Assignment 1
COMPSCI 316: Cyber Security, Semester 2, 2022
This assignment is worth 100 marks. The weight of this assignment is 15% of the course. The deadline to submit this assignment is Thursday, September 15, 23:59 hrs NZ Time. No late submissions are accepted. The assignment must be submitted through Canvas. The only acceptable format is PDF.
For answers containing brief explanations, the answers should not exceed 300 words. You are also expected to use APA or IEEE¹ referencing style in this assignment.
Note. Sharing assignment solutions does not help in your learning. Consequently, our academic integrity policy does not permit sharing solutions or source code leading to solutions. Violation of this will result in your assignment submission attracting no marks, and you may also face disciplinary actions. Therefore, please do not share assignments, assignment solutions or source code leading to assignment solutions. Do not publish or make available your assignments or solutions online, for you will be liable if someone copies your solution. Please talk to us if you have any doubts about what is legit and what is not.
Do not leave your computers, devices, and belongings unattended — you must secure these at all times to prevent anyone from accessing your assignments or solutions.
For more information, see our University’s Student Academic Conduct Statute.
Question I. (20 marks) Data Breach. Identify a data breach discovered between October 2021 and July 2022 and answer the following questions.
1. Share the URL reporting this data breach. [1 mark]
2. Briefly describe the impact of this data breach. Briefly describe how many users were affected, the level of impact (explaining whether it was low, medium, or high), and financial or other losses. [5 marks]
3. Briefly explain what information was released. [3 marks]
4. Briefly describe the root cause of this data breach. [5 marks]
5. As a cyber security expert, what kind of security measures would you take to reduce the risk of similar data breaches in the future? Provide a brief explanation. [6 marks]
Question II. (20 marks) CIA Triad. The CIA triad is a standard model that forms the basis for developing security systems. Consider that you are working as a cyber security consultant for a hospital to develop a health care system. It will record, process, and store patients’ health-related information such as demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
1. What are the three principles of CIA? [3 marks]
¹ https://libguides.victoria.ac.nz/statistics/referencing
2. Briefly explain how to apply the principles of the CIA triad to create an effective security program in the hospital to protect their valuable assets. [5 marks]
3. Briefly explain what measures could help to preserve patients’ healthcare data confidentiality. [4 marks]
4. Briefly explain what measures can help to preserve patients’ health-care data integrity. [4 marks]
5. Briefly explain what measures can help to preserve patients’ health-care data availability. [4 marks]
Question III. (25 marks) Vulnerability Analysis. Visit https://cve.mitre.org/cve/search_cve_list.html and search for a CVE ID (CVE, 2022) that contains the last three digits in your UPI (username). If no entry corresponds to the last three digits of your UPI (username), you can increment your UPI by one and repeat the process until you find a valid CVE ID. If you see multiple CVE IDs, you can choose any one of them. For your CVE entry, which you must write down in your answer, you should be able to find its NVD entry, where you can find detailed information about the vulnerability. Answer the following questions:
1. Briefly explain the vulnerability in your own words. [5 marks]
2. Briefly explain why the confidentiality score is low, medium, or high. [3 marks]
3. Briefly explain why the integrity score is low, medium, or high. [3 marks]
4. Briefly explain why the availability score is low, medium, or high. [3 marks]
5. Consider that you are a cyber security consultant for an organization that uses a product or service that can be exploited using the vulnerability in question. Briefly describe at least one alternative product or service you can suggest to your organization. [6 marks]
6. Can this vulnerability be identified using static analysis or dynamic analysis? Explain briefly. [5 marks]
Question IV. (8 marks) Usable Security. Assume you are working as a cyber security consultant for the game development industry. You are tasked to develop a game-based app that teaches employees in a financial institution how to protect themselves from phishing attacks.
1. Briefly explain your advice to develop appropriate teaching content (i.e., what to teach) in the gaming app to combat contemporary phishing attacks. [2 marks]
2. Briefly explain your strategy to get users (i.e., employees in financial institutions) to better interact with the gaming app to improve their learning experience. [2 marks]
3. Briefly explain how you assess the user’s learning (i.e., employees) through the game
Question V. (12 marks) Software Security. Assume you are working as a cyber security consultant for a military organization. You are tasked to develop a fully working, secure chat application for internal communication purposes within the organization. You have learned about the Open Web Application Security Project (OWASP) Top 10 most commonly seen application vulnerabilities. You are required to advise your software development team to implement the following security features (i.e., secure login, secure password storage, and secure all chat messages) in the chat application.
1. Briefly explain your advice to develop a secure login for users. [4 marks]
2. Briefly explain your advice on developing secure password storage for individuals. [4 marks]
3. Briefly explain your advice to secure all chat messages in the application. [4 marks]
Question VI. (15 marks) Cyber Security Risk Management. Assume you are working as a cyber security consultant for a Health Network. The Health Network centrally manages patients’ health records. It also handles secure electronic medical messages from its customers, such as large hospitals, routed to receiving customers such as clinics. The senior management at the Health Network has determined that a new risk management plan must be developed. To this end, you must answer the following questions (state any assumptions you have made):
1. Introduce the risk management plan to the senior management at the Health Network by briefly explaining its purpose and importance. [3 marks]
2. Create an outline (i.e., visually describe the outline) for the completed risk management plan. [5 marks]
3. How can the CIA triad be applied in cyber security risk management? [7 marks]