A(i). Policy 4 limits remote administration to SSH from the internal 10.0.4.0/24 network only. This protects the device because an outside attacker cannot reach the admin interface at all; the avenue of attack is closed before authentication is even attempted. (Policy 3, banning removable media, is also acceptable: it prevents malware from being introduced through an infected USB drive the firm cannot vet.)

A(ii). Policy 1 could be strengthened by requiring multifactor authentication in addition to the 12-character password. For example, requiring a one-time code from an authenticator app means a stolen or guessed password alone would not grant access. (Also acceptable: shorten the patch window in Policy 2 from 7 days to 48 hours so critical vulnerabilities are closed faster.)

B(i). The log shows many failed password attempts for the same account in a very short window, all from one source. Rows 1 through 8 are failed passwords for tokafor between 02:14:07 and 02:14:11, roughly eight failures in about five seconds, followed by a failed attempt for user root on row 9. This rapid sequence is a brute-force or password-guessing attack. Row 10 then shows an accepted login, meaning the attack succeeded.

B(ii). 10.0.4.88

C(i). For payroll.sh the permissions are -rwxrwx---. The first grouping rwx gives the owner tokafor read, write, and execute. The second grouping rwx gives the group finance read, write, and execute. The final grouping --- gives all other users on the system no access at all.

C(ii). The file q3_report.txt is currently -rw-rw-r--, so every other user on the system can read it. To restrict access for those users, remove the read permission from the “others” category so only the owner and the finance group can read it.

C(iii). chmod o-r q3_report.txt  (equivalently chmod 660 q3_report.txt).

D(i). The firewall log in Source 4 shows three [UFW BLOCK] entries from 198.51.100.77 to destination port 3389 (RDP). These were blocked because firewall rule 7 denies that exact source IP on port 3389, and because the firewall uses first match wins, rule 7 is reached before the broad Allow in rule 8.

D(ii). Change rule 7 from Deny to Allow for source 198.51.100.77 on port 3389 (or remove rule 7 so that the Allow in rule 8 applies to that host). Either change lets the RDP connection from 198.51.100.77 through.

D(iii). Allowing 198.51.100.77 to reach RDP exposes the Remote Desktop service to an external, untrusted host. That host could now send RDP traffic to the server and attempt to brute-force the login, increasing the attack surface and the volume of inbound traffic the server must process.

E(i). A directory traversal (path traversal) attack.

E(ii). The web access log in Source 5 shows GET requests to the download endpoint whose file parameter contains ../ sequences, such as rows 2 and 3 requesting ../../../../etc/passwd and ../../../../etc/shadow. Row 4 uses the URL-encoded form ..%2f to try to evade filtering. The 200 responses indicate the traversal to /etc/passwd succeeded in returning a file outside the web directory.

E(iii). A web application firewall or an IPS with a signature for traversal patterns can inspect each incoming request and block any whose parameters contain ../ or its encoded equivalents before the request reaches the application, stopping the attack in real time.

E(iv). Any non-automated countermeasure, for example: validate and sanitize the file parameter in the application so it only accepts an allowlist of filenames and rejects path separators; or run the web service under least-privilege file permissions so it cannot read /etc/shadow even if traversal is attempted; or keep the application patched.