Assessment 1: Case Study<\/p>\n
Introduction<\/p>\n
The Australian government has been working to strengthen the country’s cybersecurity frameworks and policies in response to a concerning trend of data breaches, particularly within the financial and healthcare sectors. Over the past four years, numerous high- assessment task profile data breaches have impacted many Australian organizations and their customers (see Table 1). As a cybersecurity specialist, I have been tasked with conducting a security risk assessment and preparing a report for the board of directors of one of the affected organizations.<\/p>\n
Details of the Attack<\/p>\n
In September 2022, telecommunications provider Optus suffered a significant data breach that exposed the personal information of millions of customers (Optus, 2022). The attack exploited a vulnerability in Optus’s customer database, allowing unauthorized access to sensitive data such as customer names, dates of birth, phone numbers, email addresses, and, in some cases, driver’s license and passport numbers.<\/p>\n
The vulnerability was a known issue, as Optus had previously been warned about it by cybersecurity experts. However, the organization had not implemented adequate controls to mitigate the risk. The breach went undetected for several days before Optus became aware of the incident. During this time, the attackers were able to access and exfiltrate a substantial amount of customer data.<\/p>\n
Analysis and Action<\/p>\n
Optus discovered the breach on September 22, 2022, but the organization had not maintained a comprehensive risk register, and the vulnerability was not properly documented or assessed. As a result, the risk was not perceived as critical, and mitigation measures were not prioritized. The attackers, believed to be a sophisticated criminal group, were able to access and steal the personal information of approximately 9.8 million current and former Optus customers (Optus, 2022).<\/p>\n
In the aftermath of the attack, Optus faced significant reputational damage and financial consequences. The organization was required to notify affected customers, provide credit monitoring services, and work with law enforcement agencies to investigate the breach. Additionally, Optus was subject to regulatory fines and potential legal action from customers whose data had been compromised.<\/p>\n
To mitigate further damage, Optus took several actions, including enhancing its security controls, implementing stronger access management protocols, and conducting a comprehensive review of its risk management processes. The organization also offered affected customers various support services, such as identity theft protection and access to credit reporting agencies.<\/p>\n
Risk Assessment<\/p>\n
Risk Identification<\/p>\n
The Optus data breach exposed several key risks, including:<\/p>\n
Unauthorized access to customer personal information, including sensitive data such as driver’s licenses and passports<\/p>\n
Potential identity theft and financial fraud affecting millions of customers<\/p>\n
Reputational damage and loss of customer trust<\/p>\n
Regulatory fines and legal liabilities<\/p>\n
Disruption to Optus’s operations and customer service<\/p>\n
Risk Analysis<\/p>\n
Using the NIST Cybersecurity Framework (NIST, 2018), the identified risks can be analyzed as follows:<\/p>\n
Asset Identification: The primary assets at risk were Optus’s customer database, containing extensive personal information, and the organization’s reputation and public trust.<\/p>\n
Threat Assessment: The threat actor was a sophisticated criminal group, with the capability and motivation to exploit the known vulnerability in Optus’s systems.<\/p>\n
Vulnerability Analysis: The vulnerability was a well-known issue, and Optus had failed to implement adequate security controls to mitigate the risk.<\/p>\n
Risk Evaluation<\/p>\n
Based on the FAIR (Factor Analysis of Information Risk) methodology (FAIR Institute, 2022), the Optus data breach posed a critical risk due to the following factors:<\/p>\n
High likelihood of the threat event occurring due to the known vulnerability<\/p>\n
Significant potential for loss, including financial, reputational, and regulatory impacts<\/p>\n
Lack of effective controls and risk management processes within the organization<\/p>\n
Conclusion<\/p>\n
The Optus data breach highlights the importance of proactive risk management and the need for organizations to maintain a comprehensive risk register, regularly assess vulnerabilities, and implement robust security controls to protect customer data. As a cybersecurity specialist, I recommend that Optus continue to enhance its security posture, strengthen its risk management framework, and work closely with regulatory authorities and industry partners to prevent similar incidents in the future.<\/p>\n
Keywords: data breach, cybersecurity, risk assessment, Optus, NIST Cybersecurity Framework, FAIR<\/p>\n
References<\/p>\n
FAIR Institute. (2022). FAIR Risk Analysis. Retrieved from https:\/\/www.fairinstitute.org\/fair-risk-analysis<\/p>\n
NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology. Retrieved from https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf<\/p>\n
Optus. (2022). Optus Cyber Incident Update. Retrieved from https:\/\/www.optus.com.au\/about\/media-centre\/media-releases\/2022\/09\/optus-cyber-incident-update.<\/p>\n
==========<\/p>\n
Assessment Brief: BIS3004 IS Security and Risk Management Trimester-2 2024<\/p>\n
Assessment Overview<\/p>\n
Assessment Task Type Weighting Due Length ULO
\nAssessment 1: Case Study Write a report to discuss recent types of information security attacks, protection mechanisms, and risk management.
\nIndividual 30% Week 6 2500 words ULO-2 ULO-3 ULO-4<\/p>\n
Assessment 2: Quiz Quizzes assess students\u2019 ability to understand theoretical materials. The quiz will be either multiple choice questions or short questions which are relevant to the lecture materials.
\nIndividual Invigilated 30% Week 3, 4, 6, 8, 10 700 words ULO-1 ULO-2 ULO-3 ULO-4<\/p>\n
Assessment 3: Laboratory Practicum Lab activities and exercises assess students\u2019 ability to understand theoretical materials.
\nIndividual Invigilated 10% Weekly equiv. 2300 words ULO-1 ULO-2 ULO-3 ULO-4<\/p>\n
Assessment 4: Applied Project Discuss and implement IS security protection techniques and implement access control under Linux.
\nGroup 30% Week 12 2500 words ULO-1 ULO-2 ULO-3 ULO-4<\/p>\n
equiv. \u2013 equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is equivalent to the normally expected time requirement for a written submission containing the specified number of words.<\/p>\n
Note for all assessment tasks:
\n\u2022 Students can generate\/modify\/create text generated by AI. They are then asked to modify the text according to the brief of the assignment.
\n\u2022 During the preparation and writing of an assignment, students use AI tools, but may not include any AI-generated material in their final report.
\n\u2022 AI tools are used by students in researching topics and preparing assignments, but all AI-generated content must be acknowledged in the final report as follows:<\/p>\n
Format – Best Help Writing My 99 Papers\u2014owl Essay Samples
\nI acknowledge the use of [insert the name of the AI system and link] to [describe how it was used]. The prompts used were entered on [enter the date in ddmmyyy:] [list the prompts that were used]
\nExample Assessment 1: Case Studies (Use case analysis, Risk Identification and Assessment) Due date: Week 6 Group\/individual: Individual Word count \/ Time provided: 2500 Weighting: 30% Unit Learning Outcomes: ULO-2, ULO-3, ULO-4<\/p>\n
Justification
\nThere is a noticeable increase in the occurrence of data intrusions within the financial and healthcare sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse trend.<\/p>\n
In the past 4 years, numerous data breaches have occurred in Australia. Several of them affected many users. Table 1 is a comprehensive compilation of noteworthy instances of data breaches that have transpired in recent years.<\/p>\n
Table 1: Major Data Breach Incidents in Australia<\/p>\n
Company Name\tDate of Impact
\nLatitude\tMarch 2023
\nMedibank\tDecember 2022
\nOptus\tSeptember 2022
\nEastern Health\tMarch 2021
\nNorthern Territory Government\tFebruary 2021
\nCanva\tMay 2019
\nAustralian Parliament House\tFebruary 2019
\nTools
\nI acknowledge the use of ChatGPT https:\/\/chat.openai.com to create content to plan and brainstorm ideas for my assessment. The prompts used were entered on 18 March 2023:
\n\u2022 What are some key challenges in running an online business?<\/p>\n
Approach Analysis
\nYou are required to choose one of the data breaches from the list above in Table 1 and create a report on it. Your report must include the following information.<\/p>\n
Detail of the Attack:
\nThis section of your report should include the elements below.
\n\u2022 What was the attack? What vulnerability was exploited?
\n\u2022 Was the vulnerability already known? When did it happen?
\n\u2022 Were there any controls implemented against the vulnerability and yet it was exploited?<\/p>\n
Analysis and Action:
\nThis section of your report should include the elements below.
\n\u2022 When and how did the target figure out about the attack?
\n\u2022 For how long, the risk was not actioned?
\n\u2022 Did the organisation have a risk assessment policy and procedure?
\n\u2022 Did the organisation maintain a risk register?
\n\u2022 Was the vulnerability included in the risk register?
\n\u2022 How was the risk perceived (critical\/non-critical\/high\/medium\/low)?
\n\u2022 What the attacker(s) did, stole, and wanted?
\n\u2022 Did the organisation pay anything because of the attack?
\n\u2022 What action did they adopt to avoid further damage?<\/p>\n
Risk assessment
\na. Risk Identification
\nb. Risk Analysis
\nc. Risk Evaluation<\/p>\n
Risk Identification and Assessment
\nIn this section, you need to identify risks and conduct an analysis of the selected use case. Regarding the selected scenario, reasonable assumptions can be made if they are adequately documented and supported. To perform risk identification and analysis, you can choose either of the following tools or a combination of them.
\n\u2022 Factors Analysis in Information Risk (FAIR)
\n\u2022 NIST Privacy Risk Assessment Methodology (PRAM)
\n\u2022 NIST CyberSecurity Framework (CSF)<\/p>\n
Assessment Description
\nAssume you have been recruited as a cybersecurity specialist by the client organisation (the use case you chose). You are responsible for conducting a security risk assessment and preparing this report for the board members. In most organisations, board members have minimal levels of computer literacy and risk-related knowledge. Include the following information in your report preparation:<\/p>\n
Introduction
\nDetails of the attack
\nAnalysis and action
\nRisk Assessment
\na. Risk Identification
\nb. Risk Analysis
\nc. Risk Evaluation
\nConclusion
\nReferences
\nNote: Your responses to the above questions must be supported by APA-style citations and references.<\/p>\n
Additional Information
\nWhen conducting research, you may find the following URLs or research tools useful:
\n\u2713 https:\/\/ieeexplore.ieee.org\/Xplore\/home.jsp
\n\u2713 https:\/\/dl.acm.org\/
\n\u2713 https:\/\/scholar.google.com\/<\/p>\n
Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30% of the total unit mark.<\/p>\n
Marking Criteria
\nNot satisfactory (0-49%) of the criterion mark
\nSatisfactory (50-64%) of the criterion mark
\nGood (65-74%) of the criterion mark
\nVery Good (75-84%) of the criterion mark
\nExcellent (85-100%) of the criterion mark<\/p>\n
Introduction (10 marks)
\nThe introduction lacks clarity, and an engaging hook, and is disorganised, lacks originality.
\nThe introduction is generally clear, includes a moderately engaging opener, presents a well-articulated statement, about the topic, provides some pertinent context, is adequately organised, and lacks significant originality.
\nThe introduction is clear, contains an engaging hook, presents a well-articulated statement, about the topic, provides relevant context, and is well-organized.
\nThe introduction is well written with a clear discussion about the case analysis, Risk Identification, and Assessment.
\nThe introduction is exceptionally clear, contains a highly engaging hook, presents a well-articulated topic, provides pertinent context, is flawlessly organised, and demonstrates originality.<\/p>\n
Details of the Attack (15)
\nThe report lacks clarity and detail, providing little to no information about the details of the attack and its various aspects.
\nThe report provides a basic overview of the details of the attack, covering some of the necessary details but lacking depth in one or more areas, such as what vulnerability was exploited.
\nGenerally, good discussion about the details of the attacks, including clear identification, a thorough explanation of the attack.
\nVery clear discussion about the details of the attack. The answer is supported with reference and in-text citations.
\nIn-depth and very clear discussion about the details of the attack. Accurate answers are supported with reference and in-text citations.<\/p>\n
Analysis and action (10)
\nPoor discussion with irrelevant information.
\nA brief discussion about the analysis and action. The analysis provides a basic impact assessment but lacks comprehensive details.
\nGenerally good discussion regarding the analysis and action. The impact assessment is reasonable but may lack some depth.
\nVery clear discussion about the analysis and action. The answer is supported with references and in-text citations.
\nIn-depth and very clear discussion about the analysis and action. The report provides a complete strategy of how the target found out about the attack and the way they dealt with it with accurate answers supported with references and in-text citations.<\/p>\n
Risk Identification (15)
\nPoor discussion with irrelevant information.
\nA brief discussion about risk identification. Displayed a basic understanding of the threat landscape but it lacks depth. One of the provided tools was not utilised correctly.
\nGenerally good discussion about risk identification. Shows a good grasp of the threat landscape but may overlook using one of the given tools.
\nVery clear discussion regarding risk identification. Properly use one of the given tools. The answer is supported by the reference and in-text citation.
\nUsing one of the provided tools demonstrates an exceptional understanding of the threat landscape with accurate responses supported by references and in-text citations.<\/p>\n
Risk Analysis (15)
\nPoor risk assessment. No assets were mentioned, nor were any threats evaluated.
\nA brief discussion about risk analysis. Few threats are evaluated.
\nSome relevant assets were identified, but important ones are missing. Some threats were assessed but lacked detail or accuracy.
\nMost relevant assets are identified with minor omissions or inaccuracies. Well-documented threats with minor omissions or inconsistencies. <\/p>\n","protected":false},"excerpt":{"rendered":"
Assessment 1: Case Study Introduction The Australian government has been working to strengthen the country’s cybersecurity frameworks and policies in response to a concerning trend\u2026<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[298,1369,2127,868,358,2018,3349],"tags":[],"class_list":["post-17806","post","type-post","status-publish","format-standard","hentry","category-assessment-brief-assignment-help","category-assessment-brief-writing-help-uk","category-computer-and-information-assignment-help","category-cyber-security-assignment-help","category-it-computer-science-assignment-help","category-insurance-assignment-help","category-uk"],"_links":{"self":[{"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/posts\/17806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/comments?post=17806"}],"version-history":[{"count":1,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/posts\/17806\/revisions"}],"predecessor-version":[{"id":17807,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/posts\/17806\/revisions\/17807"}],"wp:attachment":[{"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/media?parent=17806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/categories?post=17806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.colapapers.com\/uk\/wp-json\/wp\/v2\/tags?post=17806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}