CIS2005 Principles of Information Security - Assignment 3

Description                                            | Marks out of | Weighting | Due date
-------------------------------------------------------|--------------|-----------|------------------
Assignment 3 Report and Presentation based on CASE     | 100          | 30%       | 17th October 2014
STUDY: BCX.COM (A fictitious analysis of a security    |              |           |
breach). Length: 3000 words approx. plus Appendices     |              |           |
This assignment assesses your understanding in relation to the following three course objectives:
1. analyse information security vulnerabilities and threats and determine appropriate controls that can be applied to mitigate the potential risks
2. explain why continual improvement is necessary to maintain reasonably secure information systems and IT infrastructure and to describe the role of disaster recovery and business continuity plans in recovering information and operational systems when systems and hardware fail
4. demonstrate an ability to communicate effectively both written and orally about the management of information security in organisations.
This assignment assesses the following graduate skills: Problem Solving, Academic & Professional Literacy and Oral and Written Communication at level 2.
This assignment relates to the topics covered in modules 1 to 10. It can be completed by groups of two students or as an individual assignment. Details regarding the allocation of students to teams will be provided on the course study desk. Each student team will be allocated its own discussion forum for assignment 3, specifically to work collaboratively as a team in developing and discussing its approach to the assignment 3 case study and the required security report and presentation. Regular participation in each team’s discussion forum by the team members each week from Monday 8th September until Friday 17th October is expected. Each team member will also be required to keep a journal of their activities and progress related to completing this assignment; this journal will form part of the assessment for assignment 3. In date order, clearly list the following:
- date of research activity/discussion
- topics researched or discussed
- time duration of activity.
Submit this journal for each team member as an appendix to the assignment 3 Recommendations report. Any reference to web pages and online resources such as white papers, blogs, wikis etc. should be listed at the end of the journal.
Regular participation on the discussion forums dedicated to this assessment is highly recommended and can assist greatly with this assessment item. Also note that you are expected to do research outside of the course materials provided.
Case Study:
BIGCOINX (A fictitious analysis of the importance of Security in the Digital Currency World)
Background:
BigCoinX (BCX) is an Internet bitcoin exchange start-up founded in early 2013, riding on the boom of interest in the bitcoin currency of the last few years.
Established by former work colleagues in the investment banking industry, Mark Buck (current CEO) and Peter Gates (CTO), the company by late 2013 was relatively successful and doing an estimated 1% of all global bitcoin trades.
While, in the scheme of things, the user base numbers seem good, both Mark and Peter know that to achieve a critical mass of users that will establish BCX as a “player” in the bitcoin world, they will need to reach numbers upwards of 10% of global bitcoin trades.
With bitcoin being a hot topic and Internet start-ups springing up all the time to try to make money from the bitcoin rush, BCX knows it has to stay ahead of the game.
The company is continually innovating and responding to user requirements, industry trends and competitive challenges. Mark and Peter’s 5 person business, based in Sydney’s upcoming Technology Hub, Redfern, is a busy and dynamic environment.
BCX is aiming to become profitable and self-sufficient by the end of 2014 at the latest. It is at this time that their capital funds will be exhausted, but they estimate that once they hit the 3% global mark and have deployed their new bitcoin trading software into production (both aggressively targeted for October 2014), they will have positive financial results.
-----------------
News Release: March 17, 2013: “Largest Global Bitcoin Marketplace Hacked: Mt Gox, the world’s largest bitcoin exchange files for bankruptcy. $600M in bitcoins stolen”.
----------------
Waking up to news overnight that their largest competitor has been hacked (or otherwise – details are sketchy) and that it has lost over $600M of its customers’ bitcoins has shaken up the BCX team.
Mark and Peter are nervous. If the world’s largest bitcoin exchange has gone under, what position does that leave them in? With little news available and probably no expectation of knowing what exactly went on at Mt Gox for some time, BCX must try to assess their own position and risks. There is a lot at stake here. Are they exposed as well? Are their clients going to be nervous and do a “run” on the exchange? Is their business secure?
Time is of the essence, so an emergency teleconference is organised between Mark, Peter and Phil Jones (Technical Support Manager) at HotHost1 – a cloud services company where the BCX environment is hosted.
Some resources which may be useful for this assignment 3 Case Study:
- At Mt. Gox bitcoin hub, 'geek' CEO sought both control and escape: http://www.reuters.com/article/2014/04/21/us-bitcoin-mtgox-karpeles-insight-idUSBREA3K01D20140421
- Avoiding the next Mt. Gox: Vault of Satoshi bitcoin exchange launches proof-of-solvency service
- Bitcoin Transaction Malleability and MtGox
- Mt.Gox Finds 200,000 Bitcoin In An “Old-Format” Digital Wallet
- Mt. Gox
March 18, 2014, 9:45am: Offices of HackStop Consulting
A quiet morning for you until a call from a company called BCX reaches your desk.
As a Senior IT Security Consultant at HackStop Consulting, you’ve had calls like this many times. It’s time to get your game on again! Time to visit the offices of BCX. Their CEO, CTO and a Manager from their hosting provider HotHost1 are desperate to meet with you.
Your Task
On return from your meeting, it’s time to quickly put together a proposed plan of work and a response for BCX. Given the nature of your assignment with BCX, an urgent response and work-plan is required that outlines your approach and methodologies to:
(1) Assessing what could go wrong – how could someone (a hacker?) compromise the BCX environment and steal the user bitcoins?
(2) How BCX ensures it does not happen.
Student Notes
At present, no other assumptions need to be made about the actual security issues/breach at Mt Gox, but an understanding of how it could have happened will assist with the assignment.
Read about the real Mt Gox episode and the history of bitcoin and other bitcoin security issues of the past few years. (Google is your best friend.)
This assignment is focused upon seeing if you, the student, have built up an awareness of how security in Internet websites can be assessed and analysed to assist businesses in improving their overall security position.
By being able to outline how you would go about reviewing the security requirements outlined in the BCX case study and making recommendations on improving security practices and the appropriate controls that need to be put in place to reduce the risks to an acceptable level for BCX, the markers will be able to assess your level of knowledge learned in this course and the additional research you have undertaken.
Any information not provided in the case study may be assumed, but make sure that your assumptions are stated and that the assumptions are plausible.
**** NB: Importantly, and in addition to your own study and research, there will be two specific discussion forum threads on the assignment discussion forum where you can ask questions of the main players in the scenario:
1. Mark Buck and/or Peter Gates (BCX)
2. Phil Jones (HotHost1)
By actively participating in the forum discussions for this assignment, you will gain valuable information and insight into this case study that will be regarded highly by the markers.
(Note: Any questions which are not considered to be appropriate or professional for the purpose of this assessment may not be answered.)
Deliverables
The success of your engagement is based upon two deliverables:
(1) Development of a security audit plan to assess how you would determine BCX’s security posture at the present time.
(2) A business proposal to BCX Management in the form of a presentation (based on your proposed security audit plan – Deliverable 1) that outlines how the organisation should be better focusing on Information Security.
In detail:
(1) Security Audit Work-plan (WORD Document):
The Security Audit work plan should be included in a professionally presented document of no more than 10 pages and be structured to show how each phase of work is to be undertaken. Your work-plan must include the following at a minimum:
* Executive Summary: half-page brief outlining purpose, scope, expectations and outcomes of the proposed plan of work. (250 words)
Structured and ordered work plan phase description, which for each section includes:
* Background and problem analysis - What could go wrong? How could a hacker compromise the BCX web site environment and steal the user information? (approx. 500 words)
* Threat analysis - What is to be investigated and tested, how it will be done, what sort of potential issues you are looking for, and the deliverables BCX and/or HotHost1 can expect for each phase of work (e.g. the “deliverable” for a phase of work could potentially be a report containing the results of a vulnerability assessment test on BCX’s server(s)). (approx. 1000 words)
* Dependencies and critical success factors to the job - such as key stakeholders in this security audit: the key people to be interviewed or whose involvement in that phase of work is required. (Remember, you don’t always get free rein access to systems and other information, and because time is of importance, you won’t get a long time to master the environment. But, as you know, you also cannot always believe everything you are told.) What is key to getting this job done efficiently and what support do you need to get this done (from BCX and also the hosting provider)? (approx. 500 words)
* Set of recommendations for improving BCX’s current security practices and ensuring that an appropriate set of controls is put in place (approx. 750 words)
* Reference list of key sources, in particular technical references which support your approach (not counted in word count)
Note: in this report and in the accompanying presentation you are encouraged to make use of appropriate Figures and Tables to emphasise the key points that you are trying to make.
* A journal of each team member's (for students completing this assignment individually – your) activities in participating and contributing to the completion of the work plan report and presentation.
(2) Developing a Securer Environment for BCX for the Future (POWERPOINT):
Your strategy presentation should be created as if it were an actual presentation you were doing for a real client in relation to your proposed work plan, including a set of recommendations, and should contain the following at a minimum:
* 1 Slide for an Introduction outlining your team and the organisation you work for
* 2-3 Slides covering the Background: A brief summary of where BCX is today in regards to security practices in their organisation and controls in place for their web servers.
* 2-3 Slides covering the Threat Analysis: A summary of the major threats and associated vulnerabilities and the actions required to reduce the risks associated with these threats and specific vulnerabilities in their web servers to an acceptable level.
* 2 Slides covering Dependencies and critical success factors to the job: i.e. what is key to getting this job done efficiently and what support do you need to get this done (e.g. internal business stakeholders, developers etc.)
* 2 Slides covering your proposed Set of recommendations for improving security practices at BCX and ensuring appropriate controls are in place in relation to their web site, which is core to their business
[The following is also to be included. While not part of a “standard” Industry business presentation, it is there to allow teaching staff to gauge what level of research has been undertaken.]
* 1 Slide acknowledging the key authoritative reference sources which underpin the research you have conducted and your approach in the proposed work plan in your proposed business report.
------------------
Report and Presentation Format:
* MS WORD and PowerPoint respectively (or a web-based presentation as an alternative to PowerPoint for (2) of the assignment deliverables) must be used. NB: For the presentation, you are asked to include a Word document (or utilise the notes section of PowerPoint) to detail the length of time expected to be spent on each slide (page) and the details of what you would expect to discuss with the audience.
* This assignment is focused upon seeing if, as a student in this course, you have built up an awareness of how security in an environment should be set up and operated. By being able to outline how you would review and test the security of the fictional organisation, BCX, through assessment of the basics such as good policies, standards, procedures and controls in place, in addition to detection of incidents, the markers will be able to assess your level of knowledge learned from the course content and from your own additional research in relation to this case study.