Unit 6 Network security management

Level 3 Technical Level IT: NETWORKING A/507/6495 Unit 6 Network security management Mark scheme June 2019 Version: 1.0 Final *196AA/MS* Mark schemes are prepared by the Lead Assessment Writer and considered, together with the relevant questions, by a panel of subject teachers. This mark scheme includes any amendments made at the standardisation events which all associates participate in and is the scheme which was used by them in this examination. The standardisation process ensures that the mark scheme covers the students’ responses to questions and that every associate understands and applies it in the same correct way. As preparation for standardisation each associate analyses a number of students’ scripts. Alternative answers not already covered by the mark scheme are discussed and legislated for. If, after the standardisation process, associates encounter unusual answers which have not been raised they are required to refer these to the Lead Examiner. It must be stressed that a mark scheme is a working document, in many cases further developed and expanded on the basis of students’ reactions to a particular paper. Assumptions about future mark schemes on the basis of one year’s document should be avoided; whilst the guiding principles of assessment remain constant, details will change, depending on the content of a particular examination paper. Further copies of this mark scheme are available from Copyright information For confidentiality purposes acknowledgements of third-party copyright material are published in a separate booklet which is available for free download from after the live examination series. Copyright © 2019 AQA and its licensors. All rights reserved. Level of response marking instructions Level of response mark schemes are broken down into levels, each of which has a descriptor. The descriptor for the level shows the average performance for the level. There are marks in each level. Before you apply the mark scheme to a student’s answer read through the answer and annotate it (as instructed) to show the qualities that are being looked for. You can then apply the mark scheme. Step 1 Determine a level Start at the lowest level of the mark scheme and use it as a ladder to see whether the answer meets the descriptor for that level. The descriptor for the level indicates the different qualities that might be seen in the student’s answer for that level. If it meets the lowest level then go to the next one and decide if it meets this level, and so on, until you have a match between the level descriptor and the answer. With practice and familiarity you will find that for better answers you will be able to quickly skip through the lower levels of the mark scheme. When assigning a level you should look at the overall quality of the answer and not look to pick holes in small and specific parts of the answer where the student has not performed quite as well as the rest. If the answer covers different aspects of different levels of the mark scheme you should use a best fit approach for defining the level and then use the variability of the response to help decide the mark within the level, ie if the response is predominantly level 3 with a small amount of level 4 material it would be placed in level 3 but be awarded a mark near the top of the level because of the level 4 content. Step 2 Determine a mark Once you have assigned a level you need to decide on the mark. The descriptors on how to allocate marks can help with this. The exemplar materials used during standardisation will help. There will be an answer in the standardising materials which will correspond with each level of the mark scheme. This answer will have been awarded a mark by the Lead Examiner. You can compare the student’s answer with the example to determine if it is the same standard, better or worse than the example. You can then use this to allocate a mark for the answer based on the Lead Examiner’s mark on the example. You may well need to read back through the answer as you apply the mark scheme to clarify points and assure yourself that the level and the mark are appropriate. Indicative content in the mark scheme is provided as a guide for examiners. It is not intended to be exhaustive and you must credit other valid points. Students do not have to cover all of the points mentioned in the Indicative content to reach the highest level of the mark scheme. An answer which contains nothing of relevance to the question must be awarded no marks. The following annotation is used in the mark scheme: ; - means a single mark // - means alternative response / - means an alternative word or sub-phrase A. - means acceptable creditworthy answer R. - means reject answer as not creditworthy NE. - means not enough I. - means ignore DPT. - in some questions a specific error made by a candidate, if repeated, could result in the candidate failing to gain more than one mark. The DPT label indicates that this mistake should only result in a candidate failing to gain one mark on the first occasion that the error is made. Provided that the answer remains understandable, subsequent marks should be awarded as if the error was not being repeated. Question Guidance Mark 01 Mark is for AO1 access their files from home and college. R. more than one box ticked 1 02 Mark is for AO2 enable access to specific resources on a network. R. more than one box ticked 1 03 Mark is for AO2 TKIP R. more than one box ticked 1 04 Mark is for AO3 Banner grabbing R. more than one box ticked 1 05 Mark is for AO4 provider and customer. R. more than one box ticked 1 Question Guidance Mark 06 2 marks for AO2 Maximum of 2 from: • monitors (all) network traffic; • used to detect malicious activity; • can be host-based (HIDS); • can be network-based (NIDS); • reports violations (to an administrator) // sends alerts (to an administrator); A. HIDI / HIDS / NIDS A. any reference to system / file / network intrusion(s); A. stack-based / signature-based / preconfigured / (statistical) anomaly-based (ie candidate not required to identify NIDS for this mark); A. traffic sampling; A. Any other creditable answer R. 'detects' unless reference to what R. any reference to preventing / protecting / blocking / removing 2 Question Guidance Mark 07 4 marks for AO2 Maximum 4 marks. correct feature;; appropriate expansion point;; Examples include: • (install) antivirus software; update it regularly / keep it updated; • keep proprietary operating system up to date; enable and accept OTA updating / check for updates; • ensure built-in firewalls are active; check firewall status / check for green ticks / / filters // flags incoming packets // programmable (ie what to let in / what to keep out); • database // checks exe. files / /definitions and signatures; • use latest version of web browser; opt for browser that updates itself (automatically) // allow browser to detect and block phishing sites • email authentication // blocks harmful / fraudulent email // authentication by rules defined by user / domain owner • make use of propriety Malicious Software Removal tools; detects specific types of malware; • antispam filters can protect (from email infection) // delete / quarantine / move to spam folder // Bayesian / content filtering / blacklisting / profiling / eliminating; • infection persists / malware difficult to detect and remove; use (anti-malware) boot CD or rescue disc (which scans PC for malware); R. “sheep dip” / use of standalone computer not connected to network R. any reference suggesting the user needs to do anything, eg scan all attachments / don't open attachments from unknown senders / don't click on unknown links, etc, etc 4 08 4 marks for AO4 1 mark for each correct benefit or expansion point, up to a maximum of 4 marks. Examples include: • security; guarantee of minimum requirements / defines minimum expectations; protected from excessive demands; • legal protection / contractual; expectations are clear / written down; • quality guarantee; improves relationship/confidence/stability; improves outcomes, better results; avoids unnecessary worry/uncertainty; • compliance; contractor knows what they need to do; business gets the service they require; non-compliance prevented // punished/handled; 4 Question Guidance Mark 09.1 2 marks for AO1 Maximum of 2 marks from: used to prevent unauthorised network intrusion / unauthorised network access; also known as ethical / white hat hacking / attacking; simulates actions a hacker might take; process of (systematic) probing for vulnerabilities // looks for vulnerabilities; identifies (potential) vulnerabilities; tests to see if (potential) vulnerabilities are real; aims to improve (network) security; provides preventive action against future attacks; R. also known as pen test A. Any other creditable answer 2 09.2 2 marks for AO1 Maximum of 2 marks from: current user documentation / current network specification used to identify vulnerabilities / series of tests for penetration testing / non-malicious; focuses on interfaces; where network (software) and external environment meet; network interfaces / user interfaces / application programming interfaces (APIs); determines what information has been accessed by external user / what information could be accessed by an external user // replicates actions of (potentially malicious) external user; investigates all user alerts / error messages / logs // looks for patterns / profiles // determines if any external user has had malicious intent; A. reference to ethical hacking/white/black hat attack A. Any other creditable answer (credit any explanation not credited in 9.1) R. any repetition from 9.1 without explanation / expansion 2 Question Guidance Mark 10.1 2 marks for AO3 Maximum of 2 marks from: using a port scanner as an administrative tool; to identify all network services running (on a host) // inventory of ports available // number of ports open / closed; A. allow (for open) // deny or blocked (for closed);use a port scanner to identify flaws in network security; in order to patch / remediate; auditors and network administrators thereby acting as ethical hacker / white hat attack // identifying flaws // mapping out (potential) attacks; A. identify open ports A. Any other creditable answer R. Scans server / system for open ports 2 10.2 1 mark for AO3 Maximum of 1 mark from: scans server for open ports / vulnerabilities // weak(ended) access points // identifying open ports for exploiting; application / service broadcasting information useful for attackers; seeking to identify flaws for exploit / have malicious intent; A. Any other creditable answer 1 Question Guidance Mark 11 4 marks for AO3 Maximum 4 marks. for each correct way; for each appropriate expansion point; Examples include: • probes network // connected device(s) // trusted device(s) // unknown device(s) // 'sniffs' traffic; • turn on logging (software); ensure logging correct events; • maintain (very detailed) records; analyse (everything recorded) / identify root cause / establishes list of known threats; • use of network automation tools; R. CNSM • some applications log by default; some web servers log all incoming traffic; • weblogs detail what and when attempts are made to access system; and whether successful or not / with proper permissions or not; • essential action be taken / patch applied as necessary; A. can monitor manually // log threats found; A. may opt not to log everything; eg if collation involves large file sizes // impacts adversely on (processor/system) performance A. event log only if reference to logging in / out; A. audit log only if reference to destination / source address and / or user login information; R. reference to CNSA and automated / continuous alone without further explanation or expansion (see Q12) 4 Question Guidance Mark 12 6 marks for AO3 Maximum 6 marks. 1 mark for each correct benefit; 1 mark for each correct expansion up to maximum of 6 marks; Examples include: • protection from attack; gain information about security threats / prompts solutions; • can help identify zero-day attacks / new, previously unknown threats; • 24/7 / around the clock detects threats and breaches that would otherwise have been undetected; threats are not a 9-5 business; • identify (patterns of) suspicious behaviour; logging and analysing traffic data continuously over an extended period of time; captures/records/analyses the big picture / provides alerts / reduces exposure; • protect business / mitigate problems; streamlines compliance reporting; detects and quantifies data breaches; • (potential) threats identified / actioned quicker / cost effective; 6 Question Guidance Mark 13.1 2 marks for AO1 Maximum of 2 marks from: 3 parties / customer, bank, man-in-the-middle; man-in-the-middle intercepts communication // intercepts communication between customer and bank; neither (legitimate) sender or (legitimate) receiver knows there is a man-in-the middle // neither customer nor bank knows there is a man-in-the-middle; A. customer is lured to a “fake” site; A. Any other creditable answer 2 13.2 4 marks for AO1 Maximum of 4 marks from: • customer receives an email asking they log in; in order to confirm contact information; • customer clicks on the link provided; logs into a website they believe to be their bank; • action so far essentially phishing; customer's email appears to have come from their bank; • man-in-the-middle attacker has created a website that looks like customer's bank website; so much so that customer does not suspect / does not hesitate to log into man-in-the-middle attacker's website; • customer is not, however, logging into their bank account; but, rather, is providing their log in credentials to their man-in-the-middle attacker; • man-in-the-middle attacker uses customer's own authenticated credentials to log into customer's own account as the customer; is thereby able to take money or issue instructions to bank to transfer money (to the attacker's account, or any other account), as the customer or account holder could; Example answer: Customer does not know man-in-the-middle (MITM) is intercepting their communication with their bank; so far as the customer is concerned, they are logging into their bank's website; using a link their bank has provided // entering their own log in credentials as they always do; and as requested, so far as the customer is concerned, by their own bank; the MITM contacts bank using these details and money is paid into their (MITM’s) false bank account; A. customer is lured to a fake website R. repetition of answers given in Question 13.1 A. Any other creditable answer 4 Question Guidance Mark 14 6 marks for AO4 Maximum of 6 marks from: • username and password allocated to authenticated users; • username and password allocated must be kept confidential; • username and password must not be borrowed or shared; • unauthorised users are not allowed remote access; • users must report any loss of accreditation to network security administrator immediately; • accredited access available to all permanent / part-time staff / guests / visitors / vendors / suppliers / contractors; • accredited access subject to application to and approval by network security administrator; • accredited access may be withdrawn at any time should user violate VPN remote access policy; • devices (PC, laptop, tablet, smartphone, etc) must either belong to the business (eg school, college, medical practice, sports centre, etc) or user must ensure their own device is configured to the same standard as a condition of use; • personal devices are subject to the same rules and regulations that govern any device belonging to the business; • all users agree to collection of metadata detailing connection, time, IP address / duration, etc; • users should log off if not using system / will be disconnected after 30 minutes of inactivity; • appropriate usage/compliance requirements; A. Any other creditable answer 6 Question Guidance Mark 15.1 3 marks for AO5 1 mark for each appropriate point, up to a maximum of 3 marks. Examples include: • attacks are commonplace so it’s important to have a plan in place to counters those threats; • establishing procedures should keep the network more secure; • avoidance of business disruption / routine delivery of goods and services / (avoidance of) loss of business / common (preventative) standards (for all) / improves operations; • protection of business reputation / common protection protocols (for all) from known threats and vulnerabilities / common access controls • (enhances) compliance / protection of customer data / protection from malware; • GDPR / DPA / fines / statutory requirements / legal ramifications / minimises catastrophic data events; • secure (remote) access, 24-7 flexible working; A. any reference to furthering understanding (eg business / security / compliance, etc); 3 15.2 3 marks for AO5 Maximum of 3 from: • email usage / encryption of sensitive data; • internet usage; • password security; • user authentication standards/procedures; • (software / hardware) protocols; • (protection of) business assets; • CYOD / BYOD / device usage; • social media usage; • incident reporting / disruption / downtime; • measure & controls / end-to-end security; • remote working; • end-user training requirements; • how to secure / security of data; A. Any other creditable answer 3 Question Guidance Mark 16.1 6 marks for AO2 Maximum of 1 mark for: • username or password; • (at its simplest, most commonly) requires ID and password combination; R. password alone Maximum of 1 mark for: • (user) ID / passcode / PIN (number) / OTP / hard token / fob; • biometrics / authenticator apps etc; Maximum of 4 marks from: • identifies an individual / validates users; • identity enables connection to network / network resource; • and the level of access granted; • (adding more) authentication factors improve security; • uses a database of accepted identifiers / credentials • authenticates the user, not the device; • expansion points;; R. 'authenticates the user' alone (ie without reference to how) A. Any other creditable answer 6 Question Guidance Mark 16.2 9 marks for AO2 9 Level Description Mark Range 3 Candidate clearly explains how effective protocols are in maintaining and promoting networked communication while prioritising security over network communications, may make reference to HTTPS, SSL and SFTP, includes appropriate reference to OSI model; includes appropriate reference to or examples of authentication and appropriate technical references eg data packets, details fundamental role of TCP/IP protocol 7 – 9 2 Candidate makes some attempt to explain how protocols maintain networked communication, makes reference to networking protocols, including named network communication protocols / basic data communication protocols eg TCP/IP and HTTP includes appropriate reference to OSI model, and other relevant examples, including some reference to TCP/IP and some technical reference eg IP headers 4 – 6 1 Candidate gives a general description of networked communication with few supporting references or examples 1 – 3 No creditworthy content 0 Indicative content: • establishes rules for devices to communicate • uses common language between devices • error detection and correction • protocols identify the computer or device / makes connections between the computer or device • WPA / WPA2 are protocols used to establish and maintain secure (Wi-Fi) networks // enhanced WPA / WPA 2 due to enhanced encryption R. reference to enhanced password encryption alone • transfers authentication data between two (or more) devices / specifies how data is packaged into messages (sent and received) / defines rules, procedures, formats, conventions for communication / defines communication between two (or more) devices • TCP/IP is the fundamental communication protocol /enables computers to communicate in a simple way / TCP sends message / message returns an IP header giving location and IP address destination • authenticates the connecting entity / eg authenticates a client connecting to a server (or server to a client) / enables devices to identify and make connections with each other • provides the information needed for authentication / using correct syntax • (the most) important layer of protection for secure communication (within computer networks) / dictates end to end process / ensure secure and managed data (network communication) • protocols exist for hardware and software, individually and combined • vital to keep protocols up to date • www / Internet uses HTTP to send messages (around globe) / URL transmits messages by HTTP to the web server / web server responds and delivers search results • can encrypt data between various devices // can encrypt router to router; • secures against unauthorised / illegitimate attempt(s) to review / extract data; Question Guidance Mark 17.1 6 marks for AO1 Maximum of 6 marks. RISK 1 mark for each explanation/expansion, up to a maximum of 3 marks. Examples include: • data breaches can cause loss of confidence in a business / loss of customers / loss of business revenue / loss of business reputation; • data breaches can cause harm to individuals / information gained may be used by attacker to commit fraud; • data breach only serious if it includes an individual's name and other personal information / if breach included card data (eg financial transactions) but not customer's name then breach will be deemed not so serious; MITIGATE & CONTROL 1 mark for each explanation/expansion, up to a maximum of 3 marks. • retailer cannot AVOID risk (it has happened); • retailer must REDUCE the impact of events / by seeking to mitigate and control the publicity / control narrative (eg by advertising in newspaper who may be criticising them editorially / framing as ‘in the past’) / thereby reducing the potential for loss of business / customers / revenue / reputation; • convince the public that the situation has been analysed / risk identified / and control of data re-established; • retailer is thereby REDUCING the likelihood of events; A. Any other creditable answer 6 17.2 9 marks for AO1 Level Description Mark Range 3 Candidate clearly explains personal data breach AND theft of information / unauthorised access / legal remedy, acknowledges and explains harmful nature of unauthorised access, makes reference to appropriate legislation by name AND cites relevant content 7 – 9 2 Candidate makes some attempt to explain personal data breach and / or theft of information / unauthorised access / legal remedy and is clear that such access is harmful to individuals and / or can be used to commit fraud, there is some reference to appropriate legislation, by name or by content 4 – 6 1 Candidate gives a general description of personal data breach and / or theft of information / unauthorised access / legal remedy, with little by way of explanation or relevant example 1 – 3 No creditworthy material 0 Indicative content: INVOLVEMENT OF LAW FIRM • personal data breach / unauthorised disclosure of or access to personal data / punishable by law • data breaches can cause harm to individuals / information gained may be used by attacker to commit fraud / data breach deemed serious if it includes an individual's name and other personal information / law firm will seek apology or compensation or both • Data Protection Act (2018) / stronger sanctions for malpractice / specific reference to the processing of personal data / allows Data Commissioner to levy additional fines on data controllers and processors for the most serious data breaches / up to £17m or 4% of global turnover • The larger the number (of breaches) / the greater the access to personal data / the greater the (potential) fine / punitive damages LEGISLATION Computer Misuse Act (1990) • designed to protect against attack / theft of information • three offences identified in this Act / one is HACKING / unauthorised access to computer material from outside organisation Data Protection Act (2018) • updates UK's data protection laws /applies EU's GDPR standards • sets new standards for protecting data / stronger sanctions for malpractice • specific reference to law enforcement processing / specific reference to the processing of personal data • allows Data Commissioner to levy additional fines on data controllers and processors for the most serious data breaches / up to £17 m or 4% of global turnover R. reference to Communications Act (2003) Assessment Outcomes Question AO1 AO2 AO3 AO4 AO5 Question Total SECTION A 1 1a (1) 1 2 2c (1) 1 3 2d (1) 1 4 3c (1) 1 5 4b (1) 1 6 2a (2) 2 7 2e (4) 4 8 4b (4) 4 9.1 1b (2) 2 9.2 1b (2) 2 10.1 3c (2) 2 10.2 3c (1) 1 11 3b (4) 4 12 3a (6) 6 13.1 1c (2) 2 13.2 1c (4) 4 14 4a (6) 6 15.1 4c (3) 3 15.2 4c (3) 3 Total A 11 8 14 11 6 50 SECTION B 16.1 2c (6) 6 16.2 2d (9) 9 17.1 1c (6) 6 17.2 1d (9) 9 Total B 15 15 0 0 0 30 Total A+B 26 23 14 11 6 80