CSE1ICB Introduction to Cybersecurity

Assignment 2: Threat Assessment and Network Simulation

Instruction

· Please submit via CSE1ICB LMS page Assignment submission section.

· This assignment is due on Week 8:  11.59 pm (AEST/AEDT), Friday, 2 May 2025

· Evaluation: 30 marks (= 30% of your final grade)

· You must submit a PDF or word file for Part 1 and Packet Tracer file (.pkt) for Part 2.

· Please write your full name and student number on the top of the first page.

· Cut-off days: 5 days, no submission is allowed after cut-off periods.

· 10% late submission penalty per day will be applied for submissions during the cut-off days.

· Any submission in the draft will be marked as zero.

Description:

The risk assessment methodology forms part of a standard risk management process (depicted in Figure 1), which enables an organisation to effectively identify, assess, and treat risk.

Understanding the importance of threat and risk assessment, a small business wants to strengthen its security posture by analysing the vulnerabilities and threats in its network (shown in Figure 2) to assess the risks involved. The company includes three sectors (subnets) for Staff, Finance, and Human Resource (HR).  Suppose that you are a member of the risk assessment team of that company, and you are expected to perform. comprehensive risk assessment to protect the company’s assets. The three main phases of the risk assessment include risk identification, risk analysis, and risk evaluation. After risk assessment is completed, the company will decide to implement appropriate risk treatment (accept, avoid, or mitigate the risk).

Current Setup: The company’s network has three subnets: i) Staff subnet, ii) Finance subnet, and iii) HR subnet. Some hosts in each subnet are connected to the Internet and can be the entry point of cyber-attacks. All subnets are connected using the routers. PC0, PC1, and PC2 in staff subnet are connected to the Internet, PC 4 in finance and Server0 in the HR are also connected to the Internet. Server is connected to a local database and also provides critical services to the users; server needs to be always available for legitimate users.

Part 1: Threat (Risk) Assessment (20 Marks)

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This Database is one of the most well-known vulnerability repositories that provides useful information regarding current vulnerabilities and quantifies them based on some important metrics such as Base score, exploitability, Impact, and so on. The NVD vulnerability search engine: https://web.nvd.nist.gov/view/vuln/search

The company purchases the Nessus vulnerability scanner tool to scan its subnets and hosts for possible vulnerabilities.

Step 1: Risk (threats) Identification (10 Marks)

Suppose that you have completed some parts of threats identification and performed the vulnerability testing process. The captured vulnerabilities for each critical PCs in the company’s subnets are listed in Table 1.

Deliverable:

1. Complete the risk identification process by describing each discovered vulnerabilities and pinpointing the status of the vulnerabilities (e.g. fixed, patched, updated, etc.) and other information asked in Table 1. Note: refer to NVD website to get required information. (6 marks)

2. Identify all possible threat actors, threats, and information assets based on the “current setup” provided in description part in page 1. Describes all important facets of possible attack scenarios. (4 marks)

Step 2: Risk Analysis (5 Marks)

After identifying and capturing the threats and risks (as in step 1), you need to perform. risk analysis to gain some real measurements such as impact and likelihood (or exploitability).

Deliverable:

1. Complete Table 2 by searching each vulnerability in NVD vulnerability search website and reflect exploitability and impact metrics. (3 marks)

2. Provide a brief description about CVSS base score, exploitability score, and impact score. (2 marks)

Step 3: Risk Evaluation (5 Marks)

The risk assessment team suggests the following formula to compute risk for each Host:

Risk = Likelihood * Impact

· Likelihood (probability of attack success): this can be achieved based on the exploitability metric divided by 10 based on Table 2 for each vulnerability. For example, if exploitability is 8.6, the likelihood is (8.6 / 10 = 0.86)

· Impact: this can be achieved based on the Impact metric in for each vulnerability in Table 2.

Deliverable:

1. Complete Table 3 by assessing the risks for each host given in table 2 (based on the above formula). (3 marks)

2. What type of risk assessment have you performed in this assignment? Why? Compare it with the other type of risk assessment discussed in the lectures. (2 marks)

Table 3

Part 2: Network Simulation – Access Control List (10 Marks)

To reduce the risks of malicious access to the server, the company plans to restrict access to the server 0 (in HR) from the hosts that are connected to the internet (PC0, PC1, PC2 in staff subnet and PC 4 in finance). Your task is to build an access list policy, implemented in the Packet Tracer, for the company’s network shown in Figure 2 that satisfies the following access control list rules (networks are given in Figure 2).

Access Control List Rule:

• PC 0, PC1, and PC 2 in Staff network, and PC 4 in Finance subnet cannot ping Server 0 in HR.

• All other PCs can access the server (e.g., can ping the server).

Deliverable:

1. Complete table 4 and include all required IP addresses asked. (1.5 marks)

2. Create Packet Tracer Network and give appropriate IP address to PCs, Routers’ interfaces, and configure the routing tables. (2.5 marks)

3. Implement following access control list: (6 marks)