
CSEC5616 — S1 2025

Assignment - 1

This is an individual assignment.

This assignment is worth 10% of the final marks of the course. It covers Weeks 1-3 (inclusive).

Submit your final report as a PDF and your code as a zip file in Canvas. In Canvas, under Assignment 1, you will find two links to submit your report and code separately.

You should explain any details of how to run your code in the report.

Please read the instructions below carefully.

*** IMPORTANT ***

1) Note the answer release date: Please note the answer release date mentioned below. Any submission after that will get zero marks, instead of a late penalty.

2) Typeset reports only: We accept only typeset answers. Any handwritten answers will get zero marks. This is because we can’t do plagiarism checks for handwritten answers.

3) DO NOT repeat questions in the report: Simply include the question number and your answer only. If you include question text in your answer sheet, your TurnItIn score will be high and there will be additional checks. This will cause a delay in releasing your marks. We will also impose a penalty of 10% of the total marks.

4) Cite your sources: If you are referring to any internet sources, include them as citations. We do not expect any specific citation style. You are free to select a style you think is appropriate. As mentioned in class announcements, you are free to use GenAI. If you do, make a declaration in the report.

*** SUBMISSION ***

Final Report & Code: Due by Week 5, Sunday the 30th of March, 2025 11:59 PM

Simple Extensions: For this assignment, you can apply for simple extensions following the university process. If your request is approved, the revised deadline will be 4th of April, 2025 11:59 PM. Please note that you have to do this yourself and there is no need to contact the unit of study co-ordinator. We will get an automatic email from the system if your request was approved. Also note that this system is not connected with Canvas, so it is normal for you to see the old deadline in Canvas even if your simple extension was approved.

Answer release: The answers to this assignment will be automatically released on the 7th of April 00:00 AM. Any submissions after that will get zero marks. If you have a legitimate reason that requires an extension beyond that, you will need to go through the university special considerations process. If approved, what you will be granted is a mark adjustment, not an extension.

1 Fundamental of Security Engineering (20 marks)

a) Security Goals (10 marks)

Analyse the following real-world IT-related incidents and data breaches where specific security goals were compromised. For each scenario, identify the compromised security goal (e.g., Confidentiality, Data/Message Integrity, Authenticity, Authorisation, Accountability, Non-repudiation, Deniability, Availability, Privacy) and explain how the incident compromised that goal.

You will have to do your research by referring to various news articles and incident reports to understand what happened in each incident. We have given some sample links to get you started, but feel free to investigate more and understand what happened in each incident. Most of the questions will have more than one correct answer, depending on how you look at them. We will accept them if your explanation is correct and related to the incident. However, you should only pick one, i.e. the one you think is most appropriate, and explain it. Attempts to list multiple answers will result in zero marks.

Provide clear and concise explanations for each scenario, as shown in the example.

Example 1 - CrowdStrike Falcon update failure 2024 - Link

Compromised Security goal: Availability

Explanation: Windows machines with the CrowdStrike Falcon Sensor installed went into the boot loop with BSOD (Blue Screen of Death), making them unusable and compromising availability.

Example 2 - Optus data breach 2022 - Link

Compromised Security goal: Confidentiality

Explanation: Personal information of Optus customers, such as driver’s licence number, passport number, and address, was harvested by an attacker using an unauthenticated API endpoint. Optus was in breach of keeping their customers’ data confidential. Here, arguments can be made for security goals such as authorisation and privacy, but they are secondary to confidentiality.

2 marks for each. 1 mark for correctly naming the security goal and one mark for the explanation.

i MOVEit Breach, 2023 Link

ii Okta Support System Breach, 2023 Link 1, Link 2

iii MGM Resorts Cyberattack, 2023 Link 1 Link 2

iv Medibank Breach, 2022 Link 1 Link 2

v SolarWinds Supply Chain Attack, 2020, Link.

b) Security Design Principles (10 marks)

Each of the following descriptions relates to one of the fundamental security design principles we discussed in class. In some cases, the situation illustrates the application of a fundamental security design principle; in others, it shows where a principle has been violated. For each scenario, name and briefly explain the corresponding fundamental security design principle. In some cases there will be more than one acceptable answer. We will accept them depending on your explanation. However, you should only pick one, i.e., the one you think is most appropriate, and explain it. Attempts to list multiple answers will result in zero marks. (2 marks for each)

i Kerckhoffs’s principle states that all details of a crypto system should be made public except for the key. By doing this, many can understand and even attempt to compromise the crypto system, identifying any associated vulnerabilities. Making system information public doesn’t weaken the crypto system. Every instance of the crypto system’s use will employ different secure keys, which an attacker cannot guess or brute-force efficiently.

ii Sam is building a secure network protocol for his company. The company has many different servers and computers with different operating systems and hardware capabilities. Sam’s protocol works like this. During the connection establishment phase, the sender and the receiver exchange the encryption schemes and key sizes they support. If there are common schemes, the sender chooses the highest commonly supported version with the highest possible key size. If there are no common encryption schemes, the protocol goes into the default mode of communication, which is non-encrypted communication.

iii Many modern enterprise networks use network segmentation for better security. Publicly accessible servers such as webservers and mail servers are placed in a Demilitarised Zone (DMZ) while the highly valued servers such as finance, payroll, and HR are in subnetworks that are not publicly accessible.

iv As an IT manager in the University, Adam has realised that many employees are reluctant to update their operating systems to the latest version. The main reason they highlight is that after operating system updates, some of the software employees use stops working and they have to uninstall and reinstall it. Some of the software configurations are also lost and the employees have to reconfigure them. As a result, many of the employees spend hours and hours trying to make their computers work properly after updates, and therefore generally don’t want to update their operating systems at all.

v Mobile apps in operating systems such as Android and iOS run in sandboxes. They have privileges granted by the users, but nothing more than that. For example, they are not allowed to access any of the operating system files.

2 Social Engineering (20 marks)

Mark is a senior IT administrator at a multinational tech company with strict security protocols. One afternoon, he receives a call from someone identifying themselves as Linda from “Global Cyber Audits,” a third-party vendor the company has worked with periodically for compliance checks. The call seems casual, and Linda references an upcoming audit that aligns with a recurring schedule Mark is familiar with. Though he hasn’t interacted with her, he does remember the name Linda from “Global Cyber Audits” from last time.

Linda: Hi Mark, this is Linda from Global Cyber Audits. How are you doing today? We’re getting ready for the compliance audit next week – it’s the usual routine. I wanted to confirm a few firewall settings we’ll need for the network tests.

Mark: Oh, sure. I remember the audit usually happens around this time. What do you need to know?

Linda: Appreciate it. Nothing major, just need to make sure I can access the firewall logs during the tests. Could you remind me of the VPN gateway address? I misplaced the note from last time.

Mark: Hmm, let me check. But I thought access was handled by Greg or IT security?

Linda: You’re right – Greg mentioned that in the last audit. I think he’s swamped right now, and this is more of a pre-check. I just need to make sure my login isn’t blocked by the firewall filters. If it’s easier, you can email it to me after this call. No rush.

Mark: I see. I’ll check and get back to you.

Linda: Thanks, Mark. One small thing – during the audit window, could you keep MFA off for the firewall admin account? Last time it blocked me halfway through testing, and Greg said it was fine to bypass temporarily.

Mark: I’ll have to double-check, but that sounds reasonable if it’s limited to the test window.

Linda: Perfect. I appreciate it, Mark. Let me know if you need anything in writing. I’ll loop back with Greg if needed.

A week later, Mark’s company found that a massive amount of sensitive data had been exfiltrated from them. Though Mark didn’t give any information to Linda, someone else seems to have done so.

i Identify two psychological biases Linda exploited during this interaction. Explain your answers. (4 marks)

ii Describe two red flags, different from your answers to i), that indicate this could be a social engineering attempt, despite the casual tone. (4 marks)

iii Linda seems to know quite a lot about Mark’s company. Explain how that is possible. (4 marks)

iv How could Mark have handled Linda’s requests in a way that adheres to security best practices without compromising workflow? (4 marks)

v Describe two procedural safeguards that should be in place to ensure that temporary security changes, like disabling MFA, are properly vetted. (4 marks)

3 Social Engineering in Practice (20 marks)

You are given an X (formerly Twitter) profile of a fictitious person.

https://x.com/EmilyB62363

Your task is to conduct some reconnaissance on the profile and guess the password used by this subject to zip a file. Write a Python program that takes a keyword list as input and creates a list of possible word combinations that may be used by this subject as a password.

For example, if you find the possible keywords to be “blue” and “car”, the Python program should be able to generate a list like the one below and programmatically try to unzip the given file by entering the generated passwords.

blue

car

blueblue

bluecar

carblue

carcar

Hint: The correct password contains lower case letters, digits, and a special character. The length of the password is less than 20 characters.

Include any details of how to run your code and the contents of the unzipped file in the PDF report and submit your code in the code submission link given in Canvas.

4 Access Control (20 marks)

a) Basics

i Access control is often categorised into two general forms (which we called two ends of a spectrum). What are they, and how are they different from each other? (2 marks)

ii Which form of access control, from the options above, do cloud-based storage solutions like Google Drive or Microsoft OneDrive use? Explain your answer. (2 marks)

iii Modern CPUs have support for access control. Explain two key ideas of the common x86 architecture. (2 marks)

iv In class, we learned about role-based access control (RBAC) and discussed its primary use in databases. However, there are other forms of access control. Conduct your own research on the following access control methods and explain them briefly (3-5 sentences each). For each method, provide an application case where it might be useful. (6 marks)

a Rule-based access control

b Attribute-based access control

c Break-glass access control

b) Security Policy Models

Table 1 and Table 2 show mappings between users and clearances, and between required clearances and objects, respectively. The clearance level increases as Basic, Internal, Confidential, Secret and Top Secret, in increasing level of security. Only these mappings are defined; no other rule sets exist. Explain if the following statements are right or wrong, and explain why.

i “In a Bell LaPadula model, Sarah can read the file financial_report.txt.” (2 marks)

ii “In a Biba model, Michael can edit company_memo.txt.” (2 marks)

iii “In a Bell LaPadula model, Thomas can help John access strategic_plan.txt by writing its content to company_memo.txt.” (2 marks)

iv “In a Biba model, Emma can modify strategic_plan.txt.” (2 marks)

User       Clearance
John       Basic
Sarah      Internal
Michael    Confidential
Emma       Secret
Thomas     Top Secret

Table 1: User Clearance Levels

Object                   Required Clearance
company_memo.txt         Internal
financial_report.txt     Confidential
research_proposal.txt    Secret
strategic_plan.txt       Top Secret

Table 2: Object Clearance Requirements

5 Linux Access Control (20 marks)

The questions below are associated with the provided Azure VM.

a) Basic Access Control

The questions below can be answered with Linux one-liners. Provide the answer to each question and include the command you used. Make sure that you include the command as letters/characters in the report (rather than screenshots/images), so that the markers can copy and paste the command and check whether it works.

i What is the User ID (UID) of the user sheppard? (1 mark)

ii What is the Group ID (GID) of the group athosians? (1 mark)

iii Find which group(s) the user carter belongs to. (1 mark)

iv Find all the users in the group humans. (1 mark)

v Does the user ronan have sudo access? There are multiple ways to do this. Answers requiring more than one command are also accepted. (1 mark)

vi Does the user carter have sudo access? There are multiple ways to do this. Answers requiring more than one command are also accepted. (1 mark)

b) File Permissions

For i-iii, use the Linux find command with the correct options and make sure that your command does not generate any permission denied messages or other error messages. Include the commands you used in your answer. You must include the full paths of the files.

i Find all the non-hidden files owned by user tela. (1 mark)

ii Find all the files owned by tela and associated with the group ancients. (1 mark)

iii Locate a file owned by mckay. Can carter write to this file? Can ladon write to this file? Explain your answer. (3 marks)

iv In user kolya’s home directory, you will find a file named secret_script.sh. Can the user ladon execute this file? Can the user todd execute this file? Explain your answer. (2 marks)

v In iv) above, note that the permission string for others is ‘r-x’. Will your answers to iv) change if you change the others permission to ‘--x’? Explain. (2 marks)

c) SUID Bit

i Find all the files owned by root and having the group humans. Similar to above, your command must not generate any permission denied messages or other error messages. (1 mark)

ii The search in i) will return two files. Explain the difference in permission strings of these two files. (2 marks)

iii Explain and demonstrate how the permission setting in one of the files can create a security vulnerability. (Hint: You will have to run the files and use the whoami command.) (2 marks)


