The assignment is a group task that runs across most of the semester. It involves your group analysing the security mechanisms and threats in SIIT.

Updates

The assignment instructions will be updated over time. Here is the list of updates:

Ethics

This assignment involves you analysing weakness in SIIT and related computer and information systems. Because you will analyse a real system, there are several principles you must follow:

  1. Do not perform any actual attacks (passive or active). You do not need to perform attacks to complete the assignment. Examples of attacks that you must not perform include: capturing SIIT WiFi traffic, SQL injection attacks on web sites, guessing/brute forcing passwords, social engineering attacks to determine confidential information, running malicious software on SIIT computers, using SIIT resources to attack other systems, DoS attacks on SIIT.
  2. If you want to test or learn how attacks work, then do so in your own virtual network (using virtnet). Do not test security software/attacks on live networks (including SIIT Wifi, labs or your friends).
  3. Do not ask SIIT staff (including faculty and computer centre) about SIIT information systems. It is sufficient to use your own general knowledge. If you want details (e.g. the structure of SIIT network) then ask the lecturer.
  4. Do not disclose confidential information to unauthorized people.
  5. Report any problems, e.g. vulnerabilities you discover, to the lecturer. (In fact that is one aim of your assignment - list vulnerabilities).

In general, be good! If you are not sure what is/is not allowed, then ask the lecturer.

Groups

Form a group of 3 students (exchange students may have a group of 2 or 3). All students must contribute to the work and writing of the report.

Tasks

The general aim of this assignment is for your group to analyse security threats at SIIT. There will be several steps involved, including:

  1. Categorize the information systems relevant to SIIT according to their security objectives.
  2. Analyse security risks for different SIIT assets.
  3. Propose security controls to reduce risks.

The tasks aim to give you exposure to real threats, attacks and security mechanisms, as well as the procedures an organisation should follow to reduce the risk of threats.

Further information of the tasks will be added, but to get started you should:

  1. Form your group.
  2. Read the overview of security risk analysis and controls. You may also download and browse the three NIST documents it references: FIPS199, SP800-30, SP800-53
  3. Think about the information and information systems available at SIIT - you will need to categorize them with respect to security objectives in the 1st task.

Task 1 - Categorizing Information Systems

List the different possible information systems within SIIT. For each information system, then list the types of information. Then categorize the information systems according to their security objectives using the approach described in FIPS199 (which is summarized in section 3 of the security risk analysis above). Examples are given in both of these documents.

You don't need to know the details of the actual information systems within SIIT. Some you use (e.g. registration, grading), and others you may guess (e.g. accounting/payroll). List as many information systems and types that you think are relevant for SIIT. Similarly when categorizing the information, use your best judgment when determining the potential impact.

There is no single correct answer for this task. The purpose of the task is for you to think about the information at SIIT, the requirements/impact with respect to security, and be aware of a method (described in FIPS199) for categorizing information systems.

A template document (ODT or DOCX) is provided for you to give your answers for Task 1.

Task 2 - Risk Analysis

Perform a risk analysis for SIIT producing a risk register. The procedure for a risk analysis is described in Section 4 of the overview of security risk analysis. Section 6 lists the fields that may be in the risk register. To simplify the risk register and have consistent information across groups, a template spreadsheet (ODS or XLSX) is provided. Use this template for your risk register.

There is no single correct answer for this task. The number of risks, the assets and vulnerabilities for each risk, and the analysis of each risk, may differ amongst groups.

Note that in the "ThreatOrVulnerability" field of the risk register, you do not need to give details of how to perform the attack. Also, you do not need to give the existing controls in the risk register. The next task will consider the attacks and controls.

Task 3 - Attacks and Security Controls

Select at least 5 risks from the risk register, and for each describe how you could perform an attack, and your recommended security controls to prevent such an attack. With the security controls you select, include an explanation of why you selected them (e.g advantages and disadvantages compared to other possible security controls).

In selecting the risks, preference should be given to those that require significantly different attacks and controls (i.e. don't choose 5 risks that are all subject to the same attack).

As the Ethics section of this assignment points out, do not perform any attacks. Just describe an attack based on your knowledge about IT security.

A template document (ODT or DOCX) is provided for you to give your answers for Task 3.

Submission

Submit the results of each task in a separate document based on the provided template. You may submit in Open Document format (ODT or ODS) or Microsoft Office format (DOCX or XLSX). No other formats are accepted. Name the files based on your group number (e.g. g1, g2) as:

  1. gX-task1.odt (or .docx)
  2. gX-task2.ods (or .xlsx)
  3. gX-task3.odt (ot .docx)

where X is your group number, e.g. 1, 2, 3, ... .