Level 3 Technical Level IT: CYBER SECURITY J/507/6435 Unit 6 Network and cyber security administration Mark scheme

Rating
-
Sold
-
Pages
23
Grade
A+
Uploaded on
12-04-2023
Written in
2022/2023

Level 3 Technical Level IT: CYBER SECURITY J/507/6435
Unit 6 Network and cyber security administration
Mark scheme
June 2019
Version: 1.0 Final
*196AJ/MS*

Mark schemes are prepared by the Lead Assessment Writer and considered, together with the relevant questions, by a panel of subject teachers. This mark scheme includes any amendments made at the standardisation events which all associates participate in and is the scheme which was used by them in this examination. The standardisation process ensures that the mark scheme covers the students’ responses to questions and that every associate understands and applies it in the same correct way. As preparation for standardisation each associate analyses a number of students’ scripts. Alternative answers not already covered by the mark scheme are discussed and legislated for. If, after the standardisation process, associates encounter unusual answers which have not been raised they are required to refer these to the Lead Examiner.

It must be stressed that a mark scheme is a working document, in many cases further developed and expanded on the basis of students’ reactions to a particular paper. Assumptions about future mark schemes on the basis of one year’s document should be avoided; whilst the guiding principles of assessment remain constant, details will change, depending on the content of a particular examination paper.

Further copies of this mark scheme are available from

Copyright information
For confidentiality purposes acknowledgements of third-party copyright material are published in a separate booklet which is available for free download from after the live examination series.
Copyright © 2019 AQA and its licensors. All rights reserved.

Level of response marking instructions
Level of response mark schemes are broken down into levels, each of which has a descriptor. The descriptor for the level shows the average performance for the level. There are marks in each level.

Before you apply the mark scheme to a student’s answer read through the answer and annotate it (as instructed) to show the qualities that are being looked for. You can then apply the mark scheme.

Step 1 Determine a level
Start at the lowest level of the mark scheme and use it as a ladder to see whether the answer meets the descriptor for that level. The descriptor for the level indicates the different qualities that might be seen in the student’s answer for that level. If it meets the lowest level then go to the next one and decide if it meets this level, and so on, until you have a match between the level descriptor and the answer. With practice and familiarity you will find that for better answers you will be able to quickly skip through the lower levels of the mark scheme.

When assigning a level you should look at the overall quality of the answer and not look to pick holes in small and specific parts of the answer where the student has not performed quite as well as the rest. If the answer covers different aspects of different levels of the mark scheme you should use a best fit approach for defining the level and then use the variability of the response to help decide the mark within the level, ie if the response is predominantly level 3 with a small amount of level 4 material it would be placed in level 3 but be awarded a mark near the top of the level because of the level 4 content.

Step 2 Determine a mark
Once you have assigned a level you need to decide on the mark. The descriptors on how to allocate marks can help with this. The exemplar materials used during standardisation will help. There will be an answer in the standardising materials which will correspond with each level of the mark scheme. This answer will have been awarded a mark by the Lead Examiner. You can compare the student’s answer with the example to determine if it is the same standard, better or worse than the example.
You can then use this to allocate a mark for the answer based on the Lead Examiner’s mark on the example. You may well need to read back through the answer as you apply the mark scheme to clarify points and assure yourself that the level and the mark are appropriate.

Indicative content in the mark scheme is provided as a guide for examiners. It is not intended to be exhaustive and you must credit other valid points. Students do not have to cover all of the points mentioned in the Indicative content to reach the highest level of the mark scheme. An answer which contains nothing of relevance to the question must be awarded no marks.

The following annotation is used in the mark scheme:
; - means a single mark
// - means alternative response
/ - means an alternative word or sub-phrase
A. - means acceptable creditworthy answer
R. - means reject answer as not creditworthy
NE. - means not enough
I. - means ignore
DPT. - in some questions a specific error made by a candidate, if repeated, could result in the candidate failing to gain more than one mark. The DPT label indicates that this mistake should only result in a candidate failing to gain one mark on the first occasion that the error is made. Provided that the answer remains understandable, subsequent marks should be awarded as if the error was not being repeated.

Question / Guidance / Mark

01 (1 mark)
Mark is for AO2
control over personal data.
R. more than one box ticked

02 (1 mark)
Mark is for AO4
information security management system (ISMS).
R. more than one box ticked

03 (1 mark)
Mark is for AO6
store a recent copy of the source data.
R. more than one box ticked

04 (1 mark)
Mark is for AO7
Nessus
R. more than one box ticked

05 (1 mark)
Mark is for AO4
Electromagnetic radiation
R. more than one box ticked

06.1 (2 marks)
2 marks for AO5
Maximum of 2 from:
https (although certificate could still have expired);
SSL/security certificate;
padlock symbol/security status;
secured and verified badge;
URL scanning // vulnerability scan // conduct a penetration test;
A. Any other creditable answer

06.2 (1 mark)
Mark is for AO5
Maximum of 1 from:
encryption/visibility of data exchanged // security of data, eg protection of credit card details;
reputation // avoid browser alerts;
secure authentication;
improves Google ranking;
A. Any other creditable answer

07 (3 marks)
3 marks for AO7
Example answer:
attempting to penetrate a system or network;
by determining its weaknesses and vulnerabilities;
in a legitimate/licensed/legal manner;
Maximum of 3 from:
• using same tools as malicious hacker/cracker (but in legitimate manner);
• identifying vulnerabilities a malicious hacker could exploit;
• determining how to minimise risk/improve overall security / prevent them from being exploited by malicious hackers // to assess the security posture (eg for a client);
• perhaps using information provided by the client (eg system, objectives);
• an example of penetration testing (eg intrusion testing, red teaming);
• an expansion point on any of the above;
A. Any other creditable answer

08 (2 marks)
2 marks for AO6
• an appropriate method eg cloud storage, hard drive, a replica of data maintained at another facility (and kept in sync with the primary copy);
• a valid justification, eg: cloud storage allows instant access to data for recovery; cloud storage can be recovered to any location with Internet access; the replica of data can be kept in sync with the primary copy // using a SAN in each location with the ability to maintain the mirror (eg NetApp using SnapMirror) // the replica could be made writeable in a DR event;

09 (3 marks)
3 marks for AO1
(control over) multiple compromised/infected systems // many different sources;
(is) used to target/flood/send requests to a single system;
Maximum of 1 from:
• (by flooding the system with requests) the system slows down / is taken down completely // the cumulative effect of all these endpoints hitting a target system can be enough to overwhelm its resources;
• the cumulative effect effectively makes the system unreachable for valid users;
• the hacker controls the end system and all contributing systems;
• it is difficult to distinguish legitimate traffic from attack traffic (and so is difficult to stop);
• example of type, eg traffic/bandwidth/application Trojan attack;
• largest DDoS attacks have caused over 100Tbps of traffic to reach a target;
A. Any other creditable answer

10.1 (3 marks)
3 marks for AO2
Maximum of 3 from:
Example answers:
Traffic sent over a network may not use secure/encrypted protocols / is susceptible to being intercepted/altered by an attacker;
a VPN sends all traffic destined to a particular system/s through an encrypted tunnel;
this prevents the traffic being intercepted;
VPNs use a combination of dedicated connections and encryption protocols;
to generate virtual P2P connections;
even if hackers obtained the data it would be difficult to obtain because of the encryption;
• (more) secure/private connections // allows secure access to a private network;
• as communication is encrypted;
• this makes it harder to intercept your communication / packets etc;
• VPNs enable users to send and receive data across shared / public networks as if their device was directly connected to the private network;
• protocols such as IPSec increase security; and can be combined with other protocols to further increase the level of security;
• a VPN hides your IP address; making it more difficult for others to track your activity;
A. Any other creditable answer

10.2 (3 marks)
3 marks for AO2
Maximum of 3 from statements that make valid reference to any of the following:
• unauthorised users;
• password control;
• dual tunnelling not permitted // only one channel allowed;
• management responsibilities;
• requirement to keep device up-to-date (OS, antivirus etc);
• inactivity period;
• hours of operation;
• legal clauses // applicable policies/jurisdiction/usage restrictions;
• restriction to current employees;
• (devices which are not college-owned) must be configured to comply with all college security / network policies;
• virus protection on connected devices;
Examples:
VPN software must only be installed on approved college endpoints;
Authentication to the VPN must use multi-factor authentication;
All access to college systems must be via the VPN software;
A. Any other creditable answer

11 (2 marks)
2 marks for AO5
Maximum of 2 from:
MAC:
• access to resource objects (files, devices) is controlled by the operating system/administrator;
• based on system administrator configured settings;
• users cannot change access control;
• allows administrators to implement security policies across the whole organisation;
DAC:
• each user controls access to their own data // the control can be in the hands of the individual/object owner;
• a user can only set access permissions for resources which they already own;
R. Max 1 mark if no contrasting point/difference
A. Any other creditable answer

12.1 (3 marks)
3 marks for AO3
Maximum of 3 from:
• which ports are open / the state of ports;
• which ports are listening/receiving information;
• which computers/systems/MAC addresses are active;
• weak points of access;
• the presence of security devices, eg firewalls (fingerprinting);
• IP addresses of systems that are identified;
• open/closed/filtered ports on those systems (eg TCP port number);
• operating system detection using TCP/IP stack fingerprinting;
A. Any other creditable answer

12.2 (3 marks)
3 marks for AO3
Maximum of 3 from:
used to capture / inspect / analyse / log;
signals / data traffic over a communication channel;
a common use is by network administrators in order to troubleshoot applications;
by examining the network traffic they generate;
A. Different wording with similar meaning
A. Any other creditable answer

12.3 (2 marks)
2 marks for AO3
Maximum of 2 from:
• firewall;
• intrusion detection system;
• vulnerability scanner;
• honeypot/honeynet;
• banner grabber;
• syslog monitoring // event log;
• SIEM;
A. Any other creditable answer
A. proprietary names

13 (6 marks)
6 marks for AO3 / AO5
a valid precautionary measure;;;
a relevant expansion point;;;
Examples:
Insist that the device must be enrolled within a Mobile Device Management system; in order to be able to assign policy to a device and check its health;
Create a policy and ensure that employees have seen/agreed to the terms before they can use a personal device; This policy might include terms of use and also clarify risks (eg potential for devices to be wiped or seized by law enforcement as part of investigations);
Establish the technical controls that will be implemented on personally owned devices; eg password/PIN / screen lock / minimum OS/patch level;
• assessment of hardware and software vulnerabilities / virus presence/risk;
• acceptable use policy, eg misuse/acceptable use of employee hardware and software;
• extent of access rights // data/file permissions;
• separation of personal and company data; method of connecting to the company network, eg stipulate VPN access from home; security of data;
• strong authentication methods; so only authorised users can connect easily;
• assess compliance with GDPR and other legislation; eg allow for remote wiping to secure breached data;
• outline consequences to employee, eg reputational damage from data loss / financial repercussions from security breaches;
• review security policies; to take account of the fact that the organisation no longer owns the devices / assess new risks involved.
R. Similar expansion points
A. Any other creditable answer.

14 (6 marks)
6 marks for AO5 / AO7
Maximum of 6 marks overall.
Maximum of 4 from (types of information):
• personal details with example;
• details of family/relationships/colleagues/competitors;
• social connections;
• job titles;
• details of software that the company might run (and therefore could be targeted);
• political or other opinions/affiliations;
• court records;
• professional licences/registrations/memberships;
• geolocation;
• metadata, eg from images/photos;
Maximum of 4 from (where you would find it):
• social media;
• BTL comments;
• forums;
• CVs uploaded publicly/to job sites (which identifies the software the employee is experienced with and which company);
• publicly available sources / websites / company websites;
• archived or stored information;
• hidden content;
• reverse look-ups;
• DNS tracking;
• unpublished directories/files/servers;
• phishing attack; such as an email that appears to be from a trusted source;
• socially engineer by contacting individuals at the company directly / through a switchboard / IT support (pretending to be employees);
• theft of identification documents;
• expansion point;;
A. Any other creditable answer.

15 (6 marks)
6 marks for AO8
For each process objective: 1 mark for each point or expansion point up to a maximum of 2 marks.
One or more process objectives from the following categories:
Strategy Management for IT Services
Process Objective: To assess the service provider's offerings, capabilities, competitors as well as current and potential market spaces in order to develop a strategy to serve customers. Once the strategy has been defined, Strategy Management for IT Services is also responsible for ensuring the implementation of the strategy.
Service Portfolio Management
Process Objective: To manage the service portfolio. Service Portfolio Management ensures that the service provider has the right mix of services to meet required business outcomes at an appropriate level of investment.
Business Relationship Management
Process Objective: To maintain a positive relationship with customers. Business Relationship Management identifies the needs of existing and potential customers and ensures that appropriate services are developed to meet those needs.

16.1 (12 marks)
12 marks for AO2
Mark using the levels of response table and the indicative content on the following page.

Level | Description | Mark Range
4 | A discussion which includes a range of relevant threats to company data and shows a clear understanding of a range of measures focused on how to counter the threats in the context of wireless communication. | 10–12
3 | A discussion which includes relevant threats to company data and shows some understanding of a range of measures with some focus on how to counter the threats mostly in the context of wireless communication. | 7–9
2 | A discussion which includes threats (to data) and shows general understanding of two or three measures which might counter the threats; some in the context of wireless communication. or Lists relevant threats (to data) and includes some appropriate measures with some valid points on how to counter these threats mostly in the context of wireless communication though with limited discussion. | 4–6
1 | Lists general threats (to data) and gives one or two measures which could be used to counter these threats; or Lists some appropriate measures; | 1–3
0 | No creditworthy material | 0

Indicative content:
• the changing use of devices, eg wireless instead of physical access to building network introduces risks (anyone within signal reach)
• purpose and scope of the policy
• controls to ensure that suitable security is in place (might supplement or even replace user policy, ie leave users free to work without understanding much of the technical detail)
• the required security standards for wireless devices
• approved devices; the types of devices that the policy applies to
• roles and responsibilities, eg the body responsible for enforcing standards, responsibilities to employee, employee responsibilities to body
• compliance and exemptions
• authentication and encryption
• registration of access points
• allocation of channels, policies on avoiding interference
• SSID identification (eg don’t identify the organisation)
• use a VPN
• use mobile phone data rather than public Wi-Fi
• turn off Wi-Fi in public areas, eg to prevent accidental connection
• limit type of data sent, eg credit card information, confidential documents
• disable sharing
• keep device protected/updated.
Examples of threats:
• interception
• sniff traffic off the airwaves (if network not appropriately secured)
• connecting through a malicious hotspot
• connecting through an unsecured/unencrypted connection
• networks using WPA-PSK are insecure since all users typically share the same pre-shared key and are therefore in a position to decrypt the traffic of other users
• 3G encryption between the mobile device and the base station is trivially easy to defeat
• man-in-the-middle attack
• malware, eg while file sharing enabled
• unauthorised access.
Specific measures:
• Implement WPA2 Enterprise, with 802.1x to authenticate devices to the network using certificates. Ensure all APs have such security in place.
• Ensure that new physical sites have wireless surveys conducted to provide adequate signal coverage whilst limiting signal leakage beyond the building boundaries.
• Consider directional antennae to direct the signal away from boundaries.
• Include rogue access point detection as part of initial site audit, and as an ongoing measure to ensure that only expected APs are operating within the buildings.
• This helps to ensure that employees are not deploying their own APs and connecting them to the network to bypass firm policies, or that a malicious attacker has not done the same.
• Insist on the use of a VPN when using external networks (home/public Wi-Fi etc) to prevent the interception of traffic.

16.2 (3 marks)
3 marks for AO5
Maximum of 3 from:
• hide/stop broadcasting SSID;
• change default network ID;
• WPA/WPA2 // use encryption;
• implement WPA2 Enterprise and authenticate users using a secure method such as certificates;
• use a firewall;
• change default router settings;
• MAC authentication / filtering;
• strong passwords;
• separate wireless network for visitors;
• using VPN / tunnelling protocols;
an expansion point on one of the above;
A. Any other creditable answer

17 (15 marks)
15 marks for AO1
Mark using the levels of response table and the indicative content on the following page.

Level | Description | Mark Range
5 | A discussion which shows clear understanding of the reasons with even and perceptive coverage of the bullet points (the first three) framed in a public/political context. The methods that could be used in a cyber-attack are clearly understood. | 12–15
4 | A discussion which shows understanding of the reasons with even coverage of the bullet points, with most of the first three framed in a public/political context. The methods that could be used in a cyber-attack are understood. | 10–12
3 | A discussion which shows some understanding of the reasons with coverage of the bullet points developed in some areas, some of which relates to a public/political context. There is some understanding of the methods that could be used in a cyber-attack. | 7–9
2 | An attempt to discuss which shows general understanding of the reasons and some of the bullet points, some of which relates to a public/political context. There is some reference to the methods that could be used in a cyber-attack. or Lists some appropriate reasons and addresses some of the bullet points, with some reference to a public/political context. There is some reference to the methods that could be used in a cyber-attack. | 4–6
1 | General understanding of the reasons with some attempt to address the bullet points, not always in context. or Lists reasons for a cyber-attack in a public/political context. | 1–3
0 | No creditworthy material | 0

Indicative content:
Perpetrators:
• (Foreign) governments / intelligence services
• Cyber criminals/hacking groups/collectives
• Individual hackers eg WannaCry, either alone or on behalf of others
• Industrial competitors
• Hacktivists
• Terrorists
• Current/former employees // contractors with access to system/buildings
Potential targets:
• Banks, HMRC, government departments
• Defence contractors
• Power facilities
• Vulnerable systems
Objectives, rewards/consequences:
Degrade, disrupt, impair or deny service. Compromise security/stability:
• undermine trust
• commercial advantage
• financial gain, eg fraud or sale of valuable information, ransom payments in Bitcoin
• intellectual/reputational gain
• inflict reputational/political damage
• promote fear, confusion, uncertainty, chaos
• cyber terrorism
• derail military efforts, eg Stuxnet attack on Iranian uranium enrichment.
Economic or diplomatic advantage including:
• paralyse financial systems
• impede media communications
• gather intelligence through data theft
• national security (espionage)
• competitive advantage/steal secrets.
Virtual protest/political statement including:
• agitation campaigns
• hacktivist
• public shaming
• warfare; ‘Casus belli’.
Methods:
• Malware, eg Stuxnet
• Ransomware
• Phishing
• Denial of Service (DoS)
• Password attacks
• Drive-by downloads
• Man-in-the-middle (MITM)
• Backdoor
• Exploiting known weaknesses, eg unsupported or unpatched systems/software.

Assessment Outcomes by question

Question | AO1 | AO2 | AO3 | AO4 | AO5 | AO6 | AO7 | AO8 | TOTAL
SECTION A
1 | | 2b (1) | | | | | | | 1
2 | | | | 4a (1) | | | | | 1
3 | | | | | | 6c (1) | | | 1
4 | | | | | | | 7d (1) | | 1
5 | | | | 4b (1) | | | | | 1
6.1 | | | | | 5b (2) | | | | 2
6.2 | | | | | 5b (1) | | | | 1
7 | | | | | | | 7c (3) | | 3
8 | | | | | | 6c (2) | | | 2
9 | 1a (3) | | | | | | | | 3
10.1 | | 2c (3) | | | | | | | 3
10.2 | | 2c (3) | | | | | | | 3
11 | | | | | 5b (2) | | | | 2
12.1 | | | 3f (3) | | | | | | 3
12.2 | | | 3f (3) | | | | | | 3
12.3 | | | 3f (2) | | | | | | 2
13 | | 2c (3) | | | 5b (3) | | | | 6
14 | | | | | 5a (1) | | 7b (5) | | 6
15 | | | | | | | | 8a (6) | 6
Total A | 3 | 7 | 11 | 2 | 9 | 3 | 9 | 6 | 50
SECTION B
16.1 | | 2a (12) | | | | | | | 12
16.2 | | | | | 5b (3) | | | | 3
17 | 1abc (15) | | | | | | | | 15
Total B | 15 | 12 | 0 | 0 | 3 | 0 | 0 | 0 | 30
Total A+B | 18 | 19 | 11 | 2 | 12 | 3 | 9 | 6 | 80


Type
Exam
Contains
Questions and answers
