Unit:
Network Security and Cryptography
Assignment title:
Smith and Jones Auctions
Spring 2020 – 20 Credit
單元:
網絡安全和密碼學
作業標題:
史密斯和瓊斯拍賣行
• 2020年春季– 20學分
Scenario
As the world’s largest industrial auctioneer, Smith and Jones Auctioneers conducts hundreds of live unreserved public auctions of used heavy equipment, trucks and industrial components every year. Auctions take place at more than 60 auction sites in North America, Europe, the Middle East, Asia, and Australia. More than half of bidders participate online, at www.SandJauction.example.com.
The company works hard to keep the network fast and free of infections. Malware can prevent customers from bidding online and can expose sensitive information. “We need to give customers confidence that online bidding is safe and secure,” says Milo, senior network security specialist for Smith and Jones. “Their first experience has to be good.” A common source of infections is when employees or customers unknowingly click links to malicious websites. Smith and Jones had tried using a web-filtering application at the head office. “The trouble was that routing web traffic from all 60 sites to one location slowed down critical business applications,” says Milo. Routing all web traffic through Canada also meant that customers at auction sites around the world could only use Canadian search engines. Smith and Jones. decided to give each auction site its own Internet connection for web traffic but the company wanted to centrally control web security for all auction sites.
Additionally, the company intends to confidently offer guest Wi-Fi access at all auction sites. Customers like being able to connect with their phones or tablets to browse the web and check email. They can also bid online for items at other auction sites, increasing sales. Auction sites expect as many as 500 people to connect over Wi-Fi at the same time.
Key Challenges
• Adding two new sites (Manchester & Mexico City) and using the new sites as prototypes for all other Smith and Jones auctions sites
• Connect sites through to main site in Toronto
• Prevent network outages and protect sensitive information
• Provide great experience for employees and customers
• Minimise workload for small IT team
• Offer a Site Security Solution
• Improve/Future proof WAN performance
• Identify and design Wi-Fi BYOD systems
情境
作為全球最大的工業拍賣商,史密斯(Smith)和瓊斯(Jones)拍賣商每年對二手重型設備,卡車和工業零件進行數百場無保留的現場公開拍賣。拍賣在北美,歐洲,中東,亞洲和澳大利亞的60多個拍賣地點進行。超過一半的投標人都通過www.SandJauction.example.com在線參與。
該公司一直在努力保持網絡快速且不受感染。惡意軟件可以阻止客戶在線競標,並可能洩露敏感信息。 Smith和Jones的高級網絡安全專家Milo說:“我們需要讓客戶相信在線投標是安全的。” “他們的初次體驗必須是好的。”常見的感染源是員工或客戶在不知不覺中單擊指向惡意網站的鏈接時。史密斯和瓊斯曾嘗試在總部使用網絡過濾應用程序。 “問題在於將Web流量從所有60個站點路由到一個位置會降低關鍵業務應用程序的速度,” Milo說。通過加拿大路由所有網絡流量也意味著世界各地拍賣網站上的客戶只能使用加拿大搜索引擎。史密斯和瓊斯。決定為每個拍賣站點提供自己的Internet連接以進行網絡訪問,但該公司希望集中控制所有拍賣站點的網絡安全。
此外,該公司打算在所有拍賣網站上為客人提供Wi-Fi接入。客戶喜歡能夠通過手機或平板電腦進行連接以瀏覽網頁並查看電子郵件。他們還可以在線競標其他拍賣網站上的物品,從而提高銷量。拍賣網站預計將有多達500個人同時通過Wi-Fi連接。
關鍵挑戰
•添加兩個新站點(曼徹斯特和墨西哥城),並將這些站點用作其他所有史密斯和瓊斯拍賣場的原型
•將站點連接到多倫多的主要站點
•防止網絡中斷並保護敏感信息
•為員工和客戶提供豐富的經驗
•最小化小型IT團隊的工作量
•提供站點安全解決方案
•改進/面向未來的WAN性能
•識別和設計Wi-Fi BYOD系統
Task 1 – Risk Assessment – 10 Marks
• Analyse the scenario and identify what you consider to be the 5 most important electronically held information assets for the Smith and Jones. Justify your decision. You will need to make some reasonable assumptions here, since the scenario is brief.
This section of the report should be approximately ONE HUNDRED AND FIFTY (150) words.
• Create a table (see below) which lists the assets. For each asset identify the main security threats that you think could affect its confidentiality (C), integrity (I) or availability (A). Remember, threats can be accidents as well as malicious. There are likely to be multiple threats for each asset and the same threats are likely for several assets.
Asset
Threat
CIA?
Likelihood
Impact
Risk
E.g. Personal data
Server failure
A
Low
Medium
Low
Employee theft
C
Low
High
Medium
任務1 –風險評估-10分
a)分析場景並確定您認為史密斯和瓊斯最重要的5種電子持有的信息資產。 證明您的決定。 由於場景很短,因此您將需要在此處做出一些合理的假設。
報告的此部分應大約一百五十(150)個字。
b)創建一個列出資產的表格(見下文)。 對於每項資產,請確定您認為可能會影響其機密性(C),完整性(I)或可用性(A)的主要安全威脅。 請記住,威脅既可以是事故,也可以是惡意的。 每個資產可能存在多種威脅,而某些資產可能存在相同的威脅。
• Complete the columns of the table by assessing the likelihood of the threat being successful and the impact that it would have on the company. In this scenario you should consider Low/Medium and High definitions as follows:
c)通過評估威脅成功的可能性及其對公司的影響,來完成表格的各列。 在這種情況下,您應考慮以下的“低/中”和“高”定義:
Likelihood
Impact
Low
Less than once per year
Low
Inconvenience may affect operation for a day or two
Medium
Once per year to once per week
Medium
Operation may be impacted for over a week, loss of customers
High
Several times a week
High
Company may not survive – lost reputation and customers
• Now complete the Risk column by using the following Risk matrix.
d)現在,使用以下風險矩陣填寫“風險”列。
Impact
Low
Medium
High
Likelihood
Low
Very Low
Low
Medium
Medium
Low
Medium
High
High
Medium
High
Very High
Task 2 – Controlling the risks – Explanation – 45 Marks
Once you have identified the highest risks, you need to make recommendations of how to control those risks, i.e. what security you will put in place.
• Discuss each of the threats you have identified and explain what security you recommend they use to reduce the risk and justify your choice.
• Discuss why there will be a need for encryption and state the protocol or encryption algorithm that you recommend.
This section of the report should be approximately NINE HUNDRED (900) words.
任務2 –控制風險–解釋-45分
一旦確定了最高風險,就需要對如何控制這些風險提出建議,即您將採取何種安全措施。
a)討論您已識別的每種威脅,並說明建議使用哪些安全措施來降低風險並證明選擇的合理性。
b)討論為什麼需要加密並說明您建議的協議或加密算法。
報告的此部分應大約九百(900)字。
Task 3 – Setting up the VPN – 30 Marks
• Explain the two site-to-site VPN connection options for using either the Intranet or Extranet outlining the differences and benefits. You should make recommendations regarding which option would be the best option for Smith and Jones auctions to their branch sites and justify your recommendation.
• Draw a diagram, showing the components that will be needed to create the siteto-site VPN connection between Main site and the Mexico City and Manchester branches. Each client PC need not be shown, but all other components should be included.
• As part of the security features of using a VPN, discuss the use of Firewalls and the rules they use.
This section of the report should be approximately SIX HUNDRED (600) words.
任務3 –設置VPN-30分
a)說明兩個站點到站點VPN連接選項,以使用Intranet或Extranet概述其區別和好處。 您應就史密斯和瓊斯拍賣行到其分支機構的最佳選擇提出建議,並提出合理的建議。
b)畫一個圖,顯示在主站點與墨西哥城和曼徹斯特分支機構之間建立站點到站點VPN連接所需的組件。 無需顯示每台客戶端PC,但應包括所有其他組件。
c)作為使用VPN的安全性功能的一部分,討論防火牆的使用及其使用的規則。
報告的此部分應大約六百(600)字。
Task 4 – Maintaining Security – 5 Marks
Explain any actions you would recommend for ensuring security is taken seriously across the partnership by all users and how you would monitor the effectiveness of the Information Security Management System.
This section of the report should be approximately ONE HUNDRED AND FIFTY (150) words.
任務4 –維護安全– 5分
說明您建議採取的確保所有夥伴認真對待安全性的所有措施,以及如何監控信息安全管理系統的有效性。
報告的此部分應大約一百五十(150)個字。
Task 5 – 10 Marks
Using the Rolfe, G., Freshwater, D. and Jasper, M. (2001) model, critically review the learning that you have undertaken in order to complete this assignment.
Based upon your learning, your reflection should include a description; an analysis and; an action plan in order to bring about improvements in the future.
任務5 – 10分
使用Rolfe,G.,Freshwater,D.和Jasper,M.(2001)模型,批判性地回顧您為完成這項任務而進行的學習。
根據您的學習,您的反思應包括描述; 分析和; 一項行動計劃,以期在未來實現改進。
Submission requirements
• The report should be professionally presented, checked and proofed. In addition, the report should be presented in a format and style appropriate for your intended audience. You must also include a list of references and you must always use correct Harvard referencing and avoid plagiarism throughout your work.
• Your answers to the tasks should be combined in a single word-processed report with an appropriate introduction. The report should be 1750 words +/- 10% in length (excluding tables).
• Familiarise yourself with the NCC Education Academic Dishonesty and Plagiarism Policy and ensure that you acknowledge all the sources which you use in your work.
• You must submit a paper copy and digital copy (on disk or similarly acceptable medium).
• Media containing viruses, or media which cannot be run directly, will result in a fail grade being awarded for this module.
提交要求
•報告應經過專業介紹,檢查和校對。 此外,報告應以適合您的目標受眾的格式和样式呈現。 您還必須包括參考文獻列表,並且必須始終使用正確的哈佛參考文獻,並在整個工作中避免竊。
•您對任務的答案應合併在一個單詞處理的報告中,並提供適當的介紹。 報告長度應為1750字+/- 10%(不包括表格)。
•熟悉NCC教育學術不誠實和Pla竊政策,並確保您認可在工作中使用的所有資源。
•您必須提交紙質副本和數字副本(在磁盤或類似的可接受介質上)。
•包含病毒的介質或無法直接運行的介質將導致此模塊的等級為失敗。