Great Deal! Get Instant $10 FREE in Account on First Order + 10% Cashback on Every Order Order Now

Student Instructions: · This is an open book assessment, and you should consult your Learner Resources and other material as needed. · Your answers should be on a separate document using word...

1 answer below »
Student Instructions:
· This is an open book assessment, and you should consult your Learner Resources and other material as needed.

· Your answers should be on a separate document using word processing software such as MS Word & or other software (hand written submissions are only acceptable with prior approval from your Trainer) .

· Your document should be professionally formatted and include o Your Name o Your Student ID o Unit Code
o Assessment Number (i.e. ICTNWK511 Assessment 1)

· Please reference to each question number and retype each question with your answers.

· This is an open book assessment, you must answer every question and provide enough information to demonstrate sufficient understanding of what has been asked to achieve competency. Please ask your Traine
Assessor if you are unsure what is sufficient detail for an answer.

· Ask your traine
assessor if you do not understand a question. Whist your traine
assessor cannot tell you the answer, he/she may be able to re-word the question for you or provide further assistance based on the Institute’s “Reasonable Adjustment Policy”.

· Answers should be your own work, in your own words and not plagiarised, nor copied. However, if an answer is cut & pasted (such as a definition), then the source should be referenced






Student information:

Answer the questions below. Keep your answers short and to the point – unless specified otherwise, your answers should not exceed 300 words for any individual question (and often can be less – use your judgment). Use your own words in your answers – do not copy large amounts of text from the Internet!


1. Identify the purpose and describe at least one activity performed in each of the following three phases in implementing a network security design: (i) the planning phase; (ii) building phase (iii) managing phase.


2. Describe the purpose of the main elements of risk management, such as (i) risk identification and (ii) risk treatment. Identify at least one activity that is performed in each element.



3. Identify two types of network attacks that could be made on an e-commerce site selling books, and storing credit card information about customers. For each attack, describe the vulnerabilities/weaknesses of network infrastructure that attackers seek to exploit.


4. Give two examples of emerging security threats that have emerged as a result of the popularity of mobile phones. List one example of a countermeasure that can be used to mitigate the threats.


5. Briefly define the purpose of auditing, as it applies to network security.


6. Briefly define the purpose of penetration testing, as it applies to network security.


7. Briefly define how logging analysis can be used to enhance network security

8. List two security measures that can be applied to protect an organisation’s infrastructure of servers and switches.


9. List two capabilities of (i) a hardware firewall and (ii) a software intrusion detection system (IDS)


10. Define what is meant by “defence in depth” in security planning. Describe how could the defence in depth principle be applied to the deployment of hardware and software firewalls in a corporate network


11. Give two examples of network management and security process controls that could be applied to manage the risk represented by BYOD (Bring Your Own Device) to corporate networks.


12. Risk management plans and procedures need to be applied to all stages of network security, including security planning, implementation and budgeting. Give one example of how an understanding of risk can be applied to each of the following phases of a network security implementation (i) the planning phase (ii) the implementation or building phase (iii) the managing or budgeting phase


13. Identify three types of ICT networks (or zones) typically considered in network security planning. Briefly define each of these network zones, and, for each of the three types of network zone, give one example of a configuration I would expect to see in that type of network zone.




Assessor Use Only

Assessor Comments


     Satisfactory (S)                               Not Satisfactory (NS)


    Assessor Signature: _______________________________     Date: _____________

Information for Students

This is a project
eport assessment task. You have the option of doing the task as a group (3 students maximum per group). You should use the Case Study Report Template (see Learner Resources for the unit) to help you structure your assignment. Write your report, making sure to list all the students who are in your group in the Introduction to the report. All students need to hand in a copy of the report as part of their assessment submission.

Read through the scenario below, and write your report addressing the requirements described below

Scenario
You have been asked to design a comprehensive network security plan for a small e-commerce web site run by the BuyThisShoe company. The website will be hosted on the company’s internal network (as the site needs to access internal databases for prices etc). The company is a bit nervous about hackers, but it also wants a cost-effective solution, so you need to come up with a plan that is both effective and economical.
Interviewing the owners of the business, you have uncovered the following facts:
· The company will be taking credit card payments, so needs to comply with any relevant legislation
· The company is open to taking out insurance, where required, against reputational damage resulting from hacker events
· The company is concerned about conforming with privacy legislation, and wants to know how network security measures can keep the required information confidential, and report on any unauthorised access
· The company would also like to know how a procedure could be designed for employees to report any privacy/ethics violations in a secure manner. They want the employee to be able to send anonymous email about the violation, without having to use the corporate email system
· The company wants to know what testing/ongoing auditing of the plan will be done to ensure the plan remains relevant and up-to-date
· The company wants you to suggest an incident response procedure for reporting of security violations. They are very concerned that, if any security
each does occur, that they are notified immediately. They are suggesting that every Friday the owner of the company meet with the IT manager to review any security
eaches that have occu
ed, and what has been done in response to those
eaches
· The company wants to know what countermeasures can be employed against threats to the physical security of their server storing the customer’s credit card information
· The company is most wo
ied about hackers who may want to gain the credit card details of its customers. They want to ensure that the database server that will be storing the credit card details is on the most secure part of the network.
· The company is also wo
ied about ‘for play’ hackers who may want to compromise their website for ‘fun’, so your network security needs to cater for this.
· The company has employed an information auditor as a consultant, who has prepared the following table showing the asset, threat, single loss occu
ence (SLO), and annual rate of occu
ence (ARO)
    Asset
    
    Threat
    SLO ($)
    ARO
    1.
    Network server
    Fun hackers
    400
    5
    2.
    Credit card details on database server
    For profit hackers
    20,000
    .5
    3.
    Router
    Fun hackers
    1000
    .25
    4.
    Web server
    both
    2000
    3
    5.
    Malware/trojans
    both
    1000
    15

· The company wants to allow web site traffic (HTTP and HTTPS), email traffic (SMTP), remote desktop traffic (RDP), and network support (via SSH) into its network from the internet. The only traffic it wants to allow out of the network is HTTP/HTTPS and SMTP.
· The company has set up an InfoSec working committee, who is overseeing all plans, policies and projects to do with network security in the company. The members of that committee are Mr. Black, the company CEO, Ms. White the IT manager, and Mr. Green the external information auditor consultant.
· The company has also calculated that any downtime on the shared server in use for filesharing and email will, due to the lost productivity, cost the company around $1000 per hour downtime. The company has also been advised by the information auditor that the loss of customer credit card information includes both the ALO figure and reputational damage to the business, would result in lost business of around $5,000 per annum. As such, the company is very concerned to defend itself against these kinds of attacks.
.




Report Requirements
Prepare a report for the company outlining your proposed network security plan that addresses these requirements. At a minimum, your report should include the following:
1. Identify the threats BuyThisShoe faces.
· You should document the threat, likely motivations, and what kind of vulnerabilities each kind of attacker targets, and how the attacks occur.
· You should also assign a threat level of high, medium or low to each of your identified threats.
· You should create a table showing the threat type, the motivations, the vulnerabilities exploited/how attacks occur, and the threat level.
2. Analyse security risks.
· Here you will identify the assets that require their protection, calculate their value to the organisation and create a risk management plan for managing the risks.
· You should create a table showing the asset name, the asset value/outage cost, and the main elements of the risk treatment plan for managing the risk.
3. Create a security design.
· Identify attacker scenarios and threats, and specify security measures to counter those threats.
· You should also describe security policies that can be put
Answered Same Day Mar 30, 2020 ICTNWK511 Training.Gov.Au

Solution

Samrakshini R answered on Apr 01 2020
134 Votes
NETWORKING ASSIGNMENT
1. Identify the purpose and describe at least one activity performed in each of the following three phases in implementing a network security design: (i) the planning phase; (ii) building phase (iii) managing phase.
ANS: (i) the planning phase
In the ever increasing technology and growing networks where electronic mails, intranet and extranet expose the security of companies. Planning is an important phase in designing a network security plan in order to allow only legitimate amount of traffic to move in the network. It also involves including the access to different network policies needed.
Activity: Isolate all the confidential information: If the system has any information that should not be allowed access from outside, then all this should be restricted or encrypted a different way. It may also be kept out of the network by storing it in external storage devices.
Prioritization of assets the needs to be secured is also done in this phase.
(ii) building phase: This phase involves putting the network security plan designed into action. The suitable and customized plan developed in planning phase is designed to fit the network.
Activity: Setting up all the virtual devices. The different components of network layer which needs virualization needs to be virtualized. They generally include virtual web application firewalls, virtual network-bsed firewalls and virtual routers.
(iii) managing phase: This phase comes in after the planning phase and the building phases are completed. In this phase, the network security plan will be checked from time to time for flaws and co
ected in the process. In short, the stability of the plan is maintained.
Activity: Updating systems and softwares from time to time is needed because on updation, the newly discovered threats will be co
ected and the loopholes of the previous version covered. Hackers can easily detect network perimeters. Hence continuous vigilance is needed.
2. Describe the purpose of the main elements of risk management, such as (i) risk identification and (ii) risk treatment. Identify at least one activity that is performed in each element.
ANS: (i) risk identification: Risk management is an ongoing, proactive program. The identification and mitigation of risks ensures that evolving threats are identified and thwarted. Companies and organizations can work in peace with the knowledge that their environments are protected against cyberattacks.
(ii) risk treatment: Once the risk is identified, it is vital to treat it and co
ect it in order to secure the network from the newly identified risk. The treatments are different for different types of risks.
Activity:
· Modify the consequences in such a way that it does not affect it’s likelihood.
· Sharing the identified risk with other parties and alerting them to become more vigilant.
· Avoid the risk by canceling, diverting or deciding to stop.
· Develop an action plan for meticulous treatment.
3. Identify two types of network attacks that could be made on an e-commerce site selling books, and storing credit card information about customers. For each attack, describe the vulnerabilities/weaknesses of network infrastructure that attackers seek to exploit.
a. Cross-site scripting: Javascript language is used in websites for manipulating data input by the user, In cross-scripting, the attacker inserts a javascript code snippet on to a vulnerable webpage. This can steal away the data which the user enters. For example, the cookie-based information can be stolen and impersonated. It attacks the website indirectly, by attacking the user’s data posing a security threat to users too.
For an ecommerce site selling books, when the user tends to check out of the billing section, he enters all...
SOLUTION.PDF

Answer To This Question Is Available To Download

Related Questions & Answers

More Questions »

Submit New Assignment

Copy and Paste Your Assignment Here