
Unit: Network Security and Cryptography
Assignment title: Star Shredding
September 2018

Marking Scheme
Markers are advised that, unless a task specifies that an answer be provided in a
particular form, then an answer that is correct (factually or in practical terms) must be
given the available marks. If there is doubt as to the correctness of an answer, the relevant
NCC Education materials should be the first authority.

This marking scheme has been prepared as a guide only to markers and there will
frequently be many alternative responses which will provide a valid answer.

Each candidate’s script must be fully annotated with the marker’s comments (where
applicable) and the marks allocated for each part of the tasks.
Task 1 (Maximum marks: 10)

The term "information assets" has been limited to electronic assets, the most valuable of which will be data. This section is aimed at students identifying what is of real value in the company and the risks associated with it. Since remote access to data via tablets is the main sales channel, risks to it should be considered as high. Highest value data will be business critical (contract, employee personal data, and customer data).

a) Award 2 marks for identifying appropriate assets.
b) Award 5 marks for identifying appropriate threats, which should include accidental, system and malicious threats: malware, eavesdropping on transmitted data, external hacking, internal threats (e.g. weak access control, policies), equipment failure, DoS attacks, phishing. Availability issues are very important for sales access, and confidentiality particularly for finance and systems containing personal data (e.g. payments). Legal compliance issues (data protection).
c) Award 2 marks for making a reasonable assessment of likelihood and impact.
d) Award 1 mark for applying the risk matrix correctly.

Since ecommerce is projected to be the main sales channel, risks to it should be considered as high. Highest value data will be business critical (contract, employee personal data, customer data, ecommerce site (product data)).

Page 2 of 5
Network Security and Cryptography © NCC Education Limited 2018
Task 2 (Maximum marks: 45)

a) Award 2 marks for each bullet point (up to 30 marks). This will depend on the threats that they have identified:

Internal
• Acceptable use policies, contracts, InfoSec policy.
• Strong password (technical) policies.
• Access controls on folders.
• Restrictions on downloads; limit exchangeable media, Dropbox etc.
• Monitoring.
• Loss of tablet: encryption/remote wipe.

System
• Resilience – backup, redundant hardware, UPS etc.
• Cloud services (e.g. Office365) for some information (depends on the service level agreement/trust as to what level of critical data is hosted in the cloud).
• Upgrading Win Server 2012 to 2016.

External
• Malware: anti-malware.
• Eavesdropping or spoofed web sites: TLS.
• Website vulnerabilities – SQL injection/XSS/PHP/non-default configuration, patching – regular pentest/vulnerability analysis is worthwhile.
• Secure configuration of systems to avoid defaults/hardening.
• Encryption of sensitive data at rest and in transit (email/file transfer).
• Firewall/DMZ/proxy to control traffic.
• Patch management.
• Phishing: spam filter/anti-malware/training.
• Vulnerability assessment.

b) Relevance of other standards (up to 5 marks)
• They should point out that the Cyber Essentials and 10 Steps have all been incorporated – a useful checklist! (2 marks)
• BMIS is a systemic approach, which could be implemented over time, integrating security into the business. Award 3 marks for any reasonable discussion that doesn't state it should be ignored!

c) Encryption (up to 10 marks)
1) VPN (site to site) for remote access.
2) VPN for remote users (via Surface).
3) Symmetric encryption for critical data at rest (EFS).
4) Critical discussion of any alternatives.

Task 3 (Maximum marks: 30)

a) Diagram (12 marks)
Award up to 2 marks for each bullet point up to a maximum of 12 marks. The diagram should show:
• Firewall in the correct location (perimeter); regional offices with a combined router/firewall.
• DMZ including mail server and web server (if not hosted in the cloud).
• Internal networks: domain controller.
• UPS.
• Backup system; redundant hardware is necessary as availability is a key issue.
• A good answer will separate out the email server from the DC.
• Good answers will show a virtual secure connection for remote access (VPN).
• Clearly labelled routers/switches.

b) IP addressing etc. (8 marks)
• Private IPs and NAT (PAT) on the internal network except servers. Static NAT is acceptable in the DMZ (4 marks).
• Valid IPs with subnet masks (2 marks).
• Brief explanation of NAT expected (2 marks).

c) Justification (10 marks)
Award 2 marks for each point that relates a feature of the network solution to the risks in Task 1.
Note: Award 2 marks for any valid alternatives given.

Task 4 (Maximum marks: 8)
Award up to 2 marks for each bullet point up to a maximum of 8 marks:
• Training
• Policies – for staff and students
• Vulnerability assessment
• Other audit.

Task 5 (Maximum marks: 7)
Award up to 7 marks for a justified reflective commentary.

Total: 100 Marks

Learning Outcomes matrix

Task | Learning Outcomes assessed | Marker can differentiate between varying levels of achievement
1 | 6, 5 | Yes
2 | 1, 2, 3, 4, 6, 8, 9 | Yes
3 | 1, 2, 3, 4, 7, 8, 9 | Yes
4 | 5, 6 | Yes
5 | All | Yes

Grade descriptors

Learning outcome: Understand the most common types of cryptographic algorithm
  Pass: Demonstrate adequate understanding of common types of cryptographic algorithm
  Merit: Demonstrate robust understanding of common types of cryptographic algorithm
  Distinction: Demonstrate highly comprehensive understanding of common types of cryptographic algorithm

Learning outcome: Understand the Public-key Infrastructure
  Pass: Demonstrate adequate level of understanding
  Merit: Demonstrate robust level of understanding
  Distinction: Demonstrate highly comprehensive level of understanding

Learning outcome: Understand security protocols for protecting data on networks
  Pass: Demonstrate adequate understanding of security protocols
  Merit: Demonstrate robust understanding of security protocols
  Distinction: Demonstrate highly comprehensive understanding of security protocols

Learning outcome: Be able to digitally sign emails and files
  Pass: Demonstrate ability to perform the task
  Merit: Demonstrate ability to perform the task consistently well
  Distinction: Demonstrate ability to perform the task to the highest standard

Learning outcome: Understand Vulnerability Assessments and the weakness of using passwords for authentication
  Pass: Demonstrate adequate level of understanding
  Merit: Demonstrate robust level of understanding
  Distinction: Demonstrate highly comprehensive level of understanding

Learning outcome: Be able to perform simple vulnerability assessments and password audits
  Pass: Demonstrate ability to perform the task
  Merit: Demonstrate ability to perform the task consistently well
  Distinction: Demonstrate ability to perform the task to the highest standard

Learning outcome: Be able to configure simple firewall architectures
  Pass: Demonstrate adequate level of understanding and ability
  Merit: Demonstrate robust level of understanding and ability
  Distinction: Demonstrate highly comprehensive level of understanding and ability

Learning outcome: Understand Virtual Private Networks
  Pass: Demonstrate adequate level of understanding
  Merit: Demonstrate robust level of understanding
  Distinction: Demonstrate highly comprehensive level of understanding

Learning outcome: Be able to deploy wireless security
  Pass: Demonstrate ability to perform the task
  Merit: Demonstrate ability to perform the task consistently well
  Distinction: Demonstrate ability to perform the task to the highest standard

