"What are you protecting?" and "What are you protecting it from?" are central questions for a security expert. In this project you will perform an analysis of the CIS datacenter in room 830 (the STEM center). The datacenter contains the infrastructure we use to teach many CIS and CS classes. Your analysis will help you understand the value of the assets of the CIS/CS programs and explore the consequences of various threats.

Like the last project, it's essential that you work with your peers. There are many details that are easy to overlook. Working in teams creates a diversity of opinion. Diversity suits a security team by reducing groupthink. There will be times when a team member notices something you would never have thought of. Good working teams learn how to capture it all into a strong security plan. You can work in the same group as Project 1 or pick a new group.

This project is the last group project in the class. You have four weeks to do it. Be sure to get some work done every week.

Part 1: Take Inventory

Your group's first task is to take a complete inventory of the CIS datacenter. The CIS datacenter is located in room 830 (the STEM center). Build a spreadsheet with the inventory. Not every member of the group needs to be physically present to do this, but at least one person should start the spreadsheet with all the items they discovered. Every item in your spreadsheet should contain the following information:

  • Item Description. This should contain the manufacturer and model if possible. For example, “Dell R620 Server” or “Cisco 2901 Router” or simply “2 post rack”.
  • Item Count.
  • Unit Cost. Look online for the price of the item. It may not be possible to find an exact figure (e.g. server prices depend on processors, RAM). Make an estimate based on a “middle” cost.
  • Total Cost. This is Unit Cost times Item Count.

Be as thorough as possible. When you have all items listed, total the costs and figure out how much the whole datacenter costs.

Part 2: Network Analysis

There's more to a datacenter than just equipment. You can see the physical devices that make the network but not the IP addresses, protocols and open ports that make systems available. Perform penetration testing as if you were a red team. A red team is a group of people hired to find vulnerabilities in a network. Red teams are “white hat” hackers that use the methods and tactics of “black hat” hackers. There are rules of engagement that are important to follow.

Red teams are working for the people they attack and can be fired by those people. So:

  • Red teams must never intentionally damage the network they're analyzing
    • Reductions in QoS because of scanning activity are okay so long as they are for short periods of time.
    • Sometimes hosts fail when scanned, that's okay but don't repeat scans that cause damage.
  • Red teams may use malware but cannot let infections spread out of control
  • Red teams may break into systems and steal data but must be careful to stay away from sensitive data (like health records). Any stolen data should be considered a “proof of concept.”
  • Red teams must report all activities without withholding any vulnerabilities.
  • Red teams must stop all activity upon request.

You are required to submit weekly updates on your scanning and penetration activities.

I have uploaded PDFs to Canvas that contain information about the IP addresses and VLANs on the CIS network. Start with that information and scan each assigned IP address range from inside of Cabrillo's network. You must have a team member who can be physically present to do the scanning, otherwise the RFC-1918 private address ranges will not be reachable. Each host on the network should have a complete port scan and you should attempt to determine what operating system is running on each host.

Part 3: Risk Analysis

By this time you should have some key data that you need to perform a risk assessment. Start by filling out the spreadsheets that we did as part of the Risk Management lecture. You can copy the blank spreadsheet here:

Risk Management Blank

I want you to consider the following criteria and their relative weights:

  1. Impact to the ability to teach classes. (40%)
    1. Can I start a lecture on Zoom?
    2. Do the classroom computers work?
    3. Can you log in to Cabrillo servers such as Opus and vlab?
  2. Impact to budget and faculty time. (30%)
    1. How much time will it take to recover from a loss?
    2. Will it cost a lot of money to recover?
  3. Impact to the reputation of Cabrillo or the CIS department. (30%)
    1. Will a loss reduce future enrollment?
    2. Will I be in trouble with the college or law enforcement?

Consider the following assets:

  1. The operation of the 828, 829 and 830 room networks.
  2. The physical assets (computers, routers, etc.) and their ongoing operation.
  3. Student and instructor account information (e.g. logins and passwords).
  4. Student VMs, data and homework assignments.

Discuss with your group the impacts, assets and threats. Complete the TVA spreadsheet telling me what the highest priority items are. In your report you must explain why you came up with the answer you did.
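The weighted criteria above can be applied to the four assets as a weighted-factor ranking. The following is an added example, not the instructor's spreadsheet or part of the original assignment: the criterion key names are shorthand chosen here, and every impact score is a constructed placeholder on an assumed 0-100 scale that your group would replace with its own judgments.

```python
"""Weighted-factor ranking of the assignment's four assets (added example)."""

# Criteria and weights in percent, as listed in the assignment.
# The short key names are this example's own shorthand.
WEIGHTS = {"teaching": 40, "budget_time": 30, "reputation": 30}

# Constructed impact scores (0 = no impact, 100 = worst case).
# Placeholders only; they are not findings about the real datacenter.
SAMPLE_SCORES = {
    "828/829/830 room networks": {"teaching": 90, "budget_time": 50, "reputation": 40},
    "Physical assets": {"teaching": 70, "budget_time": 90, "reputation": 30},
    "Account information": {"teaching": 60, "budget_time": 40, "reputation": 90},
    "Student VMs, data, homework": {"teaching": 80, "budget_time": 60, "reputation": 70},
}


def weighted_score(scores, weights=WEIGHTS):
    """Return the weighted impact of one asset on a 0-100 scale."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must total 100%")
    if set(scores) != set(weights):
        raise ValueError("every criterion needs exactly one score")
    for criterion, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{criterion} score {value} is outside 0-100")
    return sum(scores[c] * w for c, w in weights.items()) / 100


def rank_assets(assets, weights=WEIGHTS):
    """Return (asset, score) pairs, highest impact first; ties sort by name."""
    scored = [(name, weighted_score(s, weights)) for name, s in assets.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_SCORES):
        print(f"{score:5.1f}  {name}")
```

Two assets tie in the constructed data, which is the kind of result your report should resolve with a written justification rather than leave to sort order.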

Part 4: Write a Report

Finally you will combine everything you've learned in the previous parts into a report. Your report must have the following sections:

  1. Executive Summary. Summarize what you did and what the biggest risks are.
  2. Methods. Explain in detail how you gathered data for the report. State when you did the inventory and what tools you used for scanning and mapping.
  3. Results. Include the results from your inventory, network analysis and risk assessment. These should be formatted to be readable in a document (not just a spreadsheet).
  4. Conclusion. Suggest what steps might be taken to lower the risk for the most urgent items you found.
  5. Raw Data. Please include your spreadsheets as an appendix.


You will be graded on completeness, correctness and professional presentation:

  • 10% for teamwork. You must work with a team for this project.
  • 20% professional presentation. Your report should be written in complete sentences, professionally formatted and contain all requested sections.
  • 70% correctness. You must list all significant items in the datacenter and you must find all hosts/networks.