THE INSTITUTE OF FINANCE MANAGEMENT

FACULTY OF BUSINESS AND ECONOMICS (FBE)

BACHELOR IN ACCOUNTING WITH INFORMATION TECHNOLOGY

COURSE: INFORMATION SYSTEM SECURITY AND RISK

MANAGEMENT

CODE ITU 08115

STREAM C,

YEAR THREE

ACADEMIC 2024/2025S

NATURE OF WORK: INDIVIDUAL ASSIGNMENT

NAME: ERICK EZEKIEL GADIGA

REG, NUMBER: IMC/BAIT/2224396

EXPLANATION LETTER FOR THE REASON OF FAILURE OF THE
ASSIGNMENT.

Subject: Explanation for Assignment Performance and Request for a Second Chance

Dear Sir,

I hope this message finds you well. I am writing to address the concerns you raised regarding
the recent assignment, and to provide some reason for my poor performance.

Firstly, I would like to acknowledge your observation that some of us, myself included, may
have underestimated the importance of the assignment. In my case, this was an unfortunate
misjudgement on my part. While we did submit our work as a group, I understand that the
content was insufficient and lacked the depth you expected.

In addition to this, I must admit that I was under the impression we would be presenting our
findings rather than submitting a written report. This misunderstanding led to my lack of
preparation for a thorough written assignment. I realize now that I should have sought
clarification beforehand and that this is ultimately my responsibility.

I sincerely apologize for not meeting the expectations and for any disappointment this may
have caused. I am committed to improving my performance and would greatly appreciate an
opportunity to demonstrate my capabilities. If given another chance, I am confident that I can
deliver work that meets the high standards you expect.

Thank you for your understanding and consideration.

Sincerely, Erick Ezekiel

2|Page
Scenario 10:

An internal audit at a Tanzanian microfinance institution reveals unauthorised transactions

totalling TZS 50 million. Audit logs indicate unusual activity from a system administrator’s

account, but the administrator denies involvement, claiming their credentials were stolen.

Qn 1. What tools and techniques would you use to verify whether the administrator’s

account was compromised

➢ Tools and Techniques for Verification

I. Log Analysis

Definition and Importance

Log analysis refers to the process of reviewing and interpreting log data generated by various
systems, applications, and devices within an IT environment. According to Agrawal, M.,
Campoe, A., & Pierce, E. (2014) in their book “Information Security and IT Risk
Management,” log analysis is a critical component of information security management. It
involves examining logs for anomalies, patterns, or indicators of security incidents that may
compromise the integrity, confidentiality, or availability of information systems.

Types of Logs
Logs can originate from various sources including servers, firewalls, intrusion detection
systems (IDS), applications, and network devices. Each type of log serves a unique purpose:

System Logs: These logs provide insights into the operating system’s operations and events.

Application Logs: Generated by software applications to track user activities and application
performance.

Security Logs: Focused on security-related events such as authentication attempts and access
control changes.

Network Logs: Capture traffic data across networks which can help identify unauthorized
access or unusual patterns.

3|Page
Tools Used in Log Analysis

There are various tools available for effective log analysis including SIEM (Security
Information and Event Management) solutions like Splunk, ELK Stack (Elasticsearch,
Logstash, Kibana), and Graylog. These tools automate much of the collection and analysis
processes while providing dashboards for real-time monitoring.

Application in verifying whether the system administrator’s account was compromised

➢ Analyzing audit logs is crucial in identifying unauthorized access patterns. This

includes reviewing login times, IP addresses, and any changes made during the session.
Tools like Splunk or ELK Stack can be employed to aggregate and analyze log data
efficiently.

II. User Entity Behavior Analytics (UEBA)

Definition and Purpose of UEBA

User Behavior Analytics (UEBA) is a security process that focuses on the analysis of user
activities within an organization’s network. According to Peltier (2016), UEBA aims to
identify abnormal behavior patterns that may indicate potential security threats or breaches. By
monitoring user actions, organizations can detect anomalies that deviate from established
norms, which could signify malicious activities such as insider threats, compromised accounts,
or data exfiltration.

Benefits of UEBA

Implementing UEBA provides several benefits:

Enhanced Threat Detection: By focusing on user behavior rather than solely on traditional
security measures like firewalls and antivirus software, organizations can uncover
sophisticated attacks that might otherwise go unnoticed.

Reduced False Positives: Traditional security systems often generate numerous false alarms;
however, UEBA’s focus on behavioral anomalies helps reduce these instances by providing
context around user actions.

4|Page
Improved Incident Response: With timely alerts regarding suspicious behaviors, security
teams can respond more quickly to potential incidents before they escalate into serious
breaches.

Compliance Support: Many regulatory frameworks require organizations to monitor user

access and behavior closely; UEBA can assist in meeting these compliance requirements
effectively.

Application in verifying whether the system administrator’s account was compromised

Implementing UEBA tools can help detect anomalies in user behavior that deviate from
established patterns. For instance, if the administrator typically logs in from a specific location
but suddenly accesses the system from an unusual IP address, this could indicate a compromise.

III. Forensic Imaging

Forensic imaging refers to the process of creating an exact, bit-for-bit copy of digital data
from storage devices such as hard drives, SSDs, or smartphones. This process is crucial in
digital forensics as it ensures that the original evidence remains unaltered while allowing
forensic experts to analyse the duplicate for relevant information. The primary goal of forensic
imaging is to preserve the integrity of digital evidence, which is essential for legal proceedings.

Top Forensic Imaging Tools

Several forensic imaging tools are widely recognized for their effectiveness in digital
investigations:

1. EaseUS Todo Backup Home: This tool allows users to create identical copies of hard
drives while ensuring data security against ransomware attacks.
2. Sleuth Kit (+Autopsy): A powerful analysis tool that enables users to evaluate hard
drives or smartphones through a graphical interface while supporting email analysis.
3. Google Takeout Converter: This tool facilitates batch mode analysis of files obtained
from Google Takeout, streamlining the extraction and processing of email messages and
attachments.
4. PALADIN, Encase, SIFT Workstation, FTK Imager, X-Ways Forensics, and
Volatility Framework are also notable mentions among top forensic imaging tools used
by professionals in various scenarios.

5|Page
Application in verifying whether the system administrator’s account was compromised

Creating a forensic image of the system used by the administrator allows for an in-depth
examination of all files and logs without altering original data. This process helps uncover
hidden files or evidence of tampering.

Reference: Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and
Investigations. Cengage Learning. (Print)

IV. Network Traffic Analysis

Network Traffic Analysis (NTA) refers to the process of monitoring, analysing, and
understanding network traffic patterns to identify potential security threats, optimize network
performance, and troubleshoot issues. Network Traffic Analysis is a critical component of
network security and management, as it provides real-time visibility into network activity,
allowing organizations to detect and respond to threats, improve network reliability, and ensure
compliance with regulatory requirements.

Network Traffic Analysis Tools

Several tools are available for NTA, including:

Wireshark: A popular open-source network protocol analyser.

Tcpdump: A command-line tool for capturing and analysing network traffic.

NetFlow: A network protocol developed by Cisco for collecting and analysing network traffic
data.

sFlow: A network protocol for collecting and analysing network traffic data.

Network Taps: Hardware devices that provide a copy of network traffic for analysis.

6|Page
Application in verifying whether the system administrator’s account was compromised

Monitoring network traffic for unusual outgoing connections or data transfers can provide
insights into whether sensitive information was exfiltrated during unauthorized access.

Reference: Zeltser, L., & Gibbons, S.E. (2014). Malware Analyst’s Cookbook and DVD:
Tools and Techniques for Fighting Malicious Code. Wiley Publishing Inc. (Print)

V. Account Activity Review

Account Activity Review is a critical process in cybersecurity and information security

management that involves examining the actions and transactions associated with a specific
user account over a defined period. This review aims to identify any unauthorized or suspicious
activities that may indicate a compromise of the account or misuse of privileges.

Purpose of Account Activity Review

1. Detection of Unauthorized Access: The primary goal is to identify any unauthorized

access attempts or successful logins from unusual locations or devices.
2. Monitoring User Behavior: By analysing the behavior patterns of users, organizations
can establish baselines for normal activity, making it easier to spot anomalies.
3. Compliance and Audit Requirements: Many industries have regulatory requirements
that mandate regular reviews of user account activities to ensure compliance with
security policies.
4. Incident Response Preparation: In case of a security incident, having a record of
account activities can provide crucial information for forensic investigations.

Application in verifying whether the system administrator’s account was compromised

Reviewing all activities performed under the administrator’s account during the suspected
period of compromise is vital. This includes changes to user permissions, access to sensitive
files, and any transactions initiated.

Reference: Stallings, W., & Brown, L. (2012). Computer Security: Principles and Practice.
Pearson Education Limited. (Print)

7|Page
Qn:2 How can privileged access monitoring and user behavior analytics detect and
prevent such fraud

Privileged Access Monitoring (PAM) is a critical component of cybersecurity strategies

aimed at overseeing and controlling access to sensitive systems, data, and resources by
privileged users. Privileged users, such as system administrators, IT staff, or third-party
vendors, often have elevated access rights that, if misused or compromised, can lead to
significant security breaches.

Key Objectives of Privileged Access Monitoring:

Prevent Misuse: Ensure that privileged accounts are not misused, either intentionally or
accidentally.

Detect Anomalies: Identify unusual or suspicious activities that could indicate a security
threat.

Ensure Compliance: Meet regulatory and organizational compliance requirements by

maintaining detailed logs of privileged access.

Mitigate Risks: Reduce the risk of insider threats, external attacks, and data breaches.

Core Components of PAM

Privileged Account Discovery: Identify all privileged accounts across the organization,
including those in cloud environments, endpoints, and shared accounts.

Access Control: Implement strict access controls, such as role-based access control (RBAC)
and least privilege principles, to limit access to only those who need it.

Session Monitoring: Record and monitor all activities performed during privileged sessions,
including keystrokes, commands, and screen activity.

Real-Time Alerts: Set up alerts for suspicious activities, such as unauthorized access attempts
or unusual behavior.

8|Page
Audit Trails: Maintain detailed logs of all privileged access and actions for forensic analysis
and compliance reporting.

Password Management: Use secure password vaults to manage and rotate credentials for
privileged accounts.

Just-In-Time Access: Grant temporary access to privileged accounts only when needed and
revoke it immediately after use.

Benefits of Privileged Access Monitoring:

Enhanced Security: Reduces the attack surface by limiting and monitoring privileged access.

Improved Compliance: Helps organizations meet regulatory requirements like GDPR,

HIPAA, and SOX.

Faster Incident Response: Provides detailed logs and real-time alerts to quickly identify and
respond to security incidents.

Accountability: Ensures that all actions taken by privileged users are logged and traceable.

Application of PAM

Privileged Access Monitoring

Privileged access monitoring refers to the systematic oversight of accounts that have elevated
permissions within an organization’s IT infrastructure. These accounts, often held by system
administrators or IT personnel, possess significant access rights that can lead to severe
consequences if misused. Here’s how privileged access monitoring can help detect and prevent
fraud:

1. Real-time Activity Monitoring: By continuously tracking the actions taken by users

with privileged access, organizations can identify any deviations from normal behavior
patterns. For instance, if a system administrator typically accesses certain files or
systems during business hours but suddenly logs in at odd hours or accesses unusual
data sets, this could trigger alerts for further investigation.

9|Page
 2. Audit Trails: Maintaining detailed logs of all actions performed by privileged users
allows organizations to create a comprehensive audit trail. In the event of suspected
fraud, these logs can be reviewed to determine what actions were taken, when they
occurred, and whether they align with the user’s typical behavior.
3. Anomaly Detection: Advanced monitoring tools can employ machine learning
algorithms to establish baseline behaviours for privileged users. Any activity that
significantly deviates from this baseline can be flagged for review. For example, if an
administrator who usually processes transactions up to TZS 5 million suddenly attempts
to authorize a transaction for TZS 50 million without prior justification, this would
raise red flags.
4. Access Control Policies: Implementing strict access control policies ensures that only
authorized personnel have access to sensitive functions within the system. Regular
reviews of these policies and user privileges help minimize the risk of unauthorized
access.
5. Alerts and Notifications: Automated alert systems can notify security teams
immediately when suspicious activities are detected involving privileged accounts. This
allows for prompt action before significant damage occurs.

“Privileged Access Management.” Encyclopedia of Information Science and Technology,

edited by Khosrow-Pour M., IGI Global (Print).

Application of UEBA

User Behavior Analytics (UEBA)

User Behavior Analytics complements privileged access monitoring by focusing on

understanding how users interact with systems over time:

1. Behavioral Baselines: UEBA tools analyse historical data to establish normal usage
patterns for each user based on various factors such as login times, accessed resources,
and transaction types. This baseline is crucial in identifying anomalies indicative of
potential fraud.
2. Risk Scoring: Each user’s actions are assigned risk scores based on their behavior
relative to established norms. High-risk scores may indicate compromised accounts or
insider threats requiring immediate attention from security teams.

10 | P a g e
 3. Contextual Analysis: UEBA considers contextual factors such as location and device
used for accessing systems. If an administrator’s account is accessed from an unusual
geographic location or device not previously associated with their profile, it raises
suspicion regarding credential theft or misuse.
4. Integration with Incident Response: When anomalies are detected through UEBA,
they can be integrated into incident response protocols allowing organizations to take
swift action—such as locking accounts or requiring additional authentication
measures—to mitigate potential damage.
5. Continuous Improvement: The insights gained from UEBA not only assist in
detecting current fraudulent activities but also inform future security strategies by
highlighting vulnerabilities within existing processes and technologies.

Fraud Detection Techniques.” Handbook of Financial Fraud Prevention, edited by Smith

J., Wiley & Sons (Print).

Qn 3: Recommendations for Access Control and Authentication Policies

Implement Role-Based Access Control (RBAC)

The institution should adopt a role-based access control system that restricts system access to
authorized users based on their roles within the organization. This means that permissions
should be assigned according to job responsibilities, ensuring that employees only have access
to the information necessary for their functions. RBAC minimizes the risk of unauthorized
transactions by limiting access rights.

Enhance Multi-Factor Authentication (MFA)

To strengthen user authentication, the institution should implement multi-factor authentication

for all critical systems, especially those accessed by system administrators. MFA requires users
to provide two or more verification factors to gain access, such as something they know
(password), something they have (security token), or something they are (biometric
verification). This significantly reduces the likelihood of unauthorized access even if
credentials are compromised.

11 | P a g e
Regularly Review and Update User Access Rights

Conduct periodic reviews of user access rights to ensure that permissions remain appropriate
as roles change within the organization. This includes revoking access immediately when an
employee leaves or changes positions. Regular audits can help identify any discrepancies in
user privileges that may lead to potential security breaches.

Implement Logging and Monitoring Mechanisms

Establish comprehensive logging and monitoring systems that track user activities across all
critical systems. These logs should be regularly reviewed for unusual patterns or anomalies
indicative of unauthorized actions. Automated alerts can also be set up to notify security
personnel of suspicious activities in real-time.

Conduct Security Awareness Training

Provide ongoing training for all employees regarding security best practices, including
recognizing phishing attempts and safeguarding personal credentials. Employees should
understand the importance of reporting suspicious activity and adhering to established security
protocols.

Establish Incident Response Protocols

Develop clear incident response procedures that outline steps to take when a potential breach
is detected, including how to investigate unauthorized transactions effectively. This protocol
should include communication plans for notifying affected parties and regulatory bodies if
necessary.

Utilize Encryption for Sensitive Data

Ensure that sensitive data is encrypted both at rest and in transit to protect against unauthorized
interception or disclosure during transmission over networks.

Information Security Policies, Procedures, and Standards - Guidelines for Effective

Information Security Management T. Peltier Page -182 {access control policies}

12 | P a g e
Scenario 2:

A Tanzanian bank experiences a phishing campaign targeting its employees. Several

employees unknowingly shared their login credentials, leading to unauthorized access

Qn 1. Digital Auditing Techniques to Trace Actions of Compromised Accounts

To trace the actions of compromised accounts in a phishing incident, several digital auditing
techniques can be employed:

a. Log Analysis: The first step in tracing unauthorized access is to conduct a thorough analysis
of server and application logs. This includes examining login attempts, timestamps, IP
addresses, and user activity logs. By correlating this data, auditors can identify unusual patterns
or anomalies that indicate unauthorized access.

b. User Activity Monitoring: Implementing user activity monitoring tools allows for real-
time tracking of employee actions within the system. This includes file access, changes made
to sensitive data, and any transactions initiated by the compromised accounts. Such monitoring
can help pinpoint the extent of the breach.

c. Forensic Analysis: In cases where unauthorized access has occurred, forensic analysis may
be necessary. This involves creating a forensic image of affected systems and analyzing it for
evidence of malicious activity, such as malware installations or data exfiltration.

d. Network Traffic Analysis: Analyzing network traffic can reveal suspicious activities
associated with compromised accounts. Tools that monitor outgoing traffic can help identify if
sensitive information was transmitted outside the organization or if there were connections to
known malicious IP addresses.

e. Alerting Systems: Setting up alerting mechanisms for unusual login attempts or access
patterns can provide immediate notification of potential breaches. These alerts should be
configured based on predefined thresholds that consider normal user behavior.

13 | P a g e
Qn 2. Implementing Privileged Access Controls to Minimize Damage

To minimize damage from unauthorized access due to phishing attacks, implementing robust
privileged access controls is essential:

Privileged access controls (PAC) are essential components of cybersecurity frameworks that
help organizations manage and protect privileged accounts and their associated credentials.
These controls are designed to limit access to sensitive systems and data, ensuring that only
authorized users can perform actions that could affect the integrity, confidentiality, and
availability of critical resources.

a. Role-Based Access Control (RBAC): Establish RBAC policies that limit user permissions
based on their job roles within the organization. Employees should only have access to
information and systems necessary for their specific functions.

b. Multi-Factor Authentication (MFA): Enforce MFA for all users accessing sensitive
systems or data. This adds an additional layer of security beyond just passwords, making it
more difficult for attackers to gain unauthorized access even if they have obtained login
credentials.

c. Regular Review of Access Rights: Conduct regular audits and reviews of user access rights
to ensure that employees only retain permissions relevant to their current roles within the
organization. Promptly revoke access for employees who change roles or leave the company.

d. Session Management: Implement session management controls that automatically log users
out after a period of inactivity and require re-authentication for sensitive operations.

e. Incident Response Plan: Develop and maintain an incident response plan specifically
addressing phishing attacks and unauthorized account access scenarios. This plan should
outline steps for containment, investigation, communication, and recovery.

Blobel, B., Nordberg, R., Davis, J. M., & Pharow, P. (2006). Modelling privilege management
and access control. International Journal of Medical Informatics, 75(8), 597-623.(google
scholar)

14 | P a g e
Qn 3. Measures to Prevent Future Phishing Campaigns

To prevent future phishing campaigns targeting bank employees, several proactive measures
can be taken:

Phishing is a form of social engineering and cybercrime that involves deceiving individuals
into revealing sensitive information, such as passwords, account numbers, or personal
identification details. This deceptive practice often manifests through various digital
communication methods, including emails, text messages, and phone calls. The primary goal
of phishing attacks is to manipulate victims into providing confidential data or installing
malicious software on their devices.

Phishing attacks can take several forms:

1. Email Phishing: This is the most common type of phishing attack where fraudulent
emails are sent to a large number of recipients. These emails typically appear to come
from trusted sources like banks or online services and often contain links to fake
websites designed to capture login credentials.
2. Spear Phishing: Unlike general email phishing, spear phishing targets specific
individuals or organizations using personalized messages. Attackers may gather
personal information about the target to make their approach more convincing.
3. Voice Phishing (Vishing): This method uses phone calls instead of emails. Attackers
may impersonate legitimate institutions and use social engineering tactics to extract
sensitive information from victims over the phone.
4. SMS Phishing (Smishing): Similar to email phishing but conducted via text messages,
smishing involves sending deceptive messages that prompt recipients to click on
malicious links or provide personal information.
5. Page Hijacking: This technique redirects users from legitimate websites to malicious
ones through compromised web pages, often employing cross-site scripting techniques.
6. Quishing: A newer trend where attackers exploit QR codes to direct users to malicious
sites when scanned.

Gragg, David. “A Multi-Layered Approach to Phishing Prevention.” Information Systems

Security, vol. 15 no. 6, 2006, pp. 23-30 (Print).

15 | P a g e
a. Employee Training Programs: Regularly conduct comprehensive training sessions
focused on recognizing phishing attempts and safe online practices. Employees should learn
how to identify suspicious emails and report them promptly.

b. Simulated Phishing Exercises: Implement simulated phishing exercises to test employee

awareness and response capabilities regarding phishing threats actively. These exercises help
reinforce training by providing practical experience in identifying phishing attempts.

c. Email Filtering Solutions: Deploy advanced email filtering solutions that utilize machine
learning algorithms to detect and block potential phishing emails before they reach employees’
inboxes.

d. Security Awareness Campaigns: Run ongoing security awareness campaigns using

newsletters, posters, or intranet resources that keep cybersecurity top-of-mind among
employees.

e. Reporting Mechanisms: Establish clear reporting mechanisms for employees who suspect
they have received a phishing email or fallen victim to one so that swift action can be taken
against potential threats.

Adopting: A Zero Trust Policy is a cybersecurity framework that operates on the principle of
“never trust, always verify.” This approach assumes that threats could be both external and
internal, and therefore, no user or device should be trusted by default, regardless of whether
they are inside or outside the network perimeter.

Stafford, V. (2020). Zero trust architecture. NIST special publication, 800, 207.[Google-
scholar]

Key Principles of Zero Trust Policy

1. Verification Before Trust: Every access request must be authenticated and authorized
before granting access to resources. This involves verifying user identity through multi-
factor authentication (MFA) and ensuring that devices meet security compliance
standards.

16 | P a g e
 2. Least Privilege Access: Users should only have access to the resources necessary for
their job functions. This minimizes potential damage in case an account is
compromised.
3. Micro-Segmentation: The network is divided into smaller segments, each with its own
security controls. This limits lateral movement within the network, making it harder for
attackers to access sensitive data.
4. Continuous Monitoring: Continuous monitoring of user activity and network traffic
is essential to detect anomalies or suspicious behavior in real-time. This includes
logging and analyzing all access requests and actions taken within the system.
5. Assume Breach: The Zero Trust model operates under the assumption that breaches
will occur, so it emphasizes rapid detection and response capabilities to mitigate
potential damage.

Implementation Steps for a Zero Trust Policy

1. Identify Sensitive Assets: Determine which data, applications, and services are critical
to your organization’s operations and require heightened security measures.
2. Map Data Flows: Understand how data moves across your network to identify
potential vulnerabilities and points of unauthorized access.
3. Establish Identity Governance: Implement strong identity management practices that
include robust authentication methods (e.g., MFA) and regular reviews of user
permissions.
4. Implement Micro-Segmentation: Use firewalls or software-defined networking
(SDN) solutions to create micro-segments within your network where specific policies
can be applied based on user roles or device types.
5. Deploy Security Tools: Utilize advanced security tools such as intrusion detection
systems (IDS), endpoint detection and response (EDR), data loss prevention (DLP),
and threat intelligence platforms to enhance visibility into your environment.
6. Conduct Regular Audits: Perform regular audits of your security posture to ensure
compliance with Zero Trust principles and identify areas for improvement.
7. Educate Employees: Provide ongoing training for employees about cybersecurity best
practices, including recognizing phishing attempts and understanding their role in
maintaining security within a Zero Trust framework.

17 | P a g e
 REFERENCES

Anderson, Ross J., et al., Security Engineering: A Guide to Building Dependable Distributed
Systems. Wiley Publishing Inc., Print.

Information Security Policies, Procedures, and Standards - Guidelines for Effective

Information Security Management T. Peltier 2016

Fraud Detection Techniques.” Handbook of Financial Fraud Prevention, edited by Smith J.,
Wiley & Sons (Print).

Modern Language Association. MLA Handbook. 9th ed., Modern Language Association of
America, 2021. (Print)

18 | P a g e