Security Assignment 1.docx-1
Learner declaration:
I certify that the work submitted for this assignment is my own and research sources are fully acknowledged.
Grading grid
P1 P2 P3 P4 M1 M2 D1
Assignment title Assignment 1: Security introduction
In this assignment, you will have opportunities to provide evidence against the following criteria.
Indicate the page numbers where the evidence can be found.
Summative feedback:
Assignment Brief
Scenario:
Bay Pointe Security Consulting (BPSC) provides security consulting services to a wide range of
businesses, individuals, schools, and organizations. Because of its reputation and increasing demand
for its services, BPSC has partnered with a local college to hire technology students
close to graduation to assist them on specific projects. This not only helps BPSC with their projects but
also provides real-world experience to students who are interested in the security field. A local
business organization is conducting a series of iceTea Hacking meetings during the month for citizens
and small business owners to learn more about security. BPSC has been asked to present sessions on
some topics such as the fundamentals of security, network security and business continuity. Because
you are completing your degree, BPSC has asked you to prepare training materials for the class.
Submission Format
The submission is in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of headings,
paragraphs and subsections as appropriate, and all work must be supported with research and
referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard
referencing system. The recommended word limit is 2,000–2,500 words, although you will not be
penalised for exceeding the total word limit.
LO1. Assess risks to IT security
The term Information Security, often shortened to InfoSec or IS, can be viewed as both a goal and
a process. Examining the goal together with the process by which it is accomplished helps to build a
solid definition of what InfoSec is. It commonly refers to the task of protecting the confidentiality,
integrity and availability (the CIA triad) of information stored in digital form. It guards against
illegitimate access, exposure or alteration, and against any other intentional or unintentional action
that may harm the information.
However, it cannot completely remove the risk of attack or guarantee that a system is totally safe.
The goal of InfoSec is to ensure that protective procedures are properly implemented to prevent
attacks and to limit the damage to an acceptable degree if an attack does succeed.
InfoSec can be thought of as a never-ending war between two sides: attackers are the people who
exploit weaknesses in a system, while defenders are those who must respond with an improved
defense. Since this war is endless, it is better to maintain an equilibrium between the two sides than
to try to achieve a complete victory.
Just as a real battlefield has attackers made up of different forces (army, navy, air force, marines,
etc.), the InfoSec war zone is no different. Different types of threats require different defensive
tactics to keep them from harming the system.
1. Malware Attacks
Malware, or malicious software, is any program intentionally designed to perform unwanted and
harmful operations on a computer, server or network. It is the collective name for a vast range of
threats that includes viruses, worms, trojan horses, spyware, ransomware, adware, etc.
These malicious programs can perform a variety of functions, such as stealing, encrypting or
deleting sensitive data, altering or hijacking core computing functions, and monitoring users'
computer activity without their permission. They can be categorized by their infection methods and
by their actions.
Infection
Virus: Viruses replicate themselves by secretly attaching to other files or programs on the host
computer, and they execute whenever an infected file is opened.
Worm: Worms share the ability to self-replicate with viruses, but they can do so without
hooking themselves to other files. Typically, they also exploit security vulnerabilities to
spread quickly without any human interaction or directives from the malware authors.
Trojan: Like the ancient Greek soldiers who hid in a giant horse to deliver their attack, this type
of malware, despite having no ability to replicate, disguises itself as legitimate software
and tricks users into activating it so that it can cause damage and spread.
Bots: “Bot” is derived from the word “robot” and denotes an automated process that interacts
with other network services over the Internet. Malicious bots are self-propagating
malware that infects its host and connects back to a central server, which functions as a
command and control center for the botnet. In reality, bots are also used for good purposes
such as gathering information or instant messaging; in those cases, bots cannot be considered
a type of malware.
Actions
Adware: Adware is not very destructive, but it does breach users' privacy. By secretly
tracking users’ browser and download history, it continuously displays relevant pop-up or
banner advertisements on the infected computer’s screen.
Spyware: This term refers to a program that silently spies on users. It hides in the
shadows, observes users’ activities on their computer without their permission, then
reveals the collected information to interested parties. The most common spyware is the
KEYLOGGER. It stealthily captures user keystrokes with timestamps to collect sensitive
information like usernames, passwords, credit card details, etc.
Ransomware: A type of malware designed to infect users’ systems and encrypt their
data. It is able to lock down the system partially or wholly until the victim pays a
ransom to the attacker. WannaCry is one of the most destructive ransomware attacks in
history. It started in mid-2017 and was reported to cost almost $4 billion.
Rootkit: A collection of software tools designed to help a threat agent gain remote
access and administrative privileges on the user's system.
Logic bomb: A malicious program that lies inactive after installation but causes
harm when triggered by some specific event, such as launching an application or
reaching a specific date/time. Sometimes it is used to prohibit users
from using an application after its trial period.
2. Social Engineering Attacks
Social Engineering is a term used to refer to a broad range of malicious activities accomplished
by exploiting the weaknesses of individuals, and it may not require technology at all. It may include
psychological manipulation as well as physical procedures.
Psychological
Social engineering attacks largely rely on psychology, that is, on a mental and emotional
approach rather than a physical one. In essence, psychological manipulation in social engineering
means that the attacker skilfully exploits human nature in order to persuade victims to give
out confidential information or take actions that may not be in their best interests. This approach
applies 6 key principles, listed below, to increase its effectiveness.
Social engineering psychological approaches often involve impersonation,
phishing, spam, hoaxes, typo squatting, and watering hole attacks.
Impersonation: This technique means disguising oneself as another figure, real or imaginary,
especially someone in authority, and then playing out the role of that character on a victim.
This type of social engineering plays on our natural tendency to believe that people are
who they say they are, and to follow instructions when asked by an authority figure.
Phishing: One of the most common forms of social engineering attack all over the
world. Phishing is typically delivered in the form of an email, chat message or web announcement
that falsely claims to be from a legitimate enterprise, in an attempt to trick users into
providing sensitive information or downloading applications that have no actual
benefit.
Spam: Spam, also known as junk email or trash email, has grown steadily since
the early 1990s and continues to escalate today. It is estimated that 90% of
email messages sent through the Internet are spam. Beyond being annoying, spam also
drastically reduces work productivity as users spend time reading and deleting these
nonsense messages. Another threat of spam is that it can quickly spread malware on a
mass scale.
Hoaxes: A hoax is a fake warning that often claims to come from the IT
department. It deceives users into thinking their system is infected with some kind of
deadly malware and asks them to take specific actions to secure their system,
such as downloading an application or changing security configurations. In doing so, it allows
the attacker to cause actual damage to the system.
Other techniques include typo squatting, watering hole attacks, spear phishing, vishing,
etc.
Physical
Although most social engineering attacks depend heavily on psychological manipulation, there
are other attacks that are based on physical acts. Two of the most common physical procedures
are dumpster diving and tailgating.
Dumpster Diving: This involves digging through trash or garbage looking for items that were
discarded but may provide useful information for an attack. While the term literally
refers to looking through trash, it often extends to almost any method, especially a physical
one, of obtaining something of value. Here are several items that can be retrieved through this process
and how useful they can be.
Tailgating: In a social engineering sense, tailgating is when someone without
appropriate authentication gains unwanted entry into a restricted area by exploiting an
authorized employee of the organization. For example, a tailgater waits at the end of the
sidewalk until an authorized user opens the door, then calls out “Please hold
the door!” and hurries up to the door. In most cases, good etiquette wins out over good
security practices.
3. Application Attacks
Above is an illustration of the concept of a networked computer system, in which a
network is used to connect different clients and servers together. These clients and servers run an
operating system that hosts several different applications, each of which controls its own data.
Although this kind of system has proved useful all around the world, it raises a number
of security concerns stemming from improper coding. These vulnerabilities create many
opportunities for hackers to gain access to databases and exploit sensitive data; this
is known as a web application attack. Attacks on the applications in a networked system can be
directed toward the server, the client, or both at the same time.
Client-side Application Attacks
While server-side web application attacks seek to breach the data and applications that reside on
servers, client-side application attacks explicitly target vulnerabilities in applications on the
desktop environment, such as web browsers and other applications that may initiate a connection to a
malicious server or process malicious data. Simply opening an instant messaging application
can result in an attack, since clients are usually configured to log into a remote
server automatically. Common client-side attacks include header manipulation, cookies, attachments,
session hijacking, and malicious add-ons.
Header manipulation: This is the insertion of malicious data, which has not been
validated, into an HTTP response header. HTTP header manipulation is more a vehicle
through which other attacks are carried out than an attack in itself. An attacker can modify the
headers to pass malicious instructions from a malicious website to the web browser via HTTP
headers.
Cookies:
Attachments:
Session hijacking:
Malicious add-ons:
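As an added example (not code from the report or any of its sources), the check below shows why unvalidated data in a response header matters: a value carrying a line break ends the header line early, so the hardened builder refuses it before the header block is assembled. The two builders, the `TAMPERED_TARGET` value and the small parser are all constructed for this illustration.

```python
import re

# HTTP header field values may contain HTAB, SP, visible ASCII and obs-text
# (RFC 7230 section 3.2); CR, LF and NUL are never allowed inside a value.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjectionError(ValueError):
    """Raised when a value would break out of the header line it is placed in."""


def is_valid_header_value(value: str) -> bool:
    """True if the whole value consists only of characters allowed in a header."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def validate_header_value(value: str) -> str:
    """Return the value unchanged if it is safe for a header, otherwise raise."""
    if not is_valid_header_value(value):
        raise HeaderInjectionError("header value contains CR, LF or another control character")
    return value


def build_redirect_unvalidated(target: str) -> str:
    """'Before' form: the caller-supplied target is copied straight into the response."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def build_redirect_validated(target: str) -> str:
    """Hardened form: the value is validated before the header block is assembled."""
    return f"HTTP/1.1 302 Found\r\nLocation: {validate_header_value(target)}\r\n\r\n"


def header_names(raw_response: str) -> list:
    """Parse the header block of a raw response and return its field names in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if line]


# Constructed value: a redirect target that carries an embedded line break.
TAMPERED_TARGET = "https://example.invalid/home\r\nX-Injected: 1"

if __name__ == "__main__":
    # The unvalidated builder emits a second header the application never intended.
    print(header_names(build_redirect_unvalidated(TAMPERED_TARGET)))  # ['Location', 'X-Injected']
    print(is_valid_header_value(TAMPERED_TARGET))  # False
```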
4. Networking-based Attacks
Instead of targeting applications, this term refers to attacks that place a
higher priority on damaging network systems, since exploiting a single vulnerability in the system
can allow an attacker to proceed to attack thousands of devices on the network. Several
types of attack target a network, including denial of service, interception, poisoning, and
attacks on access rights.
Interception
This is the type of attack that is meant to intercept communication among devices in a
network. One of the most common attacks in this category is the man-in-the-middle attack.
Man-in-the-middle: This type of attack intercepts legitimate communication and forges
a fictitious response between the sender and receiver in a network. It makes it seem as though
two devices are communicating with each other, but they are actually transmitting data to a third
computer without recognizing the situation.
Security procedures are detailed step-by-step instructions, followed as
a consistent and repeatable approach, on how to implement, enable or enforce the security controls
enumerated in your organization’s security policies. Security procedures should cover the
multitude of hardware and software components in order to provide the best protection for your organization.
Although building a defense system against sophisticated attacks can be a complex process,
not all defenses are necessarily complicated or difficult to implement. Attacks often succeed because
basic security measures are lacking.
Basic security procedures involve protecting the host, the application and the data.
Each of these is an ideal target for attackers and demands appropriate safeguards. A proper security
system should be established using both physical means and technology.
The task of securing the host includes protecting the physical device itself and securing the OS
software running on the host with the help of antimalware software. Some of the methods that
should be applied to increase the safety of the host device are using security controls, building external
perimeter defenses, installing internal physical security, and hardware security.
Security Control: Any device or process that is used to mitigate the risk of being exposed to
danger is called a security control. Typically, two layers constitute a complete
security control system. The first layer, called administrative controls, consists of processes that develop
policies on what users can do, must do, and cannot do. The second layer, called technical
controls, consists of those controls that are carried out and managed by devices.
External Perimeter Defenses: This is a defense layer designed to restrict access to
the area where the host device is located. It usually includes building
fences or barriers, hiring guards, and installing CCTV and motion detection devices to improve
security.
Internal Physical Security: This is the next level of the defense system and blocks
an intruder who manages to bypass the external perimeter defenses. It primarily focuses on
protecting the interior of the area using hardware locks, proximity readers, mantraps, etc.
Hardware Security: The last layer, which has the duty of protecting the hardware of the host
system and preventing it from being damaged or stolen. It often uses prewired safes or
cabinets to store the devices that need protection.
Not only the hardware but also the OS software that runs on the host must be properly protected.
Below are some methods of securing the OS.
Security through configuration: This approach enhances the security of an OS through
proper configuration of its built-in security features and hence fortifies the system.
Security through design: Instead of fortifying an existing OS, this approach tightens
security policies from the initial design and coding of the OS. This process is also called OS
hardening, and any OS produced in this way is called a trusted OS.
Securing with Antimalware: Third-party antimalware software can be installed to provide
more security for the system. Antimalware software includes antivirus, antispam, pop-up
blockers, antispyware, and host-based firewalls.
The table below lists some basic defensive procedures against direct attacks on devices in a
static environment.
4. Application Security
Applications are also important components of the system, and they need to be protected just as
much as the OS software on hosts and in static environments. Application security procedures
include application development security, and application hardening and patch
management.
Application development security: The core idea of this method is that security
should be integrated into all phases of the software development life cycle,
including the design, development, testing and maintenance of the applications.
Application hardening and patch management: This approach attempts to mitigate
vulnerabilities in software applications and hence reduces the risk of their being exposed
to attackers. Fewer flaws in the applications means that the chance of a successful attack is
greatly reduced.
5. Securing Data
Data is one of the most important assets of any organization. In particular, Big Data, which
refers to collections of data sets so large and complex that they are difficult to process using on-hand
database management tools or traditional data processing applications, is controlling the flow of our
modern world. It is through data collection that a business or its management gets the quality
information it needs to make informed decisions through further analysis, study and research.
Without data collection, companies would stumble around in the dark, using outdated methods to
make their decisions. Data collection instead allows them to stay on top of trends, provide answers
to problems, and analyze new insights to great effect.
In order to protect all of this data from falling into the wrong hands, security experts employ
data loss prevention (DLP). It is a system of security tools used to determine which data is
critical to the organization and to ensure that it is properly protected from being breached. This
protection involves monitoring who is using the data and how it is being accessed. It inspects data
in whichever of its three states it resides: in use, in transit or at rest. A DLP system often uses
several techniques and technologies to achieve its ultimate goal, such as content inspection, index
matching, etc.
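As an added illustration (not code from the report or its sources) of the two DLP techniques just named, the Python below inspects an outbound message, i.e. data in transit, with content inspection (payment card numbers found by pattern and confirmed with the Luhn checksum, so random digit runs are not flagged) and index matching (sentences fingerprinted by hash against a set of classified documents). The sensitive document, the sample message and every function name are constructed for this example.

```python
import hashlib
import re

# Constructed: documents the organisation has classified as sensitive, keyed by name.
SENSITIVE_DOCUMENTS = {
    "q3-board-minutes": "Board resolved to acquire Example Widgets Ltd in Q4.",
}

# Constructed: an outbound email body that a DLP gateway would inspect in transit.
SAMPLE_OUTBOUND_EMAIL = (
    "Please charge 4111 1111 1111 1111 for the order. "
    "Board resolved to acquire Example Widgets Ltd in Q4."
)

# 13 to 16 digits, optionally separated by single spaces or hyphens.
_CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Content inspection: candidate card numbers that also pass the Luhn check."""
    hits = []
    for match in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def _fingerprint(sentence: str) -> str:
    # Normalise case and whitespace so trivial edits do not defeat the match.
    return hashlib.sha256(" ".join(sentence.lower().split()).encode()).hexdigest()


def build_fingerprint_index(documents: dict) -> dict:
    """Index matching, step 1: map the hash of each sentence to its source document."""
    index = {}
    for name, body in documents.items():
        for sentence in _SENTENCE_SPLIT.split(body):
            if sentence.strip():
                index[_fingerprint(sentence)] = name
    return index


def find_fingerprint_matches(text: str, index: dict) -> list:
    """Index matching, step 2: names of indexed documents whose sentences appear in the text."""
    names = set()
    for sentence in _SENTENCE_SPLIT.split(text):
        name = index.get(_fingerprint(sentence))
        if name is not None:
            names.add(name)
    return sorted(names)


def inspect_outbound(text: str, index: dict) -> dict:
    """Verdict for one message: block if either technique finds protected content."""
    cards = find_card_numbers(text)
    documents = find_fingerprint_matches(text, index)
    return {"block": bool(cards or documents), "cards": cards, "documents": documents}


if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_OUTBOUND_EMAIL, build_fingerprint_index(SENSITIVE_DOCUMENTS)))
```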
P3. Identify the potential impact to IT security of incorrect configuration of firewall policies
and third-party VPNs.
Misconfiguration of firewall policies and VPNs can lead to several serious threats to the
security of user systems. Recently, such vulnerabilities were exploited by cybercriminals to spread
ransomware across the Internet, and as a consequence governments and organizations had to
spend billions repairing the damage. Global productivity also declined significantly due to
those attacks. Below are some of the biggest ransomware attacks in history.
1. WannaCry
WannaCry is a ransomware worm that appeared in mid-2017 in Europe. Within two weeks, WannaCry spread
like wildfire, infecting almost every corner of the globe. According to a report, more than 250,000
systems in 150 countries were corrupted. It is considered one of the most aggressive and
widespread cyber attacks in history. The total damage that WannaCry caused was approximately $4
billion.
The main targets of WannaCry were computers running the Microsoft Windows OS. It
infected them through EternalBlue, an exploit developed by the U.S. National
Security Agency. The exploit was leaked by a hacker group called the Shadow Brokers a few months
prior to the attack.
Because the EternalBlue exploit works over the Internet without requiring any user interaction,
WannaCry was able to distribute itself so quickly and on such a mass scale that the InfoSec community did
not have time to respond and deliver a patch before WannaCry had caused a massive amount of damage.
It also cannot be denied that the lack of security practice among the employees of the affected
organizations was a major reason why WannaCry was so effective.