“ZYX” is a manufacturer of components for bicycles. It used to run its IT services in-house until three years ago, when, as part of a cost-cutting exercise, the activities of the IT department were outsourced to an external provider called “ECT”.
As a result, the computers currently used by the company are set up, configured and managed by the external provider. “ZYX” still has a small IT department, which mostly maintains end-user applications. The IT department also carries out a range of onsite interventions, sometimes under the guidance of “ECT”.
The IT department does not include any security specialist, but it has raised a concern regarding the security of the systems currently managed by “ECT”. It is worried that potentially vulnerable software remains installed on the systems even though updates for it have been available for some time.
The IT department raised the issue with management, which initially ignored the concern. However, after a formal consultation with the workers’ representatives, management agreed that an independent audit should be carried out. Management was persuaded by the fact that the initial 4-year contract with “ECT” is going to expire in 12 months.
The company has agreed to appoint two security analysts, who will work independently. As one of the two auditors, you are asked to analyse several systems and make an assessment of their security. The systems provided are clones of existing ones, so there is no concern about damage your analysis could cause to production systems. You are only subject to a standard non-disclosure agreement (NDA).
The choice of systems is beyond your control. The main output of your analysis will be a report made available to the company, including the IT department. A third independent security advisor will help the stakeholders to understand the technical parts of the reports, and to progress with the next phases of the decision-making.
You should analyse the given systems (links to virtual machines are available on Blackboard), focusing on the security aspects. Your work will consist not only in identifying existing vulnerabilities and misconfigurations, but also in making an earnest effort to demonstrate in practice how such vulnerabilities can be exploited. The report is intended for a technically knowledgeable audience, but it should be introduced by a short executive summary for a broader audience.
Although you are allowed to use automated tools, the company has made a specific request that, whenever feasible, you use manual (or scripted) examples to demonstrate the attacks, as these provide a clearer explanation of the vulnerability being exploited.
In some cases, you are provided with credentials to access the systems. They are given to you so that you can study the system. You should therefore carefully consider both black-box and white-box attacks, and under which circumstances each attack is feasible: for example, whether an attack requires the credentials you were given (or an equivalent insider position), or whether it can be carried out by an unauthenticated attacker.
Your report should also include some advice on the implementation and evaluation of appropriate security measures to be applied as a follow-up of your investigation.
The report (approximately 4000 words, submitted in PDF format), should include at least the following elements (xx% indicates the weight in the mark allocation, total 100%):
- An executive summary (max 300 words) (5%)
- Demonstration of understanding of the scenario and discussion of how to carry out the security analysis, also in consideration of ethical and legal aspects. (10%)
- Investigation of the given environment to identify security issues (25%)
- Attacks demonstrating vulnerabilities (25%)
- Select and justify appropriate security measures informed by appropriate research, considering relevant research papers (25%)
The remaining 10% of the final grade is allocated based on the overall quality of the report: formatting, completeness, readability, and appropriate referencing.
This ICA will assess these learning outcomes:
- Communicate findings from investigative tasks clearly, fluently, and effectively in a professional manner.
- Demonstrate understanding of the tools and skills employed by network attackers.
- Select and justify appropriate security measures informed by appropriate research to satisfy stated objectives.
- Demonstrate a comprehensive and detailed understanding of information and network security principles.
- Synthesise and evaluate appropriate data for a given scenario to make informed computer security judgements.
- Act autonomously with limited supervision when investigating simulated computer security scenarios.
- Critique appropriate methods of protecting networks and systems that are legal, ethical, and professional.