This second assignment will make you more familiar with the process of developing controls for specific risks.
"The only way to discover the limits of the possible is to go beyond them into the impossible"
Arthur C. Clarke
The University IT team was so impressed with your work on assignment 1 that they have asked for your assistance in making the campus more cyber secure.
They have asked for your input into the identification of a comprehensive set of controls in certain areas. With your solid background on the topic, you feel up to the task.
After an internal survey, they have identified the following types of threats as being of particular concern (note there is a bit of overlap here and there):
Phishing Attacks: Cybercriminals may target university staff and students with phishing emails or messages to trick them into revealing sensitive information, such as login credentials.
Research Data Theft: Universities often conduct valuable research, making them potential targets for cybercriminals seeking to steal intellectual property, research findings, or sensitive data.
Credential Theft: Attackers may attempt to compromise user accounts by stealing usernames and passwords, gaining unauthorized access to systems or confidential information.
Denial-of-Service (DoS) Attacks: Disrupting online services, such as course registrations or research databases, can be a motive, affecting the normal functioning of the university.
Insider Threats: Employees or students with access to sensitive information may intentionally or unintentionally compromise security, making it crucial to monitor internal activities.
Ransomware: Universities are susceptible to ransomware attacks, where cybercriminals encrypt data and demand payment for its release, potentially disrupting operations.
IoT Vulnerabilities: As universities adopt Internet of Things (IoT) devices for various purposes, the security of these devices becomes crucial to prevent unauthorized access.
Insecure Wi-Fi Networks: Weaknesses in Wi-Fi security can expose sensitive data to unauthorized users, posing a threat to both university networks and individual users.
Cloud Security Concerns: Universities often store data in the cloud, making them vulnerable to cloud-related threats such as misconfigurations, data breaches, or unauthorized access.
Social Engineering Attacks: Manipulating individuals into divulging confidential information through social engineering techniques remains a persistent threat.
Lack of Patch Management: Failing to regularly update and patch software and systems can create vulnerabilities that attackers may exploit.
Mobile Device Threats: With the increased use of mobile devices for educational purposes, there is a risk of mobile-specific threats like malware or unsecured apps compromising university data.
The team wants a detailed assessment of recent developments in these key areas and, from every student, a detailed control option analysis of four of these areas, which you will select using the logic in this little bit of Python.
Run the code and note down your selected topic areas. Report these in your submission.
For each of your four algorithmically determined topics, conduct online research and identify any new developments in each of your topic areas from the last 6 months. Try to find at least one news story which demonstrates an evolution for each of your risk areas. Summarize your research for each of your topics. Include appropriate links to online reports or information.
For each of your four topic areas, review the applicable portions of NIST SP 800-53 to help you identify as many different controls as you can think of to address, in particular, any new dimensions of each risk, as well as any other persistent risks. Explore controls along 5 dimensions:
Preventive controls
Detective controls
Corrective controls
Deterrent controls
Compensating controls
For each potential control, provide details of the following control dimensions:
A descriptive name for the control
The goal of the control, i.e. what is the logical/scientific basis for its efficacy and how does it affect the threat/risk
How the control works, i.e. what are the operational steps
How easy it is to implement the control
How to measure the efficacy of the control
The team wants you to be creative and include as many controls as you can think of. Use your imagination. Think about how attackers would execute a strategy to exploit weaknesses in your four risk areas and how they would defeat any existing controls, then think of ways to counter these.
Organize all your different types of proposed controls and the associated data in a nice spreadsheet.
In your submission email, show how you calculated your assigned topics, using the above algorithm.
Submit a PDF containing your response to Part A.
For Part B, prepare a complete, but concise, spreadsheet summarizing your analysis:
Use appropriate headings and provide the required detail.
Use clear and concise language, providing detailed information and explanations where necessary.
Make it aesthetically pleasing!
I will assess your grade as follows:
The use of innovative and creative thinking in formulating potential controls (3).
The number of potentially useful controls identified (3).
Thoroughness in description and analysis (the commentary) of the proposed set of controls (4).