ITNET202A Enterprise Security Assignment 2
Due Date: 12/Nov/2018 23:59 Value: 20% Format:
Professional Report, approximately 10-12 pages long, including cover page, executive summary and table of contents.
Upon receiving your briefing in Assignment 1, the authority would like to know more about what happened around the incident focusing on Software/Application, Physical Security, and Operational Control. The authority would also like to know what HA/DR options would prevent/mitigate Stuxnet, or any future hostile actions that might jeopardise the programme.
The programme chief is also worried about the possibility of an Air Strikes by hostile parties. As a result, the Russian and the Chinese proposed their versions of their Anti-Air system, the S-300 and the HQ18 respectively. (assume S-300 and HQ18 have the same effectiveness)
The authority is impressed by your performance in your first assignment. Not only that you have passed probation, but is now the Lead Enterprise Architecture responsible for the security of Iranian nuclear research programme.
1. Explain, in your own words, based on what we have learned thus far in the course, what Stuxnet does. (Focus on Application/Software, Operation/Incident Management and Physical Security). Explain why regular antivirus solution failed, and how the virus jumped the “Air-Gap”.
2. While your boss is happy with your effort on the overall Qualitative Risk analysis you presented in Assignment 1, you are now asked to focused on Physical Security (one aspect only) using Quantitative Risk Analysis technique. Use the following table:
Total Cost of the Nuclear Programme (Asset Value) 1000 Million, $
In case of a successful Air Strike, expected loss: 500 Million, $
Successful air strike happens once in 20 Years
By installing S300 Missiles, the Exposure factor is reduced by a factor of 10
By installing S300 Missiles, the occurrence of successful air strike would reduce by 50%
The S300 yearly cost is (ACS, Annual Cost of Safeguard) 15 Million, $
The Chinese HQ18 yearly cost is (ACS, Annual Cost of Safeguard) 7.5 Million, $
1. What is the Exposure Factor (EF, in %)
2. What is the Single Loss Expectancy (SLE, in $)
3. What is the Annualised Rate of Occurrence (ARO)
4. What is the Annualised Loss Expectancy (ALE)
5. What is the Exposure Factor with S300 in place? (EF_S300)
6. What is the Single Loss Expectancy with S300 in place? (SLE_S300)
7. What is the Annualised Rate of Occurrence with S300 in place? (ARO_S300) 8. What is the Annualised Loss Expectancy with S300 in place? (ALE_S300)
9. What is the Value of the Russian Safeguard (S300)?
10. What is the Value of the Chinese Safeguard (HQ18)?
11. Should the programme implement the S300 or HQ18? Why?
3. Upon listening to the presentation by Machines for Business, International (MBI) and Mensies Corporation, as well as your analysis, the authority decided that they will implement TOGAF, since the C4ISTAR is primarily a NATO standard, and that TOGAF is more open. (Later on, a more security focused SABSA will also be implemented, for now, they need an overall Enterprise Architecture first)
Which one of the following best describes the TOGAF standard?
o A. A framework and method for architecture development o B. An architecture pattern o C. A business model
o D. A method for developing Technology Architectures o E. A method for IT Governance
What does ADM stand for in TOGAF.
What are the basic structure of the ADM cycle?
TOGAF which is primarily focused on commercial implementation. With a bank, for example, the requirements could look something like:
1. Compliance with federal and state legislation,
2. Public confidence in your enterprise by providing confidentiality, availability and integrity of customer data,
3. Privacy of customer data,
4. Interoperation with other financial institutions, both nationally and internationally,
5. Compliance with international standards,
6. Security of all bank assets,
7. Current trends in customer engagement via the internet
What are the likely requirements in OUR scenario?
4. In the movie “Contact”, S.R. Hadden said, “First rule in government spending: why build one when you can have two at twice the price? Only, this one can be kept secret. Controlled by Americans, built by the Japanese subcontractors.”
Would this “have two, for twice the price” option be a valid HA/DR option in a case? Under what circumstances is this valid? Under what circumstances is it not valid? If implemented, is this a Cold Site, Warm Site, Hot Site, Mobile Site or is this irrelevant? Comment and justify.
This is an individual assessment; you are to demonstrate to your boss that:
1. This assignment is shorter than it looks
2. Use Excel to Help you with the qualitative assessment, show your working in a comment cell. You won’t be penalised for one wrong answer.
3. Show that you understand the importance of customising a framework to suit your needs.
4. Q4 is relatively “free”, demonstrate your thinking. This could also help: http://www.reuters.com/article/ususa-northkorea-stuxnet-idUSKBN0OE2DM20150529 (Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources)