ACCA7033 Ethical Hacking L7 Assessment Specification 2025

Task Description

Use of Generative AI in Assessment
(The lecturer to indicate Yes or No against each element)

Introduction

An Ethical Hacker is a person who performs most of the same activities as a hacker but with the owner of the company’s permission. The distinction is important and can mean the difference between being charged with a crime or not being charged. Ethical Hackers are usually contracted to perform vulnerability assessment, penetration or security tests. However, some organizations may also hire dedicated security testers as a part of their Red Team.

To this effect, this assignment is based on research into cyber security attacks, vulnerability assessments and Penetration testing for a virtualised simulated company website. It is designed to meet the requirements of the ACCA7033 indicative content and learning outcome as prescribed in the student’s handbook.

Any assumptions made should be documented

Overview

You will be required to submit your written documentation/report. A Moodle link will be created to upload additional files such as design approach, implementations if or any other additional work done.

Each task is weighted 50% (task 1 = 50% + task 2 = 50%). Total marks =100% (task 1 + task 2)

Tasks:

1. Research any three latest cyber security attacks that took place on businesses/organisations/industries/institutions. Critically analyse them with the aid of your diagrams or models and peer-reviewed articles. Explained how these could have been prevented; in other words, what countermeasures, if any, could have prevented these attacks. What would you recommend to these businesses/organisations/industries/institutions to prevent such attacks in the future?

2. Based on your research in task 1, along with class contents and lab exercises conducted, use the following scenario to complete task 2.

• Cureton Pharmaceutical Company (CPC) is working ferociously to come up with new cures for the latest respiratory viruses. The company is very close in coming up with various vaccines and wants to ensure that their systems are not compromised or hacked into.
• CPC formed an internal Red Team as an extended arm of its existing Cybersecurity Division to test the effectiveness of their systems and infrastructure’s security controls.

Requirments

Assume that you are employed with CPC and is assigned as the Red Team Specialist to conduct a multi-layered, full scope cyberattack simulation on CPC’s systems and infrastructure. Your goal is to implement a virtualized replica of the production environment
 
and actively analyse for design weaknesses, technical flaws, and vulnerabilities! Your tasks involve the following:

1. Design (using block or flow diagram and then set up a replica of CPC’s critical server infrastructure using appropriate tools and software.
2. Point out potential threats and attack vectors identified, document the most critical vulnerabilities and how they can be exploited.
3. Use but not limited to these, MITRE ATT&CK and OWASP Top 10 Frameworks as your point of guide/reference for the types of attacks you want to mount. You can research and find as many more attack types as you like and feel free to use them in your attack simulation.
4. Write a comprehensive technical report of your attack simulation results for the virtualized environment.

• Evidence of research conducted using the appropriate referencing format should aid in your analysis discussion of the report.

The report of your findings should have the following format:

1. Front cover
2. Table of Content
3. Introduction
4. List of figures and tables.
5. List of Acronyms.
6. Detailed contingency policy to be put in place before you begin Pentest.
7. Choice of Penetration testing framework. Check for example of Pentest framework here: (http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
8. Choice of Penetration testing tools. Check for examples of Pentest tools here: (http://www.softwaretestinghelp.com/penetration-testing-tools/)
9. Explain the types of attacks you simulated with diagrams. This should include the following:

• List of vulnerabilities that you targeted
• Attack tools used
• Protocols involved in the attack
• How the attack was launched
• Why you recorded success or failure

10. Recommended solutions for the threats you discovered on the environment. This should include:

• The configuration changes that could be made to the systems
• New software and hardware that might be bought
• Defence strategy to avoid this type of attack succeeding in the future

11. Cost of Solution. This should include the following:

• Cost of replacing software or Hardware (if required)
• Cost of implementing the fix, including your hourly rate

12. Timetable for execution of solution and an invoice for your professional service.

Guidance

NOTE: The guidance offered below is linked to the five generic assessment criteria overleaf.

1. Engagement with Literature Skills

Your work must be informed and supported by scholarly material that is relevant to and focused on the task(s) set; you should make use of scholarly reviews and primary sources, as appropriate (for example, refereed research articles and/or original materials appropriate to the discipline). You should provide evidence that you have accessed a wide range of sources, which may be academic, governmental and industrial; these sources may include academic journal articles, textbooks, current news articles, organisational documents, and websites. You should consider the credibility of your sources; academic journals are normally highly credible sources, while websites require careful consideration/selection and should be used sparingly. Any sources you use should be current and up-to-date, mostly published within the last five years or so, though seminal/important works in the field may be older. You must provide evidence of your research/own reading throughout your work, using a suitable referencing system correctly, including in-text citations in the main body of your work and a reference list at the end of your work.

Guidance specific to this assessment: Your work must focus on a variety of scanning and defence technologies available for you to choose for the given scenario. Your work must include articles published by peer-reviewed journals, conference proceedings, books, and related websites (e.g. IEEE, ACM, Science direct). Information from websites such as eHow, wiki, forums, etc., will not be accepted.

Marks will be awarded for:

• Diversity of sources and materials used
• Key concepts discussed
• Appropriate summaries of articles and level of critical appraisal of literature
• Application of appropriate referencing conventions

2. Knowledge and Understanding Skills

At level 7, you should be able to demonstrate a systematic understanding of knowledge, and a critical awareness of current problems and/or new insights, much of which is at, or informed by, the forefront of your academic discipline, field of study or area of professional practice, with a comprehensive understanding of techniques applicable to your own research or advanced scholarship. Your work must demonstrate your growing mastery of these concepts, principles, current challenges, innovation and insights associated with the subject area. Knowledge relates to the facts, information and skills you have acquired through your learning. You demonstrate your understanding by interpreting the meaning of the facts and information (knowledge). This means that you need to select and include in your work the contemporary concepts, techniques, models, theories, etc., appropriate to the task(s) set. You should be able to explain the theories, concepts, etc. meaningfully to show your understanding. Your mark/grade will also depend upon the extent to which you demonstrate your knowledge and understanding; ideally each should be complete and detailed, with comprehensive coverage.

Guidance specific to this assessment: Your work must demonstrate understanding of concepts and underlying principles. You should explain and analyse the chosen area in a meaningful way.

This will be assessed by

• Depth of the research
• Strength of the statements
• Structure of the paper
• Quality of the report

 3. Cognitive and Intellectual Skills

You should be able to evaluate critically current research and advanced scholarship in the discipline; evaluate methodologies and develop critiques of them and, where appropriate, to propose new hypotheses; deal with complex issues both systematically and creatively to make sound judgements in the absence of complete data. Your work must contain evidence of logical, analytical thinking, evaluation and synthesis. For example, to examine and break information down into parts, make inferences, compile, compare and contrast information. This means not just describing what! But also justifying: Why? How? When? Who? Where? At what cost? At all times, you must justify your arguments and judgments. Evidence that you have reflected upon the ideas of experts within the subject area is crucial to you providing a reasoned and informed debate within your work. Your choice of methodologies to gather data and information must be rigorously defended. Furthermore, you should provide evidence that you can make sound judgements and convincing arguments using data and concepts. Sound, valid, and persuasive conclusions are necessary and must be derived from the content of your work. Where relevant, alternative solutions and recommendations may be proposed.

Guidance specific to this assessment: Your work must demonstrate critical analysis and evaluation of different types of attacks that could be mounted on the website/design through the Internet service. Critical analysis and evaluation of the investigation and reporting documentation. Your work must also justify your research findings and provide evidence.

This will be assessed by the quality of your comments, conclusions and recommendation throughout the report:

The configuration changes that could be made to the webserver(s) or site(s)
New software and hardware that might be procured (existing infrastructure or new implementation)
Defence strategy to avoid attack in the future if your attack was successful.
Cost of solutions:

• Cost of replacing software or Hardware if required to
• Cost of implementing the fix based on your staff's hourly rates
• Cost for consultancy of the security measure for the implementing the fix

Timetable for the execution of solutions
Specify fees paid for professional services (invoice)
Analysis of the findings

4. Practical Skills

At level 7, you should be able to demonstrate originality in the application of knowledge, together with a practical understanding of how established techniques of research and enquiry are used to create and interpret knowledge in the discipline. This includes acting autonomously in planning and implementing tasks at a professional or equivalent level, originality in tackling and solving problems, and decision-making in complex and unpredictable contexts or situations.

You should be able to demonstrate mastery of the leading edge subject-related concepts and ideas as they relate to real world situations and/or particular contexts. How do they work in practice? You will deploy models, methods, techniques, and/or theories, in those contexts or circumstances, to assess current situations, perhaps to formulate plans or plausible, justifiable recommendations to solve problems, or to propose new models, or to create artefacts, which may be innovative and creative, thereby demonstrating your understanding of how the boundaries of knowledge are advanced through research and/or application. This is likely to involve, for instance, the use of real world artefacts, examples and cases, the application of a model within an organisation and/or benchmarking one theory or organisation against others.

Guidance specific to this assessment: You will use cybersecurity/ethical hacking tools used in the lab exercises or any equivalent tools to conduct analysis and investigate the best possible permutations of solutions.

You may want to design a working diagram if possible, in Packet Tracer, GNS3 and/or suitable simulation software and upload to the Moodle link that will be created.
 
The best way forward is to understand the problem. This means you have to do proper research on different types of penetration testing that could bring down your simulated website/design. Analyse the websites, you will have to decide for yourself which attack is appropriate to take down the servers/sites and justify your selection. For example, if there is a faulty implementation or HTML code that does not properly protect the severs/sites. Are these companies protected by a Firewall or IDS? Similarly, when you do your Black Box analysis, you may choose to start from the HTML code and configuration.

This will be assessed by finding the nature of the attack with diagrams. This should include the following:

• Nature of penetration testing.
• Application used and protocols involved
• Tools used
• How the attack was launched.
• Restricted access to the necessary site(s)

5. Transferable Skills for Life and Professional Practice

Your work must provide evidence of the qualities and transferable skills necessary for postgraduate-level employment in circumstances requiring sound judgment, personal responsibility and initiative in complex and unpredictable professional environments. This includes demonstrating: the independent learning ability for continuing professional development to advance existing skills and acquire new competences of a professional nature that will enable you to assume significant responsibility within organisations; that you can initiate and complete tasks, projects and procedures, whether individually and/or collaboratively, to a professional level; that you can use appropriate media to effectively communicate information, arguments and analysis in a variety of forms for a variety of audiences; fluency of expression; clarity and effectiveness in presentation and organisation. Work should be coherent and well-structured in presentation and organisation.

Guidance specific to this assessment: You must submit a report which should be approximately 5,000 words in length. The report should be presented academically and, therefore must include an abstract, an introduction, a conclusion and a list of references. The report must be submitted via Turnitin, and practical implementation must be uploaded to the Moodle link that will be created.

This will be assessed based on the written and presentational quality of your report:

• Flow
• Professionalism
• Comprehension (grammar and spelling)
• Completeness and presentation of report

Module Learning Outcomes

• Provide a systematic understanding of a wide range of current research and technological advances in cyber security incidents;
• Perform information security assessments, investigate, analyse, and support cyber security activities of an organisation with effective usage of security tools and methodologies.