VU23217 8102753 Assessment 02
Unit Code – VU23217 Recognise the need for cyber security in an Organisation
Student ID 8102753
Overview
In this assessment you will have the opportunity to demonstrate your knowledge/skills in the
following areas:
Instructions
Before commencing the assessment, enter your name and student number in the spaces
provided above.
If you are requested to provide screenshots, paste the screenshot/s into the answer box.
Ensure sufficient screenshots are provided to demonstrate that you have performed the
complete task.
Any word-count suggested for written answers is a recommendation only; your answers
should contain sufficient information to demonstrate your understanding of the topic.
All answers must be your own. Plagiarism is not tolerated and will lead to the assessment
being graded as unsatisfactory. You may conduct research before answering, but if you
include information from another source, it should be included in quotation marks and
appropriately referenced.
Resources Required
Suitable PC and access to software that will enable you to edit this document.
Online, library & class resources may be used when preparing your answers for this
assessment.
Documents to Submit
Submit this completed Cyber Security Demonstration Assessment -02 document to the Cyber
Security Demonstration Assessment-02 drop-box on VU Collaborate by the due date/time
shown on the VU Collaborate calendar.
Task 1:
1.1 What is the National Institute of Standards and Technology (NIST) cyber
security framework and what are its functions? How can it assist organisations to
protect themselves from cyber threats? (max 150 words)
Response:
NIST is a set of guidelines that helps an organisation to manage and minimise
cyber security threats.
The NIST framework consists of 5 functions: identify, protect, detect, respond and cover.
1.2 Define/explain each of the following terminologies in your own words: (max
50 words each)
Response:
a. Incident Response policies and processes: the steps that an organization should
follow to handle and manage security incidents to minimise the impact.
c. Threat Vectors: are the paths/routes/methods/tools that are used to attack the
targets.
d. Threat Goals: the purpose of the threat (i.e objectives and desired outcomes of
e. Firewall: either a physical device or software that helps to control and filter
network traffic. It allows users to configure incoming/outgoing network
traffic rules for different scenarios/networks/goals.
h. Cyber Kill chain: A framework developed by Lockheed Martin that outlines the
stages of a cyberattack. It helps to understand and to have a plan to counter the
attack for each stage.
j. IoT Devices - One IoT Example: gadgets that connect together to collect and
exchange data to perform some useful functionality. A humidity sensor is an
example; it reports the room’s humidity in real time.
24/7 server connection: IoT devices need an internet connection to the main
server to report and receive data in order to function. This means that once an
attacker takes control of the device, they can gain access from the inside.
Consider your office where you may have a computer, telephone, smart board, TV
monitor or Multi-Functional Devices (e.g. printer, scanner, fax). You perform daily
activities on your computer such as, reading, writing and sending emails. You also
prepare reports and notes using Microsoft office packages and several other software
applications as required by the workplace.
We can protect the personal device and data from the threats easily by applying
security measures. For example, enforcing a strong password mechanism.
Passwords are widely used to enforce authentication techniques to protect personal
devices and accounts.
Attackers will use many techniques to learn users’ passwords and gain unauthorised
access to a resource or data. To protect and safeguard your personal devices and
information, it is important to understand what makes a strong password and how to
store it securely. You can also protect personal and sensitive data for privacy
purposes by creating password-protected files. In addition, it is also good practice to
know about malware. Malware is sometimes designed to take your personal data, so
it is good to identify, block, and remove them.
2.1 Strong passwords have four main requirements listed in order of importance:
Based on the list above, the first requirement is probably the most important because
you need to be able to remember your password. For example, the password
#4ssFrX^- aartPOknx25_70!xAdk<d! is considered a strong password because it
satisfies the last three requirements, but it is very difficult to remember.
A good way to create strong passwords is to choose four or more random words and
string them together. The password televisionfrogbootschurch is stronger than
J0n@than#81. Notice that while the second password is in compliance with the
policies described above, password cracker programs are very efficient at guessing
that type of password. While many password policy sets will not accept the first
password, televisionfrogbootschurch, it is much stronger than the second. It is
easier for the user to remember (especially if associated with an image), it is very
long, and its random factor makes it hard for password crackers to guess.
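The comparison above can be worked through in code. This is an added example, not part of the original assessment; it assumes the attacker knows which scheme was used, and the wordlist size (7,776) and the sizes in the pattern model are illustrative assumptions.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline; a real generator
# would load a large list (assumed below: 7,776 words, a Diceware-sized list).
SAMPLE_WORDS = ["television", "frog", "boots", "church", "lantern", "river",
                "pencil", "orbit", "saddle", "mango", "timber", "velvet",
                "copper", "harbor", "walnut", "glacier"]
ASSUMED_WORDLIST_SIZE = 7776


def make_passphrase(words, count=4):
    """Join `count` words, each picked uniformly at random with a CSPRNG."""
    return "".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(wordlist_size, count=4):
    """Guessing entropy in bits when every word is an independent uniform pick."""
    return count * math.log2(wordlist_size)


def pattern_bits(base_words, leet_variants, symbols, digit_count):
    """Guessing entropy of a 'word + leet swaps + symbol + digits' pattern.

    A cracker tries the pattern, not every character combination, so the
    search space is the product of the choices made at each step.
    """
    return math.log2(base_words * leet_variants * symbols * 10 ** digit_count)


# Assumed model of a password shaped like J0n@than#81: one of 100,000 common
# names/words, 8 leet-substitution variants, 1 of 32 symbols, 2 digits.
PATTERN_BITS = pattern_bits(100_000, 8, 32, 2)
PASSPHRASE_BITS = passphrase_bits(ASSUMED_WORDLIST_SIZE)

if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS))
    print(f"four random words : {PASSPHRASE_BITS:.1f} bits")
    print(f"name-based pattern: {PATTERN_BITS:.1f} bits")
    # Each extra bit doubles the number of guesses an attacker needs.
    print(f"ratio of guesses  : 2^{PASSPHRASE_BITS - PATTERN_BITS:.1f}")
```

The words must be picked by the generator, not by the user: a phrase the user chooses from memory does not have this entropy.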
Using an online password creation tool, create passwords based on the common
company password policy set described above.
Written Assessment Template v1.1 September 2022
Response:
Step Screenshots
1-2
3-4
This password is OK to use for general services and is somewhat good against
general attackers, since it is hard to guess and has a bit of complexity.
However, for critical services and to prevent incidents caused by high-end
attackers, it is recommended to use MFA together with this password instead.
2.2 Protecting the personal data for privacy access and gaining a good logical access
control.
Perform the following:
1. Open a Microsoft Word document and write something in it. Next, create a
password for that file and save it to your desktop. Please provide screenshots.
2. Place the document in a folder. Share this folder with someone. Then,
change the permissions for the shared user to only be able to see ‘List folder
contents’ and ‘Read’ for this shared folder. Please provide screen captures of
the steps you perform.
3. Open the document and unlock it by entering the correct password. Please
provide screen capture of the steps you performed.
Response:
Screenshot
1 Note: The below steps are done in Ubuntu so there is no Microsoft Word, only
LibreOffice Writer instead
Create a document:
Result:
1. You will see a view on the website similar to the one below:
2. If your computer is secured, it will display a message noting that the file is
blocked or something similar to this. Please take a screen capture of that and
place it here.
3. If a message does not appear, you can consider that the machine needs
attention from a security perspective (e.g. installing or updating your anti-virus
software or Operating System). Take a screen capture of this case and put it
here.
Response:
Unfortunately I’m using Ubuntu, so it won’t block it and it downloads fine (because it cannot
execute a .com file):
Task 3:
Scenario:
WIDGET accounting is a small company located in Belconnen in the ACT. They have
15 employees, including an Office Manager and the Business Owner. Ten of the
employees work onsite at the office, whilst the remaining five work remotely from
home or at a client’s premises. Responsibility for ICT resides with their Office
Manager, who is working their way through a TAFE ICT course in their spare time.
All the staff use laptops with Windows 10 Pro as the SOE. These are
all standard licenses, are patched and do NOT have security software
installed. Staff are free to choose their own passwords for their
individual machines.
The business has recently moved to the Office 365 Business
subscription service for Microsoft Office applications.
Wireless internet access for office staff is provided via ADSL using a
D-Link-2740B wireless router and the Wi-Fi password is publicly
available. Staff are permitted to connect their mobiles, laptops and
other electronic devices through this wireless network. They also can
form an internet-of-things structure by connecting these devices at the
same time for work purposes.
Wired network and internet access is also provided by a recently
installed NETGEAR JGS524 24-Port Gigabit Switch. There are 20
network jacks available, which can be used to connect any physical
computing devices. A couple of jacks are located in the public area of
the office accessible to clients and visitors.
Staff working remotely use either their personal mobile phones as hot
spots or their home internet connections to connect to the internet, and
3.1
Response:
A) Interconnection:
The staff use laptops for work, either through the office's wired/wireless network, or remotely
via the internet.
Data is transferred between these laptops and other devices like NAS, servers and IoT
devices. Passwords and logins are shared among the staff so that data can be directly
accessed and exchanged between laptops.
The office network also connects to the Office 365 cloud network for data transfer.
B) Diagram:
B) Pick one of the above and identify what steps the company could take to protect their
physical infrastructure in the future? Evaluate your steps by explaining how your steps
mitigate the risks?
3 security gaps:
1. Public and network are sharing the same network and password. That means a device
from a guest/visitor/unknown person can connect to the office's devices.
2. Same password for owner’s laptop, Facebook and Twitter. Once the password is lost,
everything is lost.
3. Laptops do not have security software. A disaster will happen sooner or later (if one
laptop is infected by viruses, the rest are infected).
Steps to do:
Mitigation:
With distinct Wi-Fi names and security settings, there is no confusion
between the private and public networks. Different passwords for each network also
mean a compromise of one doesn't automatically mean a compromise of the other.
A VLAN is a virtual barrier, so that if a threat actor gains access to the public network,
they'll find it much harder (if not impossible) to traverse through the private network,
thus protecting sensitive data and devices on this private network.
3.3 Explain why it would be important that WIDGET has a professional cyber security
officer on staff? (max 150 words)
Response:
Hiring a professional cyber security officer will help to protect sensitive data and
make sure the business does not meet any difficulty while running.
A cyber security officer will apply risk management, as well as educate staff on
current issues such as scams/frauds, to help the business run smoothly.
This officer will also be able to prevent, detect or resolve any cyber threat targeting
the business.
In addition, the other staff will not need to worry about incidents that may affect their
work, because there is already a staff member helping them.