Assignment Task
Task
Specification
In this assignment, you will play the role of an independent security consultant engaged by an SME (Small-to-Medium Enterprise) to plan a vulnerability assessment exercise. There are two parts to this exercise – first, a Parameters and Scope document, followed by a Vulnerability Assessment Proposal.
1. A preliminary version of the Parameters and Scope document is due first. You’ll be given feedback on this document, which will give you the opportunity to revise it before the final submission.
2. You’ll then develop the Vulnerability Assessment Proposal based on the revised Parameters and Scope document, and then submit both documents for assessment.
In preparing for this assignment, refer to slide 26 of the week 2 lecture. This slide documents the stages involved in an approach to penetration testing, which is in many ways a superset of vulnerability assessment.
- Stage 1 means you would be learning about the company and the required scope of the assessment – information for this will be determined through your specific Parameters and Scope document
- Stages 2 and 3 cover the vulnerability assessment process itself, which is what you will document in your Vulnerability Assessment Proposal.
Not included in the vulnerability assessment:
- Stages 4 and 5 detail the planning and execution of a penetration attack
- Stage 6 covers the analysis and reporting of the results
- Stage 7 attempts to undo any changes that were made, and generally clean up.
The Parameters and Scope Document
Preparation for a vulnerability assessment, which we could call the discovery process, would normally require you to talk to the business client first to determine as much as you can about them – this must occur well before you start planning the actual vulnerability assessment itself. During discovery, questions to ask would have included:
- what is the size of the business,
- how many offices they have,
- how many staff they have,
- what sorts of customers they serve,
- how geographically distributed they are,
- how many devices (computers, servers, mobile devices, etc.) they have,
- what sort of software and services they run,
- how broad or how focussed they want the assessment to be,
- whether they’ve had assessments or penetration tests done in the past, and so on.
Since the company you are preparing the vulnerability assessment for is not real, real discovery information isn’t available. However, in fictitious exercises like this, a case study is usually supplied (or developed as part of the exercise) to provide as much of this background discovery information as possible.
To make things more interesting, and to provide each student in the class with a slightly different scenario, we will use a pseudo-random process that generates some basic parameters to define some aspects of the SME business client. The SME parameter data generated will be repeatable (but unique) for each student. You will then take that data and expand on it to create a cohesive “backstory” for the business that documents as much as you can, including the business’ systems and infrastructure, what they want assessed, and so on.
To generate your starting parameters:
- log in to the cyber account in an ICT Networks lab, or on LabShare
- open the Macintosh terminal, and enter the command:
./cyber-params username studentid
where:
- username is your (short) UTas username (the same one you use to log in to the LabShare web server, or authenticate on the cyber account in a lab)
- studentid is your UTas student ID number, with leading zeros omitted – for example, if your student number is 002754, you would enter 2754.
This command runs a script that outputs a series of parameters that define some aspects of your SME that you will use in creating the vulnerability assessment proposal. These values are pseudo-random (i.e. no student will get exactly the same data), but you will get the same results every time for your unique combination of username and student ID (so the person marking your assignment can generate the same list of parameters to check that you have stayed within the constraints produced by the command).
An example of the script’s output might be as follows:
You may find some apparent inconsistencies in the output – for example, the organisation may have conducted assessments in the past, but does not have a formal security policy in place. These things can happen in the real world, and you’ll need to consider them in your plan. In addition to what is generated by the script, you are free to invent as much about the SME and their requirements as you need to develop your plan. You must document everything together with any assumptions you have made in the Parameters and Scope document. For example, you should consider:
- inventing the name of the business and what they do (e.g. manufacturing, online services, etc.),
- the number of systems used in the organisation, including servers, desktops and mobile devices, and their roles (development, production, administration, etc),
- the types of operating systems, applications and services that are in use,
- whether the business has a defensive strategy already in place,
- how long the vulnerability tests would last, and so on.
Your own assumptions must be reasonably based on the parameters generated by the cyber-params script. For example, if the parameters for your SME state that it has no intrusion detection system, your assessment proposal should not involve testing it, since there isn’t one. Furthermore, you can’t require that the SME install additional infrastructure not already in place just to make it fit in with your proposal plan.
Remember that the Parameters and Scope document exists so that the marker:
- can provide feedback on your assumptions and parameters before you undertake the larger process of producing the proposal plan itself,
- has a reference to use while marking your vulnerability assessment proposal.
You must include the output of the cyber-params script in your Parameters and Scope document.
- After you have received feedback on your first Parameters and Scope document submission, you’re free to modify the document in any way you want. Only the second submission of this document will be assessed.
- Remember that the Parameters and Scope document doesn’t actually exist within the fictitious world of the business – much of the information it contains would be the discovery information found during an initial meeting with the business. This means you wouldn’t be giving this document to the client, nor would you refer to it directly in the Vulnerability Assessment Proposal.
The Vulnerability Assessment Proposal
The second document you need to deliver is the Vulnerability Assessment Proposal. The SME has asked you, as a security consultant, to develop the assessment proposal, and this document must take the form of a proposal to the SME. This means you are detailing to the client what you would do in a vulnerability assessment – in other words, think of it like a tender document where you are trying to convince the client the work proposed is rigorous, well-planned, and comprehensive, with realistic timelines. Your proposal should consider including all or some of the following:
- proposals and justifications for which parts of the SME should be tested as part of the vulnerability assessment, and which parts will be exempt
- any brief introductory material for the SME explaining what the assessment process involves, particularly if this is the first time that they’ve undertaken this process
- any relevant timeline(s)
- tools that you propose to use
- any risks that the assessment might present
- any “next steps” you might want to highlight should the SME accept your proposal
- any other details that you feel will help the SME determine whether they wish to proceed with the exercise, and what outcomes they might expect
Your assessment proposal does not necessarily need to test all aspects of the SME’s operation. For example, the proposal might focus on selected areas based on whether past assessments have been done, the nature of the business undertaken, the location of servers, the potential impact of any assessments, etc. However, any constraints or assumptions made must be justified in the proposal, explaining why you’ve made specific recommendations. As a brief example, if the proposal specifies you would not be including the business’ web servers in the vulnerability assessment, you will need to detail why they are out of scope.
Links to Learning Outcomes
This assignment links to learning outcomes 1, 2 and 4, which are as follows:
1. explain ethical hacking as it relates to cybersecurity, privacy and the law
2. evaluate cyber threats and risks to computer systems
3. defend against cybersecurity threats by applying appropriate countermeasures