OCR LEVEL 3 CAMBRIDGE TECHNICAL

Transcription

1 Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10

2 NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 AIM AND PURPOSE OF THE UNIT On completion of this unit learners will know the range of network attacks, where they originate and why. Learners will be able to use this information to develop an understanding of the ways in which networks can be protected and how organisations can avoid or reduce their risk of attack and plan security procedures to protect the network. Learners will also have the necessary practical skills to configure hardware and software to improve security against attack and carry out tests on systems to confirm that the network system is secure from potential attacks and threats. 2

3 Networked systems security Level 3 Unit 28 ASSESSMENT AND GRADING CRITERIA Learning Outcome (LO) Pass Merit Distinction The learner will: The assessment criteria are the pass requirements for this unit. The learner can: To achieve a merit the evidence must show that, in addition to the pass criteria, the learner is able to: To achieve a distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to: 1 Know the types and sources of network attacks 2 Know about security related hardware and software 3 Understand organisational aspects of network security 4 Be able to apply system security P1 describe how networks can be attacked P2 describe how networked systems can be protected P3 explain what an organisation can do to minimise security breaches in networked systems P4 plan procedures to secure a network P5 configure a networked device or specialist software to improve the security of a network M1 explain reasons why networks can be attacked M2 explain types of security hardware and software which are used to protect networks M3 develop user documentation to enable users to secure a network D1 compare the effectiveness of security measures used by organisations D2 develop a test plan to test the security of the network system 3

4 TEACHING CONTENT The unit content describes what has to be taught to ensure that learners are able to access the highest grade. Anything which follows an i.e. details what must be taught as part of that area of content. Anything which follows an e.g. is illustrative, it should be noted that where e.g. is used, learners must know and be able to apply relevant examples to their work though these do not need to be the same ones specified in the unit content. LO1 - Know the types and sources of network attacks types of threats external hacking internal hacking malware; worms, viruses, spyware, Trojans, time bombs and Denial of Service attacks theft of resources and equipment. reasons for carrying out attacks or hacking into systems cyber terrorism hacktivism espionage, (industrial or international) personal gain disgruntled employees trying to retaliate against the employer. LO2 - Know about security related hardware and software Hardware security systems physical, (e.g. key pad, card entry, surveillance cameras, fingerprint readers, locking equipment cabinets, parallel systems, access control, circuit breakers, fuses) routers switches wireless access point. Software operating system security confidentiality levels integrity of software and data. software security passwords user permissions updates and patches. LANS authentication, (e.g. Wire Equivalence Privacy, WI-FI Protected Access) access control, (e.g. Medium Access Control). encryption symmetric, public key encryption protocols, (e.g. Secure Socket Layer). firewalls hardware anti-virus software. intrusion detection. LO3 - Understand organisational aspects of network security risk assessment to establish minimum levels of access for users clarity and simplicity of security procedures effect of procedures on staff, (i.e. training requirements) implementation/maintenance costs against lost time/ data recovery costs. different types of networks wired Wi-Fi LAN (Local Area Network) WAN (Wide Area Network) MAN (Metropolitan Area Network) CAN (Campus Area Network) serve based networks peer to peer networks. effectiveness of security measures size of organisation type of industry, (e.g. retail, finance, e-commerce etc) external and internal security functions deterrent measures preventative measures. policies guide decision making allow managerial discretion integral part of organisational strategies formulated by top management. procedures drive actions detailed and rigid tactical tools. examples of policies and procedures include: backup 4

5 Networked systems security Level 3 Unit 28 recovery data classification (e.g. public, confidential, commercially sensitive) authentication passwords, usernames biometrics physical security identify passes key cards locked door or locked computer requirements inappropriate website access policies e.g. pornographic and other inappropriate websites mobile technology security copying and downloading of software anti malware measures (e.g. up to date anti-malware software) back up and back up locations data destruction the security software and hardware which can be implemented. LO 4 - Be able to apply system security network security plan document to include: sections: title page with organisation name, system identification, (e.g. name, identification code, name of system security plan owner document version table) system characteristics should include the following: system type system status purpose of system system interconnection and information sharing programs and applications on system. applicable laws or regulations security level protection requirements management controls including certification, accreditation, tasks and milestones, continuous monitoring security planning policy and procedures rules of behaviour software usage restrictions user installed software. operation controls to include: security awareness and training and associated policy and procedures awareness courses security training for users and technical staff security training records configuration change control and monitoring access restrictions. contingency planning contingency policy and procedures contingency plan contingency training contingency plan testing and exercises to be carried out a range of contingency activities, (e.g. alternative storage sites, information system backup, telecommunication services, information system recovery and rebuild) control policies, (e.g. incident response, maintenance, physical access, media protection, personnel security, information input, error handling, spam protection) technical controls, (e.g. access management and enforcement, information flow, separation of duties. Number of attempts at log in, period of time for which failed attempts at log-in will count towards the total permitted number, remote access, wireless access restrictions, control of mobile devices including laptops). test plan create a test plan containing the following headings: test number date of test description of test anticipated test result actual test result issues actions to be taken. the test plan should monitor system security elements including: level of staff training in correct security procedures level of staff awareness of the need for security as stated in the network security plan the level of contingency training what contingency plan testing has take place what contingency exercises have taking place what security issues have been identified and addressed the success or failure of the elements of the security plan the success or failure of the elements of the contingency plan. 5

6 securing networks - hardware use of shielding, (transmission control) intrusion detection, (e.g. alarms) router switch wireless access points. securing networks - software personal access control setting protocols and access levels encryption of files configuring firewalls and anti-virus software. 6

7 Networked systems security Level 3 Unit 28 DELIVERY GUIDANCE Know the types and sources of network attacks Learners must be taught about the different types of threats to network security. This could be delivered through a presentation of the different types of threats and how they affect networks i.e. what do they do. Learners could then research real life examples of the different types of threats. A group discussion could then follow on how these attacks are implemented and why the attacks are instigated e.g. external hacking to extract sensitive information, cyber terrorism attacking particular governments to try and destroy or discredit them. Encouraging learners to research articles or recorded discussions of real-life examples where threats have turned into reality is a way to engage them. They in turn can conduct further research, possibly working in teams, and present other examples, which can be fed back to the whole group through discussion or presentations. The tutor can use this activity to correct any misconceptions and fill in any gaps in the knowledge demonstrated. Know about security related hardware and software Learners must have a good understanding of the constraints and principles for designing network security measures, for example no user should have higher access levels than they need to carry out their legitimate activities. Information relating to the different hardware and software security measures could be presented to the learners through a presentation. An overview of the different security measures could be given, with the learners then having to consider different real life examples of when the different measures are used, e.g. - use of card entry systems to access buildings and rooms, for example the server room for a network is normally protected by a lock or keypad. Learners should be taught about the different hardware and software available to support the securing of a network as per the teaching content. The learners must have an understanding of how hardware and software can be configured and used to secure different types of networks. Tutors can use examples, such as when organisational systems have been unavailable or slow because of the testing or checking. Examples such as these will enable learners to understand why interference with normal processing and usage is one way in which users can become disaffected with security. It is important for learners to understand that security systems which use too much user time or require irrelevant activities to be carried out can cause security plans to: not be implemented properly not be implemented at all circumvented by the user. Understand organisational aspects of network security The tutor could begin by asking learners to review: the knowledge that they have already gathered the restrictions and behaviours that they have to deal with when using the institutional, training or work based information systems creating lists of policies and procedures which these represent. It is important that tutors ensure that learners can differentiate between policies and procedures before embarking on this activity. The learner must be introduced to the range of policies and procedures which can be used to minimise security breaches, these should include the policies and procedures identified in the teaching content. Through a group discussion, learners could discuss the security measures implemented by different organisations and compare their effectiveness as per the teaching content. 7

8 Be able to apply system security It is important that learners understand the need to test security measures and how the tests can be carried out. Learners should be asked to consider the different security threats and attacks that they have previously been taught and their associated security measures. They should then think about how these security measures could be tested. The learners should be given guidance on what constitutes a good test plan i.e. number of test, date of test, description of test, anticipated result of test, actual test result, issues that have occurred and the number of the re-test. Through a group discussion between the tutor and the class, a plan should be devised to secure a given network. This could be based on a type of organisation e.g. insurance company who will store information relating to their customers i.e. names, addresses, dates of birth, bank details etc. They could be given a template of a network security planning document to complete for the network. The learners will need to consider what documentation should be put into place to support the users who need to apply the procedures. This can include the network managers who have to put the security measures in place, to the staff who have to use login procedures etc. This again could be delivered by having an initial group discussion between the tutor and the learners about who may need documentation and why. The class could then work together in smaller groups to develop user documentation for the different personnel involved. Learners should be given a network system where they have to a) plan the security measures to be implemented using the appropriate documentation, b) devise user documentation so that the users can implement the security measures, c) develop a test plan to test the security of the network system after the security measures have been implemented. 8

9 Networked systems security Level 3 Unit 28 SUGGESTED ASSESSMENT SCENARIOS AND TASK PLUS GUIDANCE ON ASSESSING THE SUGGESTED TASKS It should be noted that the evidence for a number of assessment criteria could be provided in a single report but this is at the discretion of the tutor. Assessment Criteria P1 and M1 For P1, learners are required to describe how networks can be attacked. They must be able to provide at least one example of each of the types of threats from the teaching content, but can present more examples. Learners could produce a report or a presentation with detailed speaker notes. Alternatively learners could produce a table with appropriate headings. For merit criterion M1 learners must explain the reasons why networks can be attacked and present their findings. This could be an extension of their evidence for P1, explaining the type of threats and why these attacks are carried out. This could be an extension to the report produced for P1 or an extension to the presentation. If the learner used the table format for P1, they could produce a separate report or presentation. Assessment Criteria P2, M2 The learner could evidence P2 by creating a report, presentation with detailed speaker notes or a leaflet describing how networked systems can be protected. Learners may find it easier, if they give examples of different threats, as produced as evidence for P1, and then provide a description of how a network can be secured to prevent the attacks taking place. For merit criterion M2 learners must explain the types of security hardware and software which are used to protect networks. They could provide the information in a report, presentation with detailed speaker notes or in a table. The evidence should include at least three different types of security hardware and three different types of security software. Assessment Criteria P3, D1 P3 could be achieved through learners producing a report or presentation with detailed speaker notes explaining what an organisation can do to minimise security breaches in networked systems. Learners could be given a scenario for a particular type of organisation. For distinction criterion D1 learners must provide a comparison of the effectiveness of security measures used by organisations. They should compare organisations of different sizes and types in order to provide a comparison of the external and internal security functions, deterrent measures and preventative measures. They could provide this in a table format, a report or as a presentation with detailed speaker notes. Assessment Criteria P4, M3 and D2 P4 may be achieved by the learner producing a plan of the necessary security procedures required to protect the network of a given system. The evidence will be the plan. For merit criterion M3 learners must produce documentation that will enable the staff involved in the security of the IT system to implement the planned security measures. The documentation can be in either paper format, electronic, interactive presentation etc. Learners should ensure that the documentation is clear and easy to follow. For distinction criterion D2 learners must produce a test plan which can be used to test the security of the network. The test plan must be detailed and include the headings identified in the teaching content. Assessment Criterion P5 For P5, learners will need to configure a networked device or specialist software to improve the security of a network. Evidence could be presented in the form of annotated photos or screenshots supported by detailed assessor observation. SUGGESTED SCENARIOS Learners could be given a scenario for a particular type of organisation e.g. small travel agents who have 6 computers on a wired network linked to a server. The information stored on the server includes: names, addresses and telephone numbers of customers wishing to purchase a property as well as the vendors (people selling properties). All of the accounts information including the payroll is stored on the server. The computers are used by the accounts manager, the office manager, two admin assistants and two qualified estate agents who conduct valuations on properties. RESOURCES This unit requires that learners have access rights to the hardware and software of a network and also to any security components. They must be able to change and monitor security settings. The access to hardware and the opportunities to add or change components also requires that 9

10 learners have the necessary training in the Health and Safety aspects of working with live electronic equipment. Tutors will need to be experienced in all of these areas in order to train and support learners throughout the unit. Access to network systems is also important for learners to carry out security hardware and software configurations, and carry out the necessary learning activities for learning outcome 4. Learners may require internet access to conduct research on real life security breaches. 10

11 Networked systems security Level 3 Unit 28 MAPPING WITHIN THE QUALIFICATION TO THE OTHER UNITS Unit 1 - Communication and employability skills for IT Unit 4 - Managing networks Unit 5 - Organisational systems security Unit 7 - Computer networks LINKS TO NOS 6.2 IT Security Management 6.3 IT Disaster Recovery 11

12 CONTACT US Staff at the OCR Customer Contact Centre are available to take your call between 8am and 5.30pm, Monday to Friday. We re always delighted to answer questions and give advice. Telephone