With your assignment you should be focusing on task three, the last task, so let's say a little bit about it.

For task two, most people who submitted are going okay, I think; that is, the list of assets and risks they have identified is appropriate. There are a few comments that I have, although these are just my notes as I was reading through for the different groups. Some of this doesn't make much sense, but it's just a reminder to me. Some groups, when they listed the assets, focused on the information systems, but I suggest you focus on the more detailed information types, okay? The pieces of information are assets. Remember, an asset is something that's valuable to an organisation or a person. So when I say "assets are okay" it means the list that that group gave seems okay, that is, they make sense, they are appropriate assets. In some cases, for example, group one gave the assets as really information systems. I suggest you give more detail: instead of saying the asset is the grading system, the asset is the student grades or the student contact information. That information is the asset, that's the real valuable thing; the database that stores the information is not as valuable as the information itself, okay? So that's the main point; most people are okay.

If it says "no submission in required format", I was a bit lazy in going and checking paper submissions. I don't want paper submissions; submit a spreadsheet so I can copy and paste it and analyse it. PDFs, no. Just submit a spreadsheet as either ODS or Excel, okay? So I didn't bother reading paper submissions; well, I read them, but I didn't bother giving feedback. The number of assets: I said last week to aim for between 20 and 30, so everyone aimed for 20, I think, and some people only had 10. Someone sent in two different files again; I'm not going to join your two files together. If you're going to submit a spreadsheet, submit it in one file with the right name.

So "assets are okay" means the list of assets you gave makes sense or is appropriate. Be more specific: some of the assets are like "the asset is a server", but there are many types of servers, the web server, the database server, the email server, and which web server, www.sit, reg.sit? So be specific if you talk about an asset. Remember, assets are the things that are valuable to us, but I think most people are okay there. Then again, threats and vulnerabilities: I think it's not too hard to come up with a list of what can go wrong. How could someone get access to the student grades, what could go wrong, could they be released, or could they be not available? So you compromise the confidentiality, integrity or availability of those assets. So my point is, focus on task three, okay? Now that you have your assets, if you don't have 20 or so then add some more.

What was the other comment? Alright, some people just focused on one type of asset and looked at many different attacks or vulnerabilities on that one type of asset. It would have been better if you had covered a wider range of assets, that is, different things, but that's not so important.

Task three. No, some examples first. This is a copy and paste of some group submissions; it's maybe hard to see. The first four are related to finance. These are four submissions from four different groups relating to payroll, financial records, salary information, so different groups' perspectives, most likely meaning the same thing, say someone's salary information, the financial information, and some threats about them, and different classifications here, okay? So again this is showing there's no one answer. I'm not saying any one of these is wrong, but we see that people have different views of the different assets and the value of them. So think carefully about the occurrence. These four different groups said the occurrence is low to very low, so that means maybe that's correct: four independent people are coming up with the same classification, and that's okay. The likelihood of impact, or the impact likelihood, is high to moderate, so these trends amongst the different groups look okay.

These five or six are for internet Wi-Fi access. You know you need to log in with a username and password for internet, so most people mentioned that Wi-Fi or internet access system and some vulnerabilities with that, like someone intercepting or listening to people's passwords when they log in, and there's a wide range of classifications here: this one ranks things at low, these are high, these are very high, okay? So people have different ideas of what the value of this information is. So think carefully about, okay, if someone could get your password for internet access at SIT, what damage could they do, what could they do? So then that may lead to, how easy is that to do? I would say that's very easy to do; we could do that in five minutes to collect not many people's passwords, if they're using the Wi-Fi, because the Wi-Fi is unencrypted. So the occurrence or the likelihood, I suspect, I don't know, but I suspect people have done it already, so I'd say it's a very high likelihood for that one to happen, people intercepting passwords. But what's the impact, or what's the consequence, if someone captures your password for the SIT login, what damage can they do? So again, there are no perfect answers here, but the purpose of this assignment and this task is just to make you think about what's the chance of things happening and what are the possible impacts.

So focus on task three now, okay? Move on to task three. What is task three? Now that you've looked at some vulnerabilities, you're aware of different vulnerabilities, look at attacks, and I'll give you a template, which will open up. So of those risks that you've identified, explain, so the main part, explain an attack: how would you perform the attack, how would you get that information, okay, as detailed as possible. So for example, many people identified the risk of someone accessing the username and password for the Wi-Fi or the SIT internet login, it's the same system. How would someone obtain that information, how would someone perform the attack to get the username and password of another student? So this should describe how to do it. Don't do it, okay? I think it's quite easy to describe how to do it without doing it. Some you can be more detailed than others, okay, but use your knowledge from what we've talked about in some of the topics in this course. Many of them are network attacks, so use your knowledge of what you know about computer networks, how to intercept information, and give a suggestion of "this is what someone could do to perform the attack". And I say it should be detailed enough such that other ITS 335 students could understand it and perform it, so enough details that someone could read your description and understand what you're talking about and, under the right conditions, perform it. So for example the students next year that take this course could read your description and they'd immediately know how to do this attack.

Then, once you have described an attack, say how to stop it, the countermeasure for that attack. So what would you suggest for SIT to do to prevent this attack from happening, or to detect this attack when it does happen, okay? So this is what the attacker would do, this is what the organisation should do to prevent that attack, and again be as specific as possible; some you can be more detailed than others. So those are the main two parts, so choose one of the risks from your task two and do that. Some discussion: okay, maybe you can talk about whether there are other security controls. So the security control is the countermeasure, what do we do to stop the attack, but there may be multiple options, so I want you to describe one, the one you recommend here. The discussion may be short, saying, well, why did you choose that one? So this is saying how to do the countermeasure, that is, the countermeasure is that the computer centre must implement this encryption scheme for all the wireless networks. So this is saying what to do; the discussion is saying what's the advantage and disadvantage of doing that, why did you choose that one, especially when there are others to choose from. So a little bit about, well, this one we think is secure enough and it's cheap enough to implement, for these reasons, so some discussion here. Then do it again, and I think I said how many, five different attacks. So with how many people in a group, three students per group, it's easy, so one or two attacks per student: describe them, recommend the controls as the countermeasures, and a short discussion. So that's the last task for this assignment. Any questions? When's the deadline? Any suggestions?

The first point: consider different risks, don't choose all the same related ones. Don't say "I've chosen five different risks and I'll give five attacks" and it turns out all your attacks are identical; you won't get high marks with that. So choose risks that require different types of attacks. So if for risk number one and risk number two the attack is the same, that's not so interesting. That's one point. If there are multiple attacks, I think your question is, focus on just one. For each risk, one attack: say one way you could take advantage of this vulnerability, that's all. So one attack, one recommended control, or the way that you recommend, but maybe some discussion, okay, there may be some other approaches, but they may be more costly or not as secure, or they may be more inconvenient for the user. So that answers your question.

Yes, you can, as long as the attacks aren't all the same, okay? That is, if the attack involves someone intercepting the passwords or packets sent across the Wi-Fi, okay, if that's the attack, it involves someone listening, and you know how to do this because you did it in your assignment last semester, how to listen in to Wi-Fi communications. If that's the attack and you intercept a password, alright, that's okay for one of them, but if the next one is the same attack, I'm not so interested, okay, that is, you won't get full marks. That is, the attacks themselves should be different, use different techniques, okay? Now if they're attacking different systems or the same system, that's okay, so long as these attacks use different techniques. And there are many ways; they don't have to be technical, they can use some social engineering, so you can talk about some ways that someone could get access by some social engineering, some phishing attacks or similar.

Any other questions? Again, deadline: when? Where are we, we're in week... it's the 13th of February. There's, what, after this week there are three more weeks of lectures, I think, three more weeks. When are you going to finish task three? Next week? It doesn't take too much; you just need to sit down for a couple of hours and design them. You should be spending a few hours a week on these tasks, so I don't mind too much, but the earlier the deadline, the more chance I can give you some grades. Next week, and that's it? Yes, hands up for next week, next Thursday. Yes. What about the week after? No preference. Maybe if you have assignments for other courses you may have a preference, but if not, do this one and it's done. Next week, everything? Yes. So this is the final deadline, so what I'll require you to do is, yes, submit this one. You'll get no feedback, you'll just get the final grade for this one, and at the same time submit task one and two, so you can update them. Most people, you don't need to make many changes, but just make sure that everything is complete on task one and two, submit all three documents and I'll mark all of them together. Maybe we'll look at... so today is the 13th, so next week will be the 20th of February, maybe the Tuesday after, so that gives you this weekend, next week, and the weekend after. So I think the 20th, maybe about the 25th of February, okay, I'll set the deadline around that, okay? So let's move on with our certificates.
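The task two scoring the lecturer walks through above (an "occurrence" rating and an "impact" rating per asset and threat, with several groups rating the same Wi-Fi password asset very differently) can be made concrete with a small risk register. The following is an added example written for this page, not the lecturer's template or any group's submission; it assumes a five-level qualitative scale, a likelihood times impact score with assumed rating bands, and constructed register rows modelled on the finance and Wi-Fi examples in the lecture. It ranks the rows by risk and, for any asset rated by more than one group, reports the spread of scores so that wide disagreements (like the Wi-Fi ratings) can be re-examined.

```python
"""Qualitative risk register scoring (added example, not part of the lecture).

Assumptions: a five-level scale for likelihood ("occurrence") and impact, a
score of likelihood x impact on a 1..25 scale, and rating bands chosen for
illustration. The register rows are constructed sample data.
"""
from collections import defaultdict

# Assumed qualitative levels, lowest to highest.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Score = likelihood level x impact level (1..25). Raises KeyError on an unknown level."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def risk_rating(score: int) -> str:
    """Map a 1..25 score onto a rating band (assumed bands, not from the lecture)."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Constructed register rows: (group, asset, threat, likelihood, impact).
# Assets are the information itself, as the lecturer suggests, not the system holding it.
REGISTER = [
    ("G1", "student grades", "unauthorised modification using a stolen lecturer login", "low", "very high"),
    ("G1", "Wi-Fi login password", "interception on the unencrypted wireless network", "very high", "moderate"),
    ("G2", "Wi-Fi login password", "interception on the unencrypted wireless network", "high", "low"),
    ("G3", "Wi-Fi login password", "interception on the unencrypted wireless network", "moderate", "very high"),
    ("G2", "salary information", "disclosure by an insider with database access", "very low", "high"),
    ("G3", "salary information", "disclosure by an insider with database access", "low", "high"),
]


def rank_register(rows):
    """Return the rows as dicts, each with its score and rating, sorted by descending score."""
    scored = []
    for group, asset, threat, likelihood, impact in rows:
        score = risk_score(likelihood, impact)
        scored.append({
            "group": group, "asset": asset, "threat": threat,
            "likelihood": likelihood, "impact": impact,
            "score": score, "rating": risk_rating(score),
        })
    return sorted(scored, key=lambda r: r["score"], reverse=True)


def disagreement_by_asset(rows):
    """For each asset rated by more than one group, return (lowest score, highest score).

    A wide spread means the groups disagree on occurrence or impact and the
    asset's rating deserves a second look, as with the Wi-Fi password above.
    """
    scores = defaultdict(list)
    for _group, asset, _threat, likelihood, impact in rows:
        scores[asset].append(risk_score(likelihood, impact))
    return {asset: (min(s), max(s)) for asset, s in scores.items() if len(s) > 1}


if __name__ == "__main__":
    for row in rank_register(REGISTER):
        print(f"{row['score']:2d} {row['rating']:8s} {row['group']} {row['asset']}: {row['threat']}")
    for asset, (lo, hi) in disagreement_by_asset(REGISTER).items():
        print(f"spread for {asset!r}: {lo}..{hi}")
```

With these constructed rows the three Wi-Fi password entries score 15, 8 and 15 (the same threat rated "critical" by two groups and "medium" by the third), which is exactly the kind of spread worth discussing before settling on a final classification; the two salary rows land close together at 4 and 8.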