Assessment 2 - Cyber Security (Solved)

This document provides details of an assessment for a student in an ICT40118 Certificate IV in Information Technology course. Specifically, it relates to the unit ICTICT424 Address Cyber Security Requirements. The assessment contains 3 questions relating to cyber security threats and risks, common security controls, and conducting a threat assessment. It documents student and assessor details, learning outcomes, assessment results, and feedback. The purpose is to assess the student's knowledge across various cyber security topics outlined in the learning outcomes.

Uploaded by

Amna Qayyum

T-1.8.1_v3

Details of Assessment
Term and Year:
Time allowed:
Assessment No: 2 of 2
Assessment Weighting: 40%
Assessment Type: Writing questions
Due Date:
Room:

Details of Subject
Qualification: ICT40118 Certificate IV in Information Technology
Subject Name: Cyber Security

Details of Unit(s) of competency
Unit Code(s) and Names: ICTICT424 Address Cyber Security Requirements

Details of Student
Student Name:
College Student ID:

Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.

Student's Signature: ____________________
Date: _____/_____/_________

Details of Assessor
Assessor's Name:

Assessment Outcome
Assessment Result: Competent / Not Yet Competent
Marks: /40
Feedback to Student
Progressive feedback to students, identifying gaps in competency and comments on positive improvements:
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
____________________________________________________________________
______________________________________________________________________________________

Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student.

Student attended the feedback session.
Student did not attend the feedback session.

Assessor's Signature: ___________________
Date: _____/_____/________

Cyber Security - Assessment Task 1 v.1, Last updated on 19/08/2019 Page 1



Purpose of the Assessment

The purpose of this assessment is to assess the student in the following learning outcomes, each marked Competent (C) or Not Yet Competent (NYC):

Knowledge Evidence

Knowledge of common cyber security threats and risks

Knowledge of common cyber security controls

Knowledge of cyber security control implementation processes and procedures

Knowledge of industry standards relevant to cyber security

Knowledge of testing procedures and processes

Knowledge of legislative and regulatory requirements relevant to cyber security


Question 1
What is the difference between a threat and vulnerability? Identify the common Cyber
Security risks and threats. Write your answer in 200-250 words.

Threat: A threat is simply what an organisation is defending itself against: anything that can exploit a weakness, intentionally or accidentally, and obtain, damage, or destroy an asset.
There are three types of threats, which are as follows:
• Intentional threats
• Unintentional threats
• Natural threats

Vulnerability: Vulnerabilities are the gaps or weaknesses that undermine an organisation's IT security efforts. There are four main types of vulnerability, as follows:
• Economic vulnerability
• Physical vulnerability
• Emotional vulnerability
• Social vulnerability

Some common cybersecurity threats are as follows:

• Malware: Software that performs a malicious task on a target device or system, for instance corrupting data.
• Phishing: An email-borne attack that involves tricking the email recipient into disclosing confidential data.
• Man in the middle attack: Where an attacker establishes a position between the sender and recipient of electronic messages and intercepts them, possibly changing them in transit.
• Denial of service attacks: Where an attacker takes control of a large number of devices and uses them to invoke the functions of a target system.
• Data breaches: A data breach is a theft of data by a malicious actor.

Some common cybersecurity risks are as follows:

• Ransomware: An attack that involves encrypting data on the target system and demanding a payment in exchange for letting the user access the data again.
• Hacking: Hacking is the process of gaining unauthorised access to a computer system, or a group of computer systems.
• Cloud abuse: A major risk factor is that Infrastructure as a Service, which is responsible for functionality, has no secure registration process.
• Loss of data: It may be through alteration, deletion, and use of an unreliable storage medium.
• Single factor password: The use of single-factor passwords is a major security risk. It gives intruders easy access to data.


Question 2
What are the two most common Cyber Security controls implemented in an organization?
What are the advantages of having such controls in place, and what are the disadvantages
should they not be implemented? Write your answer in 200-250 words.

The two cyber security controls are:

1. Patch management lifecycle: The patch management process depends on the extent of an organisation's IT infrastructure. Large organisations can find it difficult and expensive to properly monitor the vulnerabilities present in devices spread across the network. To counter this, such organisations can adopt best practices for reducing threats.
2. Apply antivirus solutions: When an organisation implements an effective antivirus product, it denies attackers the ability to carry out attacks through malicious programs. Antivirus software continuously scans a system for harmful programs and removes them before they can cause any damage.

Advantages of patch management lifecycle:

• Security is the most obvious advantage offered by patch management.
• Another significant advantage of patch management is increased efficiency.
• Having an automated patch management cycle will enable our organisation to keep up with the latest advances in technology.

Disadvantages of patch management lifecycle:

• Patches can disrupt essential business operations.
• Another challenge of patch management is the difficulty of patches before use.

Advantages of antivirus solution:

• Protection from viruses and their transmission.
• Blocks spam and advertisements.
• Defence against hackers and data thieves.
• Protects your data and files.
• Firewall protection from spyware and phishing attacks.

Disadvantages of antivirus solution:

• It doesn't offer complete protection.
• It can slow our PC and network.
• It offers only limited detection techniques.


Question 3

One of the consultants working at Devon Accounting was offered a job at a larger accounting
firm. The consultant had access to clientele list, information on network drive and customer
data. Should this information be used in a wrong way, it would have dire consequences to
the company’s image. Privacy and data integrity would be compromised.

Using a threat classification method, conduct a threat and risk assessment. What controls
could the company use to prevent this situation from occurring? Write your answer in 200-
250 words.

Below is the threat and risk assessment of the issue that arose at Devon Accounting. This
assessment was conducted by the security manager along with 5 team members of this
company.

Hazards (threat): Privacy and data integrity of clients

Who may be harmed: Staff, clients and stakeholders of Devon Accounting

Assessment and mitigation: This hazard can cause serious data breach problems in the company, and this information can be used for illegal actions. The company should take back all the devices the consultant was using for the company's work. He should be investigated to ensure he no longer has access to Devon Accounting's personal data.

Record: The security manager should record all this information, and the investigation done for this hazard, in a document to show the company proof that the assessment has been done for this issue.

Assessment revision: It should be reviewed to ensure that the consultant is leaving this company empty-handed and the data is safe.

Control:
The company should follow some technical controls, which include securing the company's systems by authentication. Data should be encrypted. Cryptographic controls should also be followed. Another control, denial of service protection, should also be followed.


Question 4

What are cyber assets and define vulnerable assets? List and explain three security control
mechanisms to protect valuable assets. Write your answer in 200-250 words.

Cyber assets: Cyber assets are programmable electronic devices and communication networks, including hardware, software, and data.
Vulnerable assets: A vulnerability is a flaw in the measures you take to secure an asset. This is a broader interpretation of the traditional definition, which considers only flaws or weaknesses in systems or networks.
Security control mechanisms to protect valuable assets are as follows:

• Inventory and Classification of Information Assets: Every asset should be identified, assessed, classified and secured based on asset value, asset location, asset risk and sensitivity.
• Privacy Impact Analysis: An effective tool to avoid privacy issues by determining the risks and strategies that result from collecting, maintaining and distributing PII in an electronic environment.
• Security Awareness Training: All of the workforce should undergo security training, which is, essentially, stamped information on security policy.
• Third-Party Management: This covers controls to secure assets, access to controls, legal and regulatory requirements, and safe data disposal practices followed by third parties.
• Security Incident Response Policy: Consider damage control measures, time to recovery, IR review mechanisms, and so on.


Question 5
In past eras, cybersecurity wasn’t an issue for business owners. But now, the internet
defines many corporate activities. Some businesses operate entirely online, and even the
ones that don't typically include the internet in their operations somehow use it - whether it’s
marketing to customers or keeping accurate records.

If company leaders do not understand the cybersecurity laws that relate to their operations,
they may be subjected to substantial fines. Moreover, substantial costs could result from
having to achieve compliance after regulatory bodies discover shortcomings and order
remedies. But awareness is the first step to avoiding issues.

What are the main legislative and regulatory requirements to Cyber Security inside
Australia? Write your answer in 200-250 words.

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.
The Privacy Regulation 2013 relates to various provisions of the Privacy Act, including:

• The handling of personal information in emergencies and disasters: an entity will still be liable for breaching the secrecy provisions of the Census and Statistics Act 1905 if they use or disclose personal information that would otherwise be permitted under s 80P(1) of the Privacy Act.
• The collection, use and disclosure of personal information
• An organisation or agency's governance and accountability
• Integrity and correction of personal information
• The rights of individuals to access their personal information

The law of Australia comprises many levels of codified and uncodified forms of law. These include the Australian Constitution, legislation enacted by the Federal Parliament and the parliaments of the states and territories of Australia, regulations promulgated by the Executive, and the common law of Australia arising from the decisions of judges.
The Australian Privacy Principles are principles-based law. This gives an organisation or agency flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals. They are also technology neutral, which allows them to adapt to changing technologies.


Question 6
Research has shown that the majority of information security attacks stem from human error,
not from malicious intent. What controls can the company put in place to manage human
error and minimize the risk of cyber-attacks or data loss? Write your answer in 150-200
words.

Organisations need to develop a strong and thorough security framework that will protect sensitive data, reduce risks and ensure the reputation of the organisation remains intact.
The controls to minimize the risks of cyber-attacks or data loss in a company can be implemented in many ways, as mentioned below:

• Limit access to your most valuable data.
• Conduct employee security awareness training.
• Update software regularly.
• Develop a strong disaster recovery plan.
• Regular audits and risk assessments.
• Use strong passwords and encrypt data.
• Use patches.
• Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden.
• Limit employee access to data and information, and limit authority to install software.
• Breaking point firewalls and web sections.


Question 7

What are the industry standards relevant to cyber security in Australia? Write your answer in
150-200 words.

• AS/NZS ISO/IEC 27000 series – Information Security Management, which includes:
   o ISO/IEC 27000:2018 – Information technology – Security techniques – Information security management systems – Overview and vocabulary
   o ISO/IEC 27001:2015 – Information technology – Security techniques – Information security management systems – Requirements
   o ISO/IEC 27002:2015 – Information technology – Security techniques – Code of practice for information security controls
   o ISO/IEC 27003:2017 – Information technology – Security techniques – Information security management system – Guidance
   o AS ISO/IEC 27004:2018 – Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation
   o ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management
• AS ISO 55001:2014 – Asset management – Management systems – Requirements
• AS/NZS ISO 31000:2018 – Risk Management – Guidelines
• HB 167:2006 – Security Risk Management

Standards Australia has launched a new team of industry representatives tasked with
establishing baseline cybersecurity standards and industry-specific extensions. The new
team, which met for the first time this month, aligns the industry standards-setting body
with cybersecurity development group AustCyber and the NSW government in an
effort that its members agreed would "improve the act of cybersecurity across
Australian industry through part explicit activities and specialized direction, more
prominent collaboration among advances, and gaining from worldwide models".


Question 8

One of the tests conducted during cyber security is called Penetration Testing. Define the
term. Explain the 5 stages of Penetration Testing, and list and elaborate on the penetration testing
methods. Write your answer in 200-250 words.

Penetration testing: Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.
The five stages of penetration testing are as follows:
1. Reconnaissance: During this stage, the security testing team will gather as much information as possible about the target before carrying out any attacks.
2. Scanning: Scanning is performed on the target application with the aim of identifying the vulnerabilities that can be exploited in later stages for gaining access.
3. Gaining Access: The security testing team exploits the system to gain access, by compromising the vulnerabilities identified in the previous stages.
4. Maintaining Access: Once access is obtained in the earlier stage, the team needs to find a way to keep its access to the system.
5. Covering Tracks: Finally, the team will find a way to erase the traces of the attack with the aim of not being detected.

The methods of penetration testing are as follows:

• External testing: External penetration tests target the assets of an organisation that are visible on the internet.
• Internal testing: In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider.
• Blind testing: In a blind test, a tester is only given the name of the enterprise that is being targeted.
• Double-blind testing: In a double-blind test, security personnel have no prior knowledge of the simulated attack.
• Targeted testing: In this scenario, both the tester and security personnel work together and keep each other apprised of their movements.


Marking Sheet for Trainers

Marking List: Marks out of
Question 1: /5
Question 2: /5
Question 3: /5
Question 4: /5
Question 5: /5
Question 6: /5
Question 7: /5
Question 8: /5
TOTAL: /40
