COMPSCI 316: Cyber Security

Assignment 1

COMPSCI 316: Cyber Security, Semester 2, 2024

This assignment is worth 100 marks. The weight of this assignment is 10% of the course. The deadline to submit this assignment is Friday, September 13, 23:59 hrs NZ Time. No late submissions are accepted. The assignment must be submitted through Canvas. The only acceptable format is PDF.

For answers containing brief explanations, the answers should not exceed 300 words. You are also expected to use APA or IEEE1 referencing style. in this assignment.

Note. Sharing assignment solutions does not help in your learning. Consequently, our academic integrity policy does not permit sharing solutions or source code leading to solutions. Violation of this will result in your assignment submission attracting no marks, and you may also face disciplinary actions. Therefore, please do not share assignments, assignment solutions or source code leading to assignment solutions. Do not publish or make available your assignments or solutions online. You will be liable if someone copies your solution. Please talk to us if you have any doubts about what is legit and what is not.

Do not leave your computers, devices, and belongings unattended — you must always secure these to prevent anyone from accessing your assignments or solutions.

For more information, see our University’s Student Academic Conduct Statute.

Question I. (20 marks) Data Breach. Identify a data breach discovered between August 2023 and July 2024 and answer the following questions.

1. Share the URL reporting this data breach. [1 mark]

2. Briefly describe the impact of this data breach. Briefly describe how many users were affected, the level of impact (explaining whether it was low, medium, or high), and financial, or other losses (e.g., reputation damage). [5 marks]

3. Briefly explain what information was released. [3 marks]

4. Briefly describe the root cause of this data breach. [5 marks]

5. As a cyber security expert, what kind of security measures would you take to reduce the risk of similar data breaches in the future? Provide a brief explanation. [6 marks]

Question II. (25 marks) Vulnerability Analysis. Visit https://cve.mitre.org/cve/search_cve_list.html and search for a CVE ID (CVE, 2023) that contains the last three digits in your UPI (username). If no entry corresponds to the last three digits of your UPI (username), you can increment your UPI by one and repeat the process unless you find a valid CVE ID. If you see multiple CVE IDs, you can choose any one of them. For your CVE entry, which you must write down in your answer, you should be able to find its NVD entry, where you can find detailed information about the vulnerability. Answer the following questions:

1. Briefly explain the vulnerability in your own words. [5 marks]

2. Briefly explain why the confidentiality score is low, medium, or high. [3 marks]

3. Briefly explain why the integrity score is low, medium, or high. [3 marks]

4. Briefly explain why the availability score is low, medium, or high. [3 marks]

5. Consider that you are a cyber security consultant for an organization that uses a product or service that can be exploited using the vulnerability in question. Briefly describe at least one alternative product or service you can suggest to your organization. [6 marks]

6. Can this vulnerability be identified using static analysis or dynamic analysis? Explain briefly. [5 marks]

Question III. (8 marks) Usable Security. As healthcare digitization continues, the industry must prioritize security measures that protect patient data, healthcare systems and infrastructure. Phishing is a leading cause of healthcare data breaches, and attacks have been increasing exponentially. Assume you are working as a cyber security consultant for the healthcare industry. You are tasked to develop an app that teaches employees in the healthcare sector how to protect themselves from phishing attacks (State any assumptions you have made).

1. Briefly explain your advice to develop appropriate teaching content (i.e., what to teach) in the app to combat contemporary phishing attacks. [2 marks]

2. Briefly explain your strategy to get users (i.e., doctors, nurses, admin staff, and patients in healthcare sectors) to better interact with the app to improve their learning experience. [2 marks]

3. Briefly explain how you assess the user’s learning (users could be doctors, nurses, admin staff, and patients). [4 marks]

Question IV. (12 marks) Software Security. Assume you are working as a cyber security consultant for the Ministry of Defence in New Zealand. You are tasked to develop a fully working, secure messaging app (i.e., audio, video, text, file sharing etc.) for internal communication purposes within the ministry. You have learned the Open Web Application Security Project (OWASP) top-10 most seen application vulnerabilities. You are required to advise your software development team to implement the following security features (i.e., secure login, secure communication, secure password storage, and secure all messages) in the messaging app.

1. Briefly explain your advice on developing a secure login for users. [4 marks]

2. Briefly explain your advice on developing secure password storage for individuals. [4 marks]

3. Briefly explain your advice to secure all messages and communication in the application. [4 marks]

Question V. (15 marks) Cyber Security Risk Management. Assume you are working as a cyber security consultant for a major bank in New Zealand to develop a mobile banking system for their customers. It will record, process, and store customers’ banking data such as demographic information, transactions, loans, insurance information, and other data that a banking professional collects to identify an individual and determine appropriate service. The senior management at the bank has determined that a new risk management plan must be developed. To this end, you must answer the following questions (State any assumptions you have made):

1. Introduce a risk management plan to the senior management at the bank by briefly explaining its purpose and importance. [ 3 marks]

2. Create an outline (i.e., visually describe the outline) for the completed risk management plan. [5 marks]

3. How can the CIA triad be applied in cyber security risk management? [7 marks]

Question VI. (20 marks) Usable Privacy and GDPR. Consider that you are working as a DevOpsSec (development, security and operations) Consultant at a cyber security company to develop a health care system for Auckland City Hospital in New Zealand. You are required to design a web-based healthcare application that allows remote consultation with medical professionals, general practitioners, and specialists for payment. Patients should be able to browse a registered list of medical professionals and chat (i.e., text, audio, and video) about their health problems for advice.

Doctors and healthcare professionals can register on the application to earn by providing their expertise to patients. The application will be freely available online for desktop and mobile platforms and charge for individual (i.e., patient) consultations. You may want to consider advertising and data sharing with third parties, such as insurance providers and hospitals (State any assumptions you have made).

1. Briefly explain what privacy requirements should be considered when developing healthcare applications to preserve end-user privacy. [8 marks]

2. Briefly explain your strategy for implementing appropriate privacy requirements using GDPR principles in the healthcare application to preserve end-user privacy. [12 marks]