Principles of Information Security - Assignment 3
Description
Marks out of
Weighting
Due date
Assignment 3 Report and Presentation based on
CASE STUDY: BCX.COM
(A fictitious analysis of a security breach)
Length: 3000 words approx. plus Appendices
100
70%
08 October 2014
This assignment assesses your understanding in relation to the following three course objectives:
1. analyse information security vulnerabilities and threats and determine appropriate controls that can be applied to mitigate the potential risks
2. explain why continual improvement is necessary to maintain reasonably secure information systems and IT infrastructure and to describe the role of disaster recovery and business continuity plans in recovering information and operational systems when systems and hardware fail
4. demonstrate an ability to communicate effectively both written and orally about the management of information security in organisations.
This assignment assesses the following graduate skills: Problem Solving, Academic & Professional Literacy and Oral and Written Communication at level 2.
This assignment relates to the topics covered in modules 1 to 10. This assignment can be completed by groups of two students or as an individual assignment. Details regarding the allocation of students to teams will be provided on the course study desk. Each student team will be allocated their own discussion forum for assignment 3 to specifically work collaboratively as a team in developing and discussing their approach to assignment 3 case study and the required Security report and presentation. Regular participation in each team’s discussion forum by the team members each week from Monday 8th September until Friday 17th October is expected. Each team member will also be required to keep a journal of their activities and progress related to completing this assignment and will form part of the assessment for assignment 3. In date order clearly list the following:
· date of research activity/discussion
· topics researched or discussed
· time duration of activity.
Submit this journal for each team member as an appendix to the assignment 3 Recommendations report. Any reference to web pages and on line resources such as white papers, blogs, wikis etc. should be listed at the end of the journal.
Regular participation on the discussion forums dedicated for this assessment is highly recommended and can assist greatly with this assessment item. Also note that you are expected to do research outside of the course materials provided.
Case Study: BIGCOINX (A fictitious analysis of the importance of Security in the Digital Currency World)
Background:
BigCoinX (BCX) is an Internet bitcoin exchange start-up founded in early 2013 riding on the boom of interest in the bitcoin currency of the last few years.
Established by former work colleagues in the investment banking industry, Mark Buck (current CEO) and Peter Gates (CTO), the company by late 2013 was relatively successful .
Principles of Information Security - Assignment 3 DescriptionM.docx
1. Principles of Information Security - Assignment 3
Description
Marks out of
Weighting
Due date
Assignment 3 Report and Presentation based on
CASE STUDY: BCX.COM
(A fictitious analysis of a security breach)
Length: 3000 words approx. plus Appendices
100
70%
08 October 2014
This assignment assesses your understanding in relation to the
following three course objectives:
1. analyse information security vulnerabilities and threats and
determine appropriate controls that can be applied to mitigate
the potential risks
2. explain why continual improvement is necessary to maintain
reasonably secure information systems and IT infrastructure and
to describe the role of disaster recovery and business continuity
plans in recovering information and operational systems when
systems and hardware fail
4. demonstrate an ability to communicate effectively both
written and orally about the management of information security
in organisations.
This assignment assesses the following graduate skills: Problem
Solving, Academic & Professional Literacy and Oral and
Written Communication at level 2.
This assignment relates to the topics covered in modules 1 to
10. This assignment can be completed by groups of two students
or as an individual assignment. Details regarding the allocation
of students to teams will be provided on the course study desk.
Each student team will be allocated their own discussion forum
for assignment 3 to specifically work collaboratively as a team
2. in developing and discussing their approach to assignment 3
case study and the required Security report and presentation.
Regular participation in each team’s discussion forum by the
team members each week from Monday 8th September until
Friday 17th October is expected. Each team member will also
be required to keep a journal of their activities and progress
related to completing this assignment and will form part of the
assessment for assignment 3. In date order clearly list the
following:
· date of research activity/discussion
· topics researched or discussed
· time duration of activity.
Submit this journal for each team member as an appendix to the
assignment 3 Recommendations report. Any reference to web
pages and on line resources such as white papers, blogs, wikis
etc. should be listed at the end of the journal.
Regular participation on the discussion forums dedicated for
this assessment is highly recommended and can assist greatly
with this assessment item. Also note that you are expected to do
research outside of the course materials provided.
Case Study: BIGCOINX (A fictitious analysis of the
importance of Security in the Digital Currency World)
Background:
BigCoinX (BCX) is an Internet bitcoin exchange start-up
founded in early 2013 riding on the boom of interest in the
bitcoin currency of the last few years.
Established by former work colleagues in the investment
banking industry, Mark Buck (current CEO) and Peter Gates
(CTO), the company by late 2013 was relatively successful and
doing an estimated 1% of all global bitcoin trades.
3. While in the scheme of things, the user base numbers seems
good, both Mark and Peter know, that to achieve a critical mass
of users that will establish BCX as a “player” in the bitcoin
world, they will need to reach numbers upwards of 10% of
global bitcoin trades.
With bitcoin being a hot topic and Internet start-ups springing
up all the time to try to make money from the bitcoin rush, BCX
knows it has to stay ahead of the game.
The company is continually innovating and responding to user
requirements, industry trends and competitive challenges. Mark
and Peter’s 5 person business, based in Sydney’s upcoming
Technology Hub, Redfern, is a busy and dynamic environment.
BCX is aiming to become profitable and self-sufficient by the
end of 2014 at the latest. It is at this time that their capital
funds will be exhausted, but they estimate, once they hit the 3%
global mark, and have deployed into production their new
bitcoin trading software, (both aggressively targeted for
October, 2014), they will have positive financial results.
-----------------
News Release: March 17, 2013: “Largest Global Bitcoin
Marketplace Hacked: Mt Gox, the world’s largest bitcoin
exchange files for bankruptcy. $600M in bitcoins stolen”.
----------------
Waking up to news overnight that their largest competitor has
been hacked (or otherwise – details are sketchy) and that they
have lost over $600M in their customer’s bitcoins has shaken up
the BCX team.
Mark and Peter are nervous. If the world’s largest bitcoin
exchange has gone under, what position does that leave them
in? With little news available and probably no expectation of
knowing what exactly went on at Mt Gox for some time, BCX
must try to assess their own position and risks. There is a lot at
4. stake here. Are they exposed as well? Are their clients going to
be nervous and do a “run” on the exchange? Is their business
secure?
Time is of an essence so an emergency teleconference is
organised between Mark, Peter and Phil Jones, (Technical
Support Manager) at HotHost1 – a cloud services company
where the BCX environment is hosted.
Some resources which may be useful for this assignment 3 Case
Study
At Mt. Gox bitcoin hub, 'geek' CEO sought both control and
escape http://www.reuters.com/article/2014/04/21/us-bitcoin-
mtgox-karpeles-insight-idUSBREA3K01D20140421
Avoiding the next Mt. Gox: Vault of Satoshi bitcoin exchange
launches proof-of-solvency service
http://pando.com/2014/04/22/avoiding-the-next-mt-gox-vault-
of-satoshi-bitcoin-exchange-launches-proof-of-solvency-
service/
Bitcoin Transaction Malleability and MtGox
http://arxiv.org/pdf/1403.6676v1.pdf
Mt.Gox Finds 200,000 Bitcoin In An “Old-Format” Digital
Wallet
http://techcrunch.com/2014/03/20/mt-gox-finds-200000-bitcoin-
in-an-old-format-digital-wallet/
Mt. Gox
http://en.wikipedia.org/wiki/Mt._Gox
March 18, 2014, 9:45am: Offices of HackStop Consulting
A quiet morning for you until a call from a company called
BCX reaches your desk.
As a Senior IT Security Consultant at HackStop Consulting,
5. you’ve had calls like this many times. It’s time to get your game
on again! Time to visit the offices of BCX. Their CEO, CTO
and a Manager from their hosting provider HotHost1 are
desperate to meet with you.
Your Task
On return from your meeting, it’s time to quickly put together a
proposed plan of work and a response for BCX. Given the
nature of your assignment with BCX, an urgent response and
work-plan is required that outlines your approach and
methodologies to:
(1) Assessing what could go wrong – how could someone (a
hacker?) compromise the BCX environment and steal the user
bitcoins?
(2) How does BCX ensure it does not happen?
Student Notes
At present, no other assumptions need to be made about the
actual security issues/breach at Mt Box but an understanding of
how it could have happened will assist with the assignment.
Read about the real Mt Gox episode and the history of bitcoin
and other bitcoin security issues of the past few years. (Google
is your best friend).
This assignment is focused upon seeing if you, the student has
built up an awareness of how security in Internet Websites can
be assessed and analysed to assist businesses in improving their
overall security position.
By being able to outline how you would go about reviewing the
security requirements outlined in the BCX case study and
making recommendations on improving security practices and
the appropriate controls that need to be put place to reduce the
risks to an acceptable level for BCX, the markers will be able to
assess your level of knowledge learned in this course and the
additional research you have undertaken.
Any information not provided in the case study may be
6. assumed, but make sure that your assumptions are stated and
that the assumptions are plausible.
**** NB; Importantly and in addition to your own study and
research, there will be two specific discussion forum threads on
the assignment discussion forum where you can ask questions of
the main players in the scenario:
1. Mark Buck and/or Peter Gates (BCX)
2. Phil Jones (HotHost1)
By actively participating in the forum discussions for this
assignment, you will gain valuable information and insight into
this case study that will be regarded highly by the markers.
(Note: Any questions which are not considered to be appropriate
or professional for the purpose of this assessment may not be
answered)
Deliverables
The success of your engagement is based upon two deliverables:
(1) Development of security audit plan to assess how you would
determine BCX’s security posture at the present time.
(2) A business proposal to BCX Management in the form of a
presentation (based on your proposed security audit plan –
Deliverable 1) that outlines how the organisation should be
better focusing on Information Security.
In detail:
(1) Security Audit Work-plan (WORD Document):
The Security Audit work plan should be included in a
professionally presented document of no more than 10 pages
and be structured to show how each phase of work is to be
undertaken. Your work-plan must include the following at a
minimum:
* Executive Summary: half-page brief outlining purpose;
scope, expectations and outcomes of the proposed plan of work.
(250 words)
Structured and ordered work plan phase description, which for
each section includes:
* Background and problem analysis - What could go wrong?
7. How could a hacker compromise the BCX web site environment
and steal the user information ? (approx. 500 words)
* Threat analysis - What is to be investigated and tested,
how it will be done, what sort of potential issues you are
looking for, and deliverables BCX and/or HotHost1 can expect
for each phase of work – (eg; the “deliverable” for the phase of
work could potentially be a report containing the results of a
vulnerability assessment test on BCX’s server(s)). (approx.
1000 words)
* Dependencies and critical success factors to the job - such
as key stakeholders in this security audit – the key people to be
interviewed or whose involvement in that phase of work is
required. (Remember, you don’t always get free-rein access to
systems and other information and because time is of
importance, you won’t get a long time to master the
environment. But, as you know, you cannot also always believe
everything you are told). What is key to getting this job done
efficiently and what support do you need to get this done, (from
BCX and also the hosting provider). (approx. 500 words)
* Set of recommendations for improving BCX’s current
security practices and ensuring that an appropriate set of
controls are put in place (approx. 750 words)
* Reference list of key sources in particular technical
references which support your approach (Not counted in word
count)
Note in this report and in the accompanying presentation you
are encouraged to make use of appropriate Figures and Tables to
emphasise the key points that you are trying make
* A journal of each team member's (for students completing
this assignment individually – your) activities in participating
and contributing to the completion of the work plan report and
presentation.
(2) Developing a Securer Environment for BCX for the Future
(POWERPOINT):
8. Your strategy presentation should be created as if it were an
actual presentation you were doing for a real client in relation
to your proposed work plan including a set of recommendations
and should contain the following at a minimum:
* 1 Slide for an Introduction outlining your team and the
organisation you work for
* 2-3 Slides covering the Background: A brief summary of
where BCX is today in regards to security practices in their
organisation and controls in place for their web servers.
* 2-3 Slides covering the Threat Analysis: A summary of the
major threats and associated vulnerabilities and the actions
required to reduce the risks associated with these threats and
specific vulnerabilities in their web servers to an acceptable
level.
* 2 Slides covering Dependencies and critical success factors
to the job: i.e. what is key to getting this job done efficiently
and what support do you need to get this done, (e.g. internal
business stakeholders, developers etc.)
* 2 Slides covering your proposed Set of recommendations
for improving security practices at BCX and ensuring
appropriate controls are in place in relation to their web site
which is core to their business
[The following is also to be included. While not part of a
“standard” Industry business presentation, it is there to allow
teaching staff to gauge what level of research has been
undertaken].
* 1 Slide acknowledging the key authoritative reference
sources which underpin the research you have conducted and
your approach in the proposed work plan in your proposed
business report.
------------------
Report and Presentation Format:
* MS WORD and PowerPoint respectively (or a web-based
presentation as an alternative to PowerPoint for (2) of the
9. assignment deliverables) must be used. NB; For the
presentation, you are asked to include a Word document (or
utilise the notes section of PowerPoint) to detail the length of
time expected to be spent on each slide (page) and the details of
what you would expect to discuss with the audience.
* This assignment is focused upon seeing if as a student in
this course you have built up an awareness of how security in an
environment should be set up and operated. By being able to
outline how you would review and test the security of the
fictional organisation, BCX, through assessment of the basics
such as good policies, standards, procedures and controls in
place, in addition to detection of incidents, the markers will be
able to assess your level of knowledge learned from the course
content and from your own additional research in relation to
this case study.
Principles of Information Security - Assignment 3
Description
Marks out of
Weighting
Due date
Assignment 3 Report and Presentation based on
CASE STUDY: BCX.COM
(A fictitious analysis of a security breach)
Length: 3000 words approx. plus Appendices
100
70%
08 October 2014
This assignment assesses your understanding in relation to the
following three course objectives:
1. analyse information security vulnerabilities and threats and
determine appropriate controls that can be applied to mitigate
the potential risks
2. explain why continual improvement is necessary to maintain
reasonably secure information systems and IT infrastructure and
to describe the role of disaster recovery and business continuity
10. plans in recovering information and operational systems when
systems and hardware fail
4. demonstrate an ability to communicate effectively both
written and orally about the management of information security
in organisations.
This assignment assesses the following graduate skills: Problem
Solving, Academic & Professional Literacy and Oral and
Written Communication at level 2.
This assignment relates to the topics covered in modules 1 to
10. This assignment can be completed by groups of two students
or as an individual assignment. Details regarding the allocation
of students to teams will be provided on the course study desk.
Each student team will be allocated their own discussion forum
for assignment 3 to specifically work collaboratively as a team
in developing and discussing their approach to assignment 3
case study and the required Security report and presentation.
Regular participation in each team’s discussion forum by the
team members each week from Monday 8th September until
Friday 17th October is expected. Each team member will also
be required to keep a journal of their activities and progress
related to completing this assignment and will form part of the
assessment for assignment 3. In date order clearly list the
following:
· date of research activity/discussion
· topics researched or discussed
· time duration of activity.
Submit this journal for each team member as an appendix to the
assignment 3 Recommendations report. Any reference to web
pages and on line resources such as white papers, blogs, wikis
etc. should be listed at the end of the journal.
Regular participation on the discussion forums dedicated for
this assessment is highly recommended and can assist greatly
with this assessment item. Also note that you are expected to do
research outside of the course materials provided.
11. Case Study: BIGCOINX (A fictitious analysis of the
importance of Security in the Digital Currency World)
Background:
BigCoinX (BCX) is an Internet bitcoin exchange start-up
founded in early 2013 riding on the boom of interest in the
bitcoin currency of the last few years.
Established by former work colleagues in the investment
banking industry, Mark Buck (current CEO) and Peter Gates
(CTO), the company by late 2013 was relatively successful and
doing an estimated 1% of all global bitcoin trades.
While in the scheme of things, the user base numbers seems
good, both Mark and Peter know, that to achieve a critical mass
of users that will establish BCX as a “player” in the bitcoin
world, they will need to reach numbers upwards of 10% of
global bitcoin trades.
With bitcoin being a hot topic and Internet start-ups springing
up all the time to try to make money from the bitcoin rush, BCX
knows it has to stay ahead of the game.
The company is continually innovating and responding to user
requirements, industry trends and competitive challenges. Mark
and Peter’s 5 person business, based in Sydney’s upcoming
Technology Hub, Redfern, is a busy and dynamic environment.
BCX is aiming to become profitable and self-sufficient by the
end of 2014 at the latest. It is at this time that their capital
funds will be exhausted, but they estimate, once they hit the 3%
global mark, and have deployed into production their new
bitcoin trading software, (both aggressively targeted for
October, 2014), they will have positive financial results.
-----------------
12. News Release: March 17, 2013: “Largest Global Bitcoin
Marketplace Hacked: Mt Gox, the world’s largest bitcoin
exchange files for bankruptcy. $600M in bitcoins stolen”.
----------------
Waking up to news overnight that their largest competitor has
been hacked (or otherwise – details are sketchy) and that they
have lost over $600M in their customer’s bitcoins has shaken up
the BCX team.
Mark and Peter are nervous. If the world’s largest bitcoin
exchange has gone under, what position does that leave them
in? With little news available and probably no expectation of
knowing what exactly went on at Mt Gox for some time, BCX
must try to assess their own position and risks. There is a lot at
stake here. Are they exposed as well? Are their clients going to
be nervous and do a “run” on the exchange? Is their business
secure?
Time is of an essence so an emergency teleconference is
organised between Mark, Peter and Phil Jones, (Technical
Support Manager) at HotHost1 – a cloud services company
where the BCX environment is hosted.
Some resources which may be useful for this assignment 3 Case
Study
At Mt. Gox bitcoin hub, 'geek' CEO sought both control and
escape http://www.reuters.com/article/2014/04/21/us-bitcoin-
mtgox-karpeles-insight-idUSBREA3K01D20140421
Avoiding the next Mt. Gox: Vault of Satoshi bitcoin exchange
launches proof-of-solvency service
http://pando.com/2014/04/22/avoiding-the-next-mt-gox-vault-
of-satoshi-bitcoin-exchange-launches-proof-of-solvency-
service/
13. Bitcoin Transaction Malleability and MtGox
http://arxiv.org/pdf/1403.6676v1.pdf
Mt.Gox Finds 200,000 Bitcoin In An “Old-Format” Digital
Wallet
http://techcrunch.com/2014/03/20/mt-gox-finds-200000-bitcoin-
in-an-old-format-digital-wallet/
Mt. Gox
http://en.wikipedia.org/wiki/Mt._Gox
March 18, 2014, 9:45am: Offices of HackStop Consulting
A quiet morning for you until a call from a company called
BCX reaches your desk.
As a Senior IT Security Consultant at HackStop Consulting,
you’ve had calls like this many times. It’s time to get your game
on again! Time to visit the offices of BCX. Their CEO, CTO
and a Manager from their hosting provider HotHost1 are
desperate to meet with you.
Your Task
On return from your meeting, it’s time to quickly put together a
proposed plan of work and a response for BCX. Given the
nature of your assignment with BCX, an urgent response and
work-plan is required that outlines your approach and
methodologies to:
(1) Assessing what could go wrong – how could someone (a
hacker?) compromise the BCX environment and steal the user
bitcoins?
(2) How does BCX ensure it does not happen?
Student Notes
At present, no other assumptions need to be made about the
actual security issues/breach at Mt Box but an understanding of
how it could have happened will assist with the assignment.
Read about the real Mt Gox episode and the history of bitcoin
and other bitcoin security issues of the past few years. (Google
14. is your best friend).
This assignment is focused upon seeing if you, the student has
built up an awareness of how security in Internet Websites can
be assessed and analysed to assist businesses in improving their
overall security position.
By being able to outline how you would go about reviewing the
security requirements outlined in the BCX case study and
making recommendations on improving security practices and
the appropriate controls that need to be put place to reduce the
risks to an acceptable level for BCX, the markers will be able to
assess your level of knowledge learned in this course and the
additional research you have undertaken.
Any information not provided in the case study may be
assumed, but make sure that your assumptions are stated and
that the assumptions are plausible.
**** NB; Importantly and in addition to your own study and
research, there will be two specific discussion forum threads on
the assignment discussion forum where you can ask questions of
the main players in the scenario:
1. Mark Buck and/or Peter Gates (BCX)
2. Phil Jones (HotHost1)
By actively participating in the forum discussions for this
assignment, you will gain valuable information and insight into
this case study that will be regarded highly by the markers.
(Note: Any questions which are not considered to be appropriate
or professional for the purpose of this assessment may not be
answered)
Deliverables
The success of your engagement is based upon two deliverables:
(1) Development of security audit plan to assess how you would
determine BCX’s security posture at the present time.
(2) A business proposal to BCX Management in the form of a
presentation (based on your proposed security audit plan –
Deliverable 1) that outlines how the organisation should be
better focusing on Information Security.
15. In detail:
(1) Security Audit Work-plan (WORD Document):
The Security Audit work plan should be included in a
professionally presented document of no more than 10 pages
and be structured to show how each phase of work is to be
undertaken. Your work-plan must include the following at a
minimum:
* Executive Summary: half-page brief outlining purpose;
scope, expectations and outcomes of the proposed plan of work.
(250 words)
Structured and ordered work plan phase description, which for
each section includes:
* Background and problem analysis - What could go wrong?
How could a hacker compromise the BCX web site environment
and steal the user information ? (approx. 500 words)
* Threat analysis - What is to be investigated and tested,
how it will be done, what sort of potential issues you are
looking for, and deliverables BCX and/or HotHost1 can expect
for each phase of work – (eg; the “deliverable” for the phase of
work could potentially be a report containing the results of a
vulnerability assessment test on BCX’s server(s)). (approx.
1000 words)
* Dependencies and critical success factors to the job - such
as key stakeholders in this security audit – the key people to be
interviewed or whose involvement in that phase of work is
required. (Remember, you don’t always get free-rein access to
systems and other information and because time is of
importance, you won’t get a long time to master the
environment. But, as you know, you cannot also always believe
everything you are told). What is key to getting this job done
efficiently and what support do you need to get this done, (from
BCX and also the hosting provider). (approx. 500 words)
* Set of recommendations for improving BCX’s current
security practices and ensuring that an appropriate set of
controls are put in place (approx. 750 words)
16. * Reference list of key sources in particular technical
references which support your approach (Not counted in word
count)
Note in this report and in the accompanying presentation you
are encouraged to make use of appropriate Figures and Tables to
emphasise the key points that you are trying make
* A journal of each team member's (for students completing
this assignment individually – your) activities in participating
and contributing to the completion of the work plan report and
presentation.
(2) Developing a Securer Environment for BCX for the Future
(POWERPOINT):
Your strategy presentation should be created as if it were an
actual presentation you were doing for a real client in relation
to your proposed work plan including a set of recommendations
and should contain the following at a minimum:
* 1 Slide for an Introduction outlining your team and the
organisation you work for
* 2-3 Slides covering the Background: A brief summary of
where BCX is today in regards to security practices in their
organisation and controls in place for their web servers.
* 2-3 Slides covering the Threat Analysis: A summary of the
major threats and associated vulnerabilities and the actions
required to reduce the risks associated with these threats and
specific vulnerabilities in their web servers to an acceptable
level.
* 2 Slides covering Dependencies and critical success factors
to the job: i.e. what is key to getting this job done efficiently
and what support do you need to get this done, (e.g. internal
business stakeholders, developers etc.)
* 2 Slides covering your proposed Set of recommendations
for improving security practices at BCX and ensuring
appropriate controls are in place in relation to their web site
which is core to their business
17. [The following is also to be included. While not part of a
“standard” Industry business presentation, it is there to allow
teaching staff to gauge what level of research has been
undertaken].
* 1 Slide acknowledging the key authoritative reference
sources which underpin the research you have conducted and
your approach in the proposed work plan in your proposed
business report.
------------------
Report and Presentation Format:
* MS WORD and PowerPoint respectively (or a web-based
presentation as an alternative to PowerPoint for (2) of the
assignment deliverables) must be used. NB; For the
presentation, you are asked to include a Word document (or
utilise the notes section of PowerPoint) to detail the length of
time expected to be spent on each slide (page) and the details of
what you would expect to discuss with the audience.
* This assignment is focused upon seeing if as a student in
this course you have built up an awareness of how security in an
environment should be set up and operated. By being able to
outline how you would review and test the security of the
fictional organisation, BCX, through assessment of the basics
such as good policies, standards, procedures and controls in
place, in addition to detection of incidents, the markers will be
able to assess your level of knowledge learned from the course
content and from your own additional research in relation to
this case study.