Assignment title: Information
SCIT
School of Computing and Information Technology
ISIT437 / ISIT937
Information Technology Security and Risk Management
Autumn 2017
Individual Research Report
Due date:
Soft copy: Midnight, Sunday, March 26th, 2017
Mark: 10%
Length: 2000 – 2500 words
The topic for the individual research report should be selected from the list of research topics
listed at the end of this specification. You can also select a specific topic of your own interest;
however, the suitability of the topic has to be discussed with and to be approved by your tutor.
Please present your solution in a formal consulting report using the outline provided below.
Make full use of the knowledge and techniques acquired in this subject, as well as your prior
knowledge and skills.
The body of the text in your report must be no more than 2500 words. Quickly-prepared
reports, plagiarized reports, reports with excessive grammatical errors, and reports without all
of the required components will not be accepted. Incomplete reports will receive zero grades.
You must submit a hard copy of the report to your tutor at the Week 5 tutorial session. You also
need to submit one soft copy of the report to eLearning Space by the due date above.
Outline of the Report
1. Title/Cover Page
2. Table of Contents, including page numbers of all report sections, tables, and figures
3. Abstract
4. Introduction
5. Research methods and approach
6. Results
7. Discussions, including discussion about scope and limitations
8. Conclusions
9. References
Individual Research Report Assessment Criteria (10 marks)
1. Length of the report: 2000 - 2500 words [0.5]
2. Originality, i.e., your own interpretation, analysis and synthesis of other people’s
work [1.5]
3. The quality of references (the relevancy and credibility of the references) [0.5]
4. The results are evidence-based [1.5]
5. The reasoning is logically sound and of high clarity [1.5]
6. Consistency of referencing style [0.5]
7. The accuracy and comprehensiveness of the answers or solutions [1.5]
8. Clarity and structure of written work [1]
9. The language is accurate, concise and readable [1.5]
Notes on Report Presentation
1. Your work must be typed. Number your pages.
2. Always keep a copy of your work.
3. An analytical essay should be an evidence-based argument. It should present a case.
You should discuss a problem and not simply narrate events. It may be necessary to
devote some space to narrative or description, but the major task will be the weighing
and the assessing of evidence and arguing from that evidence to a solution of the
problem. Have a clear idea of what the problem is and what it involves. Remember
that there will seldom be a single clear-cut answer to it.
4. Read and take notes in your own words, taking care to acknowledge the source
exactly (full citation including page numbers or URL).
5. Sources vary in quality and not all works on a topic will be relevant or suited to your
purpose. Wherever possible, work out your own solutions and interpretations. Do not
accept without question the views and interpretations of any author. Part of your task
is to assess and criticise the work of other writers. Do not rely on a single source of
information or ideas; you should try to find a range of relevant writings. Where there
is some disagreement among the experts, discuss this fact.
6. Plan your essay carefully; spend time getting a logical organisation. When you are
taking notes from a book or an article, record the page numbers so that you can refer
to them exactly when you are writing your paper. Write it in clear, simple and
grammatical prose. Do not submit your first attempt; give yourself time to revise and
improve your paper.
7. As far as possible, you should use your own words. It is a good idea when you have
done your preliminary reading for the paper, to write your first draft without having
your source material in front of you. Then you can decide what material to draw on to
support your arguments and how to use it. Use quotations only to illustrate or back up
a point in your argument – for example, if your purpose is to discuss the style or
argument that author exemplifies. Do not use a quotation simply because you think
the author is better at phrasing a point than you are. Try to avoid long quotes; they are
seldom necessary.
8. Keep direct quotes to a minimum and only to make a point that cannot be made in
your own words. It is preferable not to conclude with a quote. It's your argument, why
use someone else's word? It is important to understand what is, and is not, acceptable
practice when using other people's material. You should avoid paraphrasing passages
closely. If you copy phrases or sentences word for word, you must make it clear that
they are quotes, by enclosing the words in quotation marks, or, if you are using a passage of several lines, by separating it out as a block quote, indented for clarity. If
you express an idea or argument that is neither your own nor an item of common
knowledge, you must also attribute this. In both cases, acknowledge the source in the
approved manner. The boundary between your words and ideas, and those borrowed
from another person, must always be clear to the reader, otherwise you will be
plagiarising.
Plagiarism can lead to a grade of zero for the essay.
9. Optional: On the first page of the text should appear an abstract of not more than 200
words in continuous prose (not note form) which outlines the arguments of the essay.
An abstract is not an introduction to the essay.
10. Do not use conversational style or colloquialisms. Use the third person as a general
rule. Check spelling and use the computerised "spell check" if it is available on the
word processing package you are using. Also use a thesaurus to help in choice of
words and to avoid too much repetition. An integral part of your essay structure is the
construction of proper sentences and writing good paragraphs. Good, logical
argument construction is essential in making clear your point of view. You must
provide evidence if you are to be convincing.
11. Use appropriate punctuation. Many common essay problems involve punctuation.
Refer to the punctuation section of this guide for correct usage.
12. If you use non-textual material (e.g. tables, figures), you MUST refer to these in
the assignment. The reader needs to understand why this material was built into the
piece of work.
13. References should be made in the form of either numbered footnotes on each page or
numbered notes at the end of the text. They should be numbered consecutively
through the entire essay; numbering of footnotes should not start again from 1 on each
page. References should appear in an accepted style (refer to earlier sections of this
booklet).
14. Provide a bibliography in alphabetical order by author.
SITACS Style Guide Page 41,
http://www.sitacs.uow.edu.au/info/current/styleguide.pdf
* The above notes were adapted from those used in the Department of Science and
Technology Studies, University of Wollongong.
Submission of the research report
The soft copy of the report is to be submitted to Moodle by the due date.
Marked assignments
Marked assignments will be handed out in tutorial sessions.
Referencing Style
The Harvard system of referencing is used.
Plagiarism
Plagiarism will not be tolerated and may result in the imposition of severe penalties. At the
least, you will receive a zero grade for the piece of work concerned. Plagiarism is the use of
another person’s work as if it is your own. The other person may be an author, a lecturer or
another student. The work may previously have been published in print form or on the Web.
The University of Wollongong’s policy on plagiarism is available on the University Online
Calendar.
http://www.uow.edu.au/handbook/courserules/plagiarism.html
To avoid plagiarism when using other people’s work, take care to reference appropriately. See the
Referencing guidelines in the School website
http://www.sitacs.uow.edu.au/info/current/styleguide.pdf
A List of Topics for Individual Research Report
The graduate attributes of the University of Wollongong include (a) informed; (b) independent
learners; (c) problem solvers; (d) effective communicators; (e) responsible; and (f) a flexible
approach for faculties.
This individual research report is designed for you to develop the above attributes. To
complete it successfully, it requires you to have a sound knowledge of the topic you choose.
It requires independent learning and critical thinking about the issues related to information
technology security and risk management. Although all relevant topics in the subject area are
welcome, reports that offer a strong empirical (evidence-based) focus will be preferred. What
must be discouraged are opinion pieces without evidence, data or evidence-based arguments.
The index of your topic for your individual report is the last digit of your student number. For
example, if your student number is 12345678 then the topic you should work on is Topic 8
(the last digit number in your student number). You can also select a specific topic of your
own interest; however, the suitability of the topic has to be discussed with and to be approved
by your tutor. You need to inform your tutor about your selection in the lab session in Week 3.
1. Offshore software development security
Increasingly, Australian organizations are outsourcing software development activities to
countries like India, Pakistan, China and other emerging economies to gain the benefits of
reduced costs and faster turnaround times. But these efforts come at a price. Please analyse:
a. What security issues does overseas development of software raise in commercial and
custom systems intended for use in Australia?
b. What privacy issues are raised?
c. How are these issues being addressed?
d. What trends can you determine on the future of offshore development?
e. What is the IT security industry doing to counter the threats from offshore development?
(Hint: Visit www.fdic.gov/regulations/examinations/offshore/ for more information.)
2. Hackers come in many colours
Open disclosure of software vulnerabilities is often associated with gray-hat hackers,
described as security researchers who aren’t particular about who learns of their findings.
Research the three types of hackers (white hat, gray hat and black hat) and try to determine
their typical positions on full disclosure of software problems prior to patches or new
versions of the software being made available in the marketplace. Use Google.com or your
favourite Internet search engine with a query of “Open Disclosure of Software Vulnerabilities”
to help you formulate your answers.
3. Information privacy and information security
Information privacy and information security are two sides of the same coin. You can’t have
privacy without security.
a. Using an Internet search engine, distinguish between those issues related to privacy versus
those related to security.
b. What overlapping issues do you find?
c. Why are U.S. lawmakers seemingly more concerned with privacy controls and protections
than requiring U.S. companies to maintain effective IT security programs?
d. What are some of the controls being mandated through legislation?
e. Do you believe these controls are (will be) effective?
4. Security testing for obvious vulnerabilities
a. Research the Internet for several common software vulnerabilities (for example: buffer overflow conditions, cross-site scripting).
b. Describe several ways that security testing can uncover the conditions.
c. Describe the limitations of security testing.
d. To what degree should testing be performed if the software is intended for commercial
uses?
e. To what degree should testing be performed if the software is intended for commercial,
governmental and military uses?
5. Compare off-site services
a. Using the Internet, identify two or more off-site companies providing third-party backup
services and compare their services and costs.
b. What kind of common services do they offer?
c. How do their costs compare?
d. Does one company offer services that another doesn’t?
e. How do you account for this difference?
6. Investigate the complexities of Intellectual Property Law
a. Research the topic of intellectual property as related to copyright law.
b. What are some of the difficulties in proving a copyright infringement case, such as that brought
by the RIAA against those who download free MP3 files?
c. What are some of the other recent and famous cases related to copyright, trademark, or trade
secret infringements?
d. Who should govern the Internet to prevent intellectual property law infringements?
e. Can anyone or any one country govern how the Internet is used (and abused)?
7. Smart card access controls
a. Research the Internet for information about using smart cards for access control.
b. Where are they being used most often?
c. What are some of the complications in implementing smart cards for network access?
d. Which access control model seems most appropriate for smart cards?
e. What changes to infrastructure would be necessary for an enterprise implementation of
smart cards for PC access control?
8. Research In-depth Intrusion Detection Systems
Intrusion detection systems look for attacks originating from outside and inside the network.
a. Visit the distributed intrusion detection system called DShield at www.dshield.org/.
b. Which types of attacks are more prevalent at the time of your visit to the site?
c. Where is the origin of most of the attacks?
d. What is the status of the Internet Storm Center at the time of your visit?
e. What is the FightBack program all about?
9. Privacy on the Internet
a. What is privacy in the information technology context?
b. What are some of the conflicting interests between a business and the individual related to
privacy matters?
c. What privacy concerns do you have as a buyer on eBay or Amazon.com?
d. What privacy concerns do you have as a seller on eBay or Amazon.com?
e. What privacy concerns do you have as a member of social networks such as Facebook or
LinkedIn?
f. What other privacy concerns does the general public have related to the Internet and the Web?
10. Ethics and information security
a. What is due care? Why should an organization make sure to exercise due care in its usual
course of operation?
b. How does due diligence differ from due care? Why are both important?
c. What is a policy? How does it differ from a law?
d. What are the three general categories of unethical and illegal behavior?
e. What is the best method for preventing an illegal or unethical activity?