
Unit 11 Cyber Security Incident Management Part B

Has anyone done Part B of Unit 11 Cyber Security? If so, can you guys please help: do you remember what the scenario was? Thank you very much in advance.

Reply 1

Original post
by asffwr221
Has anyone done Part B of Unit 11 Cyber Security? If so, can you guys please help: do you remember what the scenario was? Thank you very much in advance.

The scenario was the same, but the Ministry got an extortion email asking for BTC or they would leak private information about the company. If anybody else did the exam today, can you help me with the network diagram and cyber documentation, because I have no clue what to write?

Reply 2

Original post
by DaddyZonG
The scenario was the same, but the Ministry got an extortion email asking for BTC or they would leak private information about the company. If anybody else did the exam today, can you help me with the network diagram and cyber documentation, because I have no clue what to write?

Do you remember the 5 evidence items?

Reply 3

Original post
by ljfifvjiljilv
Do you remember the 5 evidence items?

1 is a report of the incident by the Senior System Tester for something
2 is an email basically saying "We hacked your boat and copied its data, you're in for bad luck on your opening day, send us $50k in Bitcoin and we'll tell you how we got the data"
3 is the data table from the email the "hacker" sent
4 is the report of an Apprentice, 1 and a half pages long; my system hung and it put us off, be ready to read all that
5 is the network diagram
6 is the CSIRT policy

Sorry, I don't remember much. Activity 4 and 5 really pmo

Reply 4

Original post
by whyamihere2
1 is a report of the incident by the Senior System Tester for something
2 is an email basically saying "We hacked your boat and copied its data, you're in for bad luck on your opening day, send us $50k in Bitcoin and we'll tell you how we got the data"
3 is the data table from the email the "hacker" sent
4 is the report of an Apprentice, 1 and a half pages long; my system hung and it put us off, be ready to read all that
5 is the network diagram
6 is the CSIRT policy
Sorry, I don't remember much. Activity 4 and 5 really pmo

omg thank you so much!!!

Reply 5

Does anyone remember anything about Part B at all???

Reply 6

Can anyone help with the Part B Activity 4 evidence and scenario?

Reply 7

Guysss, what did we conclude for the scenario in Activity 4?

Reply 8

Anyone know how to do Activity 5? The structure, how many documents, and answers please too.

Reply 9

Original post
by asffwr221
Has anyone done Part B of Unit 11 Cyber Security? If so, can you guys please help: do you remember what the scenario was? Thank you very much in advance.

PART B:
This paper must be read in conjunction with the unit information in the specification
and the BTEC Instructions for Conducting External Assessments (ICEA) document. See the
Pearson website for details.
Refer carefully to the instructions in this task booklet and the BTEC Instructions for
Conducting External Assessments (ICEA) document to ensure that the assessment is
supervised correctly.
Part A and Part B set tasks should be completed during the period of three weeks
timetabled by Pearson. Part A must be completed before starting Part B.
The 4-hour Part B set task must be carried out under supervised conditions.
The set task can be undertaken in more than one supervised session.
An electronic template for Activity 4 is available on the website for centres to download
for candidate use.
Learners must complete Part B on a computer using the templates provided and
appropriate software. All work must be saved as PDF documents for submission.
Teachers/Tutors and/or Invigilators may clarify the wording that appears in this task but
cannot provide any guidance in completion of Part B.
Teachers/Tutors and/or Invigilators should note that they are responsible for
maintaining security and for reporting issues to Pearson.
Maintaining security
Learners must not bring anything into the supervised environment or take
anything out.
Centres are responsible for putting in place appropriate checks to ensure that only
permitted material is introduced into the supervised environment.
Internet access is not permitted.
Learner’s work must be regularly backed up. Learners should save their work to their
folder using the naming instructions indicated in each activity.
During any permitted break, and at the end of the session, materials must be kept
securely and no items removed from the supervised environment.
Learners can only access their work under supervision.
User areas must only be accessible to the individual learners and to named members
of staff.
Any materials being used by learners must be collected in at the end of each session,
stored securely and handed back at the beginning of the next session.
Following completion of Part B, all materials must be retained securely for
submission to Pearson.
Part A materials must not be accessed during the completion of Part B.
W84538A
Outcomes for submission
Each learner must create a folder to submit their work. Each folder should be named
according to the following naming convention:
[Centre #]_[Registration number #]_[surname]_[first letter of first name]_U11B
Example: Joshua Smith with registration number F180542 at centre 12345 would have a
folder titled
12345_F180542_Smith_J_U11B
Each learner will need to submit 2 PDF documents within their folder. The 2 PDF
documents should use these file names:
Activity 4: activity4_incidentanalysis_[Registration number #]_[surname]_[first letter of
first name]
Activity 5: activity5_securityreport_[Registration number #]_[surname]_[first letter of
first name]
An authentication sheet must be completed by each learner and submitted with the
final outcomes.
The work should be submitted no later than 23 January 2026.
Instructions for Learners
Read the set task information carefully.
Plan your time carefully to allow for the preparation and completion of all the activities.
Your centre will advise you of the timing for the supervised period. It is likely that you
will be given more than one timetabled session to complete these tasks.
Internet access is not allowed.
You will complete this set task under supervision and your work will be kept securely at
all times.
You must work independently throughout the supervised assessment period and must
not share your work with other learners.
Your invigilator may clarify the wording that appears in this task but cannot provide any
guidance in completion of the task.
Part A materials must not be accessed during the completion of Part B.
Outcomes for submission
You must create a folder to submit your work. Each folder should be named according
to the following naming convention:
[Centre #]_[Registration number #]_[surname]_[first letter of first name]_U11B
Example: Joshua Smith with registration number F180542 at centre 12345 would have a
folder titled
12345_F180542_Smith_J_U11B
You will need to submit 2 PDF documents within the folder. The 2 PDF documents
should use these file names:
Activity 4: activity4_incidentanalysis_[Registration number #]_[surname]_[first letter of
first name]
Activity 5: activity5_securityreport_[Registration number #]_[surname]_[first letter of
first name]
You must complete an authentication sheet before you hand your work into
your invigilator.
Set Task Brief
The Cefurbo Sailing Academy
The Cefurbo Sailing Academy (CSA) project is now in its testing stage, before the official
opening at the end of January. The Project Manager is Viro D’Ordino.
There are three Wi-Fi networks:
Visitor: free and open access to anyone.
Premium: secured by WPA3. The password is only given to official visitors and
people staying at the academy.
Admin: secured by WPA3 and restricted to the administration and IT centres.
A competitive sailing boat generates gigabytes of data during a race. This is transmitted
using a dedicated 5G system. The data is held in the IT centre and each support team
has its own virtual server and database.
Figure 1 shows a plan of the CSA site. The inset map shows the harbour and cell
tower locations.
Figure 1
There is a LAN connecting the buildings. The CSA computers use a secure version of
Linux, created by the government. Staff also use government mobile phones for both
internal and external communications. These use Android and have built-in encryption.
They use the Varma Loko Telecoms company cell towers.
The CSA system is backed up daily to government servers at the Ministry of Sport. Team
data is not normally backed up. Teams may download their data to a suitable storage
device and/or request an image of their server.
Client brief
You advised Viro on cyber security matters last year. Now, a few weeks later, he wants
you to review a cyber security investigation.
He says that the Minister for Sport received an email on 28 December demanding
money and claiming that confidential diagnostic data from the trial event has been
hacked (see evidence items 2 and 3).
The incident was first investigated by the specialist in charge of testing the IT systems,
Cibero Estro. Cibero said the data was not confidential and not from the trial event (see
evidence item 1).
Cibero instructed a trainee technician, Juna Spertulo, to investigate and report as part of
their training (see evidence item 4).
Evidence items from the security incident at CSA
Evidence items include:
1. Cibero Estro’s memo
2. The email
3. Data table
4. Juna Spertulo’s report
5. Network diagram
6. Cyber security document.
1. Cibero Estro’s memo
TO: Viro D’Ordino, Project Manager
FROM: Cibero Estro, Senior Systems Testing Manager
DATE: 29 December, 2025
SUBJECT: Extortion email
Further to our discussion at the Ministry yesterday. As I explained to the Minister and
yourself, I am not convinced this was a data breach. The data is obviously not from a
boat and is almost certainly just test data.
It is possible it came from the CSA system, but I think the ‘hackers’ would have included
a more convincing set of data if they had it.
I am therefore downgrading the incident from level 4 (Severe) to level 1 (Minor)
and have asked Juna Spertulo, an apprentice cyber technician, to investigate it as a
training exercise.
She is to pick her own Incident Response Team and treat the matter as a level 3 (Serious)
cyber security breach.
Juna has almost completed her training and I think this is a good opportunity for her to
show what she can do.
Please arrange the usual third-party review of her work.
2. The email
From: [email protected] 28/12/2025, 14:59
To: [email protected]
Subject: You have been pwned
Yesterday we hacked your shiny, new system at the Cefurbo Sailing Academy during a
sailing trial.
We copied the diagnostics data from the boats. It’s in the attached file so you know this
is real.
Imagine how the international sailing community would react if they knew. You might
have trouble at the opening event.
Don’t worry, it’s all fixable for a low price. Just send $50000 in Bitcoin to our wallet,
bc1d43UNd54eXiGm0qEM0h6r4h8n634to9jtp186es, and we’ll tell you how we
did it.
Hurry, the price will rise if you don’t take advantage of our early settlement offer.
The Pwnbears.
3. Data table
All speeds shown in meters per second.
Time stamp   True heading        True speed   Speed relative   Wind angle relative   Wind speed relative
             Degrees   Minutes   of boat      to water         to boat heading       to boat
2512271406   295       35        12.1         11.5              24                   14
2512271407   297       42        12.2         11.3              22                   16
2512271408   330       42        13.5         11.2             −13                   17
2512271409   342       42        13.2         11.2             −25                   17
2512271410   359       59        13.6         11.2             −39                   18
2512271411   360       42        13.8         11.2             −39                   18
2512271412   359       61        13.2         11.2             −40                   18
2512271413   0         0         14           11.1             −40                   18
2512271414   0         01        14.1         11.1             −42                   18
2512271415   5         50        13.9         11.1             −51                   160
2512271416   36        22        141          11.0             −80                   15
2512271417   40        31        13.5         12.9             −92                   16
4. Juna Spertulo’s report
Incident TR20251229-01/3
Author: Juna Spertulo, Acting Computer Security Incident Response Team
(CSIRT) Leader.
Date: 31st December 2025
Terms of reference
The investigation is a training exercise, based on a level 1 incident at the Ministry of
Sport, Incident number SP202251228-01/4. It is to be treated as a level 3 event.
Cibero Estro, Senior Systems Testing Manager, will be the supervisor.
The investigation will start immediately, 09:30 on 29th December 2025, and be
completed by 18:00 on 31st December 2025.
Introduction
The incident was reported on 28th December 2025, to Cibero Estro by the Ministry
of Sport.
Mr Estro and Mr D’Ordino, the CSA Project Manager, met the Minister and were shown
an email and some data. The data was claimed to be race diagnostics information, taken
from the CSA system.
Mr Estro examined the data and concluded that it was (i) only test data, and therefore
not confidential, (ii) the incident was level 1 and probably an attempt to scare the
Minister into paying.
The CSA is not yet operational and does not have a CSIRT or a specific Incident
Management Policy. For this investigation, a template policy from the Ministry of Sport
has been adapted. (see evidence item 6).
As the incident may involve 5G telecoms and remote telemetry, a communications
expert, Sendrata Fakulo, has been asked to help. Miss Fakulo works with the Varma Loko
Sailing Team and is an expert on telemetry and data processing.
A trainee technician, Plej Nova, has also been co-opted.
The investigation
The email: (see evidence item 2). Mr Nova was tasked with looking at three items. The
name Pwnbears, the address onedayonlymail.com, and the bitcoin wallet.
The data table: (see evidence item 3). Miss Fakulo was asked to look at the data table
and comment on its authenticity and how it might have been intercepted.
The CSA system: The Team Leader, Miss Spertulo, looked at the CSA system to identify
any weaknesses and possible routes for data theft.
The results
The email:
Mr Nova reported that Pwnbears is not known to the Varma Loko Cyber Security Service.
He suggests it may be an attempt to link to known groups who include bear or bears in
their names but there is no further evidence of that.
The email address is a throwaway, from a US-based company. As suggested by the
name, it expires after 24 hours and the company claims it does not keep logs. Mr Nova
looked at US law and thinks that government intervention would be needed to stand
any chance of getting any further information.
The bitcoin wallet exists and uses the common Segwit format but has never been used
for a transaction and the owner is therefore untraceable.
The data table:
Miss Fakulo reported that it is impossible for the data to be from the sailing trial on the
27th. The timestamps match but the data is obviously wrong.
She suggests it may be test data, with altered timestamps, but it could just be made up.
CSA diagnostic and analysis software is available to teams but most use their own
versions. Miss Fakulo explains that the data table resembles a screen view from
the diagnostic software used during testing but is missing several columns at the
right-hand side.
She also noted that the data file is far too small to be one of the test files being used.
Actual telemetry is sent over 5G, which uses SHA256 encryption. It is possible, but
unlikely, that a test transmission could have been sent before the encryption was
configured. This would have been in late November, while the system was being set up.
The CSA system:
I looked at the CSA network (see evidence item 5). I noted that the 5G tower feeds
directly to the IT centre and can only be accessed via the Admin LAN.
The data is held on virtual servers, one for each team. These have been extensively
tested. The default configuration is for each team to have a server, a database and
office software.
I inspected the test configurations log and noted that a strong password was
always required to access a team’s data. It is possible that a password was reused or
misconfigured during the testing phase, but an attacker would have had to be present
at the time to take advantage.
Several gigabytes of test data were available, but I was unable to match the material
from the data table.
Conclusions
The email:
The use of ‘bear’ in the name could infer a connection to a known group. I think the
demand for money in US dollars ($50000 in Bitcoin) and the use of a US email company
points to the attackers being North America-based.
The data table:
This looks like CSA test data, although it could not be confirmed. The changing of
timestamps and possibly other items may have prevented a match being found.
Having the same columns as those of the diagnostic software confirms that the data
has been taken from the CSA system. The incompleteness of the data indicates that the
theft was very limited or somehow interrupted.
The failure of the attackers to include more complete data indicates that the attack was
a one-off, and they could not repeat the process.
The CSA system:
I helped set up the CSA network and could see that the network diagram (see evidence
item 5) is accurate in terms of devices and connections, but does not show the
physical layout.
The IT and administration centres have 24-hour security and a card access system.
The indoor training facilities are open to visitors on guided tours, but the PCs used
to access the virtual servers must be enabled from the IT centre. This is only done for
testing, training or events.
I believe this indicates that the data was most likely to have been taken during a tour
or training event. This would explain the limited amount of data, as it would have been
difficult for someone to spend a long time unobserved.
In conclusion, I think the data theft was opportunistic, very limited, and carried out by
someone from North America, probably visiting as a tourist.
To prevent a similar incident, visitors should be more closely supervised and any PCs
that might show sensitive data should be positioned to restrict visibility of their screens.
5. Network diagram
6. Cyber security document incident management policy
Incident management team
The Computer Security Incident Response Team (CSIRT) shall consist of:
Team Leader, Juna Spertulo: [email protected]
Trainee technician, Plej Nova: [email protected]
Communications expert, Sendrata Fakulo: [email protected]
Training supervisor, Cibero Estro: [email protected]
Incident reporting
Any member of staff who considers that an IT-related security incident has occurred
must report it as soon as possible to the Team Leader.
Initially it may be reported verbally but this must be followed up by an email. It is the
responsibility of the CSIRT to maintain detailed documentation on the incident from
first report to final resolution.
Security incidents may include:
1. theft of IT equipment
2. theft of CSA data
3. unauthorised access to CSA IT systems
4. infection of CSA IT systems with malware.
Incident response procedures
(a) Theft of IT equipment
Theft of IT equipment is a very serious issue. Any thefts must be reported at once
to the CSIRT leader, initially a verbal report must be made followed up by email,
providing as much information as possible (location and type of equipment, when it
was last seen, etc).
The CSIRT Team Leader must ascertain if the item has actually been stolen (or if it is
just missing).
If the item is confirmed as stolen, the CSIRT Team Leader must inform the duty
manager and the CSA security department.
The CSIRT must prepare a report on the theft for the CSA finance department, and if
needed, justify the finances required to replace the stolen item.
(b) Theft of CSA data
Theft or loss of CSA data may occur in a number of different ways.
Any loss of CSA data must be reported at once to the CSIRT Team Leader, initially a
verbal report must be made followed up by email.
The CSIRT must investigate the loss and identify exactly what data has been lost or
stolen and when the incident occurred.
Having identified what has been lost or stolen and when the CSIRT must retrieve
backups and restore the data as soon as possible.
The CSIRT should review the incident and implement procedures to prevent
future losses.
(c) Infection of CSA IT systems with malware
Any member of staff who suspects that any IT system has been infected with
malware must report it at once to the CSIRT Team Leader, initially a verbal report
must be made and followed up by email.
The infected system should be shut down as soon as possible.
The CSIRT will investigate the infection and take appropriate measures to resolve the
infection and restore the system.
(d) Unauthorised access to CSA systems
Any member of staff who suspects that there has been unauthorised access to any
CSA IT system must report it at once to the CSIRT Team Leader, providing as much
detail as possible (which system, how access was obtained). Initially a verbal report
must be made, followed up by email.
The CSIRT will thoroughly investigate the incident and identify how the
unauthorised access was obtained.
The CSIRT will recommend action to prevent future occurrences (e.g.
change passwords).
Part B Set Task
You must complete ALL activities within the set task.
Produce your documents using a computer.
Save your documents in your folder ready for submission using the formats and
naming conventions indicated.
Read the set task brief carefully before you begin and note that reading time is
included in the overall assessment time.
You have been advising Viro on cyber security. Now they have asked you to review the
investigation of a cyber security incident.
Activity 4: Forensic incident analysis
Analyse the forensic evidence, including how the evidence was obtained, for the cyber
security incident at CSA.
Consider possible causes of the incident and come to a conclusion about the most likely
cause of the incident.
Refer to evidence items 1–5 inclusive.
Produce a forensic incident analysis using the template Forensic_Analysis.rtf
Save your completed forensic incident analysis as a PDF in your folder for submission as
activity4_incidentanalysis_[Registration number #]_[surname]_[first letter of
first name]
You are advised to spend 2 hours on this activity.
(Total for Activity 4 = 14 marks)
Activity 5: Security report
Review the incident. Suggest improvements and explain how they would prevent a
similar incident in the future.
Areas for improvement are:
adherence to forensic procedures
the forensic procedure and current security protection measures
the security documentation.
Read the set task brief and evidence items 1–6 inclusive when answering the question.
Save your completed security report as a PDF in your folder for submission as
activity5_securityreport_[Registration number #]_[surname]_[first letter of
first name]
You are advised to spend 2 hours on this activity.
(Total for Activity 5 = 20 marks)
TOTAL FOR TECHNICAL LANGUAGE IN PART B = 3 MARKS
TOTAL FOR PART B = 37 MARKS
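Evidence item 4 reports that the wallet address in the extortion email "uses the common Segwit format". That is a claim a reviewer can test offline, because SegWit addresses follow a published encoding (BIP-173 bech32 for witness version 0, BIP-350 bech32m for versions 1 to 16) with a fixed character set, a case rule and a checksum. The script below is an added example, not part of the set task or of any CSA document: it implements those decoding rules and runs them against the address exactly as printed in evidence item 2, with the BIP-173 P2WPKH test vector as a control. It checks format only; whether an address exists on the chain or has ever received a transaction needs blockchain data and is not something this code asserts.

```python
"""Format check for the Bitcoin address quoted in evidence item 2.

Added example for reviewing Mr Nova's claim; not part of the set task.  Implements the
BIP-173 (bech32) / BIP-350 (bech32m) address rules so the claim that the wallet
'uses the common Segwit format' can be tested without network access.
"""

# Charset, generator and checksum constants are fixed by BIP-173 and BIP-350.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST = 1            # required for witness version 0
BECH32M_CONST = 0x2BC830A3  # required for witness versions 1 to 16

# Address exactly as printed in the extortion email (evidence item 2).
EMAIL_ADDRESS = "bc1d43UNd54eXiGm0qEM0h6r4h8n634to9jtp186es"
# Control case: the BIP-173 test vector for a valid mainnet P2WPKH address.
KNOWN_GOOD = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"


def polymod(values):
    """BIP-173 checksum polynomial over 5-bit symbols."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def hrp_expand(hrp):
    """Expand the human-readable part as BIP-173 requires before checksumming."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits):
    """Regroup 5-bit symbols into bytes without padding; None if the bit count is invalid."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def check_segwit_address(addr, expected_hrp="bc"):
    """Return (ok, detail): detail names the first rule that fails, or describes the output."""
    if addr.lower() != addr and addr.upper() != addr:
        return False, "mixed upper and lower case is forbidden by BIP-173"
    addr = addr.lower()
    if not 8 <= len(addr) <= 90:
        return False, "length must be between 8 and 90 characters"
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr):
        return False, "separator '1' missing or checksum too short"
    hrp, data_part = addr[:sep], addr[sep + 1:]
    if hrp != expected_hrp:
        return False, f"human-readable part {hrp!r} is not {expected_hrp!r}"
    if any(c not in CHARSET for c in data_part):
        return False, "data part contains characters outside the bech32 charset"
    data = [CHARSET.index(c) for c in data_part]
    const = polymod(hrp_expand(hrp) + data)
    if const not in (BECH32_CONST, BECH32M_CONST):
        return False, "checksum mismatch"
    version, program = data[0], convertbits(data[1:-6], 5, 8)
    if version > 16 or program is None or not 2 <= len(program) <= 40:
        return False, "witness version or program length is invalid"
    if version == 0 and (const != BECH32_CONST or len(program) not in (20, 32)):
        return False, "version 0 program must be bech32-encoded and 20 or 32 bytes"
    if version > 0 and const != BECH32M_CONST:
        return False, "version 1+ program must be bech32m-encoded"
    return True, {"witness_version": version, "program_hex": bytes(program).hex()}


if __name__ == "__main__":
    for label, a in (("email", EMAIL_ADDRESS), ("control", KNOWN_GOOD)):
        ok, detail = check_segwit_address(a)
        print(f"{label}: {'valid' if ok else 'INVALID'} - {detail}")
```

Run as printed, the control address decodes to a version 0, 20-byte program, while the address from the email is rejected at the first rule: it mixes upper and lower case, which no bech32 or bech32m address can do. A review of Activity 4 would note that the "exists and uses the common Segwit format" finding is not consistent with the address as it appears in the evidence, and ask how Mr Nova checked it.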

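Evidence item 4 also records Miss Fakulo's view that "the timestamps match but the data is obviously wrong" without saying which checks were run. The script below is an added example, not part of the set task or of any CSA document: it takes the twelve rows transcribed from the data table in evidence item 3, reads the timestamps as YYMMDDHHMM (so 2512271406 is 27 December 2025, 14:06, the day before the email), and applies the kind of plausibility checks a reviewer would want to see recorded. The field ranges (a heading of 0 to 359 degrees and 0 to 59 minutes, a wind angle of −180 to 180) and the outlier rule (a speed more than three times its column median) are the reviewer's assumptions, not limits the report states.

```python
"""Plausibility checks over the telemetry rows in evidence item 3.

Added example for reviewing the investigation; not part of the set task.  The rows are
transcribed from the printed table; the range limits and outlier rule are assumptions.
"""
from datetime import datetime, timedelta
from statistics import median

# Transcribed from evidence item 3: (timestamp, heading deg, heading min, true speed,
# speed relative to water, wind angle, wind speed).  Speeds in m/s as the table states.
EVIDENCE_ROWS = [
    ("2512271406", 295, 35, 12.1, 11.5, 24, 14),
    ("2512271407", 297, 42, 12.2, 11.3, 22, 16),
    ("2512271408", 330, 42, 13.5, 11.2, -13, 17),
    ("2512271409", 342, 42, 13.2, 11.2, -25, 17),
    ("2512271410", 359, 59, 13.6, 11.2, -39, 18),
    ("2512271411", 360, 42, 13.8, 11.2, -39, 18),
    ("2512271412", 359, 61, 13.2, 11.2, -40, 18),
    ("2512271413", 0, 0, 14.0, 11.1, -40, 18),
    ("2512271414", 0, 1, 14.1, 11.1, -42, 18),
    ("2512271415", 5, 50, 13.9, 11.1, -51, 160),
    ("2512271416", 36, 22, 141.0, 11.0, -80, 15),
    ("2512271417", 40, 31, 13.5, 12.9, -92, 16),
]
FIELDS = ("timestamp", "heading_deg", "heading_min", "true_speed",
          "water_speed", "wind_angle", "wind_speed")

# Assumed hard limits (inclusive) for fields with a fixed physical range.
RANGES = {"heading_deg": (0, 359), "heading_min": (0, 59), "wind_angle": (-180, 180)}
# Assumed outlier rule for the speed columns.
SPEED_FIELDS = ("true_speed", "water_speed", "wind_speed")


def parse_timestamp(ts):
    """Timestamps are YYMMDDHHMM: '2512271406' -> 2025-12-27 14:06."""
    return datetime.strptime(ts, "%y%m%d%H%M")


def trial_dates(rows):
    """Calendar dates covered by the rows, to compare with the date the email claims."""
    return sorted({parse_timestamp(r[0]).date().isoformat() for r in rows})


def flag_anomalies(rows, outlier_factor=3.0):
    """Return (timestamp, field, value, reason) for every row that fails a check."""
    findings = []
    # 1. Timestamps must parse and advance by exactly one minute per row.
    previous = None
    for row in rows:
        ts = parse_timestamp(row[0])
        if previous is not None and ts - previous != timedelta(minutes=1):
            findings.append((row[0], "timestamp", row[0], "gap or reorder in one-minute series"))
        previous = ts
    # 2. Fields with a fixed physical range.
    for row in rows:
        for name, (lo, hi) in RANGES.items():
            value = row[FIELDS.index(name)]
            if not lo <= value <= hi:
                findings.append((row[0], name, value, f"outside {lo}..{hi}"))
    # 3. Speed columns: a value far above its own column median is implausible for a
    #    boat or the wind over a one-minute interval.
    for name in SPEED_FIELDS:
        idx = FIELDS.index(name)
        med = median(r[idx] for r in rows)
        for row in rows:
            if row[idx] > outlier_factor * med:
                findings.append((row[0], name, row[idx],
                                 f"more than {outlier_factor}x column median {med}"))
    return findings


if __name__ == "__main__":
    print("dates covered:", trial_dates(EVIDENCE_ROWS))
    for ts, field, value, reason in flag_anomalies(EVIDENCE_ROWS):
        print(f"{ts} {field}={value}: {reason}")
```

On the rows as printed, the timestamps all fall on 27 December 2025 and form an unbroken one-minute series, which is the "timestamps match" part of the finding. Four values fail the checks: a heading of 360 degrees at 14:11, a heading minutes value of 61 at 14:12, a wind speed of 160 m/s at 14:15 and a boat speed of 141 m/s at 14:16. Recording checks of this kind, with the thresholds used, is what turns "obviously wrong" into evidence a third party can reproduce.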