Security Ghostwriting: COMS3000 Auric Enterprises Threat and Vulnerability Analysis


Ghostwritten Security assignment: perform a risk analysis of an enterprise, including Vulnerability Analysis.

Requirement

You have been engaged by Auric Enterprises to perform a desktop Threat and
Vulnerability Analysis. Auric Enterprises has a large mining and metallurgical
operation in central Australia. The whole operation occupies a single site of
approximately 6 km x 26 km, including mining pits, processing plant, train
load-out, workshops, operations control centre, engineering and administration
buildings.
The operations control centre, engineering and administration buildings are
all together and interconnected by 10 Gbit fibre and there is a 2 Gb microwave
link to the workshops, processing plant and train load-out. All the wiring
within each building is Cat 3 (10 Mb) ethernet, except for the administration
building which has Cat 5 (100 Mb) cabling; and all server rooms have Cat 6 or
multi-mode fibre connections (1-10 Gb). There are server rooms in the
administration building and in the processing plant. All data and
communications from the control centre to the mining equipment is via radio
technologies. Radios are used for voice communications, including safety and
traffic management. Wi-Fi is used for all data transfer (reporting position,
loads, telemetry and receiving targets, mining instructions, job messages,
etc.) to the draglines, shovels, haul trucks and other equipment throughout
the site. To cover the distances required, there is a network of Wi-Fi
repeaters that retransmit all Wi-Fi packets to all stations in range. See the
map on the next page showing the network of repeaters so that the Wi-Fi
signals get to all parts of the site. Because the various equipment has
different capabilities, the repeaters relay all types of Wi-Fi traffic,
including open, WEP, WPA and WPA2.
The drilling rigs are automated and use GPS to position the bore holes for
explosives and have a Wi-Fi data connection back to the control centre. The
draglines are electric and have their own industrial control systems with
multiple ruggedized general purpose computers and many Programmable Logic
Controllers (PLC) with Wi-Fi links back to the control centre. Also the
electric motor manufacturer has their own 3G connection to each dragline to
get data from the motors. Electric and diesel shovels take the material from
the draglines and load it into haul trucks that carry the ore to the Run of
Mine (RoM - unprocessed ore) grizzly (a grate that stops pieces that are too
big). Most of the haul trucks can only support WEP encryption on the Wi-Fi
(refitting is expensive and requires expensive downtime), and since haul
trucks may get close to boundaries (and hence public areas) the maintenance
manager decided to follow the famous xkcd cartoon (http://xkcd.com/936/) but
with mining terms and so Auric use the complex
WEP password “auricblackcoalmining”. The shovels have to use unencrypted
(“open”) Wi-Fi, but they are all too far from the mine boundaries for their
Wi-Fi radios to reach outside the mine. All other WPA and WPA2 Wi-Fi stations
use secure IEEE 802.1X authentication. The workshops, control centre,
engineering and administration buildings all have Wi-Fi throughout with WPA2
and 802.1X authentication.
Auric Enterprises have reliable, patched and up-to-date firewalls on their
Internet connection. For security they use IPv4 private addressing internally
with the entire 10.0.0.0/8 address space configured on all devices throughout
the site. This flat network means any device will work anywhere on the site
and can easily interoperate with any other device, anywhere else on the site,
including:

  • finance
  • HR
  • all office PCs (Windows 7, 8 & 10)
  • all engineering workstations (Windows XP with Siemens Step7 SCADA software)
  • all SCADA devices (Siemens S7-300 PLCs with Vacon variable-frequency drives)
  • all draglines
  • all shovels and drilling rigs
  • all haul trucks

When asked what the primary business risks were, the following personnel
provided:
CFO: “Our finance data in our MSSQL databases is absolutely critical. If we
lose that or it is tampered with it will conservatively cost us up to
$10,000,000. In addition, it is crucial that our mining product and volume
data, both in these databases and the SCADA systems, is kept secret, otherwise
price negotiations with our biggest customers could easily cost us $10,000,000
per annum. Our biggest trading country is Kamaria.”
COO: “Our mining operations are absolutely critical. We have 24 hour
operations. Our operations cost $2,500,000 a day. Trains load all day and
night. Each train takes 8 hours to load and is worth $1,000,000. If the plant
stops or the load-out stops or the trains stop, it will cost us $3,000,000 a
day in lost revenue and 2,500,000 in expenses.”
CEO: “My travels are absolutely critical. I travel extensively for business
along with my black and yellow Rolls Royce Phantom III. My personal assistant
makes all my travel arrangements. Being a Kamarian national, he does not speak
much English, but he uses my login and password on all systems to make any
arrangements necessary. Because I need to be able to monitor all my business,
I also have unlimited access to all the systems on the site.”
CIO: “Our information systems are absolutely critical. It is essential that
the business systems can interrogate the mining data from the SCADA systems,
so that we have the advantage over our competitors. Availability is everything
- all of the systems administrators can access all systems anytime to make
sure everything stays working. After hours, they can telnet directly into the
network devices from their home computers or airport kiosks if they are
travelling. It is excellent.”
Shift Supervisor: “Plant reliability absolutely critical. These
variable-frequency drives we have throughout the plant are giving us no end of
trouble. They keep failing and it is costing us dearly. We are averaging 10
days downtime every month lately!”

Assignment

Review the current literature in Information Security and provide a concise
1500-2000 words report on the “Auric Enterprises Threat and Vulnerability
Analysis”.
Your report must identify the three most relevant THREATS to the information
systems particular to this scenario (explain why each is a threat), as well as
the five most significant VULNERABILITIES apparent in this scenario (explain
why each one is a vulnerability) and how those VULNERABILITIES may be
EXPLOITED in order to realise those THREATS.
Your report must also identify what are the most important CONTROLS that Auric
Enterprises should be considering as a priority to mitigate the RISKS of these
THREATS being realised.
Your report should be sized for A4 paper and must have an appropriate
structure and logical flow. You MUST use the correct IEEE citations and
references throughout.
Every statement you make must be backed up with the evidence (citation) of
where you found the information. But remember, this is YOUR report - YOU
interpret the information and present it in your own words. Do NOT just
present a series of quotations!

Marking Scheme

Threats (max 3 marks)

Some relevant threats are explained (why they are threat) - 1
Relevant threats from quality industry sources with no vulnerabilities
identified as threats - 2
Relevant threats from peer-reviewed sources with no vulnerabilities identified
as threats - 3

Vulnerabilities (max 4 marks)

Some significant vulnerabilities are explained (why they are vulnerability) -
Some significant vulnerabilities are explained and no threats are identified
as vulnerabilities - 2
Significant vulnerabilities from quality industry sources with no threats
called vulnerabilities - 3
Significant vulnerabilities from peer-reviewed sources with no threats called
vulnerabilities - 4

Controls (max 4 marks)

Some relevant controls are provided - 1
Some relevant controls are explained (how they reduce the risk) - 2
All threats have relevant controls and demonstrate innovation beyond lecture
material - 3
All threats have relevant controls, have innovation and are practical in this
scenario - 4

Communication (max 4 marks)

Report has the correct structure - 1
Report correct structure, readable English & mostly correct reference formats
- 2
Report correct structure, acceptable university English & mostly correct
reference formats - 3
Report correct structure, high quality academic English & correct reference
formats - 4

Further Guidelines

Report Length

The length of the report is to be 1500 - 2000 words.

Report Structure

The structure of the report should follow the following outline. The structure
of the main content, e.g. the number of sections, headings etc. is up to you.
Please use meaningful headings. It is important that the report has a logical
flow and is easy to read. Professional and consistent formatting is expected.
Structure template:

  • Executive Summary (Abstract) (~100 word summary of report)
  • Introduction
  • …(main content, headings as appropriate)
  • Conclusions
  • References

Information Sources

A significant part of the information in the report should be based on quality
sources of information, i.e. peer-reviewed scholarly journal or conference
papers. Given the focus of this assignment on recent trends, you might also
consider some relevant quality online sources of information.
It is expected that you will find, read, understand and summarise information
from relevant sources. In addition to summarising information, you need to
provide your own critical discussion and analysis of the information.
You need to express the concepts and ideas in your own words. You are allowed
to quote small parts of text from different sources, but this needs to be
clearly identified via quotation marks, accompanied by the relevant reference.

Submission Instructions

You need to submit an electronic version of your assignment in PDF format via
Blackboard. The submission deadline is midday Tuesday 08/10/2019.
Good time management is critical. Students should not expect any significant
assistance from the lecturer or tutor on this assignment in the last few days
before the deadline.


Author: SafePoker
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit SafePoker as the source when reposting!