Assessment Brief: BIS3004 IS Security and Risk Management 2500 Words

Posted: March 21st, 2022

Assessment 1: Case Study

Introduction

The Australian government has been working to strengthen the country’s cybersecurity frameworks and policies in response to a concerning trend of data breaches, particularly within the financial and healthcare sectors. Over the past four years, numerous high-profile data breaches have impacted many Australian organizations and their customers (see Table 1). As a cybersecurity specialist, I have been tasked with conducting a security risk assessment and preparing a report for the board of directors of one of the affected organizations.

Details of the Attack

In September 2022, telecommunications provider Optus suffered a significant data breach that exposed the personal information of millions of customers (Optus, 2022). The attack exploited a vulnerability in Optus’s customer database, allowing unauthorized access to sensitive data such as customer names, dates of birth, phone numbers, email addresses, and, in some cases, driver’s license and passport numbers.

The vulnerability was a known issue, as Optus had previously been warned about it by cybersecurity experts. However, the organization had not implemented adequate controls to mitigate the risk. The breach went undetected for several days before Optus became aware of the incident. During this time, the attackers were able to access and exfiltrate a substantial amount of customer data.

Analysis and Action

Optus discovered the breach on September 22, 2022, but the organization had not maintained a comprehensive risk register, and the vulnerability was not properly documented or assessed. As a result, the risk was not perceived as critical, and mitigation measures were not prioritized. The attackers, believed to be a sophisticated criminal group, were able to access and steal the personal information of approximately 9.8 million current and former Optus customers (Optus, 2022).

In the aftermath of the attack, Optus faced significant reputational damage and financial consequences. The organization was required to notify affected customers, provide credit monitoring services, and work with law enforcement agencies to investigate the breach. Additionally, Optus was subject to regulatory fines and potential legal action from customers whose data had been compromised.

To mitigate further damage, Optus took several actions, including enhancing its security controls, implementing stronger access management protocols, and conducting a comprehensive review of its risk management processes. The organization also offered affected customers various support services, such as identity theft protection and access to credit reporting agencies.

Risk Assessment

Risk Identification

The Optus data breach exposed several key risks, including:

Unauthorized access to customer personal information, including sensitive data such as driver’s licenses and passports

Potential identity theft and financial fraud affecting millions of customers

Reputational damage and loss of customer trust

Regulatory fines and legal liabilities

Disruption to Optus’s operations and customer service

Risk Analysis

Using the NIST Cybersecurity Framework (NIST, 2018), the identified risks can be analyzed as follows:

Asset Identification: The primary assets at risk were Optus’s customer database, containing extensive personal information, and the organization’s reputation and public trust.

Threat Assessment: The threat actor was a sophisticated criminal group, with the capability and motivation to exploit the known vulnerability in Optus’s systems.

Vulnerability Analysis: The vulnerability was a well-known issue, and Optus had failed to implement adequate security controls to mitigate the risk.

Risk Evaluation

Based on the FAIR (Factor Analysis of Information Risk) methodology (FAIR Institute, 2022), the Optus data breach posed a critical risk due to the following factors:

High likelihood of the threat event occurring due to the known vulnerability

Significant potential for loss, including financial, reputational, and regulatory impacts

Lack of effective controls and risk management processes within the organization

Conclusion

The Optus data breach highlights the importance of proactive risk management and the need for organizations to maintain a comprehensive risk register, regularly assess vulnerabilities, and implement robust security controls to protect customer data. As a cybersecurity specialist, I recommend that Optus continue to enhance its security posture, strengthen its risk management framework, and work closely with regulatory authorities and industry partners to prevent similar incidents in the future.

Keywords: data breach, cybersecurity, risk assessment, Optus, NIST Cybersecurity Framework, FAIR

References

FAIR Institute. (2022). FAIR Risk Analysis. Retrieved from https://www.fairinstitute.org/fair-risk-analysis

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Optus. (2022). Optus Cyber Incident Update. Retrieved from https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-cyber-incident-update.

==========

Assessment Brief: BIS3004 IS Security and Risk Management Trimester-2 2024

Assessment Overview

Assessment Task Type Weighting Due Length ULO
Assessment 1: Case Study Write a report to discuss recent types of information security attacks, protection mechanisms, and risk management.
Individual 30% Week 6 2500 words ULO-2 ULO-3 ULO-4

Assessment 2: Quiz Quizzes assess students’ ability to understand theoretical materials. The quiz will be either multiple choice questions or short questions which are relevant to the lecture materials.
Individual Invigilated 30% Week 3, 4, 6, 8, 10 700 words ULO-1 ULO-2 ULO-3 ULO-4

Assessment 3: Laboratory Practicum Lab activities and exercises assess students’ ability to understand theoretical materials.
Individual Invigilated 10% Weekly equiv. 2300 words ULO-1 ULO-2 ULO-3 ULO-4

Assessment 4: Applied Project Discuss and implement IS security protection techniques and implement access control under Linux.
Group 30% Week 12 2500 words ULO-1 ULO-2 ULO-3 ULO-4

equiv. – equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is equivalent to the normally expected time requirement for a written submission containing the specified number of words.

Note for all assessment tasks:
• Students can generate/modify/create text generated by AI. They are then asked to modify the text according to the brief of the assignment.
• During the preparation and writing of an assignment, students use AI tools, but may not include any AI-generated material in their final report.
• AI tools are used by students in researching topics and preparing assignments, but all AI-generated content must be acknowledged in the final report as follows:

Format
I acknowledge the use of [insert the name of the AI system and link] to [describe how it was used]. The prompts used were entered on [enter the date in ddmmyyy:] [list the prompts that were used]
Example Assessment 1: Case Studies (Use case analysis, Risk Identification and Assessment) Due date: Week 6 Group/individual: Individual Word count / Time provided: 2500 Weighting: 30% Unit Learning Outcomes: ULO-2, ULO-3, ULO-4

Justification
There is a noticeable increase in the occurrence of data intrusions within the financial and healthcare sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse trend.

In the past 4 years, numerous data breaches have occurred in Australia. Several of them affected many users. Table 1 is a comprehensive compilation of noteworthy instances of data breaches that have transpired in recent years.

Table 1: Major Data Breach Incidents in Australia

Company Name Date of Impact
Latitude March 2023
Medibank December 2022
Optus September 2022
Eastern Health March 2021
Northern Territory Government February 2021
Canva May 2019
Australian Parliament House February 2019
Tools
I acknowledge the use of ChatGPT https://chat.openai.com to create content to plan and brainstorm ideas for my assessment. The prompts used were entered on 18 March 2023:
• What are some key challenges in running an online business?

Approach Analysis
You are required to choose one of the data breaches from the list above in Table 1 and create a report on it. Your report must include the following information.

Detail of the Attack:
This section of your report should include the elements below.
• What was the attack? What vulnerability was exploited?
• Was the vulnerability already known? When did it happen?
• Were there any controls implemented against the vulnerability and yet it was exploited?

Analysis and Action:
This section of your report should include the elements below.
• When and how did the target figure out about the attack?
• For how long, the risk was not actioned?
• Did the organisation have a risk assessment policy and procedure?
• Did the organisation maintain a risk register?
• Was the vulnerability included in the risk register?
• How was the risk perceived (critical/non-critical/high/medium/low)?
• What the attacker(s) did, stole, and wanted?
• Did the organisation pay anything because of the attack?
• What action did they adopt to avoid further damage?

Risk assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation

Risk Identification and Assessment
In this section, you need to identify risks and conduct an analysis of the selected use case. Regarding the selected scenario, reasonable assumptions can be made if they are adequately documented and supported. To perform risk identification and analysis, you can choose either of the following tools or a combination of them.
• Factors Analysis in Information Risk (FAIR)
• NIST Privacy Risk Assessment Methodology (PRAM)
• NIST CyberSecurity Framework (CSF)

Assessment Description
Assume you have been recruited as a cybersecurity specialist by the client organisation (the use case you chose). You are responsible for conducting a security risk assessment and preparing this report for the board members. In most organisations, board members have minimal levels of computer literacy and risk-related knowledge. Include the following information in your report preparation:

Introduction
Details of the attack
Analysis and action
Risk Assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
Conclusion
References
Note: Your responses to the above questions must be supported by APA-style citations and references.

Additional Information
When conducting research, you may find the following URLs or research tools useful:
✓ https://ieeexplore.ieee.org/Xplore/home.jsp
✓ https://dl.acm.org/
✓ https://scholar.google.com/

Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30% of the total unit mark.

Marking Criteria
Not satisfactory (0-49%) of the criterion mark
Satisfactory (50-64%) of the criterion mark
Good (65-74%) of the criterion mark
Very Good (75-84%) of the criterion mark
Excellent (85-100%) of the criterion mark

Introduction (10 marks)
The introduction lacks clarity, and an engaging hook, and is disorganised, lacks originality.
The introduction is generally clear, includes a moderately engaging opener, presents a well-articulated statement, about the topic, provides some pertinent context, is adequately organised, and lacks significant originality.
The introduction is clear, contains an engaging hook, presents a well-articulated statement, about the topic, provides relevant context, and is well-organized.
The introduction is well written with a clear discussion about the case analysis, Risk Identification, and Assessment.
The introduction is exceptionally clear, contains a highly engaging hook, presents a well-articulated topic, provides pertinent context, is flawlessly organised, and demonstrates originality.

Details of the Attack (15)
The report lacks clarity and detail, providing little to no information about the details of the attack and its various aspects.
The report provides a basic overview of the details of the attack, covering some of the necessary details but lacking depth in one or more areas, such as what vulnerability was exploited.
Generally, good discussion about the details of the attacks, including clear identification, a thorough explanation of the attack.
Very clear discussion about the details of the attack. The answer is supported with reference and in-text citations.
In-depth and very clear discussion about the details of the attack. Accurate answers are supported with reference and in-text citations.

Analysis and action (10)
Poor discussion with irrelevant information.
A brief discussion about the analysis and action. The analysis provides a basic impact assessment but lacks comprehensive details.
Generally good discussion regarding the analysis and action. The impact assessment is reasonable but may lack some depth.
Very clear discussion about the analysis and action. The answer is supported with references and in-text citations.
In-depth and very clear discussion about the analysis and action. The report provides a complete strategy of how the target found out about the attack and the way they dealt with it with accurate answers supported with references and in-text citations.

Risk Identification (15)
Poor discussion with irrelevant information.
A brief discussion about risk identification. Displayed a basic understanding of the threat landscape but it lacks depth. One of the provided tools was not utilised correctly.
Generally good discussion about risk identification. Shows a good grasp of the threat landscape but may overlook using one of the given tools.
Very clear discussion regarding risk identification. Properly use one of the given tools. The answer is supported by the reference and in-text citation.
Using one of the provided tools demonstrates an exceptional understanding of the threat landscape with accurate responses supported by references and in-text citations.

Risk Analysis (15)
Poor risk assessment. No assets were mentioned, nor were any threats evaluated.
A brief discussion about risk analysis. Few threats are evaluated.
Some relevant assets were identified, but important ones are missing. Some threats were assessed but lacked detail or accuracy.
Most relevant assets are identified with minor omissions or inaccuracies. Well-documented threats with minor omissions or inconsistencies.