Enterprise information security
EIS Assignment 2
This assignment has several options from which to choose the parts that you wish to undertake. You are required to choose any 2 of the task areas and prepare an appropriate response or submission. Some of the tasks are practical application tasks and others are less hands-on. This gives you the opportunity to pursue the areas of greatest interest or relevance to you and allows you to shape your assessment accordingly. Submission is to be a pdf file to the assignment space on FLO.

1. Forensic Computing Task

A legacy application is being investigated as there is a suspicion of some previous fraudulent activity. The data from the application is in a native file format structure and it is your task to attempt to reconstruct as much of the data as possible. Fortunately it has been possible to obtain a test file with a known layout as well as the file in question which has an uncertain layout. The files are labelled testfile.dat and legacy.dat accordingly. The specifications for testfile.dat are as follows:

Table Structure             Field Type & Size (if appropriate)
Record Length               60
Field 1 (Record Status)     Long
Field 2                     Char
Field 3                     String(30)
Field 4                     String(10)
Field 5                     Byte
Field 6                     Integer
Field 7                     Long
Field 8                     Real
Table 1: Testfile Structure

It has also been possible to recover from early system documentation of a pilot project the structure and listing of the contents of the testfile, the contents being available in the file labelled testfile.txt, stored in the same area as the testfile data file. The proprietary file structure uses an old ISAM file organisation in which the first record is a header record, and the data records follow. In the legacy file legacy.dat, it is known that the data was taken from a business transaction file and should have included at least the following data elements: Transaction id, transaction type, date, customer number, item description, amount, gst. Additionally there may be a number of other values such as item codes, reference values, and potentially internal structural data such as pointer links [probably long integers]. Your submission should be a technical report identifying what you did, and what you achieved, and ideally the details of the recovered data [or as much of it as you have been able to reconstruct]. Appendix elements should include code listings where appropriate.
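The following is an added worked example, not part of the assignment brief and not a sample solution. It decodes records laid out as in Table 1 with Python's struct module and shows that the assumed field sizes (Long = 4 bytes, Char = 1, Byte = 1, Integer = 2, Real = 8-byte double, little-endian, no padding) sum to exactly the stated record length of 60. The header record is skipped as the ISAM organisation described above requires. Two further helpers (candidate_record_lengths and printable_runs) are the kind of first-pass aids one would apply to a file of unknown layout such as legacy.dat; the sample file is constructed inline and the byte order and type sizes are assumptions, since the brief does not state them.

```python
import struct

# Layout from Table 1 with assumed sizes and byte order (assumption: little-endian,
# Long = 4-byte signed, Char = 1 byte, Byte = unsigned 8-bit, Integer = 2-byte signed,
# Real = 8-byte IEEE double).  The '<' prefix disables alignment padding so the
# fields pack contiguously, which is what a fixed-length record format needs.
RECORD_FORMAT = "<l c 30s 10s B h l d"
RECORD_LENGTH = struct.calcsize(RECORD_FORMAT)   # 60, matching Table 1
FIELD_NAMES = ("status", "field2", "field3", "field4",
               "field5", "field6", "field7", "field8")


def decode_record(raw: bytes) -> dict:
    """Unpack one fixed-length record into a dict keyed by the Table 1 field names."""
    if len(raw) != RECORD_LENGTH:
        raise ValueError("record must be %d bytes, got %d" % (RECORD_LENGTH, len(raw)))
    rec = dict(zip(FIELD_NAMES, struct.unpack(RECORD_FORMAT, raw)))
    # Fixed-width text fields are NUL/space padded; strip the padding for display.
    for name in ("field2", "field3", "field4"):
        rec[name] = rec[name].rstrip(b"\0 ").decode("latin-1")
    return rec


def read_records(data: bytes, skip_header: bool = True) -> list:
    """Split a whole file into records; the first record is the ISAM header."""
    if len(data) % RECORD_LENGTH:
        raise ValueError("file size %d is not a multiple of the record length" % len(data))
    records = [decode_record(data[i:i + RECORD_LENGTH])
               for i in range(0, len(data), RECORD_LENGTH)]
    return records[1:] if skip_header else records


def candidate_record_lengths(size: int, lo: int = 16, hi: int = 512) -> list:
    """For a file of unknown layout: record lengths that divide the file size exactly."""
    return [n for n in range(lo, hi + 1) if size % n == 0]


def printable_runs(raw: bytes, min_len: int = 4) -> list:
    """(offset, text) for each run of printable ASCII inside a record.

    Adjacent text fields with no separator merge into one run (here the Char field
    at offset 4 runs straight into the String(30) at offset 5); that is itself a
    clue to the layout when working on an unknown file.
    """
    runs, start = [], None
    for i, b in enumerate(raw + b"\0"):        # sentinel closes a trailing run
        if 32 <= b < 127:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, raw[start:i].decode("ascii")))
            start = None
    return runs


def make_sample_file() -> bytes:
    """Constructed sample testfile.dat: one header record followed by two data records."""
    header = struct.pack(RECORD_FORMAT, 2, b"H", b"TESTFILE HEADER", b"V1", 0, 0, 0, 0.0)
    r1 = struct.pack(RECORD_FORMAT, 1, b"A", b"WIDGET, BLUE", b"C1001", 7, 250, 100001, 19.95)
    r2 = struct.pack(RECORD_FORMAT, 0, b"D", b"GADGET, RED", b"C1002", 3, -40, 100002, 1250.0)
    return header + r1 + r2


if __name__ == "__main__":
    sample = make_sample_file()
    for rec in read_records(sample):
        print(rec)
    print("candidate record lengths:", candidate_record_lengths(len(sample)))
    print("text runs in record 1:", printable_runs(sample[RECORD_LENGTH:2 * RECORD_LENGTH]))
```

If the real testfile.dat does not decode cleanly with this format string, the first things to vary are the byte order prefix and the size assumed for Integer, Long and Real; the known contents in testfile.txt give the check that confirms a candidate layout before the same approach is tried on legacy.dat.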
COMP3721 – Enterprise Information Security
3
COMP8721 – Enterprise Information Security GE
Flinders University
School of Computer Science, Engineering and Mathematics
2. Encryption-Decryption Task

A small company has decided to use the web to sell some of its product. Being mindful of potential security problems, their consultant has advised that a simple form of encryption of critical data may be sufficient for their needs. Accordingly you have been engaged to provide a prototype solution for the problem specifications below: Construct a (web) form application to capture the order information for the client company. The nature of the business is that usually 1, but no more than 3, order lines are ever required, and payment method for this application is exclusively by credit/debit card. Although the product details would normally be obtained from a database, for testing purposes you are to provide for manual entry of the form items. The form content should have:
Customer Name
Shipping Address Line(s) 1, 2, 3
Postal Code
Transaction ID #
Transaction Date
Order Line Items Set – {product #, Qty, Price} x {1..3}
Credit Card Detail:
  Card Number (16 digits) {ccno}
  Expiry Date (mm/yy or mm/yyyy) {expiry}
  Cardholder Name (up to 30 chars) {ccname}
  Card Security Code (often on back of card – 3 or 4 digits) {security}
The solution application is required to encrypt the credit/debit card detail plus the order total price {total} [= qty1 x price1 + qty2 x price2 + qty3 x price3] as a single field in colon delimited format, and the other fields are to be merged into a single composite message, symbol delimited (eg $ or ˜) using as much detail as provided by the user or application. [eg. In the case of a single item entry, the encoded string would have “$$$$$$$” as the last part of the first concatenation.] The application should then store the transaction line as an appended detail line in a transaction file. After acceptance testing the application would send the transaction information as the body of an email to the nominated address (eg. orders@clientcompany) via a normal form-to-email application.
(ie. “name$addr1$addr2$addr3$post$transid$transdate”+ “$item1$qty1$price1…$item3$qty3$pr3$”+ “keycode:”+“ccno:expiry:ccname:security:total”)
Since there is only the one user of the data (the business owner), a symmetric encryption technique is to be used. In particular, the TEA (Tiny Encryption Algorithm) block encryption technique is to be applied using a randomly supplied keystring from a library of up to 255 keystrings. The keystring id should be inserted as a single byte at the front of the encoded data {labelled ‘keycode’ in the above example} so that the decryption routine can firstly parse the string into its 2 parts – keystring id and encrypted string – and then apply the appropriate keystring to decrypt the data so that it can be restored to the relevant credit card detail fields. {You may use one of the enhancer complications of Tutorial 7 to perform the encryption/decryption task as needed.} The randomising algorithm should be a relatively easily computable value (for example, seconds since midnight (from system clock) at the time the ‘submit’ button is clicked mod 255). Clearly this value needs to be recorded at least momentarily while the subsequent processing occurs.
The decryption application needs to be able to restore the data into the relevant data fields. This would be achieved either by downloading (eg FTP) the transaction data and performing the restore action, or capturing the email body content and performing the restore action. Submission for this task should comprise:
• Program listings for the part 1 message concatenation and encryption, and the part 2 restoration and decryption. Include a copy of your intermediate file either as a screen capture or printed version (if the encrypted segment does not contain non-printing characters).
• Documentation about your approach and its specific details.
• Personal reflection on what you have done/achieved/learned from this task.
Suggestion: If setting up a test environment you might test the direct emailing approach (to yourself) to capture and then interpret the transaction information.
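The following is an added example covering the whole part 1 / part 2 pipeline described above (message concatenation, keycode byte, TEA encryption of the card detail, and the matching restoration). It is not part of the assignment brief, not one of the Tutorial 7 routines, and not a sample solution. It implements standard TEA (32 rounds, delta 0x9E3779B9) on 64-bit blocks. Everything the brief leaves open is an assumption here: the keystring library is a constructed list of 255 demo strings, a keystring is turned into a 128-bit key by taking its first 16 bytes, the card segment is padded PKCS#7-style to a multiple of 8 bytes, and the keycode byte is stored raw between the plain composite and the ciphertext. The transaction line is built in the exact layout the brief gives, so a single-item order ends its plain part with “$$$$$$$”.

```python
import struct
from datetime import datetime

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key of four words."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: the same rounds undone in reverse order."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


# Constructed keystring library (assumption): 255 entries indexed by the one-byte keycode.
# A real deployment would hold 255 random, secret keystrings; these are demo values only.
KEYSTRINGS = ["%03d-constructed-demo-keystring" % i for i in range(255)]


def key_words(keystring):
    """Assumed key derivation: first 16 bytes of the keystring, NUL padded, as 4 big-endian words."""
    return struct.unpack(">4L", keystring.encode("utf-8")[:16].ljust(16, b"\0"))


def tea_encrypt(data, keystring):
    """Pad to a multiple of 8 bytes (PKCS#7 style) and encrypt block by block.
    This is raw ECB, which is what applying TEA directly gives: identical 8-byte
    plaintext blocks produce identical ciphertext blocks, so treat it as the
    prototype the brief asks for rather than a production scheme."""
    pad = 8 - len(data) % 8
    data = data + bytes([pad]) * pad
    k, out = key_words(keystring), bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack(">2L", *tea_encrypt_block(*struct.unpack(">2L", data[i:i + 8]), k))
    return bytes(out)


def tea_decrypt(data, keystring):
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k, out = key_words(keystring), bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack(">2L", *tea_decrypt_block(*struct.unpack(">2L", data[i:i + 8]), k))
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding check failed: wrong keystring or corrupted data")
    return bytes(out[:-pad])


def keycode_from_clock(now=None):
    """The brief's randomiser: seconds since midnight (system clock) mod 255, giving 0..254."""
    now = now or datetime.now()
    return (now.hour * 3600 + now.minute * 60 + now.second) % 255


PLAIN_FIELDS = 16   # name, addr1..3, post, transid, transdate, then 3 x (item, qty, price)


def build_transaction_line(order, card, keycode):
    """Part 1: '$'-delimited plain composite (trailing '$') + keycode byte + TEA(ccno:expiry:ccname:security:total)."""
    items = list(order["items"]) + [("", "", "")] * (3 - len(order["items"]))
    fields = [order[f] for f in ("name", "addr1", "addr2", "addr3", "post", "transid", "transdate")]
    fields += [str(x) for item in items for x in item]
    if any("$" in f for f in fields):
        raise ValueError("'$' is the delimiter and may not appear in plain fields")
    total = sum(qty * price for _, qty, price in order["items"])
    secret = ":".join([card["ccno"], card["expiry"], card["ccname"], card["security"], "%.2f" % total])
    if secret.count(":") != 4:
        raise ValueError("':' is the delimiter and may not appear in card fields")
    plain = "$".join(fields) + "$"
    return plain.encode("utf-8") + bytes([keycode]) + tea_encrypt(secret.encode("utf-8"), KEYSTRINGS[keycode])


def restore_transaction_line(line):
    """Part 2: split a stored line back into plain fields, keycode and decrypted card detail."""
    pos = -1
    for _ in range(PLAIN_FIELDS):            # the 16th '$' terminates the plain part;
        pos = line.index(b"$", pos + 1)      # counting from the left ignores any '$' in the ciphertext
    plain = line[:pos].decode("utf-8").split("$")
    keycode = line[pos + 1]
    secret = tea_decrypt(line[pos + 2:], KEYSTRINGS[keycode]).decode("utf-8")
    ccno, expiry, ccname, security, total = secret.split(":")
    return plain, keycode, {"ccno": ccno, "expiry": expiry, "ccname": ccname,
                            "security": security, "total": total}


if __name__ == "__main__":
    # Constructed sample order; the card number is a standard test value, not a real card.
    order = {"name": "Ann Example", "addr1": "1 Test St", "addr2": "", "addr3": "", "post": "5000",
             "transid": "T1001", "transdate": "2014-06-09", "items": [("P-7", 2, 19.95)]}
    card = {"ccno": "4111111111111111", "expiry": "06/14", "ccname": "ANN EXAMPLE", "security": "123"}
    line = build_transaction_line(order, card, keycode_from_clock())
    print(line)                               # the intermediate transaction-file line
    print(restore_transaction_line(line))
```

Because the ciphertext and the keycode byte are binary, the stored line is best written in binary mode (or hex-encoded before storage if it has to travel in an email body); the restore side locates the plain part by counting delimiters from the left, so ‘$’ bytes that happen to occur in the ciphertext do not confuse it. The padding check in tea_decrypt is what makes a wrong keystring fail loudly instead of returning garbage card fields.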
3. Scripting Evaluation Task

A friend of yours has decided to recommend you to an acquaintance of theirs who is establishing a new business venture specialising in the manufacture and supply of small sheds – toolsheds, garden sheds, bird aviaries, and similar. The owner of that business has already subscribed to a web hosting company which provides a unix/linux based host with some elementary perl scripts for form-to-email, guestbook, and simple web-mail applications. Other software technologies provided on the server include PHP and MySQL. Other than the web-mail application, the business owner is concerned that the provided scripts are either too basic or of uncertain security for the business model being proposed, and would prefer to upload his own applications for:
• customer relationship management, preferably including form-to-email facilities
• a job quoting system, to keep track of quotations given to customers
• basic e-commerce functions – to enable online orders to be placed and deposits to be taken (securely)
Being a new business venture, the costs of development of such applications are prohibitive, so the owner is seeking advice and recommendations regarding available scripts that could be used and modified if needed. Your task is to research available script libraries and suggest 3 appropriate scripts for each application, with a suitable review and recommendation about the preferred option. If possible, a freeware/shareware/open source application should be selected, but if not suitable a lower cost item should be proposed unless there are compelling reasons for not doing so. Your submission should take the form of a consultant report, clearly showing what you have reviewed, what associated work you have done, and ultimately what your final recommendations for the client are.
4. Technical Research Report Task

The technical research report task requires you to research any one of the following security issues and prepare a mini-conference style paper on that topic area. You are able to adopt a viewpoint from the perspectives listed about the topic area and construct a suitably justified argument that expresses your viewpoint. The mini-conference paper should be no more than 3000 words in length and contain an abstract, introduction, relevant content section(s), a conclusion, and a set of references. The report should be in 2-column format after the title and abstract, single-line spacing, and 11-point Times (New Roman) font. The final report should be submitted in pdf format. The topic issues <topic> from which you may choose are:
• Social Networking in Enterprises
• The Australian Privacy Principles (as amended in March 2014)
• A Security Culture in Enterprises
• The Role of Encryption in Information Security
• Testing the Effectiveness of an Enterprise’s Information Security Initiatives
• Using Forensic Computing Techniques in Enterprises
and combine the selected topic with one of the following perspectives:
• Does <topic> pose a serious security threat or not?
• Compare the Business Issues against the Technical Issues of <topic>.
• What is the impact of <topic> on enterprise information security planning?
• Other {a specific area of your own interest} **

** seek topic coordinator approval first
Assessment
The assessment for this assignment is subject to the following:
• Students are required to complete any 2 of the assignment tasks 1 – 4. Some of these tasks are practically oriented, and others are more report oriented.
• Each assignment task will be graded separately in the usual University range of [HD, DN, CR, P, F]. Where the task is assessed as being close to a neighbouring grade scale the symbols + and – may be appended to indicate whether the submission falls at the high or low end of the grade range. Variations to the overall mark are subject to the student nominated weighting for each part as described in the following paragraph.
• Students may nominate their weightings for each of the assessment tasks in the range 40-60% at the time of submission. Thus if you feel that each task is equally worthy, a 50-50 split (the default) would be nominated. If you feel that you have completed one task much better than the other, you might nominate a 60-40 split, or 55-45. If you wish to have a non-equal weighting applied to your tasks, you must clearly identify the task and chosen weighting at the time of submission.

Due Date: Monday June 9, 2014 at 5:00pm