Set Task Electronic Template – Unit 11
Task A - Activity 2 Template: Cyber security plan for the networked system
Use the section headings below for each protection measure.
1) Threat(s) addressed by the protection measure
2) Details of action(s) to be taken
3) Reasons for the actions
4) Overview of constraints – technical and financial
5) Overview of legal responsibilities
6) Overview of usability of the system
7) Outline cost-benefit
8) Test plan
Protection measure 1.
Threats addressed – 5. Network access by guest and staff mobile devices could be an attack
vector due to misconfigured SSID or encryption on Wi-Fi. Size of loss. Major.
Actions to be taken:
Ensure that Staff WAP is configured with WAP2 and has a strong password.
Additionally use a Mac address in order to white list staff on WAP.
For both staff and guest WAP enter correct SSID and key.
Reasons for actions:
The separate guest WAP should be configured so that access to the access to the WAP only
allows for access to a restricted area of the BCTAA network, such as the internet.
By integrating a strong password on the Staff WAP it will increase the difficulty of attackers
being able to gain unauthorised network access.
The use of a Mac access list would only for only pre-approved devices to connect to the Staff
network which increases security and limits the number of devices able to connect.
A misconfigured SSID could result in guests attempting to connect to the wrong network, and
potentially raising a security alert.
Also a misconfigured WAP2 and key could restrict the functionality of the network and leave
points of weakness for attackers to exploit.
Constraints:
Technical: MAC white list. Medium. The list would be simple to set up but would have to be
propagated to all staff WAPs. There may be a physical limit however on the on the size of the
list the staff WAP will allow therefore there is a possibility of not enough space for all staff
devices.
Financial: minimal. The staff WAP will most likely already include a MAC list capability
therefore the financial constraint should be minimalistic.
Legal responsibilities:
None as long as confidential data is protected by other means such as encryption.
Usability: medium if MAC lists are included, however the enforcement of strong passwords
may cause some logon errors such as locked accounts.
Cost – benefit. The possibility of a major system intrusion heavily outweighs the small cost
required to implement the protection plan. The use a MAC lists is very desirable however it
should be measured against the number of staff devices which require access to the network
and the frequency at which they may change.
, Test plan
Test Test description Expected outcome Possible further
No action following
test
1 Select guest SSID, Only authorised areas of the
Logon to guest WAP and network will be available.
attempt to Access the
BCTAA network.
2 Attempt to logon to staff Logon screen requesting Repeat the test with
WAP. password should be displayed. each staff WAP to
Logon succeeds with correct ensure that WAP2
password. and SSID has been
configured correctly
for each.
3. When MAC list is used, Only listed devices will log on. Repeat the test with
attempt staff logon to each staff WAP to
staff WAP, with listed ensure the list has
and unlisted devices. been properly
integrated.
Protection measure 2.
Threats addressed – 2, 3, 7 Attack via electronic door control system, misconfigured firewall,
size of loss. Major.
Actions to be taken:
Install active firewall if not already installed in the routers.
Configure internet firewall to allow access via ports required by the electronic door control
system chosen. If possible change the ports from the default ones.
Network address translation to forward the electronic door control to the correct electronic
door control system server.
Configure electronic door control system server.
For the WI-FI router, open ports 80, 443 and 993 only.
Reasons for actions:
Attacks on commonly use ports are frequent and automated therefore it is important to install
a firewall in order to block and ignore pings unless the relevant port has been opened. Open
ports for known software invites further, more targeted attacks. Changing the port number
will resist automated attacks as the attack will be trying to compromise a software normally
found using the new port.
For the WI-FI router ports 80, 443 and 993 allow http, https and email functions.
Constraints:
Technical: Minimal. Setup and configuration of firewalls are simple and walk through are
freely available.
Financial: Minimal. A commercial quality router will almost always include a firewall
Legal responsibilities: None as long as the data is protected by other means such as encryption.
Usability: Minimal, as the installation of the firewall should only block malicious attacks.
Task A - Activity 2 Template: Cyber security plan for the networked system
Use the section headings below for each protection measure.
1) Threat(s) addressed by the protection measure
2) Details of action(s) to be taken
3) Reasons for the actions
4) Overview of constraints – technical and financial
5) Overview of legal responsibilities
6) Overview of usability of the system
7) Outline cost-benefit
8) Test plan
Protection measure 1.
Threats addressed – 5. Network access by guest and staff mobile devices could be an attack
vector due to misconfigured SSID or encryption on Wi-Fi. Size of loss. Major.
Actions to be taken:
Ensure that Staff WAP is configured with WAP2 and has a strong password.
Additionally use a Mac address in order to white list staff on WAP.
For both staff and guest WAP enter correct SSID and key.
Reasons for actions:
The separate guest WAP should be configured so that access to the access to the WAP only
allows for access to a restricted area of the BCTAA network, such as the internet.
By integrating a strong password on the Staff WAP it will increase the difficulty of attackers
being able to gain unauthorised network access.
The use of a Mac access list would only for only pre-approved devices to connect to the Staff
network which increases security and limits the number of devices able to connect.
A misconfigured SSID could result in guests attempting to connect to the wrong network, and
potentially raising a security alert.
Also a misconfigured WAP2 and key could restrict the functionality of the network and leave
points of weakness for attackers to exploit.
Constraints:
Technical: MAC white list. Medium. The list would be simple to set up but would have to be
propagated to all staff WAPs. There may be a physical limit however on the on the size of the
list the staff WAP will allow therefore there is a possibility of not enough space for all staff
devices.
Financial: minimal. The staff WAP will most likely already include a MAC list capability
therefore the financial constraint should be minimalistic.
Legal responsibilities:
None as long as confidential data is protected by other means such as encryption.
Usability: medium if MAC lists are included, however the enforcement of strong passwords
may cause some logon errors such as locked accounts.
Cost – benefit. The possibility of a major system intrusion heavily outweighs the small cost
required to implement the protection plan. The use a MAC lists is very desirable however it
should be measured against the number of staff devices which require access to the network
and the frequency at which they may change.
, Test plan
Test Test description Expected outcome Possible further
No action following
test
1 Select guest SSID, Only authorised areas of the
Logon to guest WAP and network will be available.
attempt to Access the
BCTAA network.
2 Attempt to logon to staff Logon screen requesting Repeat the test with
WAP. password should be displayed. each staff WAP to
Logon succeeds with correct ensure that WAP2
password. and SSID has been
configured correctly
for each.
3. When MAC list is used, Only listed devices will log on. Repeat the test with
attempt staff logon to each staff WAP to
staff WAP, with listed ensure the list has
and unlisted devices. been properly
integrated.
Protection measure 2.
Threats addressed – 2, 3, 7 Attack via electronic door control system, misconfigured firewall,
size of loss. Major.
Actions to be taken:
Install active firewall if not already installed in the routers.
Configure internet firewall to allow access via ports required by the electronic door control
system chosen. If possible change the ports from the default ones.
Network address translation to forward the electronic door control to the correct electronic
door control system server.
Configure electronic door control system server.
For the WI-FI router, open ports 80, 443 and 993 only.
Reasons for actions:
Attacks on commonly use ports are frequent and automated therefore it is important to install
a firewall in order to block and ignore pings unless the relevant port has been opened. Open
ports for known software invites further, more targeted attacks. Changing the port number
will resist automated attacks as the attack will be trying to compromise a software normally
found using the new port.
For the WI-FI router ports 80, 443 and 993 allow http, https and email functions.
Constraints:
Technical: Minimal. Setup and configuration of firewalls are simple and walk through are
freely available.
Financial: Minimal. A commercial quality router will almost always include a firewall
Legal responsibilities: None as long as the data is protected by other means such as encryption.
Usability: Minimal, as the installation of the firewall should only block malicious attacks.
