UNIVERSITY EXAMINATIONS: 2014/2015
ORDINARY EXAMINATION FOR THE BACHELOR OF SCIENCE
IN INFORMATION TECHNOLOGY
BIT 3102 INFORMATION SYSTEMS SECURITY AND CRYPTOGRAPHY
DATE: DECEMBER, 2014 TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO
QUESTION ONE
a) Define the following terminologies:
(i) Nonrepudiation (Non-repudiation) (1 Mark)
(ii) Privacy (1 Mark)
(iii) Trapdoor (1 Mark)
(iv) Shoulder surfing (1 Mark)
(v) Dumpster diving (1 Mark)
b) A firm security implementation plan can be launched and established using a
series of best practices. State any five of these best practices. (5 Marks)
c) Scanning is one of the most important phases of intelligence gathering for an
attacker. In the scanning phase, the attacker tries to find out various ways to
intrude into the target system. Discuss the three types of scanning that are used.
(6 Marks)
d) A brute force attack is a type of password attack that uses exhaustive trial and
error methods to find legitimate authentication credentials. State four issues
on which the difficulty of a brute force attack depends. (4 Marks)
e) Describe how public key cryptography solves the key management problem
experienced in symmetric key cryptography. (4 Marks)
f) Explain how the following attack tools operate:
(i) Spyware (2 Marks)
(ii) Keystroke logger (2 Marks)
(iii) Rootkit (2 Marks)
QUESTION TWO
a) In public key encryption, compare and contrast the RSA and Diffie-Hellman
algorithms. (7 Marks)
b) With the aid of diagrams explain how the DES algorithm operates. (8 Marks)
c) Describe how public key encryption is used to establish the authenticity of a
message that is exchanged between two parties, say Alice and Bob. (5 Marks)
QUESTION THREE
a) Describe any FIVE major considerations you must take into account when choosing
the security design that will secure an organization’s data. (5 Marks)
b) In the last few years, customers have been turning to Managed Security Service
(MSS) providers in growing numbers. That growth reflects a general increase in
IT outsourcing.
(i) Outline any four common motivations for companies to seek outside
security help. (4 Marks)
(ii) Explain briefly any four categories of Managed Security Services.
(4 Marks)
c) Access control services implementation is required for all systems, regardless of
the access control system type. Once the access control rules are provided and implemented, the system must then limit access based on those rules. List the five
steps involved in implementing access control services. (5 Marks)
d) Differentiate between cryptanalysis and cryptology. (2 Marks)
QUESTION FOUR
a) Discuss in detail three common applications of digital signatures. (6 Marks)
b) With the aid of examples, explain the following access control types:
(i) Compensation access controls (3 Marks)
(ii) Administrative access controls (3 Marks)
c) (i) What is Kerberos? (2 Marks)
(ii) Describe the Kerberos logon process. (6 Marks)
QUESTION FIVE
a) New employees in sensitive jobs should sign employment agreements with nondisclosure provisions. Explain briefly any six specifications for this agreement.
(6 Marks)
b) Discuss any four design principles for secure systems. (8 Marks)
c) A data backup is a second copy of data captured at a point in time and stored in a
secure area as a precautionary safeguard in case of a disaster. Backups can use a
variety of media copy mechanisms and different methods for selecting the data to
back up. These variables affect the amount of data stored and the amount of time
and media required for the backup. Describe the following data backup schemes:
(i) Incremental backup (2 Marks)
(ii) Differential backup (2 Marks)
(iii) Remote journaling (2 Marks)