TNE30009 Case Study 2020
Case Study
Introduction
You are to select ONE of the topics listed below and carry out a risk analysis for the organisation,
specify policy to address that risk, and specify how it will be implemented. Each topic can be selected
by one group only, on a first come, first served basis.
This project is to be conducted in groups of 4 students. Smaller or larger groups may be accepted but
a higher standard will be expected from larger groups. You must notify the convener if your group is
not three people.
The project report is due on the Friday of Week 12, before 5.00 pm.
Project requirements
For the option chosen, you are required to:
1. Identify the major security risks the malware or vulnerability poses to the organisation and
perform a risk analysis. The number of major risks is to be no more than five. You must use
the Delphi method discussed in class to rank the risks.
2. Write security policies that address the risks identified in the risk analysis.
3. Specify how each policy will be implemented. Explain what technologies and procedures will
be deployed and how they will be used. Briefly outline the capabilities of the technologies to
be implemented.
In preparing this work you will need to make a number of assumptions regarding the organisation.
You are welcome to check your assumptions with the convener. When you prepare your work, you
will need to document your assumptions.
Report
Your work will be submitted as a group project report. Use the format of this document as a guide to
the layout of the report. Sections are to be numbered. Diagrams are to be labelled. Any references
used are to be listed in a Reference section.
The report is to be no more than 15 pages. Below are the marks allocated to each section. The report
will be marked out of 20. Marks will be deducted for no cover page and no or inadequate referencing.
Referencing is to be IEEE or Author-Date.
1. Cover page.
This is to include the organisation analysed and the names and student identity numbers of all
participants.
No more than one page outlining the contents and summarising the recommendations of the
report.
3. Introduction. (2 marks)
TNE30009 Network Security and Resilience
No more than one page discussing the security issues faced by the organisation including any
assumptions made.
Identify and rank the security threats faced by the organisation using the method discussed in
class.
This is to include an identification of the relevant organisation’s assets. Threats faced by the
organisation are to specify what assets are at risk.
This is to consist of policy statements that address the threats identified in the previous
section. No more than five of the most urgent threats are to be addressed. Policy statements
are high level statements of security goals.
Specify how each policy will be implemented. Specify what technologies are to be used and
where and how they will be deployed. Outline any manual controls to be adopted. Outline
technologies that are recommended.
This is to be written to sufficient depth that it could be given to technical and administrative
staff to implement.
8. References
In the above sections you must document any assumptions you make.
Assessment
Assessment will be based on how thoroughly and clearly the risk analysis, the security programme and
the implementation are described.
Marks will be deducted for failing to adhere to the format of the report.
Active participation of all members is expected. You will be given a private channel in MS Teams for
your group, and I will be expecting active communication and sharing of information and drafts in the
private channel. Evidence of project planning, sharing of found information, report drafts and
feedback on other members' work is expected. Each individual member of the group will be assessed on
his/her activeness in participating in the group communication and contribution to the report. Each
member's mark on the report will be obtained by multiplying the group paper mark by the multiplier
from the scale below:
Multiplier    Description
1.00          Demonstration of consistent and active participation in the MS Teams private channel chat throughout the project duration, with evidence of effort shown.
0.75          Demonstration of active participation in the MS Teams private channel chat, but in an inconsistent manner, with evidence of effort on major tasks shown.
Project topics
1. Conficker
Conficker is a computer worm that spreads itself to other computers in a variety of ways. You
need to obtain an understanding of Conficker and similar malware. You are to choose an
organization you are familiar with and do the following:
• Identify the risks that malware similar to Conficker poses to this organization.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
2. BGP Vulnerabilities
BGP is the core Internet routing protocol. BGP is surprisingly fragile. You need to obtain an
understanding of BGP and its vulnerabilities. You are to consider how these vulnerabilities can
affect the operation of a small ISP. To do this you are to do the following:
• Identify the risks that BGP vulnerabilities pose to a small ISP.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
3. Stuxnet
The Stuxnet worm was (believed to be) developed to attack a nuclear power station in Iran.
You are to obtain an understanding of Stuxnet and similar malware and do the following:
• Identify the risks that worms similar to Stuxnet pose to similar industrial systems.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.
4. Athens phone tapping scandal
The mobile phones of over a hundred Greek public figures were illegally tapped from August
2004 to March 2005. This was caused by the illegal placement and use of phone tapping
technology on core telecommunications equipment. You are to explore how this occurred. As
in the previous scenarios you are to do the following:
• Identify the risks that illegal placement of such software poses to the company.
• Rank the risks using the method discussed in the lectures.
• Formulate policy to address those risks.
• Outline how the policy is to be implemented.