Learning outcomes assessed as agreed at the programme level meeting
On successful completion of this module students will be able to:
1. Identify and critically analyse information security threats to computer networks and management information systems.
2. Critically evaluate the range of effective security controls used to protect system and user data.
3. Synthesize solutions to security problems through effective information security governance.
4. Create understanding of professional, social, ethical and legal issues associated with cyber security.
Coursework 2 is an individual report and will be submitted as a MS Word document (2000 words in total excluding all diagrams, documentation and description) via Turnitin on Moodle and must include all the required components.
Coursework 2 is worth 60% of the overall assignment. The assignment preparation guidelines are outlined below:
1. All components of the assignment report must be word processed (hand-written text or hand-drawn diagrams are not acceptable), font size must be within the range of 12 point to 13 point including the headings, body text and any text within diagrams.
2. Standard and commonly used fonts such as Times New Roman, Arial or Calibri should be used.
3. Your document must be aligned left or justified with line spacing of 1.5.
4. All figures, graphs and tables must be numbered and labelled.
5. Material from external sources must be properly referenced and cited within the text using the Harvard referencing system.
6. All components of the assignment (e.g. text, diagrams, code etc.) must be submitted within a single MS Word document.
Attempt all the following tasks set in the assignment. Marks are awarded for producing a documented system that meets the requirements specified below. Please state the task number in your assignment.
Task 1: Security vulnerabilities
You are an Information Security officer working for QualityTech novelty products. You have been informed of some vulnerabilities in your company's web server. These are listed in the following table:
· Download of code without integrity checks
a. Give a detailed explanation of how each vulnerability from the above list can be exploited and give recommendations on what should be done against each of them.
b. You have been told that one of your applications has a "SQL injection" vulnerability. What tools/techniques can be used to detect and exploit "SQL injection"? Explain with detailed examples.
Task 2: Social Engineering
According to Barracuda Networks (2020), phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalise on the fear and uncertainty generated by the COVID-19 pandemic. The security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed. These attacks used widespread awareness of the pandemic to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers. Of the COVID-19 phishing attacks, 54% were classed as scams, 34% as brand impersonation attacks, 11% as blackmail and 1% as business email compromise (BEC) (Infosecurity Magazine, March 2020).
a. Assess different methods employed by social engineers to ‘trick users into handing over their log-ins and financial information’ in terms of their effectiveness.
b. Critically rationalise why hackers might be interested in hacking into large companies with such methods. Evaluate traditional defences against social engineering.
Task 3: Business Continuity Management
Despite the progress made on the implementation of Business Continuity Management (BCM) within organisations over nearly two decades, the depth and breadth of planning in smaller firms remains a cause for concern. Over the past 10 years, there has been a greater focus on the risks associated with supply chains. Also, due to pressure from larger customers, some SMEs have implemented BCM programmes which increase certification and compliance expectations. There is also much scepticism about whether or not international standards for BCM, such as ISO 22301, can be applied to the SME marketplace. Keeping this in mind:
a. Give a detailed explanation of what BCM is and its functions (purpose and benefits).
b. Evaluate the types of sites that an organization can use for backup.
c. “BCM: A key element in the fight against cyber security attacks” – Critically evaluate this statement.
Task 4: Security controls
Now, more than ever, organizations need to strengthen their defences to protect their critical data assets against security incidents and data breaches. Security controls are frequently cited as effective safeguards or countermeasures to avoid, detect, counteract or minimize “security” risks to a company’s assets. Depending on the industry you operate in, your organization may be subject to a specific set of information security controls, such as PCI DSS for payment processors, NIST for federal agencies in the United States, or more broadly applicable security control frameworks such as the 20 CIS Critical Security Controls or ISO 27001 (Hitachi Systems Security, 2018).
a. Evaluate the different types of security controls within the concept of ‘countermeasures’ in cyber security.
b. Evaluate why security controls are important for an organisation and analyse how the effectiveness of security controls can be measured.