
CMP71001 Assignment Help


CMP71001 Cybersecurity risk management, threat and attack modelling Assignment

Below attached the document and need to maintain 10% plagiarism
Unit code: CMP71001
Assignment 1: Cybersecurity risk management, threat and attack modelling
Due Date: December 18, 2020
Learning Outcomes: 1, 2, 4, 5
Graduate Attributes: 3, 4 & 5
Weight: 20% of overall unit assessment
Suggestion: You are strongly advised to start doing this assignment early in your study (week
1). Leaving your starting date to the week before the due date is a very poor
strategy for success in the unit.
Task Descriptions
Task 1: Case Study
Task
Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF) and Structured Query Language (SQL)
Injections are common attacks, exploiting web application vulnerabilities. Your task is to select one case
study example of one attack type from either XSS, CSRF or SQL injection as the basis for your report
and explain (and graphically depict) all components of the attack by addressing the following three
requirements:

  1. Develop a detailed walk through of how your chosen attack type would theoretically operate in the
    real-world. This section should clearly represent each stage of the attack with supportive discussions.
  2. Select one CVE (Common Vulnerabilities and Exposures) and proceed to identify and explain the
    intricacies of that real-world incident that eventuated based on your chosen attack type.
  3. By explaining your selected real-world incident, you should at a minimum answer the following
    questions:
    • What was the outcome of your chosen incident?
    • What was the impact of your chosen incident?
    • Identification of the personally identifiable information (PII) that was held, used, and
    collected by the organisation.
    • Discuss the C.I.A triad and how these principles relate to the information security breach,
    i.e., what was breached in relation to C.I.A?
    • What threats and vulnerabilities to the information exist in the case study?
    • What protections were in place; what worked and what failed in this particular case?
    • Discuss the lessons learnt from the breach, for example, legal, financial, risk.
    • What did the organisation do after the breach, i.e., what happened after the fact?
    • Why was this breach such an important case to learn from?


Task Information

• The report should make use of well thought out diagrams or flow charts (where applicable) to
demonstrate the procedure by which the attack type would typically be performed.
• Your target audience has very little understanding of cyber security. As a result, you must ensure
that you communicate your report outcomes in a simple manner. Using complex descriptions or
terminology will result in a loss of marks. Use acronyms correctly. Use analogies if it enables you
to communicate the identified issue in a simplistic manner.
• You must make use of adequate in-text references throughout your entire report.
• Be creative in how you choose to communicate your findings. The report does not have to be a large
collection of paraphrased text. Diagrams are a much more effective way of communicating an idea
or concept. Tables and charts are an effective way to draw comparisons or contrast different ideas.

Task 2: Attack Tree on “obtain your friend’s password”
Attack (or threat) trees are becoming increasingly popular in many fields as a means of visualising
information. As presented by Dekker (2015), attack trees are flexible, visual and formal, yet provide a means
of portraying scenarios, encourage brainstorming activities, and allow organisations to apply a
defence-in-depth approach to the identified threats.

Among many things, attack trees help with visualising all the potential ways any given organisation or
system may be attacked. They assist with conceptualising asset identification/classification, threats,
vulnerabilities, exploits and many more aspects of cybersecurity risk management.

It is important that you understand how to develop and analyse attack trees, not only for the purposes of this
assignment (or potential exam questions) but also for your future career. Bruce Schneier is a respected
cybersecurity expert who has written extensively on the creation of attack trees. You are strongly
advised to research this information and ensure you have grasped the concept of attack trees and their
associated characteristics. You should also research more attack tree structures as part of this task.

Figure 1: Example of a simple Attack Tree

You will attempt to develop your own attack tree. Using the overall goal of “obtain your friend’s login
password” develop one or more attack trees which demonstrate the different technical and non-technical
approaches you could use to acquire ‘the password’.

https://www.schneier.com/academic/archives/1999/12/attack_trees.html

For the purposes of this activity, you should aim to have approximately 25 nodes, presented on multiple
levels. The example above, for instance, has approximately 13 nodes. For the first level, try to be creative in
how you split your tree up. So, this means you should try to avoid using ‘technical’ and ‘non-technical’ as
your top two headings. In addition, you should aim to have 3-6 words per node to ensure that it is explained
sufficiently.

Microsoft Visio is a popular tool that can be used to develop Attack Trees. However, any brainstorming tools
will be equally suitable. There are plenty of freely available brainstorming tools that can be found by doing
a simple search on the Internet. However, whenever you download software it is always advisable to scan
the product with appropriate anti-virus software beforehand.


Finally, briefly discuss in a conclusion for this task how an attack tree analysis might have been helpful
for the organisation(s) involved in Task 1.

Dekker, M. (2015). Using attack trees in #cybersecurity for threat risk modelling. Retrieved from
https://www.linkedin.com/pulse/20140529230342-18705719-using-attack-trees-in-cybersecurity-for-threat-and-risk-modeling
Format and Presentation
You are recommended to present the assignment in a standard report format with the title
page that details your name, student-id, unit, course and date/time information. You will
also provide a table of contents page for the navigation. There is no report template to be
used in this assignment, so you can design your own template or refer to online resources.
However, the report should be well presented with clear headings, titles and subtitles.

Title page
Unit code and title, assignment title, your name and student number, campus, and your
tutor’s name.
Table of contents
This must accurately reflect the content of your report and should be generated
automatically in Microsoft Word with page numbers.
Introduction
A succinct overview of the report. What attack type did you select as the basis for the
report? What did you discover? What approach did you use to undertake your research
into the subject matter? How did you approach the attack tree task?
Main content
This section should be divided into clearly distinct tasks and sections. Task 1: The first
section should focus on explaining and exploring how your selected attack type
functions. The second section should thoroughly explore a real-world incident. Task 2:
The attack tree for the functional attack detailed is required.
Summary
The section should briefly draw together the main points raised in the report for both
tasks. You should not introduce or discuss any new information.
Reference list
A list of references formatted according to the SCU requirements. Using the EndNote
software will make this process very easy.
Assignment-1 marking rubrics
The following marking rubric will be used for the marking of your submission. It contains
a detailed breakdown of the marking criteria for this assignment. Make sure you read
this CAREFULLY to understand how your work would be graded against each of the
defined criteria.
Task 1 rubric:

Overall presentation
Marks available: 0.5
• Fail: No genuine attempt made to present the case study in a clear format.
• Pass: Attempted to present the case study but is not clear and is missing key title page and contents page.
• Credit: Sound presentation but missing some key formatting and/or title page and contents page.
• Distinction: Well-presented but missing either a title page or contents page.
• High Distinction: Well presented with clear headings, titles and subtitles. Includes a title page and table of contents page.

Assignment content
Marks available: 2.0
• Fail: No genuine attempt made to analyse the case study.
• Pass: Attempted to analyse the case study but missing significant amounts of information that was required in the analysis.
• Credit: Sound analysis but missing up to half of the required analysis that was requested.
• Distinction: Analysis is clear and comprehensive. Missing some of the required analysis that was requested.
• High Distinction: Analysis is clear and comprehensive. Has correctly and explicitly identified the information concerned.

Marks available: 2.0
• Fail: No genuine attempt made.
• Pass: Attempted to discuss the CIA principles but with no clear analysis and significant information missing.
• Credit: Discussed some of the CIA principles but missed at least one key principle.
• Distinction: Discussed and analysed most of the CIA principles but with some missing information.
• High Distinction: Full analysis of conformance to CIA principles clearly discussed.

Marks available: 1.5
• Fail: No genuine attempt made.
• Pass: Attempted to discuss threats and vulnerabilities but with significant information missing.
• Credit: Identified some threats and vulnerabilities but missed some of the key threats and vulnerabilities.
• Distinction: Identified some threats and vulnerabilities but with some information missing.
• High Distinction: Clearly identified all threats and vulnerabilities to the information.

Marks available: 1.5
• Fail: No genuine attempt made.
• Pass: Made an attempt to discuss
