CIS2005 Principles of Information Security – Assignment 3

Posted by:Prof. Lexx Posted on:May 3,2016

This assignment assesses your understanding in relation to the following three course


  1. analyse information security vulnerabilities and threats and determine appropriate controls

that can be applied to mitigate the potential risks

  1. explain why continual improvement is necessary to maintain reasonably secure

information systems and IT infrastructure and to describe the role of disaster recovery and

business continuity plans in recovering information and operational systems when systems

and hardware fail

  1. demonstrate an ability to communicate effectively both written and orally about the

management of information security in organisations.

This assignment assesses the following graduate skills: Problem Solving, Academic &

Professional Literacy and Oral and Written Communication at level 2.

This assignment relates to the topics covered in modules 1 to 10. This assignment can be

completed by groups of two students or as an individual assignment. Details regarding the

allocation of students to teams will be provided on the course study desk. Each student team

will be allocated their own discussion forum for assignment 3 to specifically work

collaboratively as a team in developing and discussing their approach to assignment 3 case

study and the required Security report and presentation. Regular participation in each

team’s discussion forum by the team members each week from Monday 8th September until

Friday 17th October is expected. Each team member will also be required to keep a journal of

their activities and progress related to completing this assignment and will form part of the

assessment for assignment 3. In date order clearly list the following:

• date of research activity/discussion

• topics researched or discussed

• time duration of activity.

Submit this journal for each team member as an appendix to the assignment 3

Recommendations report. Any reference to web pages and on line resources such as white

papers, blogs, wikis etc. should be listed at the end of the journal.

Regular participation on the discussion forums dedicated for this assessment is highly

recommended and can assist greatly with this assessment item. Also note that you are

expected to do research outside of the course materials provided.


Description Marks

out of

Weighting Due date

Assignment 3 Report and Presentation based



(A fictitious analysis of a security breach)

Length: 3000 words approx. plus Appendices

100 30% 17th




Case Study: BIGCOINX (A fictitious analysis of the importance

of Security in the Digital Currency World)!

Background: !

BigCoinX (BCX) is an Internet bitcoin exchange start-up founded in early 2013 riding on the boom of

interest in the bitcoin currency of the last few years. !

Established by former work colleagues in the investment banking industry, Mark Buck (current CEO)

and Peter Gates (CTO), the company by late 2013 was relatively successful and doing an estimated

1% of all global bitcoin trades. !

While in the scheme of things, the user base numbers seems good, both Mark and Peter know, that to

achieve a critical mass of users that will establish BCX as a “player” in the bitcoin world, they will

need to reach numbers upwards of 10% of global bitcoin trades. !

With bitcoin being a hot topic and Internet start-ups springing up all the time to try to make money

from the bitcoin rush, BCX knows it has to stay ahead of the game. !

The company is continually innovating and responding to user requirements, industry trends and

competitive challenges. Mark and Peter’s 5 person business, based in Sydney’s upcoming Technology

Hub, Redfern, is a busy and dynamic environment. !

BCX is aiming to become profitable and self-sufficient by the end of 2014 at the latest. It is at this

time that their capital funds will be exhausted, but they estimate, once they hit the 3% global mark,

and have deployed into production their new bitcoin trading software, (both aggressively targeted for

October, 2014), they will have positive financial results.


News Release: March 17, 2013: “Largest Global Bitcoin Marketplace Hacked: Mt Gox, the world’s

largest bitcoin exchange files for bankruptcy. $600M in bitcoins stolen”.


Waking up to news overnight that their largest competitor has been hacked (or otherwise – details are

sketchy) and that they have lost over $600M in their customer’s bitcoins has shaken up the BCX



Mark and Peter are nervous. If the world’s largest bitcoin exchange has gone under, what position

does that leave them in? With little news available and probably no expectation of knowing what

exactly went on at Mt Gox for some time, BCX must try to assess their own position and risks. There

is a lot at stake here. Are they exposed as well? Are their clients going to be nervous and do a “run”

on the exchange? Is their business secure?


Time is of an essence so an emergency teleconference is organised between Mark, Peter and Phil

Jones, (Technical Support Manager) at HotHost1 – a cloud services company where the BCX

environment is hosted.



Some resources which may be useful for this assignment 3 Case Study

At Mt. Gox bitcoin hub, ‘geek’ CEO sought both control and escape


Avoiding the next Mt. Gox: Vault of Satoshi bitcoin exchange launches proof-of-solvency service


Bitcoin Transaction Malleability and MtGox

Mt.Gox Finds 200,000 Bitcoin In An “Old-Format” Digital Wallet

Mt.Gox Finds 200,000 Bitcoin In An “Old-Format” Digital Wallet

Mt. Gox


March 18, 2014, 9:45am: Offices of HackStop Consulting

A quiet morning for you until a call from a company called BCX reaches your desk.

As a Senior IT Security Consultant at HackStop Consulting, you’ve had calls like this many times. It’s

time to get your game on again! Time to visit the offices of BCX. Their CEO, CTO and a Manager

from their hosting provider HotHost1 are desperate to meet with you.


Your Task

On return from your meeting, it’s time to quickly put together a proposed plan of work and a response

for BCX. Given the nature of your assignment with BCX, an urgent response and work-plan is

required that outlines your approach and methodologies to:

(1) Assessing what could go wrong – how could someone (a hacker?) compromise the BCX

environment and steal the user bitcoins?

(2) How does BCX ensure it does not happen?


Student Notes

At present, no other assumptions need to be made about the actual security issues/breach at Mt Box

but an understanding of how it could have happened will assist with the assignment.

Read about the real Mt Gox episode and the history of bitcoin and other bitcoin security issues of the

past few years. (Google is your best friend).

This assignment is focused upon seeing if you, the student has built up an awareness of how security

in Internet Websites can be assessed and analysed to assist businesses in improving their overall

security position. !

By being able to outline how you would go about reviewing the security requirements outlined in the

BCX case study and making recommendations on improving security practices and the appropriate

controls that need to be put place to reduce the risks to an acceptable level for BCX, the markers will

be able to assess your level of knowledge learned in this course and the additional research you have


Any information not provided in the case study may be assumed, but make sure that your

assumptions are stated and that the assumptions are plausible.

**** NB; Importantly and in addition to your own study and research, there will be two specific

discussion forum threads on the assignment discussion forum where you can ask questions of the

main players in the scenario:

  1. Mark Buck and/or Peter Gates (BCX)
  2. Phil Jones (HotHost1)

By actively participating in the forum discussions for this assignment, you will gain valuable

information and insight into this case study that will be regarded highly by the markers.

(Note: Any questions which are not considered to be appropriate or professional for the purpose of

this assessment may not be answered)


The success of your engagement is based upon two deliverables:

(1) Development of security audit plan to assess how you would determine BCX’s security posture at

the present time.

(2) A business proposal to BCX Management in the form of a presentation (based on your proposed

security audit plan – Deliverable 1) that outlines how the organisation should be better focusing on

Information Security.

In detail:

(1) Security Audit Work-plan (WORD Document):

The Security Audit work plan should be included in a professionally presented document of no more

than 10 pages and be structured to show how each phase of work is to be undertaken. Your work-plan

must include the following at a minimum:

* Executive Summary: half-page brief outlining purpose; scope, expectations and outcomes of

the proposed plan of work. (250 words)


Structured and ordered work plan phase description, which for each section includes:

* Background and problem analysis – What could go wrong? How could a hacker

compromise the BCX web site environment and steal the user information ? (approx. 500 words)

* Threat analysis – What is to be investigated and tested, how it will be done, what sort of

potential issues you are looking for, and deliverables BCX and/or HotHost1 can expect for each phase

of work – (eg; the “deliverable” for the phase of work could potentially be a report containing the

results of a vulnerability assessment test on BCX’s server(s)). (approx. 1000 words)

* Dependencies and critical success factors to the job – such as key stakeholders in this

security audit – the key people to be interviewed or whose involvement in that phase of work is

required. (Remember, you don’t always get free-rein access to systems and other information and

because time is of importance, you won’t get a long time to master the environment. But, as you

know, you cannot also always believe everything you are told). What is key to getting this job done

efficiently and what support do you need to get this done, (from BCX and also the hosting provider).

(approx. 500 words)

* Set of recommendations for improving BCX’s current security practices and ensuring that an

appropriate set of controls are put in place (approx. 750 words)

* Reference list of key sources in particular technical references which support your approach

(Not counted in word count)

Note in this report and in the accompanying presentation you are encouraged to make

use of appropriate Figures and Tables to emphasise the key points that you are trying


* A journal of each team member’s (for students completing this assignment individually –

your) activities in participating and contributing to the completion of the work plan report and



(2) Developing a Securer Environment for BCX for the Future (POWERPOINT): !

Your strategy presentation should be created as if it were an actual presentation you were doing for a

real client in relation to your proposed work plan including a set of recommendations and should

contain the following at a minimum:

* 1 Slide for an Introduction outlining your team and the organisation you work for

* 2-3 Slides covering the Background: A brief summary of where BCX is today in regards to

security practices in their organisation and controls in place for their web servers.

* 2-3 Slides covering the Threat Analysis: A summary of the major threats and associated

vulnerabilities and the actions required to reduce the risks associated with these threats and specific

vulnerabilities in their web servers to an acceptable level.

* 2 Slides covering Dependencies and critical success factors to the job: i.e. what is key to

getting this job done efficiently and what support do you need to get this done, (e.g. internal business

stakeholders, developers etc.)

* 2 Slides covering your proposed Set of recommendations for improving security practices at

BCX and ensuring appropriate controls are in place in relation to their web site which is core to their

business !

[The following is also to be included. While not part of a “standard” Industry business presentation, it

is there to allow teaching staff to gauge what level of research has been undertaken].

* 1 Slide acknowledging the key authoritative reference sources which underpin the research

you have conducted and your approach in the proposed work plan in your proposed business


—————— !

Report and Presentation Format:

* MS WORD and PowerPoint respectively (or a web-based presentation as an alternative to

PowerPoint for (2) of the assignment deliverables) must be used. NB; For the presentation, you are

asked to include a Word document (or utilise the notes section of PowerPoint) to detail the length of

time expected to be spent on each slide (page) and the details of what you would expect to discuss

with the audience.

* This assignment is focused upon seeing if as a student in this course you have built up an

awareness of how security in an environment should be set up and operated. By being able to outline

how you would review and test the security of the fictional organisation, BCX, through assessment of

the basics such as good policies, standards, procedures and controls in place, in addition to detection

of incidents, the markers will be able to assess your level of knowledge learned from the course

content and from your own additional research in relation to this case study


Prof. Lexx

Overview I have a Bachelor of Arts, majoring in English and minoring in History. I have worked in various fields ranging from academic research to freelance translating to editing to customer support and data entry. These include editing my old university's newspaper as well as co-leading their creative writing team; serving as a junior member in the history department's research network; publishing music and film reviews for several different magazines and webzines; and translating papers and books for numerous researchers in various languages, including Russian, Spanish, and Romanian. I am also a skilled typist, with a rate of at least 70 words per minute, and have myself digitized dozens of books and essays for both private and commercial use. I have a very strong work ethic, and make sure to prioritize the task I am given so that it is completed as quickly as possible. I am organized and disciplined, ensuring a job done professionally and efficiently.

    I have a background of 8 years in writing profession and currently pursuing also as an editor and proofreader. I have a knack for writing and thus, it was obvious to enhance my skills and serve others. Currently joined ‘Member of Association of Professional Writers and Editors’ a

    Pro Alex