Q01
i. Define following terms with examples.
a. Security Attack
Any action that compromises the security of information owned by an
organization (3 marks)
b. Security Service
Something that enhances the security of the data processing systems and
the information transfers of an organization
Intended to counter security attacks
Make use of one or more security mechanisms to provide the service
Replicate functions normally associated with physical documents (3 marks)
c. Security Mechanism
A mechanism that is designed to detect, prevent, or recover from a security
attack (3 marks)
** Any answer given by students which contains the above idea is acceptable
iii. Explain how each of the above attacks is launched and the impact of them to
information systems/networks.
Both attacks are launched using specialized tools developed specifically for the
purpose of attacking.
Passive attacks do not damage the network/information system. The attacker uses
passive attacks to gather information on the target network or information system.
On gathering a sufficient amount of information, he launches an active attack which
will cause substantial damage
(3 marks)
iv. Give 3 examples for each of the above categories
Passive : Traffic analysis
Electronic eavesdropping
Wiretapping
Software that causes damage to computers and related devices, making them
malfunction, is categorized as malicious software
ii. What are the differences between spyware and adware? (4 marks)
Spyware aims at tracing and tracking users' actions and data
Adware is more focused towards posting commercial advertisements on
users' systems
iii. “Computer viruses are very harmful types of software created by persons who have
excellent knowledge in the field of Computer Science.” Do you agree with this
statement? Justify your answer (5 marks)
Yes, I agree.
To create computer viruses a person should have excellent knowledge of the
functionality and structure of all computer-related devices and their coordination
within computer systems. Therefore the people who create viruses are
certainly experts with bad intentions
iv. “An Intrusion detection system (IDS) may be considered a more effective way of
handling security threats than a virus guard” A security expert expressed this idea to
one of his clients. Give reasons for your approval or disapproval with his opinion
(8 marks)
An intrusion detection system is more of a proactive strategy for tackling possible
threats to an information system. It is capable of scanning the environment of the
information system and picking up possible suspicious actions that may turn into
serious threats. A virus guard can only pick up one type of threat within the
system. Therefore an intrusion detection system provides security over a wider area
than a virus guard
Q03
i. What is X-800 Security Architecture?
A security architecture for OSI that defines a systematic way of defining and
providing security requirements (3 marks)
b. Perimeter defence
Network Perimeter Defense refers to the information security whereby it
can provide enterprise-class protection and compliance for businesses of
any size.
c. Bastion host
highly secure host system
potentially exposed to "hostile" elements
hence is secured to withstand this
may support 2 or more net connections
may be trusted to enforce trusted separation between network
connections
runs circuit / application level gateways
or provides externally accessible services (2x3 marks)
(8 marks)
v. What is meant by “configuring a firewall”?
Configuring means setting up the firewall with the parameters and settings
required by the organization, to provide sufficient protection for its information,
information system and network (2 marks)
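As an added illustration of what "the parameters and settings required by the organization" amount to in practice (this example is not part of the marking scheme), the following Python models a packet filter whose policy is an ordered list of rules ending in a default deny. The addresses (192.0.2.0/24 is the RFC 5737 documentation range, 10.0.0.0/8 stands in for the internal network), the rule fields and the sample packets are all constructed assumptions for the example; a real firewall's rule syntax differs, but the first-match evaluation and the trailing default deny are the points an organization's configuration must get right.

```python
# Added example: a first-match packet filter with a default-deny policy.
# Not a real firewall; the rule format and addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # None means any port
    proto: str             # "tcp", "udp" or "any"

    def matches(self, p: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.proto == "any" or self.proto == p.proto)
        )


# Constructed organizational policy (assumption): one public web server,
# administrative SSH only from the internal network, everything else denied.
POLICY: List[Rule] = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443, "tcp"),   # public HTTPS
    Rule("allow", "10.0.0.0/8", "192.0.2.0/24", 22, "tcp"),    # internal SSH
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, "any"),       # default deny
]


def decide(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins; with no match the packet is denied anyway."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def ends_with_default_deny(policy: List[Rule]) -> bool:
    """Configuration check: the last rule must deny all traffic from anywhere."""
    if not policy:
        return False
    last = policy[-1]
    return (
        last.action == "deny"
        and ip_network(last.src).prefixlen == 0
        and ip_network(last.dst).prefixlen == 0
        and last.dport is None
        and last.proto == "any"
    )


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 443, "tcp"),  # internet -> web
        Packet("198.51.100.7", "192.0.2.10", 22, "tcp"),   # internet -> ssh
        Packet("10.1.2.3", "192.0.2.10", 22, "tcp"),       # internal -> ssh
    ]
    for s in samples:
        print(s, "->", decide(POLICY, s))
    print("default deny present:", ends_with_default_deny(POLICY))
```

Evaluating order matters: moving the deny rule to the top would block everything, and omitting it would leave the decision to whatever the device does by default, which is exactly the "parameter required by the organization" that configuration is meant to pin down.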
Q05
i.
a. What is the meaning of “Authentication” in information security?
Assuring that an entity is exactly who/what it claims to be
(2 marks)
b. Briefly explain the 3 basic authentication models.
What user has – an authenticated user can be verified using an
identification number, a smart card or a password the user has with him
What user knows – verifying the user by some information he knows: a
PIN, password, etc.
What user is – verifying using one of the user's biological characteristics:
iris, retina, fingerprint, DNA, etc. (6 marks)
c. What is the basic security requirement addressed by Authentication of
information?
Integrity
(2 marks)
ii.
a. Compare and contrast Symmetric and Asymmetric Encryption.
Symmetric
- conventional / private-key / single-key
- sender and recipient share a common key
- all classical encryption algorithms are private-key
- was the only type prior to the invention of public-key in the 1970's
- key should be sent over to the recipient before communication
- key is bulky
- encryption and decryption both done by the same key
Asymmetric
- sender and receiver both have 2 types of keys – public key and private key
- public key is known by all the members of the system
- private key of each member is known to the member only
- private key is generated using the public key algorithms purchased from
  an independent certification authority
- not necessary to send over the key to the receiver
- if encrypted using the public key, decryption should be done using the
  private key and vice-versa
(6 marks)
b. What are the differences between Block Ciphers and Stream Ciphers?
block ciphers process messages in blocks, each of which is then
en/decrypted
like a substitution on very big characters
64 bits or more
stream ciphers process messages a bit or byte at a time when
en/decrypting
many current ciphers are block ciphers
hence are the focus of the course
(4 marks)
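To make the block/stream distinction concrete, here is an added Python example (not part of the answer key) using two deliberately toy, insecure transformations: a "block cipher" that can only act on whole 8-byte (64-bit) blocks and therefore needs padding, and a "stream cipher" that XORs the message with a keystream one byte at a time and never needs padding. The keystream is derived from SHA-256 of the key and a counter purely for the demonstration; the key, messages and block function are constructed assumptions. The last function also shows the classic stream-cipher failure mode: reusing a keystream leaks the XOR of the two plaintexts.

```python
# Added example: block-wise vs byte-wise processing with TOY ciphers.
# Neither transformation is secure; they exist only to show the structure.
import hashlib

BLOCK_SIZE = 8  # bytes, i.e. the "64 bits or more" of the answer above


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the length becomes a multiple of BLOCK_SIZE."""
    n = BLOCK_SIZE - (len(data) % BLOCK_SIZE)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    """Strip and validate the padding added by pad()."""
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK_SIZE or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _block_key(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()[:BLOCK_SIZE]


def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """TOY: XOR one whole block with a key-derived block, then reverse it.
    A real block cipher is a much stronger keyed permutation of the block."""
    assert len(block) == BLOCK_SIZE
    return bytes(b ^ k for b, k in zip(block, _block_key(key)))[::-1]


def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    assert len(block) == BLOCK_SIZE
    return bytes(b ^ k for b, k in zip(block[::-1], _block_key(key)))


def block_encrypt(msg: bytes, key: bytes) -> bytes:
    """Whole-message encryption: pad, then transform block by block."""
    p = pad(msg)
    return b"".join(
        toy_block_encrypt(p[i:i + BLOCK_SIZE], key)
        for i in range(0, len(p), BLOCK_SIZE)
    )


def block_decrypt(ct: bytes, key: bytes) -> bytes:
    if len(ct) % BLOCK_SIZE:
        raise ValueError("ciphertext is not a whole number of blocks")
    p = b"".join(
        toy_block_decrypt(ct[i:i + BLOCK_SIZE], key)
        for i in range(0, len(ct), BLOCK_SIZE)
    )
    return unpad(p)


def keystream(key: bytes, length: int) -> bytes:
    """TOY keystream: SHA-256(key || counter) concatenated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_crypt(data: bytes, key: bytes) -> bytes:
    """Byte-at-a-time XOR; the same call encrypts and decrypts, no padding."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bool:
    """Failure mode: with the same keystream, c1 XOR c2 == m1 XOR m2, so the
    keystream cancels and an observer learns the XOR of the plaintexts."""
    c1, c2 = stream_crypt(m1, key), stream_crypt(m2, key)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    key = b"constructed demo key"
    msg = b"13 bytes here"
    print(len(block_encrypt(msg, key)), "bytes of block ciphertext (padded)")
    print(len(stream_crypt(msg, key)), "bytes of stream ciphertext (no padding)")
```

The length difference is the visible consequence of the two designs: the block version grows to the next multiple of 8 bytes, while the stream version stays at 13 bytes. Real deployments use standard block ciphers in a proper mode of operation and never reuse a keystream, which is why the last function returns True.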
Q06
i.
a. Hashing is a mathematical technique, used to assure a certain essential
information security requirement. What is that?
Information integrity (2 marks)
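A worked illustration of hashing as an integrity check, added here and not part of the marking scheme: a SHA-256 digest is recorded for a message, and verification recomputes the digest over whatever was received. Flipping a single bit of the message changes the digest completely, so any modification in transit is detected. The message and the bit position are constructed inputs for the example; the comparison uses the standard library's constant-time compare.

```python
# Added example: SHA-256 as an integrity check (standard library only).
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Hex SHA-256 digest of the data, the value a sender would record."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest over the received data and compare it with the
    recorded one in constant time."""
    return hmac.compare_digest(digest(data), expected_hex)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Constructed tampering: invert exactly one bit of the message."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    original = b"Transfer 100 to account 42"   # constructed sample message
    recorded = digest(original)
    tampered = flip_one_bit(original, 5)
    print("original verifies:", integrity_ok(original, recorded))
    print("tampered verifies:", integrity_ok(tampered, recorded))
    print("digest bits changed by one flipped message bit:",
          differing_bits(recorded, digest(tampered)))
```

Note that a plain hash only proves the data matches the recorded digest; if an attacker can replace the digest along with the data, a keyed construction (an HMAC) or a signature is needed, which is why digests are normally protected separately.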
ii.
a. What is a “Digital Certificate”? Why is it needed?
A digital certificate is the legal document awarded to users of public key
algorithms, authorizing them to communicate using the keys
It gives users the proper legal authority to use public key algorithms to protect
their information in communicating with external parties (6 marks)
Q07
Write short notes on 5 (FIVE) of the following topics (4x5 marks)
v. Substitution Ciphers
One of the techniques used to encrypt information, making it unintelligible to
unauthorized users. In this cipher, letters of plaintext are replaced by other letters
or by numbers or symbols
If plaintext is viewed as a sequence of bits, then substitution involves replacing
plaintext bit patterns with ciphered text bit patterns
Caesar cipher is one of the widest used substitution ciphers at present
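The following Python example is added here to show the substitution described above in working form; it is not part of the answer key. A general monoalphabetic substitution is a fixed mapping from the plain alphabet to a cipher alphabet, and the Caesar cipher is the special case where the cipher alphabet is the plain alphabet rotated by a fixed shift. The plaintext and the example substitution key are constructed inputs. The last function lists all 25 possible Caesar decryptions of a ciphertext, which is the standard way of showing why such a small key space gives no real secrecy.

```python
# Added example: monoalphabetic substitution with Caesar as a special case.
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase


def caesar_alphabet(shift: int) -> str:
    """Cipher alphabet for a Caesar cipher: the plain alphabet rotated by shift."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def is_valid_key(cipher_alphabet: str) -> bool:
    """A substitution key must be a permutation of the 26 letters."""
    return sorted(cipher_alphabet) == list(ALPHABET)


def encrypt(plaintext: str, cipher_alphabet: str) -> str:
    """Replace each letter by the letter at the same position in the cipher
    alphabet; non-letters (spaces, digits) pass through unchanged."""
    if not is_valid_key(cipher_alphabet):
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    table = str.maketrans(ALPHABET, cipher_alphabet)
    return plaintext.upper().translate(table)


def decrypt(ciphertext: str, cipher_alphabet: str) -> str:
    """Apply the inverse mapping."""
    if not is_valid_key(cipher_alphabet):
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    table = str.maketrans(cipher_alphabet, ALPHABET)
    return ciphertext.upper().translate(table)


def caesar_candidates(ciphertext: str) -> List[Tuple[int, str]]:
    """Every possible Caesar decryption: there are only 25 non-trivial shifts,
    so an exhaustive trial is immediate. This is the cipher's weakness."""
    return [(s, decrypt(ciphertext, caesar_alphabet(s))) for s in range(1, 26)]


if __name__ == "__main__":
    plaintext = "ATTACK AT DAWN"                 # constructed sample
    key3 = caesar_alphabet(3)                    # classic shift of 3
    ct = encrypt(plaintext, key3)
    print(ct)                                    # DWWDFN DW GDZQ
    print(decrypt(ct, key3))
    for shift, candidate in caesar_candidates(ct):
        print(shift, candidate)
    random_key = "QWERTYUIOPASDFGHJKLZXCVBNM"     # constructed general key
    print(encrypt("HELLO", random_key), decrypt(encrypt("HELLO", random_key), random_key))
```

A general substitution has 26! keys, far too many to try one by one, but it preserves letter frequencies, so it falls to frequency analysis rather than exhaustive search; the Caesar case is weaker still because the key is a single shift.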
For example, a layer that provides error-free communications across a network provides
the path needed by applications above it, while it calls the next lower layer to send and
receive packets that make up the contents of the path. Conceptually two instances at one
layer are connected by a horizontal protocol connection on that layer
** The answers given are simple guidelines to the topics given. Any acceptable facts outside
the information given here, written by students can be accepted as correct answers and
marks awarded accordingly
Q08
Organizations grant employees access to their information systems, based on the role they
play within the organization and the nature of the work they handle. They use access control
software to grant access to the information system and other resources
i. Why is access control necessary? (2 marks)
iv. “Lack of ethics and good faith in modern “Digital Society” has given rise to
concerns such as Non-repudiation and made a “Digital Monster” out of it” Do you
agree with the above statement? Give reasons for your answer. (6 marks)
Yes I agree.
Regardless of the numerous security measures we can impose on information, the
ethics and good faith of the employees and citizens of the society matter most to
the well-being of the modern digital society. The technology will always be
dependent on the users to some extent. Therefore citizens of the society always
have a greater responsibility to safeguard them
Steganography is the art and science of writing hidden messages in such a way that no
one, apart from the sender and intended recipient, suspects the existence of the message,
a form of security through obscurity.
Generally, messages will appear to be something else: images, articles, shopping lists, or
some other cover text and, classically, the hidden message may be in invisible ink between
the visible lines of a private letter.
The advantage of steganography over cryptography alone is that messages do not attract
attention to themselves. Plainly visible encrypted messages—no matter how unbreakable
—will arouse suspicion, and may in themselves be incriminating in countries where
encryption is illegal.
Therefore, whereas cryptography protects the contents of a message, steganography can
be said to protect both messages and communicating parties.
Steganography includes the concealment of information within computer files. In digital
steganography, electronic communications may include steganographic coding inside of
a transport layer, such as a document file, image file, program or protocol. Media files
are ideal for steganographic transmission because of their large size. As a simple
example, a sender might start with an innocuous image file and adjust the color of every
100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not
specifically looking for it is unlikely to notice it.
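The "every 100th pixel" scheme in the last paragraph, worked through in Python as an added example that is not part of the original notes. The cover image is a constructed list of 8-bit grayscale values rather than a real image file, the message is constructed, and the encoding convention (letter index A=0..Z=25 written into the low five bits of every 100th pixel, with 26 as an end marker) is an assumption chosen so that the example is self-contained. The helper at the end measures how small the per-pixel change is, which is the property that makes the alteration easy to miss by eye.

```python
# Added example: hiding letters in every 100th pixel of a grayscale cover.
# The cover "image" is a constructed list of 0..255 values, not a file.
from typing import List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
STRIDE = 100          # use every 100th pixel, as in the text
MASK = 0b11111        # low five bits hold a letter index (0..25)
END_MARK = 26         # any value >= 26 in a slot ends the message


def make_cover(width: int, height: int) -> List[int]:
    """Constructed cover: a smooth diagonal gradient of grayscale values."""
    return [((x + y) * 3) % 256 for y in range(height) for x in range(width)]


def embed(pixels: List[int], message: str) -> List[int]:
    """Write the message letters (non-letters dropped) into the low bits of
    every STRIDE-th pixel, followed by an end marker."""
    letters = [ALPHABET.index(c) for c in message.upper() if c in ALPHABET]
    letters.append(END_MARK)
    slots = range(0, len(pixels), STRIDE)
    if len(letters) > len(slots):
        raise ValueError("cover image too small for this message")
    stego = list(pixels)
    for pos, value in zip(slots, letters):
        stego[pos] = (stego[pos] & ~MASK) | value   # keep high bits, set low 5
    return stego


def extract(pixels: List[int]) -> str:
    """Read every STRIDE-th pixel until the end marker (or a non-letter value)."""
    letters = []
    for pos in range(0, len(pixels), STRIDE):
        value = pixels[pos] & MASK
        if value >= END_MARK:
            break
        letters.append(ALPHABET[value])
    return "".join(letters)


def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """Largest change to any single pixel; bounded by MASK (31 of 255)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def untouched_pixels_unchanged(cover: List[int], stego: List[int]) -> bool:
    """Every pixel that is not a message slot is identical in both images."""
    return all(a == b for i, (a, b) in enumerate(zip(cover, stego)) if i % STRIDE)


if __name__ == "__main__":
    cover = make_cover(100, 40)            # 4000 pixels -> 40 letter slots
    stego = embed(cover, "MEET AT NOON")   # constructed hidden message
    print(extract(stego))                  # MEETATNOON
    print("max per-pixel change:", max_pixel_change(cover, stego))
```

Because only the low bits of a few pixels change, the stego image looks identical to the cover; the flip side for defenders is that such schemes are detectable by comparing against the original cover or by statistical tests on the low-order bits, since the embedded values do not follow the image's natural noise.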
END