assignment
Faculty of Computing, Engineering and Media
Coursework Brief 2019/2020
Module name: Emerging Topics in Security
Module code: CTEC3753
Title of the Assignment: Yahoo and more
This coursework item is: (delete as appropriate) Summative
This summative coursework will be marked anonymously: No
The learning outcomes that are assessed by this coursework are:
1. Critical analysis of cyber security incidents and response.
2. Broad knowledge of and insight into modern threats and controls.
3. Independent study and critical analysis of cyber incidents as presented in the press, blogs, and scientific papers.
4. Understanding and experience of communication with a variety of audiences regarding cyber security.
This coursework is: Individual
This coursework constitutes 100% of the overall module mark.
Date Set: 31 October 2019
Date & Time Due: 6 Dec 2019 12:00 noon
Your marked coursework and feedback will be available to you on: 17 January 2020
If for any reason this is not forthcoming by the due date your module leader will let you know why and when it can be expected. The Associate Professor Student Experience (studentexperience-tech@dmu.ac.uk) should be informed of any issues relating to the return of marked coursework and feedback. Note that you should normally receive feedback on your coursework by no later than 20 University working days after the formal hand-in date, provided that you have met the submission deadline.
When completed you are required to submit your coursework via: TurnItIn on BlackBoard
If you need any support or advice on completing this coursework please visit the Student Matters tab on the Faculty of Technology Blackboard page.
Late submission of coursework policy:
Late submissions will be processed in accordance with current University regulations which state: “the time period during which a student may submit a piece of work late without authorisation and have the work capped at 40% [50% at PG level] if passed is 14 calendar days. Work submitted unauthorised more than 14 calendar days after the original submission date will receive a mark of 0%. These regulations apply to a student’s first attempt at coursework. Work submitted late without authorisation which constitutes reassessment of a previously failed piece of coursework will always receive a mark of 0%.”
Academic Offences and Bad Academic Practices: These include plagiarism, cheating, collusion, copying work and reuse of your own work, poor referencing or the passing off of somebody else's ideas as your own. If you are in any doubt about what constitutes an academic offence or bad academic practice you must check with your tutor. Further information and details of how DSU can support you, if needed, is available at: http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/academic-offences.aspx and
|
|
Task 1: Attack analysis
Two of the worst password breaches in recent history were the ones on Yahoo in 2013 and 2014, likely affecting all their customers.
https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/
https://nakedsecurity.sophos.com/2018/04/23/yahoo-mega-breach-hacker-faces-nearly-8-years-in-prison/
https://www.theguardian.com/technology/2018/jun/12/yahoo-fined-hack-ico-uk-accounts-russia
Answer the following questions in a report. | Marks
What information was taken from Yahoo? | 2
What went wrong and why? Indicate vulnerabilities that were exploited, apply any relevant models | 4
What can or has been done with the information released? | 8
How have they recovered from the attack and how have others responded? | 4
In your opinion should they have done anything differently? | 6
Discuss any drawbacks of their response and your suggestions. | 6
Making a sound argument, critical analysis, including introduction of the problem at hand, discussion, conclusions, references, etc. | 15
Total | 45
Word limit for this task: 1500.
Task 2: Protecting yourself against cryptojacking
“Mining” for cryptocurrencies requires a lot of computing power, so malware criminals have taken up “cryptojacking”, installing code on victims’ machines or websites that helps the criminals with mining. Analyse the risk of cryptojacking malware infection and the best way of protecting an organisation like De Montfort University from it.
https://www.ccn.com/cybercriminals-are-moving-from-ransomware-to-cryptojacking-kaspersky-lab/
https://www.computerweekly.com/feature/Businesses-need-to-take-cryptojacking-seriously
This involves answering the following questions, using any frameworks and methods covered in the module or others:
Answer the following questions in a report. | Marks
What assets are potentially affected by cryptojacking and thus need to be protected? | 4
What would the impact of a successful attack on these assets be? | 4
Through which routes might cryptojacking malware come into your system? | 6
What measures would you put in place to prevent cryptojacking attacks within your organisation? | 8
What measures would you put in place to detect a possible cryptojacking malware infection? | 4
What measures would you put in place to minimise the effect of a possible cryptojacking malware infection? | 4
Making a sound argument, critical analysis, including introduction of the problem at hand, discussion, conclusions, references, etc. | 15
Total | 45
Word limit for this task: 1500.
Answers in this coursework, using the DMU standard policy, are allowed to exceed the word limit by up to 10% without penalty, and then a penalty may be applied of up to 20% of the marks for answers that exceeded the word limit by up to 30%. Any content that exceeds the word limit by over 30% would not be marked and hence not contribute to the final mark.
|
|
Task 3: Seminar Worksheets
As part of the appendices of your main document include all completed seminar worksheets in numerical order.
Worksheet | Marks
Worksheet 1: Basic Crypto | 2
Worksheet 2: Attack/Defend the BMW X8 | 2
Worksheet 3: Usable Security | 2
Worksheet 4: Symmetric Crypto | 4
Total | 10
The worksheets do not count towards your overall coursework word limit.
How your work will be marked:
In order to achieve a 70%+ (First Class) grade, the work must be excellent in almost all respects, only very minor limitations.
In order to achieve a 60-69% (2.1) grade, the work should show strength in most respects. Whilst there may be some limitations in the tasks, it is still a very good piece of work.
In order to achieve a 50-59% (2.2) grade, the work should be of a good standard in several respects.
In order to achieve a 40-49% (3rd class) grade, the work should be of satisfactory standard, showing strength in a few tasks, but let down by some other aspects.
A 0-39% (Fail) grade will be given where the work contains serious errors/limitations. (0% is used either when nothing is correct or no attempt is made.)
The marks will be determined in the first place according to the detailed marks breakdown given below. In addition, the marking grid below will be used particularly for the “Making a sound argument (etc) parts” (2x20 marks) and as a sanity check on the overall mark, for both parts.
Module leader/tutor name: Nick Ayres
Contact details: nick.ayres@dmu.ac.uk, GH4.75
Marking grid for CTEC3753 coursework: argumentation and critical analysis
Criteria | 0-39% (Fail) | 40-49% (3rd) | 50-59% (2.2) | 60-69% (2.1) | 70%+ (1st)
Case Articulation (summary of the case) | Little to no attempt at summing up the case and articulating the high-level security risk assessment | Reasonable attempt at summing up the case and articulating the high-level security risk assessment | Decent attempt at summing up the case and articulating the high-level security risk assessment | Most essential aspects of the case covered. Good attempt at articulating the high-level security risk assessment | Complete summary and critical analysis of the case. Excellent articulation of the high-level security risk assessment
Threats Analysis and Risk Assessment (the assets, vulnerabilities, threat sources and threat actors, security recommendations) | Not acceptable; large sections are missing; Little to no attempt at threats analysis and risks assessment are made | Serious gaps in coverage; analysis and risks assessment mostly on a common sense rather than systematic base | Acceptable, but not all aspects covered; some attempt to perform a threats analysis and risks assessment are made using terminology of the module | Good coverage of all or most aspects; good threats analysis and risks assessment are in places | Excellent coverage; evidence of good understanding of all aspects; authoritative and comprehensive threats analysis and risks assessment
Breach announcement and recovering from the attack | Not acceptable; large sections are missing; Little to no attempt at discussion made | Serious gaps in coverage. Minimal discussion. | Acceptable, but not all aspects covered; some attempt at discussion made | Good coverage of all or most aspects; good critical analysis in places | Excellent coverage; evidence of good critical understanding of all aspects; authoritative and comprehensive
Structure, presentation, language and citation of the report | Not acceptable; not structured; Little to no attempt at formatting text and citing authoritative resources and/or English level is not understandable | Just about acceptable, but not well-structured and presented reporting, with little citation, variable level of English | Acceptable, but not very well-structured and presented reporting, with little citation, acceptable level of English | Good and well-structured report, presentation supported by graphical illustration when needed, well-cited, the command of English is good | Excellent structure of the report, presentation supported by graphical illustration when needed, extensively-cited, excellent command of English; authoritative and comprehensive
Overall Grade | | | | |