Below attached the document and need to maintain 10% plagiarism
Unit code: CMP71001
Assignment 1: Cybersecurity risk management, threat and attack modelling
Due Date: December 18, 2020
Learning Outcomes: 1, 2, 4, 5
Graduate Attributes: 3, 4 & 5
Weight: 20% of overall unit assessment
Suggestion: You are strongly advised to start doing this assignment early in your study (week 1). Leaving your starting date to the week before the due date is a very poor strategy for success in the unit.

Task Descriptions

Task 1: Case Study Task

Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF) and Structured Query Language (SQL) Injections are common attacks, exploiting web application vulnerabilities. Your task is to select one case study example of one attack type from either XSS, CSRF or SQL injection as the basis for your report and explain (and graphically depict) all components of the attack by addressing the following three requirements:

1. Develop a detailed walkthrough of how your chosen attack type would theoretically operate in the real world. This section should clearly represent each stage of the attack with supportive discussions.
2. Select one CVE (Common Vulnerabilities and Exposures) and proceed to identify and explain the intricacies of that real-world incident that eventuated based on your chosen attack type.
3. By explaining your selected real-world incident, you should at a minimum answer the following questions:
• What was the outcome of your chosen incident?
• What was the impact of your chosen incident?
• Identification of the personal identifiable information (PII) that was held, used, and collected by the organisation.
• Discuss the C.I.A triad and how these principles relate to the information security breach, i.e., what was breached in relation to C.I.A?
• What threats and vulnerabilities to the information exist in the case study?
• What protections were in place; what worked and what failed in this particular case?
• Discuss the lessons learnt from the breach, for example, legal, financial, risk.
• What did the organisation do after the breach, i.e., what happened after the fact?
• Why was this breach such an important case to learn from?

Task Information

• The report should make use of well thought out diagrams or flow charts (where applicable) to demonstrate the procedure by which the attack type would typically be performed.
• Your target audience has very little understanding of cyber security. As a result, you must ensure that you communicate your report outcomes in a simple manner. Using complex descriptions or terminology will result in a loss of marks. Use acronyms correctly. Use analogies if it enables you to communicate the identified issue in a simplistic manner.
• You must make use of adequate in-text references throughout your entire report.
• Be creative in how you choose to communicate your findings. The report does not have to be a large collection of paraphrased text. Diagrams are a much more effective way of communicating an idea or concept. Tables and charts are an effective way to draw comparisons or contrast different ideas.

Task 2: Attack Tree on “obtain your friend’s password”

Attack (or threat) trees are becoming increasingly popular in many fields as a means of visualising information. As presented by Dekker (2015), attack trees are flexible, visual and formal, yet provide a means of portraying scenarios, encourage brainstorming activities, and allow organisations to apply a defence in depth approach to the identified threats. Among many things, attack trees help with visualising all the potential ways any given organisation or system may be attacked. They assist with conceptualising asset identification/classification, threats, vulnerabilities, exploits and many more aspects of cybersecurity risk management.
It is important that you understand how to develop and analyse attack trees for the purposes of not only this assignment (or potential exam questions) but for your future career. Bruce Schneier is a respected cybersecurity expert who has written extensively on the creation of attack trees. You are strongly advised to research this information and ensure you have grasped the concept of attack trees, and its associated characteristics. You should also research more attack tree structures as part of this task.

https://www.schneier.com/academic/archives/1999/12/attack_trees.html

Figure 1: Example of a simple Attack Tree

You will attempt to develop your own attack tree. Using the overall goal of "obtain your friend's login password", develop one or more attack trees which demonstrate the different technical and non-technical approaches you could use to acquire ‘the password’.

For the purposes of this activity, you should aim to have approximately 25 nodes, presented on multiple levels. The above example has approximately 13 nodes, for example. For the first level, try to be creative in how you split your tree up. So, this means you should try to avoid using ‘technical’ and ‘non-technical’ as your top two headings. In addition, you should aim to have 3-6 words per node to ensure that it is explained sufficiently.

Microsoft Visio is a popular tool that can be used to develop Attack Trees. However, any brainstorming tools will be equally suitable. There are plenty of freely available brainstorming tools that can be found by doing a simple search on the Internet. However, whenever you download software it is always advisable to scan the product with appropriate anti-virus software beforehand.

Finally, briefly discuss in a conclusion for this task how an attack tree analysis might have been helpful for the organisation(s) involved in Task 1.

Dekker, M. (2015). Using attack trees in #cybersecurity for threat risk modelling. Retrieved from https://www.linkedin.com/pulse/20140529230342-18705719-using-attack-trees-in-cybersecurity-for-threat-and-risk-modeling

Format and Presentation

You are recommended to present the assignment in a standard report format with the title page that details your name, student-id, unit, course and date/time information. You will also provide a table of contents page for the navigation. There is no report template to be used in this assignment, so you can design your own template or refer to online resources. However, the report should be well presented with clear headings, titles and subtitles.

Title page: Unit code and title, assignment title, your name and student number, campus, and your tutor’s name.

Table of contents: This must accurately reflect the content of your report and should be generated automatically in Microsoft Word with page numbers.

Introduction: A succinct overview of the report. What attack type did you select as the basis for the report? What did you discover? What approach did you use to undertake your research into the subject matter? How did you approach the attack tree task?

Main content: This section should be divided into clearly distinct tasks and sections.
Task 1: The first section should focus on explaining and exploring how your selected attack type functions. The second section should thoroughly explore a real-world incident.
Task 2: The attack tree for the functional attack detailed is required.

Summary: The section should briefly draw together the main points raised in the report for both tasks. You should not introduce or discuss any new information.

Reference list: A list of references formatted according to the SCU requirements. Using the Endnote software will make this process very easy.

Assignment-1 marking rubrics

The following marking rubric will be used for the marking of your submission.
It contains a detailed breakdown of the marking criteria for this assignment. Make sure you read this CAREFULLY to understand how your work would be graded against each of the defined criteria.

Task 1 rubric:

Overall presentation (marks available: 0.5)
• Fail: No genuine attempt made to present the case study in a clear format.
• Pass: Attempted to present the case study but is not clear and is missing key title page and contents page.
• Credit: Sound presentation but missing some key formatting and/or title page and contents page.
• Distinction: Well presented but missing either a title page or contents page.
• High Distinction: Well presented with clear headings, titles and subtitles. Includes a title page and table of contents page.

Assignment content (marks available: 2.0)
• Fail: No genuine attempt made to analyse the case study.
• Pass: Attempted to analyse the case study but missing significant amounts of information that was required in the analysis.
• Credit: Sound analysis but missing up to half of the required analysis that was requested.
• Distinction: Analysis is clear and comprehensive. Missing some of the required analysis that was requested.
• High Distinction: Analysis is clear and comprehensive. Has correctly and explicitly identified the information concerned.

Assignment content (marks available: 2.0)
• Fail: No genuine attempt made.
• Pass: Attempted to discuss the CIA principles but with no clear analysis and significant information missing.
• Credit: Discussed some of the CIA principles but missed at least one key principle.
• Distinction: Discussed and analysed most of the CIA principles but with some missing information.
• High Distinction: Full analysis of conformance to CIA principles clearly discussed.

Assignment content (marks available: 1.5)
• Fail: No genuine attempt made.
• Pass: Attempted to discuss threats and vulnerabilities but with significant information missing.
• Credit: Identified some threats and vulnerabilities but missed some of the key threats and vulnerabilities.
• Distinction: Identified some threats and vulnerabilities but with some information missing.
• High Distinction: Clearly identified all threats and vulnerabilities to the information.

Assignment content (marks available: 1.5)
• Fail: No genuine attempt made.
• Pass: Made an attempt to discuss