ASSIGNMENT 1 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Student ID

Class Assessor name

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand
that making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P1 P2 P3 P4 M1 M2 D1
❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

I.Introduction
As part of the esteemed team at FPT Information Security (FIS), we understand the paramount
importance of staying ahead in the ever-evolving landscape of cybersecurity. FIS, a leading Security
consultancy in Vietnam, is committed to partnering with medium-sized companies, offering expert
guidance and tailored solutions to combat the intricate challenges posed by IT security threats.
In our line of work, we often encounter clients who have chosen to entrust their security concerns to FIS,
recognizing the expertise and dedication we bring to the table. Many of these organizations have opted
for outsourcing due to the inherent complexity of IT security and the scarcity of in-house technical
proficiency. It is within this context that our role as trainee IT Security Specialists gains heightened
significance.
Today, under the directive of our esteemed manager, Jonson, we embark on a journey to equip
ourselves with the indispensable knowledge and skills required to effectively identify and assess IT
security risks. Our objective is not only to fortify the defenses of our clients but also to empower
ourselves with the expertise needed to navigate the intricate nuances of cybersecurity.
Throughout this session, we will explore the diverse array of tools and techniques essential for robust
risk identification and assessment. From vulnerability scanning to threat intelligence analysis, we will
delve into practical methodologies aimed at strengthening our understanding and proficiency in this
critical domain.
As we delve deeper into the intricacies of IT security, let us approach this learning opportunity with
enthusiasm and dedication. Let us leverage the collective expertise within our organization to foster a
culture of continuous learning and innovation.
II.Content
P1.Discuss types of security risks to organisations
1. Define IT risks
A network security threat is exactly that: a threat to your network and data systems. Any attempt to
breach your network and obtain access to your data is a network threat.There are different kinds of
network threats, and each has different goals. Some, like distributed denial-of-service (DDoS) attacks,
seek to shut down your network or servers by overwhelming it with requests. Other threats, like
malware or credential theft, are aimed at stealing your data . Still others, like spyware, will insert
themselves into your organization’s network, where they’ll lie in wait, collecting information about your
organization.
• Threat can be anything that can take advantage of a vulnerability to breach security and negatively
alter, erase, harm object or objects of interest.
• Software attacks means attack by Viruses, Worms, Trojan Horses etc. Many users believe that malware,
virus, worms, bots are all same things. But they are not same, only similarity is that they all are malicious
software that behaves differently.[1]
2. Discuss types of risks to organizations
a. Malware attacks
Malware attacks are any type of malicious software designed to cause harm or damage to a computer,
server, client or computer network and/or infrastructure without end-user knowledge.
Cyber attackers create, use and sell malware for many different reasons, but it is most frequently used to
steal personal, financial or business information. While their motivations vary, cyber attackers nearly
always focus their tactics, techniques and procedures (TTPs) on gaining access to privileged credentials
and accounts to carry out their mission.[2]
Types of malwares:
 Viruses : When a computer virus is executed, it can replicate itself by modifying other programs
and inserting its malicious code. It is the only type of malware that can “infect” other files and is
one of the most difficult types of malware to remove.

Figure 1 : Viruses
 Worm : A worm has the power to self-replicate without end-user involvement and can infect
entire networks quickly by moving from one machine to another.

Figure 2 : Worm

 Trojan : Trojan malware disguises itself as a legitimate program, making it one of the most
difficult types of malware to detect. This type of malware contains malicious code and
instructions that, once executed by the victim, can operate under the radar. It is often used to let
other types of malware into the system.

Figure 3 : Trojan
 Adware : Adware serves unwanted and aggressive advertising (e.g., pop-up ads) to the end-user.

Figure 4 : Adware

 Spyware : Spyware spies on the unsuspecting end-user, collecting credentials and passwords,
browsing history and more.

Figure 5 : Spyware
  Ransomware : Ransomware infects machines, encrypts files and holds the needed decryption key
for ransom until the victim pays. Ransomware attacks targeting enterprises and government
entities are on the rise, costing millions of organizations as some pay off the attackers to restore
vital systems. Cyptolocker, Petya and Loky are some of the most common and notorious families
of ransomware.

Figure 6 : Ransomware

3. What are the recent security breaches? List and give examples with dates
a. 'Mother of all breaches': 26 BILLION records leaked
Security researcher Bob Diachenko and Cybernews investigators discovered an open version with more
than 26 billion data records, mostly compiled from previous breaches – although it may also including
new data.
Organizations involved in these data records include:
 Tencent QQ – 1.4 billion records;
 weibo – 504 million records;
 Myspace – 360 million records;
 X/Twitter – 281 million records;
 Deezer – 258 million records;
 LinkedIn – 251 million profiles;
  AdultFriendFinder – 220 million profiles;
 Adobe – 153 million records;
 Canva – 143 million records;
 VK – 101 million records;
 Dailymotion – 86 million records;
 Dropbox – 69 million records;
 Telegram – 41 million profiles
Data is more than just authentic information – according to Cybernews, most of the exposed data is
sensitive.
Given the unusual scale of the data breach, it was dubbed the 'MOAB' (mother of all breaches). A total of
3,876 domains were included in the exposed dataset.
Leon Teale is a senior penetration tester at IT Administration with over ten years of experience
performing penetration tests for clients in various industries worldwide. Leon has also won hackathon
events in the UK and internationally, and has been recognized for numerous bug awards.[2]
b. Aadhaar details, phone numbers of nearly 75 crore Indians put up for sale, cybersecurity firm claims
The threat actors selling the data allegedly obtained the data through ‘vulnerabilities in government
databases or telecommunication systems’, said CloudSek.

Figure 7 : Image for representation. | Noah Seelam/AFP

Personal data such as Aadhaar details and mobile phone numbers of nearly 75 crore Indians has been
allegedly put up for sale online, said digital threat analysis company CloudSek in a report on Wednesday.

The company said that its digital risk protection platform discovered that a threat actor named CyboDevil
had made a post on an “underground forum” promoting the sale of the comprehensive mobile network
consumer database on Tuesday.

It said that a similar post was made by another threat actor named UNIT8200 on January 14 on the
instant messaging platform Telegram.

The database allegedly includes the name of the mobile user, their phone numbers, residential
addresses, Aadhaar details and names of their family members.

The CyboDevil and UNIT8200 are a part of the CYBOCREW group, which was founded around July 2023.
The CYBOCREW group has been “linked to significant breaches, targeting Netplus Co, Zivame, Giva Co,
and a Hyundai data breach affecting 2.1 million individuals”, according to the cybersecurity firm.

In its report, the firm also included screengrabs of the posts made on Telegram and the “underground
forum”. It, however, did not mention if CloudSek had independently verified the dataset.

It said that the exact way in which the data was breached is not clear but added that the threat actors
hinted at “exploiting vulnerabilities within government databases or telecommunication systems”.

The report said that when CYBOCREW was asked how it acquired the extensive dataset, the group
“asserted obtaining the data through undisclosed asset work within law enforcement channels”.

“This opaque explanation prompts a critical examination into the legitimacy and ethical considerations
surrounding the actor’s access to highly sensitive information,” the company said. “Further scrutiny is
warranted to validate the veracity of the claim and assess the potential implications of such data
sourcing practices.”

The report also raised alarms about the significant risks due to such leaks and said that it could be used
for “sophisticated ransomware attacks or data exfiltration”.

In December, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar
said that there have been 165 breaches of data of Indian citizens between January 2018 and October
2023.[3]

c. UK and allies sanctions Russian cyber hacker

The UK, US and Australia have sanctioned a Russia-based cyber hacker in coordinated action aimed at
cracking down on international cyber crime.

Figure 8 : UK and allies sanctions Russian cyber hacker

The UK, US and Australia have today (Tuesday 23 January) sanctioned a Russia-based cyber hacker in the
latest wave of coordinated action aimed at cracking down on international cyber crime.

Today’s sanctions target Russian national Aleksandr Ermakov who has been identified by the Australian
Signals Directorate and Australian Federal Police along with international partners as a key actor in the
Australia Medibank cyber attack in 2022.

The attack, largely considered one of the worst cyber incidents in Australia’s history saw 9.7 million
customers’ records, containing medical and personal data, and data on over 480,000 health claims
leaked on the dark web.

The data leaked contained highly sensitive medical information about individuals’ treatment, including
records on mental health, sexual health and drug use.

Today’s measures will hold the individual responsible for this atrocious attack accountable. Ermakov will
now be subject to a series of asset freezes and travel bans.

The UK has sanctioned Aleksandr Ermakov as part of our wider commitment to cracking down on
malicious cyber activity and working with our international partners to promote international security
and stability in cyberspace.
4. Discuss the consequences of this breach

The consequences of information security violations can be very serious and can affect individuals,
organizations and society as follows:

 Data loss and financial loss: In the case of ransomware attacks or other data breaches, financial
losses can be huge. The loss of important data or personal information can lead to financial and
reputational consequences for the organization.
 Loss of reputation and brand: Organizations and businesses are affected by loss of reputation
and brand due to the disclosure of personal or confidential information, especially if they fail to
meet the trust of their customers in protecting their data.
 Legal risks: Information security breaches can lead to legal consequences, including facing legal
action, fines and lawsuits from affected parties.
 Loss of operations: In some cases, cyber attacks can disrupt an organization's business or service
operations, causing major economic loss and affecting its ability to deliver. service for customers.
 National security risk: Particularly complex and sophisticated cyber attacks can threaten national
security, including the disclosure of military or national intelligence information, or cause the loss
of in terms of nuclear, grid power, or infrastructure management systems.
 Impact on individuals and society: Loss of personal information can have significant
consequences for individuals, including loss of account security, financial fraud, or other
consequences such as assassination honor or unemployment.

To minimize the consequences of information security breaches, organizations need to implement

effective security measures, train employees on cybersecurity, and comply with security regulations and
standards. international network.

5. Suggest solutions to organizations

Implement a comprehensive cybersecurity strategy: Develop and implement a comprehensive

cybersecurity strategy, including identifying, assessing and managing information security risks, as well
as establishing policies policies and procedures to protect systems and data.

Invest in modern security technology: Use advanced security technologies such as firewalls, data
encryption, intrusion detection systems (IDS), and malware prevention systems to prevent attacks.
network and protect the system from risks.
Training and raising security awareness for employees: Organizations need to train employees on the
risks and prevention measures of cyber attacks, as well as promote information security awareness in all
their activities. .

Periodic audits and assessments: Conduct periodic cybersecurity audits and risk assessments to ensure
that security measures are implemented effectively and that the organization has the ability to respond
quickly to incidents. new threats.

Partner and vendor management and monitoring: Ensure that the organization's vendors and partners
comply with cybersecurity standards and provide security measures that are strong enough to protect
critical information organization's.

Incident prevention and recovery planning: Develop a detailed prevention and recovery plan so the
organization can quickly respond to and recover from cyber attacks and security incidents.

Compliance with cybersecurity regulations and standards: Ensure that the organization complies with
international cybersecurity regulations and standards such as GDPR, PCI DSS, or ISO/IEC 27001 to protect
data and comply with regulatory requirements. Legal requirements.

P2 Describe at least 3 organizational security procedures.

1. Definition

A security procedure is a set sequence of necessary activities that performs a specific security task or
function. Procedures are normally designed as a series of steps to be followed as a consistent and
repetitive approach or cycle to accomplish an end result. Once implemented, security procedures
provide a set of established actions for conducting the security affairs of the organization, which will
facilitate training, process auditing, and process improvement. - The purpose of security procedures is to
ensure consistency in the implementation of a security control or execution of a security relevant
business process. They are to be followed each time the control needs to be implemented or the security
relevant business process followed. In addition, security procedures also guide the individual executing
the procedure to an expected outcome.

2. Organizational security procedures

a. Password Management

This procedure outlines the creation, usage, and storage of strong passwords for accessing organizational
systems and accounts.

It typically includes:
  Minimum password complexity requirements: Enforcing a minimum length, character variety
(uppercase, lowercase, numbers, symbols), and password history to prevent reuse of recent
passwords.
 Regular password changes: Requiring users to update their passwords periodically to reduce the
risk of unauthorized access if a password is compromised.
 Prohibition of password sharing: Emphasizing the importance of individual accountability for login
credentials and the dangers of sharing them with others.
 Use of password managers: Encouraging the use of secure password management tools to store
and manage complex passwords effectively.

Figure 9 : Password Management

b. Access Control

This procedure defines who has access to specific systems, data, and resources within the organization.

It involves:

 User authentication: Implementing mechanisms like multi-factor authentication (MFA) to verify a

user's identity beyond just usernames and passwords.
 Least privilege principle: Granting users only the minimum level of access necessary to perform
their assigned tasks, reducing the potential damage if their credentials are compromised.
  Regular review of access privileges: Periodically reviewing user access to ensure it remains
appropriate and aligned with their current roles and responsibilities.

Figure 10 : Access Control

c. Incident Response

This procedure outlines the steps to take when a security incident, such as a data breach or cyberattack,
occurs.

It includes :

 Detection and reporting of incidents: Establishing clear channels for employees to report
suspicious activity or potential security breaches.
 Investigation and containment: Defining a process to investigate the incident, determine its scope
and impact, and contain the threat to prevent further damage.
 Eradication and recovery: Taking steps to remove the threat from the system and restore
affected systems and data to a functional state.
 Communication and learning: Communicating the incident to relevant stakeholders and learning
from the experience to improve future security posture.
 Figure 11 : Incident Response

P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS.

1. Discuss briefly firewall and policies, its usage and advantages in a network.

a. Definition

Firewall is also known in English as Firewall, this is a familiar specialized term in computer network
technology. It is a hardware or software tool, or possibly both, integrated into the system to prevent
unauthorized access, prevent virus intrusion... ensuring that internal information sources are always
protected. full. In the shortest and easiest way to understand, a Firewall is the security boundary
between the inside and outside of a computer network system. The birth of a Firewall plays an essential
role for any computer with a system. connected to the internet, as it will help manage what is allowed
on the network and what is allowed out of the network. Having such a “gatekeeper” to monitor how
everything happens is extremely important.
 Figure 12 : Definition Firewall

b. There are several types of Firewalls

Personal firewall

 This type is designed to protect the computer against unauthorized access from the outside.
Personal Firewall also integrates useful features such as monitoring anti-virus software and anti-
intrusion software to keep data safe.
 Some popular Personal Firewalls include: Microsoft Internet connection firewall, Symantec
personal firewall, Cisco Security Agent...
 This type of firewall will be more suitable for individuals because they usually only need to
protect their computers. Firewalls are often built into laptops, PCs, etc.

Network Firewalls

 Designed to protect network hosts against outside attacks. We have Appliance-Based network
Firewalls such as Cisco PIX, Nokia firewalls, Symantec's Enterprise Firewall, Juniper NetScreen
firewall, Cisco ASA. Or some examples of Software-Base firewalls include Check Point's Firewall,
Linux-based IPTables, Microsoft ISA Server .

 The difference between these two types of firewalls is the number of hosts that the firewall is
responsible for protecting. Please keep in mind that Personal firewall can only protect a single
 computer. As for Network firewall, it is different, it can protect an entire computer network
system.

c.How does a firewall work?

Basically, a Firewall is a shield between your computer and the Internet, like a security guard that helps
you escape from enemies who want to attack you. When a Firewall is active, it can deny or allow
network traffic between devices based on the rules that have been configured or installed by a firewall
administrator.

There are many personal firewalls like Windows firewall that operate on a set of pre-installed settings.
Thus, users do not need to worry about how to configure the firewall. But in a large network, configuring
a firewall is extremely important to avoid possible threats in the network.

d.Benefits of firewalls

- Enhanced Security:

 Blocks unauthorized access: Firewalls act as a barrier, preventing unauthorized users, devices, or
malware from infiltrating your network and potentially causing harm.
 Shields against cyberattacks: By filtering and blocking malicious traffic, firewalls significantly
reduce the risk of cyberattacks like phishing attempts, malware intrusions, and data breaches.
 Protects from data breaches: By controlling data flow, firewalls help prevent sensitive
information from being leaked or accessed by unauthorized individuals.

- Improved Network Control:

 Limits internet usage: Firewalls can be configured to restrict access to specific websites or
applications, promoting responsible internet usage and potentially enhancing productivity.
 Enforces access control: By defining access rules, firewalls dictate which devices and users can
access specific resources within the network, preventing unauthorized modification or misuse.
 Manages bandwidth allocation: Firewalls can help optimize network performance by regulating
bandwidth usage, ensuring critical applications have sufficient resources to function smoothly.

- Increased Visibility and Monitoring:

 Tracks network activity: Firewalls log network traffic, providing valuable insights into data flow
patterns and potential security concerns.
 Detects suspicious activity: By analyzing traffic logs, firewalls can help identify anomalies and
suspicious activity, enabling timely intervention to mitigate potential threats.
  Simplifies security management: Firewalls offer centralized management tools, allowing
administrators to configure, monitor, and maintain security policies efficiently

e. Firewall Policy, Firewall Usage

Firewall Policy

 Packet filtering: Determines packets allowed in and out of the network based on IP address, port,
protocol and other criteria.
 NAT Rules: Translates internal IP addresses into public IP addresses for Internet access.
 Network segmentation: Divide the network into separate areas with different levels of security.

Firewall Usage

 Configure rules: Define rules that allow or block traffic based on specific network needs.
 Regular updates: Update software and virus signature database to protect against new threats.
 Activity monitoring: Monitor firewall logs to detect suspicious activities and unauthorized access.

2. How does a firewall provides a security to a network

Filtering :

Firewalls analyze each data packet, similar to checking an ID, based on pre-defined rules and criteria.
These criteria can include:

 Source and destination IP addresses: Identifying who sent the data and where it's intended to go.
 Port numbers: Recognizing the specific type of communication (e.g., web browsing, email).
 Protocols: Determining the communication language used (e.g., HTTP, HTTPS).

Based on these criteria, the firewall decides whether to:

 Allow: If the data adheres to the security rules, the firewall permits it to pass through, ensuring
smooth communication for legitimate activities.
 Block: If the data appears suspicious or violates the rules (e.g., originating from a known
malicious source or attempting unauthorized access), the firewall blocks it, preventing potential
harm to the network.

Access Control:

Firewalls can implement access control mechanisms by defining who can access specific resources within
the network. This helps:
  Restrict unauthorized access: Only authorized users and devices with proper credentials can
access designated resources, preventing unauthorized individuals from infiltrating the network.
 Segment the network: Firewalls can be used to create separate network segments, isolating
sensitive areas like financial data or internal servers from other parts of the network, minimizing
the potential damage if a breach occurs in one segment.

Additional Security Features:

Modern firewalls often incorporate additional features to further enhance network security:

 Deep packet inspection: Goes beyond basic packet analysis, examining the actual content of the
data packets to identify hidden threats like malware or malicious code.
 Application control: Allows granular control over specific applications and their network access,
providing more comprehensive protection against vulnerabilities specific to certain applications.
 Intrusion prevention systems (IPS): These work in conjunction with firewalls to actively identify
and block malicious activities like denial-of-service attacks or unauthorized attempts to access
network resources.

3. Show with diagrams the example of how firewall works

Figure 13 : diagrams the example of how firewall works

Diagrammatic explanation of how a firewall works

- Intranet

The area protected by the firewall, including devices such as computers, printers, servers, phones, etc.

The hard drive icon represents sensitive data and information stored on the internal network.

- External network

Represents the internet or any other network outside the internal network.

The globe symbol symbolizes the vast and diverse connections of the internet.

- Firewall

The security system acts as a "gatekeeper", controlling traffic between the internal network and the
external network.

The "wall" icon represents the ability to protect and prevent unauthorized access.

- Packet

Units of data transmitted over a network, represented by moving arrows.

Packets may include access requests, data sent, or responses received.

- Firewall rules

A set of rules is defined on the firewall to determine the action for each packet.

The "document" icon represents a set of rules configured according to security requirements.

- Submit request

A device on a local network (for example, a computer) sends an access request to a service or website on
the internet.

The request is packaged into packets and sent to the firewall.

- Check and compare

The firewall examines each packet based on defined rules.

Rules include information such as source/destination IP addresses, ports, protocols, etc.

- Allow or block
If the packet matches the allowed rules, it is allowed to pass through the firewall and reach the internet.

If the packet does not conform to any of the rules, or violates a security rule, it is blocked and not
allowed to pass through.

- Logging

Firewalls record information about packets processed, including time, IP address, action taken
(allow/block), etc.

Logs help monitor network activity and assist in identifying and resolving security issues.

4. Define IDS, its usage, show with diagrams examples

a.Define IDS

An intrusion detection system (IDS) acts as a vigilant guardian within your network, constantly
monitoring for suspicious activity and potential security breaches. Imagine a security guard patrolling a
building, meticulously observing any unusual behavior or unauthorized access attempts. Similarly, an IDS
will carefully analyze network traffic, looking for anomalies that could indicate a cyberattack or system
compromise.

Figure 14 : Define IDS

b. Here's how IDS works

- Data collection : IDS actively collects information from a variety of sources within the network, such as

 Network traffic (data packets transmitted over the network)

 System log (record of device activity)
 Security events (alerts from other security applications)

- Analyze and detect

The collected data is then analyzed based on a predefined set of signatures and rules. These signatures
are like fingerprints of known malicious activities and rules that define acceptable behavior within the
network.

Any activity that deviates from these established patterns or matches known attack signatures will raise
a red flag for the IDS.

- Warning and response

If the IDS detects suspicious activity, it will trigger an alert, notifying security personnel of the potential
threat.

Alerts often include details about detected anomalies, such as:

 Time and origin of suspicious activity

 Type of activity detected
 Potential impact of the threat

Based on the information provided by IDS, security professionals can investigate further and take
appropriate action to mitigate the threat and prevent potential damage.

c. Benefits of using IDS

Detect threats early: Helps identify potential security breaches before they cause significant damage.

Improve security: Contribute to a stronger security environment by proactively monitoring for threats.

Provide valuable security insights: Helps security teams understand attack vectors and improve their
overall security strategy.

d. Example diagram
 Figure 15 : Example diagram

Diagram depicting how an intrusion detection system (IDS) works to protect an internal network from
unauthorized access and internet threats. Below is a detailed explanation of each part of the diagram:

Intranet:

The area protected by IDS, includes devices such as computers, printers, servers, phones, etc.

The hard drive icon represents sensitive data and information stored on the internal network.

External network

Represents the internet or any other network outside the internal network.

The globe symbol symbolizes the vast and diverse connections of the internet.

Intrusion detection system (IDS)

The security system acts as a "gatekeeper", monitoring traffic between the internal network and the
external network.

The "eye" symbol represents the ability to observe and detect unusual activities.

Packet

Units of data transmitted over a network, represented by moving arrows.

Packets may include access requests, data sent, or responses received.

Signature databas
Stores information about known types of attacks and malicious activities.

The "document" icon represents the set of samples used to compare the packets.

How it works:

Send require

A device on a local network (for example, a computer) sends an access request to a service or website on
the internet.

The request is packaged into packets and sent to the IDS.

Compare with signature:

The IDS compares each packet with the signatures in the database.

If the packet matches a signature, the IDS considers it suspicious activity and takes the next steps.

Behavior analysis:

IDS can use advanced analytics techniques to evaluate the behavior of devices in the network.

For example, an IDS can track the number of access requests from a certain device or the type of data
transmitted.

Alarm and response:

If the IDS detects suspicious activity, it triggers an alarm and notifies the network administrator.

Network administrators can review alarms and take appropriate actions, such as:

 Lock user accounts

 Disconnect the device from the network
 Launch the incident response process

5. Write down the potential impact(Threat-Risk) of FIREWALL and IDS incorrect configuration to the
network.

a. Write down the potential impact(Threat-Risk) of FIREWALL

Increased network vulnerabilities:

Unwanted access: Incorrect firewall rules can allow unauthorized access to sensitive resources within the
network, putting them at risk of theft, manipulation, or destruction.

Exposure to malware: Improper configuration can leave vulnerabilities unblocked, allowing malware
such as viruses, worms, or ransomware to enter the network and cause disruption widespread.

Data breaches: Accidentally allowing access to sensitive data through misconfigured rules can lead to
data breaches, compromise of confidential information, and potentially cause financial loss. financial or
reputational damage.

Reduced network performance:

Overly restrictive rules: Overly restrictive firewall rules can block legitimate traffic, hindering normal
network operations and user productivity. This can lead to frustration and inefficiency for authorized
users.

Resource depletion: Complex or poorly optimized firewall configurations can consume too many system
resources, impacting overall network performance and potentially causing delays or disruptions.

Operational challenges:

Management complexity: Difficulty managing and maintaining complex firewall configurations can lead
to human error and inconsistency, further increasing security risks.

Limited visibility: Inadequate logging or monitoring can make it difficult to detect and investigate
suspicious activities, potentially delaying response to security incidents.

b. and IDS incorrect configuration to the network.

Missed threats

Inadequate signature updates: Failure to regularly update the IDS signature database can leave the
system vulnerable to new and emerging threats, causing them to evade detection.

False negatives: Incorrect configuration or incomplete tuning can cause an IDS to miss real threats,
leaving the network exposed and vulnerable to attack.

False positive results

Settings that are too sensitive: An IDS that is too sensitive can produce many false positives, causing
security personnel to send alerts about non-threatening events. This can lead to alert fatigue and
potentially hinder the timely identification of real threats.

**wasted resources:** Investigating and responding to many false positives can consume valuable time
and resources, leaving them unable to address real security concerns.
Obstacles in operations

Over-monitoring: Monitoring too much data or using overly complex detection techniques can overload
the IDS, impacting IDS performance and potentially leading to missed alerts.

Limited integration: Poor integration with other security tools can hinder the sharing of important
information, making it difficult to gain a comprehensive view of the network's security posture.

P4.Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can
improve Network Security

1.Define and discuss with the aid of a diagram DMZ focus on usage and security function as advantage

a.Definition of DMZ

What is DMZ? To explain this concept, in the field of information technology, DMZ is a neutral network
area between the internal network and the Internet. The role of DMZ is to enhance system security and
minimize risks from cyber attacks.

In a network system, DMZ is often used to place servers such as web servers, mail servers or other
applications that can be accessed from the Internet. These servers are placed in the DMZ to ensure that
external attacks can only impact the DMZ and cannot reach internal servers within the internal network.

Figure 16 : Definition of DMZ

b. The importance of DMZ

Deploy online services: DMZ allows deploying online services such as websites, email, FTP, etc. without
affecting the internal network. These services are located in the DMZ and only allow access from outside
via the Internet, minimizing risks to the internal network system.

Network protection: DMZ helps protect the network from outside attacks. A DMZ firewall helps control
network traffic accessing services and applications located in the DMZ, allowing only accepted
connections and blocking malicious connections.

Providing services to partners and customers: DMZ provides a secure environment to provide services to
partners and customers remotely. Services are located in a DMZ and controlled by a firewall to ensure
that only legitimate connections are allowed access.

Access management: DMZ allows access to services and applications to be managed from the outside.
Administrators can configure the DMZ firewall to control access to services and applications, allow only
specific connections, and block malicious connections.

c. Structure of DMZ

DMZ Server: Is a server located in the DMZ and contains services or applications that can be accessed
from the Internet such as Web Server, Mail Server, DNS Server, and many other services. However, these
servers are only allowed to access the internal network in case of necessity.

DMZ firewall: A firewall placed on the DMZ, with the function of filtering packets entering and exiting the
DMZ to ensure that only valid and authorized packets are transmitted. The firewall in the DMZ network is
configured to only allow specified connections to be established between hosts in the DMZ and hosts on
the internal network.

Security server: A server located on the internal network, with the role of monitoring and managing
activities on the DMZ. Security servers are often installed with security event management (SIEM)
software and log analysis systems to monitor activities on the DMZ and detect potential threats.
Additionally, the security server can be configured to send alerts to administrators as soon as it detects
attacks that have passed through the DMZ's firewall.
 Figure 17 : Structure of DMZ

DMZ has two common architectural styles today:

Single firewall: DMZ with single firewall design requires three or more network interfaces. The first is the
external network, which connects the public internet connection to the firewall. The second network
forms the internal network, while the third network is connected to the DMZ. Various rules monitor and
control traffic allowed to access the DMZ and restrict connections to the internal network.

Dual Firewalls: Deploying two firewalls with a DMZ between them is often a more secure option. The first
firewall only allows external traffic to the DMZ, and the second firewall only allows traffic to go from the
DMZ into the internal network. An attacker would have to compromise both firewalls to gain access to
the organization's LAN.

d. How does a DMZ work

The DMZ acts as a buffer zone between the public internet and the private network. The DMZ subnet is
deployed between two firewalls. All incoming network packets are then screened by a firewall or other
security device before they reach the servers stored in the DMZ.

If hacker attacks get past the firewall first, they must gain unauthorized access to services within the
DMZ before they can cause any damage to the internal network. Finally, in case the services in the DMZ
are successfully penetrated, hackers still have to overcome the final firewall of the internal network
before being able to access sensitive business resources or data.

Attackers can attack the most secure DMZ architecture. However, once an attack takes place, an alarm
will be activated and security experts will be notified to promptly prevent the attacks.
To explain simply, the way a DMZ works is to use Mail, Web servers and Firewalls to isolate services and
applications accessed from the Internet and keep the internal network secure. It helps prevent cyber
attacks and minimize risks to the network system.

e. Advantages and disadvantages of DMZ

Advantages Disadvantages
Enhanced security: DMZ creates an additional Complexity: Setting up and managing a DMZ can
layer of security for internal networks by isolating be complex and requires network and security
publicly accessible services from critical systems. expertise.
Access Control: DMZ allows granular control of
access to services, helping to protect against Cost: Deploying and maintaining a DMZ can be
unauthorized access. expensive due to requiring additional hardware,
software, and expertise.
Flexibility: DMZ allows organizations to deploy
new services without compromising the security Risk of attack: DMZ can become an attractive
of the internal network. target for cyber attacks.

Scalability: DMZ can be easily expanded to meet Performance issues: DMZs can impact network
the needs of the organization. performance because traffic must pass through
multiple layers of security.
Table 1 : Advantages and disadvantages of DMZ

2. Define and discuss with the aid of a diagram static IP focus on usage and security function as
advantage

a. Definition IP

Static IP (also known as static IP), this is a fixed IP address reserved for a person or group of users whose
devices connected to the Internet are always assigned an IP address. Usually a static IP is given to a
server with a specific purpose such as a web server, mail server, etc. so that many people can access it
without interrupting those processes.

Figure 18 : Definition IP
b. The importance of static IP

Remote access and server storage:

 Reliable connection: Static IP enables consistent remote access to devices such as servers,
security cameras or home automation systems. You can connect from anywhere to the internet
without having to re-establish the connection every time the IP changes.
 Server Management: Static IP is important for hosting web server, email server or any server
application. They allow users to easily find your server using a Domain Name System (DNS)
service that associates domain names with static IP addresses.

Business applications:

 VPN Connectivity: Static IP simplifies setting up and managing a Virtual Private Network (VPN) for
secure remote access to the corporate network. Employees can always connect to the same IP
address for a seamless experience.
 Business Continuity: Static IP ensures consistent communication with business partners or
suppliers that rely on specific IP addresses for data exchange or collaboration tools.

Advanced network and security:

 Port forwarding: Static IP is needed to configure port forwarding, which allows external devices to
access specific services running on your network (e.g. gaming servers, security cameras) .
 Firewall Rules: Static IP simplifies creating firewall rules to control incoming and outgoing traffic
for specific devices on your network.

In short, static IP provides:

 Reliability: Consistent IP addresses ensure consistent connections for remote access and server
management.
 Control: You have more control over how your device interacts with the internet.
 Security: Static IP can increase security by simplifying firewall configuration and allowing secure
remote access.

c. Advantages and disadvantages of static IP

Advantages Disadvantages
A static IP address will make connections faster The first disadvantage that static IP has is that you
because users do not need to re-assign a new IP. have to configure the devices manually. Servers
To put it more simply, a static IP is similar to an and remote access require you to set up the
email or home address, it will not change, making correct IP and router to communicate with that
communication and use convenient. address. Meanwhile, for dynamic IP, just plug in
 Static IP is very suitable for environments that use the router and it will issue a dynamic IP via DHCP.
many computers, business fax machines or cafe
systems. It will minimize the risks of data loss. The second disadvantage is that the security of a
Static IP will help computers work together more static IP will not be equal to that of a dynamic IP.
stably. For example, if the company has set up a Since it never changes, hackers have time to find
static IP, the machines in the company will vulnerabilities more easily. Dynamic IPs that
connect to that IP to be able to fax and print constantly change will make it difficult for
easily. For dynamic IP, when the server starts, the hackers.
IP will change. This causes connections to become
interrupted and you have to reset the IP for each
device, which is very time-consuming.
Not only that, static IP also helps companies use
cameras and fax machines to monitor from
outside.
Table 2 : Advantages and disadvantages of static IP

3.Define and discuss with the aid of a diagram NAT focus on usage and security function as advantage

a. Definition of NAT

NAT (Network Address Translation) est une technique qui permet la conversion d'une adresse IP vers
une autre adresse IP. Normalement, NAT est couramment utilisé dans les réseaux utilisant des adresses
locales, nécessitant un accès au réseau public (Internet). L'emplacement où NAT est implémenté est le
routeur frontalier reliant les deux réseaux.

Figure 19 : Definition of NAT

b. Classement NAT

Static NAT - Static NAT

Static NAT, also known as Static NAT, is a one-to-one NAT method. This means that a fixed IP address in
the LAN will be mapped to a fixed Public IP address before the packet goes out to the Internet. This
method is not intended to save IP addresses but only to map an IP in the LAN to a Public IP to hide the
source IP before going out to the Internet, reducing the risk of online attacks.

This technique is often used to convert from one IP address to another on a permanent basis, and usually
from a private address to a public address. This entire process is set up manually, IP addresses are
statically mapped to each other through configuration commands.

Dynamic NAT - Dynamic NAT

NAT is performed automatically. On the Router, the administrator configures a list of internal addresses
that need to go out to the Internet and a list of external addresses that represent internal addresses.
Next, the administrator configures the Router NAT request from the internal list to the external list. The
Router's NAT table will not have any pre-created NAT information lines, but NAT information lines will
only be created when a packet arrives at the Router to the Internet.

Dynamic NAT is more complicated than Static, they must store connection information and even find TCP
information in the packet. Due to its higher level of complexity, Dynamic NAT is only used instead of
Static NAT for security purposes. Outsiders cannot find out the IP connected to the specified host
because at the next moment this host may receive a completely different IP.

NAT Overload - PAT

NAT Overload - PAT is the most used solution, especially in ADSL Modems, this is a solution that brings
both advantages of NAT: hiding the IP address in the internal network system before the packet goes
out. Integra aims to minimize the risk of cyber attacks and save IP address space. PAT essentially
combines the Public IP and port number before going out to the Internet. At this time, each IP in the LAN
when going out to the Internet will be mapped to a Public IP combined with the port number.

c. What is the mission of NAT?

Generally, the border router is configured for NAT i.e the router which has one interface in the local
(inside) network and one interface in the global (outside) network. When a packet traverses outside the
local (inside) network, then NAT converts that local (private) IP address to a global (public) IP address.

When a packet enters the local network, the global (public) IP address is converted to a local (private) IP
address. If NAT runs out of addresses, i.e., no address is left in the pool configured then the packets will
be dropped and an Internet Control Message Protocol (ICMP) host unreachable packet to the destination
is sent. sent.

d.Advantages and disadvantages of NAT

Advantages Disadvantages
Save IP addresses: NAT helps save IP addresses, Reduced performance: NAT can reduce network
especially IPv4 addresses that are gradually performance because IP address translation
running out. By using one public IP address for requires additional processing time.
multiple devices, NAT helps minimize the need for
IP addresses. Difficulty in remote access: NAT can make it
difficult to access devices on the LAN remotely,
Security: NAT helps secure LAN networks by especially when using applications that require a
hiding the real IP addresses of devices inside the direct connection.
network from the internet. This helps minimize
the risk of cyber attacks. Compatibility: NAT may not be compatible with
some applications and services.
Easy Management: NAT simplifies LAN
management by configuring only one public IP
address for the entire network.
Table 3 : Advantages and disadvantages of NAT

M1.Propose a method to assess and treat IT security risks.

1. Discuss methods required to assess it security threat? E.g. Monitoring tools

a.Below are the detailed steps to perform a cybersecurity threat assessment

Identify assets:

 Identify all of the organization's information assets, including:

 Data: confidential data, sensitive data, financial data, customer data, etc.
 System: servers, computers, network devices, mobile devices, etc.
 Applications: web applications, mobile applications, internal applications, etc.
 Network infrastructure: LAN, WAN, VPN, etc.

Vulnerability analysis:

Use automated vulnerability scanning tools or manual assessments to identify security vulnerabilities in
assets.

Some common types of vulnerabilities include:

  Software vulnerabilities: errors in software that can be exploited by attackers.
 Configuration Vulnerabilities: Misconfigured configurations can create security vulnerabilities.
 Human vulnerability: human error can lead to data leaks or cyber attacks.

Assess the threat level:

 Identify potential threats that could affect assets.

 Some common types of threats include:
 Cyber attacks: phishing attacks, malware attacks, DDoS attacks, etc.
 Internal discrimination: employees intentionally or unintentionally cause harm to the
organization.
 Natural disasters and disasters: fires, floods, earthquakes, etc.

Impact analysis:

 Assess the impact of threats on assets.

 The following factors should be considered:
 Incident severity: the extent of the incident's impact on the organization's business operations.
 Likelihood of an incident: the possibility of an incident occurring in the future.

Plan to minimize risks:

 Based on the assessment results, create a risk mitigation plan including prevention, detection and
response measures.
 Some common preventative measures include:
 Install security software: antivirus, firewall, intrusion detection system, etc.
 Cyber security awareness training for employees.
 Identify and implement access controls.

b. E.g. Monitoring tools

Intrusion detection system (IDS)

IDS monitors networks and systems to detect suspicious activity that could be a sign of a cyberattack. IDS
can be classified into two main types:

 Network-based IDS: Monitor network traffic to detect malicious activities.

 Host-based IDS: Monitors activities on servers and computers to detect signs of attack.

Intrusion prevention system (IPS)

IPS works similarly to IDS, but has the ability to prevent malicious activities before they happen. IPS can
be classified into two main types:

 Network-based IPS: Prevents malicious network traffic.

 Host-based IPS: Prevents malicious activities on servers and computers.

Security information and event management system (SIEM)

SIEM collects and analyzes security logs from a variety of sources to give organizations a comprehensive
view of their security posture. SIEM can help organizations:

 Detect threats earlier.

 Investigate security incidents more effectively.
 Comply with security regulations.

Security Orchestration, Automation and Response (SOAR) system

SOAR automates incident response processes to help organizations respond more quickly and effectively
to cybersecurity threats. SOAR can help organizations:

 Reduce the time needed to respond to security incidents.

 Minimize the impact of security incidents.
 Improve defense against cyber security threats.

c. The problem of monitoring tools

ABC Company is a large company with more than 1000 employees and uses many different networks and
applications. Company management is concerned about the risk of cyber attacks and wants to
strengthen the company's security capabilities.

Request:

 Choose the right monitoring tools to protect your company's network and applications.
 Deploy and configure selected monitoring tools.
 Train employees on how to use monitoring tools.
 Monitor and analyze alerts generated by monitoring tools.

Select monitoring tool:

 IDS/IPS: Monitors networks and systems to detect malicious activities.

 SIEM: Collect and analyze security logs from various sources.
 SOAR: Automate incident response processes.
Deployment and configuration:

 Install and configure monitoring tools according to vendor instructions.

 Identify appropriate rules and alerts.
 Integrate monitoring tools with other company security systems.

Monitor and analyze:

 Monitor and analyze alerts generated by monitoring tools.

 Investigate security incidents and implement remedial measures.
 Update rules and alerts based on new threats.

2. What are the current weakness or threat of the organization ?

Based on the scenario of ABC Company, here are some current weaknesses or threats to their
organization:
Weaknesses:
 Lack of security measures: The scenario mentioned their concerns about potential cyber-attacks,
implying a lack of existing security measures. This can include missing firewalls, outdated
software, or insecure configurations.
 Large attack surface: With over 1000 employees and a diverse network, ABC Company provides a
large attack surface for hackers to exploit. More devices and systems increase the number of
potential entry points.
 Limited security awareness: The need for employee training reveals potential weaknesses in
employee security awareness. Unaware employees can fall for scams or click on malicious links,
unintentionally compromising company security.
Threats:
 Cyberattacks: The most prominent threat is cyberattacks, including malware, ransomware, data
breaches, and denial of service attacks. These can disrupt operations, steal sensitive data, or
cause financial loss.
 Advanced persistent threats (APT): These targeted attacks by skilled attackers pose a significant
threat. APTs can infiltrate networks, remain undetected for long periods of time, and steal
valuable data.
 Social engineering: Social engineering tactics such as phishing emails or phone phishing can trick
employees into revealing sensitive information or granting access to systems.
 Insider threats: Disgruntled employees or those with high access privileges can pose a threat by
intentionally stealing data, sabotaging systems, or selling confidential information.

3. What tools will you propose to treat the IT security risk?

a. Detection and prevention
Security information and event management (SIEM): Tools like Splunk, Elastic SIEM, or Sumo Logic can
centrally collect and analyze security logs from firewalls, IDS/IPS, endpoints, and other sources. This
enables comprehensive threat detection and investigation.

Intrusion detection/prevention system (IDS/IPS): Snort or Suricata are open source options for network-
based IDS/IPS, while Cisco Security and McAfee offer commercial solutions. These tools monitor network
traffic for suspicious activity and can detect or block potential attacks.

b.Endpoint protection:

Anti-virus and anti-malware: Crowdstrike Falcon or SentinelOne are some Endpoint Detection and
Response (EDR) solutions that go beyond traditional antivirus software by providing real-time threat
monitoring and hunting capabilities.

c. Vulnerability management:

Nessus or OpenVAS: These open source vulnerability scanners can identify security weaknesses in
operating systems, applications, and network devices.

Quality or rentability:These commercial vulnerability management platforms offer more features,

including automated patching and remediation.

d.Security Orchestration, Automation and Response (SOAR):

apid7 InsightConnect or Palo Alto Networks Cortex XSOAR : These SOAR platforms automate repetitive
security tasks such as incident response processes, streamlining processes and minimizing human error.

M2.Discuss three benefits to implement network monitoring systems with supporting reasons
III.Conclusion
IV.Evaluation
V.References

1.nibusinessinfo.co.uk. (2017). What is IT risk? [online] Available at:

https://www.nibusinessinfo.co.uk/content/what-it-risk.

2. Cyberark (2023). Malware Attacks. [online] CyberArk. Available at:

https://www.cyberark.com/what-is/malware/.

2. Consultant, I.G. (2024). ‘Mother of All Breaches’: 26 BILLION Records Leaked. [online] IT Governance
UK Blog. Available at:
https://www.itgovernance.co.uk/blog/mother-of-all-breaches-26-billion-records-leaked.

3. Staff, S. (2024). Aadhaar details, phone numbers of nearly 75 crore Indians put up for sale, claims
cybersecurity firm. [online] Scroll.in. Available at:
https://scroll.in/latest/1062708/aadhaar-details-phone-numbers-of-nearly-75-crore-indians-put-up-for-
sale-says-cybersecurity-firm.