Reference no: EM133926231, Length: word count: 2000
Assessment - CORAS Risk Assessment on SIM Porting Scenario
LO 1: Describe key terms and concepts in cybersecurity, cyber law, intellectual property and cybercrime.
LO 2: Analyse approaches to network security, firewalls, intrusion-detection systems and intrusion prevention systems.
LO 3: Formulate approaches for incident analysis, risk management in cyberspace and incident response.
Purpose
In this assessment you will use the CORAS approach to risk analysis on a provided case study.
Task details
Read the provided case study and, using the CORAS approach to risk analysis, identify and model applicable risks.
Instructions
Referring to the following case study and the resources provided below (e.g. the paper, CORAS and Risk Assessment reading materials), use the CORAS risk assessment methodology to identify and model applicable risks using asset, threat, risk, treatment and treatment overview diagrams.
Overview
This assessment requires you to apply the CORAS risk assessment methodology to a realistic case study. The case study concerns a home-based microenterprise (for example, a home-based online business) that becomes the victim of a SIM porting (SIM swap) attack. A SIM porting attack occurs when an adversary convinces a telecommunications provider to transfer the victim's mobile phone number to a SIM card under the adversary's control. Once the attacker controls the number, they can intercept SMS one-time passwords, reset account credentials and potentially drain financial accounts. Your task is to identify what is valuable to the business (Assets), analyse how such an attack unfolds (Threats), estimate the associated risks (unwanted incidents) and propose treatments (risk controls).
What you must deliver
Your submission must be a single PDF of approximately 2,000 words (±10%; diagrams, tables, figure captions, and the reference list are excluded from this word count) containing the following sections. Use the accompanying Template.tex (or its PDF rendition) as the structure and complete each section with your analysis and figures.
Cover page. Include the title, subject code, your name, student number, the submission date, and the word count.
Executive summary. Provide a concise, one-paragraph summary of the scenario, the highest-priority risks, and your key recommended treatments.
Introduction. Include:
Problem Statement (business background and the SIM-porting incident),
Purpose & Objectives (why CORAS; what you will analyse and deliver),
Target Description & Views (the analysis goals, the specific target(s) in use, e.g. mobile number, storefront, cloud services, and the business/organisation viewpoint on why these are critical),
Scope (what is in/out of scope and why), and
Methodology & Standards (CORAS plus any standards/guidance you will reference; tools used to draw diagrams).
Stakeholder and viewpoint analysis. Identify all relevant parties (e.g. business owners, telecommunications provider, cloud providers, customers, regulators) and describe their interests/priorities. Use a table to capture role and priority.
Asset identification and valuation. Create a table listing the business assets relevant to the scenario. Assign relative values for confidentiality, integrity, and availability, and rank the assets by importance. Briefly justify why each asset matters. (These rankings will feed into the TVA matrix.)
Asset diagram. Draw a CORAS asset diagram showing assets, parties, and their relationships. Highlight the most critical assets.
High-level threat identification. Summarise the main threat agents, unwanted incidents, and vulnerabilities relevant to SIM porting. Keep this high-level (save detail for the threat diagram).
Detailed CORAS threat diagram. Produce a detailed threat diagram showing the paths an attacker might take, the vulnerabilities exploited, and the resulting unwanted incidents. Include at least two paths (e.g. social engineering, insider misuse, IoT pivot). Use CORAS notation and annotate likelihoods where appropriate.
Risk analysis. Define your risk function and evaluation metrics (likelihood and impact scales) and justify them with credible sources. Build a Threat-Vulnerability-Asset (TVA) ranking matrix, and explain how the TVA rankings inform placement in the risk matrix.
Risk evaluation and prioritisation. Using the TVA matrix and the risk matrix, rank the risks, state which are acceptable and which require treatment, and justify the acceptance criteria.
Risk treatment planning. For each unacceptable risk, select an option (avoid, mitigate, transfer, or accept) and propose one or more controls with short justification (cost, feasibility, residual risk). Include a CORAS risk-treatment diagram linking risks to controls.
Conclusions and recommendations. Summarise the key findings and highlight quick wins versus longer-term improvements. Ensure recommendations align with business objectives and the regulatory environment.
References. Provide a reference list in APA 7th edition. Cite all external sources used (e.g. official guidance on SIM-swap/port-out prevention). Do not rely solely on lecture notes.
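To make the risk analysis and risk evaluation sections concrete, here is an added worked example (not part of the assessment brief or the CORAS tooling) of a simple risk function: a likelihood x impact score, weighted by the asset's CIA valuation to give a TVA rank, and compared against an acceptance threshold. The 5-point scales, asset values, likelihoods and the threshold are constructed assumptions; your own report must define and justify its scales from credible sources.

```python
from dataclasses import dataclass

# Assumed 5-point ordinal scales (constructed for illustration).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
ACCEPT_MAX = 6  # assumed acceptance criterion: likelihood x impact <= 6 is acceptable


@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # confidentiality value, 1-5
    i: int  # integrity value, 1-5
    a: int  # availability value, 1-5

    def value(self) -> int:
        # Assumed valuation rule: an asset is worth its most critical property.
        return max(self.c, self.i, self.a)


@dataclass(frozen=True)
class Risk:
    incident: str   # CORAS unwanted incident
    asset: Asset    # asset harmed by the incident
    likelihood: str
    impact: str

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def tva_rank(self) -> int:
        # TVA ranking: raw risk score weighted by the asset's valuation.
        return self.score() * self.asset.value()


def evaluate(risks):
    """Return (incident, TVA rank, decision) tuples, highest rank first."""
    ranked = sorted(risks, key=lambda r: (r.tva_rank(), r.score()), reverse=True)
    return [(r.incident, r.tva_rank(), "accept" if r.score() <= ACCEPT_MAX else "treat")
            for r in ranked]


# Constructed sample assets and unwanted incidents from the SIM-porting scenario.
MOBILE_NUMBER = Asset("mobile number (SMS OTP channel)", c=4, i=5, a=5)
STOREFRONT = Asset("online storefront", c=3, i=4, a=5)
CLOUD = Asset("cloud services / customer data", c=5, i=4, a=3)

SAMPLE_RISKS = [
    Risk("SMS one-time passwords intercepted", MOBILE_NUMBER, "possible", "major"),
    Risk("financial accounts drained after credential reset", CLOUD, "unlikely", "catastrophic"),
    Risk("storefront outage while number is recovered", STOREFRONT, "possible", "moderate"),
    Risk("customer notification delayed", STOREFRONT, "possible", "minor"),
]

if __name__ == "__main__":
    for incident, rank, decision in evaluate(SAMPLE_RISKS):
        print(f"{rank:3d}  {decision:6s}  {incident}")
```

The ordered output is the input to the risk matrix: risks marked "treat" each need an option (avoid, mitigate, transfer, accept) and a control in the treatment section.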
Hints and guidance
Draw from credible sources. Consult reports from regulators (e.g. ACMA, CISA), industry bodies (e.g. FINRA) and reputable news articles for statistics on SIM porting fraud. Use these sources to justify your likelihood estimates and control recommendations.
Avoid providing solutions in the introduction. The introduction should set up the scenario and explain why a risk assessment is needed, not present your treatments. Save detailed controls for the risk treatment section.
Use the CORAS language. CORAS diagrams have specific symbols (e.g. stick figures for threat agents, ellipses for vulnerabilities, triangles for unwanted incidents, money bags for assets).