This assignment assesses your understanding in relation to
the following three course objectives:
1. Analyse information security vulnerabilities and threats
and determine appropriate controls that can be applied to mitigate the
potential risks
2. Explain why continual improvement is necessary to
maintain reasonably secure information systems and IT infrastructure, and
describe the role of disaster recovery and business continuity plans in
recovering information and operational systems when systems and hardware fail
4. Demonstrate an ability to communicate effectively, both
in writing and orally, about the management of information security in
organisations.
This assignment assesses the following graduate skills:
Problem Solving, Academic & Professional Literacy and Oral and Written
Communication at level 2.
This assignment relates to the topics covered in modules 1
to 10. This assignment can be completed by groups of two students or as an
individual assignment. Details regarding the allocation of students to teams
will be provided on the course study desk. If working in a student team you
will be expected to work collaboratively as a team in developing and discussing
your approach to the assignment case study and the required Security report and
presentation. Regular participation by the team members, or by an individual
completing this assignment, each week from Monday 7th September until Friday
23rd October is expected. Each team member or individual will also be
required to keep a journal of their activities and progress related to
completing this assignment, which will form part of the assessment for assignment
3. In date order, clearly list the following:
• date of research activity/discussion
• topics researched or discussed
• time duration of activity.
Submit this journal for each team member, or as an individual,
as an appendix to the assignment Recommendations report. Any reference to web
pages and online resources such as white papers, blogs, wikis etc. should be
listed at the end of the journal.
Regular participation on the discussion forums dedicated to
this assessment is highly recommended and can assist greatly with this
assessment item. Also note that you are expected to do research outside of the
course materials provided.
Case study – Gamble Bet
Background
Harry’s Bookmaking Agency has been working the rails on
Australian Horse Racetracks for over 40 years. When Harry retired 10 years ago,
his son Bob took over as Head Bookmaker, (and CEO) and stills runs the business
to this day.
Bob realised early in his tenure that, after 30 years of
little change to their business model, they faced some disruptive new market
and technological forces; if they did not react, Harry’s Bookmaking
Agency might not exist for much longer.
Bob could see the signs. The Internet was changing the world
and changing how businesses worked. Already, online betting was becoming big
overseas in the US and some of Europe, and early adopters in Australia were
making good inroads into the local market. While his business was not
affected as yet, the writing was on the wall. To survive, Harry’s Bookmaking
Agency had to make the most radical changes to the business in all its
existence.
‘GambleBet Pty Ltd’ (the new name for Harry’s Bookmaking Agency and its online
business) was started in 2000.
Today, GambleBet has 20 staff and operates out of 1 office
in Melbourne. Of GambleBet’s staff, 15 are bookmakers who spend their work
hours in front of scores of screens watching sport from around the world and
other bookmaking sites to be able to set the markets for sports betting they
offer their clients. There are also 3 business administration staff, 1
accountant and Bob as the CEO. They have no IT people in their organisation.
GambleBet’s IT infrastructure is fully outsourced to a
third-party hosting provider, ‘NetBest IT Services’, who also manage all aspects
of GambleBet’s 3 servers and all communications from their office and links to
the ISP. GambleBet’s online betting system application and credit card
processing system are developed and managed by BigFrog Software.
In 2001, 90% of business revenue still came from the rails
business on the racetrack. In 2014, 95% of all revenue comes from the online
business. GambleBet’s 2013 revenue topped $100M AUD, up from $4M AUD in 1999.
Business is booming!
Setting the Scene
This afternoon, Bob received a call from his bank’s Risk
Management and Compliance Division Manager. He was informed that the bank
believed that GambleBet’s security had been compromised. The bank’s credit card
fraud system was raising alarm bells and, through further investigation by the
bank, a pattern was emerging: the compromised credit card numbers belonged to
GambleBet’s customers. At present,
fraudulent purchases on these credit cards totalled in excess of $50,000 and
were growing by the day. Fraudulent transactions were happening across the
globe and the bank informed Bob that it suspected that a criminal hacking
organisation had broken into GambleBet’s systems and stolen some or all of
the credit card numbers of their clients.
As per bank policy and as documented in the credit card
merchant contract between the bank and GambleBet, in the event of potential
fraud being detected, the bank has the right to undertake an investigation into
the matter. Bob was informed that the bank has engaged independent IT security
specialists, HackStop Pty Ltd, to:
• Review the security of GambleBet IT systems and
applications
• Determine whether GambleBet is the source of the fraud
• And if so, report on what can be done to mitigate security
issues now and on an ongoing basis to minimise the likelihood of further fraud.
Bob knows he needs to comply with the bank. Aside from the
reputation damage to his brand and business if this made the press, 99% of all
payments to GambleBet are made by clients using credit cards. If the bank took
away his ability to process credit card transactions, his 40-year-old business
would be ruined. He agrees to meet with the HackStop consultant first thing the
next day. It’s 5:00pm now and Bob knows he will not sleep well tonight.
Your task
As the IT Security Consultant for HackStop assigned to the
GambleBet investigation, you are required to put together a high-level security
audit work plan for the bank and GambleBet that outlines your approach and
methodologies to: (1) review the security of GambleBet and its key third party
service providers, and (2) determine whether GambleBet is the source of the
credit card fraud. You are also required to deliver your proposed security audit
work plan in a PowerPoint presentation.
The Security Audit work plan should be professionally
presented and be concise and to the point. Remember, time is of the essence here
and the work plan must be signed off as soon as possible for the actual work
to commence. Each day of delay could equate to many more thousands of dollars
of fraud incurred by the bank and potentially also by GambleBet.
Some resources which may be useful for this Assignment 4
Case Study will be provided on the Assignment 4 discussion forum.
Any information not provided in the case study may be
assumed, but make sure that your assumptions are stated and that the
assumptions are plausible.
Security Audit Work-plan Report Structure and Requirements
(WORD Document):
The Security Audit work plan should be included in a
professionally presented document of no more than 10 pages and be structured to
show how each phase of work is to be undertaken. Your work-plan must include
the following at a minimum:
1. Executive Summary: half-page brief outlining the purpose,
scope, expectations and outcomes of the proposed plan of work. (250 words)
Structured and ordered work plan phase description, which
for each section includes:
2. Background and problem analysis - What went wrong? How
was the GambleBet website compromised and customer credit card details stolen?
(approx. 500 words)
3. Threat analysis - What is to be investigated and tested,
how it will be done, what sort of potential issues you are looking for, and the
deliverables GambleBet and their Bank can expect for each phase of work (e.g.
the “deliverable” for a phase of work could potentially be a report
containing the results of a vulnerability assessment test on GambleBet’s
server(s) and web applications). (approx. 1000 words)
4. Dependencies and critical success factors to the job -
such as key stakeholders in this security audit: the key people to be
interviewed or whose involvement in that phase of work is required. (Remember,
you don’t always get free rein to access systems and other information, and
because time is of importance, you won’t get a long time to master the
environment. But, as you know, you also cannot always believe everything you
are told.) What is key to getting this job done efficiently and what support do
you need to get this done (from GambleBet, NetBest IT Services and Big Frog
Software)? (approx. 500 words)
5. Set of recommendations for improving GambleBet’s current
security practices and ensuring that an appropriate set of controls is put in
place (approx. 750 words)
6. Reference list of key sources, in particular technical
references which support your approach (not counted in word count)
Note: in this report and in the accompanying presentation you
are encouraged to make use of appropriate Figures and Tables to emphasise the
key points that you are trying to make.
7. A journal of each team member's (for students completing
this assignment individually – your) activities in participating and
contributing to the completion of the work plan report and presentation.
Suggested Security Audit Work Plan Report Presentation
Structure
Developing a More Secure Environment for GambleBet in the Future
(POWERPOINT):
Your strategy presentation should be created as if it were
an actual presentation you were doing for a real client in relation to your
proposed security audit work plan including a set of recommendations and should
contain the following at a minimum:
* 1 Slide for an Introduction outlining your team and the
organisation you work for
* 2-3 Slides covering Background and problem analysis: A
brief summary of where GambleBet is today in regards to security practices and
controls in place for their web servers and web applications.
* 2-3 Slides covering the Threat Analysis: A summary of the
major threats and associated vulnerabilities and the actions required to reduce
the risks associated with these threats and specific vulnerabilities in their
web servers and web applications to an acceptable level.
* 2 Slides covering Dependencies and critical success
factors to the job: i.e. what is key to getting this job done efficiently and
what support do you need to get this done (e.g. internal business
stakeholders, and key third party service providers such as NetBest IT Services
and Big Frog Software).
* 2 Slides covering your proposed Set of recommendations for
improving the security practices of GambleBet and its key third party service
providers, ensuring that appropriate controls are in place in relation to their web
site and web applications, which are core to their business.
[The following is also to be included. While not part of a
“standard” industry business presentation, it is there to allow teaching staff
to gauge what level of research has been undertaken.]
* 1 Slide acknowledging the key authoritative reference
sources which underpin the research you have conducted and your approach in the
proposed work plan in your proposed business report.
------------------
• This assignment is focused upon seeing whether, as a student in
this course, you have built up an awareness of how security in an environment
should be set up and operated. By being able to outline how you would review
and test the security of the fictional organisation, GambleBet, through
assessment of the basics such as good policies, standards, procedures and
controls in place, in addition to detection of incidents, the markers will be
able to assess your level of knowledge learned from the course content and from
your own additional research in relation to this case study.
• Any information not provided in the case study may be
assumed, but make sure that your assumptions are stated and that the
assumptions are plausible.
• There will be three specific threads on the Assignment 4
discussion forum for asking questions and seeking clarification on the GambleBet
Case Study from:
(1) Bob, CEO of GambleBet;
(2) Phil, Technology Manager of NetBest IT Services; and
(3) Jim, Project Manager of Big Frog Software.
By actively participating in the forum discussions for this
assignment, you will gain valuable information and insight into this case study
that will be regarded highly by the markers.
These Assignment discussion forum threads are to be used to
professionally ask relevant questions of senior management in these three
organisations and their involvement in the GambleBet case study as if you were
really interacting with the key people in these organisations as part of your
information security consultancy deployment.
Please note, if any of these senior managers feel that they
are being asked to answer unnecessary questions, or have not been asked
professionally, they reserve the right to refuse to answer a specific question.
Submission of your assignment security audit work plan
report and presentation (Word document and PowerPoint presentation).