
Unit: Network Security and Cryptography Assignment Title: Beautiful Bagels Spring 2019

network security assignment of ncc

Uploaded by

nixon123

Unit: Network Security and Cryptography

Assignment title: Beautiful Bagels
Spring 2019

Important notes
• Please refer to the Assignment Presentation Requirements for advice on how
to set out your assignment. These can be found on the NCC Education
website. Click on ‘Policies & Advice’ on the main menu and then click on
‘Student Support’.
• You must read the NCC Education documents What is Academic
Misconduct? Guidance for Candidates and Avoiding Plagiarism and
Collusion: Guidance for Candidates and ensure that you acknowledge all the
sources that you use in your work. These documents are available on the
NCC Education website. Click on ‘Policies & Advice’ on the main menu and
then click on ‘Student Support’.
• You must complete the Statement and Confirmation of Own Work. The form
is available on the NCC Education website. Click on ‘Policies & Advice’ on
the main menu and then click on ‘Student Support’.
• Please make a note of the recommended word count. You could lose marks
if you write 10% more or less than this.
• You must submit a paper copy and digital copy (on disk or similarly
acceptable medium). Media containing viruses, or media that cannot be run
directly, will result in a fail grade being awarded for this assessment.
• All electronic media will be checked for plagiarism.
Scenario
Beautiful Bagels is a well-established chain of 20 shops throughout the South of England.
There is also a small head office which houses the management and administration team.
This team deals with back-office functions of HR, purchasing, finance, IT and marketing.
Each shop has a permanent full-time manager and the remaining staff are part time. The
chain is run from the central head office and the shop managers have little say over what
their shop sells or how it is run. However, they are responsible for stock management and
any variations to standard orders.
The company has a simple responsive website for marketing purposes, which allows
customers to find the locations of its cafes. It is hosted by their ISP.

Current Technology
Beautiful Bagels has been trading for over 20 years, and whilst it has updated various
aspects of its IT systems, its IT architecture reflects a pre-cloud model.
Each shop has an EPOS system which connects to a PC and local printer, to provide
some basic reports. The PC is also connected to the Internet via Cat-5 cable and a router.
Card payments are processed via WorldPay through a Wi-Fi portable card reader. The
Wi-Fi uses 802.11n.
The head office has a 100BASE-TX LAN connected via a router to the Internet. This
contains a server which is configured as a domain controller running Windows Server
2008 R2 which hosts financial systems (Sage), order processing, email (Microsoft
Exchange) and human resources (employee) data. Office staff have PCs running
Windows 10 Professional. All computers have individual host-based firewalls and anti-virus
software installed.
The company has a content management system (WordPress) website for marketing with
a contact form and blog, which is also hosted by their ISP. Marketing staff access the site
via a web portal and update the news and blog on a regular basis.
Like many other eateries, Beautiful Bagels offers free Internet access whilst you are
visiting. However, the CEO recently read an article about the security dangers for the
public in using open Wi-Fi hotspots. The article explained how a hacker could set up a
small black device with an antenna on it, called a Wi-Fi pineapple, connected to a
laptop PC.
The Wi-Fi pineapple can act as a "Hot-spot Honeypot" that attracts the tablets,
smartphones and laptops looking to connect to Wi-Fi, making users believe they are
actually connecting to the network of the place they’re visiting. Visitors’ internet
connections are therefore intercepted.
The article emphasized that digital identity fraud is an increasingly common problem. The
prevalence of open, unprotected Wi-Fi networks makes it extremely easy for
cybercriminals. Furthermore, the device, with a rechargeable lithium battery and magnets
on the back, could be attached to many surfaces in public spaces. The box could also
easily be designed to plug into a hidden wall outlet under a hotel hallway bench, for
instance.
The final piece of advice in the article was simply “It is not advisable to use open WiFi
networks in public places”.

Network Security and Cryptography Page 2 of 6 © NCC Education Limited 2019


Beautiful Bagels’ owners take pride in providing excellent service and are concerned and
conscious of gaining a bad reputation and losing business, if hacking of their customers’
devices is happening on their premises.
The article raised the CEO’s awareness of this threat, and of security in general. He wants to
understand the problem better and to make his staff and customers aware of the potential
issues and what they can do to protect themselves. He also wants to ensure Beautiful
Bagels protect their other systems.
The CEO has therefore called you in as a consultant to help him secure his business and
provide safe Wi-Fi networking for customers. He now states that information security is
‘top priority’.
In your discussions with the CEO and the IT manager you discover that:
• There are no company policies in relation to information security;
• The company have not considered the issue of ownership of information and data,
and corresponding access rights;
• The email is not hosted by an ISP, but on a server running MS Exchange in the
LAN, however the company website is hosted by the ISP;
• The CEO wants to know if a new cloud-based solution would be better for business
and security. He would be prepared to replace all the company hardware in shops
and any changes required in the head office for such a system;
• The company has just purchased a mobile coffee cart and would like to ensure that
it is able to offer consistent services.
The CEO has been looking to identify ‘best practice’ and has discovered ISO27001, the
Government’s ‘Cyber Essentials’ programme and ‘10 steps to Cyber Security’ guidance
from the National Cyber Security Centre. He is not sure of the difference but likes the idea
of adhering to an international standard.
As the InfoSec consultant, your terms of reference are: To identify the key security
challenges faced by the company and recommend solutions. Particular focus should
be paid to the relative security benefits of a cloud-based solution.



Task 1 – Risk Assessment (10 Marks)
As a security professional, you point out that the most effective approach is to start with a
risk assessment, so that the most valuable information assets can be prioritised. This
ensures that security measures are put in place in the most cost-effective way.
This section of the report should be approximately 250 words.

a) Analyse the scenario and identify FIVE (5) important electronically held information
assets relating to Beautiful Bagels.
b) Create a table (see below) which lists the assets. For each asset identify the main
security threats that you think could affect its confidentiality (C), integrity (I) or
availability (A). Remember, threats can be accidental as well as malicious. There are
likely to be multiple threats for each asset and the same threats are likely for several
assets.
Asset (a)          Threat (b)       CIA? (b)   Likelihood (c)   Impact (c)   Risk (d)
E.g. customer      Server failure   A          Low              Medium       Low
personal data      Theft            C          Low              High         Medium

c) Complete the columns of the table by assessing the likelihood of the threat being
successful and the impact that it would have on the company. In this scenario, you
should consider Low/Medium and High definitions as follows:
          Likelihood                       Impact
Low       Less than once per year          Inconvenience may affect operation for a day or two
Medium    Once per year to once per week   Operation may be impacted for over a week, loss of customers.
High      Several times a week             Company may not survive – lost reputation and customers

d) Now complete the Risk column by using the following Risk matrix.
                          Impact
                     Low        Medium     High
Likelihood  Low      Very Low   Low        Medium
            Medium   Low        Medium     High
            High     Medium     High       Very High

A completed table will look something like this:


Asset              Threat           CIA?   Likelihood   Impact   Risk
E.g. employee      Server failure   A      Low          Medium   Low
personal data      Employee theft   C      Low          High     Medium
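
Steps (c) and (d) of Task 1 carried through in code, as an added example that is not part of the NCC Education brief: an estimated frequency is banded with the Low/Medium/High definitions, the risk matrix gives the risk, and the register is ranked so the highest risks are treated first. The names likelihood_band, Entry and prioritise, the yearly frequencies and the last two register rows are assumptions made for illustration.

```python
from dataclasses import dataclass

RISK_ORDER = ("Very Low", "Low", "Medium", "High", "Very High")
# Task 1(d) matrix, indexed RISK_MATRIX[likelihood][impact].
RISK_MATRIX = {
    "Low":    {"Low": "Very Low", "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",      "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium",   "Medium": "High",   "High": "Very High"},
}

def likelihood_band(events_per_year: float) -> str:
    """Band an estimated frequency using the Task 1(c) definitions."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year < 1:
        return "Low"      # less than once per year
    if events_per_year <= 52:
        return "Medium"   # once per year to once per week
    return "High"         # assumption: above weekly counts as "several times a week"

@dataclass(frozen=True)
class Entry:
    asset: str
    threat: str
    cia: str                # which of C, I, A the threat affects
    events_per_year: float  # assessor's estimate (assumed input)
    impact: str             # Low / Medium / High

    @property
    def likelihood(self) -> str:
        return likelihood_band(self.events_per_year)
    @property
    def risk(self) -> str:
        return RISK_MATRIX[self.likelihood][self.impact]

def prioritise(register):
    """Highest risk first; equal risks keep their register order."""
    return sorted(register, key=lambda e: RISK_ORDER.index(e.risk), reverse=True)

# Constructed register: the first two rows mirror the brief's example, the rest are invented.
REGISTER = [
    Entry("customer personal data", "Server failure", "A", 0.5, "Medium"),
    Entry("customer personal data", "Theft", "C", 0.2, "High"),
    Entry("order processing data", "Accidental deletion", "IA", 12, "Medium"),
    Entry("email (Exchange)", "Malware outbreak", "CIA", 4, "High"),
]
if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"{e.risk:9} {e.asset:24} {e.threat:20} {e.cia:3} {e.likelihood:6} {e.impact}")
```

Each step along either axis of the matrix raises the risk by one level, so a rare threat with High impact ranks level with a weekly one whose impact is Low.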



Task 2 – Explaining Risk Control (45 Marks)
Once you have identified the highest risks, you need to make recommendations of how to
control those risks, i.e. what security you will put in place. Some controls will be technical,
others will involve policies or management actions.
a) Discuss each of the threats you have identified and explain what security you
recommend putting in place to reduce the risk of that threat. For the highest grades
you should consider alternatives where they exist and justify your choice. Where
you use a technical term, you should explain it.
b) Briefly discuss the relevance of the recommendations of Cyber Essentials, the ‘10
steps to Cyber Security’ and ISO27001.
c) Where you use encryption, explain why you recommend it and state the protocol or
encryption algorithm that you recommend.
This section of the report should be approximately 750 words.

Task 3 – Network Diagram (30 Marks)


The scenario provided an outline of the main existing network components, excluding
printers and switches. The existing system has security vulnerabilities and your risk
assessment should have identified methods of controlling the risks. You now need to
prepare a diagram to show how to secure the network. Make sure you are clear where the
software and hardware are located.
You should select either a new Cloud-based solution or updated site-based solution
(with justification). These must be consistent with your risk assessment/ controls.
a) Draw a network diagram, showing network components of the company head office
and two cafes. Include also the mobile coffee cart. Each client PC need not be
shown, but all other components should be included.
b) Your diagram should include suitable (invented, but realistic) IP addresses.
c) Make sure that you explain how the network design meets the security
requirements that you identified in Tasks 1 & 2. Any alternatives should be briefly
discussed.
This section of the report should be approximately 450 words.

Task 4 – Customer Wi-Fi (8 Marks)


A major concern was for improved security for customer Wi-Fi. Explain any actions you
would recommend for helping customers and shop staff avoid threats such as those you
have identified above.
This section of the report should be approximately 150 words.



Task 5 – Reflective commentary (7 Marks)
You should use this section to reflect on what you learned from completing the
assignment.
a) Explain any problems you had and how you went about solving them.
b) Explain anything you would do differently if you were to start it again.
This section of the report should be approximately 150 words.

Submission requirements
• The report should be professionally presented, checked and proofed. In addition,
the report should be presented in a format and style appropriate for your intended
audience. You must also include a list of references and you must always use
correct Harvard referencing and avoid plagiarism throughout your work.
• Your answers to the tasks should be combined in a single word-processed report
with an appropriate introduction. The report should be 1750 words +/- 10% in
length (excluding tables).
• All references and citations must use the Harvard Style.
• You must submit a paper copy and digital copy (on disk or similarly acceptable
medium).

Candidate checklist
Please use the following checklist to ensure that your work is ready for submission.

• Have you read the NCC Education documents What is Academic Misconduct?
Guidance for Candidates and Avoiding Plagiarism and Collusion: Guidance for
Candidates and ensured that you have acknowledged all the sources that you have
used in your work?
• Have you completed the Statement and Confirmation of Own Work form and
attached it to your assignment? You must do this.
• Have you ensured that your work has not gone over or under the recommended
word count by more than 10%?
