Professional Documents
Culture Documents
CSS_Online_Assignment_2_Briefing Sheet 2023-24_v1-1
CSS_Online_Assignment_2_Briefing Sheet 2023-24_v1-1
CSS_Online_Assignment_2_Briefing Sheet 2023-24_v1-1
COURSEWORK ASSIGNMENT
Please refer to your student handbook for details about the grading schemes used by the School when
assessing your work. Guidance on assessment will also be given in the Module Guide.
Guidance on avoiding academic assessment offences such as plagiarism and collusion is given at this
URL: http://www.studynet.herts.ac.uk/ptl/common/LIS.nsf/lis/citing_menu
ASSIGNMENT BRIEF
Page 1 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
Students, you should delete this section before submitting your work.
This Assignment assesses the following module Learning Outcomes (Take these from the module
DMD):
Knowledge and understanding of:
3. computer systems risks, vulnerabilities, threats analysis, and software security,
Assignment Brief:
This is an individual assessment, which carries 30% of the overall module mark. The task will assess your
understanding of the process of penetration testing as a method of systems security evaluation, and in
particular you will focus on the preparation phase, where the pen testing scope is discussed and
evaluated, a standard operating procedure (SOP) is devised and agreed with the client, and an Attack
Tree is prepared and shared with the pen testing team, in order for them to follow it, when decisions need
to be made during the test.
All academic reports that you write as part of your coursework assessments are in fact technical reports,
and as such the following report structure is expected:
1. A professional title page.
2. A Contents page with page numbers, and also numbers for each section or subsection
3. A professional layout of the whole report, with numbered sections and subsections headings,
and indentation for subsections as well
4. An Introduction (which obviously will be numbered as 1.0), where you will introduce the topics
of penetration testing types, methodologies involved, and then you introduce the report itself.
5. Main Body, where you will develop your arguments, by critically discussing and analysing the
topics you introduced in the introduction. You will draw conclusions as you analyse.
5.1 Pen Testing Methodology Selection
5.2 Develop a Standard Operating Procedure
5.3 Develop a Decision-Making Tree (or Attack Tree)
6. Conclusions section, where you summarise the conclusions previously drawn, evaluate those
conclusions, and make recommendations, or draw lessons for the future
7. References, aim for an average of 12-15 references for the report.
8. Appendixes
You are expected to demonstrate an insight into the implications of the problem introduced in the task by
using clear and concise arguments. The reports should be well written (and word-processed), showing
good skills in creativity and design. Sentences should be of an appropriate length and the writing style
should be academic and informative.
During the teaching weeks you will have the opportunity to ask specific questions about the assignment in
class – in person during the practical session, or online during the tutorial session. The module team will
provide general (not individualised) feedback based on your questions, and will advise regarding your
progress (if it is deemed necessary). The deadline for Assignment 2 is 26.07.2024.
The Assignment Task – Developing a Standard Operating Procedure and Decision Tree
for a System Security Test (Penetration Testing)
It is expected that the report for this task will be no less than 1250-1300 words. Through a critical analysis,
Page 2 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
you are required to select a suitable penetration testing methodology, which you will use for designing and
developing your Standard Operating Procedure (SOP), including a decision-making tree (please put this in
an appendix). The SOP will developed based on the following phases of pen testing: intelligence
gathering, target profiling, vulnerability identification, target exploitation and post exploitation. An SOP is
defined as a set of step-by-step instructions compiled by an organisation to help workers carry out routine
operations. The SOP should be appropriate for task 3, which is the penetration test of a single Linux
target, offering several network services.
As stated, the deadline for Assignment 2 is on the 26.11.2023 by electronic submission via
StudyNet. If you fail to do so, you either can submit until one week after the deadline with a
reduced mark, being capped to a maximum of 40%, or you complete a EC (Exceptional
Circumstances) form to require a deferral to the May/June period, or a deferral in the next run of
the module (this is for all assignments and it can be done even at the end of the module period).
You can also apply for a maximum of ten working days extension, by completing a form, and
supplying evidence for the deadline extension request. Please remember that failing one
assignment does not necessary mean failing the module. The overall mark for the module will be
calculated from all three assessments.
Submission Requirements:
You are required to take and submit the coursework via StudyNet before the deadline.
You will submit a report of your practical work that you have done to prepare for your test,
including the specific Standard Operating Procedure (SOP) and the Attack Tree that you have
developed as part of this preparation.
IMPORTANT NOTE! This assignment is NOT an essay on pen testing methodologies, SOPs, and
Decision Trees. It is a report on your practical work to scope and plan a system security test
(penetration test).
This assignment is worth 30% of the overall assessment for this module.
Marks awarded for:
Criteria Fail (< 40) Pass (40 – 49) Good (50 – 59) Very Good (60 – 69) Excellent (>70) A
Assignme Little or no analysis Reasonably clear Clear understanding of The SOP demonstrates Excellent understanding
nt 2 of system testing definitions of ‘the the different phases. a very good and exposition of the
methodologies, with different phases of a SOP offers advice an understanding of the penetration test issues
no explanations of PenTest but appropriate usage of processes, covering all that shows insight and
what type of pen underdeveloped tools. Complete key issues, offering a draws together various
test would be arguments. Basic decision making tree very good techniques and tools. No
conducted. Little or SOP and basic but may contain some understanding of the errors. SOP and decision
no plan with either decision making errors. implications. The making tree can pass
very limited or no tree. decision making tree professional scrutiny.
evidence of SOP or makes very good
Attack Tree plan assumptions and
Lack of originality. presumptions
Page 3 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
Date Work handed out: Date Work to be handed in: Target Date for the return of
the marked assignment:
w/c 26/06/2024 26/07/2024
30/08/2024
Page 4 of 4