Applied Project
Assessment Brief: BIS3004 IS Security and Risk Management
Trimester-2 2024
Assessment Overview
Assessment Task
Type Weighting Due Length ULO
Assessment 1: Case Study Write a report to discuss recent types of information security attacks, protection mechanisms and risk management.
Individual
30% Week 6 2500 words
ULO-2 ULO-3 ULO-4
Assessment 2: Quiz Quizzes assess students’ ability to understand theoretical materials. The quiz will be either multiple choice questions or short questions which are relevant to the lecture materials.
Individual
Invigilated
30%
Week 3, 4, 6, 8,
10
700 words
ULO-1 ULO-2 ULO-3 ULO-4
Assessment 3: Laboratory Practicum Lab activities and exercises assess students’ ability to understand theoretical materials.
Individual
Invigilated
10%
Weekly
equiv. 2300
words
ULO-1 ULO-2 ULO-3 ULO-4
Assessment 4: Applied Project Discuss and implement IS security protection techniques and implement access control under Linux.
Group
30%
Week 12
2500 words
ULO-1 ULO-2 ULO-3 ULO-4
equiv. – equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is
equivalent to the normally expected time requirement for a written submission containing the specified
number of words.
Note for all assessment tasks:
• Students can generate/modify/create text generated by AI. They are then asked to
modify the text according to the brief of the assignment.
• During the preparation and writing of an assignment, students use AI tools, but may
not include any AI-generated material in their final report.
• AI tools are used by students in researching topics and preparing assignments, but
all AI-generated content must be acknowledged in the final report as follows:
Format
I acknowledge the use of [insert the name of the AI system and link] to [describe how it was used]. The prompts used were entered on [enter the date in ddmmyyy:] [list the prompts that were used]
Example
Assessment 1: Case Studies (Use case analysis, Risk Identification and
Assessment)
Due date: Week 6
Group/individual: Individual
Word count / Time provided: 2500
Weighting: 30%
Unit Learning Outcomes: ULO-2, ULO-3, ULO-4
Justification
There is a noticeable increase in the occurrence of data intrusions within the financial and healthcare
sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and
policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse
trend.
In the past 4 years, numerous data breaches have occurred in Australia. Several of them affected many
users. Table 1 is a comprehensive compilation of noteworthy instances of data breaches that have
transpired in recent years.
Table 1: Major Data Breach Incidents in Australia
Company Name Date of Impact
Latitude March 2023
Medibank December 2022
Optus September 2022
Eastern Health March 2021
Northern Territory Government February 2021
Canva May 2019
Australian Parliament House February 2019
Tools I acknowledge the use of ChatGPT https://chat.openai.com to create content to plan and brainstorm ideas for my assessment. The prompts used were entered on 18 March 2023:
• What are some key challenges in running an online business?
Approach Analysis You are required to choose one of the data breaches from the list above in Table 1 and create a report
on it. Your report must include the following information.
1. Detail of the Attack:
This section of your report should include the elements below.
• What was the attack? What vulnerability was exploited?
• Was the vulnerability already known? When did it happen?
• Were there any controls implemented against the vulnerability and yet it was
exploited?
2. Analysis and Action:
This section of your report should include the elements below.
• When and how did the target figure out about the attack?
• For how long, the risk was not actioned?
• Did the organisation have a risk assessment policy and procedure?
• Did the organisation maintain a risk register?
• Was the vulnerability included in the risk register?
• How was the risk perceived (critical/non-critical/high/medium/low)?
• What the attacker(s) did, stole, and wanted?
• Did the organisation pay anything because of the attack?
• What action did they adopt to avoid further damage?
3. Risk assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
Risk Identification and Assessment
In this section, you need to identify risks and conduct an analysis of the selected use case. Regarding
the selected scenario, reasonable assumptions can be made if they are adequately documented and
supported. To perform risk identification and analysis, you can choose either of the following tools or
a combination of them.
• Factors Analysis in Information Risk (FAIR)
• NIST Privacy Risk Assessment Methodology (PRAM)
• NIST CyberSecurity Framework (CSF)
Assessment Description
Assume you have been recruited as a cybersecurity specialist by the client organisation (the use case
you chose). You are responsible for conducting a security risk assessment and preparing this report
for the board members. In most organisations, board members have minimal levels of computer
literacy and risk-related knowledge. Include the following information in your report preparation:
1. Introduction
2. Details of the attack
3. Analysis and action
4. Risk Assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
5. Conclusion
6. References
Note: Your responses to the above questions must be supported by APA-style citations and
references.
Additional Information
When conducting research, you may find the following URLs or research tools useful:
✓ https://ieeexplore.ieee.org/Xplore/home.jsp
✓ https://dl.acm.org/
✓ https://scholar.google.com/
Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30% of the total unit mark.
Marking Criteria
Not satisfactory
(0-49%) of the criterion mark
Satisfactory
(50-64%) of the criterion mark
Good
(65-74%) of the criterion mark
Very Good
(75-84%) of the criterion mark
Excellent
(85-100%) of the criterion mark
Introduction (10 marks)
The introduction lacks clarity, and an engaging hook, and disorganised, lacks originality
The introduction is generally clear, includes a moderately engaging opener, presents a well- articulated statement, about the topic, provides some pertinent context, is adequately organised, and lacks significant originality.
The introduction is clear, contains an engaging hook, presents a well- articulated statement, about the topic, provides relevant context, and is well- organized.
The introduction is well written with a clear discussion about the case analysis, Risk Identification and Assessment
The introduction is exceptionally clear, contains a highly engaging hook, presents a well- articulated topic, provides pertinent context, is flawlessly organised, and demonstrates originality.
Details of the Attack (15)
The report lacks clarity and detail, providing little to no information about the details of the attack and its various aspects.
The report provides a basic overview of the details of the attack, covering some of the necessary details but lacking depth in one or more areas, such as what vulnerability was exploited.
Generally, good discussion about the details of the attacks , including clear identification, a thorough explanation of the attack
Very clear discussion about the details of the attack. The answer is supported with reference and in-text citations
In-depth and very clear discussion about the details of the attack. Accurate answers are supported with reference and in-text citations
Analysis and action (10)
Poor discussion with irrelevant information
A brief discussion about the analysis and action. The analysis
Generally, good discussion regarding the analysis and
Very clear discussion about the analysis and action. The answer is
In-depth and very clear discussion about
provides a basic impact assessment but lacks comprehensive details.
action. The impact assessment is reasonable but may lack some depth
supported with references and in-text citations
the analysis and action. The report provides a complete strategy of how the target found out about the attack and the way they dealt with it with accurate answers supported with references and in-text citations.
Risk Identification (15)
Poor discussion with irrelevant information
A brief discussion about risk identification. Displayed a basic understanding of the threat landscape but it lacks depth. One of the provided tools was not utilised correctly.
Generally good discussion about risk identification. Shows a good grasp of the threat landscape but may overlook using one of the given tools.
Very clear discussion regarding risk identification. Properly use one of the given tools. The answer is supported by the reference and in-text citation
Using one of the
provided tools
demonstrates an
exceptional
understanding of the
threat landscape with
accurate responses
supported by
references and in-text
citations.
Risk Analysis (15)
Poor risk assessment. No assets were mentioned, nor were any threats evaluated.
A brief discussion about risk analysis. Few threats are evaluated.
Some relevant assets were identified, but important ones are missing. Some threats were assessed but lacked detail or accuracy.
Most relevant assets are identified with minor omissions or inaccuracies. Well- documented threats with minor omissions or inconsistencies. The answer is supported with reference and in-text citation
A very clear and in-depth Comprehensive identification of all relevant assets, including data, systems, and applications. A thorough assessment of potential threats, their likelihood, and potential impact. The answer is supported with reference and in- text citation
Risk Evaluation (20)
Poor evaluation of risk. There are no identified threats or vulnerabilities.
A brief discussion about risk evaluation. Few threats and vulnerabilities are identified.
Most threats are identified, but some important ones are missing. Some vulnerabilities were identified, but important ones are missing.
Comprehensive threat identification with minor omissions. Most vulnerabilities were identified and assessed with minor omissions. The answer is supported with reference and in-text citation
Thorough identification of potential threats, including emerging and known threats. Comprehensive identification and evaluation of vulnerabilities. The answer is supported with reference and in-text citation
Conclusion (10)
The conclusion is unclear, fails to summarize key points, has little to no impact, lacks coherence, and lacks originality
The conclusion is somewhat unclear, lacks a thorough summary of key points, has a limited impact, struggles with coherence, and lacks originality.
The conclusion is generally clear, summarizes key points adequately, has a moderate impact, maintains satisfactory coherence, and lacks significant originality.
The conclusion is clear, effectively summarizes key points, has a positive impact, maintains good coherence, and shows some originality.
The conclusion is exceptionally clear, effectively summarizes key points, has a significant impact, maintains excellent coherence, and demonstrates originality.
Formatting and referencing (5 marks)
Includes misspelt words, incorrect language, incorrect punctuation, improper formatting, and reference citation based on applicable standards; satisfies minimum page length requirements
Few spelling, grammatical, and punctuation problems are present. A few formatting or citation problems according to proper standards; fulfils minimal page requirements.
Few spelling, grammatical, and punctuation problems are present with a few citation problems
Few spelling, grammatical, and punctuation problems are present.
There are no spelling or grammar mistakes. The paper's format and citation of sources conform to applicable criteria; the minimum number of pages is met.
Assessment 2: Quiz
Due date: Week 3, 4, 6, 8, 10
Group/individual: Individual-Invigilated
Word count / Time provided: 700
Weighting: 30% quizzes
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4
Assessment Details:
This assessment also includes an invigilated quiz that will assess your ability to understand theoretical
materials and your knowledge of key content areas. The quiz will be either multiple choice questions
or short questions that are relevant to the lectures of lecture materials. For successful completion of
the quiz, you are required to study the material provided (lecture slides, tutorials, and reading
materials) and engage in the unit’s activities. The prescribed textbook is the main reference along with
the recommended reading materials.
Marking information: The assessment will be marked out of 100 and will be weighted 30%.
Assessment 3: Laboratory Practicum
Due date: Weekly (week-1 to week-10)
Group/individual: Individual
Word count / Time provided: 2500
Weighting: 10%
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4
Assessment Details:
Practical exercises assess students’ ability to apply theoretical learning to practical, real-world
situations every week. The practical exercises will improve student’s ability to practice information
security using Linux/Kali Linux platform such as phishing attacks, encryption and steganography and
other functions.
Students will be required to complete the practical exercises during the workshop and therefore,
attendance is required as part of this assessment. Students will not be assessed on work that is not
produced in workshop so that attendance is required as part of this assessment. Students are required
to submit the work that they have completed during the workshop session only. The details of the lab
work and requirements are provided on the online learning system.
Marking information: The assessment will be marked out of 100 and will be weighted 10%.
Assessment 4: Applied Project
Due date: Week 12
Group/individual: Group
Word count / Time provided: 2500
Weighting: 30%
Unit Learning Outcomes: ULO-1, ULO-2, ULO-3, ULO-4
Assessment Details:
This assessment is designed to assess your technical skills in applying information security tools. In this
assignment, you are required to study and apply steganography techniques to embedded data within
a file. In addition, you must understand Linux file systems and apply access control technologies. The
assessment is also assessing your skills to analyse information security principles against security
techniques including steganography and access control. In completing this assessment successfully,
you will be able to investigate IS security, and risk threats and propose suitable security controls, which
will help in achieving ULO-1, ULO-2, ULO-3, and ULO-4.
Task Specifications
This assessment includes three tasks as follows:
Task-1:
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. Use Steghide tools available in Kali Linux/Linux to hide a text file that includes your group student's IDs on an audio file. You have first to create an audio file with no more than 30 seconds to record your group student's IDs only. Then, you must generate a text file with group information, including the first and last names of each student in your group. Finally, use Steghide tools (with security as the passphrase) to embed your text file within the resulting audio file.
In your report, you must include screenshots demonstrating the steps with the commands you followed during the installation of Steghide, the method used to hide group information text files into an audio file, and the steps used to extract the text file from the audio file to verify your work.
Task-2:
Access control is granting or denying approval to use specific resources. Technical access control consists of technology restrictions that limit users on computers from accessing data.
In this task, you are required to work in a group to understand Access Control List (ACL), special permissions, and file system security using a Linux environment. You need to complete the following tasks using Kali Linux or any Linux OS:
1. Fill the following table with the information related to all members of your group:
Sn. No
APIC Student ID First Name Last Name
1 {Student-ID1} {FirstName-1} {LastName-1}
2
3
Table 1: Group information
2. Create main directory named BIS3004 and set it permission to full access, fill the following table:
Task Command/s
Create directory named: BIS3004
Set full access to BIS3004 directory
Set the sticky bit for BIS3004 directory
Table 2: Create Directories APIC
3. Create sub-directories within BIS3004 directory according to Table 3:
Task Command/s
- Create directory {FirstName-1}
- Set read and write access permission only
- Create directory {FirstName-2}
- Set read access permission only
- Create directory {FirstName-3}
- Set read and execute access permission only
Table 3: Create Student ID directories
Please note, {FirstName-x} is the first name of the APIC student according to Table-1.
4. Create users, with names according to the group member student IDs for of your group as shown in Table-4
Task Command/s
- Create user {Student-ID1}
- Write Access Control Lists (ACLs) to enable:
1. full permission to {FirstName-1}
2. read and write permission to {FirstName-2} and
3. read permission only to other directories.
4. Set-user Identification (SUID) for Student-ID1
Access Control Lists
- Create user {Student-ID2}
- Write Access Control Lists (ACLs) to enable:
1. full permission to {FirstName-2}
2. read and execute permission to {FirstName-1}
3. read permission only to other directories.
Table 4: Create users
4. Create two groups and fill Table-5:
Task Command/s
- Create group {LastName-1}
- Add {Student-ID1} and {Student-ID2} users to {LastName-1} group
- Write ACL that {LastName-1} group users will get full access to {FirstName-1} directory and read access to {FirstName-2} directory.
- Set-group Identification (SGID) for group LastName-1
- Create group {LastName2}
- Add ‘{Student-ID2} and {Student-ID3} to {LastName-2} group
- Write ACL that {LastName-2} group users will get full access to {FirstName-2} directory and write and execute access to {FirstName-1} directory.
Table 5: Create groups
Use the commands available in Linux or Kali Linux to complete the above tables. In your report, you need to provide a screenshot to demonstrate the steps you followed during the process of conducting the assignment tasks and requirements according to your group details provided in Table-1 (student ID, first name and last name).
Task-3:
a) Discuss with a clear demonstration how the steganography and access control approach you implemented in Task-1 and Task-2 may accomplish Confidentiality, Integrity, and Availability (CIA). In your discussion, you must present justifications.
b) In addition to user, group, and other, the special permissions (SUID, SGID, and Sticky bit) you have defined in Task1 and Task2 constitute a fourth access level. Discuss how these additional permissions operate and their purpose. In your discussion, you must give justifications.
Task 4:
In this task, you are required to propose a new customised information security framework for the Case Study you selected in Assessment 1. The new framework must be based on well-known national and/or international standards, e.g., NIST. Your proposed framework needs to address the risks you identified and discussed in Assignment 1.
Submission
1. You need to submit a report in Word format file including your answers for Task-1,
Task-2, Task-3, and Task-4 with the required screenshots for Task-1 and Task-2. You need to include a cover page that includes the group's student ID and full name.
2. You have also to submit the created audio file that embedded your group information text file for Task-1 (make sure to use security as a passphrase)
The two files must be submitted separately, not in a single compressed file.
Marking Information: The applied project will be marked out of 100 and will be weighted 30% of
the total unit mark.
Marking Criteria
Not satisfactory
(0-49%) of the criterion mark)
Satisfactory
(50-64%) of the criterion mark
Good
(65-74%) of the criterion mark
Very Good
(75-84%) of the criterion mark
Excellent
(85-100%) of the criterion mark
Audio file embedded text file
(10 mark)
Lack of evidence of using the Steghide for Steganography with no audio file submission
The audio file does not include the embedded test file
The audio file includes a text file but with irrelevant information to a student group.
The audio file includes a text file but doesn’t include all the group information.
The audio file correctly includes group details.
Steganography steps and
Screenshot (10 mark)
Lack of evidence of understanding of the process of Steganography with no screenshot
The screenshot is provided with not complete or not using Steghide.
The screenshot is provided using Steghide with settings errors
The screenshot is provided using Steghide with some incorrect settings.
The screenshot is provided using Steghide with correct result.
Directory creation (10 mark)
Lack of evidence of understanding the Linux commands for directory creation and access.
A very brief demonstration of using Linux commands for directory creation and access.
Evidence of good understanding and demonstration of using Linux commands
Very clear understanding and demonstration of using Linux commands
Excellent understanding and demonstration of using Linux commands
for directory creation and access.
for directory creation and access.
for directory creation and access.
Users creation (15 mark)
Lack of evidence of understanding of the process of users creation and required permission
Very brief demonstration of using Linux commands for users creation and required permission
Evidence of good understanding and demonstration of using Linux commands for users creation and required permission
Very clear understanding and demonstration of using Linux commands for users creation and required permission
Excellent understanding and demonstration of using Linux commands for users and required permission
Group creation (15 mark)
Lack of evidence of understanding of the process of group creation and required permission
A very brief demonstration of using Linux commands for group creation and required permission
Evidence of good understanding and demonstration of using Linux commands for group creation and required permission
Very clear understanding and demonstration of using Linux commands for group creation and required permission
Excellent understanding and demonstration of using Linux commands for group creation and required permission
Achieving CIA in Steganography
(15 marks)
Poor discussion with irrelevant information.
A brief discussion about achieving CIA in Steganography with limited demonstration and justification.
Generally good discussion about achieving CIA in Steganography with good demonstration and justification.
Very clear discussion of achieving CIA in Steganography with clear demonstration and justification.
A very detailed and very clear discussion of achieving CIA in Steganography with very good demonstration and justification.
Achieving CIA in access control list
with special permissions (15 marks)
Poor discussion with irrelevant information.
A brief discussion about achieving CIA in access control list with limited demonstration and justification.
Generally good discussion about achieving CIA in an access control list with good demonstration and justification.
Very clear discussion of achieving CIA in an access control list with clear demonstration and justification.
A very detailed and very clear discussion of achieving CIA in an access control list with very good demonstration and justification.
Customised information
security framework (10 marks)
The framework is not aligned with industry standards and organisational objectives due to the absence of well-defined objectives and scope.
The framework outlines objectives and scope but lacks some clarity or alignment with organizational goals and industry
standards.
The framework defines clear objectives and scope, mostly aligning with organizational goals and industry standards, but lacks some clarity about well-known national and/or international standards, such as NIST.
The framework clearly defines comprehensive objectives and scope, perfectly aligned with organizational goals and industry standards, but it is not fully based on well- known national and/or international standards, such as NIST.
The framework is based on well-known national and/or international standards, such as NIST. The framework clearly defines comprehensive objectives and scope, perfectly aligned with organizational goals and industry standards.