
T-1.8.1_v3

Details of Assessment
Writing questions
Room

Details of Subject
Cyber Security

Details of Unit(s) of competency
Unit Code(s) and Names: ICTICT424 Address Cyber Security Requirements

Details of Student
Student ID
Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.
Student’s Signature:
Date:

Details of Assessor
Assessor’s Name

Assessment Outcome
Assessment Result: Competent / Not Yet Competent
Marks: /40

Feedback to Student
Progressive feedback to students, identifying gaps in competency and comments on positive improvements:

Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student.
Assessor’s Signature:
Student attended the feedback session.
Student did not attend the feedback session.
Date: //
Purpose of the Assessment

The purpose of this assessment is to assess the student in the following learning outcomes, each recorded as Competent (C) or Not Yet Competent (NYC):
Cyber Security - Assessment Task 1 v.1, Last updated on 19/08/2019 Page 1

Knowledge Evidence

• Knowledge of common cyber security threats and risks
• Knowledge of common cyber security controls
• Knowledge of Cyber security control implementation processes and procedures
• Knowledge of Industry standards relevant to cyber security
• Knowledge of Testing procedures and processes
• Knowledge of Legislative and regulatory requirements relevant to cyber security

Assessment/evidence gathering conditions

Each assessment component is recorded as either Competent (C) or Not Yet Competent (NYC). A student can only
achieve competence when all assessment components listed under “Purpose of the assessment” section are recorded
as competent. Your trainer will give you feedback after the completion of each assessment. A student who is
assessed as NYC (Not Yet Competent) is eligible for re-assessment.
Resources required for this Assessment

• Computer with relevant software applications and access to internet
• Weekly eLearning notes relevant to the tasks/questions

Instructions for Students

Please read the following instructions carefully
• This assessment must be completed: In class / At home
• The assessment is to be completed according to the instructions given by your assessor.
• Feedback on each task will be provided to enable you to determine how your work could be improved. You will
be provided with feedback on your work within two weeks of the assessment due date. All other
feedback will be provided by the end of the term.
• Should you not answer the questions correctly, you will be given feedback on the results and your gaps in
knowledge. You will be given another opportunity to demonstrate your knowledge and skills to be deemed
competent for this unit of competency.
• If you are not sure about any aspect of this assessment, please ask for clarification from your assessor.
• Please refer to the College re-assessment for more information (Student handbook).



Assessment 2 – Writing Questions

Assessment type:
• Written Questions

Assessment task description:


• The Knowledge Test is comprised of eight (8) written questions.
• You must respond to all questions and submit them to your Trainer/Assessor.

Applicable conditions:
• This knowledge test is untimed and is conducted as an open book test (this means you are
able to refer to your textbook during the test).
• You must read and respond to all questions.
• You may handwrite/use computers to answer the questions.
• You must complete the task independently.
• As you complete this assessment task you are predominately demonstrating your written
skills and knowledge to your trainer/assessor.

Instructions for answering written questions:


• Complete a written assessment consisting of a series of questions.
• You will be required to correctly answer all the questions.
• Do not start answering questions without understanding what is required from you. Read the
questions carefully and critically analyse them for a few seconds; this will
help you to identify what is really needed.
• Your answers must demonstrate an understanding and application of relevant concepts,
critical thinking, and good writing skills.
• Be concise and to the point, write answers according to the word limit given for each question,
and do not provide irrelevant information. Be careful: quantity is not quality.
• When you quote, paraphrase, summarise or copy information from the sources you are using
to write your answers/research your work, you must always acknowledge the source.

Purpose of the assessment


This assessment task is designed to evaluate the student’s knowledge regarding the following:
• Knowledge of common cyber security threats and risks
• Knowledge of common cyber security controls
• Knowledge of Cyber security control implementation processes and procedures
• Knowledge of Industry standards relevant to cyber security
• Knowledge of Testing procedures and processes
• Knowledge of Legislative and regulatory requirements relevant to cyber security
Question 1
What is the difference between a threat and a vulnerability? Identify the common Cyber Security risks
and threats. Write your answer in 200-250 words.

Vulnerabilities refer to weaknesses in a system or program that can be exploited
by threats to gain unauthorized access to an asset. Cyber threats refer
to cybersecurity circumstances or events that can result in harm to the target
organization.

The common Cyber Security risks and threats are:

Ransomware Attacks: Hackers can gain access to your computer, encrypt your
files and demand a payment in return for getting your files back.

Vulnerability exploits on Windows cool down as other platforms heat up:
Exploiting client‐side software vulnerabilities has become significantly more difficult
in recent years, thereby increasing the development cost of generic and reliable
exploits.

Hardware and firmware threats an increasing target for sophisticated attackers.

‘Dronejacking’ places threats in the sky: a drone outfitted with a full hacking
suite that would allow it to land on the roof of a home, business, or critical
infrastructure facility and attempt to hack into the local wireless network.

Mobile threats to include ransomware, RATs, compromised app markets:
This malware will combine mobile device locks and other ransomware features
with traditional man‐in‐the‐middle attacks to steal primary and secondary
authentication factors, allowing attackers to access bank accounts and credit
cards.

IoT malware opens a backdoor into the home

IoT and DDoS Hacks

Machine learning accelerates social engineering attacks.

The explosion in fake ads and purchased “likes” erodes trust.

Escalation of ad wars boosts malware delivery

Hacktivists expose privacy issues

Law enforcement takedown operations put a dent in cybercrime


Question 2
What are the two most common Cyber Security controls implemented in an organization? What are
the advantages of having such controls in place, and explain the disadvantages should they not be
implemented? Write your answer in 200-250 words.

Security controls play a foundational role in shaping the actions cyber security professionals take to protect an
organization.

1. Antivirus
Antivirus software is a data security utility which is installed in a computer system for the purpose of
protection from viruses, spyware, malware, rootkits, Trojans, phishing attacks, spam attacks, and other online
cyber threats.

Advantages
• Protects your data and files
• Blocks spam and ads
• Defense against hackers and data thieves
• Ensures protection from removable devices

Disadvantages
In case your computer is attacked by a virus, it can affect your computer in the following ways:
• Slow down the computer
• Damage or delete files
• Reformat hard disk
• Frequent computer crashes
• Data loss

2. Backups And System Recovery

Advantages of data backup
• Higher Reliability – Perhaps the biggest benefit of regular remote data backup is its
great reliability. Remote backup can be automated and updated on a daily basis, or you
can even back up your data at a set time. Plus, since this is done via the Internet, you will
always be able to recover any files you need quickly.
• Data encryption can stop sensitive details from unknowingly going live on the internet.
• Data encryption applies both to information at rest and in transit; it provides consistent protection
that could lead to peace of mind for the people who handle information.

Disadvantages
Losing data is one of the worst things that can happen to an organization. This loss will represent a big step
backwards in all aspects: from the economic one due to the loss of profits, development time, fines and
penalties and the associated direct costs.
Question 3

One of the consultants working at Devon Accounting was offered a job at a larger accounting firm. The
consultant had access to the clientele list, information on the network drive and customer data. Should this
information be used in the wrong way, it would have dire consequences for the company’s image.
Privacy and data integrity would be compromised.

Using a threat classification method, conduct a threat and risk assessment. What controls could the
company use to prevent this situation from occurring? Write your answer in 200-250 words.

For companies, data integrity is essential. Data privacy measures must be taken to avoid data corruption, so that
the company's image is not damaged due to misuse of company information. In the database, controls must
be implemented to guarantee the integrity of the information, since it is sensitive information that can have
serious consequences.

It is necessary to guarantee the integrity of the data against unauthorized access or corruption of employees. It is
important to incorporate the use of systems, processes and procedures that keep the data inaccessible to
people who may use it in a harmful or unintentional way.

This is accomplished through a variety of data protection methods, including backup and replication, database
integrity constraints, and validation processes. The company should monitor the user database, look for
suspicious changes or attacks in the databases, and remove access.

Risks to data integrity can be easily minimized or eliminated by doing the following:
• Limit access to data and change permissions to restrict changes to information by unauthorized parties
• Validate data to make sure it is correct both when it is collected and when it is used
• Make a backup of your data
• Use logs to keep track of when data is added, modified, or deleted
• Patch applications and run security updates and scans
• Protect devices and accounts with complex, limited time passwords with multi-factor authentication
• Protect systems by limiting application control and limit administrative accounts

Question 4

What are cyber assets and define vulnerable assets? List and explain three security control mechanisms to protect
valuable assets. Write your answer in 200-250 words.

Cyber assets include hardware, software, data, and peopleware (the people who interact
with them). ... Vulnerabilities are flaws or weaknesses that can be exploited by an
adversary to successfully attack an asset.

Cyber asset is any data, device, or other component of the environment that supports information-related
activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission critical
applications and support systems) and confidential information. Assets should be protected from illicit
access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organization.

Security for your devices.
Take care of physical assets. When you store information on devices, there are further steps to ensure its safety.

The 3 types of security controls
There are three primary areas or classifications of security controls. These include management security,
operational security, and physical security controls.

Controls can be implemented through technical means, such as hardware or software, encryption, intrusion
detection mechanisms, two-factor authentication, automatic updates, continuous data leak detection, or
through nontechnical means like security policies and physical mechanisms like locks or keycard access.

Controls should be classified as preventative or detective controls. Preventative controls, like encryption,
antivirus, or continuous security monitoring, attempt to stop attacks; detective controls, like continuous
data exposure detection, try to discover when an attack has occurred.
Question 5
In past eras, cybersecurity wasn’t an issue for business owners. But now, the internet defines many
corporate activities. Some businesses operate entirely online, and even the ones that don't typically
include the internet in their operations somehow use it - whether it’s marketing to customers or
keeping accurate records.

If company leaders do not understand the cybersecurity laws that relate to their operations, they may
be subjected to substantial fines. Moreover, substantial costs could result from having to achieve
compliance after regulatory bodies discover shortcomings and order remedies. But awareness is the
first step to avoiding issues.

What are the main legislative and regulatory requirements to Cyber Security inside Australia? Write
your answer in 200-250 words.
AUSTRALIA’S CYBER SECURITY STRATEGY 2020

Vision
A more secure online world for Australians, their businesses and the essential services upon
which we all depend.

Approach
This vision will be delivered through complementary actions by governments, businesses and the community.

Cyber threats continue to evolve rapidly
— Cyber security threats are increasing. Nation states and state-sponsored actors and criminals are exploiting
Australians by accessing sensitive information and for financial gain.
— Criminals are using the dark web to buy and sell stolen identities, illicit commodities, and child exploitation
material, as well as to commit other crimes.
— Encryption and anonymising technologies allow criminals, terrorists and others to hide their identities and
activities from law enforcement agencies.
— Cyber criminals want to take advantage of the fact that Australians are more connected than ever before.

Strong foundations
This Strategy builds on the 2016 Cyber Security Strategy, to advance and protect Australia’s interests online.

Highlights
This includes:
— Protecting and actively defending the critical infrastructure that all Australians rely on, including cyber
security obligations for owners and operators.
— New ways to investigate and shut down cyber crime, including on the dark web.
— Stronger defences for Government networks and data.
— Greater collaboration to build Australia’s cyber skills pipeline.
— Increased situational awareness and improved sharing of threat information.
— Stronger partnerships with industry through the Joint Cyber Security Centre program.
— Advice for small and medium enterprises to increase their cyber resilience.
— Clear guidance for businesses and consumers about securing Internet of Things devices.
— 24/7 cyber security advice hotline for SMEs and families.
— Improved community awareness of cyber security threats.
Question 6
Research has shown that the majority of information security attacks stem from human error, not from
malicious intent. What controls can the company put in place to manage human errors and
minimize the risk of cyber-attacks or data loss? Write your answer in 150-200 words.

Employees occasionally make mistakes without realizing how dangerous they can be to the organization’s
cybersecurity.
The most common and dangerous mistakes employees make when handling data are:

• Accidentally deleting essential files with sensitive data or security information
• Purposefully removing files without understanding their importance
• Sending emails with sensitive data to the wrong recipients
• Accidentally making changes in documents due to carelessness
• Sharing sensitive data with colleagues using unsecured messengers
• Using unsecured email attachments when sending sensitive data
• Not backing up critical data

Practices and solutions:

• Update your corporate security policy. This should clearly outline how to handle critical data and passwords,
who can access them, which security and monitoring software to use, etc.
• Educate your employees. Make your employees aware of potential threats and explain how dangerous and
expensive the consequences of their mistakes can be.
• Use the principle of least privilege. The easiest and most reliable way to secure data access is to deny all
access by default. Allow privileged access only when needed on a case-by-case basis.
• Monitor your employees. User activity monitoring tools are needed to detect malicious activity and secure
your system from data leaks and malicious attacks.
• Use strong passwords. The company has to establish clear rules about using strong passwords and define
procedures for properly handling, storing, and sharing passwords.
Question 7

What are the Industry standards relevant to cyber security in Australia? Write your answer in 150-200
words.

Cyber security is more than just an information technology problem. It is a broader business and
societal issue that needs to be managed by economies all around the world.
In response, the International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC) developed the ISO/IEC 27000 series, Information security
management systems standards.
Fundamentally, these standards are designed to assist any entity, regardless of size, keep
information systems and data secure.
Cyber security standards aim to support and protect expanding digital economies across the Pacific.
Standards Australia has released a report focused on cyber security in the Pacific region. Pacific
Islands Cyber Security Standards Cooperation Agenda sets out recommendations on how to
strengthen cyber security in the Pacific Islands with the use of standards.
This scope of work is delivered in support of Australia’s International Cyber Engagement Strategy
and aimed at encouraging innovative cyber security solutions.
Cyber security standards can protect business data, which in turn helps build confidence in clients,
customers and partners.
Question 8

One of the tests conducted during cyber security is called Penetration Testing. Define the term.
Explain the 5 stages of Penetration Testing and list and elaborate the penetration testing methods. Write
your answer in 200-250 words.

A penetration test, also known as a pen test, is a simulated cyber-attack against your
computer system to check for exploitable vulnerabilities.

Stages:

1. Planning and reconnaissance
• Defining the scope and goals of a test, including the systems to be addressed and the
testing methods to be used.
• Gathering intelligence (e.g., network and domain names, mail server) to better
understand how a target works and its potential vulnerabilities.

2. Scanning
The next step is to understand how the target application will respond to various intrusion
attempts. This is typically done using:
Static analysis – Inspecting an application’s code to estimate the way it behaves while
running.
Dynamic analysis – Inspecting an application’s code in a running state.

3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL injection and
backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these
vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to
understand the damage they can cause.

4. Maintaining access
The goal is to see if the vulnerability can be used to achieve a persistent presence in the
exploited system— long enough for a bad actor to gain in-depth access. The idea is to
imitate advanced persistent threats, which often remain in a system for months in order to
steal an organization’s most sensitive data.

5. Analysis
The results of the penetration test are then compiled into a report detailing:
• Specific vulnerabilities that were exploited
• Sensitive data that was accessed
• The amount of time the pen tester was able to remain in the system undetected

Marking Sheet for Trainers

Marking List: Marks out of
Question 1: /5
Question 2: /5
Question 3: /5
Question 4: /5
Question 5: /5
Question 6: /5
Question 7: /5
Question 8: /5
TOTAL: /40
