Assignment title: Star Shredding
September 2018
Marking Scheme
Markers are advised that, unless a task specifies that an answer be provided in a particular form, then an answer that is correct (factually or in practical terms) must be given the available marks. If there is doubt as to the correctness of an answer, the relevant NCC Education materials should be the first authority.

This marking scheme has been prepared as a guide only to markers and there will frequently be many alternative responses which will provide a valid answer.

Each candidate’s script must be fully annotated with the marker’s comments (where applicable) and the marks allocated for each part of the tasks.
Task    Guide    Maximum Marks
1 The term information assets has been limited to electronic assets, the most valuable of which will be data. This section is aimed at students identifying what is of real value in the company and the risks associated with it. Since remote access to data via tablets is the main sales channel, risks to it should be considered as high. Highest value data will be business critical (contract, employee personal data, and customer data).
a) Award 2 marks for identifying appropriate assets.
b) Award 5 marks for identifying appropriate threats, which should include accidental, system and malicious threats (malware, eavesdropping on transmitted data, external hacking, internal threats (e.g. weak access control, policies), equipment failure, DoS attacks, phishing). Availability issues are very important for sales access, and confidentiality particularly for finance and systems containing personal data (e.g. payments). Legal compliance issues (data protection).
c) Award 2 marks for making a reasonable assessment of likelihood and impact.
d) Award 1 mark for applying the risk matrix correctly.
Network Security and Cryptography © NCC Education Limited 2018
2 a) Award 2 marks for each bullet point. This will depend on the threats that they have identified. (Maximum: up to 30 marks)
Internal
• Acceptable use policies, contracts, InfoSec policy.
• Strong password (technical) policies.
• Access controls on folders.
• Restrictions on downloads; limit exchangeable media, Dropbox etc.
• Monitoring.
• Loss of tablet: encryption/remote wipe.
System
• Resilience – backup, redundant hardware, UPS etc.
• Cloud services (e.g. Office365) for some information (depends on service level agreement/trust as to what level of critical data are hosted in the cloud).
• Upgrading Win Server 2012 to 2016.
External
• Malware: anti-malware.
• Eavesdropping or spoofed web sites: TLS.
• Website vulnerabilities – SQL injection/XSS/PHP/non-default configuration, patching – pentest/vulnerability analysis on a regular basis is worthwhile.
• Secure configuration of systems to avoid defaults/hardening.
• Encryption of sensitive data at rest and in transit (email/file transfer).
• Firewall/DMZ/proxy to control traffic.
• Patch management.
• Phishing: spam filter/anti-malware/training.
• Vulnerability assessment.
c) Encryption (Up to 10 marks)
3 a) Diagram (12 marks)
Award up to 2 marks for each bullet point up to a maximum of 12 marks. The diagram should show:
• Firewall in correct location (perimeter); regional offices combined router/firewall.
• DMZ including mail server and web server (if not hosted in cloud).
• Internal networks: domain controller.
• UPS.
• Backup system. Redundant hardware necessary as availability is a key issue.
• A good answer will separate out the email server from the DC.
• Good answers will show a virtual secure connection for remote access (VPN).
• Clearly labelled routers/switches.
b) IP addressing etc. (8 marks)
• Private IPs and NAT (PAT) on internal network except servers. Static NAT ok in DMZ (4 marks).
• Valid IPs with subnet masks (2 marks).
• Brief explanation of NAT expected (2 marks).
c) Justification (10 marks)
Award 2 marks for each point that relates a feature of the network solution to the risks in Task 1.
Note: Award 2 marks for any valid alternatives given. (Task 3 total: 30 marks)
4 (8 marks) Award up to 2 marks for each bullet point up to a maximum of 8 marks:
• Training
• Policies – for staff and students
• Vulnerability assessment
• Other audit.
5 (7 marks) Award up to 7 marks for a justified reflective commentary.
Total: 100 Marks
Learning Outcomes matrix
Grade descriptors