vulnerabilities.

Update the Table of Threats from Assessment 2 Part A with two extra vulnerabilities (Note: Now the Table of Threats includes eight vulnerabilities in total).

Propose and discuss specific cybersecurity controls (i.e., solutions) to address all eight vulnerabilities identified in the Table of Threats. The cybersecurity controls should focus on the following two areas:

Technical solutions in mitigating against recognised threats and enhancing security

The human factor and a robust company-wide policy framework
Create a Table of Solutions and clearly summarise the cybersecurity control suggestions for all identified vulnerabilities. The resulting table should be short and easy to read as a presentation to management. Make sure to include all eight threats and vulnerabilities in the table with useful headings, including the cybersecurity control techniques. This table will be presented to the business as a recommended future plan.

Conclusion (approx. 100 words): It briefly states the purpose of the report and the key issues investigated. It is crucial to state major findings based on your research and analysis. Only major findings are needed, and they only need to be covered briefly in the conclusion.


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd