
Question

Purpose: The purpose of this assignment is to assess the students' understanding on identifying the risks,
vulnerabilities and awareness of current industry and research trends in the field of information security.
Students need to exercise operational, analytical, and critical skills in order to reduce the potential security
risks involved in the given case study. Analyse and evaluate the organisational adoption of security controls.
Design solutions for concrete security problems for distributed applications. This assessment contributes to
learning outcomes a, b, c, d.
Value: 35%
Due Date: Report submission Week 11; Demonstration Week 12
Assessment topic: Risk identification, assessment and treatment
Task details: This Assignment requires you to perform risk identification, assessment and treatment based
on the given case study. Also, it is required to implement ethical hacking (which does not do any malicious
activity) on your own virtual machine. This is just for demonstration purposes and focusing the risk
identification, assessment, and treatment accordingly, and you should implement it on any other computers.
The assignment specification requires you to use Kali Linux and the related tools to perform the
configuration and testing.
Case Study: XYZ Tech Solutions - Securing a Distributed Web Application
Introduction:
XYZ Tech Solutions is a leading technology company specializing in providing a distributed web application
that enables clients to manage sensitive financial data securely. The application allows users to access
their financial information, perform transactions, and view real-time analytics. The platform is designed to
handle a large volume of users and financial transactions simultaneously, making it a valuable tool for both
individuals and businesses.
Challenges:
Despite XYZ Tech Solutions' commitment to information security, the company faces several challenges in
ensuring a robust security posture across its distributed web application:
Increasing Cyber Threats: The cybersecurity landscape is constantly evolving, with sophisticated cyber
threats emerging regularly. Ensuring the protection of sensitive financial data is paramount, as any security
breach could result in severe financial and reputational consequences for the company and its clients.
Web Application Complexity: The distributed nature of the web application involves numerous
interconnected components, such as web servers, databases, APIs, and administrative interfaces. Each
component represents a potential entry point for attackers, necessitating a comprehensive security
assessment.
Regulatory Compliance: XYZ Tech Solutions operates in a highly regulated industry where compliance with
data protection and privacy regulations is crucial. Adhering to industry standards such as PCI-DSS, GDPR,
and ISO 27001 is vital for maintaining the trust of clients and ensuring legal compliance.
Let us assume that XYZ Tech Solutions hires you to develop an information security plan to identify
the possible threats to the organization. For example, it is necessary to identify the important services (e.g.,
website, booking portal, electronic equipment) that XYZ Tech Solutions is managing.
The criteria that you need to address based on the given scenario are summarized into two parts:
Part A:
1. Assessing the current risk of the entire business
2. Treat the Risk as much as possible
KINGS OWN INSTITUTE*
Success in Higher Education
ICT205 CYBER SECURITY T32327-Oct-23 Page 12 of 17
AUSTRALIAN INSTITUTE OF BUSINESS AND MANAGEMENT PTY LTD ABN: 72132629979 CRICOS 03171A
Task I: Risk Identification
In achieving the above two goals, you will do the following:
1. Find at least five assets
2. Find at least two threats against each asset
3. Identify vulnerabilities for the assets
Task II: Risk Assessment
At the end of the risk identification process, you should have
i) a prioritized list of assets and
ii) a prioritized list of threats facing those assets and
iii) Vulnerabilities of assets.
Using the information gathered during risk identification, create a prioritized list of assets, threats, and
vulnerabilities. Develop a Threats-Vulnerabilities-Assets (TVA) worksheet to assist in risk rating
calculations. Calculate the risk rating of each of the identified triplets out of 25.
Part B:
You are expected to implement one of the attacks that could be happening on any of the assets. For
example, if one of the assets is the platform used (e.g., Booking portal), it has a login page, and the
patients have to enter their username and password. You can assume that the platform is vulnerable to
password-cracking attacks. This assessment requires you to use password crackers to break passwords.
A password cracker is software designed to break passwords. Use two types of password crackers (e.g.,
Brute force Attack, Rule Attack or Dictionary attack) to extract passwords from the Rainbow
