BISM7213 – Securing Business Information - Assignment 1 – Four questions
40% of overall course marks
Assignment Overview
This assignment must be completed individually by each student. This assignment requires a student to answer 4 questions (each with sub-parts) that cover the course content of the first 5 teaching weeks. Assignment 1 is worth 40% of the overall course marks. A student’s answer to each of the 4 questions (that is, each question and all its sub-parts) cannot exceed 300 words. This word limit per question requires a student to soundly analyse/research each question and then structure a response in a concise, business-informative fashion. There is no need to reference an answer unless referencing is specifically requested in the question. A student must construct each answer in her/his own words – and in ‘plain English’ business language (not technical language that would be more suited to computing science/engineering contexts). Please note that each question in this assignment may well span work covered across the first 5 weeks (and not simply relate to one specific week).
• One PDF submission via the Blackboard BISM7213 site (details closer to submission date)
• Please ensure your student details (name, number, email address) are contained on each page of the report in a suitably designed footer
Assignment Marking Guide
Each submission will be marked according to the following criteria:
• The completeness of the answer – does the answer show that the student has grasped the full meaning of the question and that the student has included all relevant points in the answer? (20%)
• Does the answer identify and accurately analyse the interdependencies among the relevant points? (10%)
• Is the answer presented in ‘plain English’ business language? The student must present answers (often discussing technical issues) in terminology/language that is clearly and easily understood by a business analyst/business manager (10%)
Question 1
The video “The SolarWinds Hack: The Largest Cyber Espionage Attack in the United States” (on Blackboard under “Assessment”) principally describes a 2020 attack made via malicious software (malware) on the SolarWinds Orion system in the United States, affecting thousands of SolarWinds’ customers. Students may refer to other Web sources for information on the SolarWinds hack. There is no need to reference these sources in your answer (but remember – do not copy – analyse and then report in your own words).
a) Concisely analyse the SolarWinds 2020 hack via the ‘lenses’ of confidentiality, integrity, authentication, availability, and non-repudiation.
(6%)
b) In 2020, your manager is concerned that your company, which also uses the SolarWinds Orion system, could be affected by the SolarWinds hack. He does not want to know how the hackers got into the SolarWinds Orion system, but what happened once they were in.
Concisely describe the SolarWinds hack once the hackers had infiltrated the Orion system as follows: (1) the type of malware that was used to infiltrate SolarWinds’ customers and the most worrying significance of this design type, (2) the method of infestation, (3) the degree of effectiveness of the existing malware detection in 2020, and the reason why.
BISM7213 assignment 1 – Semester 1, 2022
(4%)
Question 2
a) The blog post “Tricky Locky ransomware robs American hospitals” from Kaspersky (on Blackboard under Assessment) describes a ransomware attack at two hospitals in the US.
• What was the initial attack vector of this attack (you should use the specific security term and explain clearly but concisely what happened)?
• Which vulnerability did the attackers target?
• Are the controls provided by Kaspersky Lab solutions sufficient to protect the hospitals from future ransomware attacks – Yes/No – why?
(3%)
b) In seminar 2, we discussed two “decryption laws” (the Access and Assistance 2018 bill and the recently enacted Identify and Disrupt 2021 bill). Please consider the following scenario and question:
Question: You are a corporate business analyst. Your senior management has asked you for a concise description of the decryption laws. This description will be used to update executive managers across the business. Specifically, your description must address the following:
• An explanation of the “going dark” discourse and why “end-to-end” encryption has exacerbated this “going dark challenge”.
• Do the decryption laws aim to impose absolute Australian government control over the digital communications industry in Australia – yes/no – why?
• Do the decryption laws pose worrying implications for the security and privacy of the Australian people – yes/no – why?
(7%)
Question 3
Concisely design an Issue-Specific Security Policy for a university managing email messaging – what information would be in such a policy?
(10%)
Question 4
You are a business analyst participating in the risk assessment process for your business. Senior management has devised the following Weighted Factor Analysis policy for the valuations of all assets within the risk assessment process:
Information Asset    Impact to Revenue    Impact to Public Image    Weighted Score
Criterion Weight     75                   25                        100
Additionally, your business uses a combination of quantitative and qualitative risk data points to describe impact. The mappings between the qualitative labels and their quantitative settings are as follows:
Very high: 100%
High: 80%
Moderate: 65%
Medium: 50%
Low: 35%
Very Low: 20%
As part of an overall risk assessment process, you are asked to assess risk in relation to two information assets. These assets have been identified by you as follows:
An Electronic Data Interchange Logistics outbound (to supplier) data set. You have assessed that this document has a high impact on revenues earned by your business, and a medium business impact on the public image of your business. The most likely attack against this data set is insider abuse, and this is estimated to be 35% probable. The current controls in place to counter this attack are estimated to be 45% effective. You are 95% certain of your assumptions and data.
A web server for the business organization is hosted by the organization’s ISP. This server performs e‐commerce transactions that have very high impact on revenues, and a very high impact on the public image of your business. The web server can be attacked by sending it invalid HTTP values. The likelihood of a single attack is estimated to be 0.25. A control has been implemented that reduces the impact of the vulnerability by 15%. You are 80% certain of your assumptions and data.
You are now required to do the following:
a) Explain how you would calculate the asset valuations in the example above. Your answer should clearly explain all valuation criteria involved in the valuation.
(4%)
b) Calculate the relative risk for each of the two assets using the formula (3) from the presentation (Risk = likelihood * asset_value - % controlled + % uncertain). Which asset would you recommend for further security? You must show all working, and concisely list any assumptions you need to make.
(6%)
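As an added illustration (not part of the assignment sheet), the following Python script applies the Weighted Factor Analysis table and formula (3) to the two assets described above. It assumes that the “% controlled” and “% uncertain” terms are taken as percentages of the base risk (likelihood × asset value), and that “95% certain” means 5% uncertainty; those interpretations are assumptions to be stated in an answer, not facts given on the sheet.

```python
# Weighted factor analysis and the relative-risk formula from Question 4.
# Assumption: "% controlled" and "% uncertain" are applied to the base risk
# (likelihood x asset value), as in the textbook worked example this formula
# is usually taken from; uncertainty = 1 - stated certainty.

# Qualitative-to-quantitative mapping given in the assignment.
QUAL_SCALE = {
    "very high": 1.00, "high": 0.80, "moderate": 0.65,
    "medium": 0.50, "low": 0.35, "very low": 0.20,
}

# Criterion weights from the Weighted Factor Analysis policy (sum to 100).
CRITERION_WEIGHTS = {"revenue": 75, "public_image": 25}


def asset_value(revenue_impact: str, image_impact: str) -> float:
    """Weighted score on a 0-100 scale: map each qualitative label to its
    quantitative setting, multiply by the criterion weight, then sum."""
    impacts = {"revenue": revenue_impact, "public_image": image_impact}
    return sum(CRITERION_WEIGHTS[c] * QUAL_SCALE[impacts[c].lower()]
               for c in CRITERION_WEIGHTS)


def relative_risk(likelihood: float, value: float,
                  pct_controlled: float, pct_certain: float) -> float:
    """Formula (3): risk = likelihood * value - % controlled + % uncertain,
    with both percentage terms taken as fractions of the base risk."""
    base = likelihood * value
    uncertainty = 1.0 - pct_certain
    return base - base * pct_controlled + base * uncertainty


def assess_assets() -> list:
    """Return (asset, value, risk) tuples for the two assets, highest risk first."""
    edi_value = asset_value("High", "Medium")          # 72.5
    web_value = asset_value("Very high", "Very high")  # 100.0
    results = [
        ("EDI logistics outbound data set",
         edi_value, relative_risk(0.35, edi_value, 0.45, 0.95)),
        ("ISP-hosted e-commerce web server",
         web_value, relative_risk(0.25, web_value, 0.15, 0.80)),
    ]
    return sorted(results, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, value, risk in assess_assets():
        print(f"{name}: value={value:.1f}, relative risk={risk:.3f}")
```

The asset that sorts first is the one the formula ranks for further security; re-running with a different reading of the percentage terms shows how much the ranking depends on that assumption.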