COMP1427 Cyber Security Coursework Guidelines and Tasks | UOG

COMP1427 Cyber Security Coursework

PART A: Network Reconnaissance, Sql Injection Attacks, Packet Sniffing, Risk Assessment, and Lsepi

Background

Company X has recently set up an Artificial Intelligence (AI) website for assessing and providing insights into the security of their resources such as data, communication, connection, and services. The website can be accessed via a Local Area Network (LAN) and a Wireless Area Network (WAN). Only authorised computing devices such as computers and smart phones are allowed to access website via the LAN, which is also used as a test network to ensure that the resources are operating in the right security conditions. The company believes such set up and access control will mitigate the risks of vulnerabilities and attacks targeted at their resources. The company staff are encouraged to use the website at all times and provide feedback on any gaps or enhancements. Additionally, external users are encouraged to submit any vulnerabilities found on the website for a reward, thereby minimising the threat exposure of the company’s resources. 

Please perform the following tasks based on the background. The tasks are linked to the COMP1427 labs (Part A) and material on Cryptography (Part B). 

Task 1A : 

1. Draw a detailed single network diagram showing the LAN and WAN. Please show the data exchange between a computing device and the website.
2. Manually assign an IP address and a MAC address to every component (such as the computing devices) on the network and show secure communications across the network.
3. Assuming that the website is CMS Support and the computing device accessing the website is your Personal Computer (PC), verify the security of connection and services between the website and computing device and then present and explain your results. Please provide some screenshots to support your results. 
4. Using any wide-accepted network packet analyser tool (e.g., Wireshark), explain two threats to the secure usability of the test network and resources and briefly state how these threats could be practically mitigated. Please use screenshots and diagram(s) to support your answers for the threats and mitigations, respectively.

Task 2A :

Cyber-attacks remain a major concern that can cause disruption to the security of the networks and reward scheme, which is designed for the external users. These attacks are capable of causing legal, social, ethical, and professional issues. In this light, you are required to carry out the following: 

1. Using the aforementioned background, design a risk matrix to show five distinct tailored risks associated with the security of the AI website, resources, LAN (or test network), WAN, and external users’ reward scheme. Please present a control for each of the tailored risks. 
2. Using any widely accepted real-world threat modelling tool (e.g., Microsoft Threat Modeling Tool), evaluate the threats any two of your presented risks in Task 2A.I above pose to the company. Use the same tool to show and explain how the threats could be mitigated. 
3. Discuss the Legal, Social, Ethical, and Professional Issues (LSEPI) for the background. 

PART B: Encryption and Hashing Technologies

Company X staff are encouraged to provide feedback on any gaps or enhancements and external users (such as supplier AIdeas) are also encouraged to submit any vulnerabilities found on the website, To ensure confidentiality and integrity of these communications, Company X have decided upon the widespread use of encryption and hashing techniques using the PCI standard and PGP application. However, Company X managers are not experts in these technologies and have approached you, an MSc graduate, to give feedback on some of their questions:

Task 1B RSA :

I. In consideration of Legal, Social, Ethical and Professional Issues (LSEPI) Company X managers have considered the use of public/private key technology (RSA) techniques on all external communications. They have considered a system on the Company X network such that any external user can report a network weakness to Company X Network Admin (CXNA). It is deemed that an external user must
communicate with CXNA such that the external user can send secret messages to CXNA but CXNA cannot send secret messages to the external user. Based on the Cybersecurity lecture notes, which of the following best defines their situation?

1. External user must not send his public key to CXNA, but CXNA must send their public key to External user.
2. CXNA must send their private key to External user and External user must send their public key to CXNA.
3. CXNA must not send their private key to External user and External user must send their public key to CXNA.
4. CXNA must send their private key to External user and External user must send their private key to CXNA.
5. None of the other answers is correct.

Choose one of the above answers and EXPLAIN why the other four answers were not amenable to you.

Task 2B PCI : 

Company X have heard that many companies are applying for PCIDSS accreditation even though they don’t actually deal in card-based financial transactions. Discuss FIVE good reasons (max. three lines each) why such companies might make such a decision. 

Task 3B STEG V CRYPTO :

For mitigation of possible threats, Company X has considered that steganography might be useful. However, managers are not clear about differences between Cryptography and Steganography and have put down some of their differing thoughts for you to enlighten them: 

1. Crypto obfuscates (mixes up) the text of a message so the message cannot be read by unauthorised parties whilst Steg ensures only unauthorised parties can find the message.
2. Steganography hides a message so that unauthorised parties are not aware of the message existence and Crypto ensures a message content can be understood by unauthorised parties.
3. Steg hides the meaning of a message so an unauthorised reader cannot find the message itself whilst Crypto hides the existence of the message itself.
4. Steganography hides the meaning of a message and the fact that a message exists while Crypto obfuscates (mixes up) the text of a message so that it cannot be understood except by unauthorised parties.
5. None of the other answers is correct.

Choose one of the above answers and EXPLAIN why the other answers were not amenable to you.

Task 4B DIGESTS :

Managers are aware that message digests (hashes) may enhance assurance as to integrity fears over stored data. To show their understanding of digests, they have each created a 4 bit message digest of the text AI by converting the text to ASCII and using a salt of Hex C and a rotate of 1 place to the left, they have used the algorithm shown in the Cybersecurity lecture notes, to create a 4bit message digest. However, they have all come up with different answers. 

A. HexD
B. Hex2
C. HexC
D. Hex9
E. None of the other answers is correct.

Choose one of the above answers and show it is correct by working it out in full and showing all your intermediary results in binary and Hex.

Task 5B Passwords: 

Company X managers are concerned that, to maintain true confidentiality, the new network must have a password policy and they have drawn one up which specifies: ‘All passwords must be exactly 8 characters long and be composed of: first 2 characters any of upper case or lower case characters, next 3 characters any of numeric digits but excluding all three digits being the same digit, next three characters being any of the characters £$%^&*! but excluding any three characters all the same character. How many passwords theoretically could be produced from this policy?

Calculate the total number of theoretically possible passwords using above statements. Show all your working at each step. 

Task 6B  Steganography :

Company X are concerned that highly confidential messages need to be sent to AIdeas concerning new AI algorithms. They propose using LSB steganography for hiding sensitive messages in the Company X logo which appears on all electronic documents to business partners. The logo picture is 20 megabytes in size (approximate to 20 million bytes) and each pixel has its colour coded for by 16-bits (two bytes). The data to be hidden is in 8-bit ASCII and there is a sampling factor of 0.2. How many pages of data can be hidden in the logo picture using an LSB steganographic algorithm if there are, on average, 5 characters per word, 20 words per line, and 50 lines per page?
Calculate the above showing all your working at each step. 

Task 7B PGP :

Company X internal staff are encouraged to provide feedback on any gaps or enhancements in security and the PCI standard recommends use of encryption products such as PGP to maintain confidentiality of such sensitive communications. Write a memo (200 words max) to internal staff giving FIVE reasons why, in future, PGP might be a good choice for encryption of this particular application at Company X.