Assessment Details and Submission Guidelines
Unit Code: MN604
Unit Title: IT Security Management
Assessment Type: Individual written report – T1 2017 (Assignment 2)
Purpose of the assessment (with ULO Mapping): Allow students to identify, detect, and analyse the vulnerabilities of computer-related devices, systems, and applications. Students also propose the best and most suitable solutions for rectifying existing and future information security problems.
Weight: 15% of the total assessments
Report Word Limit: No more than 6 pages, excluding cover page, table of contents, and references
Due Date: Week 10; submit your Assignment 2 via the Assignment 2 submission link on Moodle
Submission Guidelines:
• All work must be submitted on Moodle by the due date along with a completed Assignment Cover Page.
• The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2 cm margins on all four sides of your page, with appropriate section headings.
• Reference sources must be cited in the text of the report, and listed appropriately at the end in a reference list using IEEE referencing style.
Extension:
• If an extension of time to submit work is required, a Special Consideration Application must be submitted directly to the School's Administration Officer, on academic reception level. You must submit this application within three working days of the assessment due date. Further information is available at:
http://www.mit.edu.au/about-mit/institute-publications/policies-procedures-and-guidelines/specialconsiderationdeferment
Academic Misconduct
• Academic Misconduct is a serious offence. Depending on the seriousness of the case, penalties can vary from a written warning or zero marks to exclusion from the course or rescinding the degree. Students should make themselves familiar with the full policy and procedure available at: http://www.mit.edu.au/about-mit/institute-publications/policies-procedures-and-guidelines/Plagiarism-Academic-Misconduct-Policy-Procedure. For further information, please refer to the Academic Integrity Section in your Unit Description.
Assignment Overview
Melbourne Institute of Technology (MIT) is one of the most dynamic and fast-growing Higher Education Institutions in Australia. It specializes in the delivery of undergraduate and postgraduate degree courses in Business and Information Technology, with an accompanying suite of university pathway diplomas and English Language programs. It has two campuses, in the Melbourne and Sydney Central Business Districts (CBD). MIT has contacted you to be their information security project manager. Additional details about this Institute are:
• Since MIT is a large domestic university, its staff and students are divided into various departments, each with its own responsibilities: marketing, business, human resources, training and education, finance, health, housing, quality assurance, IT security, IT help desk, and research and development. Each department can access only its own information and is not allowed to access other departments' information. Senior staff in each department have the privilege to access sensitive information; for example, the marketing manager has extra privileges to access sensitive information within his department.
• As security manager you have access to the documentation of the different departments. Further, you are responsible for coordinating and liaising with representatives from the different departments. Your direct contact is the Chief Information Security Officer.
• The university deals with many off-campus students and staff, who request access to the university's resources and VPN.
• MIT has a large number of short-term visiting scholars (2-3 months) who visit the campus during the year. Those visitors have access to the university's resources (labs and printers).
The aforementioned scenario must be taken into account when answering the questions below:
Q1) For the organization MIT, what controls (technical, physical or administrative) will you implement to make it secure and fulfil the CIA triad within the university and its departments, and when connecting to the internet? (Provide a figure of your controls and explain why you use them.) Please note that you have to mention technical, physical and administrative controls. (10 marks)
Q2) What kinds of risks might you accept (i.e. not implement controls for them), and why? For the risks that you decided to accept, or for unexpected risks, how do you plan to handle them? (4 marks)
Q3) Give an example of a duty of incident response planning, disaster recovery planning and business continuity planning when an unexpected event occurs. (4 marks)
Q4) Referring to any resource, explain the difference between a Host Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS). (4 marks)
Q5) Write a literature review on signature-based detection and anomaly-based detection. (You have to write 500-1000 words.) (4 marks)
Case Study (1): Victim of Social Engineering (12 Marks)
Throughout the process, the auditor found countless examples of lax information security throughout the organization. There was a lack of a coordinated security policy, and the policies in place were not being followed. While reviewing the notes, the auditor noticed that a contractor had requested the TMS server address over the phone. Further follow-up revealed that a system administrator gave out the server address to a contractor because the contractors were in the middle of upgrading servers. The administrator also mentioned that the contractor requested the password, but the administrator didn't feel comfortable sharing the password on the phone and asked the contractor to stop by the office; the contractor never showed up. From the description of the events, the auditor felt it was a social engineering attempt. Social engineering is when an attacker attempts to gain access to sensitive information by tricking a person into giving it to them. The immediate recommendation of the auditor was to focus on the contractor's activity in the organization.
Over the next few weeks the story unfolded and all the pieces of the puzzle were put together. It was eventually proven that the contractor stole the information. The contractor was hired to oversee the upgrade of servers on the storage network. While doing this, she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would enable her to get away with stealing data without any repercussions. Her only obstacle was access. Since she only had access to the storage network, she needed a way to get access to the transaction management server. That’s when she called the system administrator and got the IP address and tried to get his login credentials. Once she got the IP address, she was able to utilize the free tools available on the Internet to scan the system and get the username and password with administrative access. It took her only a matter of minutes to get this information.
The password was only three characters long and didn’t use any numbers or special characters. With her new administrative permissions, she was able to export the PII.
Write a memo that discusses the seriousness of the situation and highlights the key breaches, including IT security recommendations.
Case Study (2): Data Breach (12 Marks)
Early one morning, Don was ushered into a closed-door meeting with the Chief Finance Officer, the CIO, and an external security auditor he hadn't met before. In the meeting Don learned that a large amount of data, including PII, had been exported from the system. The previous day Gary had been going through the logs to see if the patch he applied had worked correctly, and he noticed that someone in the administrator group had exported a large amount of data at an odd time. Gary reasoned that no one should be accessing the system at 2am, and he was concerned because a large amount of data had been exported. After bringing the issue to management, it was decided that the Finance division would investigate the issue. Therefore, the responsibility for figuring out exactly what happened fell on Don. He was asked to work with an auditor to find out exactly what happened.
Don left the meeting feeling overwhelmed and disconcerted; he knew nothing about security practices and he wasn’t happy about working with the auditor. He had recently inherited the system and didn’t know much about it. He did know that he had to find the source of the leak before more student information was lost and he knew his job might be on the line.
Write a report detailing how you would investigate this data breach.
Marking criteria:
Section to be included in the report | Description | Marks
Q1 | Explain the controls (technical, physical or administrative) that you will implement to make it secure and fulfil the CIA triad within the university and departments | 8
Q1 | Explain the situation when connecting to the internet | 2
Q2 | Explore the kinds of risks that you might accept and why | 2
Q2 | For the risks that you decided to accept, or for unexpected risks, explain how you plan to handle them | 2
Q3 | Give an example of a duty of incident response planning, disaster recovery planning and business continuity planning when an unexpected event occurs | 4
Q4 | Differentiate between HIDS and NIDS | 3
Q4 | Follow IEEE reference style | 1
Q5 | Differentiate between signature-based detection and anomaly-based detection | 3
Q5 | Follow IEEE reference style | 1
Case Study (1) | Outline of the memo (in 2-4 sentences) | 2
Case Study (1) | Discuss the seriousness of the situation and highlight key breaches | 10
Case Study (2) | Outline of the report (in 2-4 sentences) | 2
Case Study (2) | Write 4-6 sentences detailing how you would investigate this data breach | 8
Case Study (2) | Write a clear conclusion of the case study | 2
Total | | 50
Marking Rubrics
Grade / Mark | HD (80%+): Excellent | D (70%-79%): Very Good | CR (60%-69%): Good | P (50%-59%): Satisfactory | Fail (< 50%): Unsatisfactory
Analysis | Logic is clear and easy to follow with strong arguments | Consistently logical and convincing | Mostly consistent and convincing | Adequate cohesion and conviction | Argument is confused and disjointed
Effort/Difficulties/Challenges | The presented solution demonstrated an extreme degree of difficulty that would require an expert to implement. | The presented solution demonstrated a high degree of difficulty that would require an advanced professional to implement. | The presented solution demonstrated an average degree of difficulty that an average professional could implement. | The presented solution demonstrated a low degree of difficulty and would be easy to implement. | The presented solution demonstrated a poor degree of difficulty and would be too easy to implement.
Explanation/justification | All elements are present and well integrated. | Components present with good cohesion | Components present and mostly well integrated | Most components present | Lacks structure.
Demonstration | Logic is clear and easy to follow with strong arguments | Consistently logical and convincing | Mostly consistent, logical and convincing | Adequate cohesion and conviction | Argument is confused and disjointed
Reference style | Clear style with excellent sources of references. | Clear referencing/style | Generally good referencing/style | Unclear referencing/style | Lacks consistency, with many errors
Presentation | Proper writing. Professionally presented | Properly written, with some minor deficiencies | Mostly good, but some structure or presentation problems | Acceptable presentation | Poor structure, careless presentation