Assignment title: Information


ISYS5005 Assignment 2 – S2 2016
VERSION CONTROL: ISYS5005 Assignment 1 v1.0 Updated 09/08/2016

Assignment 2 Due Date: Mon 17 Oct 2016 (As per Unit Guide)

Assignment 2 consists of a written report of your research and analysis of a security vulnerability of your own choice. This is worth 35% of your unit grade. All assignments will be submitted via the Blackboard system and will be scanned by the University plagiarism detection software TurnItIn. The following information explains the assessment requirements and provides the guide to how the assignment will be graded. You are to attempt this assignment in pairs.

Tasks

In addition to your regular security duties, one of the roles of an InfoSec specialist is to provide training and education to the rest of a team. To develop skills in this area, you will choose a security vulnerability, document it and provide a report to educate others about the significance of this issue. The main activities that you will undertake are as follows:

1. Research and discover a security vulnerability that has significant impact and is reasonably widespread. Things that are of low impact or very rare are not of interest here, as we want to highlight something that is an important issue. Details about things like impact are commonly included in bug reports and CVE lists, so this is a good starting point.

For example, you may choose a software vulnerability. The CVE resource we discussed in class at the start of semester will give you lists of recent vulnerabilities; for example, https://www.exploit-db.com/ or http://www.cvedetails.com would have details of recent software vulnerabilities. You are advised not to choose anything too specific, as this will limit the amount of material you will be able to find for discussion later.

On the other hand, you may be more interested in a system that you already know and understand. For example, a ticketing system, or a website that is reasonably widely used.

Or you may even consider non-software vulnerabilities, researching physical security and performing a site review. For this you could perform a survey of the access management system at your school, place of work, or other business location. (NOTE: In order to avoid drawing suspicion, you should ask for permission before performing this survey. You should not enter any restricted areas unless you are escorted or have explicit permission.) Observe building entrances and interior doors and note any key card readers or other controls that may be present. Note any areas that appear to be lacking access controls and document the kind of access controls in use.

2. Explain and document the source of this vulnerability and its causes in your own words (roughly 2 pages). A copy of a CVE report is not acceptable.

3. Identify a system or systems where this issue exists "in the wild". That is, you must find a vulnerable system that you can document.

4. Identify suitable controls or mitigations that you may employ to prevent the issue.

The above are the basic requirements. Once these are complete, you may consider working on the advanced requirement to provide a demonstration of the vulnerability that you have documented.

To submit:

Submit a SINGLE document with numbered sections reflecting the work for the points shown below. As a rough guide for word counts, around 1500 words for Section 1, 500 for Section 2 and around 1000 words for Section 3. You should not exceed these word counts by more than 10%.

Mandatory Requirements

1. Explanation and documentation of vulnerability
2. Existence of the vulnerability in production systems. Discuss how widespread it is, and any condition required for exploit
3. Mitigation and prevention strategies for the exploit (this should be more than simply "patch the software").
You should refer to your explanation of the vulnerability to explain how and why the mitigations are suitable.

Advanced requirement

4. Demonstration of the exploit in action. If this is a software vulnerability, you may demonstrate it in class or prepare a screen capture of the software in action. If it is a physical or other vulnerability that cannot be demonstrated in person, then prepare a brief presentation, or photographs or screen captures to submit along with the main report.

To ensure that suitable topics are chosen, you must discuss your plans with your tutor BEFORE you may proceed with the assignment. It is expected that you will also obtain feedback while you are still working on the assignment so that we may guide you.

General mark allocation:

All sections must be professionally presented, written in your own words and properly reference any sources that were used. Areas of spelling, grammar and presentation are incorporated into all components and are thus not shown as separate items in the table. The breakdown below is indicative of the content that is expected and is a guide rather than a comprehensive list of requirements. For further information you may demonstrate your work to your tutor in class to obtain ongoing feedback.

Marks will also be deducted where correct referencing is not used. Plagiarism (presenting other people's work and ideas as your own) will result in a zero mark. You MUST cite all material that is not your own work.

Mandatory Requirements

Explanation and documentation of vulnerability: 35 marks
- Sensible choice in terms of impact/severity
- Documentation in own words
- Shows understanding of root causes

Existence in production systems: 15 marks
- Evidence that vulnerability exists in real systems
- Documentation/statistics
- Adequate methodology for proof

Mitigation: 30 marks
- Suitable controls
- Identify fixes for root cause

Advanced Requirement

Demonstration: 20 marks
- Screen capture/Presentation/Software demo as appropriate
- Evidence of understanding