UNIVERSITY EXAMINATIONS: 2013/2014
ORDINARY EXAMINATION FOR THE BACHELOR OF SCIENCE
IN INFORMATION TECHNOLOGY
BIT 3102 INFORMATION SYSTEMS SECURITY AND
CRYPTOGRAPHY DISTANCE LEARNING
DATE: AUGUST, 2014 TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO
QUESTION ONE
a) Explain the basic essential steps of public key encryption. (5 Marks)
b) With the aid of relevant examples, describe what three types of information can
be used to authenticate a user. (6 Marks)
c) Networks are subject to a number of different attacks that jeopardize their ability
to support confidentiality, integrity, and availability. Describe the following
network attacks:
(i) Denial of Service (DoS) (2 Marks)
(ii) Spam (2 Marks)
(iii)` Malicious code (2 Marks)
d) (i) What benefits does the security principle known as job rotation provide?
(2 Marks)
(ii) How is a sensitivity profiling developed and what is the benefit?
(3 Marks)
e) Define the following terminologies as used in information systems security:
(i) Trojan horse (1 Mark)
(ii) Trapdoor (1 Mark)
(iii) Principle of Adequate Protection (1 Mark)
(iv) Encryption (1 Mark)
f) Even when everyone acknowledges that a computer crime has been committed,
computer crime is hard to prosecute. State four reasons why it is hard to
prosecute computer crimes. (4 Marks)
QUESTION TWO
a) There are many different factors that should be considered when managing
cryptographic keys. Explain any six of these factors. (6 Marks)
b) There are many available symmetric encryption algorithms. Describe briefly any
four of these algorithms. (4 Marks)
c) Access control services implementation is required for all systems, regardless of
the access control system type. Once the access control rules are provided and
implemented, the system must then limit access based on those rules. Describe the
steps involved in implementing access control services. (5 Marks)
d) Describe briefly five ways in which cryptographic algorithms are compromise.
(5 Marks)
QUESTION THREE
a) (i) Browsing, leakage and inference are threats to the secrecy of data. Discuss
in detail how each of these threats are realized. (6 Marks)
(ii) Two threat classifications that fit into neither inegrity nor secrecy
categories are masquerading and Denial of Service (DoS). Discuss briefly
these two threats. (4 Marks)
b) Discuss briefly any five access control attacks that are directed against people.
(5 Marks)
c) Starting as British Standard (BS) 7799, then BS 17799, and renamed International
Organization for Standardization (ISO) International Electrotechnical
Commission (IEC) 27002, the ISO 27002 document is the current international
standard for information systems security. State any five areas that this document
provides guidance on. (5 Marks)
QUESTION FOUR
a) Most security protocols today have been upgraded from their initial versions to
provide increased protection, or have used other protocols to encapsulate their
data in a secure envelope. Describe briefly the following protocols:
(i) SSL (2 Marks)
(ii) TLS (2 Marks)
(iii) HTTPS (2 Marks)
b) Networks can be protected from attacks by using different mechanisms to prevent
or identify the attacks as they occur. Describe the following network security
mechanisms:
(i) ACL (2 Marks)
(ii) Firewall (2 Marks)
(iii) IDS (2 Marks)
(iv) IPS (2 Marks)
c) Discuss how hashing is used in password protection. (4 Marks)
d) After one-way hashing encryption transforms cleartext into ciphertext, what is the
result? (2 Marks)
QUESTION FIVE
a) Intellectual property law protects the rights of ownership of ideas, trademarks,
patents, and copyrights, including the owners’ right to transfer intellectual
property and receive compensation for the transfer. Describe the following as
defined under the Intellectual Property Law:
(i) Patent (1 Mark)
(ii) Trademark (1 Mark)
(iii) Copyright (1 Mark)
(iv) Trade secret (1 Mark)
(v) Privacy (1 Mark)
b) (i) You work for a large multi-national corporation. As the chief security
officer, you have been asked to chair the Business Continuity Planning
(BCP) advisory team for the company headquarters. Who might you invite
to join the team? (3Marks)
(ii) The advisory committee has met for its monthly meeting and you have left
the meeting with a beta-level draft of the BCP. You have been charged
with evaluating the BCP prior to implementation. What are some
examples of items that you will be evaluating? (5 Marks)
c) Audit logs can be generated at the system level to record a number of activities.
State any eight activities that are recorded by audit logs. (4 Marks)
d) How can public-key encryption support secrecy? How can it support integrity?
(3 Marks)
