MSc Couse Info- System Security

Group-Based Case-StudyGroup-Based Case-Study12-702312-7023

Module OperationModule Operation

Group-Based Case StudyGroup-Based Case Study

• Opportunity to try to put into practice Opportunity to try to put into practice some of what you have learned in some of what you have learned in the preceding modules.the preceding modules.

• Networks, System & Applications, Networks, System & Applications, Web Applications, ISO27001, ISMS, Web Applications, ISO27001, ISMS, Risk Assessment etc.Risk Assessment etc.

• Adding some material on security Adding some material on security assessment (e.g. penetration assessment (e.g. penetration testing).testing).

GroupsGroups

• Class will be divided into groups.Class will be divided into groups.• Group constitution determined by the Group constitution determined by the

tutor.tutor.• Each group will comprise 2 teams.Each group will comprise 2 teams.

– System development team.System development team.– System assessment team.System assessment team.

• Team constitution determined by the Team constitution determined by the group.group.

• Each team member responsible for Each team member responsible for delivery of one unit of the team’s work.delivery of one unit of the team’s work.

• Team-member roles determined by the Team-member roles determined by the team.team.

Team-member rolesTeam-member roles

• Does not mean that all the work for that unit has Does not mean that all the work for that unit has to be done by a single team member...to be done by a single team member...

• But that the team-member is responsible for But that the team-member is responsible for seeing that the work is done and for that section seeing that the work is done and for that section of the team report.of the team report.

• If the team is ‘short’ we will invent a ‘ghost’ If the team is ‘short’ we will invent a ‘ghost’ member.member.– Ghost’s work unit done by designated team-members.Ghost’s work unit done by designated team-members.

• You are encouraged to work cooperatively and You are encouraged to work cooperatively and share tasks.share tasks.

• The marking scheme reflects this.The marking scheme reflects this.• Team roles are complementary:Team roles are complementary:

– Controls Controls Evaluation Evaluation

Module OperationModule Operation

• Each group is given a customer Each group is given a customer requirements specification for a client-requirements specification for a client-server system.server system.

• Development teams’ task is to produce a Development teams’ task is to produce a fully-documented design and fully-documented design and implementation from that specification.implementation from that specification.

• Emphasis is on security issues:Emphasis is on security issues:– Confidentiality, Integrity, Availability of the Confidentiality, Integrity, Availability of the

client’s data.client’s data.• Implementation details are left open:Implementation details are left open:

– O/S, software etc – as available in the lab.O/S, software etc – as available in the lab.

Module OperationModule Operation

• Assessment teams’ task is to specify, Assessment teams’ task is to specify, design and implement an appropriate design and implement an appropriate assessment strategy for the client’s assessment strategy for the client’s system.system.

• Again, fully-documented.Again, fully-documented.

• Strategy will be applied to another group’s Strategy will be applied to another group’s system.system.

• Results of the assessment form part of the Results of the assessment form part of the target group mark.target group mark.

DeliverablesDeliverables

• Group report should contain:Group report should contain:

• 1. Risk Assessment.1. Risk Assessment.

• 2. Controls Design.2. Controls Design.

• 3. Controls Implementation.3. Controls Implementation.

• 4. Evaluation Design.4. Evaluation Design.

• 5. Evaluation Implementation.5. Evaluation Implementation.

• 6. Evaluation Analysis.6. Evaluation Analysis.

Assessment & MarkingAssessment & Marking

• Module is assessed on a group, team & individual Module is assessed on a group, team & individual basis:basis:

• Each section is awarded a percentage mark.Each section is awarded a percentage mark.• Individual mark is 50% of section mark.Individual mark is 50% of section mark.• The team mark is an average of the individual The team mark is an average of the individual

team-member marks and each member receives team-member marks and each member receives 30% of the team mark.30% of the team mark.

• The group mark is an average of the individual The group mark is an average of the individual group-members marks and this contributes 20% group-members marks and this contributes 20% to an individual’s final mark.to an individual’s final mark.

• The marking scheme is designed to encourage The marking scheme is designed to encourage cooperation and teamwork as well as rewarding cooperation and teamwork as well as rewarding individual performance.individual performance.

Assessment CriteriaAssessment Criteria

• Groups should ensure that all units are Groups should ensure that all units are completed in a manner that is systematic, completed in a manner that is systematic, thorough, effective and in accordance with thorough, effective and in accordance with relevant standards (e.g. IAM, OSSTMM relevant standards (e.g. IAM, OSSTMM etc).etc).

• Guidance will be provided by the tutor who Guidance will be provided by the tutor who will act as an independent consultant.will act as an independent consultant.

• The tutor will also play the role of The tutor will also play the role of customer as far a functional requirements customer as far a functional requirements are concerned.are concerned.

TimescalesTimescales

• Testing and assessment will be Testing and assessment will be carried out in week 6.carried out in week 6.

• Reports are due in exactly 1 week Reports are due in exactly 1 week after ‘assessment day’.after ‘assessment day’.

Non-PerformanceNon-Performance

• Responsibility of group:Responsibility of group:– Allocation of roles.Allocation of roles.– Schedule of meetings.Schedule of meetings.– Work deadlines etc.Work deadlines etc.

• You are required to set out and document You are required to set out and document a schedule of work at the outset and to a schedule of work at the outset and to insist that members attend meetings and insist that members attend meetings and honour their commitments.honour their commitments.

• Post ALL documentation on Blackboard.Post ALL documentation on Blackboard.

Non-PerformanceNon-Performance

• Defaulting individuals receive ‘yellow Defaulting individuals receive ‘yellow card’card’– From tutor on advice from the group.From tutor on advice from the group.

• 2 yellow cards = exclusion from 2 yellow cards = exclusion from group.group.– Group must re-organise to cover unit.Group must re-organise to cover unit.– Excludee’s work assessed in isolation.Excludee’s work assessed in isolation.– Harder to pass or do well....Harder to pass or do well....

AssumptionsAssumptions

• Nature of the exercise obviates certain Nature of the exercise obviates certain considerations:considerations:

• Physical Security:Physical Security:– Fire, Flood, Earthquake, Volcano, Theft, Fire, Flood, Earthquake, Volcano, Theft,

Terrorism, Vandalism....Terrorism, Vandalism....

• Social Engineering:Social Engineering:– ‘‘rubber hose’, torture, bribery, theft, blackmail rubber hose’, torture, bribery, theft, blackmail

– not allowed.– not allowed.– Persuasion and trickery – allowed (document!)Persuasion and trickery – allowed (document!)

AssumptionsAssumptions

• Denial of ServiceDenial of Service– Should be considered both from the Should be considered both from the

defensive and assessment viewpoints.defensive and assessment viewpoints.– A successful DoS attack during the live A successful DoS attack during the live

audit will be considered a data-audit will be considered a data-availabilty compromise (no DDOS!)availabilty compromise (no DDOS!)

– Once demonstrated is should be Once demonstrated is should be stopped.stopped.

– Don’t assume your users are security-Don’t assume your users are security-aware – provide training!aware – provide training!

AssumptionsAssumptions

• All of the provided hardware in lab may be used but no additional All of the provided hardware in lab may be used but no additional hardware may be brought in.hardware may be brought in.

• Some customer data are for public www consumption but some are Some customer data are for public www consumption but some are extrememely sensitive and must not be disclosed to third parties under extrememely sensitive and must not be disclosed to third parties under any circumstances. An NDA will be assumed to be in operation between any circumstances. An NDA will be assumed to be in operation between customer and group. The integrity of all data is essential.customer and group. The integrity of all data is essential.

• Customer data is required for secure access by the customer via a web Customer data is required for secure access by the customer via a web browser and a secure shared filesystem arrangement of some kind. browser and a secure shared filesystem arrangement of some kind. Access should be available through wired (Ethernet) and wireless (IEEE Access should be available through wired (Ethernet) and wireless (IEEE 802.11) media. The customer requires read and write access to the 802.11) media. The customer requires read and write access to the data.data.

• A facility should be added to the www site for visitors to leave contact A facility should be added to the www site for visitors to leave contact details.details.

• Both client and server systems must be made available to the customer Both client and server systems must be made available to the customer at appropriate times. Accounts and authentication tokens and keys of at appropriate times. Accounts and authentication tokens and keys of whatever kind must be provided via secure and convenient means.whatever kind must be provided via secure and convenient means.

• All normal network services such as DHCP and (internal) DNS should be All normal network services such as DHCP and (internal) DNS should be available. IP address ranges and domain names will be allocated to each available. IP address ranges and domain names will be allocated to each group.group.