ANU data breach: Hackers got inside Australia's top university - Initial Case Scenario
In the latter part of 2018, the Australian National University Canberra (ANUC)
encountered a critical cybersecurity incident involving unauthorised access to
its systems. This breach had far-reaching implications, as the attackers
successfully infiltrated and accessed sensitive data comprising personal details,
academic records, and bank account information belonging to staff, students,
and alumni.
One of the most important parts of assessments 2 and 3 is “discovery”. You will
be researching academic and non-academic material on threats and
universities. For example, you will need to research a great deal of background
material on ANU, as this case study is modelled on the attack on ANU. You are
also asked to put yourself “into the shoes” of a cybersecurity manager
researching threats and mitigation. So “tell the story” of how you gathered the
background information necessary to make judgements about important
threats. You will need to detail this in writing in a few paragraphs for three of
the threats: for the threat model in assessment 2 and for the risk and controls
in assessment 3.
There is no-one who knows everything about security and your skill as a
manager is largely to gather knowledge from online resources.
ANU's reputation was significantly affected, leading to concerns among
students, staff, and alumni about the security of their personal and academic
information. ANU faced regulatory investigations and compliance challenges
due to data protection regulations.
The University is now looking to improve its security generally. As an expert
cybersecurity consultant, you have been called upon to investigate and improve
the security of ANUC. Assume the data leak is the same attack that occurred to
ANU in 2018. You need to research this attack and the details surrounding the
attack.
Your DFD model should include trust boundaries around the student and staff
database. Note that the data of staff is just as sensitive as the data of students.
Include other trust boundaries and other possible threats closely following the
ANU operations. The threat of data leak is of utmost importance for ANUC, but
they are also seeking to tighten overall security. You should investigate ANUC
(and ANU) and try to find other attacks that you think they need to secure
against based on your research. (There is a list of possible attacks below, but
you can choose another if you wish.) The detailed threat discovery in your
report should cover these two threats along with phishing attack threats. You
will “discover” other threats (no less than 10 overall) and you can include these
in your threat list, but they don’t need to be discussed in detail in the text. Each
threat must be mapped against a STRIDE category and associated with a trust
boundary from the business model. This should be presented in a clear table
that could be easily understood by board and upper management.
You have agreed to provide ANUC with two reports. The first report
(assessment 2) will list 10 or more threats and outline threat discovery, with a
deeper report on discovery for three of the threats. Three of the threats require
a few paragraphs explaining discovery techniques as if you performed the
discovery personally. (Note that mitigation is not performed in assessment 2.)
After this, if ANUC wish to proceed further, you will provide a second report
resulting in a mitigation plan (assessment 3). Assessment 3 takes the result of
threat discovery and performs a risk analysis and culminates in a mitigation
scheme/plan.
Below is a list of possible attacks to choose from. You can choose other attacks,
but it is probably best to ask your facilitator first. Attacks that are too generic
will not be accepted. Remember you need to look more deeply into three cases:
✓ backup and business continuity,
✓ failure of policy or management commitment,
✓ employee awareness,
✓ information security insurance,
✓ service-level agreement,
✓ DR, rainbow attack,
✓ social engineering,
✓ botnets and trojans,
✓ USB attack,
✓ attacks on TLS/SSL,
✓ Wi-Fi protocol insecurities,
✓ phishing attacks,
✓ DoS,
✓ DDoS,
✓ VPN insecurities,
✓ mobile devices,
✓ password storage,
✓ password entropy,
✓ password reuse,
✓ identity theft,
✓ physical theft,
✓ insider attacks,
✓ social networks,
✓ ACL lists,
✓ security policy update,
✓ security policy documentation,
✓ security policy design,
✓ security policy dissemination,
✓ biometric access control,
✓ Bluetooth attacks,
✓ session hijacking,
✓ cross-site scripting (XSS),
✓ shoulder surfing,
✓ rootkit or bootkit,
✓ logic bomb,
✓ software backdoor,
✓ keylogger,
✓ credit card fraud,
✓ 2 factor issues,
✓ MFA
The university, ANUC, is clearly modelled on ANU and its business processes.
You need to investigate the attack on ANU, but also research ANU itself in
depth: its business model, business and management structure, operational
procedures, and business processes. Model ANUC on these as much as possible.
Are there issues with ANU’s business model that make it uniquely open to
attack? It is important to understand the attack on ANU and their responses to
the attack. Identify the strengths and weaknesses of their response to the
attack and advise ANUC accordingly. Do not advise ANUC to make the same
mistakes as ANU.
It may be difficult to find academic articles on the direct attack as these take
some time in editing, but there is a wealth of online information about the
attack. Feel free to use and quote from these. One place to start could be the
following list of articles. (Links are extant at time of writing.)
https://theuniguide.com.au/news/anu-releases-details-of-data-breach
https://www.canberratimes.com.au/story/6414841/like-a-diamond-heist-how-hackers-got-into-australias-top-uni/
https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach
https://www.aspistrategist.org.au/lessons-from-the-anu-cyberattack/
https://apo.org.au/node/262171
https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/
https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
Note that assessment 3 should be in the form of a business report (employing
academic judgement and citation rigour).
The executive summary especially should be written last and in the past tense. It is
like an abstract in a journal article (note that you should not have an “abstract”).
The executive summary is the first thing people will read and should give a
quick round-up of what was done and what was found. It is often the only part
of the report that upper management will read.
A big tip with executive reports is to write the executive summary last, after
you have written everything, and to point out the major conclusions. Also write it
in the past tense, since it is written after the research was done.
A business report is best if it is clearly written. Without omitting important
details, make sure the report could be read and understood by management if
they decided to read the entire document. Tables are a necessity in assessments 2
and 3.
Table structure for Assessment 2: The table in assessment 2 should contain
the threats, a brief description, the STRIDE category each most relates to, and the
trust boundary it most relates to. You may want to add other information.
Note: if your threats in assessment 2 contained errors, you can restart with a
new set of threats for assessment 3.
You will need to create two tables for Assessment 3. The proposed table
structures are given to you as a guideline; your tables need to include the
parameters mentioned here but are not limited to the proposed parameters.
Table 1 for assessment 3 needs to show the threat name, the information
needed to determine the level of risk, risk likelihood, risk consequence, and level of
risk. Table 2 can include, but is not limited to: threat name, control, control
cost, responsible parties/personnel, targeted assets, attack vector, cost
estimate to manage the risk, and the decision. The decision should be one of:
• Mitigation: reduce the risk
• Avoidance: not all risk can be reduced, except by removing or no longer using the risky system
• Transference: outsource the risk to other assets, firms or organizations, or to
insurance
• Acceptance (accept the risk): why spend $100,000/year for a control
against a $100/year loss? One of your threats must have the decision of
acceptance.
For the mitigation scheme (needed only in assessment 3) you should present
the data needed for the next stage of the overall mitigation process. Each
threat requires the following data: threat name, timeline, control, people who
are responsible for implementing the control, cost of the control, and any other
information you deem important.
A great way to summarise this information is with a Gantt chart.
The business will be interested in costs: the cost of your analysis thus far and
the overall cost of mitigation to follow. This is necessary for assessment 3.
After mitigation, some risks inevitably remain. These are called “residual
risks”. It is a good idea to characterise these risks, as it lets the reader know
that there may be attacks in the future and that not all threats can be economically
protected against 100%. In fact, some marks are allocated for residual risks.
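As an added example (not part of this assessment brief, and not code from ANU or ANUC), here is a small Python risk-register helper that applies the Table 1 and Table 2 logic for assessment 3 and reports the residual risk left after treatment: each threat carries its STRIDE category and trust boundary, receives a qualitative level from a likelihood x consequence matrix and an annualised loss expectancy, and is given one of the four decisions, with the $100,000/year control against a $100/year loss ending in Acceptance. The threats and their figures, the 5x5 matrix bands and the decision rules are constructed assumptions for illustration only.

```python
"""Added example: a risk register that scores threats, picks a treatment
decision and reports residual annual loss. All figures are constructed."""
from dataclasses import dataclass
from typing import Optional

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


def risk_level(likelihood: int, consequence: int) -> str:
    """Qualitative level from a 5x5 likelihood x consequence matrix (assumed bands)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence are rated 1..5")
    score = likelihood * consequence
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Threat:
    name: str
    stride: str                  # one STRIDE letter; every threat must map to one
    trust_boundary: str          # DFD trust boundary the threat crosses
    likelihood: int              # 1..5
    consequence: int             # 1..5
    annual_rate: float           # expected occurrences per year
    loss_per_event: float        # expected loss per occurrence, $
    control: Optional[str]       # None when no practical control exists
    control_cost: float = 0.0    # $ per year to run the control
    effectiveness: float = 0.0   # fraction of the loss the control removes, 0..1
    transfer_cost: Optional[float] = None  # $ per year if insurance/outsourcing is offered

    def __post_init__(self) -> None:
        if self.stride not in STRIDE:
            raise ValueError(f"{self.name}: STRIDE must be one of {sorted(STRIDE)}")
        if not self.trust_boundary:
            raise ValueError(f"{self.name}: every threat needs a trust boundary")


def annual_loss(t: Threat) -> float:
    """Annualised loss expectancy: occurrences per year x loss per occurrence."""
    return t.annual_rate * t.loss_per_event


def decide(t: Threat) -> str:
    """Assumed decision rule for the four treatments named in the brief."""
    if t.control is None:
        return "Avoidance"     # only removing the risky system reduces the risk
    if t.control_cost > annual_loss(t):
        return "Acceptance"    # the control costs more than the loss it prevents
    if t.transfer_cost is not None and t.transfer_cost < t.control_cost:
        return "Transference"  # insurance or outsourcing is cheaper than the control
    return "Mitigation"


def residual_loss(t: Threat) -> float:
    """Expected annual loss that remains after the chosen treatment."""
    decision = decide(t)
    if decision == "Mitigation":
        return annual_loss(t) * (1.0 - t.effectiveness)
    if decision == "Avoidance":
        return 0.0             # the system is retired, so the exposure goes with it
    return annual_loss(t)      # accepted or transferred: the loss is still expected


def report_rows(threats: list) -> list:
    """Rows combining Table 1 and Table 2: name, STRIDE, boundary, level,
    control, control cost, annual loss, decision, residual loss."""
    return [(t.name, STRIDE[t.stride], t.trust_boundary,
             risk_level(t.likelihood, t.consequence), t.control or "none available",
             t.control_cost, annual_loss(t), decide(t), residual_loss(t))
            for t in threats]


def has_accepted_risk(threats: list) -> bool:
    """The brief requires at least one threat with the decision 'Acceptance'."""
    return any(decide(t) == "Acceptance" for t in threats)


# Constructed threats for a university modelled on ANUC; all figures are illustrative
THREATS = [
    Threat("Exfiltration of the student and staff database", "I",
           "Internet -> student and staff database", 4, 5, 0.2, 2_000_000,
           "Segment the database network and require MFA for admin access", 150_000, 0.8),
    Threat("Phishing of staff credentials", "S",
           "External email -> staff workstations", 5, 3, 2.0, 50_000,
           "Phishing awareness training plus MFA on all staff logins", 40_000, 0.7),
    Threat("Unpatchable legacy lab server on the campus LAN", "E",
           "Campus LAN -> legacy lab server", 3, 3, 0.5, 20_000, None),
    Threat("Shoulder surfing at library kiosks", "I",
           "Public area -> library kiosks", 2, 1, 1.0, 100,
           "Privacy screens on every kiosk", 100_000, 0.9),
    Threat("Ransomware on the research file share", "D",
           "Internet -> research file share", 3, 4, 0.25, 300_000,
           "Offline backups plus endpoint detection", 60_000, 0.75, 35_000),
]

if __name__ == "__main__":
    for row in report_rows(THREATS):
        print(" | ".join(str(cell) for cell in row))
    print("At least one accepted risk:", has_accepted_risk(THREATS))
```

Running the script prints one row per threat; the kiosk threat shows the brief's own argument in numbers (a $100,000/year control against a $100/year expected loss is accepted, not mitigated), and the residual column is the figure to carry into the residual-risk discussion of the report.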