Peters Excellent Packers (PEP) is a meat packing and delivery
service located in Western Sydney. They are a small to medium
enterprise, and last year their turnover was about $15 million.
They employ a small number of staff and use their own software
system, developed in-house in the late 90s. This system is used for
all accounting and inventory purposes, as well as the bulk of their
tax reporting, although they still employ one accountant, the CFO,
Kishwar Chowdhary.
The business has a website which takes orders for their services
and issues invoices. It is linked to their main transactional
database. They are also contracted to pack and supply meat goods to
large shopping centres. The firm has a small network on their
premises. Currently, all IT related duties are performed by staff
member, Elise Pulbrook.
The management of PEP has recently become aware of the attack on
JBS Foods in early 2021. The company is concerned that attacks like
the one on JBS Foods are on the rise. As part of your report, PEP
want you to give a brief explanation and timeline on the attack on
JBS Foods. (Note: PEP is fictional, but JBS Foods and the attack on
JBS Foods is a real-world case, which also affected businesses in
Australia. You must discuss the real-world attack, with references,
including the Australian impact. You cannot “discover” fictional
data about JBS Foods, although you are encouraged to do so for
PEP.)
PEP has called on you and your small team of cybersecurity
consultants, to improve the security of their organisation. They
want to protect against the same type of attack that hit JBS Foods,
but they may also want mitigation against any threats or
vulnerabilities you might find after investigating their
organisation. This “investigation” is a part of A2.
In preliminary discussion with the CEO, Peter Campbell, it seems
there is no system-wide intrusion detection and prevention and no
network segmentation, although the CEO seemed quite vague on the
topic.
In the first instance (for your assessment 2), PEP wants a report
on threats and vulnerabilities in their organisation. (You should
“discover” at least 10 threats and/or vulnerabilities and map these
against the STRIDE categories. See the assessment brief.)
After this, they might commission you to design a project of
mitigation with some recommendations of ongoing security management
(this will be your assessment 3). In the mitigation scheme, as much
as possible, they want you to match controls against threats and
justify your controls in the case of the threat(s) related to the
specific attack on JBS Foods. (This is for assessment 3.)
You have negotiated with PEP to use STRIDE to perform an IT
security risk analysis, to advise them on their overall
cybersecurity but also report on their in-house system.
Peter Campbell has sent you an email with some helpful links to the
JBS Foods attack that have raised the concern of PEP.
JBS Foods attack:
White House Warns Business Leaders To Increase Cybersecurity
Cyber attack shuts down global meat processing giant JBS
Assessment Task and Context
The goal of this assessment is to identify the threats or
vulnerabilities in the case scenario described in the associated
file, Assessment Initial Case Scenario.docx. NOT all threats or
vulnerabilities you “discover” are in the initial case scenario.
The scenario discusses some elements of the business that are
needing mitigation, but you will need to also “discover” other
threats or vulnerabilities.
You should use this assessment brief document to guide what to
include in this assessment and use the provided case study to help
demonstrate understanding of the topic.
Instructions
To successfully complete this assessment, your MIS607 Assessment 2
MUST include:
▪ Data Flow Diagram (DFD) – The DFD must relate to the business
described in the initial case scenario. You must remember that the
DFD is the FIRST step in the “Risk Analysis” process, but it is not
the main output of this assessment. The main output of MIS607
Assessment 2 is the categorized threats (see below).
For the DFD section of your report, you will need to present at
least a “Context Diagram” and a “Level-0 Diagram”. You can include
further levels of DFD (e.g. Level-1, Level-2) if you feel they are
needed to show a threat boundary, but it’s not necessary.
The level-0 diagram (and further level diagrams, if needed) must
not break the rule for proper DFD formation/development. And the
DFDs (excluding the Context Diagram) MUST have labelled threat
boundaries.
You MUST use the below symbol conventions shown and used in classes
when developing and drawing the DFDs:
- Initial Case Scenario Peters Excellent Packers Pep Is A Meat Packing And Delivery Service Located In Western Sydney T 1 (33.03 KiB) Viewed 125 times
Threat Model Report Individual/Group
Individual Length
1500 words (+/-10%) Learning Outcomes
▪ Threats Discovery – The main output of MIS607 Assessment 2 should
be a table with a set of minimum 10 threats or vulnerabilities that
need mitigation in the case scenario organisation. Out of these 10
threats or vulnerabilities, choose 3 and explain them in more depth
below the table. You will discover these threats or vulnerabilities
with the help of the DFDs and the threat boundaries.
Imagine yourself as a consultant called into work inside the
business to discover threats. For this assessment, business acumen
and business logic in approaching threats is what is
required.
The main threat for this assessment resembles a real-world attack.
You need to develop a brief, factual overview of the real-world
attack (web links can count as references here since the attack
might not yet be covered academically). You are required to
reference suggested mitigations, or costs in the real-world attack
as this will help enormously with both MIS607 Assessment 2 and
Assessment 3 and will be taken into consideration when marking.
IMPORTANT NOTE: Any explanation of the real-world case is based on
real information/data, NOT speculation or simulated
“discovery”.
It is important to understand that you need to “discover”
additional threats or vulnerabilities on the associated initial
case scenario. The case scenario is only an initial assessment of
the organisation. The “discovery” can be simulated based on your
simulated investigation. Obviously, you must cover the main threats
already identified in the case scenario, but other threats or
vulnerabilities should be “discovered” by you. In this regards,
inform the reader about what discovery techniques were used. In
bullet points inform the audience …. “who you talked to”,
“questions you asked” – but keep this very brief (maximum 8-10
bullet points).
▪ STRIDE Methodology – will be used in this assessment. Note
carefully that the DFDs are NOT the main output of this assessment.
The main result of this assessment is a “set of threats or
vulnerabilities”. Important points to consider are:
✓ Try to map these threats or vulnerabilities as best you can
against threat boundaries;
✓ And categorize the identified threats or vulnerabilities as best
you can, against STRIDE categories.
The STRIDE categories are NOT the threats. Do not be concerned if
the threats you discover do not fit all STRIDE categories. In a
full real-world assessment with hundreds of threats, this would be
the case, but with around 10 threats this will probably not be
possible. You can make assumptions, but the report is written from
the point of view of a consultant who has made “discoveries” from
their investigations. In the simulation you may gather needed
information from stakeholders. Assessment markers are aware that
the technical information
Report Structure and Format:
The report should have the following heading structure.
Assignment Cover Sheet (Individual)
(Found via the following link:
https://www.torrens.edu.au/policies-forms) Make sure to complete
Sections 1, 2 and 3 of the “Assignment Cover Sheet (Individual)”
and sign and date it. Once finished, take a screenshot and insert
it on the first page of your assessment WORD document as a JPG
file.
Executive Summary
Mainly this section is where you “Summarize” your report. The best
time to write the Executive Summary is when you have finished
working on your assessment. By then you will be able to “Summarise”
your work. It should be written in a simple and easy to read
language. IMPORTANT NOTE: Make sure to ONLY provide the summarised
version of the report.
1. Introduction
In this section introduce your assessment/report to the reader.
Think of the purpose and objectives of your assessment and ask this
question from yourself that why this assessment is valuable and
important? You will need to provide a short description of the case
scenario. Overall, the introduction section is about “What the
assessment is going to be about?”.
2. Main Discussion
IMPORTANT NOTE: The required discussions for sub-sections 2.1, 2.2
and 2.3 are discussed earlier in this assessment brief document
(see above).
2.1. Data Flow Diagrams (DFDs)
2.2. Threats Discovery
2.3. Threats List and STRIDE Categorisation
3. Conclusion
In this section, you will wrap up your discussion in a clear and
simple way. Overall, the conclusion section reminds the reader what
the report/assessment has been about. Indicate and discuss the
major findings and/or recommendation of your report.
4. References
A minimum of three (3) references are required in this assessment.
At least one (1) reference needs to be a “peer-reviewed” journal
article or a conference paper. IMPORTANT NOTE: You are welcome to
use more than three (3) references in your MIS607 Assessment 2
based on your decision and preference; however, the minimum number
of references to be used in this assessment is three (3)
references.
It is essential that you as the author of your assessment/report
use appropriate APA style for citing and referencing research.
Please see more information on referencing here in the Academic
Writing Guide found via the Academic Skills website.
Make sure to list the references alphabetically and where possible,
make sure to use the most recent references.
5. Appendices (Appendix 1, Appendix 2, etc.)
Overall, there is no need to have an Appendix in this assessment;
however, if there is any EXTRA information which you might think of
being necessary in your assessment, you can use this section to
highlight it. IMPORTANT NOTE: ALL important and necessary
information (e.g. DFDs, Threats, STRIDE, etc.) for your report MUST
be inserted and discussed within the report and NOT in Appendices
(Appendix 1, Appendix 2, etc.) section.
MIS607 – Assessment 2 Brief – Threat Model Report Page 4 of 6
IMPORTANT NOTES FOR MIS607 ASSESSMENT 2 SUBMISSION:
▪ This assessment must be submitted as a WORD document (*.docx OR
*.doc).
▪ Make sure to follow the provided guideline on how to fill in the
“Assessment Cover Sheet”.
▪ The report should use Arial or Calibri fonts, 11 point. It should
be line spaced at 1.5 and must have page numbers on the bottom of
each page.
▪ The word count for this assessment is 1500 words (+/- 10%), NOT
counting Tables, Figures, Executive Summary, Cover Sheet,
References, and Appendices (if any).
▪ It is highly advised that you read the “case scenario” several
times. Then, read through this assessment brief document and take
notes for your assessment writing task. Furthermore, make sure to
check the Marking Rubric for more information on how marking is
completed.
▪ You must be careful NOT to use up the word count discussing any
type of general information such as cybersecurity basics and etc.
This is NOT an exercise in summarising class notes and etc.
Discussing general information and material will not count towards
marks.
▪ Make sure to use a reasonable number of Tables and Figures in
your assessment.
▪ ALL inserted/used Tables and Figures within the report MUST be
captioned/labelled and numbered (e.g. Table 1, Table 2,
etc.).
▪ ALL inserted/used Tables and Figures within the report require
being initially introduced and then discussed in a clear, focused
and simple way.
▪ Within the assessment document, when referring to Tables and
Figures, you require to refer to them by their captions. NOTE:
Tables and Figures without a caption may be treated as if they are
not in the report.
▪ Discovery techniques for your assessment can include interviews,
questionnaires, observations, and documentation. You might use
other techniques as well. Overall, to “discover threats or
vulnerabilities” you can use one of these techniques.
▪ Leading into MIS607 Assessment 3, try to concentrate on threats
with “corresponding controls”. IMPORTANT NOTE: The “controls” are
NOT part of MIS607 Assessment 2 but be prepared to find the
“controls” for your MIS607 Assessment 3. For instance:
✓ Weak Passwords: Password policy and/or 2 factor
✓ Fire: Fire alarms and extinguishers and/or fire insurance,
✓ Theft: CCTV system
▪ Please be advised that if you do not perform so well with MIS607
Assessment 2 (Your Assessment 2 mark is less than 60%), you will
need to fix the issues noted in your assessment 2 once the feedback
is provided and then you must include your MIS607 Assessment 2 in
your MIS607 Assessment 3 “Appendix 1” section. IMPORTANT NOTE:
There will be NO MARKS for the remediation of MIS607 Assessment
2.
Academic Integrity
All students are responsible for ensuring that all work submitted
is their own and is appropriately referenced and academically
written according to the Academic Writing Guide. Students also need
to have read and be aware of Torrens University Australia Academic
Integrity Policy and Procedure and subsequent penalties for
academic misconduct. These are viewable online. Students also must
keep a copy of all submitted material and any assessment
drafts.
Submission Instructions
You should submit your MIS607 Assessment 2 via the Assessment link
in the main navigation menu in MIS607 Cybersecurity on the Student
Portal.
The learning facilitator will provide feedback via Grade Centre in
the Student Portal. Feedback and the mark can be viewed in “My
Grades”.
You MUST use the below symbol conventions shown and used in classes when developing and drawing the DFDs: 1S607 - Assessment 2 Brief - Threat Model Report Page 1 of 6 TORRENS UNIVERSITY AUSTRALIA Process Data Flow Data Store Entity