6COM1033 Computer Systems Security Assessment Coursework Semester A | University of Hertfordshire

6COM1033 ASSIGNMENT BRIEF

This Assignment assesses the following module Learning Outcomes (Take these from the module DMD):

Knowledge and understanding of:3. computer systems risks, vulnerabilities, threats analysis, and software security,Skills and Attributes:Students will develop the ability to:

1. apply particular computer security techniques to analysis and testing
2. analyse and solve problems in secure systems design and implementation
3. achieve familiarity with methods of secure systems development and to exercise critical evaluationof information accessed from a wide variety of sources

Assignment Brief:

This is an individual assessment, which carries 50% of the overall module mark. The task will assess your your ability to conduct a full-scale penetration test on a Linux based system. You will follow the plan that you made in Assignment 2, going through the steps of the pen test. Considering that the goal of the pen test is to find security vulnerabilities and to explain to a client how to mitigate them, you will write a detailed technical report of the practical work that you have done. It is important to write notes and take screenshots while you do the practical work.All academic reports that you write as part of your coursework assessments are in fact technical reports, and as such the following report structure is expected:

1. A professional title page
2. A Contents page with page numbers, and also numbers for each section or subsection
3. A professional layout of the whole report, with numbered sections and subsections headings, and indentation for subsections as well
4. An Introduction (which obviously will be numbered as 1.0), where you will introduce the pen test scope and goal.
5. Main Body, where you will report on the actual attack on the system (attack narrative), the vulnerabilities, exploits, and the mitigation measures. You will draw conclusions as you analyse.
6. Conclusions and evaluation section, where you summarise the conclusions previously drawn, evaluate those conclusions, make recommendations, and draw lessons for the future
7. References, aim for an average of 12-15 references for the report, in Harvard format
8. AppendixesYou are expected to demonstrate an insight into the implications of the problem introduced in the task byusing clear and concise arguments.

The reports should be well written (and word-processed), showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be brief but informative. During the teaching weeks you will carry out the practical work in the Cybersecurity labs, or using the pen test rig set up on your own PC or laptop.

The Assignment Task – Penetration Test 

As stated above, the Assignment 3 is weighted at 50% of the overall module mark. It should take you approximately 30 hours to complete. It is expected that the report for this task will be in the region of 1800 - 2200 words, plus the appendices. You are expected to conduct a penetration test against a target system (Linux based) that will be provided to you (the IP address of the target will be provided for every individual student by the 15th of November 2023). You are required to present your findings in a factual manner based on the scenario “to advise and convince decision makers of a large corporation (your imaginary sponsor or client) on the security of their systems”. The target system will be accessible via the infrastructure in the Cybersecurity Lab through the VPN connection. You will also be able to use the computers in the Cybersecurity Lab for this purpose, during your timetabled hours. During the module, youwill also receive instructions on how to setup the same PenTest virtual lab in your home computer or laptop, in order to be able to complete your work remotely, through the VPN connection. Every student willbe provided a dedicated target which will be a clone of the same VM.

Overall Report Conclusion and Reflection

The overall report conclusions offer your reflection on the undertaken activities and the encountered problems carrying 5% of the overall report mark.

The FINAL deadline for Assignment 3 Pen testing report is on the 08.01.2024 by electronic submission viaStudyNet

Please note you are not required to provide an activity narrative (a narrative on your intelligence gathering activities). You are required to provide an attack narrative detailing four found vulnerabilities, from the risks point of view (the target scanning and four vulnerabilities).

During the narrative, you will have to explain your reasoning behind the attack vector (supported by the findings of the scanning phase), the vulnerabilities that you have chosen to report, linking them to the risks and threats they pose to the “client organization”.This will lead you to the next section - vulnerability exploits and mitigation methods for each vulnerability in the attack narrative. This section is your most important one, as it can be seen by the 40 marks associated with it.

Submission Requirements:

You are required to take and submit the coursework via StudyNet before the deadline.

You are expected to unify everything into one report. The final report is an academic report and as such the following report structure is expected:

1. Introduction: up to 250 words, where you will discuss your methodology in approaching the assignment.
2. Attack Narrative of four found vulnerabilities (research is required about the risks associated with each vulnerability)
3. Vulnerability Exploit and Mitigation – detailing four exploits of vulnerabilities that were found and the mitigation methods (research is required here about the vulnerability mitigation methods)
4. Overall Conclusions - up to 250 words, where you will comment on the undertaken activities
5. References: one fused reference list in Harvard format.
6. Appendices You are required to submit the final report via StudyNet in a PDF or Word format, including your student number in the filename. 

This is imperative as the naming template will be used for corroborating what you claim in your reports with the log files your PenTest activities will generate.

This assignment is worth 50% of the overall assessment for this module.

Marks awarded for: