· This is an open book assessment, and you should consult your Learner Resources and other material as needed.
· Your answers should be on a separate document using word processing software such as MS Word or other software (handwritten submissions are only acceptable with prior approval from your Trainer).
· Your document should be professionally formatted and include:
o Your Name
o Your Student ID
o Unit Code
o Assessment Number (i.e. ICTNWK511 Assessment 1)
· Please reference each question number and retype each question with your answers.
· This is an open book assessment, you must answer every question and provide enough information to demonstrate sufficient understanding of what has been asked to achieve competency. Please ask your Trainer/Assessor if you are unsure what is sufficient detail for an answer.
· Ask your trainer/assessor if you do not understand a question. Whilst your trainer/assessor cannot tell you the answer, he/she may be able to re-word the question for you or provide further assistance based on the Institute’s “Reasonable Adjustment Policy”.
· Answers should be your own work, in your own words and not plagiarised, nor copied. However, if an answer is cut & pasted (such as a definition), then the source should be referenced.
Answer the questions below. Keep your answers short and to the point – unless specified otherwise, your answers should not exceed 300 words for any individual question (and often can be less – use your judgment). Use your own words in your answers – do not copy large amounts of text from the Internet!
1. Identify the purpose and describe at least one activity performed in each of the following three phases in implementing a network security design: (i) the planning phase; (ii) building phase (iii) managing phase.
2. Describe the purpose of the main elements of risk management, such as (i) risk identification and (ii) risk treatment. Identify at least one activity that is performed in each element.
3. Identify two types of network attacks that could be made on an e-commerce site selling books, and storing credit card information about customers. For each attack, describe the vulnerabilities/weaknesses of network infrastructure that attackers seek to exploit.
4. Give two examples of emerging security threats that have emerged as a result of the popularity of mobile phones. List one example of a countermeasure that can be used to mitigate the threats.
5. Briefly define the purpose of auditing, as it applies to network security.
6. Briefly define the purpose of penetration testing, as it applies to network security.
7. Briefly define how logging analysis can be used to enhance network security.
8. List two security measures that can be applied to protect an organisation’s infrastructure of servers and switches.
9. List two capabilities of (i) a hardware firewall and (ii) a software intrusion detection system (IDS).
10. Define what is meant by “defence in depth” in security planning. Describe how the defence in depth principle could be applied to the deployment of hardware and software firewalls in a corporate network.
11. Give two examples of network management and security process controls that could be applied to manage the risk represented by BYOD (Bring Your Own Device) to corporate networks.
12. Risk management plans and procedures need to be applied to all stages of network security, including security planning, implementation and budgeting. Give one example of how an understanding of risk can be applied to each of the following phases of a network security implementation (i) the planning phase (ii) the implementation or building phase (iii) the managing or budgeting phase
13. Identify three types of ICT networks (or zones) typically considered in network security planning. Briefly define each of these network zones, and, for each of the three types of network zone, give one example of a configuration I would expect to see in that type of network zone.
Assessor Use Only
Satisfactory (S) Not Satisfactory (NS)
Assessor Signature: _______________________________ Date: _____________
Information for Students
This is a project/report assessment task. You have the option of doing the task as a group (3 students maximum per group). You should use the Case Study Report Template (see Learner Resources for the unit) to help you structure your assignment. Write your report, making sure to list all the students who are in your group in the Introduction to the report. All students need to hand in a copy of the report as part of their assessment submission.
Read through the scenario below, and write your report addressing the requirements described below.
You have been asked to design a comprehensive network security plan for a small e-commerce web site run by the BuyThisShoe company. The website will be hosted on the company’s internal network (as the site needs to access internal databases for prices etc). The company is a bit nervous about hackers, but it also wants a cost-effective solution, so you need to come up with a plan that is both effective and economical.
Interviewing the owners of the business, you have uncovered the following facts:
· The company will be taking credit card payments, so needs to comply with any relevant legislation
· The company is open to taking out insurance, where required, against reputational damage resulting from hacker events
· The company is concerned about conforming with privacy legislation, and wants to know how network security measures can keep the required information confidential, and report on any unauthorised access
· The company would also like to know how a procedure could be designed for employees to report any privacy/ethics violations in a secure manner. They want the employee to be able to send an anonymous email about the violation, without having to use the corporate email system
· The company wants to know what testing/ongoing auditing of the plan will be done to ensure the plan remains relevant and up-to-date
· The company wants you to suggest an incident response procedure for reporting of security violations. They are very concerned that, if any security breach does occur, they are notified immediately. They are suggesting that every Friday the owner of the company meet with the IT manager to review any security breaches that have occurred, and what has been done in response to those
· The company wants to know what countermeasures can be employed against threats to the physical security of their server storing the customer’s credit card information
· The company is most worried about hackers who may want to gain the credit card details of its customers. They want to ensure that the database server that will be storing the credit card details is on the most secure part of the network.
· The company is also worried about ‘for play’ hackers who may want to compromise their website for ‘fun’, so your network security needs to cater for this.
· The company has employed an information auditor as a consultant, who has prepared the following table showing the asset, threat, single loss occurrence (SLO), and annual rate of occurrence
Asset: Credit card details on database server
Threat: For profit hackers
· The company wants to allow web site traffic (HTTP and HTTPS), email traffic (SMTP), remote desktop traffic (RDP), and network support (via SSH) into its network from the internet. The only traffic it wants to allow out of the network is HTTP/HTTPS and SMTP.
· The company has set up an InfoSec working committee, which is overseeing all plans, policies and projects to do with network security in the company. The members of that committee are Mr. Black, the company CEO, Ms. White, the IT manager, and Mr. Green, the external information auditor consultant.
· The company has also calculated that any downtime on the shared server in use for filesharing and email will, due to the lost productivity, cost the company around $1000 per hour of downtime. The company has also been advised by the information auditor that the loss of customer credit card information, which includes both the ALO figure and reputational damage to the business, would result in lost business of around $5,000 per annum. As such, the company is very concerned to defend itself against these kinds of attacks.
Prepare a report for the company outlining your proposed network security plan that addresses these requirements. At a minimum, your report should include the following:
1. Identify the threats BuyThisShoe faces.
· You should document the threat, likely motivations, and what kind of vulnerabilities each kind of attacker targets, and how the attacks occur.
· You should also assign a threat level of high, medium or low to each of your identified threats.
· You should create a table showing the threat type, the motivations, the vulnerabilities exploited/how attacks occur, and the threat level.
2. Analyse security risks.
· Here you will identify the assets that require their protection, calculate their value to the organisation and create a risk management plan for managing the risks.
· You should create a table showing the asset name, the asset value/outage cost, and the main elements of the risk treatment plan for managing the risk.
3. Create a security design.
· Identify attacker scenarios and threats, and specify security measures to counter those threats.
· You should also describe security policies that can be put