Task 1 Case Study
Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF) and Structured Query Language (SQL) Injections are common attacks, exploiting web application vulnerabilities. Your task is to select one case study example of one attack type from either XSS, CSRF or SQL injection as the basis for your report and explain (and graphically depict) all components of the attack by addressing the following three requirements:
1. Develop a detailed walkthrough of how your chosen attack type would theoretically operate in the real-world. This section should clearly represent each stage of the attack with supportive discussions.
2. Select one CVE (Common Vulnerabilities and Exposures) and proceed to identify and explain the intricacies of that real-world incident that eventuated based on your chosen attack type.
3. By explaining your selected real-world incident, you should at a minimum answer the following
• What was the outcome of your chosen incident?
• What was the impact of your chosen incident?
• Identification of the personal identifiable information (PII) that was held, used, and collected by the organisation.
• Discuss the C.I.A triad and how these principles relate to the information security breach, i.e., what was breached in relation to C.I.A?
• What threats and vulnerabilities to the information exist in the case study?
• What protections were in place; what worked and what failed in this particular case?
• Discuss the lessons learnt from the breach, for example, legal, financial, risk.
• What did the organisation do after the breach, i.e., what happened after the fact?
• Why was this breach such an important case to learn from?
Task 2: Attack Tree on “obtain your friend’s password”
Attack (or threat) trees are becoming increasingly popular in many fields as a means of visualising information. As presented by Dekker (2015) attack trees are; flexible, visual and formal, yet provide a means of portraying scenarios, encourage brainstorming activities, and allows organisations to apply a defence in depth approach to the identified threats.
Among many things Attack Trees help with visualising all the potential ways any given organisation or system may be attacked. It assists with conceptualising; asset identification/classification, threats, vulnerabilities, exploits and many more aspects of cybersecurity risk management.
It is important that you understand how to develop and analyse attack trees for the purposes of not only this assignment (or potential exam questions) but for your future career. Bruce Schneier is a respected cybersecurity expert who has written extensively on the creation of attack trees. You are strongly advised to research this information and ensure you have grasped the concept of attack trees, and its associated characteristics. You should also research more attack tree structures as part of this task
You will attempt to develop your own attack tree. Using the overall goal of "obtain your friend's login password" develop one or more attack trees which demonstrate the different technical and non-technical approaches you could use to acquire ‘the password’.
For the purposes of this activity, you should aim to have approximately 25 nodes, presented on multiple levels. The above example has approximately 13 nodes, for example. For the first level, try to be creative in how you split your tree up. So, this means you should try to avoid using ‘technical’ and ‘non-technical’ as your top two headings. In addition, you should aim to have 3-6 words per node to ensure that it is explained sufficiently.
Microsoft Visio is a popular tool that can be used to develop Attack Trees. However, any brainstorming tools will be equally suitable. There are plenty of freely available brainstorming tools that can be found by doing a simple search on the Internet. However, whenever you download software it is always advisable to scan the product with appropriate anti-virus software beforehand.
Finally, briefly discuss in a conclusion for this task how might an attack tree analysis have been helpful for the organisation(s) involve in task 1.