Coursework Assignment (70%)

This assignment will present some real-world scenarios and ask you to elaborate and justify a solution. You will be given a budget and a few items/solutions to choose from. You will need to explain your decisions within 500 words per scenario.

You will need to explain your decisions in 2 scenarios. You have to consider that you are talking to a hypothetical CEO or CTO and, as a consequence, you should avoid jargon and academic references unless strictly necessary. Concepts such as security principles can be mentioned without citing the related literature.

You will submit the two completed scenarios on Moodle; the submission tool is divided into two tabs, one for each scenario.

Scenario 1 – Video streaming platform

You are the Information Security Manager for a renowned video streaming platform. This platform has users all over the world and offers different services, as some profiles can only be accessed by paying users. They are planning the coming years and, as the world is coming out of the pandemic, they are trying to prepare for different scenarios arising from flexible working, the popularity of the platform, and the types of clients and services. You will need to use the available budget to choose the defenses you think are the most functional ones.

Flexible working: the offices will remain active, but flexible working will be implemented. For this reason, remote access will need to be set up in a functional manner to allow employees to work from home.

Work laptop: employees who lead teams or hold managerial positions will be given a laptop that is strictly controlled by IT services: no software can be installed by the employee, and the connection goes automatically through the VPN to avoid MitM attacks and to blacklist websites.

VPN settings: the VPN will be mandatory for all employees to access work documents and the company's internal network, to avoid MitM attacks and to blacklist websites.

Antivirus and firewall software: employees will be given specific antivirus and firewall software to protect the PC and/or smartphone they use for remote work.

Data storage: all company data can only be accessed from the company network and will be stored in a cloud facility; saving data on personal devices is strictly forbidden.

Network compartmentalization: the network will be divided into subnetworks that employees can access according to an RBAC policy.

Platform popularity: the platform is used for different live streaming services, from e-sports to art and music events, as well as paid services. At the moment, the first two are still limited to small events that, although numerous, do not pose a risk of overloading the systems, but the hope for the future is to handle bigger events that host thousands of people in their streams.

Bandwidth increase: anticipating an increase in audiences, especially for events that require high-quality video (such as e-sports), we will increase the system's capacity to handle the demand.

Anti-DDoS defenses: given the risk of attacks that aim to limit our streaming capabilities, setting up defenses tailored against DDoS attacks may be necessary.

Anti-ransomware defenses and backups: ransomware may halt our systems if undetected; protecting against it, as well as keeping backups, should mitigate this issue.

Quality of Service systems: these systems use adaptive video quality as well as specific tools to manage connections and reduce the load on the bandwidth.

2FA for content creators: anyone who creates content on the platform has mandatory 2FA to limit the risk of their channels being hijacked and to mitigate reputational risks.

Clients, content creators and services (CCS): the platform allows people to access it using a classic login interface. It is necessary to evaluate the opportunity to implement more security features.

Minors policy implementation: users below 18 years of age will not be allowed to access any service that may target adult audiences.

Allowing 2FA for everyone: implementation of 2FA using the user's mobile phone to receive a one-time password.

DDoS features for paid services: we may want to implement anti-DDoS features that prioritise paid services to ensure customer satisfaction when they pay for content.

Secure payment: mandatory 2FA for payments and metadata tracking to ensure traceability of payments in case it is not the actual client paying for the services.

You have 25 as the total budget, and these are the costs of the different measures:

Use the template to write the document that will be evaluated. Explain which measures you have adopted in the different intervention areas and justify your choices according to the information available in the scenario explanation as well as data and figures available on the Internet.

Scenario 2 – Grocery shop data management

You have been asked to consult for a grocery shop on setting up their systems to be secure and manageable for their purposes. The shop has 20 employees, counting the front-end staff, the two administrators who manage supplies and finances, and the owners, two brothers who manage all interactions with stakeholders. You will need to work within a limited budget (as mentioned below) to carry out the essential work in three areas: clients’ payments, supplier management, and data protection.

Clients’ payments: the shop keeps no cash overnight, so you will need to consider two aspects: secure card payments and cash movement at the end of the working day. You can implement one or more of these protections:

PoS substitution: the current tools for card payments are good but are not the latest technology.

Secure protocol connection: the PoS terminals communicate wirelessly with the supermarket's routers using quite old protocols. It is possible to upgrade to more secure encryption.

Secure cash collection: using a tracked professional transit service that takes the money from the shop to the bank every working day.

Community-managed cash collection: the grocery shop and the neighbouring shops would work together to collect their money in one secure place (in another shop) at the end of each working day; the secure transit service is called twice a week.

Supplier management: the shop is proud of its punctuality in paying providers, suppliers, and employees; however, for such a small shop it is vital to minimize waste while avoiding empty shelves. Here is what you can implement:

Data access: the data should not be accessible to everyone: an access control policy should limit what employees can see on the company website.

Secure communications: setting up certified emails for finance and administration that are accessible only by the administrators.

Contract management: implementation of online contract-signing systems to speed up the process and keep digitized copies stored in the certified email inbox.

Data protection: although the shop is not big enough to have a website and tailored advertisements, data on the most popular products, how often orders are needed, and graphical user interfaces to manage the orders are available to the employees. There is a system for front-end employees to upload which items were sold when they are scanned and paid for, as well as for the administrators to evaluate when new orders to suppliers are needed.

Dedicated firewall: the servers containing the data should be in a dedicated network protected by a customized firewall that drops unexpected connections.

Secure communications: clients as well as lawyers and stakeholders may need to communicate with the two owners directly. Setting up a certified owners’ email and a cloud storage area may facilitate this.

Advanced anti-XSS and anti-XSRF: to prevent disgruntled employees from finding ways to attack the customized parts of the data management system, you can upgrade the protection against XSS and XSRF.

You have 15 as the total budget, and these are the costs of the different measures:

Use the template to write the document that will be evaluated. Explain which measures you have adopted in the different intervention areas and justify your choices according to the information available in the scenario explanation as well as data and figures available on the Internet.