Enterprise Cyber Security (M)

COMPSCI 5077

2020

1.   Bartik and Spence have created a successful financial start-up in Lilliput, a country not part of the European Union (EU) or the European Economic Area (EEA). The pair have decided to create a branch of the financial start-up company in France, a country that is part of the European Union (EU). The pair are encountering fierce competition, in both France and Lilliput, from various similar financial start-up companies.

Bartik and Spence are keen to ensure they demonstrate a professional, high-quality service that customers will recommend to friends and family. The pair want to use cloud computing to ensure their company can scale, but have limited technical knowledge and experience. Bartik also highlights that both governments have strict financial regulations that, while loosening, are likely to change as the countries are in the process of negotiating a wide-spread trade agreement.

a.   The pair have decided to use cloud computing, but the pair are unsure of the optimal cloud deployment model.

Critique FOUR different cloud deployment models in the given context. Argue for the optimal solution in the given context.

(approximately 400 words)

b.   Spence is concerned about the confidentiality of customer data, specifically personal data leaking from use of cloud computing infrastructure or as the result of a cyber-attack. Spence is also concerned that once data is compromised, unauthorised individuals could infer insight from data, potentially giving an advantage to competitors. Spence initially considered encryption to further protect customer data, but felt it was not realistic or optimal. Bartik agrees, but argues they must still ensure they can efficiently utilise customer data pertaining to profiling repayment habits and transaction history for individual customers. A customer record contains various items of information, such as annual salary and gender, as well as sensitive information, including racial origin and religious beliefs.

Argue for TWO obfuscation-based inference controls that would be optimal in the given context.

c.   Spence states that they could offer existing French customers better financial products and interest rates, if the pair stored and processed all data at their Lilliput branch. Spence argues all that would be required is to transfer and store all existing customer data at the Lilliput branch. Bartik argues that since Lilliput is not part of the European Union (EU), no such data transfer can occur. Spence argues this is not a problem as the company’s customer data is transited all over the world, effectively passing through various non-EU networks to their back-up systems in various other EU countries.

Appraise different options for the restricted transfer of customer data in the given context and argue whether the different positions adopted by Bartik and Spence are accurate.

(approximately 400 words)

2.   The Lena Corporation design various Image Processing Units (IPUs) for portable devices, such as smartphones and tablets. The company remains competitive due to a number of valuable trade secrets related to the design of its IPUs. However, many of these trade secrets have now been leaked to the public in a suspected cyber-attack.

The management team are concerned that attackers have intruded into company systems that were perceived as secure from such threats. The management team have requested Simon, Stallman and Stroustrup to investigate and to determine the anatomy of the suspected cyber-attack as well as suggest appropriate defences.

a.   Simon, Stallman and Stroustrup have reviewed the log of security incidents that have been reported in the past 12 months within the company. The trio have already determined several relevant incidents:

•   Two removable media drives (USB memory drives) with the label ‘HR department’ written on them have been discovered in the toilets in separate site offices. The USB memory drives contain various Microsoft Excel files.

•   36 suspicious emails have been reported within the organisation, specifically in the administration office. Each email has been structured to appear from the immediate superior to the recipient, such as their line manager or team leader.

•   14 suspicious attachments, specifically Microsoft Excel files, that appear relevant to the recipient’s role and benign, but contain a malicious payload. An example would be a financial analyst receiving a spreadsheet labelled ‘Annual Budget’.

•   Remote administration tools have been located on various employee systems, that were not present at the previous inspection.

•   Several employees report receiving suspicious friend requests and messages on social networking services from profiles masquerading as colleagues.

The trio agree that the identified incidents alone are not sufficient to gain insight into the anatomy of the cyber-attack. The trio propose using an approach to better understand the cyber-attack, but cannot agree on an optimal approach.

Simon proposes using Attack Trees, Stallman suggests the Cyber Kill Chain approach, while Stroustrup advocates for the STRIDE approach.

Appraise each of the proposed approaches from Simon, Stallman and Stroustrup in the given context. Argue for the optimal approach and formulate the anatomy of the cyber-attack in the given context.

b.   The management team want to ensure that the company is not susceptible to such a cyber-attack in the future.

Argue for THREE distinct defensive steps that could be taken to optimally defend against the attack identified in (a) and at what stage they should be taken.

3.   Perlman and Sammet is a British multinational retailer that specialises in clothing and food products. The company has been established for 150 years with more than 950 stores operating 24 hours a day. In the 1970s, Perlman and Sammet made considerable investment in a bespoke transaction system to manage customer transactions.

The company has 3 million visitors every 24 hours, 1 million of these visits conclude with a transaction and each transaction typically generates £10 of profit. The ageing transaction system has become the backbone of the company and is critical in the sale of goods. Nevertheless, the management team have become concerned about the dependency of the business on the transaction system.

a.   The management team have determined they can withstand a loss of £5 million profit from transactions, but major business units would be compromised after losses reach £20 million profit from failure of the transaction system. The management team believe the business would be irreparably damaged if the company could not process transactions after 72 hours. The technical support team state the transaction system could be restored within 36 hours from failure and so the business will not become irreparably damaged.

Discuss RPO, RTO and MTPOD in the given context and argue whether the statement from the technical support team is accurate.

(approximately 300 words)

b.   Perlman and Sammet currently rely on an ageing back-up tape-based system. The management team are considering replacing the system with a modern disk-based approach as it may reduce the time taken to restore valuable systems.

The technical support team argue that while a modern disk-based approach could replace the existing tape-based system, it would incur unforeseen costs. The technical support team argue several systems that interact with the back-up system would need to be replaced as a result and considerable staff training would also be required to utilise the new back-up system. The technical support team also argue little infrastructure investment is necessary as the current infrastructure supports a periodic back-up every 72 hours, that covers 12 hours of transactions.

Argue whether the position of the technical support team is accurate in the given context.

(approximately 300 words)

c.   The management team are keen to rapidly expand use of the transaction system, specifically to consumers, so as to increase the number of profitable transactions. The system support team are concerned, though, that the ageing transaction system may not be able to cope with the additional demand and that, in widening access to customers, previously unknown security vulnerabilities may arise. The management team state they will provide resources and need to expand the system within a relatively short timeframe. The system support team argue that many aspects of the ageing systems, such as source code, cannot be updated as they lack software engineers with sufficient knowledge of the systems. The system support team also state that no alternative system is available, if the current ageing system was to collapse.

Appraise FOUR approaches to evolve legacy systems and argue for the optimal approach in the given context.

(approximately 200 words)