Task 1A.edited
docx
keyboard_arrow_up
School
American University of The Middle East *
*We aren’t endorsed by this school
Course
126
Subject
Information Systems
Date
Nov 24, 2024
Type
docx
Pages
27
Uploaded by JusticeGiraffePerson656
1
Task 1A.
I.
The network diagram for the School of CMS Cybersecurity should entail the following
modules:
1.
Internet access.
2.
Website server.
3.
Computing devices. This may comprise university-owned or personal desktops,
laptops, smartphones, and other devices.
4.
Routers.
5.
Switches.
6.
Firewall.
The network diagram will depict the main components needed for the School of CMS
cybersecurity assessment website. An internet connection is illustrated, enabling external access
to the website server from outside the UoG network. For instance, this enables users to reach the
website from any internet-connected gadget. The firewall secures the CMS network by filtering
outgoing and incoming traffic as a security strategy. Moreover, it blocks potentially unauthorized
access trials and malicious activities. The main component is the website server, which hosts the
authentic cybersecurity assessment website. This server stores the software and website data,
making the website accessible to users.
Numerous routers and switches facilitate continuous communication between all devices
on the network. For instance, switches operate at layer 2, using MAC addresses to directly
interlink networked gadgets with a local area network (LAN). Routers work at layer 3, using IP
addresses to route data packets between diverse subnets and networks. Intelligent routing allows
2
efficient data transfer between computer devices, website servers, and internet gateway. The
computing devices comprise numerous university-owned or personal desktops, laptops,
smartphones, and other gadgets. All these devices will connect to the network to access the
cybersecurity website. Standardized protocols enable diverse platforms to communicate.
The network diagram provides the fundamental connectivity and security infrastructure to
allow computing devices across UoG to leverage the CMS cybersecurity assessment website.
The multi-layer modules work in concert to provide secure, performant access to the website for
data security and technology troubleshooting.
MAC: AA-BB-CC-DD-EE-F2
IP: 192.168.1.101
Internet Access
MAC: 11-22-33-44-55-66
IP: 192.168.1.1
Router.
Student’s PC.
MAC: 00-11-22-33-44-55
IP: 192.168.1.2
Institution’s
desktop.
Firewall.
Switch
Switch
Student’s
smartphone.
MAC: AA-BB-CC-DD-EE-F3
IP: 192.168.1.102
Institution’s
Printer.
Switch
Dean's PC
MAC: AA-BB-CC-DD-EE-F7
IP: 192.168.1.104
MAC: AA-BB-CC-DD-EE-F5
IP: 192.168.1.110
MAC: AA-BB-CC-DD-EE-F3
IP: 192.168.1.107
3
II.
Every device should have a unique IP address and MAC address to support secure data
sharing within the CMS network. The following is a table with MAC and IP addresses for every
device.
Device.
MAC ADDRESS.
IP ADDRESS.
Firewall
00-11-22-33-44-55
192.168.1.2
Internet Access
11-22-33-44-55-66
192.168.1.1
Student’s PC
AA-BB-CC-DD-EE-F2
192.168.1.101
Institution’s desktop
AA-BB-CC-DD-EE-F3
192.168.1.102
Student’s smartphone.
AA-BB-CC-DD-EE-F5
192.168.1.110
Dean's PC
AA-BB-CC-DD-EE-F7
192.168.1.104
Institution’s printer.
AA-BB-CC-DD-EE-F9
192.168.1.107
The MAC/IP address assignment helps ensure every device can be quickly and uniquely
identified. In addition, it helps in addressing within the network. Hence ensuring data exchange
and secure communication.
III.
To illustrate secure data sharing, I will trace the path between Device 1 and the Website
Server.
The journey of data starts with the Student's PC (192.168.1.101) initiating a request to
load the cybersecurity website hosted on the Website Server within the University network. The
student's PC packages the request comprising the source and destination IP addresses, enabling
the packets to be routed through the network infrastructure. The packets first reach the firewall,
allowing outbound traffic while restricting threats from external sources. After the firewall, the
router receives the data packets and scrutinizes the destination IP, determining the Website Server
resides on its local 192.168.1.0/24 subnetwork.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
4
The router then forwards the request packets to the Website Server through the LAN
switch. As a result, this eliminates unnecessary hops across network subnets. The Website Server
allows the request, processes it, and then develops response packets to the Student's PC. For
instance, the firewall recognizes this incoming traffic as part of an allowed developed session
and enables passage. The router gets the return packets and sees the destination is for the
Student's PC on its 192.168.1.0/24 subnetwork. It goes through the response via the local switch
to reach the Student's PC.
With bidirectional connectivity achieved, encrypted HTTPS communication now ensues,
providing authenticated and safeguarded transmission of authentic website content between the
Student's PC and the Website Server. The layered model allows numerous modules such as
routers, firewalls, and HTTPS to perform their specialized functions while working together to
facilitate safe, private data sharing through the institutional network.
Some critical considerations for IP address assignment:
IP address assignment is foundational in enabling efficient communication between
networked devices. The 192.168.1.0/24 private address safe can fully accommodate all internal
devices without needing scarce public IPs. Hence simplifying networking needs by avoiding
NAT or public IP requests. Maintaining all gadgets grouped within this /24 subnet also
streamlines routing and access control rules. Hence avoiding complex inter-subnet
communication challenges. The router can route any packet destined to a 192.168.1.0/24 address
directly to the local network.
The logical organization of IP addresses also promotes usability. Assigning the Website
Server the .100 address creates an intuitive landmark identifier. Sequentially, assigning devices
5
IPs such as .102, .102, .104, .107, and .110 creates a structured numbering scheme. Hence, this
allows network operators to map IPs to physical devices quickly. Sequential blocks also support
inventory management when extending the network by depicting available ranges.
Uniqueness is ensured by manual IP assignment and DHCP, which assigns dynamic IPs
from a pre-defined pool. The MAC address hard-coded on a device's NIC card guarantees layer
two uniqueness. With customizable hostnames, devices can maintain distinct identities for
management and security. A well-planned IP addressing scheme allows networks to maximize
performance, operational efficiency, and access control configurations. These best practices
eliminate complex routing requirements, assist usability, and support organizational goals.
IV.
I will first check the website's URL. The URL of the website starts with 'HTTPS' instead
of 'HTTP'. This shows that the website for this institution is secure. For instance, 'S' stands for
'secure,' which means the website uses encryption to secure the user's data. This is evident in the
screenshot below.
6
Looking at the padlock icon in the address bar made me understand the website is secure.
On clicking the icon, I could see more information about the website's security certificate. After I
clicked on the 'Connection is secure' I could see that the certificate was available. This confirms
that the website is secure.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
7
8
After checking the website's security certificate, the security certificate is a document that
confirms the website owner's identity. The security certificate can be checked by clicking on the
padlock icon and then on 'Certificate information .'Confirm on the following screenshot.
After reading the website's privacy policy, I understood the website collects, uses, and
shares my data. For instance, the site has cookies and other data to remember the user. A good
example is when one signs in or personalizes ads. This confirms the security of the website.
9
V.
Two common threats in my home Wi-Fi network include packet sniffing and man-in-the-
middle attack. For instance, software could be installed on the network to inspect and log all
traffic. This could expose critical data to unauthorized individuals or parties. Network traffic
should be encrypted using protocols like TLS to eliminate sniffing attacks. In addition, one can
use VPNs or sniffing detection programs could be used to identify snooping activities. The
screenshot below clearly shows that TLS secures my network, and data security is ensured.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
10
Moreover, malicious actors could position themselves between the two communicating
gadgets and interrupt their data transmission. They could view or interfere with the data
transmitted to the intended recipient. The gadgets could establish an encrypted TLS or SSL
connection, which could secure the data from being altered or read while in transit.
11
The primary mitigations would be to introduce encryption using keys/certificates, limit
physical access to the network, and educate users about threats and best practices for data
security when transmitting on a network. Moreover, one can use tools to analyze network traffic
for abnormalities.
The following are screenshots for the network on the Wireshark.
12
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
13
TASK 2A.
I.
Risk
Likelihoo
d
Impact
Risk Level
Mitigation Strategies.
Data breaches
Medium
High
High
Frequently scan for vulnerabilities and patch software
promptly. Implement a data loss prevention (DLP)
solution to eliminate sensitive data from leaving the
network.
Unauthorized
access to data.
High
High
Extreme
Implement strong access controls, such as multi-factor
authentication. Use encryption to secure sensitive data
at rest and in transit.
Denial-of-
service
(DoS)
attacks
Medium
Medium
Medium
Implement intrusion detection systems (IDS) and
firewalls to detect and block DoS attacks. Use load
balancers to distribute network traffic and prevent
overload.
Data
manipulation
Low
High
Medium
Implement data integrity controls, such as hashing and
digital signature. Frequently audit data to detect
unauthorized transitions.
Malicious
insiders.
Low
High
Medium
Implement strong access controls and background
checks for all employees. Frequently educate workers
concerning cybersecurity risks and best practices.
Interception of
communications
Medium
High
High
Implement virtual private networks (VPNs),
encryption, and secure communication protocols.
Insufficient
authentication
controls
Medium
Medium
Medium
Implement strong password requirements for multi-
factor authentication.
Device malware
Medium
High
High
Install antivirus software and patch devices frequently.
14
infection
The risk of unauthorized access to confidential data is highly likely, given the connected
state of the network, and the effect of such access would be major in terms of compromised
privacy and potential misuse of critical information. Mitigation approaches should aim at
encryption of the sensitive data both when transmitted across the network and at rest on
endpoints using cryptographic standards and strong encryption protocols. Strict access controls
should also be enforced through permissions and compartmentalization of access.
Interception of communications sent across the network has a moderate likelihood due to
the possibility of an attacker infiltrating the internal infrastructure. However, the privacy
implications mean the effect would still be high. Encryption of the network traffic by use of
VPNs, SSL/TLS protocols, or other standards would make intercepted data meaningless to
attackers. Network monitoring can also identify irregular traffic patterns.
Malware infections on endpoints such as mobile devices, laptops, and computers have an
unfortunately joint likelihood of allowing attackers or enabling disruptive activities. Effects can
vary based on infection criticality. Antivirus software, user security awareness training, prompt
patching, and device hardening can eliminate most malware. Quarantining and rebuilding
infected devices may be needed in response.
Inadequate user authentication controls through default or weak passcodes make
unauthorized access easily achievable. The effects can include loss of data control and
availability disruptions. Multi-factor authentication mechanisms and strong password policies
significantly raise the obstacles for attackers. Authentication logging and alerting also facilitate
timely feedback.
15
While denial-of-service attacks are less likely on internal networks, a successful one can
severely obstruct productivity and availability. Monitoring for unusual spikes in traffic can point
out an attack, while intrusion detection and prevention systems can block malicious traffic.
Maintaining redundant infrastructure and efficient backup systems also mitigates the effect.
II.
1.
Risk 1:
Data breaches.
Threat Modelling Tool: Microsoft Threat Modelling Tool (MTMT)
Threat Analysis:
Threat: A malicious actor that obtains access to the network and steals sensitive data,
such as student records or financial records.
Vulnerability: Unpatched vulnerabilities in hardware or software could allow an attacker
to exploit a defect in the system to obtain access to data.
Impact: Data breaches can result in financial losses, legal disabilities, and reputational
destruction.
Mitigation Strategies:
Educate workers about cybersecurity best practices, such as identifying and reporting
phishing attacks.
Install firewalls and intrusion detection systems (IDS) to detect and block unauthorized
access.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
16
Frequently scan for vulnerabilities and patch software on time.
Implement a data loss prevention (DLP) solution to prevent critical data from leaving the
network.
Encrypt critical data at rest and in transit.
2.
Risk 2:
Unauthorized access of data.
Threat Modelling Tool: Microsoft Threat Modelling Tool (MTMT)
Threat Analysis:
Threat: An unauthorized user gains access to critical data, such as financial or student
records.
Vulnerability: Weak access controls, such as inadequate password authentication or
outdated hardware or software, could enable an attacker to exploit a vulnerability in the
system to get access to data.
Effect: Unauthorized access to critical data could result in breaches, reputational damage,
and financial losses.
Mitigation Strategies:
Implement strong access controls like multi-factor authentication (MFA) and role-based
access control (RBAC).
Educate employees about the importance of password hygiene and how to identify and
report suspicious activity.
17
PART B: ENCRYPTION AND HASHING TECHNOLOGIES
Task 1B [5 marks]
According to the options provided, the correct answer is
B. Steg hides the meaning of a
message so an unauthorized reader cannot find the message itself. In contrast, crypto hides
the existence of the message itself.
18
The main differences between steganography are:
Steganography hides the existence of the message itself. For instance, the message is
embedded in something else, such as video, audio, image, etc. Moreover, the message
will not be deleted by an unauthorized party. They cannot even know to try extraction or
decryption of the message.
Cryptography scrambles or transforms the message so an unauthorized individual cannot
understand it. The existence of the message is not exposed, apart from its meaning.
So B correctly states:
Crypto hides the existence of the message itself (the message turns out to be scrambled,
but existence is apparent as scrambled text/data)
Steg hides the meaning of a message so an unauthorized reader cannot get the message
itself (the existence is hidden; they don't know a message exists to try reading)
Other answers were not suitable because:
A.
swaps description of steganography and crypto.
C.
incorrectly states crypto reveals message content to unauthorized parties.
D.
mixes up hides "meaning" vs. "existence" comparisons between crypto and steganography.
Task 2B [5 marks]
Based on the options provided. The correct answer is
B. YTJFD
The following is a more direct and quicker method of acquiring the answer without going
through three different encipherments:
Step 1
. Apply the net shift to the original plaintext.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
19
To encipher the word ‘TODAY’ using a net shift of 11 to the right, we can directly shift
each letter 11 positions to the right in the alphabet.
Plaintext: TODAY
Shift: 11 (right)
Cipher text: YTJFD
Step 2
. Apply the net shift.
Instead of applying the ciphers successively, we can calculate the net shift by adding the
individual shifts together. In this scenario, the net shift is:
5 (right) + 4 (left) + 2 (left) = 11 (right)
Task 3B [5 marks]
The correct answer is
C. Mary must not send her private key to John, and John must send his
public key to Mary.
In an asymmetric cryptography system like Rivest–Shamir–Adleman (RSA):
The private key decrypts the message encrypted by the corresponding public key.
The public key encrypts messages, which can only be decrypted by the private key.
Private keys should be kept secret and only be shared with authorized individuals or
parties. For instance, public keys can be shared freely.
From this incident:
John needs to encrypt critical thesis data that only Mary is to be allowed to read.
Therefore, he requires Mary’s public key to secure the data she can decrypt with her
private key.
20
Mary's response does not require to be encrypted. So, she does not require John's public
key, and he is not required to decrypt any of her messages.
The other answers need fixing. For instance,
A.
Mary should send John her public key,
not refrain from sending it. On the other hand,
B.
Mary should refrain from sharing her private
key, mainly with an untrusted individual or party. Lastly,
D.
Again, private keys should be kept
private.
Therefore, answer
C
. defines the correct asymmetric encryption configuration for their
needs. Mary sends John a public key so he can securely send encrypted thesis materials to her
without requiring access to decrypt her unsecured responses.
Task 4B: [5 marks]
The correct answer is
A. Hex5.
The following is the solution:
Plaintext: Hex 5C:D
Salt: Hex 7
Rotate: 1 place to the left
Algorithm:
1.
Convert the plaintext and salt to binary:
Plaintext: 0101 1100 0101 1101
Salt: 0111 0111
2.
XOR the plaintext and salt:
Result: 1010 1011 0000 0000
3.
Rotate the result one place to the left:
21
Result: 0101 0110 0000 0000
4.
Convert the result to hexadecimal:
Result: Hex 56:0
5.
Take the first 4 bits of the result:
Result: Hex 5
Therefore, the message digest of the plaintext Hex 5C:D using a salt of Hex 7 and a
rotation of 1 place to the left is Hex 5.
Task 5B. [5 marks]
The correct answer is
4.
John would encrypt his message to Mary with his private key
and then encrypt the ciphertext with Mary's public key. Mary would encrypt her
communication to John with her public key and then encrypt this ciphertext with John's
public key.
The main reasons why 4 is the correct answer are:
1.
Encrypting a second time with the recipient’s public key ensures only they can
decrypt it with their private key.
2.
Encrypting with your private key provides non-repudiation. For instance, it proves
you are the sender, as only you have the private key to perform the encryption.
So, for secure communication:
Then encrypt with Mary's public key so only she can decrypt the message
John should encrypt with his private key first to prove he is the sender.
Vice versa for Mary encrypting messages back to John.
The other options have flaws:
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
22
Encrypting first with your public key does not prove you are the sender.
Mary should not have access to John's private key and vice versa.
Private keys should remain private and not be shared.
So, option 4 represents the optimal double encryption system to authenticate the sender
and securely transmit the message.
Task 6B [5 marks]
The correct answer is
A.
Sharon must decrypt the digital signature on the certificate
using the public key of the signing authority specified on Dave's certificate and obtained from
that signing authority's certificate; this will result in the original message digest for Dave's
certificate. Then Sharon must compare this message digest with a digest she calculates for
herself using the certificate contents and the digest algorithm given on Dave's certificate.
The steps Sharon should take to validate Dave's digital certificate are as follows:
Get the public key of the Certificate Authority (CA) that issued and digitally signed
Dave’s certificate. This will be specified on the certificate.
Independently calculate a message digest from Dave’s certificate content using the hash
algorithm mentioned on the certificate.
Use the CA’s public key to decrypt the digital signature attached to Dave’s certificate.
This recovers the original message digest the signature was developed from.
Compare the decrypted digest to the freshly calculated one. If they are similar, then the
certificate is authentic.
The other four options cannot work because:
B
. Sharon's private key is not involved in validating Dave's certificate that she obtains.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
23
C
. Dave's public key only encrypts data for Dave. It does not verify signatures from his
certificate.
D
. The CA’s private key signs the certificate. Sharon does not have access to his.
For instance, A. accurately describes the validation process using CA's public key to
check the signature they attached with their private key.
Task 7B.
The following is a step-by-step work to calculate the total number of passwords that
could be generated from the stated password policy:
1) First 3 characters - upper or lower case letters.
There are 26 letters in the alphabet.
Each of the 3 characters can be any of the 26 letters.
So there are 26 x 26 x 26 = 26^3 = 17,576 possible combinations for the first 3
characters.
2) Next 3 characters - numeric digits.
There are 10 numeric digits (0 to 9).
Each of the 3 digits can be any of the 10.
So there are 10 x 10 x 10 = 10^3 = 1,000 possible combinations.
3) Next 2 characters - special symbols £$%^&*!
There are 7 special symbols listed.
Each character can be any of the 7 symbols.
But they cannot be the same.
So, there are 7 options for the first symbol.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
24
And 6 remaining options for the second symbol.
So 7 x 6 = 42 possible combinations.
4) Total number of possible passwords.
The first 3 characters = 17,576 options.
The next three digits = 1,000 options.
The last two symbols = 42 options.
Total combinations = 17,576 x 1,000 x 42 = 736,192,000
Therefore, with the stated password policy, 736,192,000 possible 8-character passwords
could be produced.
Task 8B [5 marks]
Provided:
Image size: 20 Megapixels (20 million pixels)
Each pixel is coded by 8 bits (1 byte)
Data to hide is ASCII (1 byte per character)
Sampling factor: 0.25
Word size: Average five characters
Line size: Average 10 words
Page size: Average 50 lines
Working:
1) Total bits available in the image:
20 million pixels
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
25
8 bits per pixel
- Total bits = Pixels x Bits per pixel
= 20,000,000 x 8
= 160,000,000 bits
2) Bits used for hiding data (sampling factor):
The sampling factor is 0.25
So bits used = Total bits’ x Sampling factor
= 160,000,000 x 0.25
= 40,000,000 bits
3) Bits per page of hidden data:
Average characters per word = 5
ASCII uses 1 byte (8 bits) per character
So bits per word = 5 x 8 = 40 bits
Words per line = 10
So bits per line = 10 x 40 = 400 bits
Lines per page = 50
So bits per page = 50 x 400 = 20,000 bits
4) Number of pages that can be hidden:
- Total bits available = 40,000,000 (from step 2)
- Bits per page = 20,000 bits (from step 3)
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
26
- Pages that can fit = Total bits / Bits per page
= 40,000,000 / 20,000
= 2,000 pages
Therefore, approximately 2,000 data pages can be hidden using the specified
steganography algorithm with the given image size and data page layout.
Task 9B [10 marks]:
The PCI standard you refer to likely relates to the following encryption requirement:
"PCI DSS Requirement 4 - Encrypt transmission of cardholder data across open, public
networks." This requires organizations handling credit/debit card payments to encrypt any
payment card data transmitted over public networks. Two examples where CMS managers may
need to implement encryption controls for PCI compliance:
1.
E-commerce website - If CMS has a website that allows online card payments for
booking events or purchasing items, all payment form data submissions must be
encrypted in transit between the site and CMS servers. SSL/TLS encryption using high-
security protocols and ciphers would satisfy the PCI requirement.
2.
Point-of-Sale (POS) Systems - If CMS uses POS terminals or integrated systems for face-
to-face card payments, the connection to the payment processor to authorize the
transaction must utilize encryption to secure the card data flow. A validated P2PE (Point-
to-Point Encryption) solution or incorporating strong encryption modules/settings in the
POS software would address PCI DSS encryption obligations.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
27
In summary, securing all system components and card data flows with strong
cryptography and encryption technologies would allow CMS to comply with core PCI data
security standards regarding transmission protection.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help