
School of Informatics & IT: AY 2012/2013 (Oct Semester) Case Study Guide


School of Informatics & IT

AY 2012/2013
(Oct Semester)
CASE STUDY GUIDE
BASIC IT SECURITY (CC1C01)
SUBJECT LEVEL : 1
TIME ALLOWED : 13 WEEKS
INSTRUCTIONS TO CANDIDATES
1. This Case Study Guide consists of 10 pages (excluding the cover page).
2. This paper has deliverables in Week 7 and Week 13.
3. Read through the entire Case Study and follow the instructions carefully.
4. Include the names and matriculation card numbers of all your group members on the Case Study report cover page.
BITS Case Study Project
Group Component: 10%; Individual Component: 50%
4 students per group (in special cases, 3 students in a group)
1. Introduction
You have just graduated from Temasek Polytechnic, School of Informatics & IT, with a Diploma in Cyber Security and Digital Forensics (Dip in CSDF). You have found a job as an Associate Information Security Consultant (A-ISC) in one of the largest security consulting firms, International Security Corporation Advisory (hereafter termed ISCA). ISCA is a Multi-National Corporation (MNC) with a huge foothold in the Asia Pacific, with its headquarters in Singapore.
Securing information has become both more complex and more essential. Banks and government entities such as the Ministry of Security - Singapore (MoSS) have been the 2 biggest customer groups that ISCA has handled over the past year. GTB, Yoke Bank and Silverman Livermore have engaged ISCA's services for the past 5 years, with feedback that ISCA provides the best service (excellent, highly competent information security consultants) and offers the most competitive pricing.
BITS Case Study Guide 1
AY2012/13 Oct
2. Project Scenario
ISCA has recently tendered for and been awarded the contract to design and deliver a reservation system for a newly completed theme park on St Mary Island, called Galaxy World Entertainment Park (GWEP). You have been assigned to work with 3 other A-ISCs to deliver a comprehensive secure solution, with a detailed risk and security analysis on top of a well-planned network and system design diagram, within a period of 13 weeks. As this is a multi-million dollar contract, it is a huge long-term business opportunity for ISCA.
After weeks of engaging GWEP operations, security and network professionals to understand the business environment, the information you have gathered is listed below:
Business Environment
GWEP has two separate reservation systems to handle its two main business entities, Paris Hotel and WWW Theme Park. The two systems are managed separately, and GWEP has no intention of combining them into a new reservation system.
A payment gateway will also need to be in place to process payment details (credit card) once a reservation is made. An Apache Web Server serves static and dynamic web pages to web users from the Internet through a Packet Filtering Router. The web server is also used to process reservations from potential web customers. A DNS server is also needed in the LAN of GWEP.
GWEP engages external developers from All Things Digital Inc (ATDI) to maintain and upgrade the applications on the Web Server, as well as to link the web application to the payment gateway and the two separate business entities. The web application is coded in PHP. All servers run on Microsoft Windows 7 Enterprise. There is also an administrator PC used to maintain the Oracle database and the web server configuration of the reservation system. An SMTP Server allows users of the administrator and development PCs to send and receive emails. Once a reservation is made and the payment details are completed and processed by the payment merchant, a confirmation email is sent to the customer. Web users can also send email to the customer service PCs.
Figure 1 shows a simple diagram meant for your reference (you are to redesign this network diagram in accordance with the project requirements in the next section; it only serves to help you visualise the elements involved in this case study).
Figure 1
Although the GWEP network is still in its infancy, there are traces of the web server having been hacked early on, when GWEP started to make use of the purchased domain name, www.gwep.com.sg. The modification is minor, but the GWEP COO is concerned about this and highlighted it to you and your team during your requirement gathering phase. The GWEP COO has also mentioned that the entire system must have an availability of 99.9%. All servers, databases and PCs will reside in Singapore, on St Mary Island, for easy maintenance.
3. Project Requirements
Your team is required to include the following in your solution:
a. VTACR (Vulnerabilities, Threat, Asset, Control/Safeguards/Countermeasures, Risk) to the business
b. Redesign and explain your proposed logical network & system design with what you have learnt on security
c. For each team member, proposed security measures on one of the following topics:
   - Authorization, Access Control and User Management
   - Operations Security
   - Business Continuity Planning and Disaster Recovery Plans
   - Application Security
d. Limitations of your proposed plans and implementations
e. How you will achieve CIA (Confidentiality, Integrity and Availability)
f. Effort to minimize the cost of the solution
g. References/Bibliography/Citations (include as Appendix)
4. Project Scope
The management of GWEP does not tolerate unprofessional work. They are especially against vague and unclear reports that lift information from multiple sources (sales brochures, datasheets) without demonstrating any real understanding or assimilation into the proposed solution.
Mandatory Scope of Work
Your team has been advised to distribute the tasks as follows (refer to Section 3: Project Requirements):
- Research and document Section 3: Project Requirement (3a) as a group.
- Design Section 3: Project Requirement (3b) as a group.
- Each member must work on at least ONE aspect of Section 3: Project Requirement (3c) individually. (There must be NO duplicate effort within a group.)
- You may also include findings from Section 3: Project Requirement (3a) to support your individual design.
- Regardless of group / individual work, you must include considerations for Section 3: Project Requirement (3d, 3e & 3f) in your solution / findings.
Challenge (Individual)
You may recommend policies and a process flow for the security aspect that you are working on individually (i.e. 3c).
Challenge (Group)
In your requirement analysis and proposed solution, you may also consider how to segregate the network and systems, and how to provision for groups of users that are dynamic in nature.
At the end of the project you will be required to
- submit a group report consisting of BOTH individual & group sections.
- present your solution to GWEP management (the teaching team).
5. Project Milestone Deliverables
Dateline | Deliverables
Week 7 (7 Dec 2012, 2359) | Project Proposal and Interim Assessment
  Individual (14%):
  - Proposed Security Measure (Outline) (If the topic has already been covered, tutors would expect a fairly complete proposal)
  Group (6% => challenge take up 1%):
  - (Major weightage) Proposed Logical Network & System Diagram with Explanation
  - (Minor weightage) Background, Objective, Business Assumption, Conclusion and References/Bibliography/Citations
Week 13 (18 Jan 2012, 2359) | Final Report and Presentation
  Individual (1% => challenge take up !%):
  - Proposed Security Measure (Fully completed)
  Group (4%):
  - (Major weightage) Potential VTACR
  - (Minor weightage) Report format and flow
  Presentation
  Individual (1"%):
  - Presentation of solution of the chosen topic.
  - Q&A
Report Cover Page
Very Important Notes:
If the challenge is attempted, place the challenge write-up in the relevant section(s) and clearly label that the section is your response to the challenge (if it is the individual section, ensure your name is there).
The following is the suggested format. You are free to modify it as you deem fit. Please make sure that the report is concise, clear and neat. Remove all unnecessary remarks and make sure to include page numbers. Lastly, although the main bulk of the marks is derived from the individual section, the group MUST work together to ensure a complete report with a clear and logical flow. As this is not a creative writing class, we will not penalize differing writing styles, but write in the 3rd person. Point form is accepted.
School of Informatics & IT
AY 20GG/20GG MTH Semester
Diploma in ______
Basic IT Security
CC1C01
Basic IT Security
Case Study Interim / Final Report
Name | Matric No | Topic
Basic IT Security (CC1C01)
Report Submission

Practical Class: P01 / P02 / P03 / P04 / P05
Submitted by: <Matric Number> <Full Name of student>
Date: dd/mm/yyyy
"By submitting this work, I am / we are declaring that I am / we are the originator(s) of this work and that all other original sources used in this work have been appropriately acknowledged.
I / We understand that plagiarism is the act of taking and using the whole or any part of another person's work and presenting it as my / our own without proper acknowledgement.
I / We also understand that plagiarism is an academic offence and that disciplinary action will be taken for plagiarism."
NAME AND SIGNATURE OF STUDENT: ______________
NAME AND SIGNATURE OF STUDENT: ______________
NAME AND SIGNATURE OF STUDENT: ______________
NAME AND SIGNATURE OF STUDENT: ______________
Content Page
Background
Describe the scenario in which your project will be used.
Objective
State the objective of your project.
Business Assumption
List down any business assumption made for your proposed solution; assumptions made must be realistic and logical.
Potential VTACR
List the VTACR that would affect IT infrastructure and operations.
Proposed Logical Network & System Diagram with Explanation
Apart from the diagram, also provide an analysis of the considerations given to the design.
Proposed Security Measure
Each section would be a sub-section. The header of each section should describe clearly the topic and the name/matric number of the individual responsible for the section.
Analysis of requirements
Explain your analysis of the requirements.
Proposed Security Measure
Indicate your proposed security measure.
Limitation of Proposed Plan and Implementation
Describe any limitation that your proposed plan and implementation will have.
Actions to overcome the limitation(s), if any
Describe any limitation that your proposed plan and implementation will have.
Achieving CIA
Explain how your team can achieve CIA.
Efforts to minimize cost of solution
Describe the ways in which your team can minimize the cost of the solution.
Conclusion
Provide a summary. Each section would be a sub-section. The header of each section should describe clearly the topic and the name/matric number of the individual responsible for the section.
References/Bibliography/Citations (include as Appendix)
Include any references/bibliography/citations as an appendix in a separate section.