Assessment Brief: SBM4304 IS Security and Risk Management

Trimester-1 2021

Assessment Overview
Assessment Task Type Weighting Due Length ULO

Assessment 1: Case Study Individual 30% Week 6 2500 ULO-2

Write a report to discuss recent type words ULO-3
of information security attacks, ULO-4
protection mechanism and risk
management.
Assessment 2: Applied project Group 30% Week 12 2500 ULO-1
Discuss and implement IS security words ULO-2
protection techniques, and ULO-3
implementing access control under ULO-4
Linux.
Assessment 3: Laboratory Individual 40% (30% Week 3, 3000 ULO-1
Practicum quizzes, 10% 4, 6, 8, words ULO-2
Weekly quizzes and lab activities and lab work 10 ULO-3
exercises assess students’ ability to activities) ULO-4
understand theoretical materials.
The quiz will be either multiple
choice questions or short questions
which are relevant to the lecture
materials.

Assessment 1: Case study

Due date: Week 6
Group/individual: Individual
Word count / Time provided: 2500
Weighting: 30%
Unit Learning Outcomes: ULO-2, ULO-3, ULO-4

Assessment Details:

Today’s Internet has its roots all the way back in the late 1960s, but it was only used by
researchers and the military for almost a quarter of a century. The Internet has opened
the door for threat actors to reach around the world invisibly and instantaneously to launch
attacks on any device connected to it.

Read the case study titled: Threat Update COVID-19 Malicious Cyber Activity that available at:

https://apic.instructure.com/files/148461/download?download_frd=1
 Answer the following questions related to the case study:

1. Identify and examine all types of the malicious cyber activities identified by ACSC and
summarize them in a table.
2. Identification and categories assets, including all elements of an organization’s system
(people, procedures, data and information, software, hardware, and networking)
3. Create a table to identifying and prioritizing threats against each type of asset identified in
item (2). You have to demonstrate the way you follow to prioritizing threats with
justification.
4. In general, the security defences should be based on five fundamental security principles:
layering, limiting, diversity, obscurity, and simplicity. The ACSC proposed eight strategies to
prevent malware delivery and limit cyber Security incidents. Analyse these principles with
the strategies proposed by the ACSC. In your analysis, you have to clearly demonstrate how
each mitigation strategy is related to fundamental security principle with justification.

Create a report to answer the above questions, your report must include introduction and report
summarisation in addition to a cover page that includes your details.

Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30%
of the total unit mark

Not satisfactory Satisfactory Good Very Good Excellent

Marking
Criteria (0-49%) of the (50-64%) of the (65-74%) of the (75-84%) of the (85-100%) of the
criterion mark criterion mark criterion mark criterion mark criterion mark
Introduction Poor Introduction with Introduction is Introduction is Introduction is well Introduction is very
(10 marks) irrelevant details presented briefly generally presented in written with clear well written with very
with some good fashion, discussion. clear background,
relevance and however missing one discussion.
missing elements. element.

Types of the Poor discussion with Brief discussion about Generally good Very clear discussion In-depth and very
malicious cyber irrelevant information some threats with discussion with about threats with clear discussion about
activities identified and table general information in general information in good information in threats with very good
by ACSC and the table. the table. the table. information in the
summarize them in table.
a table
(20 marks)
Identification and Poor discussion with Brief identification Generally good Very clear A very detailed
categories assets irrelevant information and categories assets. identification and identification and and very clear
(20 marks) categories assets categories assets identification and
categories assets
Identifying and Poor identifying and Brief identifying and Generally good Very clear A very clear and
prioritizing threats prioritizing threats prioritizing threats identifying and identifying and in-depth
against each type against each type of against each type of prioritizing threats prioritizing threats identifying and
of asset asset asset against each type of against each type of prioritizing threats
(20 marks) asset asset against each type of
asset
Analysing the five Poor Introduction with Brief discussion of the Generally good Very clear discussion In-depth and very
fundamental irrelevant details. five fundamental discussion of the five of the five clear discussion of the
security principles security principles fundamental security fundamental security five fundamental
with the security with the security principles with the principles with the security principles
mitigation mitigation proposed security mitigation by security mitigation with the security
by the ACSC. the ACSC. proposed by the ACSC.
proposed by the mitigation proposed
ACSC by the ACSC.
(20)
Summary not Brief summary of the Generally good clearly very
relating to the report with some summary of the summarizing the clearly
Summary
report relevance report overall summarizing the
(10 marks)
contribution overall
contribution

Assessment 2: Applied Project

Due date: Week 12
Group/individual: Group
Word count / Time provided: 2500 words
Weighting: 30%
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4, ULO-5

Assessment Details:

This assessment is designed to assess your technical skills in applying information security tools. In
this assignment, you have to study and apply steganography techniques to embedded data within a
file. In addition, you have to understand Linux file systems and apply access control technologies.
The assessment is also assessing your skills to analyses information security principles against
security techniques including steganography and access control. In completing this assessment
successfully, you will be able to investigate IS security, risk threats and propose the suitable security
controls, which will help in achieving ULO-1, ULO-2, ULO-3, and ULO-4.

Task Specifications
This assessment includes three tasks as follows:

Task-1:
Steganography is the practice of concealing a file, message, image, or video within another file,
message, image, or video. Use Steghide tools available in Kali Linux/Linux to hide a text file that
includes your group students IDs on audio file. You have first to create audio file with no more than
30 second to record your group students IDs only. Then, you have to create text file to include group
details include first and last name for each student in your group. Finally, use Steghide tools (use
security as passphrase) to embedded your text file into the created audio file.
In your report, you have to provide screenshot demonstrate the steps with the commands you
followed during the process of installation of Steghide, and the way use used to hide group
information text file into audio file and finally the steps to extract the text file from audio for
verification of your work.

Task-2:
Access control is granting or denying approval to use specific resources. Technical access control
consists of technology restrictions that limit users on computers from accessing data.
In this task you have to work in a group to understand Access Control List (ACL) and files system
security using Linux environment. You have to complete the followings tasks using kali Linux or any
Linux OS:

1. Fill the following table with the information related to all member of your group:
Sn. APIC Student ID First Name Last Name
No
1 {Student-ID1} {FirstName-1} {LastName-1}
2
3
Table 1: Group information

2. Create main directory named BIS3004 and set it permission to full access, fill the following
table:
Task Command/s
Create directory named :BIS3004
Set full access to BIS3004 directory
Table 2: Create Directories APIC

3. Create sub directories within BIS3004 directory according to Table-3:

Task Command/s
- Create directory {FirstName-1}
- Set read and write access permission only
- Create directory {FirstName-2}
- Set read access permission only
- Create directory {FirstName-3}
- Set read and execute access permission
only
Table 3: Create Student ID directories

Please note, {FirstName-x} is the first name of the APIC student according to Table-1.

4. Create users, with names according to the group member student IDs for of your group as
shown in Table-4

Task Command/s
- Create user {Student-ID1}
- Write ACL to enable:
1. full permission to {FirstName-1}
2. read and write permission to
{FirstName-2} and
 3. read permission only to other
directories.
- Create user {Student-ID2}
- Write ACL to enable:
1. full permission to {FirstName-2}
2. read and execute permission to
{FirstName-1}
3. read permission only to other
directories.
Table 4: Create users

4. Create two groups and fill Table-5:

Task Command/s
- Create group {LastName-1}
- Add {Student-ID1} and {Student-ID2} users
to {LastName-1} group
- Write ACL that {LastName-1} group users
will get full access to {FirstName-1}
directory and read access to {FirstName-2}
directory.
- Create group {LastName2}
- Add ‘{Student-ID2} and {Student-ID3} to
{LastName-2} group
- Write ACL that {LastName-2} group users
will get full access to {FirstName-2}
directory and write and execute access to
{FirstName-1} directory.
Table 5: Create groups

Use the commands available in Linux or Kali Linux to complete the above tables. In your report, you
have to provide screenshot to demonstrate the steps you followed during the process of conducting
the assignment tasks and requirements according to your group details provided in Table-1 (student
ID, first name and last name).

Task-3:
Discuss with clear demonstration, how the steganography and access control techniques that you
conducted in Task-1 and Task-2, respectively, can achieve confidentiality, integrity, and availability
(CIA). You have to provide justification during your discussion.

Submission
1. You have to submit a report in word format file include your answers for Task-1, Task-2 and
Task-3 with the required screenshots for Task-1 and Task-2. You have to include cover page
that include group student ID and full name.
2. You have also to submit the created audio file that embedded your group information text
file for Task-1 (make sure to use: security as passphrase)
 The two files must be submitted separately not in single compress file.

Marking Information: The applied project will be marked out of 100 and will be weighted 30% of
the total unit mark.

Not satisfactory Satisfactory Good Very Good Excellent

Marking
Criteria (0-49%) of the (50-64%) of the (65-74%) of the (75-84%) of the (85-100%) of the
criterion mark) criterion mark criterion mark criterion mark criterion mark
Lack of evidence of using Audio file not includes Audio file includes Audio file includes Audio file correctly
Audio file
the Steghide for the embedded test file text file but with text file but didn’t includes group details.
embedded text file
Steganography with no irrelevant information include all the group
(10 mark)
audio file submission to student group. information.
Lack of evidence of Screenshot is provided Screenshot is provided Screenshot is provided Screenshot is provided
Steganography
understanding of the with not complete or using Steghide with using Steghide with using Steghide with
steps and
process of not using Steghide. settings errors some incorrect correct result.
Screenshot
Steganography with no settings.
(15 mark)
screenshot
Lack of evidence of Very brief Evidence of good Very clear Excellent
understanding the Linux demonstration of understanding and understanding and understanding and
Directory creation commands for directory using Linux commands demonstration of demonstration of demonstration of
(15 mark) creation and access. for directory creation using Linux commands using Linux commands using Linux commands
and access. for directory creation for directory creation for directory creation
and access. and access. and access.
Lack of evidence of Very brief Evidence of good Very clear Excellent
understanding of the demonstration of understanding and understanding and understanding and
Users creation process of users creation using Linux commands demonstration of demonstration of demonstration of
(15 mark) and required permission for users creation and using Linux commands using Linux commands using Linux commands
required permission for users creation and for users creation and for users and required
required permission required permission permission
Lack of evidence of Very brief Evidence of good Very clear Excellent
understanding of the demonstration of understanding and understanding and understanding and
Group creation process of group using Linux commands demonstration of demonstration of demonstration of
(15 mark) creation and required for group creation and using Linux commands using Linux commands using Linux commands
permission required permission for group creation and for group creation and for group creation and
required permission required permission required permission
Achieving CIA in Poor discussion with Brief discussion about Generally good Very clear discussion A very detailed
Steganography irrelevant information. achieving CIA in discussion about of achieving CIA in and very clear
(15 marks) Steganography with achieving CIA in Steganography with discussion of
limited demonstration Steganography with clear demonstration achieving CIA in
and justification. good demonstration and justification. Steganography with
and justification. very good
demonstration and
justification.
Achieving CIA in Poor discussion with Brief discussion about Generally good Very clear discussion A very detailed
access control list irrelevant information. achieving CIA in access discussion about of achieving CIA in in and very clear
(15 marks) control list with achieving CIA in in access control list with discussion of
limited demonstration access control list with clear demonstration achieving CIA in in
and justification. good demonstration and justification. access control list with
and justification. very good
demonstration and
justification.
Assessment 3: Laboratory Practicum
Due date: Lab work submission: Weekly; Quiz: Week 3, 4, 6, 8, 10
Group/individual: Individual
Word count / Time provided: 3000
Weighting: 40% (30% quizzes, 10% lab work activities)
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4, ULO-5, ULO-6

Assessment Details:

Practical exercises assess students’ ability to apply theoretical learning to practical, real world
situations on a weekly basis. The practical exercises will improve student’s ability to practice
information security using Linux/Kali Linux platform such as phishing attack, encryption and
steganography and other functions.

This assessment also includes invigilated quiz that will assess your ability to understand theoretical
materials and your knowledge of key content areas. The quiz will be either multiple choice
questions or short questions which are relevant to the lectures of lecture materials. For successful
completion of the quiz, you are required to study the material provided (lecture slides, tutorials, and
reading materials) and engage in the unit’s activities. The prescribed textbook is the main reference
along with the recommended reading materials.

Students will be required to complete the practical exercises and sit the quiz during the workshop
and therefore, attendance is required as part of this assessment. Students will not be assessed on
work that not produced in workshop so that attendance is required as part of this assessment.
Students are required to submit the work that they have completed during the workshop session
only. The details of the lab work and requirements are provided on the online learning system.

Marking information: The assessment will be marked out of 100 and will be weighted 40% that
includes: 30% weight for five quizzes (6 % for each quiz). In addition, 10% lab work participation
and submission for ten weeks ( 1% for each lab work).