UNIVERSITYOF HERTFORDSHIRE

School of Physics, Engineering and Computer Science

COURSEWORK ASSIGNMENT

Module Title: Computer Systems Security Module Code: 6WCM0031-32/0509

Assignment Title: Assignment 2 – Scoping and

Individual Assignment - Yes
Planning A System Security Test

Tutor: Seyedali Pourmoafi Internal Moderator: Stilianos Vidalis

Student ID Number ONLY: Year Code:

Marks Awarded %: Marks Awarded after Lateness Penalty applied %:

Penalties for Late Submissions

 Late submission of any item of coursework for each day or part thereof (or for hard copy submission
only, working day or part thereof) for up to five days after the published deadline, coursework relating
to modules at Levels 0, 4, 5, 6 submitted late (including deferred coursework, but with the exception
of referred coursework), will have the numeric grade reduced by 10 grade points until or unless the
numeric grade reaches or is 40. Where the numeric grade awarded for the assessment is less than
40, no lateness penalty will be applied.
 Late submission of referred coursework will automatically be awarded a grade of zero (0).
 Coursework (including deferred coursework) submitted later than five days (five working days in the
case of hard copy submission) after the published deadline will be awarded a grade of zero (0).
 Where genuine serious adverse circumstances apply, you may apply for an extension to the hand-in
date, provided the extension is requested a reasonable period in advance of the deadline.

Please refer to your student handbook for details about the grading schemes used by the School when
assessing your work. Guidance on assessment will also be given in the Module Guide.

Guidance on avoiding academic assessment offences such as plagiarism and collusion is given at this
URL: http://www.studynet.herts.ac.uk/ptl/common/LIS.nsf/lis/citing_menu

ASSIGNMENT BRIEF

Page 1 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science

Students, you should delete this section before submitting your work.

This Assignment assesses the following module Learning Outcomes (Take these from the module
DMD):
Knowledge and understanding of:
3. computer systems risks, vulnerabilities, threats analysis, and software security,

Skills and Attributes:

Students will develop the ability to:
1. apply particular computer security techniques to analysis and testing
2. analyse and solve problems in secure systems design and implementation
3. achieve familiarity with methods of secure systems development and to exercise critical evaluation
of information accessed from a wide variety of sources

Assignment Brief:
This is an individual assessment, which carries 30% of the overall module mark. The task will assess your
understanding of the process of penetration testing as a method of systems security evaluation, and in
particular you will focus on the preparation phase, where the pen testing scope is discussed and
evaluated, a standard operating procedure (SOP) is devised and agreed with the client, and an Attack
Tree is prepared and shared with the pen testing team, in order for them to follow it, when decisions need
to be made during the test.
All academic reports that you write as part of your coursework assessments are in fact technical reports,
and as such the following report structure is expected:
1. A professional title page.
2. A Contents page with page numbers, and also numbers for each section or subsection
3. A professional layout of the whole report, with numbered sections and subsections headings,
and indentation for subsections as well
4. An Introduction (which obviously will be numbered as 1.0), where you will introduce the topics
of penetration testing types, methodologies involved, and then you introduce the report itself.
5. Main Body, where you will develop your arguments, by critically discussing and analysing the
topics you introduced in the introduction. You will draw conclusions as you analyse.
5.1 Pen Testing Methodology Selection
5.2 Develop a Standard Operating Procedure
5.3 Develop a Decision-Making Tree (or Attack Tree)
6. Conclusions section, where you summarise the conclusions previously drawn, evaluate those
conclusions, and make recommendations, or draw lessons for the future
7. References, aim for an average of 12-15 references for the report.
8. Appendixes

You are expected to demonstrate an insight into the implications of the problem introduced in the task by
using clear and concise arguments. The reports should be well written (and word-processed), showing
good skills in creativity and design. Sentences should be of an appropriate length and the writing style
should be academic and informative.

During the teaching weeks you will have the opportunity to ask specific questions about the assignment in
class – in person during the practical session, or online during the tutorial session. The module team will
provide general (not individualised) feedback based on your questions, and will advise regarding your
progress (if it is deemed necessary). The deadline for Assignment 2 is 26.07.2024.

The Assignment Task – Developing a Standard Operating Procedure and Decision Tree
for a System Security Test (Penetration Testing)
It is expected that the report for this task will be no less than 1250-1300 words. Through a critical analysis,

Page 2 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science

you are required to select a suitable penetration testing methodology, which you will use for designing and
developing your Standard Operating Procedure (SOP), including a decision-making tree (please put this in
an appendix). The SOP will developed based on the following phases of pen testing: intelligence
gathering, target profiling, vulnerability identification, target exploitation and post exploitation. An SOP is
defined as a set of step-by-step instructions compiled by an organisation to help workers carry out routine
operations. The SOP should be appropriate for task 3, which is the penetration test of a single Linux
target, offering several network services.

As stated, the deadline for Assignment 2 is on the 26.11.2023 by electronic submission via
StudyNet. If you fail to do so, you either can submit until one week after the deadline with a
reduced mark, being capped to a maximum of 40%, or you complete a EC (Exceptional
Circumstances) form to require a deferral to the May/June period, or a deferral in the next run of
the module (this is for all assignments and it can be done even at the end of the module period).
You can also apply for a maximum of ten working days extension, by completing a form, and
supplying evidence for the deadline extension request. Please remember that failing one
assignment does not necessary mean failing the module. The overall mark for the module will be
calculated from all three assessments.

Assignment 2, Assessment Weighted mark Mark out of 100%

Criteria
Based on the test type, select a 6 20
suitable Pen Testing
methodology
Critically analyse existing SOP 12 40
examples, and develop an SOP
for your own Pen Test
Critically analyse existing 12 40
Decision-Making Tree examples
and develop an Attack Tree for
your own Pen Test
Total 30 100
Please note that if you fail to design an appropriately structured SOP, you will be penalised, and if you fail
to design an appropriately structured decision-making tree, you will be penalised. Both are very well-
defined notions/structures. Examples will be provided through StudyNet.

Submission Requirements:
You are required to take and submit the coursework via StudyNet before the deadline.
You will submit a report of your practical work that you have done to prepare for your test,
including the specific Standard Operating Procedure (SOP) and the Attack Tree that you have
developed as part of this preparation.
IMPORTANT NOTE! This assignment is NOT an essay on pen testing methodologies, SOPs, and
Decision Trees. It is a report on your practical work to scope and plan a system security test
(penetration test).

This assignment is worth 30% of the overall assessment for this module.
Marks awarded for:
Criteria Fail (< 40) Pass (40 – 49) Good (50 – 59) Very Good (60 – 69) Excellent (>70) A
Assignme Little or no analysis Reasonably clear Clear understanding of The SOP demonstrates Excellent understanding
nt 2 of system testing definitions of ‘the the different phases. a very good and exposition of the
methodologies, with different phases of a SOP offers advice an understanding of the penetration test issues
no explanations of PenTest but appropriate usage of processes, covering all that shows insight and
what type of pen underdeveloped tools. Complete key issues, offering a draws together various
test would be arguments. Basic decision making tree very good techniques and tools. No
conducted. Little or SOP and basic but may contain some understanding of the errors. SOP and decision
no plan with either decision making errors. implications. The making tree can pass
very limited or no tree. decision making tree professional scrutiny.
evidence of SOP or makes very good
Attack Tree plan assumptions and
Lack of originality. presumptions
Page 3 of 4
UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science

note to the Students:

1. For undergraduate modules, a score above 40% represent a pass performance at honours level.
2. For postgraduate modules, a score of 50% or above represents a pass mark.
3. Modules may have several components of assessment and may require a pass in all elements.
For further details, please consult the relevant Module Guide or ask the Module Leader.

Typical (hours) required by the student(s) to complete the assignment: 20 hours

Date Work handed out: Date Work to be handed in: Target Date for the return of
the marked assignment:
w/c 26/06/2024 26/07/2024
30/08/2024

Type of Feedback to be given for this assignment:

Summative feedback will be given for the assignment on StudyNet, on the submission area within four weeks after
you have completed the assignment and have submitted the evidence of assignment completion on
StudyNet.

Page 4 of 4