CMT310 Developing Secure Systems and Applications

Hello, if you have any need, please feel free to consult us, this is my wechat: wx91due

Assessment Proforma 2024-25

Key Information

Module Code

CMT310

Module Title

Developing Secure Systems and Applications

Assessment Title

Technical Report

Assessment Number

1

Assessment Weighting

50%

Assessment Limits

This individual assessment consists of

THREE tasks to be completed and prepare a final report for the submission on

Learning Central. It should be a single report of 2,000 words (maximum,

including all except references). There should not be any appendix attached or included in this report.

The Assessment Calendar can be found under ‘Assessment & Feedback’ in the COMSC-   ORG-SCHOOL organisation on Learning Central. This is the single point of truth for (a) the hand out date and time, (b) the hand in date and time, and (c) the feedback return date for  all assessments.

Learning Outcomes

The learning outcomes for this assessment are as follows:

This individual assignment contributes to the assessment of the following Learning Outcomes (LO) 1, 2, 3, 4, 5 and 6 of the unit:

1. Compare and contrast common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. [T2]

2. Articulate security architectures relating to business needs and commercial product

development that can be realised using available tools, products, standards and protocols. [T1, T3]

3. Deliver systems assured to have met their security profile using accepted methods and development processes. [T2]

4. Critically analyse the correctness and properties of secure systems. [T1]

5. Justify the selection of different cryptosystems. [T2]

6. Critically analyse recent cyber security case studies. [T1, T2]

Submission Instructions

The coversheet can be found under ‘Assessment & Feedback’ in the COMSC-ORG- SCHOOL organisation on Learning Central.

All files should be submitted via Learning Central.  The submission page can be found under ‘Assessment & Feedback’ in the CMT310 module on Learning Central.  Your submission should consist of multiple files:

Description

Type

Name

Coversheet

Compulsory

One PDF (.pdf) file

Coversheet.pdf

Report

Compulsory

One PDF (.pdf) or Word file (.doc or .docx)

CMT310_[student

number].pdf/doc/docx

If you are unable to submit your work due to technical difficulties, please submit your work via e-mail to comsc-submissions@cardiff.ac.ukand notify the module leader.

Assessment Description

SCENARIO

There has been a major incident for the company ACME.LTD. Their main business is a mixture of manufacturing  and  distribution   management  for  other  organizations.  ACME.LTD   has  the following network infrastructure.

The following services are running within the network:

● Windows Active Directory

●    DHCP

● DNS Servers

● Mail Server (running SMTP & POP3)

● OpenVPN

● MsSQL Databases

● Multiple Samba Servers

● Web Servers

The ACME.LTD's databases were compromised via an internal web server. It was accessible via a lost laptop. The lost laptop only required a username and password to access it. However, the password was at least 16 characters long, SecureBoot and full disk encryption were not in use. All workstations and laptops in use are not part of the Windows Active Directory domain. This means all accounts used are local accounts.

Additionally, the attackers were able to use the access to the MsSQL services to pivot to the companies OT network and deploy ransomware. This resulted in the complete shutdown of the operations that relied upon the OT systems that had been Windows-based.

INSTRUCTIONS

This individual assessment consists of THREE tasks as  mentioned  below.  Please  carefully consider completing all tasks and prepare your final report. You are expected to submit this report on Learning Central which requires coursework submission as a single report of 2,000 words (maximum, including all except references). There should not be any appendix attached or included in this report. The expected font size is 12 and the font type is ‘Arial’ on all pages. There is no need to add a cover page with your submission but write your student number and name on the top of the first page of the report. You’re expected to back your answers with citations. Note, there is no ±10% word count criteria for this coursework. It is expected that your report (excluding references) must be within the 2,000 words count. Anything written beyond the first 2,000 words would be ignored during marking. Indicative word count against each task is mentioned. However, this is not a strict limit for each task, rather this should be used as a baseline for the expected amount of text/explanation against the maximum marks assigned for each task.

Task 1 [T1]: The CEO and CISO of ACME.TLD would like you to review their network architecture as previously presented and identify security issues, potential risks, and insecure properties.

[Indicative word count: 500]

Task 2 [T2]: Provide  recommendations with evidence of the  best  practices and applicable approaches to secure their network. Also, provide reflect on (i) what could be easily prevented and how, (ii) if not prevented, what could be detected and how, and (iii) if not prevented and detected, what could be recovered from security incidents and how. [Indicative word count: 1,000]

Task 3 [T3]: The CEO and CISO are keen to also know what additional technology and tooling could also be used to help future proof the system and justify your choices. [Indicative word count: 500]

References

References are not counted in the word limit. Use the IEEE format references: https://ieee- dataport.org/sites/default/files/analysis/27/IEEE%20Citation%20Guidelines.pdf.

This point will be further discussed in one of the lectures of the module.

and-referencing/citing-and-referencing-support

HELPING NOTES

• Vulnerability: A weakness in any aspect of a system that makes an exploit possible.

• Threat: A potential cause of an unwanted incident that may result in harm to a system.

• Attack: An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.

• Risk: An intersection of assets, threats and vulnerabilities.

• System or system model: A system that attackers target for attacks.

• Network  Architecture: It  is  defined  as the physical and logical  design  of the software, hardware, protocols, and media of the transmission of data.

• Security Architecture: The  NCSC  define security architecture  as    ‘The    practice of designing computer systems to achieve security goals. ’ These security goals are to make initial  compromise  of  the  system  difficult,  limit  the  impact of  any  compromise, make disruption of the system difficult, and  make  detection  of  a compromise easy. Security architecture must consider all the technology, people and processes relating to a computer system.

• Best  Practices: These are a standard or set of guidelines that is known to produce good outcomes if followed.

• Useful  article for  help: How to Prevent, Detect, and Respond to Cybersecurity Incidents, https://www.eidebailly.com/insights/articles/2020/5/how-to-prevent-detect-and-respond-   to-cybersecurity-incidents

Assessment Criteria

Task 1 Reviewing network architecture (Available Marks - 15)

High

Distinction

80%+

Critically analysed security issues with potential risks and their impact;

listed and defined security vulnerabilities and threats with rationale and

with specific technical details; identified and critically reflected on insecure properties with valid reasons; excellent demonstration of critical thinking, depth analysis, logical arguments, and citations used.

Distinction

70-79%

Critically analysed security issues with potential risks; listed and defined security vulnerabilities and threats with rationale and with specific

technical details; identified and critically reflected on insecure properties; Very good demonstration of critical thinking, depth analysis, logical

arguments, and citations used.

Merit

60-69%

Clearly analysed security issues with potential risks; listed and defined associated security vulnerabilities and threats; clearly identified and

reflected on insecure properties; good demonstration of critical thinking, depth analysis, logical arguments, and citations used.

Pass

50-59%

Some narration on security issues with potential risks; partially explained insecure properties; reasonable demonstration of critical thinking, depth analysis, logical arguments, and citations used.

Marginal Fail

40-49%

Not sufficiently narrated security issues with potential risks; not

adequately explained insecure properties; poor demonstration of critical thinking, depth analysis, logical arguments, and citations used.

Fail

0-39%

Not sufficiently narrated security issues; not explained insecure properties; very poor demonstration of critical thinking, depth analysis, logical

arguments, and citations are not used.

Task 2 Provide recommendations and approaches (Available Marks - 20)

High

Distinction

80%+

Excellent reflection on possible recommendations; appropriate and suitable use of strong and secure security approaches; excellent

demonstration of critical thinking, and logical arguments; excellent - quality and useful citations/references

Distinction

70-79%

Very good reflection on possible recommendations; appropriate use of secure security approaches; very good demonstration of critical thinking, and logical arguments; very good and useful citations/references

Merit

60-69%

Clearly reflected on possible recommendations; adequate use of suitable strong/secure security approaches; good demonstration of critical

thinking, and logical arguments; good citations/references

Pass

50-59%

Some reflection on recommendations; Partial use of suitable

strong/secure security approaches; reasonable demonstration of critical thinking, and logical arguments; some citations/references

Marginal Fail

40-49%

Not adequate reflection on recommendations; Not use of suitable security approaches; not sufficient demonstration of critical thinking, and logical arguments; limited citations

Fail

0-39%

No/limited reflection on recommendations; No use of security approaches; no/limited demonstration of critical thinking, and logical arguments; no

citations

Task 3 Additional technology and tooling (Available Marks - 15)

High

Distinction

80%+

Shown excellency in understanding and presented correct logical

arguments; excellent reflection on employing correct and suitable

technology and tools; excellent reflection on future proof of the system with valid arguments; excellent demonstration of critical thinking, logical arguments, and quality and suitable citations used

Distinction

70-79%

Shown very good understanding and presented correct logical arguments; great reflection on employing correct technology and tools; very good

reflection on future proof of the system; great demonstration of critical thinking, logical arguments, and very good citations used

Merit

60-69%

Shown competency in understanding and presented correct logical

arguments; good reflection on employing correct technology and tools; good and sufficient reflection on future proof of the system; good

demonstration of critical thinking, logical arguments, and good citations used

Pass

50-59%

Logical arguments with some errors, or invalid statements; some reflection on appropriate technology and/or tooling to be used; Some/partial

reflection on future proof of the system; reasonable demonstration of critical thinking, logical arguments, and some citations used

Marginal Fail

40-49%

Many factual or technical errors in arguments; inappropriate technology and/or tooling mentioned; Insufficient reflection on future proof of the system; poor demonstration of critical thinking, logical arguments;

no/limited citations used

Fail

0-39%

Many factual or technical errors in arguments; inappropriate technology and/or tooling mentioned; very limited reflection on future proof of the

system; very poor demonstration of critical thinking, logical arguments; no citations used




发表评论

电子邮件地址不会被公开。 必填项已用*标注