ITNET202A Enterprise Security Assignment 1
Due Date: 15/Oct/2018
Value: 20%
Format: Professional Report, approximately 10-12 pages long, including cover page, executive summary and table of contents.
Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon.
Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material.
Security communities claimed the worm was developed during the Bush administration to sabotage Iran’s nuclear program with what would seem like a long series of unfortunate accidents.
Machines for Business, International (MBI) and Mensies Corporation each offered 5 Enterprise Architects/Enterprise Security Architects to implement a formal Enterprise Architecture/Enterprise Security Architecture for the nuclear research programme.
You are the newly appointed security specialist responsible for the security of the Iranian nuclear research programme. Using your own words:
1. Explain, in your own words, based on what we have learned thus far in the course, what Stuxnet does. (Focus on Access Control, Identity, Crypto and Network security)
2. During the course, we have looked at Quantitative Risk Analysis. We have NOT covered Qualitative Risk Analysis. Imagine you are responsible for the security of the Iranian nuclear research programme. Research Qualitative Risk Analysis and apply it to the Iranian nuclear research assets.
3. Would adopting a formal Enterprise Architecture (EA) or Enterprise Security Architecture (ESA) framework such as SABSA, TOGAF, or C4ISTAR help the Iranians prevent attacks such as Stuxnet? Why or why not? If it would help, which framework is suitable?
4. The regulations that apply to civilians rarely apply in the international arena. The applicable laws would be UN Charter Article 2(4) and UN Charter Article 51. The Tallinn Manual may also provide guidance. But what are they? How do they apply to Iran and Stuxnet? What options do the Iranians have to retaliate, and what did they do instead?
This is an individual assessment; you are to demonstrate to your boss that:
1. You understand what happened
2. You understand what Qualitative Risk Analysis is and the risks of the programme
3. You understand what an Enterprise Architect/Enterprise Security Architect does. Establish your own view of whether formal EA/ESA would be useful in the case.
4. You have the capacity to conduct your own research into a problem related to, but not covered in, the course.