“XYZ” is a manufacturer of components for the automotive industry. They used to run IT services inhouse until 4 years ago, when in a cost-cutting exercise the activities done by the IT department were outsourced to an external provider called “TCE”.
Therefore, the computers currently used by the company are setup, configured and managed by the external provider. “XYZ” has still a small IT department, which mostly works on maintaining end-user applications. Additionally, the IT department also carries out a range of onsite interventions, sometimes under guidance of “TCE”.
The IT department does not include any security specialist, but it has raised a concern regarding the security of the systems currently managed by “TCE”. In particular, they are worried about potentially vulnerable software installed on the systems despite updates being available for some time.
They raised the issue to the management, which initially ignored the concern. However, after a formal consultation with the workers representatives, they agreed that an independent audit should be carried out. They were convinced by the fact that the initial 5-year contract with “TCE” is going to expire in 12 months.
The company has agreed to appoint two security analysts, who will work independently. As one of the two auditors, you are asked to analyse a number of systems and make an assessment about their security. The systems provided are clones of existing ones and there is no concern of damage you could cause because of your analysis. You are only subject to a standard non-disclosure agreement (NDA).
The choice of systems is beyond your control. The main output of your analysis will be a report made available to the company, including the IT department. A third independent security advisor will help the stakeholders to understand the technical parts of the reports, and to progress with the next phases of the decision-making.
Although you are allowed to use automated tools, the company made a specific request to use whenever feasible manual (or scripted) examples in order to demonstrate the attacks, as they provide clearer explanation of the vulnerability exploited. In some cases, you are provided credentials to access the systems. They are given to you in order to study the system. Therefore, you should carefully consider both black box and white box attacks and under which circumstances attacks are feasible. Your report should also include an advice on the implementation and evaluation of appropriate security measures to be applied as a follow-up of your investigation. The report (approximately 3000 words, submitted in PDF format), should include at least the following elements (xx% indicates the weight in the mark allocation, total 70%):
1. An executive summary
2. Demonstration of understanding of the scenario and discussion of about to carry out the security analysis, in consideration also of ethical and legal aspects.
3. Investigate the given environment, in order to identify security issues (15%) 4. Attacks demonstrating vulnerabilities
5. Select and justify appropriate security measures informed by appropriate research
The remaining 8% of the final grade is allocated based on the overall quality of the report: formatting, completeness, readability, and appropriate referencing.
This ICA component will assess these learning outcomes:
3. Select and justify appropriate security measures informed by appropriate research to satisfy stated objectives.
6. Synthesise and evaluate appropriate data for a given scenario to make informed computer security judgements.
7. Operate ethically and legally when conducting simulated investigations to evaluate whether a network design meets the business objectives for a given scenario. 8. Act autonomously with limited supervision when investigating simulated computer security scenarios.