1 Security Goals (20 marks)
Analyse the following real-world IT-related incidents and data breaches where specific security goals were compromised. For each scenario, identify the compromised security goal (e.g., Confidentiality, Data/Message Integrity, Authenticity, Authorisation, Accountability, Non-repudiation, Deniability, Availability, Privacy) and explain how the incident compromised that goal.
You will have to do your research by referring to various news articles and incident reports to understand what happened in each incident. We have given some sample links to get you started but feel free to investigate more and understand what happened in each incident. Most of the questions will have more than one correct answer, depending on how you look at them. We will accept them if your explanation is correct and related to the incident.
Provide clear and concise explanations for each scenario, as shown in the example.
Example 1 - CrowdStrike Falcon update failure 2024 - Link
Compromised Security goal: Availability
Explanation: Windows machines with the CrowdStrike Falcon Sensor installed went into a boot loop with a BSOD (Blue Screen of Death), making them unusable and compromising availability.
Example 2 - Optus data breach 2022 - Link
Compromised Security goal: Confidentiality
Explanation: Personal information of Optus customers, such as driver’s licence number, passport number, and address, was harvested by an attacker using an unauthenticated API endpoint. Optus failed to keep its customers’ data confidential. Here, arguments can be made for security goals such as authorisation and privacy, but they are secondary to confidentiality.
2 marks for each: 1 mark for correctly naming the security goal and 1 mark for the explanation.
i Twitter account hijacking, 2020, Link.
ii Stuxnet, 2010, Link.
iii Medicare and Pharmaceutical Benefits Scheme (PBS) data released by the Australian Department of Health, 2016, Link 1, Link 2.
iv SolarWinds Supply Chain Attack, 2020, Link.
v Attack on Dyn DNS Provider, 2016, Link.
vi Poly Network Hack, 2021, Link 1, Link 2.
vii Silk Road Takedown, 2013, Link 1, Link 2.
viii Colonial Pipeline Cyberattack, 2021, Link.
ix Ashley Madison Breach, 2015, Link.
x UniSuper Google Cloud Incident, 2024, Link 1, Link 2, Link 3.
2 Social Engineering (20 marks)
ZenithTech, a prominent financial services firm, has been experiencing a surge in activity due to the launch of a new investment platform. During this time, Sarah, an operations manager, receives a call from someone claiming to be Chris, a representative from their external auditing firm. Shortly after, she also receives an email supposedly from the company’s internal audit department.
Chris: “Hello Sarah, I’m Chris from your external audit firm. We’re conducting a quick review of the new investment platform’s security protocols. Could you provide the access logs and system architecture diagrams?”
Sarah: “I wasn’t aware of this audit. Shouldn’t this request come through our IT security team?”
Chris: “I understand your concern, Sarah. Due to the urgency of this review, we’ve been asked to directly contact key personnel. I’ve already spoken to Michael from your internal audit team, and he’ll send you an email confirming my request.”