Assignment title: Information


ITSC311 – Assignment specification | V1.0 Page 1 of 13

Assignment specification

Qualification: Faculty of Information Technology, Bachelor of Science in Information Technology
Module code: ITSC311
Module name: Social Practices and Security
Semester: 1/2017
Year: 2017
Module lead: Joseph William
Internal moderator: Alice Zifunzi
Copy-editor: Chantal Joseph
Educational advisor: N/A
Assignment title: Assignment
Total mark allocation: 160
Issue date: 6 February 2017
Submission date: 03 – 07 April 2017

Instructions to the student

- Remember to keep a copy of all submitted assignments.
- All work must be typed.
- Please note that you will be evaluated on your writing skills in all your assignments.
- All work must be submitted through Turnitin [1] and the full Originality Report must be submitted with the final assignment.
- Negative marking will be applied if you are found guilty of plagiarism, poor writing skills or if you have applied incorrect or insufficient referencing. (See the table at the end of this document, where the application of negative marking is explained.)
- Each assignment must include a cover page, table of contents and full bibliography, based on the Harvard Referencing Style as applied at CTI Education Group.
- Use the cover sheet template [2] for the assignment. This is available from your lecturer.
- Students are not allowed to offer their work for sale or to purchase the work of other students. This includes the use of professional assignment writers and websites, such as Essay Box. If this should happen, CTI Education Group reserves the right not to accept future submissions from a student.

Assignment format

Students must follow the generic requirements when writing and submitting assignments as follows:

- Use standard Arial, font size 10.
- Include page numbers.
- Include a title page.
- Print submissions on both sides of the page.
- Write no more than the maximum word limit.
- Ensure any diagrams, screen shots and PowerPoint presentations fit correctly on the page and are referenced.
- Include a table of contents.
- Use accurate Harvard referencing throughout the assignment.
- Include a bibliography based on the Harvard Referencing System at the end of the assignment.
- Include the completed Assignment Front Cover Sheet and Statement and Confirmation of Own Work (available on myLMS).
- Check spelling, grammar and punctuation.
- Run the assignment through Turnitin software.
- Students must keep copies of all submitted work.

[1] Refer to the CTI Plagiarism Policy, which is available from your lecturer.
[2] Available on myLMS.

Essential embedded knowledge and skills required of students

- Report-writing skills
- Ability to analyse scenarios/case studies
- Understanding of subject field concepts and definitions
- Ability to apply theoretical knowledge to propose solutions to real-world problems
- Referencing skills (Harvard Referencing Method)

Resource requirements

- A device with Internet access for research
- A desktop or PC for typing assignments
- Access to a library or resource centre
- Prescribed reading resources

Delivery requirements (evidence to be presented by students)

- A typed assignment [3]
- A Turnitin Originality Report

Minimum reference requirements

(At least five references for first year, ten references for second year and fifteen references for third year.)

Additional reading is required to complete this assignment successfully. You need to include the following additional information sources:

- Printed textbooks/e-books
- Printed/online journal articles
- Periodical articles (e.g. business magazine articles)
- Information or articles from relevant websites
- Other information sources, e.g. geographic information (maps), census reports, interviews, etc.
Note

- It is crucial that students reference all consulted information sources, by means of in-text referencing and a bibliography, according to the Harvard referencing style.
- Negative marking will be applied if a student commits plagiarism (i.e. using information from information sources without acknowledgement and reference to the original source).
- In such cases, negative marking, also known as ‘penalty scoring’, refers to the practice of subtracting marks for insufficient/incorrect referencing.
- Consult the table at the end of this document, which outlines how negative marking will be applied as well as the way in which it will affect your assignment mark.

[3] Refer to the CTI Conditions of Enrolment for more guidance (available on myLMS).

Useful websites

12manage: a knowledge network about management [Online]
Available at: http://www.12manage.com/
A database that includes articles as well as dictionary and encyclopaedia entries relevant to the management sciences.

Academic Journals [Online]
Available at: http://www.academicjournals.org/all_articles
Academic Journals is a broad-based publisher of peer-reviewed open-access journals.

Bookboon [Online]
Available at: http://bookboon.com/
An online book publishing company that provides students with free access to e-books in a wide variety of subject fields, including Marketing and Human Resources Management.

Business Open Learning Archive (BOLA) [Online]
Available at: http://business.highbeam.com/137662/article-1G1-54905587/bola-business-open-learning-archive
A database, created by Brunel University (Business Division), containing newspaper, magazine and journal articles related to business studies.
Emerald Journals [Online]
Available at: http://www.emeraldgrouppublishing.com/products/journals/index.htm
An online database of journal and e-journal articles, published by Emerald Group Publishing, on a wide variety of subjects related to the management sciences, including Marketing, Human Resources Management, Accounting, Finance, Economics, Business Management and Business Strategy.

EBSCOhost [Online]
Available at: https://www.ebscohost.com/
A research database containing online information resources, including 375 full-text and secondary databases.

The Free Management Library: Online Integrated Library for Personal, Professional and Organizational Development [Online]
Available at: http://managementhelp.org/
An online library containing information on topics related to business, management and organisational development; each topic has additional recommended books in the library.

Google Books [Online]
Available at: https://books.google.co.za/
A Google service that searches the full text of books and magazines that Google has converted into digital format and stored in its database.

Google Scholar [Online]
Available at: http://scholar.google.co.za/
A search engine that indexes the full text of scholarly (scientific) literature pertaining to a variety of disciplines and in different formats, including online journals and scholarly textbooks.

JURN [Online]
Available at: http://www.jurn.org/#gsc.tab=0&gsc.q=commerce&gsc.sort=
JURN is a unique search engine primarily dedicated to indexing free and ‘open-access’ e-journals in the arts and humanities. It is a ‘full text finder’ that harnesses the power of Google to search across quality open-access content.

NetMBA: a business knowledge centre [Online]
Available at: http://www.netmba.com/
Articles in the subject fields related to Business Administration, including both elementary and advanced topics as well as frameworks and theories involved in solving challenging problems.

Oxford University Press Journals [Online]
Available at: http://www.oxfordjournals.org/en/
Oxford University Press (OUP) publishes journals and delivers this research to the widest possible audience.

ProvenModels [Online]
Available at: http://www.provenmodels.com/page/about
A web-based library of management models aimed at graduates, executives and management consultants.

A word of caution

Information available on the World Wide Web (WWW) is not necessarily reliable or of a high academic standard. Therefore, it is essential that you verify online information by comparing it to information in reliable information sources, such as accredited (academic) journals and relevant textbooks written by subject experts.

Assessment criteria assessed

The following criteria are assessed in this assignment:

LO2 Summarise principles of security
  2.1 Describe the categories of threats (Question no. 2.1.a)
  2.2 Describe the sources of attacks (Question no. 2.1.b)

LO3 Evaluate legal and ethical issues
  3.1 Describe the law and ethics (Question no. 2.2.a)
  3.2 Identify laws relevant to information security (Question no. 2.2.b)
  3.3 Identify ethical concepts in IT (Question no. 2.2.c)

LO4 Apply, describe, discuss and explain the three steps involved in risk management
  4.1 Describe risk management (Question no. 1.1.a)
  4.2 Describe risk identification (Question no. N/A)
  4.3 Describe risk control (Question no. N/A)

LO5 Apply the three steps involved in risk management to a case study
  5.1 Identify resources and their vulnerabilities (Question no. 1.1.a)
  5.2 Apply risk control strategies to mitigate risks (Question no. 1.1.a)

LO6 Design a blueprint for a case study, and include continuity in the design
  6.1 Identify the considerations to be taken into account when creating a security blueprint (Question no. 2.1.c, 2.1.d)
  6.2 Identify the components of a blueprint (Question no. 1.1.b)
  6.3 Describe business continuity strategies (Question no. N/A)
  6.4 Explain different ways of recovering from a disaster (Question no. N/A)
  6.5 Explain the use of digital forensics in identifying how attacks on assets occur (Question no. N/A)

LO7 Critique security technology that is available on the market
  7.3 Describe the functions of firewalls (Question no. 2.1.b)

LO8 Assess new technologies
  8.3 Explain the functions of Intrusion Detection and Prevention Systems (IDPSs) (Question no. 2.1.b)

LO9 Evaluate cryptography and justify the use for it today
  9.1 Explain how cryptography is used in access control (Question no. 3.1.a)
  9.2 Describe asymmetric, symmetric and hybrid cryptographic methods (Question no. 3.1.b, 3.1.c)
  9.3 Apply cryptographic methods to secure information (Question no. 3.1.d)

Question 1 (50 marks)

Scenario

Study the scenario and complete the questions that follow:

Mobile devices in the workplace cause more security breaches, say firms

The 750 IT and security professionals surveyed by Dimensional Research on behalf of Check Point cited significant security concerns about the loss of sensitive information stored on employee mobile devices, including corporate email (79%), customer data (47%) and network login credentials (38%).

The use of personal mobile devices, such as smartphones and tablets, is proliferating in the workplace. While businesses are steadily accepting this trend, IT administrators struggle with securing the abundance of devices and operating systems, while also protecting their organization against data loss and the rise in mobile threats, Check Point observed.

A full 94% of respondents said their firm has seen a marked increase in the number of personal mobile devices connecting to the corporate network, with 78% of respondents seeing the number of devices more than double in the last two years.
Apple (30%) and BlackBerry (29%) were the most common types of mobile devices connecting to corporate networks, followed by Android (21%). Nearly half of respondents believe that Android devices pose a larger security risk to the mobile enterprise than other devices.

Personal and corporate-owned mobile devices store and access a variety of sensitive information, including email (79%), customer data (47%) and login credentials (38%) for internal databases or business applications.

A full 62% of respondents believe the lack of security awareness among employees is the greatest factor impacting mobile data – followed by mobile web browsing (61%), insecure Wi-Fi connectivity (59%), lost or stolen devices (58%), and malicious mobile application downloads (57%). Surprisingly, a full 72% of survey participants said that careless employees pose a greater security risk to the organization than hackers (28%).

“Employee awareness is going to be key for IT professionals moving forward”, said Scott Emo, head of endpoint product marketing at Check Point. “This might mean not just the one security class that employees take when they come into the corporation, but it means ongoing training for employees to increase awareness that these mobile devices have confidential corporate information on them”, Emo told Infosecurity.

Emo recommended that companies put in place policies to ensure that the mobile device has a password securing it, that sensitive content is encrypted, that there is a capability to wipe the device if it is lost or stolen, and that security patches are kept up to date on the devices.

“The consumerization of IT is here to stay. It is a problem that IT professionals have to deal with. It is not going away; it is only increasing. It appears that education is going to be a key over the next few years in minimizing the risk that corporations have from this new way of getting corporate data”, he concluded.

Source: http://www.infosecurity-magazine.com/news/mobile-devices-in-the-workplace-cause-more/

1.1 As a newly appointed IT Security analyst, you have been called upon to analyse the scenario.

a. Perform a risk assessment for the usage of mobile devices in the workplace by constructing a table detailing the vulnerabilities, associated threats and risks that need to be understood when dealing with mobile devices in the workplace. (25 marks)

b. Suppose you work for an organisation called Code Developers. Develop an Issue-Specific Security Policy (ISSP) for the use of mobile devices in the organisation. Include the following headings (topics):
   i. Statement of policy (5 marks)
   ii. Applicability (4 marks)
   iii. Responsibilities (4 marks)
   iv. Policy and usage of equipment (4 marks)
   v. Access control (8 marks)

Question 2 (80 marks)

Scenario

Study the scenario and complete the questions that follow:

The speed of technological change is leaving gaping holes in highly sensitive company IT infrastructure. These vulnerabilities are being targeted by cybercriminals at an increasing rate as South Africa is starting to feel the heat from attackers across the globe. It was revealed at the 2015 Security Summit, in Johannesburg, that South Africa is the most attacked country on the African continent over the past six weeks.

Vernon Fryer, Chief Technology Security Officer at Vodacom, presented alarming statistics from the Vodacom Cyber Intelligence Centre revealing a 150% increase in the number of DDoS attacks in the last 18 months in Africa. These attacks occur where multiple compromised systems, usually infected with a Trojan, are used to target a single system, causing valuable downtime to assets like websites.

Symantec’s Antonio Forzieri says that one in 214 emails sent in South Africa last year was a spear phishing attack. Don’t let the exotic naming fool you.
These attacks can cause serious personal distress and financial loss, and are achieved by the simple click of a malicious link in an email. Interestingly, the effectiveness of a spear phishing attack rises from three to 70% when private personal info is included. “Most times this information is accessed easily online or hacked through open source websites,” says Ignus Swart from the Council for Scientific and Industrial Research.

It is very unfortunate that businesses in South Africa won't take a new local data privacy law seriously until there’s a high-profile hacking breach in the country. This is according to Nader Henein, who is the Regional Director for Product Security at BlackBerry in the Middle East and Africa.

This law restricts how companies handle personal data to safeguard individuals from security breaches. The law is intended to close the gap between South Africa and the likes of Europe with regard to data privacy laws. However, Fin24 has previously reported on how adoption of the law is sluggish among local companies. According to research from Trustwave, 51% of South African companies have not made a significant effort to comply with the legislation.

And BlackBerry’s Henein, who is in Johannesburg for this week’s IDC CIO Summit, told Fin24 that full adoption of the new law could only be spurred on by public hack attacks. He said that the likes of big banks in the country are currently adopting the law but other businesses still have a way to go.

“Breaches are not yet very public,” Henein told Fin24. “It's not going to really grab hold with a lot of companies until you start seeing companies getting fined. And then it starts ringing true with members of the board and the C-level,” he said.

South Africa is still in the process of appointing a regulator to look over the implementation of this new law. But once a regulator is established, companies that experience cyber breaches could face heavy fines. Custodians of breached data could face a R10m fine or a 10-year jail term.

Just five data breaches were registered in South Africa in 2015 but this figure may not show the whole picture, says digital security services company Gemalto. The company has released its Breach Level Index, which shows that, globally, 3.6 billion data records have been exposed since 2013. These data breaches are focused on gaining access to personal information that can be sold illicitly for financial gain, said the company.

“Because breaches can have high impact on brand reputation, many companies are still tempted not to disclose these as they are not legally required to,” said Cosser. “Based on the above, the need for greater regulation in South Africa has never been clearer – as per trends being seen in the rest of the world,” Cosser added.

Companies in SA that do get hacked risk being unaware of it. Just 38% of South African companies have organisational measures in place to prevent unauthorised data loss, according to information security company Trustwave.

Source: http://www.fin24.com/Tech/Multimedia/Data-security-yet-to-grab-hold-in-SA-20150324

2.1 According to the article, Africa has seen a 150% increase in the number of DDoS attacks in the last 18 months, and South Africa is the most attacked country on the African continent.

a. What is a Distributed Denial of Service (DDoS) attack? In your answer, also explain how it is conducted and how it differs from a Denial of Service (DoS) attack. (9 marks)

b. How can you prevent or stop a DDoS attack? Highlight the steps that should be followed in such an event. (15 marks)

c. You have been hired as a security specialist by an organisation that has fallen prey to a recent cyber-attack.
When analysing the organisation’s systems, you realise that the company does not have a defence strategy in place to prevent unauthorised access to its systems. Describe and analyse two commonly used security strategies. In your answer, also explain the practical implementation of each strategy. (25 marks)

d. In what ways are these strategies similar to and different from one another? What is their relationship? (6 marks)

2.2 South Africa has implemented a number of data protection laws to protect users from unlawful use of their personal information.

a. What is the name of the law being referred to in the above article? (2 marks)

b. Describe, in detail, what this law entails. In your answer, also highlight when it was passed into law, what its objective is and why it is important that all organisations adopt the law. (15 marks)

c. Evaluate eight principles that are embodied in this law which security personnel should know. (8 marks)

Question 3 (30 marks)

Scenario

Study the scenario and complete the questions that follow:

James and Ruth want to transmit sensitive business data over the Internet. They are concerned that, in the event of an intrusion by hackers into the system, an outsider may have access to the company’s confidential information. This would be detrimental to the success of the business.

James recently learnt that it is possible to encrypt data with a single key; he would need to send the single key to Ruth as well, so that she can decrypt the message. He asks one of the security personnel for advice and is advised to use encryption to hide this information so that if a hacker intercepts this information, he/she will not be able to read its contents. James is also advised to use two different keys – one to encrypt the information and the other for Ruth to access the information. Ruth will have to do the same when she wants to reply to James’s message.

The above example highlights at least one obvious concern James must have about the public key he used to encrypt the message, that is, he cannot know with certainty that the key he used for encryption actually belonged to Ruth. It is possible that another party monitoring the communication channel between James and Ruth substituted a different key.

Source: William, J., 2016

3.1 Trust is very important when you buy anything online. Due diligence must be taken to establish whether the person or organisation you are doing business with is really who they say they are. Public key infrastructure was implemented to protect the transmission and reception of information.

a. What is the name of the encryption method that James and Ruth are using? (2 marks)

b. Ruth is still concerned that the communication between her and James is not secure. She feels that there is still a chance that someone could be intercepting/monitoring their communication. She would prefer a method that allows her to be completely sure that the message she receives is truly from James. Suggest a solution to Ruth. (2 marks)

c. Explain to Ruth, in detail, how this implementation (specified in ‘b’ above) really works and how it assures her that the message has not been tampered with. (7 marks)

d. Briefly describe each of the components of the solution you specified above. (10 marks)

e. James has sent the following message to Ruth: “QUICKLY SELL YOUR VODAFONE SHARES.” What will the encrypted message be if James had used the following?
   i. Caesar Cipher with a left key of 5 (3 marks)
   ii. Transposition Cipher with keyword JAVA and a key of 3421 (6 marks)

You have now reached the end of this assignment.
Please ensure that you have answered all the required questions before submitting your assignment to your lecturer, and ensure that you have adhered to all the instructions within this assignment.

Negative marking

Third-year students

- A minimum of 15 additional information sources must be consulted and correctly cited.
- If no additional information sources have been used, a full 15% must be deducted.
- Deduct 1% per missing resource of the required 15. For example:
  - If only five resources are cited, deduct 10%
  - If only three resources are cited, deduct 12%
- Markers must interpret the Turnitin Report to determine the actual Overall Similarity Index percentage.
- Markers are to apply the penalties for Category A for insufficient sources and incorrect referencing style.
- Markers are to apply the penalties/actions for Category B for plagiarism.

Category A: Minimum reference requirements

Requirement: No additional information sources have been used or referenced.
Deduction of final mark: 15%

Category B: Interpretation of Turnitin report

Students may not have more than a 15% Overall Similarity Index on Turnitin, after analysis of the report.

Interpretation of Turnitin Originality Report. Lecturer to capture the following:
1. Original Overall Similarity Index (percentage) of Turnitin report
2. Overall Similarity Index (percentage) after lecturer analysis of Turnitin report (to determine legitimate plagiarism)

Penalties and actions:
a. Less than 15% of the body of assessment (based on Point 2 above): No action. Mark according to memorandum.
b. More than 15% of the body of assessment and first offence (based on Point 2 above): Award 0% for the assignment.
c. If more than 70% of the body of assessment: Award 0% and conduct a disciplinary hearing.