VU23217 8102753 Assessment 02

Course Code – 22603VIC Certificate IV in Cyber Security

Unit Code – VU23217 Recognise the need for cyber security in an Organisation

Assessment 02 – 2. Cyber Security Demonstration

Student Name Tuong Thanh Nguyen (Ryan Nguyen)

Student ID 8102753

Overview
In this assessment you will have the opportunity to demonstrate your knowledge/skills in the
following areas:

• Types of organisational threats
• Current types of security vulnerabilities and malware
• Techniques used by attackers
• Trends of cyber threats
• Relationships between networks, machines, users and applications in an enterprise
• Concepts and methods of cyber threats and attacks
• Reasons and methods to protect data and privacy
• Methods and tools to safeguard personal privacy are defined
• Techniques to protect personal devices and data are described and implemented
• Methods for protecting an organisation from cyber-attacks are developed and evaluated
• Problem solving threats and vulnerabilities

Instructions
Before commencing the assessment, enter your name and student number in the spaces
provided above.

This assessment must be completed individually.

This assessment is self-paced but recommended to be completed as detailed in the Unit
Guide.

If you are requested to provide screenshots, paste the screenshot/s into the answer box.
Ensure sufficient screenshots are provided to demonstrate that you have performed the
complete task.

Any word-count suggested for written answers is a recommendation only; your answers
should contain sufficient information to demonstrate your understanding of the topic.

All answers must be your own. Plagiarism is not tolerated and will lead to the assessment
being graded as unsatisfactory. You may conduct research before answering, but if you
include information from another source, it should be included in quotation marks and
appropriately referenced.

Written Assessment Template v1.1 September 2022

[22603VIC] [VU23217] [Assessment Task 02] [V1.0] [Nov] [2022] Page 1 of 15


If your initial response is graded as unsatisfactory, your assessor will provide specific
feedback that can be used to improve your answer. You may re-submit the assessment once
after addressing the assessor’s feedback. Please refer to the Unit Guide for more detailed
information about assessment conditions and resubmission.

Resources Required
• Suitable PC and access to software that will enable you to edit this document.
• Online, library & class resources may be used when preparing your answers for this
assessment.

Documents to Submit
Submit this completed Cyber Security Demonstration Assessment -02 document to the Cyber
Security Demonstration Assessment-02 drop-box on VU Collaborate by the due date/time
shown on the VU Collaborate calendar.

Task 1:
1.1 What is the National Institute of Standards and Technology (NIST) cyber
security framework and what are its functions? How can it assist organisations to
protect themselves from cyber threats? (max 150 words)

Response:

NIST is a set of guidelines that helps an organisation to manage and minimise the
cyber security threats

NIST framework consists of 5 functions: identify, protect, detect, respond and cover

It helps the organisation by having a prioritised/risk-based approach. So that the
organisation is able to understand its limit/strength, before setting their goals on their
cyber security environment. The organisation will also be ready and know what to do
if an incident occurs.

1.2 Define/explain each of the following terminologies in your own words: (max
50 words each)

Response:
a. Incident Response policies and processes: the steps that an organization should
follow to handle and manage security incidents to minimise the impact.

b. Threat Actors: are individuals/groups/organisations that exploit targets’ security
weaknesses to gain profits (most common type is financial profits).

c. Threat Vectors: are the paths/routes/methods/tools that are used to attack the
targets.

d. Threat Goals: the purpose of the threat (i.e. objectives and desired outcomes of
the threat actors).

e. Firewall: is either a physical device or a software that helps to control and filter
network traffic. This allows the users to configure incoming/outgoing network
traffic for different scenarios/networks/goals

f. Gateway: a network point or a physical device that connects 2 different
networks, allowing data going from and to each other

g. Botnets: a network of controlled computers, usually used to initiate DDoS attacks

h. Cyber Kill chain: A framework developed by Lockheed Martin that outlines the
stages of a cyberattack. It helps to understand and to have a plan to counter the
attack for each stage.

i. MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK):
ATT&CK is a framework to provide understanding of attacker actions from start
to finish. By categorising the actions, we can anticipate and counter the threats
effectively. It is like an advanced version of Cyber Kill chain.

j. IoT Devices - One IoT Example: are gadgets that connect together to collect and
exchange data to perform some useful functionality. Humid sensor is an
example, it reports the room’s humidity in real time.

k. Explain two security vulnerabilities in IoT devices:

24/7 server connection: IoT devices need connecting to the internet to the main
server to report and receive data to function. This means once an attacker takes
control of the device, they can gain access from the inside

No update mechanism: once a firmware is found broken/vulnerable, the end
users cannot perform firmware update without advanced knowledge

Task 2:
Scenario:

Consider your office where you may have a computer, telephone, smart board, TV
monitor or Multi-Functional Devices (e.g. printer, scanner, fax). You perform daily
activities on your computer such as, reading, writing and sending emails. You also
prepare reports and notes using Microsoft office packages and several other software
applications as required by the workplace.
We can protect the personal device and data from the threats easily by applying
security measures. For example, enforcing a strong password mechanism.
Passwords are widely used to enforce authentication techniques to protect personal
devices and accounts.
Attackers will use many techniques to learn users’ passwords and gain unauthorised
access to a resource or data. To protect and safeguard your personal devices and
information, it is important to understand what makes a strong password and how to
store it securely. You can also protect personal and sensitive data for privacy
purposes by creating password-protected files. In addition, it is also good practice to
know about malware. Malware is sometimes designed to take your personal data, so
it is good to identify, block, and remove them.

2.1 Strong passwords have four main requirements listed in order of importance:

1. The user can easily remember the password.
2. It is not trivial for any other person to guess a password.
3. It is not trivial for a program to guess or discover a password.
4. Must be complex, containing numbers, symbols and a mix of upper case and
lower case letters.

Based on the list above, the first requirement is probably the most important because
you need to be able to remember your password. For example, the password
#4ssFrX^- aartPOknx25_70!xAdk<d! is considered a strong password because it
satisfies the last three requirements, but it is very difficult to remember.

Many organisations require passwords to contain a combination of numbers,
symbols, and lower and upper case letters. Passwords that conform to that policy are
fine as long as they are easy for the user to remember.
Below is a sample password policy set for a typical organisation:
• The password must be at least 8 characters long
• The password must contain upper- and lower-case letters
• The password must contain a number
• The password must contain a non-alphanumeric character

A good way to create strong passwords is to choose four or more random words and
string them together. The password televisionfrogbootschurch is stronger than
J0n@than#81. Notice that while the second password complies with the
policies described above, password cracker programs are very efficient at guessing
that type of password. Many password policy sets will not accept the first
password, televisionfrogbootschurch, even though it is much stronger than the second: it is
easier for the user to remember (especially if associated with an image), it is very
long and its random factor makes it hard for password crackers to guess.
Using an online password creation tool, create passwords based on the common
company password policy set described above.
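
The gap between policy compliance and guessing resistance described above, as an added example that is not part of the original assessment: it checks both sample passwords against the four-rule policy and estimates the guessing effort for each. The 7776-word list and the sizes used to model the J0n@than#81 pattern are assumptions, and the passphrase figure only holds when the words are chosen at random.

```python
import math
import re

# The four rules of the sample organisational policy quoted above.
POLICY = {
    "at least 8 characters": lambda p: len(p) >= 8,
    "upper- and lower-case letters":
        lambda p: bool(re.search(r"[a-z]", p) and re.search(r"[A-Z]", p)),
    "a number": lambda p: bool(re.search(r"[0-9]", p)),
    "a non-alphanumeric character":
        lambda p: bool(re.search(r"[^A-Za-z0-9]", p)),
}


def policy_failures(password):
    """Return the policy rules that the password does not satisfy."""
    return [rule for rule, ok in POLICY.items() if not ok(password)]


def passphrase_bits(words, wordlist_size=7776):
    """Bits of guessing work for `words` words picked uniformly at random.

    Assumption: a 7776-word list (the size of a Diceware list).
    """
    return words * math.log2(wordlist_size)


def pattern_bits(base_words=10_000, substitutions=8, symbols=32, suffixes=100):
    """Bits for the pattern "name + look-alike substitutions + symbol + 2 digits".

    Assumed model sizes: 10,000 candidate names, 8 substitution variants per
    name, 32 ASCII punctuation characters, 100 two-digit endings.
    """
    return math.log2(base_words * substitutions * symbols * suffixes)


def report():
    """Compare policy compliance with estimated guessing effort."""
    samples = {
        "J0n@than#81": pattern_bits(),
        "televisionfrogbootschurch": passphrase_bits(4),
    }
    return {
        pw: {"policy_failures": policy_failures(pw), "bits": round(bits, 1)}
        for pw, bits in samples.items()
    }


if __name__ == "__main__":
    for pw, result in report().items():
        print(f"{pw:28} {result['bits']:5} bits  fails: {result['policy_failures']}")
```
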

Steps
1. Open a web browser and go to http://passwordsgenerator.net
2. Select the options to conform to password policy set. (provide screen capture)
Generate the password.
3. Write down or provide screen capture of the password generated by the
website and provide your response on the strength of the password. (max 100
words)

Response:

Step Screenshots
1-2

3-4

This password is ok to use for general services and it is somewhat good against
general attackers, since it is hard to guess and has a bit of complexity.
However, for critical services and to prevent incidents caused by high-end
attackers, it is recommended to use MFA together with this password instead.

2.2 Protecting the personal data for privacy access and gaining a good logical access
control.
Perform the following:

1. Open a Microsoft Word document and write something in it. Next, create a
password for that file and save it to your desktop. Please provide screenshots
of the steps you perform.

2. Place the document in a folder. Share this folder with someone. Then,
change the permissions for the shared user to only be able to see ‘List folder
contents’ and ‘Read’ for this shared folder. Please provide screen capture of
the steps you perform.

3. Open the document and unlock it by entering the correct password. Please
provide screen capture of the steps you performed.

Response:

Screenshot
1 Note: The below steps are done in Ubuntu so there is no Microsoft Word, only
LibreOffice Writer instead

Create a document:

Password protect it when saving:

Enter the wanted password:

2 Create folder & upload file

Share & permission set:

3 Reopen the file and enter the password:

Result:

2.3 Follow the below steps to check whether your computer can identify any suspicious
files such as malware. (note that this file will not cause any harm to your computer, it is a
simple trial task).

Download the file called “eicar.com” from https://www.eicar.org/?page_id=3950

1. You will see a view similar to the one below on the website:

2. If your computer is secured, it will display a message noting that the file is
blocked or something similar to this. Please take a screen capture of that and
place it here.
3. If a message does not appear, you can consider that the machine needs
attention from a security perspective (e.g. installing or updating your anti-virus
software or Operating System). Take a screen capture of this case and put it
here.

Response:

Unfortunately I’m using Ubuntu, so it won’t block and it downloads fine (because it cannot
execute .com file):

Yes, my anti-virus software is able to scan and find the file:

Task 3:
Scenario:

WIDGET accounting is a small company located in Belconnen in the ACT. They have
15 employees, including an Office Manager and the Business Owner. Ten of the
employees work onsite at the office, whilst the remaining five work remotely from
home or at a client’s premises. Responsibility for ICT resides with their Office
Manager, who is working their way through a TAFE ICT course in their spare time.

WIDGET’s ICT Infrastructure consists of the following:

• All the staff use laptops with Windows 10 Pro as the SOE. These are
all standard licenses, are patched and do NOT have security software
installed. Staff are free to choose their own passwords for their
individual machines.
• The business has recently moved to the Office 365 Business
subscription service for Microsoft Office applications.
• Wireless internet access for office staff is provided via ADSL using a
D-Link-2740B wireless router and the Wi-Fi password is publicly
available. Staff are permitted to connect their mobiles, laptops and
other electronic devices through this wireless network. They also can
form an internet-of-things structure by connecting these devices at the
same time for work purposes.
• Wired network and internet access is also provided by a recently
installed NETGEAR JGS524 24-Port Gigabit Switch. There are 20
network jacks available, which can be used to connect any physical
computing devices. A couple of jacks are located in the public area of
the office accessible to clients and visitors.
• Staff working remotely use either their personal mobile phones as hot
spots or their home internet connections to connect to the internet, and
they do not have any password policy enforced.
• Sensitive data is stored on laptops, servers and the NAS without using
cryptographic techniques.
• Employees share passwords and logins with each other if they are
having difficulty logging in or they need access to material on other
machines.
• The business does not have a website and instead conducts marketing
campaigns through a Facebook page and a Twitter account. The user
name and password for these services are the same as the Business
Owner’s username and password for his work laptop.
• You are asked as an external security expert to evaluate Widget
Accounting’s current physical security infrastructure.

3.1

A) Define how the components of WIDGET’S infrastructure in relation to data, networks,
machines, users and applications are interconnected with each other.
B) Please draw a simple diagram to demonstrate how the components are interconnected
with each other.

Response:

A) Interconnection:

The staff use laptops for work, either through the office's wired/wireless network, or remotely
via the internet.

Data are transferred between these laptops and other devices like the NAS, servers and IoT
devices. Passwords and logins are shared among the staff so that data can be directly
accessed and exchanged between laptops.

The office network also connects to the Office 365 cloud network for data transfer.

B) Diagram:

3.2
A) Identify 3 security gaps in WIDGET’s infrastructure that make the devices or
components vulnerable.

B) Pick one of the above and identify what steps the company could take to protect their
physical infrastructure in the future? Evaluate your steps by explaining how your steps
mitigate the risks?

Response:

3 security gaps:

1. Public and network are sharing the same network and password. That means a device
from guest/visitor/unknown person can connect to devices of the offices

2. Same password for owner’s laptop, Facebook and Twitter. Once the password is lost,
everything is lost

3. Laptops do not have security software. A disaster will happen sooner or later (if one
laptop is infected by viruses, the rest are infected)

Solution: separate out the public network and private network

Public network: general (or no) password

Private network: password will be shared among staff only.

Steps to do:

1. Create 2 VLANs, one for public, one for private.
2. Each VLAN has different wifi name and connection jacks
3. Tighten the router firewall for network isolation, so that VLAN cannot access each
other.
4. (Optional) set up correct bandwidth for each network

Mitigation:

With distinct Wifi names and security settings, it will ensure that there's no confusion
between the private and public networks. Different passwords for each network also
mean a compromise of one doesn't automatically mean a compromise of the other.

VLAN is the virtual barrier so that if a threat actor gains access to the public network,
they'll find it much harder (if not impossible) to traverse through the private network,
thus protecting sensitive data and devices on this private network.

3.3 Explain why it would be important for WIDGET to have a professional cyber security
officer on staff? (max 150 words)

Response:

Hiring a professional cyber security officer will help to protect sensitive data and
make sure the business does not meet any difficulty during its running.

A cyber security officer will apply risk management, as well as educate staff on
current issues such as scams/frauds, to help the business run smoothly.

This officer will also be able to prevent, detect or resolve any cyber threat targeting
the business.

Sometimes due to the nature of work, having a cyber security officer will affirm the
customers and gain a better image overall for the business.

In addition, the other staff will not need to worry about incidents that may affect their
work, because there is already a staff member helping them.
