ICTNWK511 | Manage network security | Network Security


Assessment 2: Case Study

Information for Students

This is a project/report assessment task. You have the option of doing the task as a group (3 students maximum per group). You should use the Case Study Report Template (see Learner Resources for the unit) to help you structure your assignment. Write your report, making sure to list all the students who are in your group in the Introduction to the report. All students need to hand in a copy of the report as part of their assessment submission.

Read through the scenario below, and write your report addressing the requirements described below.

Scenario

You have been asked to design a comprehensive network security plan for a small e-commerce web site run by the BuyThisShoe company. The website will be hosted on the company’s internal network (as the site needs to access internal databases for prices etc). The company is a bit nervous about hackers, but it also wants a cost-effective solution, so you need to come up with a plan that is both effective and economical.

Interviewing the owners of the business, you have uncovered the following facts:

  • The company will be taking credit card payments, so needs to comply with any relevant legislation
  • The company is open to taking out insurance, where required, against reputational damage resulting from hacker events
  • The company is concerned about conforming with privacy legislation, and wants to know how network security measures can keep the required information confidential, and report on any unauthorised access
  • The company would also like to know how a procedure could be designed for employees to report any privacy/ethics violations in a secure manner. They want the employee to be able to send anonymous email about the violation, without having to use the corporate email system
  • The company wants to know what testing/ongoing auditing of the plan will be done to ensure the plan remains relevant and up-to-date
  • The company wants you to suggest an incident response procedure for reporting of security violations. They are very concerned that, if any security breach does occur, they are notified immediately. They are suggesting that every Friday the owner of the company meet with the IT manager to review any security breaches that have occurred, and what has been done in response to those breaches
  • The company wants to know what countermeasures can be employed against threats to the physical security of their server storing the customer’s credit card information
  • The company is most worried about hackers who may want to gain the credit card details of its customers. They want to ensure that the database server that will be storing the credit card details is on the most secure part of the network.
  • The company is also worried about ‘for play’ hackers who may want to compromise their website for ‘fun’, so your network security needs to cater for this.
  • The company has employed an information auditor as a consultant, who has prepared the following table showing the asset, threat, single loss occurrence (SLO), and annual rate of occurrence (ARO)

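| No. | Asset                                  | Threat             | SLO ($) | ARO |
|-----|----------------------------------------|--------------------|---------|-----|
| 1.  | Network server                         | Fun hackers        | 400     | 5   |
| 2.  | Credit card details on database server | For profit hackers | 20,000  | .5  |
| 3.  | Router                                 | Fun hackers        | 1000    | .25 |
| 4.  | Web server                             | both               | 2000    | 3   |
| 5.  | Malware/trojans                        | both               | 1000    | 15  |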

  • The company wants to allow web site traffic (HTTP and HTTPS), email traffic (SMTP), remote desktop traffic (RDP), and network support (via SSH) into its network from the internet. The only traffic it wants to allow out of the network is HTTP/HTTPS and SMTP.
  • The company has set up an InfoSec working committee, which is overseeing all plans, policies and projects to do with network security in the company. The members of that committee are Mr. Black, the company CEO, Ms. White, the IT manager, and Mr. Green, the external information auditor consultant.
  • The company has also calculated that any downtime on the shared server in use for filesharing and email will, due to the lost productivity, cost the company around $1000 per hour of downtime. The company has also been advised by the information auditor that the loss of customer credit card information, which includes both the ALO figure and reputational damage to the business, would result in lost business of around $5,000 per annum. As such, the company is very concerned to defend itself against these kinds of attacks.
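
The traffic policy stated in the scenario can be written down as a default-deny check and run over observed flows to find the ones that should be blocked and logged. This is an added example, not part of the original assessment brief; the names `Flow`, `decide` and `audit`, the standard well-known TCP port numbers, the treatment of reply traffic as allowed, and the sample flows are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Well-known TCP ports for the services the scenario names (assumed defaults).
SERVICES = {"HTTP": 80, "HTTPS": 443, "SMTP": 25, "RDP": 3389, "SSH": 22}

# Policy from the scenario: services allowed to open a connection per direction.
POLICY = {
    "in": {"HTTP", "HTTPS", "SMTP", "RDP", "SSH"},   # internet -> network
    "out": {"HTTP", "HTTPS", "SMTP"},                # network -> internet
}

@dataclass(frozen=True)
class Flow:
    direction: str             # "in" or "out"
    proto: str                 # "tcp" or "udp"
    dport: int                 # destination port
    established: bool = False  # reply belonging to an already allowed connection

def decide(flow):
    """Return (verdict, reason); anything not explicitly allowed is denied."""
    if flow.established:
        return "allow", "reply traffic for an allowed connection"
    if flow.proto == "tcp":
        for name in sorted(POLICY.get(flow.direction, ())):
            if SERVICES[name] == flow.dport:
                return "allow", f"{name} permitted {flow.direction}bound"
    return "deny", f"{flow.proto}/{flow.dport} not in {flow.direction}bound policy"

def audit(flows):
    """Return (flow, reason) for every flow the policy denies."""
    results = [(f, decide(f)) for f in flows]
    return [(f, reason) for f, (verdict, reason) in results if verdict == "deny"]

# Constructed sample flows (not from the page).
SAMPLE = [
    Flow("in", "tcp", 443),
    Flow("in", "tcp", 3389),
    Flow("out", "tcp", 22),                       # SSH is inbound-only in the scenario
    Flow("out", "udp", 53),                       # DNS is not on the outbound list
    Flow("out", "tcp", 49152, established=True),  # reply to an inbound session
    Flow("in", "tcp", 3306),                      # database port is never exposed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"DENY {flow.direction:>3}  {reason}")
```

Taken literally, the outbound list has no entry for DNS, so name resolution for outbound web and mail traffic has to be handled by a resolver the design accounts for separately.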

Report Requirements

Prepare a report for the company outlining your proposed network security plan that addresses these requirements. At a minimum, your report should include the following:

 

  1. Identify the threats BuyThisShoe faces.
     • You should document the threat, likely motivations, and what kind of vulnerabilities each kind of attacker targets, and how the attacks occur.
     • You should also assign a threat level of high, medium or low to each of your identified threats.
     • You should create a table showing the threat type, the motivations, the vulnerabilities exploited/how attacks occur, and the threat level.
  2. Analyse security risks.
     • Here you will identify the assets that require protection, calculate their value to the organisation and create a risk management plan for managing the risks.
     • You should create a table showing the asset name, the asset value/outage cost, and the main elements of the risk treatment plan for managing the risk.
  3. Create a security design.
     • Identify attacker scenarios and threats, and specify security measures to counter those threats.
     • You should also describe security policies that can be put in place to counter these threats.
     • Also describe who in BuyThisShoe would review your proposed policies, and thus provide any needed feedback on your proposals.
     • You should also be prepared to role play obtaining feedback about your security design, where the trainer plays the role of the client who will question you about your plan. This role play could take place in class or when you present your assignment for assessment.
  4. Design and implement responses to security incidents.
     • Describe what information you are proposing to log about any security incidents.
     • Describe also what configurations/technologies and policies would need to be deployed to support your proposed incident response system.
     • Describe how such a plan should be tested, and who would need to review and sign off on the incident response proposals.
  5. Design network controls.
     • Describe at least two network controls you would put in place to support your proposed security plan. (These can be technical, administrative or physical controls – you can choose any type, as long as you provide at least two examples of a control to support your plan).
