BIT 3102 INFORMATION SYSTEMS SECURITY AND CRYPTOGRAPHY KCA Past Paper

UNIVERSITY EXAMINATIONS: 2011/2012
THIRD YEAR EXAMINATION FOR THE BACHELOR OF
SCIENCE IN INFORMATION TECHNOLOGY
BIT 3102 INFORMATION SYSTEMS SECURITY AND
CRYPTOGRAPHY
DATE: JULY, 2012    TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO

QUESTION ONE
a) State any four reasons why physical security is needed. (4 Marks)
b) Session hijacking can be either active or passive in nature, depending on the
degree of involvement of the attacker in the attack. Explain briefly these two
types of session hijacking. (4 Marks)
c) There are many different types of Trojans, which can be grouped into main
categories. However, it is usually difficult to classify a Trojan into a single group,
as Trojans often have traits that would place them in multiple categories. Describe
briefly any three categories that outline the main types of Trojan. (6 Marks)
d) A brute force attack is a type of password attack that uses exhaustive trial-and-
error methods to find legitimate authentication credentials. State four factors
on which the difficulty of a brute force attack depends. (4 Marks)
e) The Gartner Group notes six human behaviours that lead to a positive response to social
engineering. Explain briefly these human behaviours. (6 Marks)
f) Explain how the following attack tools operate:
i. Spyware (2 Marks)
ii. Keystroke logger (2 Marks)
iii. Rootkit (2 Marks)
QUESTION TWO
a) Describe how public key cryptography solves the key management problem
experienced in symmetric key cryptography. (4 Marks)
b) Describe briefly the features of the following cryptographic algorithms:
i. RC4 (2 Marks)
ii. RC5 (2 Marks)
iii. Blowfish (2 Marks)
c) State five things that Secure Shell (SSH) protects against. (5 Marks)
d) Explain briefly five things that PGP is basically used for. (5 Marks)
QUESTION THREE
a) i. Describe the two types of automated vulnerability scanners. (4 Marks)
ii. What are the limitations of vulnerability scanning software? (3 Marks)
b) i. A web application can be composed of many layers of functionality.
However, it is generally considered a three-layer architecture. Briefly describe each
of these layers. (3 Marks)
ii. Exploitative behaviour, as demonstrated by hackers, can take many forms.
Explain any five of these exploitative forms. (5 Marks)
c) Explain the following terminologies as used in information systems security:
i. Sniffing (1 Mark)
ii. Shoulder surfing (1 Mark)
iii. Dumpster diving (1 Mark)
iv. Social engineering (1 Mark)
v. Security perimeter (1 Mark)
QUESTION FOUR
a) Networks can be protected from attacks by using different mechanisms to
prevent or identify the attacks as they occur. Describe briefly the following
network security mechanisms:
i. Firewall (2 Marks)
ii. ACL (2 Marks)
iii. IDS (2 Marks)
b) A single point of failure is any device, circuit, or process that causes the
unavailability of data upon failure, thus requiring consistent maintenance and
redundancy. Explain briefly how the following points of failure are dealt with:
i. Disks (2 Marks)
ii. Servers (2 Marks)
iii. Routers (2 Marks)
c) i. How is a sensitivity profile developed, and what is its benefit?
(2 Marks)
ii. How can you address the major considerations of sensitivity profiling for
job positions? (2 Marks)
d) Information technology has been advancing at an unprecedented rate. Not
surprisingly, law enforcement has been left behind, especially at the local and
national level. Explain any four reasons for this. (4 Marks)
QUESTION FIVE
a) Discuss briefly any four factors that can increase or decrease the level of impact a
threat may have on an enterprise and its assets. (4 Marks)
b) Outline any two advantages and two disadvantages associated with the use of
digital signatures. (4 Marks)
c) State four reasons for performing a risk analysis. (4 Marks)
d) i. In a non-electronic banking scenario, a customer, A, may write
instructions to his bank to transfer funds from his account to another
customer B’s account. A third party (messenger) delivers the instructions
to the bank. Explain the integrity and authentication concerns in this
scheme and how they are typically addressed. (5 Marks)
ii. In an electronic banking scenario, and considering the transaction
described above, explain the integrity and authentication concerns and
their cryptography-based solutions. (3 Marks)