TNE30009/TNE80009
Project
1. Introduction
You are to select ONE of the topics listed in Section 5 and carry out a risk analysis for the organisation, specify policy to address that risk, and specify how it will be implemented.
This project is to be conducted in groups of 3 students. Smaller or larger groups are acceptable but a higher standard will be expected from larger groups. You must notify the convenor if your group is not three people.
The project report is due at midnight on the Sunday following the end of semester.
TNE80009 STUDENTS ARE TO DO PROJECT 5.1 OR 5.2
TEAMS MAY INCLUDE A MIX OF TNE80009 AND TNE30009 STUDENTS, BUT IF A TEAM DOES THEN IT MUST CHOOSE PROJECT 5.1 OR 5.2.
2. Project requirements
For the option chosen, you are required to:
1. Identify the major security risks the malware or vulnerability poses to the organisation and perform a risk analysis. The number of major risks is to be no more than five. You must use the Delphi method discussed in class to rank the risks.
2. Write security policies that address the risks identified in the risk analysis.
3. Specify how each policy will be implemented. Explain what technologies and procedures will be deployed and how they will be used. Briefly outline the capabilities of the technologies to be implemented.
In preparing this work you will need to make a number of assumptions regarding the organisation. You are welcome to check your assumptions with the convenor. When you prepare your work you will need to document your assumptions.
3. Report
Your work will be submitted as a group project report. Use the format of this document as a guide to the layout of the report. Sections are to be numbered. Diagrams are to be labelled. Any references used are to be listed in a Reference section.
The report is to be no more than 15 pages. Below are the marks allocated to each section. The report will be marked out of 20. Marks will be deducted for a missing cover page and for missing or inadequate referencing. Referencing is to be IEEE or Author-Date.
The report is to have the following sections:
1. Cover page.
This is to include the organisation analysed and the names and student identity numbers of all participants.
2. Executive summary. (1 mark)
No more than one page outlining the contents and summarising the recommendations of the report.
3. Introduction. (2 marks)
No more than one page discussing the security issues faced by the organisation including
any assumptions made.
4. Risk analysis. (5 marks)
Identify and rank the security threats faced by the organisation using the method
discussed in class.
This is to include an identification of the relevant organisation’s assets. Threats faced by
the organisation are to specify what assets are at risk.
5. Security programme. (5 marks)
This is to consist of policy statements that address the threats identified in the previous
section. No more than five of the most urgent threats are to be addressed. Policy
statements are high level statements of security goals.
6. Implementation of security programme. (5 marks)
Specify how each policy will be implemented. Specify what technologies are to be used
and where and how they will be deployed. Outline any manual controls to be adopted.
Outline technologies that are recommended.
This is to be written to sufficient depth that it could be given to technical and
administrative staff to implement.
7. Summary including recommendations. (2 marks)
This will consist of a bullet point list of recommendations.
8. References
Use IEEE or Author-Date.
In the above sections you MUST DOCUMENT ANY ASSUMPTIONS YOU MAKE.
4. Assessment
Assessment will be based on how thoroughly and clearly the risk analysis, the security
programme and the implementation are described.
Marks will be deducted for failing to adhere to the format of the report.
All members of the group will receive the same mark.
5. Project Topics
5.1 Conficker and Similar Malware
TNE80009 students must choose either this or the next option.
Conficker is a computer worm that spreads itself to other computers in a variety of ways. You
need to obtain an understanding of Conficker and similar malware. You are to choose an
organization you are familiar with and do the following:
• Identify the risks that malware similar to Conficker poses to this organization.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
5.2 BGP Vulnerabilities
TNE80009 students must choose either this or the previous option.
BGP is the core Internet routing protocol. BGP is surprisingly fragile. You need to obtain an
understanding of BGP and its vulnerabilities. You are to consider how these vulnerabilities can affect the
operation of a small ISP. To do this you are to do the following:
• Identify the risks that BGP vulnerabilities pose to a small ISP.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
5.3 Stuxnet
The Stuxnet worm was (believed to be) developed to attack a nuclear power station in Iran.
You are to obtain an understanding of Stuxnet and similar malware and do the following:
• Identify the risks that worms similar to Stuxnet pose to similar industrial systems.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
5.4 Athens phone tapping scandal
The mobile phones of over a hundred Greek public figures were illegally tapped from August
2004 to March 2005. This was caused by the illegal placement and use of phone tapping
technology on core telecommunications equipment. You are to explore how this occurred. As
in the previous scenarios you are to do the following:
• Identify the risks that illegal placement of such software poses to the company.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
5.5 Scenario of your own choice
You are free to choose an organisation with which you are familiar and a threat to that
organisation and carry out an analysis for it. You must discuss your proposal with the
convenor before commencing work on it. As before you must:
• Identify the risks that the malware poses to the organisation.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.