BISM3205 – Business Information Security Assignment 1
BISM3205 - Business Information Security
Assignment 1 worth 40% of overall course marks
2023 S2
Assignment Overview
This assignment must be completed individually by each student. The submission deadline is 3pm, 06 Sep 2023. This assignment requires a student to answer 4 questions (each with sub-parts) that cover the course content of the first 4 teaching weeks. Assignment 1 is worth 40% of the overall course marks. A student’s answer to each of the 4 questions (that is, each question and all its sub-parts) cannot exceed 300 words (+10% tolerance per UQ policy). This word limit per question requires a student to soundly analyse/research each question and then structure a response in a concise, business-informative fashion. There is no need to reference an answer unless referencing is specifically requested in the question. A student must construct each answer in her/his own words – and in ‘plain English’ business language (using the language we use in class, not the more technical language that would suit computing science/engineering contexts). Please note that each question in this assignment may well span work covered across the first 4 weeks (and not simply relate to one specific week).
This assignment assumes that a third-year student is capable of assimilating information from not only this course, but also many other courses and reputable sources on the Internet, as would be required in a business setting. Students are advised that the use of AI technologies to develop responses is strictly prohibited and may constitute student misconduct under the Student Code of Conduct. Each assessment question evaluates students’ abilities, skills and knowledge without the aid of AI.
• PDF submission via the Blackboard BISM3205 site and Turnitin. We will mark using the Blackboard link and use the Turnitin link for the plagiarism check only (full details and links closer to the submission date).
• Please ensure your student details (name, number, email address) are contained on each page of the submission in a suitably designed footer.
• Clearly label which question and, if relevant, which sub-question you are answering (e.g., Question 1a)). You don’t have to repeat the question.
• Answer in full sentences, but you may want to use bullet points, numbering, or headers to help structure your answer.
• Read each question carefully for additional formatting requirements specific to the question.
Question 1
Objective: The objective of Question 1 is to analyse a real-world security breach in terms of its impact on confidentiality, integrity, availability, authentication, and non-repudiation. This exercise will help you understand the practical implications of security breaches and the importance of each of these security principles.
Instructions:
Write a concise analysis of the Twitter 2020 security breach, focusing on the following aspects:
• Confidentiality: Discuss how the breach impacted the confidentiality of sensitive information. Identify the type of data compromised and the potential consequences of unauthorized access to that data.
• Integrity: Analyze the impact of the breach on the integrity of the affected systems or data. Consider whether any data tampering or unauthorized modifications occurred and the potential consequences of such actions.
• Availability: Assess the effect of the breach on the availability of the affected systems or services. Discuss any downtime experienced, disruptions in service, or denial of access that resulted from the breach.
• Authentication: Examine the breach in terms of authentication vulnerabilities. Identify any weaknesses in the authentication mechanisms that allowed the breach to occur or facilitated unauthorized access.
• Non-repudiation: Evaluate whether the breach had any implications for non-repudiation. Discuss any challenges in establishing the authenticity and accountability of actions or transactions due to the breach.
In your research, you may want to consider multiple credible Web sources, including but not limited to Twitter Investigation Reports or security news articles. You don’t have to reference them in text but include a link or reference to them at the end of your submission (references are excluded from word count).
Structure your answer using the 5 security principles in the same order as above. (10%)
Question 2
Concisely describe the 2020 Twitter security breach as follows:
• What was the initial attack vector of this attack (you should use the specific security term and explain clearly but concisely what happened)?
• Which vulnerability did the attackers target, and why did they choose this one?
• Which controls could Twitter have employed that could have mitigated or prevented the security breach? Propose up to three specific recommendations and explain how each recommendation could address the identified vulnerability. (10%)
In your research, you may want to consider multiple credible Web sources, including but not limited to Twitter Investigation Reports or security news articles. You don’t have to reference them in text but include a link or reference to them at the end of your submission (references are excluded from word count).
Question 3
Your business manager has asked you to provide suggestions on how to improve the following password policy of your company. Don’t create an actual new policy (this exercise is for identifying weaknesses and suggesting improvements). Use the same numbering and headers to structure your suggestions.
1. Purpose: This policy kinda tells you some stuff about passwords. It's supposed to protect user accounts and stuff, but don't worry too much about it.
2. Scope: This policy applies to all employees.
3. Password Complexity: Passwords must consist of at least four characters, including both uppercase and lowercase letters.
4. Password Storage and Transmission: Passwords will be stored in a central database using basic encryption methods.
5. Password Change and Expiration: Users are required to change their passwords every year.
6. Password Management: Users are encouraged to write down their passwords and keep them in a secure location.
7. Multi-Factor Authentication (MFA): Multi-factor authentication is not mandatory but can be enabled if desired.
8. Education and Awareness: Users will receive minimal training on password security during orientation.
9. Compliance and Enforcement: Non-compliance may result in a verbal warning, but no further consequences will be enforced.
10. Policy Review: This policy will be reviewed every three years or as deemed necessary.
(10%)
Question 4
You are a business analyst participating in the risk assessment process for your business. You have completed many different courses at UQ and are therefore familiar not only with how to do this, but you are also an expert in setting up spreadsheets. Senior management has devised a Weighted Factor Analysis policy for the valuation of all assets within the risk assessment process, and your business uses a combination of quantitative and qualitative risk data points to describe impact. All relevant data is already contained in a spreadsheet that your predecessor Lennart created (this spreadsheet is available to you on Blackboard). However, you have found out that the reason Lennart no longer works at your company is that he made too many errors in his spreadsheet formulas.
As part of an overall risk assessment process, you are asked to assess the risk in relation to two information assets using a version of this spreadsheet corrected by you.
The assets under investigation are:
(1) An Oracle SQL database containing product information. You have assessed that the database has a moderate impact on revenues earned by your business, and a medium business impact on the public image of your business. The most likely attack against this database is insider abuse, and this is estimated to be 15% probable. The current controls in place to counter this attack are estimated to be 75% effective. You are 95% certain of your assumptions and data.
(2) A UNIX transaction server for the business organisation is hosted in-house and those transactions have high impact on revenue, and a very high impact on the public image of your business. The server can be attacked using malware with a likelihood of a single attack estimated to be 0.25. A control has been implemented that reduces the impact of any vulnerability by 30%. You are 90% certain of your assumptions and data.
You are now required to do the following:
Calculate the asset value and the relative risk for each of the two assets. For relative risk, use formula (3) from the presentation (slide 28). You will have to correct the version of the spreadsheet made available to you. Colour the background of the asset value cells and relative risk cells in light green (in Excel “Fill Color”). Highlight the risk of the asset you would recommend for further security in red (in Excel “Font Color”).
You must insert a screenshot of your final spreadsheet created from the template given to you into your document in landscape mode as a picture. All intermediate and final values must be clearly visible (range A1:P18). Do NOT submit your spreadsheet, it will be discarded! (10%)
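As an added illustration (not the course spreadsheet, and not formula (3) from the slides, which this brief does not reproduce), the following Python computes a weighted-factor asset value and a relative risk in the textbook form: likelihood × value, minus the share already controlled, plus an allowance for uncertainty. The criterion weights, the qualitative-to-numeric impact scale, and treating both control figures as "percentage of risk already controlled" are assumptions made here, not values from the assignment.

```python
# Added illustration, not the course's spreadsheet or its formula (3).
# Relative risk is computed as: L*V - L*V*controls + L*V*(1 - certainty).
# The impact scale and criterion weights below are ASSUMED for the demo.

# Assumed numeric scores for the qualitative impact ratings in Question 4.
IMPACT_SCALE = {"low": 0.2, "moderate": 0.5, "medium": 0.5,
                "high": 0.8, "very high": 1.0}

# Assumed criterion weights; in weighted factor analysis they sum to 100.
WEIGHTS = {"revenue": 60, "public image": 40}


def asset_value(ratings, weights=WEIGHTS):
    """Weighted factor analysis: sum of (criterion weight x impact score)."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    return sum(weights[c] * IMPACT_SCALE[ratings[c]] for c in weights)


def relative_risk(value, likelihood, controls, certainty):
    """Exposure (likelihood x value), less the share current controls already
    mitigate, plus an uncertainty allowance of (1 - certainty) of exposure."""
    for p in (likelihood, controls, certainty):
        if not 0.0 <= p <= 1.0:
            raise ValueError("likelihood, controls and certainty must be in [0, 1]")
    exposure = likelihood * value
    return exposure - exposure * controls + exposure * (1.0 - certainty)


# The two assets of Question 4, with the figures stated in the question.
ASSETS = {
    "Oracle SQL database": dict(
        ratings={"revenue": "moderate", "public image": "medium"},
        likelihood=0.15, controls=0.75, certainty=0.95),
    "UNIX transaction server": dict(
        ratings={"revenue": "high", "public image": "very high"},
        likelihood=0.25, controls=0.30, certainty=0.90),
}


def assess(assets=ASSETS):
    """Return {asset name: (asset value, relative risk)} for every asset."""
    out = {}
    for name, a in assets.items():
        v = asset_value(a["ratings"])
        out[name] = (v, relative_risk(v, a["likelihood"], a["controls"], a["certainty"]))
    return out


def highest_risk(assets=ASSETS):
    """Asset with the largest relative risk (candidate for further controls)."""
    return max(assess(assets).items(), key=lambda kv: kv[1][1])[0]
```

Running `assess()` reproduces, for the assumed weights and scale, the two cell values a corrected spreadsheet would show, and `highest_risk()` names the asset whose risk cell you would colour red.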
2023-08-25