
BISM3205 - Business Information Security

Assignment 1 worth 40% of overall course marks

2023 S2

Assignment Overview

This assignment must be completed individually by each student. The submission deadline is 3pm, 06 Sep 2023. This assignment requires a student to answer 4 questions (each with sub-parts) that cover the course content of the first 4 teaching weeks. Assignment 1 is worth 40% of the overall course marks. A student’s answer to each of the 4 questions (that is, each question and all its sub-parts) cannot exceed 300 words (+10% tolerance per UQ policy). This word limit per question requires a student to soundly analyse/research each question and then structure a response in a concise, business-informative fashion. There is no need to reference an answer unless referencing is specifically requested in the question. A student must construct each answer in her/his own words – and in ‘plain English’ business language (using the language we use in class and not too technical language that would be more suited to computing science/engineering contexts). Please note that each question in this assignment may well span work covered across the first 4 weeks (and not simply relate to one specific week).

This assignment assumes that a third-year student is capable of assimilating information not only from this course but also from many other courses and reputable sources on the Internet, as would be required in a business setting. Students are advised that the use of AI technologies to develop responses is strictly prohibited and may constitute student misconduct under the Student Code of Conduct. Each assessment question evaluates students’ abilities, skills and knowledge without the aid of AI.

•    PDF submission via the Blackboard BISM3205 site and Turnitin. We will mark using the Blackboard link and use the Turnitin link for plagiarism checking only (full details and links closer to the submission date).

•    Please ensure your student details (name, number, email address) are contained on each page of the submission in a suitably designed footer.

•    Clearly label which question and, if relevant, which sub-question you are answering (e.g., Question 1a)). You don’t have to repeat the question.

•    Answer in full sentences, but you may want to use bullet points, numbering or headers to help structure your answer.

•    Read each question carefully for additional formatting requirements specific to the question.

Question 1

Objective: The objective of this Question 1 is to analyze a real-world security breach in terms of its impact on confidentiality, integrity, availability, authentication, and non-repudiation. This exercise will help you understand the practical implications of security breaches and the importance of each of these security principles.

Instructions:

Write a concise analysis of the Twitter 2020 security breach, focusing on the following aspects:

•    Confidentiality: Discuss how the breach impacted the confidentiality of sensitive information. Identify the type of data compromised and the potential consequences of unauthorized access to that data.

•    Integrity: Analyze the impact of the breach on the integrity of the affected systems or data. Consider whether any data tampering or unauthorized modifications occurred and the potential consequences of such actions.

•    Availability: Assess the effect of the breach on the availability of the affected systems or services. Discuss any downtime experienced, disruptions in service, or denial of access that resulted from the breach.

•    Authentication: Examine the breach in terms of authentication vulnerabilities. Identify any weaknesses in the authentication mechanisms that allowed the breach to occur or facilitated unauthorized access.

•    Non-repudiation: Evaluate whether the breach had any implications for non-repudiation. Discuss any challenges in establishing the authenticity and accountability of actions or transactions due to the breach.

In your research, you may want to consider multiple credible Web sources, including but not limited to Twitter Investigation Reports or security news articles. You don’t have to reference them in text but include a link or reference to them at the end of your submission (references are excluded from word count).

Structure your answer using the 5 security principles in the same order as above. (10%)

Question 2

Concisely describe the 2020 Twitter security breach as follows:

•    What was the initial attack vector of this attack (you should use the specific security term and explain clearly but concisely what happened)?

•    Which vulnerability did the attackers target, and why that one?

•    Which controls could Twitter have employed to mitigate or prevent the security breach? Propose up to three specific recommendations and explain how each could address the identified vulnerability. (10%)

In your research, you may want to consider multiple credible Web sources, including but not limited to Twitter Investigation Reports or security news articles. You don’t have to reference them in text but include a link or reference to them at the end of your submission (references are excluded from word count).

Question 3

Your business manager has asked you to provide suggestions on how to improve the following password policy of your company. Don’t create an actual new policy (this exercise is for identifying weaknesses and suggesting improvements). Use the same numbering and headers to structure your suggestions.

1.     Purpose: This policy kinda tells you some stuff about passwords. It's supposed to protect user accounts and stuff, but don't worry too much about it.

2.     Scope: This policy applies to all employees.

3.     Password Complexity: Passwords must consist of at least four characters, including both uppercase and lowercase letters.

4.     Password Storage and Transmission: Passwords will be stored in a central database using basic encryption methods.

5.     Password Change and Expiration: Users are required to change their passwords every year.

6.     Password Management: Users are encouraged to write down their passwords and keep them in a secure location.

7.     Multi-Factor Authentication (MFA): Multi-factor authentication is not mandatory but can be enabled if desired.

8.     Education and Awareness: Users will receive minimal training on password security during orientation.

9.    Compliance and Enforcement: Non-compliance may result in a verbal warning, but no further consequences will be enforced.

10.  Policy Review: This policy will be reviewed every three years or as deemed necessary.

(10%)
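An added illustration, not part of the assignment, of what corrected versions of items 3 and 4 look like in practice: a length-and-blocklist check in place of the four-character, mixed-case rule, and storage of passwords as salted, memory-hard hashes instead of reversible "basic encryption". The 12-character minimum, the scrypt parameters and the blocklist entries are illustrative assumptions, and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Illustrative assumptions, not values taken from the assignment or a standard.
MIN_LENGTH = 12
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # about 16 MiB of memory per hash
# Constructed blocklist; in practice this would be a breached-password corpus.
BLOCKLIST = {"password", "password1", "welcome123", "company2023"}


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty means accepted).

    Length plus a blocklist replaces the original policy's four-character
    composition rule: length is what drives the cost of guessing.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BLOCKLIST:
        problems.append("appears on the blocked-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different records and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time. Nothing stored here can
    be decrypted back into the password, which is the point: a stolen database
    (even with the application's key) does not yield plaintext passwords."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("Ab1c", "Password1", "correct horse battery staple"):
        print(repr(pw), "->", check_password_policy(pw) or "accepted")
    salt, digest = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong:  ", verify_password("correct horse battery stapler", salt, digest))
```

The check deliberately has no "must contain upper and lower case" rule: a short password with mixed case (item 3) is still cheap to guess, while a long passphrase that fails a composition rule is not. The verification path is the only way a stored record is ever used, so nothing in the system needs a decryption key, which removes the weakness of item 4 entirely.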

Question 4

You are a business analyst participating in the risk assessment process for your business. You have completed many different courses at UQ and are therefore familiar not only with how to do this but you are also an expert in setting up spreadsheets. Senior management has devised a Weighted Factor Analysis policy for the valuation of all assets within the risk assessment process, and your business uses a combination of quantitative and qualitative risk data points to describe impact. All relevant data is contained in a spreadsheet already that your predecessor Lennart has created (this spreadsheet is available to you on Blackboard). However, you have found out that the reason Lennart no longer works in your company is that he made too many errors in his spreadsheet formulas.

As part of an overall risk assessment process, you are asked to assess the risk in relation to two information assets using a version of this spreadsheet corrected by you.

The assets under investigation are:

(1)  An Oracle SQL database containing product information. You have assessed that the database has a moderate impact on revenues earned by your business, and a medium business impact on the public image of your business. The most likely attack against this database is insider abuse, and this is estimated to be 15% probable. The current controls in place to counter this attack are estimated to be 75% effective. You are 95% certain of your assumptions and data.

(2)  A UNIX transaction server for the business organisation is hosted in-house and those transactions have a high impact on revenue, and a very high impact on the public image of your business. The server can be attacked using malware with a likelihood of a single attack estimated to be 0.25. A control has been implemented that reduces the impact of any vulnerability by 30%. You are 90% certain of your assumptions and data.

You are now required to do the following:

Calculate the asset value and the relative risk for each of the two assets. For relative risk use formula (3) from the presentation (slide 28). You will have to correct the version of the spreadsheet made available to you. Color the background of the asset value cells and relative risk cells light green (in Excel, “Fill Color”). Highlight the risk of the asset you would recommend for further security in red (in Excel, “Font Color”).

You must insert a screenshot of your final spreadsheet, created from the template given to you, into your document in landscape mode as a picture. All intermediate and final values must be clearly visible (range A1:P18). Do NOT submit your spreadsheet; it will be discarded. (10%)
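A worked version of the Question 4 calculation, added here as an example; it is not part of the assignment and not Lennart's spreadsheet. Formula (3) from slide 28 is not reproduced on this sheet, so the example assumes the Whitman & Mattord form of the relative-risk formula that the question's terms (likelihood, current controls, certainty) follow. It also assumes the criteria weights and the mapping from the qualitative impact descriptors (moderate, medium, high, very high) to numeric scores, both of which live in the Blackboard spreadsheet rather than on this page. All names and values marked as assumed are mine; replace them with the course's own before relying on the numbers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed criteria weights; weighted factor analysis needs them to sum to 100.
CRITERIA_WEIGHTS = {"revenue": 60, "public image": 40}

# Assumed mapping of the qualitative impact descriptors to scores in (0, 1].
IMPACT_SCORES = {"low": 0.2, "moderate": 0.4, "medium": 0.6, "high": 0.8, "very high": 1.0}


@dataclass
class Asset:
    name: str
    impacts: Dict[str, str]       # criterion -> qualitative descriptor
    likelihood: float             # probability of the most likely attack, 0..1
    control_effectiveness: float  # fraction of risk mitigated by current controls, 0..1
    certainty: float              # confidence in assumptions and data, 0..1


def asset_value(asset: Asset, weights: Dict[str, int] = CRITERIA_WEIGHTS) -> float:
    """Weighted factor analysis: sum over criteria of weight * impact score."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100, got %d" % sum(weights.values()))
    missing = [c for c in weights if c not in asset.impacts]
    if missing:
        raise ValueError("%s: no impact rating for %s" % (asset.name, missing))
    return sum(w * IMPACT_SCORES[asset.impacts[c]] for c, w in weights.items())


def relative_risk(asset: Asset) -> float:
    """Assumed formula (Whitman & Mattord form):
        risk = likelihood * value
               - control_effectiveness * (likelihood * value)
               + uncertainty * (likelihood * value),   uncertainty = 1 - certainty.
    Inputs must already be fractions. The question gives 15% for one asset and
    0.25 for the other; mixing the two forms in one column is exactly the kind
    of spreadsheet formula error this exercise expects you to find."""
    for label, v in (("likelihood", asset.likelihood),
                     ("control effectiveness", asset.control_effectiveness),
                     ("certainty", asset.certainty)):
        if not 0.0 <= v <= 1.0:
            raise ValueError("%s: %s=%r is not a fraction in [0, 1]" % (asset.name, label, v))
    base = asset.likelihood * asset_value(asset)
    uncertainty = 1.0 - asset.certainty
    return base - asset.control_effectiveness * base + uncertainty * base


# The two assets from the question, with percentages converted to fractions.
ASSETS = [
    Asset("Oracle SQL product database", {"revenue": "moderate", "public image": "medium"},
          likelihood=0.15, control_effectiveness=0.75, certainty=0.95),
    Asset("UNIX transaction server", {"revenue": "high", "public image": "very high"},
          likelihood=0.25, control_effectiveness=0.30, certainty=0.90),
]


def rank_assets(assets: List[Asset] = ASSETS) -> List[Tuple[str, float, float]]:
    """(name, asset value, relative risk) rows, highest relative risk first;
    the first row is the asset to recommend for further security."""
    rows = [(a.name, asset_value(a), relative_risk(a)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, value, risk in rank_assets():
        print("%-30s asset value %6.2f   relative risk %6.2f" % (name, value, risk))
```

Under these assumptions the database comes out at value 48 and relative risk 2.16, the transaction server at value 88 and relative risk 17.6. The ranking does not depend on the assumed weights or score mapping: the server's multiplier (0.25 likelihood × (1 − 0.30 + 0.10) = 0.20) is more than four times the database's (0.15 × (1 − 0.75 + 0.05) = 0.045), and the server scores at least as high on both criteria, so it is the asset to highlight in red whatever the course's own weights are. The two validation checks (weights summing to 100, every rate expressed as a fraction in [0, 1]) are the first things to verify in the inherited spreadsheet.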