7025CEM Assignment Help
Intrusion Detection and Response Assignment help
Module Learning Outcomes Assessed:
1. Critical awareness of the legal, ethical and professional issues involved in incident response investigation.
2. Evaluate and apply appropriate technological solutions and processes in the detection, management and
investigation of information and system security incidents.
3. Critically evaluate and apply digital forensic methodology to cyber security incidents and commercial
investigation; establish an audit trail, documenting a digital investigation from a legal and professional
perspective.
4. Ensure all actions undertaken are Association of Chief Police Officers (ACPO) Principles of
Digital Evidence compliant.
Instructions
Coursework Motivation
This coursework is designed to assess your research and analytical abilities. Often, in the course of your
career, you will find that you are faced with new technologies and concepts. Such situations will require
you to conduct research and investigation to evaluate new tools and techniques. This requires a degree
of independence of thought, and building confidence in new approaches based on technical design.
Your analytical abilities will be called into question almost daily and you will often be faced with
challenges under economic, social, legal and ethical constraints.
Writing Guidance
This coursework requires you to answer ALL questions. The questions should be answered in the given
order in a single report. You do not need to provide an abstract.
This document is for Coventry University students for their own use in completing their
assessed work for this module and should not be passed to third parties or posted on any
website. Any infringements of this rule should be reported to
facultyregistry.eec@coventry.ac.uk.
Be clear and precise with the use of terminology. So, for example, terms such as data, traffic, packets,
messages and information are often used interchangeably. Note that these are different terms and
convey different meaning in different contexts.
It is highly recommended that you read the questions carefully before answering. Illustrations are
encouraged, but should be clearly labelled and relevant; otherwise they may not aid clarity and may
cause confusion.
Client Network
The network, shown in Figure 1, represents a client network that you are called to handle. Your role, as
a network security evaluation specialist, is to help the client design and build an effective evaluation
and monitoring solution. Your client has specific requirements that need to be met and expects you to
address some of the technical and legal challenges involved. The client owns all the data created,
processed, stored and communicated on the networked systems, some of which is sensitive.
The network is designed such that the various services are spread across three server farms. Each
server farm hosts server nodes behind its respective gateway node, numbered 3, 4 and 5. Gateway nodes
8-13 connect to client nodes (several hundred) distributed across subnets.
The nature of service traffic is a combination of web services (for external customer enquiries and
ecommerce), and various application services for use within the organisation. Some of the services
need to be accessible from the outside world.
The nodes are diverse in their configuration, with different levels of access to services and to the
outside world (internet), which is reached via gateway node 0. Nodes 1, 2, 6 and 7 serve the purpose
of intermediary routing within the network. Nodes 14 and 15 are a series of APs providing WiFi
networking to the offices.
The client is involved in innovation and product development within the defence and security sector
serving clients ranging from government departments, multinational firms and foreign agencies. The
nature of activity lends itself to sabotage and intellectual property theft. The collaborative nature of
the organisation also means that it hosts development teams from other partners from a variety of
countries.
Your role has specific deliverables, and you are asked to prioritise the activities set out in the
questions below. You have a few weeks to present a report on these matters to the technical leadership
of the client.
For the sake of consistency, specific locations should be referred to in your answers by the labels
used above. It would be wise to label, and so help clarify, the particular locations you refer to,
including particular interfaces on the firewall, routers (as there are multiple), links between routers
and switches, and so on.
If you need to make any assumptions in addition to the brief given above, (e.g. any particular security
software or hardware already deployed on the network, or what services are running on a particular
subnet), you should clearly specify these in a section called ‘Assumptions’ at the beginning of your
report. The assumptions section does not count toward the word limit.
Assignment
Question 1: Detecting reconnaissance (25 Marks, 1000 words)
The client is particularly vulnerable to insider attacks including sabotage (disruption and destruction)
and espionage (stealing sensitive information). To detect any such attacks, it is important that the
client has effective measures in place.
You are asked to evaluate the level of exposure for servers from insiders. Of particular interest here is
network reconnaissance (scanning and enumeration) activity that originates internally.
Briefly explain how potential intruders (insiders on the network) can collect and use
reconnaissance data for malicious purposes.
Describe what data you would prefer to collect and at what points on the network. You are
expected to adopt a systematic approach in which you justify why you are collecting the various
types of data, and where.
To support the above activity, what tools would you use and what types of activity would you
configure them to detect? Your answer is expected to prescribe tools that the client may wish to
use and adopt in the future. Your client would appreciate suggestions for configuring such tools
to assist in efficient collection, logging and analysis of the data collected.
This is a high-volume network and parts of it get very busy at peak times. Any activity that
collects traffic from the network would be a challenge. In the context of the above activity,
discuss relevant strategies to help overcome the problem of scale.
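As an added illustration of the kind of detection logic this question asks for (this is example code written for this page, not material supplied with the brief), the following script runs a simple internal scan detector over constructed flow records. It assumes the records come from a flow sensor such as Zeek placed at the server-farm gateway nodes 3, 4 and 5, laid out in a simplified conn.log-like form (timestamp, source, destination, destination port, protocol, connection state); the sample lines, thresholds and window length are all assumptions chosen for the demonstration. It flags a vertical scan (one source probing many ports on one server), a horizontal scan (one source probing one port across many servers), and reports each source's failed-connection ratio. Working on flow records rather than full packet capture is itself one answer to the scale problem: a flow record is a few hundred bytes per connection regardless of how much traffic the connection carried.

```python
"""Detecting internal scanning from flow records: added example, not part of the brief."""
from collections import defaultdict, deque

# Constructed sample flows in a Zeek conn.log-like layout (whitespace separated):
#   ts  src  dst  dport  proto  conn_state
# conn_state S0 = SYN sent, no reply; REJ = rejected; SF = normal complete session.
SAMPLE_FLOWS = """\
1000.0 10.10.3.7 10.3.0.10 443 tcp SF
1000.2 10.10.3.7 10.3.0.10 443 tcp SF
1000.5 10.8.1.25 10.3.0.10 21 tcp REJ
1000.6 10.8.1.25 10.3.0.10 22 tcp S0
1000.7 10.8.1.25 10.3.0.10 23 tcp REJ
1000.8 10.8.1.25 10.3.0.10 25 tcp REJ
1000.9 10.8.1.25 10.3.0.10 80 tcp S0
1001.0 10.8.1.25 10.3.0.10 135 tcp REJ
1001.1 10.8.1.25 10.3.0.10 139 tcp REJ
1001.2 10.8.1.25 10.3.0.10 443 tcp SF
1001.3 10.8.1.25 10.3.0.10 445 tcp REJ
1002.0 10.9.2.40 10.4.0.1 445 tcp REJ
1002.1 10.9.2.40 10.4.0.2 445 tcp REJ
1002.2 10.9.2.40 10.4.0.3 445 tcp REJ
1002.3 10.9.2.40 10.4.0.4 445 tcp REJ
1002.4 10.9.2.40 10.4.0.5 445 tcp REJ
1002.5 10.9.2.40 10.4.0.6 445 tcp REJ
1002.6 10.9.2.40 10.4.0.7 445 tcp REJ
1002.7 10.9.2.40 10.4.0.8 445 tcp REJ
1002.8 10.9.2.40 10.4.0.9 445 tcp REJ
1002.9 10.9.2.40 10.4.0.10 445 tcp REJ
"""

VERTICAL_PORTS = 8      # assumed threshold: distinct ports on one host
HORIZONTAL_HOSTS = 8    # assumed threshold: distinct hosts on one port
WINDOW_SECONDS = 5.0    # assumed sliding window length
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}  # states typical of probes


def parse_flows(text):
    """Parse the layout above into dicts, sorted by time; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, state = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "state": state})
    return sorted(flows, key=lambda f: f["ts"])


def _distinct_in_window(window, now, value):
    """Append value, drop entries older than WINDOW_SECONDS, return distinct count."""
    window.append((now, value))
    while window and now - window[0][0] > WINDOW_SECONDS:
        window.popleft()
    return len({v for _, v in window})


def detect_scans(flows):
    """Return one alert per (src, key) the first time a threshold is crossed."""
    vertical = defaultdict(deque)     # (src, dst)   -> [(ts, dport), ...]
    horizontal = defaultdict(deque)   # (src, dport) -> [(ts, dst), ...]
    alerted, alerts = set(), []
    for f in flows:
        vkey = (f["src"], f["dst"])
        n_ports = _distinct_in_window(vertical[vkey], f["ts"], f["dport"])
        if n_ports >= VERTICAL_PORTS and ("vertical", vkey) not in alerted:
            alerted.add(("vertical", vkey))
            alerts.append({"kind": "vertical", "src": f["src"], "target": f["dst"],
                           "count": n_ports, "ts": f["ts"]})
        hkey = (f["src"], f["dport"])
        n_hosts = _distinct_in_window(horizontal[hkey], f["ts"], f["dst"])
        if n_hosts >= HORIZONTAL_HOSTS and ("horizontal", hkey) not in alerted:
            alerted.add(("horizontal", hkey))
            alerts.append({"kind": "horizontal", "src": f["src"],
                           "target": f"port {f['dport']}", "count": n_hosts, "ts": f["ts"]})
    return alerts


def failed_connection_ratio(flows):
    """Fraction of each source's flows that never completed: a cheap second signal
    that still works on sampled or aggregated data when full capture is not feasible."""
    total, failed = defaultdict(int), defaultdict(int)
    for f in flows:
        total[f["src"]] += 1
        if f["state"] in FAILED_STATES:
            failed[f["src"]] += 1
    return {src: failed[src] / total[src] for src in total}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in detect_scans(flows):
        print(alert)
    for src, ratio in sorted(failed_connection_ratio(flows).items()):
        print(f"{src}: {ratio:.2f} of flows failed")
```

On the sample data the scanner 10.8.1.25 is reported once as a vertical scan of 10.3.0.10 and 10.9.2.40 once as a horizontal scan on port 445, while the ordinary client 10.10.3.7 produces no alert and a failed-connection ratio of zero. In a real deployment the thresholds would be tuned per server farm against a baseline, and slow scans that spread probes over hours would need a longer window or a per-source distinct-target count kept in a time-decayed store rather than an in-memory deque.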
Question 2: Session Data collection (15 Marks, 500 words)