UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
COURSEWORK ASSIGNMENT
Module Title: Computer Systems Security Module Code: 6COM1033
Assignment Title: Assignment 3 – Testing the
Individual Assignment - Yes
security of a computer system
Tutor: Gani Nashi Internal Moderator: Eric Chiejina
Student ID Number ONLY: Year Code:
Marks Awarded %: Marks Awarded after Lateness Penalty applied %:
Penalties for Late Submissions
Late submission of any item of coursework for each day or part thereof (or for hard copy submission
only, working day or part thereof) for up to five days after the published deadline, coursework relating
to modules at Levels 0, 4, 5, 6 submitted late (including deferred coursework, but with the exception
of referred coursework), will have the numeric grade reduced by 10 grade points until or unless the
numeric grade reaches or is 40. Where the numeric grade awarded for the assessment is less than
40, no lateness penalty will be applied.
Late submission of referred coursework will automatically be awarded a grade of zero (0).
Coursework (including deferred coursework) submitted later than five days (five working days in the
case of hard copy submission) after the published deadline will be awarded a grade of zero (0).
Where genuine serious adverse circumstances apply, you may apply for an extension to the hand-in
date, provided the extension is requested a reasonable period in advance of the deadline.
Please refer to your student handbook for details about the grading schemes used by the School when
assessing your work. Guidance on assessment will also be given in the Module Guide.
Guidance on avoiding academic assessment offences such as plagiarism and collusion is given at this
URL: http://www.studynet.herts.ac.uk/ptl/common/LIS.nsf/lis/citing_menu
ASSIGNMENT BRIEF
Page 1 of 4
�UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
Students, you should delete this section before submitting your work.
This Assignment assesses the following module Learning Outcomes (Take these from the module
DMD):
Knowledge and understanding of:
3. computer systems risks, vulnerabilities, threats analysis, and software security,
Skills and Attributes:
Students will develop the ability to:
1. apply particular computer security techniques to analysis and testing
2. analyse and solve problems in secure systems design and implementation
3. achieve familiarity with methods of secure systems development and to exercise critical evaluation
of information accessed from a wide variety of sources
Assignment Brief:
This is an individual assessment, which carries 50% of the overall module mark. The task will assess your
your ability to conduct a full-scale penetration test on a Linux based system. You will follow the plan that
you made in Assignment 2, going through the steps of the pen test. Considering that the goal of the pen
test is to find security vulnerabilities and to explain to a client how to mitigate them, you will write a detailed
technical report of the practical work that you have done. It is important to write notes and take
screenshots while you do the practical work.
All academic reports that you write as part of your coursework assessments are in fact technical reports,
and as such the following report structure is expected:
1. A professional title page
2. A Contents page with page numbers, and also numbers for each section or subsection
3. A professional layout of the whole report, with numbered sections and subsections headings,
and indentation for subsections as well
4. An Introduction (which obviously will be numbered as 1.0), where you will introduce the pen
test scope and goal.
5. Main Body, where you will report on the actual attack on the system (attack narrative), the
vulnerabilities, exploits, and the mitigation measures. You will draw conclusions as you
analyse.
6. Conclusions and evaluation section, where you summarise the conclusions previously drawn,
evaluate those conclusions, make recommendations, and draw lessons for the future
7. References, aim for an average of 12-15 references for the report, in Harvard format
8. Appendixes
You are expected to demonstrate an insight into the implications of the problem introduced in the task by
using clear and concise arguments. The reports should be well written (and word-processed), showing
good skills in creativity and design. Sentences should be of an appropriate length and the writing style
should be brief but informative.
During the teaching weeks you will carry out the practical work in the Cybersecurity labs, or using the pen
test rig set up on your own PC or laptop.
The deadline for the completion of the practical work is the 20.12.2021.
The deadline for the finalised Pen Test Report is the 09/01/2022
IMPORTANT NOTE - the time from the 20th of December 2021, until the 9th of January 2022 is to
finalise the draft report that you will write while doing the practical work. The final deadline does
not mean that you will start the report after the 20th of December. The writing of the report must be
done in parallel with the practical work.
The Assignment Task – Penetration Test
As stated above, the Assignment 3 is weighted at 50% of the overall module mark. It should take you
Page 2 of 4
�UNIVERSITYOF HERTFORDSHIRE
School of Physics, Engineering and Computer Science
approximately 30 hours to complete. It is expected that the report for this task will be in the region of 1500
- 2000 words, plus the appendices. You are expected to conduct a penetration test against a target
system (Linux based) that will be provided to you (the IP address of the target will be provided for every
individual student by the 20th of November 2021). You are required to present your findings in a factual
manner based on the scenario “to advise and convince decision makers of a large corporation on system
security strategies”. The target system will be accessible via the infrastructure in the Cybersecurity Lab
through the VPN connection. You will also be able to use the computers in the Cybersecurity Lab for this
purpose, during your timetabled hours. During the module, you will also receive instructions on how to
setup the same PenTest virtual lab in your home computer or laptop, in order to be able to complete your
work remotely, through the VPN connection. Everyone will get a dedicated target which will be a clone of
the same VM.
Overall Report Conclusion and Reflection
The overall report conclusions offer your reflection on the undertaken activities and the encountered
problems carrying 5% of the overall report mark.
The FINAL deadline for Assignment 3 Pen testing report is on the 09.01.2022 by electronic submission via
StudyNet.
CW 3, Assessment Criteria Mark out of 100%
Attack Narrative – in the format of an 30
executive summary, detailing the risk
assessments of four found vulnerabilities
Vulnerability Exploits & Mitigation method – an 40
explanation of the exploits, and the mitigation
methods of four vulnerabilities (10 marks
each)
Report Structure and technical writing skills 20
Overall Conclusions and Reflections 10
Total 100
Please note you are not required to provide an activity narrative (a narrative on your intelligence gathering
activities). You are required to provide an attack narrative detailing four found vulnerabilities, from the
risks point of view (the target scanning and four vulnerabilities). During the narrative, you will have to
explain your reasoning behind the attack vector (supported by the findings of the scanning phase), the
vulnerabilities that you have chosen to report, linking them to the risks and threats they pose to the “client
organization”.
This will lead you to the next section - vulnerability exploits and mitigation methods for each
vulnerability in the attack narrative. This section is your most important one, as it can be seen by the 40
marks associated with it.
Submission Requirements:
You are required to take and submit the coursework via StudyNet before the deadline.
Please make a note of the following date on your calendars.
Task – Assignment 3 Date
Availability of the target system 20/11/2021 – 20/12/2021
Final Deadline (including pen test report) 09/01/2022
You are expected to unify everything into one report. The final report is an academic report and as such
the following report structure is expected:
1. Introduction: up to 250 words, where you will discuss your methodology in approaching the
assignment.
2. Attack Narrative of four found vulnerabilities (research is required about the risks associated
with each vulnerability)
3. Vulnerability Exploit and Mitigation – detailing four exploits of vulnerabilities that were found
and the mitigation methods (research is required here about the vulnerability mitigation
methods)
4. Overall Conclusions - up to 250 words, where you will comment on the undertaken activities
Page 3 of 4
�UNIVERSITYOF
Crite Fail (< 40) HERTFORDSHIRE
Pass (40 – 49) Reasonable (50 – Good (60 – 69) Excellent (70 - 79) Outstanding
School of Physics, Engineering
ria 59) and Computer Science (80+)
CW3 Very limited Satisfactory Good explanation Report provides a Excellent technical High academic
attack explanation of the of the attacks very good analysis report overall. learning ability
5.explanation.
References:
No attacks one
against fused reference list in Harvard
against the target of the targetformat.
VM The vulnerabilities achieved with
6.technical terms
Appendices the target VM. VM. The issues that leads to have been identified outstanding
have been used The security of explanations comprehensive and exploited level of
in the the target system demonstrate recommendations demonstrating understanding
You are required
explanations of to has
submit
been the final good
reportuse via
of StudyNet aboutin a PDF or Word
possible format,
excellent level ofincluding
of theyour
variousstudent
number in the filename.
vulnerabilities This
evaluated in ais imperative
technical as the naming
terms. template
solutions. The willskills.
be used for corroborating
target VM what you
claimand
in your reports
exploits. with the log files
No satisfactory your PenTest security
Four activities will generate.
assessment The target system vulnerabilities,
vulnerability manner. Four vulnerabilities of the target system has been attacked demonstrating
identification, vulnerabilities have been has been done at a with purpose, and professionalism This
or very limited have been identified and very good level. the technical report and
work n that identified but no some Very few errors. demonstrates an methodological
aspect. Very detailed risk recommendations Very good writing excellent level of thinking in
week report assessment and regarding risk skills and the security evaluation, conducting the
structure. Lack mitigation. Report assessment and technical report is in including a risk security
of originality. structure and mitigation are general very good. assessment for assessment of a
writing level is given. Good level vulnerabilities, and target system.
satisfactory. of writing skills. their mitigation.
assignment is worth 50% of the overall assessment for this module.
Marks awarded for:
A note to the Students:
1. For undergraduate modules, a score above 40% represent a pass performance at honours level.
2. For postgraduate modules, a score of 50% or above represents a pass mark.
3. Modules may have several components of assessment and may require a pass in all elements.
For further details, please consult the relevant Module Guide or ask the Module Leader.
Typical (hours) required by the student(s) to complete the assignment: 35 hours
Date Work handed out: Date Work to be handed in: Target Date for the return of
the marked assignment:
19/11/2021 09/01/2022
02/02/2022
Type of Feedback to be given for this assignment:
Summative feedback will be given for the assignment on StudyNet, on the submission area within four weeks after
you have completed the assignment and have submitted the evidence of assignment completion on
StudyNet.
Page 4 of 4
