UNIVERSITY EXAMINATIONS 2018
EXAMINATION FOR THE DEGREE OF BACHELOR OF APPLIED
BAC5110 NETWORK SECURITY
FULL TIME/PART TIME
DATE: DECEMBER, 2018 TIME: 2 HOURS
INSTRUCTIONS: Answer Question One & ANY OTHER TWO questions.
QUESTION ONE [30 MARKS]
a) State any five top cloud security threats. 5 Marks
b) State any four techniques used for wireless networks security. 4 Marks
c) Explain any five ways in which cryptographic algorithms are compromised.
d) Explain how the Diffie-Hellman key exchange algorithm works between two parties, say
Alice and Bob. 7 Marks
e) State the properties exhibited by modular arithmetic. 3 Marks
f) Using the properties of congruence and modular arithmetic, find:
(i) 177 mod 19 3 Marks
(ii) 139 mod 17 3 Marks
QUESTION TWO [20 MARKS]
a) Describe how secret key encryption is used in protecting pay TV transmissions.
b) Explain how the Key Distribution Centre (KDC) works. 4 Marks
c) The use of cryptography facilitates the provision of a secure service. Many everyday
situations represent scenarios that the man in the street encounters almost daily, but in which he
probably does not appreciate either the security risks or the role played by encryption. In this
particular case we focus on a cash withdrawal from an ATM.
(i) When someone makes a cash withdrawal from an Automated Teller Machine
(ATM), they need to produce a plastic, magnetic stripe card and have knowledge of the
associated PIN. The customer places their card in the ATM slot and enters their PIN.
They then enter the amount requested for withdrawal. In a typical transaction, what does
the system need to check? 2 Marks
(ii) The ATM sends the card details and PIN to the host computer, and the response
message either authorizes the transaction or refuses it. Clearly these communications
need protection. Although the amount of a withdrawal may not be secret, what is
important about the amount dispensed at the machine? 1 Mark
(iii) Banks are understandably nervous about the possibility of an ATM paying out on
the same positive response message more than once. What is required in this regard?
(iv) All banks instruct their customers to keep their PINs secret as anyone who knows
the correct PIN can use a stolen or lost card. Clearly the banks must ensure that the PIN is
not compromised within their system and so the PIN is encrypted during transmission
and on the database that is used for checking the validity of the PIN. The algorithm used
for this process is DES in ECB mode. Since DES encrypts 64-bit blocks and PINs are,
typically, only four digits, how do they ensure that the block is properly encrypted?
(v) How do they ensure that anyone who gains access to encrypted PIN blocks would
not be able to identify customers who share the same PINs? 2 Marks
(vi) This use of encryption prevents the PIN being exposed to eavesdroppers who
intercept the communications between the ATM and the host computer. It also
prevents PINs from being read by personnel who have access to the bank’s database.
However, encryption cannot prevent a fraudster guessing someone’s PIN. Anyone who
finds or steals a plastic card can enter it into an ATM and try a lucky guess. Since there
can be at most 10,000 four-digit PINs, the chances of a successful guess are not
ridiculously small. In recognition of this, how is this problem dealt with in most ATMs?
QUESTION THREE [20 MARKS]
a) State any five different ways in which malware can get into a system. 5 Marks
b) Prior to the widespread use of smartphones, the dominant paradigm for computer
and network security in organizations was as follows. Corporate IT was tightly controlled.
User devices were typically limited to Windows PCs. Business applications were controlled by IT
and either run locally on endpoints or on physical servers in data centers. Network security was
based upon clearly defined perimeters that separated trusted internal networks from the untrusted
Internet. Today, each of these assumptions has changed massively. Discuss four
things an organization’s network must now accommodate. 8 Marks
c) (i) What is SQL injection? 1 Mark
(ii) Explain the information gathering stage of SQL injection methodology.
QUESTION FOUR [20 MARKS]
a) Defence in Depth is a security strategy in which several layers of protection are
placed throughout an information system. With the aid of a diagram, explain how this strategy
works. 8 Marks
b) Explain briefly the following cloud computing threats:
(i) Unknown risk profile 2 Marks
(ii) Abuse of cloud services 2 Marks
c) Discuss any four cloud computing security considerations. 4 Marks
d) Outline any four best practices for securing the cloud. 4 Marks
QUESTION FIVE [20 MARKS]
a) Discuss briefly any three major characteristics exhibited by most cyber criminals.
b) You’re meeting with the IT team to review the organization’s information security
policies and procedures. Answer the following questions on the points to be discussed:
(i) What are the initial four tasks in the information security governance job
practice area? 4 Marks
(ii) Which five tasks are needed to establish an effective information security
governance structure? 4 Marks
c) Discuss any three design principles for secure systems. 6 Marks