Network Security

Duration: July 2025 (6 Weeks) | Tutor: Dr. Nawaz Khan

Learning Objectives

  • Understand the fundamentals of vulnerability assessment in various systems.
  • Understand the fundamentals of the provision of security in information networks.
  • Be aware of the various protocols and architectures used by various network systems.
  • An understanding of the use and benefits of various monitoring and logging tools.
  • An understanding of how to create and use security vulnerability and assessment tools.
  • The ability to present critical arguments for specific actions or outcomes to a diverse audience.
  • The opportunity to reflect on and evaluate their personal development.

Website choice activity

I was required to select a website for ongoing security assessments throughout the module. I chose to go with demo.testfire.net. I chose this website because it is a banking web application, which aligns with my professional interest in the banking and financial services sector. This choice allows me to practice applying network security concepts to real-world financial applications, which are highly regulated and security-sensitive.

Working on this website will help me understand the compliance and security requirements of real-world banking and financial services.


The SolarWinds Breach Case Study and Cyber Kill Chain Model

I was asked to analyse the SolarWinds breach using the Cyber Kill Chain model. The task involved breaking down the attack into its phases, identifying potential mitigations, and suggesting tools that could be utilised at various stages. I also had to prepare a short presentation summarising my findings for the seminar.

Here is a link to the presentation.

Working on the SolarWinds case study really opened my eyes to how complex supply-chain attacks can be. I had read about the breach before, but breaking it down with the Cyber Kill Chain made me see each stage more clearly and think about where defenses succeed or fail. What stood out to me most was how much trust we place in vendors, and how hard it is to defend once that trust is broken. It also helped me appreciate the value of structured academic frameworks — they gave me a clearer way to analyse and explain something that, in the past, I would have only looked at from a technical or practical angle.


Digitalisation – What are the Security Implications of the Digital Economy?

Taking part in this discussion helped me see digitalisation from more than just a technical angle. I came in with strong views shaped by my work with SMEs, but the exchange with others showed me how much the human and financial aspects matter too. It made me realise that security is not just about building controls—it’s also about awareness, culture, and the ability of smaller businesses to balance cost with protection.

What I took away from this activity is the importance of looking at problems from multiple perspectives. My peers reminded me that employees at every level need to be part of the security picture, and that budgeting decisions often drive choices more than technology itself. This pushed me to think more critically about my own assumptions and the way I frame risks.

The learning outcome for me was recognising that good cybersecurity isn’t just technical expertise—it’s also about governance, culture, and practical realities. I feel more confident now in analysing these broader issues and weaving them into both my academic work and professional practice.

Here is a link to my initial post.


Vulnerability Audit and Assessment – Baseline Analysis and Plan

In developing the assessment plan for demo.testfire.net, I chose to base my approach on the OWASP Top 10, OWASP Risk Rating Methodology, and OWASP Web Security Testing Guide, rather than the Cyber Kill Chain. My reasoning was that OWASP provides a more practical framework for identifying and prioritising vulnerabilities in web applications, whereas the Cyber Kill Chain is more suited to analysing attack campaigns. By aligning the plan with PCI-DSS and GDPR, I was also able to connect technical findings with compliance obligations that are especially relevant in the banking and finance sector.

This activity strengthened my ability to structure complex information in a way that is clear and client-facing. I learned how to balance technical detail with executive-level communication by using tables, risk ratings, and phased deliverables to present findings in a digestible format. I also gained confidence in selecting and justifying tools such as OWASP ZAP, Metasploit, and testssl.sh, not only in terms of their technical purpose but also their business impact.

One of the biggest takeaways was how standards, tools, and risk models can be combined into a single narrative. Previously, I would treat these elements separately in practice, but this task showed me the value of integrating them into a coherent assessment plan that highlights risks, aligns them to regulations, and proposes actionable recommendations. This more structured approach has already shifted the way I think about client deliverables, making me more critical about clarity, prioritisation, and the linkage between vulnerabilities and business risk.

Here is a link to the plan I had submitted.



Marriott Data Breach Case Study

Looking into the Marriott breach gave me a clearer picture of how complex incidents can become when technical weaknesses overlap with business decisions. What struck me most was how the acquisition of Starwood played such a big part in the breach, showing that cybersecurity due diligence in mergers is just as critical as day-to-day technical controls.

Working through the checklist helped me connect the dots between technical failures, regulatory obligations, and the wider social and ethical impact. I realised that a breach is not just about lost data — it is about trust, reputation, and responsibility to customers. It made me think more carefully about the role of governance and compliance, especially under frameworks like GDPR, where the consequences go beyond financial cost.

For me, the biggest learning outcome was understanding how important it is to look beyond the immediate technical fix. A complete approach needs planning around acquisitions, stronger key and privilege management, and a culture of accountability. This case reinforced that being an information security professional means balancing technical skills with foresight, communication, and responsibility to both the organisation and its customers.

Here is a link to my presentation.


Vulnerability Audit and Assessment – Results and Executive Summary

Working on the final assessment report for Altoro Mutual was one of the most important activities in this module. It was the first time I had to bring together all my findings into a structured, business-focused executive summary rather than just a technical report. The challenge was not only in analysing 47 vulnerabilities but also in explaining what they meant for the organisation in terms of financial, reputational, and regulatory impact.

This task taught me how to balance technical depth with clarity. Instead of presenting raw scanner outputs, I learned to translate them into risk categories that business leaders could understand. Mapping the issues against GDPR and PCI-DSS requirements helped me connect technical flaws with legal and compliance obligations. This was a new skill for me — in the past, I focused on fixing vulnerabilities, but here I had to explain why those fixes mattered in terms of business continuity, customer trust, and regulatory fines.

Another key learning was prioritisation. Organising recommendations by business priority rather than just technical severity made me think differently about remediation. For example, weak authentication and SQL injection were not only “critical” in technical terms but also carried the highest potential for fraud and GDPR non-compliance. This shift forced me to look at vulnerabilities through a business lens and gave me a better understanding of how security teams should advise senior management.

The report also improved my professional communication skills. Using executive summaries, structured tables, and clear recommendations helped me practice writing in a way that supports decision-making. I realised that the effectiveness of a report is not measured by the number of vulnerabilities listed, but by how well it enables leaders to understand risks and act on them.

Overall, this assignment showed me how to connect technical findings to compliance, business impact, and strategy. It gave me confidence in preparing executive-level deliverables and reminded me that the role of a security professional is not just to find problems but to present them in a way that drives meaningful action.

Here is a link to the final assessment report.

Professional Skills Matrix and Action Plan

Skill Area | Evidence from Module | Development Plan
Time Management | Managed multiple deliverables (assessment plan, breach case studies, final report) under strict deadlines. | Develop a more structured weekly study schedule and apply project management techniques (e.g., milestones) in professional projects.
Critical Thinking & Analysis | Compared different frameworks (OWASP, Cyber Kill Chain, WSTG) to decide the most relevant for Altoro Mutual. | Continue practising threat modelling and impact analysis with new frameworks like MITRE ATT&CK.
Communication & Literacy | Produced executive summaries and structured reports (Altoro Mutual), adapted technical findings for non-technical audiences. | Refine executive communication skills by creating shorter, more visual reports for stakeholders.
IT & Digital Skills | Applied OWASP Top 10, risk rating methodology, and security tools such as OWASP ZAP and testssl.sh. | Expand toolset to include SIEM/EDR tools and automated compliance mapping.
Numeracy | Used OWASP risk scoring, calculating technical and business impact values to prioritise vulnerabilities. | Improve accuracy in applying risk models and explore quantitative risk analysis frameworks (e.g., FAIR).
Research | Integrated case studies (SolarWinds, Marriott) and academic references into reflections and reports. | Build a habit of reviewing latest industry and academic research for client projects.
Interpersonal Skills | Engaged in collaborative discussions, responded to peer feedback, and adapted perspectives. | Take a more active role in peer/group work, and practise client-facing communication.
Problem-Solving | Produced recommendations in the Altoro Mutual report, prioritised by business impact and compliance risk. | Strengthen by simulating incident response scenarios and root cause analysis in real-world environments.
Ethical Awareness | Reflected on GDPR obligations, reputational harm, and accountability in breach case studies. | Develop deeper knowledge of legal/ethical frameworks across different regions (e.g., DIFC, NIST).