UNIVERSITY EXAMINATIONS: 2011/2012
EXAMINATION FOR THE BACHELOR OF SCIENCE IN
INFORMATION TECHNOLOGY
BIT 3102 INFORMATION SYSTEMS SECURITY AND
CRYPTOGRAPHY
DATE: AUGUST, 2013 TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO
QUESTION ONE
a) Define the following computer security terms:
(i) cryptanalysis (1 Mark)
(ii) known plaintext attack (1 Mark)
(iii) chosen plaintext attack (1 Mark)
(iv) Cryptography (1 Mark)
(v) dictionary attack (1 Mark)
b) Explain briefly the following data access principles:
(i) Least privilege (2 Marks)
(ii) Separation of Duties (SoD) (2 Marks)
c) Describe the working of a Trojan. (6 Marks)
d) Security models provide guidelines and frameworks for implementing security
policies to protect the confidentiality, integrity, and availability of information on
devices or networks. In this regard, discuss the following security models:
(i) Lattice Model (2 Marks)
(ii) Bell-LaPadula (BLP) Model (3 Marks)
e) Discuss the hash function and its role in information security. (6 Marks)
f) State any four layers of operational functionality that are contained in a strong
security process. (4 Marks)
QUESTION TWO
a) To be effective, a risk analysis process must be accepted as part of the business
process of the enterprise. Identifying a threat is just the first part of the analysis
phase. It is also necessary to determine just how vulnerable the enterprise is to
that threat. There are a number of factors that impact a threat. There are nearly as
many factors affecting the threat and its impact on the enterprise as there are
threats. Discuss briefly any six factors that can increase or decrease the level of impact
a threat may have on an enterprise and its assets. (6 Marks)
b) Given that the majority of security problems are internal to the organization, it
is incumbent upon management to review system administration policies and
procedures at least once a year to ensure required security levels are being
followed. Obtaining a third party audit and certification of the processes is also
a prudent approach. State any five specific items to note in administrative
security policies. (5 Marks)
c) The goal of an IT risk management organization should be to ensure potential
risks are identified and assessed and, where the business considers it necessary, to
implement controls that mitigate the potential impact of the risk. State five ways in
which this is achieved. (5 Marks)
d) The response to the introduction of risk can result in one of four decisions.
Explain briefly each of the four possible decisions. (4 Marks)
QUESTION THREE
The first domain of a certified information security manager (CISM) is information
security governance. This job practice area establishes and maintains a set of policies
and procedures to ensure that information security strategies are aligned with business
goals and objectives. It also defines the roles and responsibilities of the Board of
Directors and executive management with regard to information security. In addition, it
helps them accomplish several key activities, such as achieving the organization’s
information security goals and objectives, formulating a strategic direction for
information security activities, ensuring efficient utilization of information resources,
and managing risks related to information security.
a) You’re meeting with the IT team to review the organization’s information
security policies and procedures. Answer the following questions to explain the
points to be discussed:
(i) What are the two aspects of information security that a CISM needs to
understand? (2 Marks)
(ii) What are the initial four tasks in the information security governance job
practice area? (4 Marks)
(iii) Which five tasks are needed to establish an effective information security
governance structure? (5 Marks)
b) With the aid of examples, briefly explain the following types of access control:
(i) Compensation access control (2 Marks)
(ii) Directive access control (2 Marks)
(iii) Administrative access controls (2 Marks)
c) Describe the three primary authentication factor types. (3 Marks)
QUESTION FOUR
a) Cryptography is the study of the mathematical algorithms and functions used to
secure messages. These algorithms fall into two camps: restricted and open.
(i) Differentiate between open and restricted algorithms (2 Marks)
(ii) Explain which of the above two kinds of algorithm is preferable and why you
would choose it. (4 Marks)
b) Discuss how a certification authority, a digital certificate and a hash function work
together to create a secure means of communication. (7 Marks)
c) In public key encryption, compare and contrast the RSA and Diffie-Hellman
algorithms. (7 Marks)
QUESTION FIVE
a) You have been assigned the role of security consultant for an organization that
uses computers for its day-to-day operations. Your first task is to prepare a
defence plan for this organization with a view to securing the organization's data.
Describe any FIVE major considerations you must take into account when
choosing the design. (10 Marks)
b) There are several standardized data backup methods. Describe the following types
of backup:
(i) Full backup (1 Mark)
(ii) Incremental backup (1 Mark)
(iii) Differential backup (1 Mark)
(iv) Remote journaling (1 Mark)
(v) Electronic vaulting (1 Mark)
c) Describe briefly any five design principles for secure systems. (5 Marks)