UNIVERSITY EXAMINATIONS: 2014/2015
ORDINARY EXAMINATION FOR THE BACHELOR OF SCIENCE
IN INFORMATION TECHNOLOGY
BIT 3102 BBIT 301 INFORMATION SYSTEMS SECURITY AND
CRYPTOGRAPHY NETWORK SECURITY
DATE: APRIL, 2015 TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO
QUESTION ONE
a) Define the following terminologies:
(i) Social engineering (1 Mark)
(ii) Virus (1 Mark)
(iii) Logic Bomb (1 Mark)
(iv) Sheep dip computer (1 Mark)
(v) Keylogger (1 Mark)
b) Access controls are necessary to protect the confidentiality, integrity,
and availability of objects (and by extension, their information and data). In
this regard describe the following types of access control.
(i) Preventive access control (2 Marks)
(ii) Corrective access controls (2 Marks)
(iii) Compensation access control (2 Marks)
c) Discuss how hashing is used in password protection. (4 Marks)
d) Outline four categories of computer fraud. (4 Marks)
e) Describe how secret key encryption is used in protecting pay TV transmissions.
(6 Marks)
f) Outline briefly any five important factors to consider when choosing a firewall
solution. (5 Marks)
QUESTION TWO
a) There are two ways to encrypt a hard drive: at the file level and at the driver level.
Discuss. (5 Marks)
b) There are many different factors that should be considered when managing
cryptographic keys. Explain any four of these factors. (4 Marks)
c) Discuss the security of public key algorithms (7 Marks)
d) State any four weaknesses that compromise cryptographic algorithms. (4 Marks)
QUESTION THREE
a) Discuss four developments that have led to an increase in computer fraud
(4 Marks)
b) The use of cryptography facilitates the provision of a secure service. Many of the
disjointed situations represent scenarios that the man in the street encounters
almost every day, but probably does not appreciate either the security risks or
the role played by encryption. In this particular case we focus on a cash
withdrawal from an ATM machine.
(i) When someone makes a cash withdrawal from an Automated Telling
Machine (ATM), they need to produce a plastic, magnetic stripe card and
have knowledge of the associated PIN. The customer places their card in
the ATM slot and enters their PIN. They then enter the amount requested
for withdrawal. In a typical transaction, what does the system need to
check? (2 Marks)
(ii) The ATM sends the card details and PIN to the host computer, and the
response message either authorizes the transaction or refuses it. Clearly
these communications need protection. Although the amount of a
withdrawal may not be secret, what is important about the amount
dispensed at the machine? (1 Mark)
(iii) Banks are understandably nervous about the possibility of an ATM paying
out on the same positive response message more than once. What is
required in this regard? (1 Mark)
(iv) All banks instruct their customers to keep their PINs secret as anyone who
knows the correct PIN can use a stolen or lost card. Clearly the banks must
ensure that the PIN is not compromised within their system and so the PIN
is encrypted during transmission and on the database that is used for
checking the validity of the PIN. The algorithm used for this process is
DES in ECB mode. Since DES encrypts 64-bit blocks and PINs are,
typically, only four digits, how do they ensure that the block is properly
encrypted? (1 Mark)
(v) How do they ensure that anyone who gains access to encrypted PIN blocks
would be able to identify customers who share the same PINs?
(2 Marks)
(vi) This use of encryption prevents the PIN being exposed to eavesdroppers
who intercept the communications between the ATM and the host
computer. They also prevent PINs from being read by personnel who have
access to the bank’s database. However, encryption cannot prevent a
fraudster guessing someone’s PIN. Anyone who finds or steals a plastic
card can enter it into an ATM and try a lucky guess. Since there can be at
most 10,000 four-digit PINs, the chances of a successful guess are not
ridiculously small. In recognition of this, how is this problem dealt with in
most ATMs? (1 Mark)
c) Let’s assume that there are two parties A (Alice ) and B (Bob), who exchange a finite
number of messages:
| |
| M1 |
| ———————>|
| M2 |
A| <——————– | B
| M3 |
| ———————>|
| M4 |
| <——————- |
| |.
A starts the protocol by sending a message to B, M1. B replies with M2, etc. We
assume that message N+1 is not sent until message N has been received and
understood. During or after the exchange of the messages what do we need to be
sure of? (4 Marks)
d) In general, it is not possible to satisfy the beliefs in (c) above until the protocol
has completed its exchange. The contents of the messages can be verified for their
integrity in a number of ways.
(i) How do we ensure that no-one has messed with the messages in transit?
(2 Marks)
(ii) We must also verify that the message is not just a replay of an older
message which someone picked up by snooping on the network. List two
methods used to verify this. (2 Marks)
QUESTION FOUR
a) Discuss any three major reasons why cybersecurity is considered a “hard,
multifaceted problem”. (6 Marks)
b) The Information Security Officer (ISO) is charged with providing support for
expected governance activities. To support the governance responsibilities of the
Board, the ISO is required to perform many different functions and assume
numerous roles in the organization. Describe any six of these functions.
(6 Marks)
c) Audit logs can be generated at the system level to record a number of activities.
State any eight activities that are recorded by audit logs. (4 Marks)
d) Even when everyone acknowledges that a computer crime has been committed,
computer crime is hard to prosecute. State four reasons why it is hard to
prosecute computer crimes. (4 Marks)
QUESTION FIVE
a) Discuss briefly any four factors can increase or decrease the level of impact a
threat may have on an enterprise and its assets. (4 Marks)
b). State any four reasons why physical security is needed. (4 Marks)
c) Describe briefly any five IDS categories. (5 Marks)
d) Define the following terminologies:
(i) Penetration testing (1 Mark)
(ii) Recovery Point Objective (RPO) (1 Mark)
(iii) Recovery Time Objective (RTO) (1 Mark)
(iv) Business Continuity Plan (BCP) (1 Mark)
(v) Business Impact Analysis (BIA) (1 Mark)
e) Describe the Biba security model. (2 Marks)
