
CP2414 All Short Answer Questions

Network Security Short Answer notes.

Uploaded by

idjcu56

Short Answer Questions

Week 1

1. What is CIA Triad? Explain each of its elements.


① Confidentiality
1) Data confidentiality
Confidentiality is about preventing unauthorized access to
data/information.
2) Privacy
The concept of privacy refers to ensuring individuals have control
over what information related to them can be collected, stored, and
disclosed, and by whom.
Confidentiality is often achieved through encryption, access controls,
and other security measures.
② Integrity
1) Data integrity
This assures that information is changed only in a specified and
authorized manner. Data should remain consistent without
unauthorized alterations. Techniques to ensure data integrity
include checksums, hashes, and digital signatures.
2) System integrity
This assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation.
③ Availability
This principle assures that systems operate promptly and service is
not denied to authorized users. Data and services need to be
accessible when required, meaning that system uptime is
maximized and downtime is minimized.

2. Give 3 computer security challenges, explain why they are challenging, and
how to tackle the challenges.
• Cyber Attacks and Threats
Increasingly sophisticated forms of cyber threats, such as malware,
ransomware, phishing, and denial-of-service (DoS) attacks, and the speed at
which they evolve pose significant challenges for computer security.
Implement a multi-layered security approach that includes firewalls,
intrusion detection systems, and antivirus software. Regularly update and
patch systems to protect against known vulnerabilities. Educate users about
online safety.
• Insider Threats
Insider threats, whether malicious or accidental, are a significant
security challenge. Employees or other insiders may unintentionally expose
sensitive data through careless actions, or they may intentionally steal or
damage data.
Implement strict access control measures, ensuring that individuals can
only access the data necessary for their job roles. Provide regular training to
employees to enhance their awareness of security protocols and the
potential consequences of carelessness. Monitor user activities to detect
and respond quickly to any unusual or suspicious actions.
• Cloud Security
Data stored in the cloud can be accessed from anywhere, which
increases the potential attack surface. Additionally, organizations often lack
visibility and control over their data in the cloud.
Use encryption for data at rest and in transit. Implement strong user
authentication methods, such as two-factor or multi-factor authentication.
Establish clear policies regarding data management in the cloud.

3. What’s the difference between “threat” and “attack”?


Threat: A threat refers to a potential negative action or event facilitated by a
vulnerability that results in an unwanted impact on a computer system
or network. It's essentially a possible danger that might exploit a
weakness.
Attack: An attack, on the other hand, is an act where a hacker or a malicious
program exploits a vulnerability in a system to cause harm. It's the
realization of a threat, where the potential danger has been actualized.

4. What are the disadvantages of connectionless integrity service compared to
connection-oriented integrity service? Should you worry about these
advantages/disadvantages? Why or why not?

Connection-oriented services establish a dedicated connection between the
communicating entities for the duration of the communication session. In the
context of integrity services, this means that the system checks the integrity of
the entire communication session, ensuring that all data packets sent are
received and are in the correct order.

Connectionless services, on the other hand, treat each data packet
independently. Packets are sent individually and can take different routes to the
destination. Connectionless integrity service would provide a check on the integrity
of each individual packet, but not on the sequence or overall session.

• Packet Order: In a connectionless service, packets are sent individually and
may arrive out of order. Without the session check of a connection-oriented
service, there's no mechanism to ensure that the packets are reassembled in
the correct order.
• Missing Packets: In connection-oriented services, the system can detect if a
packet is missing from the sequence and request a retransmission.
Connectionless services typically lack this feature, so some packets might be
lost without detection.
• Session-Level Attacks: Without session checks, connectionless services might
be more vulnerable to certain types of attacks, such as replay attacks.
If you need to ensure the complete integrity of a sequence of communications,
then a connection-oriented service might be more suitable. However, connectionless
services can be faster and more flexible, as they don't require the establishment and
maintenance of a dedicated connection.
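
The difference can be seen by running the same delivered packets through both kinds of check. This is an added example, not part of the original notes; the packet layout (4-byte sequence number, payload, HMAC-SHA256 tag), the key and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # shared secret, constructed for this example
TAG_LEN = 32                    # size of an HMAC-SHA256 tag in bytes


def _tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def seal(seq: int, payload: bytes) -> bytes:
    """Build a packet: sequence number || payload || MAC over both."""
    body = struct.pack(">I", seq) + payload
    return body + _tag(body)


def _open(packet: bytes):
    """Return (seq, payload) if the MAC verifies, otherwise None."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]


def connectionless_check(packet: bytes) -> str:
    """Per-packet integrity only: the receiver keeps no memory of earlier packets."""
    return "accepted" if _open(packet) is not None else "rejected: bad MAC"


class SessionReceiver:
    """Connection-oriented integrity: the MAC check plus an expected sequence number."""

    def __init__(self):
        self.expected = 0

    def check(self, packet: bytes) -> str:
        opened = _open(packet)
        if opened is None:
            return "rejected: bad MAC"
        seq, _payload = opened
        if seq < self.expected:
            return "rejected: replay or duplicate"
        if seq > self.expected:
            # A real protocol would request retransmission at this point.
            return f"rejected: packet {self.expected} missing"
        self.expected += 1
        return "accepted"


def demo():
    """Deliver a constructed packet stream to both receivers and return their verdicts."""
    p0, p1, p2 = (seal(i, m) for i, m in enumerate([b"pay 10", b"to bob", b"today"]))
    tampered = p2[:4] + b"later" + p2[9:]   # payload changed in transit, old tag kept
    delivered = [p0, p0, p2, tampered]      # p0 repeated, p1 never arrives, p2 modified
    session = SessionReceiver()
    return ([connectionless_check(p) for p in delivered],
            [session.check(p) for p in delivered])


if __name__ == "__main__":
    per_packet, per_session = demo()
    for a, b in zip(per_packet, per_session):
        print(f"connectionless: {a:<20} connection-oriented: {b}")
```

Both receivers catch the modified payload, but only the session receiver notices the repeated packet and the missing one.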

5. Give 5 fundamental security design principles and explain each one of them
(do not copy from lecture slides or textbook – explain from your
understanding).
1. Least Privilege: Users and systems should only have the minimum levels of
access – or permissions – necessary to perform their tasks. This reduces the risk of an
attacker gaining elevated privileges or of an accidental misuse of privileges causing
extensive damage.

2. Defense in Depth (Layered Security): Defense in depth, or layered security,
involves creating multiple layers of defense that can independently resist attacks. If
one layer fails, the other layers continue to provide protection. For example, a
network might be protected with firewalls, intrusion detection systems, and strong
access controls.

3. Fail-Safe Defaults (Deny All): Access decisions should deny by default,
granting permission only when explicit permission is provided. If a system fails, it
should fail to a secure state where access is restricted.

4. Psychological Acceptability: Security mechanisms should not make the
resource more difficult to access. Security should not be so burdensome that users
find it hard to comply, which could lead to workarounds that compromise security.

5. Economy of Mechanism: This principle calls for keeping systems simple and
straightforward. A simple design is easier to test and secure, as complexity often
hides security flaws.

6. Open Design: The security of a system should not depend on the secrecy of
its design or implementation. It should be secure even if the attackers know how the
system works. The security should rely on publicly known and thoroughly tested
security mechanisms.

7. Complete Mediation: Every access to every resource must be checked for
permissions. The system should not rely on cached permissions or assume that a
previous check is sufficient for subsequent accesses.

8. Separation of Privilege: A system should not grant permission based on a single
condition. Instead, it should require multiple conditions to be met before granting
access or privileges, reducing the risk of a single point of failure.

9. Least Common Mechanism: The principle suggests minimizing the number of
mechanisms shared by different users and processes. Sharing increases the potential
of one user's actions negatively affecting others.

10. Isolation: Different processes and components of a system should be isolated
from each other. For instance, a failure in one area should not compromise the
security of another. This can be achieved through such measures as sandboxing,
virtualization, and maintaining separate execution environments.

11. Encapsulation: This is the principle of restricting the access to some of a
component's internal parts, which are not meant to be exposed to the rest of the
system. By encapsulating the details, only specified interfaces are allowed for
interaction with the component, protecting its integrity.

12. Modularity: The system should be composed of well-defined, independent
modules, so that each can be updated or checked for security without affecting
others. Modularity also enables easier security analysis by breaking down the system
into manageable pieces.

13. Least Astonishment: A user interface should behave in a way that users expect it
to, which means that programs and operations should perform in a manner
consistent with user expectations. This helps prevent users from making dangerous
mistakes that could lead to security breaches.

6. Explain the term “drive-by download”. How can attackers perform the
attack?
“Drive-by download” refers to the unintended download of malicious
software (malware) to a user's system — without consent. This also includes
unintentional downloads of any files or bundled software onto a computer
device.
An attacker performs a drive-by download attack generally by injecting
malicious code into a website, or by planting a malicious file as an attachment in
an email. When a user visits that website or opens the attachment in the email,
the code is automatically executed, which then downloads and installs malware
on the user's device without their knowledge.
7. What is SQL injection?
SQL Injection is an attack that enables attackers to manipulate the SQL
queries used by a web application to interact with its database. By injecting
malicious SQL commands into input fields, attackers can trick the application into
executing unintended commands, potentially allowing them to view, modify, or
delete data.

8. What is a session token? What is it used for?


A session token (or session ID) is a unique identifier that is generated and
sent from a server to a client to track the current interaction session. The client
usually stores this token, often in a cookie, and sends it back with each
subsequent request so the server can recognize and remember the client. A
session token is used as an authentication mechanism to check if the user is
legitimate.

9. What is Session Hijacking? Why would the attacker want to hijack a session
token?
Session hijacking is a type of attack where an attacker intercepts and steals
the session token from a user's communication with a server. Once the attacker
has the session token, they can use it to impersonate the user, gaining
unauthorized access to the server and its associated resources.
• Bypassing login mechanisms
• Access to unauthorized information
• Perform actions as the user

An attacker would want to hijack a session token for several reasons:


1. Access to unauthorized information: Once an attacker has a session token,
they can impersonate a user and gain access to any information that user can access.
This could include personal data, sensitive corporate information, or anything else
the user has access to.

2. Perform actions as the user: Not only can the attacker see what the user can
see, but they can do what the user can do. They could send messages, conduct
transactions, or perform any other actions as if they were the hijacked user.

3. Bypassing login mechanisms: By hijacking a session, the attacker can avoid
having to know the user's username and password, bypassing the login mechanism
entirely. This can allow them to gain access more quickly and with less likelihood of
detection.

Week 2

1. How can you prevent an SMTP server from sending “unable to deliver the
message” back to spammers (draw a diagram/picture if you’d like and explain)?
Why is it important to do so?
• Implementing Sender Verification: Only accept emails from known, valid
senders.
• Using Spam Filters: Detect and block spam before it enters your system, thus
avoiding Non-Delivery Reports (NDRs) for spam messages.
• Backscatter Protection: Tools that identify and filter bounce messages that were
not caused by your own system.
It is important to implement these measures to prevent spammers from confirming
that the email addresses they are targeting are valid. It also reduces the load on your
email servers and helps protect your domain reputation.

2. Is it recommended to install a spam filter on a POP3 server? Why or why not?


It is not recommended due to the potential for increased costs associated with
storage, transmission, backup, and deletion.

3. What is a Virtual Private Network (VPN)? And what are VPN concentrators?
A VPN is a technology that creates an encrypted connection over a less secure
network, typically the internet. It allows users to send and receive data across shared
or public networks as if their devices were directly connected to the private network.

A VPN concentrator is a networking device that provides secure creation of VPN
connections and delivery of messages between VPN nodes. It is used in creating a
secure tunnel between the client and the host.

4. What is a Demilitarised zone (DMZ)? Why would you want to employ it in a
network?
A DMZ is a sub-network that contains and exposes an organization's external services
to an untrusted network, usually the internet. The purpose of a DMZ is to add an
additional layer of security to an organization's internal network; an external attacker
only has access to the DMZ, rather than the internal network.

5. What is “port security”? What techniques can you use to protect the
ports?
Port security refers to the defense mechanisms used to protect network ports against
unauthorized access and threats. Techniques include:

• MAC Address Filtering: Restricting the devices that can connect to a network
based on their MAC address.
• Port-based Authentication: Using Port-Based Network Access Control (PNAC)
protocols like 802.1X to authenticate devices before granting access to the
network.
• Disabling Unused Ports: Physically disconnecting or administratively disabling
ports that are not in use.

6. Explain the term “Network Separation”.


Network separation involves segmenting a network into different sub-networks or
zones to improve security and manageability. This separation can limit the spread of
security breaches within a network by isolating different departments or types of
traffic.

7. What is flood guard? What kinds of attacks are associated with it?


Flood guard is a feature in many network security devices that is designed to prevent
or mitigate the effects of flood attacks, such as Distributed Denial of Service (DDoS)
attacks, which overwhelm a network with excessive traffic.

8. A company has asked for your opinion on their network infrastructure as follows:
• Its employees are to have access to their computing devices over the internet,
how would NAT technologies be used for that?
NAT for Remote Access: NAT (Network Address Translation) can be used to allow
employees to access their computing devices over the internet by translating public
IP addresses to private IP addresses and vice versa. This hides internal IP addresses,
adding a layer of security.

• In addition, the company employees’ desktop/devices are not located within their
department areas, as they may move among the different departments or floors if
the employees have more than one main duty. What would you think is the best
solution? Explain why the solution is recommended in relation to network security.
A Virtual LAN (VLAN) setup allows network administrators to group servers and
devices on separate VLANs as if they were on different physical networks, even if
the employees move physically. This maintains network security by segregating
traffic and reducing the potential for data leakage between departments.

Week 3

1. Who are misfeasors? Give some examples of their intrusion.


Misfeasors are individuals who have legitimate access to a system but misuse their privileges,
either intentionally or unintentionally. Examples of their intrusion include:

• An employee using their access to confidential data for personal gain.
• A system administrator running unauthorized software on company servers.
• An authorized user accessing file areas that are outside the scope of their job
requirements.

2. There are two ways to protect a password file. What are they? Explain.
Password file protection: There are several ways to protect a password file:

One-way function - Password Hashing: Instead of storing plaintext passwords, systems store
a cryptographic hash of the password. When a user enters their password, the system hashes
the input and compares it to the stored hash. This way, even if the password file is
compromised, the attacker cannot easily derive the original passwords.
Access control - File System Permissions: The password file should have strict permissions,
such that only necessary processes can read it. This limits the potential for unauthorized
access.

3. With regards to intrusion detection, explain these terminologies:
a. True positive
b. False positive
c. True negative
d. False negative
True Positive: A true positive is when the intrusion detection system (IDS) correctly identifies
an actual attack.
False Positive: A false positive is when the IDS incorrectly identifies legitimate activity as an
attack.
True Negative: A true negative is when the IDS correctly identifies that normal, legitimate
activity is not an attack.
False Negative: A false negative is when the IDS fails to identify an actual attack, incorrectly
classifying it as legitimate activity.

4. What is statistical anomaly detection?


Statistical Anomaly Detection: Statistical anomaly detection is an Intrusion Detection System
method that collects data of the behaviors of legitimate users over a period of time and uses
statistical models to define normal network or system behavior. Any significant deviation
from this baseline is considered anomalous and could signal an intrusion.

a. Threshold detection: This approach involves defining thresholds, independent of user, for
the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
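
The two approaches can disagree on the same observation. The sketch below is an added example, not part of the original notes; the baseline counts, the fixed threshold of 10 and the 3-standard-deviation limit are all assumed values chosen for illustration.

```python
from statistics import mean, stdev

# Constructed baseline: failed logins per day for each account over one week.
BASELINE = {
    "alice": [0, 1, 0, 0, 1, 0, 1],
    "batch-svc": [18, 22, 20, 19, 21, 20, 20],   # noisy service account
}
THRESHOLD = 10    # threshold detection: one limit for every user (assumed value)
Z_LIMIT = 3.0     # profile based: allowed deviation in standard deviations (assumed)
MIN_SIGMA = 0.5   # floor so a very quiet account does not alert on a single event


def threshold_alert(count: int) -> bool:
    """Threshold detection: same limit regardless of who the user is."""
    return count > THRESHOLD


def profile_alert(user: str, count: int) -> bool:
    """Profile based: compare today's count with this user's own history."""
    history = BASELINE[user]
    mu = mean(history)
    sigma = max(stdev(history), MIN_SIGMA)
    return abs(count - mu) / sigma > Z_LIMIT


def evaluate(observations: dict) -> dict:
    """Return both verdicts for each (user -> today's count) observation."""
    return {
        user: {"threshold": threshold_alert(count),
               "profile": profile_alert(user, count)}
        for user, count in observations.items()
    }


if __name__ == "__main__":
    # Constructed observations for one day.
    today = {"alice": 8, "batch-svc": 21}
    for user, verdict in evaluate(today).items():
        print(user, verdict)
```

With these numbers the fixed threshold misses the unusual day for `alice` and raises an alert on the service account's normal day, while the per-user profile does the opposite.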

5. What is rule-based Intrusion detection?


Rule-based intrusion detection, also known as signature-based detection, uses a set of rules
or attack patterns (signatures) that decides if a behavior is from an intruder. Observed
behaviors are compared against the rules to identify possible intrusions. If an event matches
a signature, an alert is generated.

6. What are honeypots?


A. What are the uses of them?
B. Give three possible locations to deploy them and also explain the advantages and
disadvantages of placing them in each of the three locations.
Honeypots: Honeypots are decoy systems designed to attract and distract attackers,
protecting real systems from attack and gathering information about the attacker's methods.

Uses: Honeypots can be used to distract attackers, gather intelligence about attack methods,
and help develop defenses against future attacks.

Deployment Locations and Pros/Cons:


• Network Perimeter (Outside the external firewall): Here, honeypots can attract
external attackers. The advantage is early detection of attacks, but the disadvantage is
potential exposure to a high volume of traffic and attacks.
• Internal Network: Honeypots here can detect attacks from within the organization. They
offer the advantage of detecting insider threats, but can be harder to manage and can
distract from perimeter defenses.
• Demilitarized Zone (DMZ): This area between the internal network and the external
network is often where public-facing servers are located. Honeypots here can help
protect these vulnerable systems, but they also face a high volume of attacks and can be
complex to manage.

7. What is the difference between “reactive” and “proactive” password checking?


• Reactive: This method checks passwords against dictionaries or known weak passwords
after they have been chosen by the user, usually in response to an attempted security
breach.
• Proactive: This involves enforcing password policies that require users to create
passwords meeting specific complexity criteria (length, character types, etc.) to prevent
the selection of weak passwords in the first place.

8. What is the purpose of using “salt” in the context of UNIX password management?
A salt is a random data string added to a password before it is hashed. The purpose is to
ensure that if two users have the same password, they will still have different password
hashes, thwarting rainbow table attacks and making it more difficult to crack passwords.
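
The effect of the salt, and the hash-and-compare login check described under password file protection in question 2, can be shown with a small password file. This is an added example, not part of the original notes; it uses PBKDF2 from Python's standard library rather than the UNIX crypt scheme, and the user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Plain hash with no salt: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_entry(password: str):
    """Create a password-file entry: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, entry) -> bool:
    """Re-hash the supplied password with the stored salt and compare."""
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def build_password_file(users: dict) -> dict:
    """Map each user name to its (salt, hash) entry."""
    return {name: new_entry(password) for name, password in users.items()}


if __name__ == "__main__":
    # Constructed users who happen to choose the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    table = build_password_file(users)

    same_unsalted = unsalted_hash(users["alice"]) == unsalted_hash(users["bob"])
    same_salted = table["alice"][1] == table["bob"][1]
    print("unsalted hashes equal:", same_unsalted)   # one lookup reveals both users
    print("salted hashes equal:  ", same_salted)
    print("alice logs in:", verify("correct horse", table["alice"]))
    print("wrong password:", verify("wrong horse", table["alice"]))
```

The salt is stored in the clear next to the hash; it does not need to be secret to make precomputed tables useless and to hide which users share a password.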

9. What is the difference between a packet filtering firewall and stateful inspection packet
firewall?
Packet Filtering Firewall vs Stateful Inspection Firewall:

Packet Filtering Firewall: This type of firewall inspects packets individually and makes allow
or deny decisions based on rules involving source and destination IP addresses, ports, and
protocols.
Stateful Inspection Firewall: Goes beyond packet filtering by keeping track of the state of
active connections and making decisions based on the context of the traffic (e.g., TCP
handshake completion), watching for legitimate initiated sessions and preventing unsolicited
packets from entering the network.

10. Explain the personal firewall in a home environment.


A personal firewall is a software application used to control network traffic to and from that
machine. It protects a single computer from unauthorized access. It monitors incoming and
outgoing traffic and can allow or block data packets based on a set of user-defined rules.

11. Explain distributed firewall configuration. Where can the firewalls be placed? Why are
they placed there?
Distributed Firewall Configuration refers to the implementation of firewall functionality
across multiple points within a network architecture rather than centralizing it at a single
point.

• Network Perimeter: Firewalls are placed at the network perimeter to control all
inbound and outbound network traffic, serving as a barrier that prevents external
threats from infiltrating the organization's internal systems.

• Outside the Internal Network: Firewalls positioned outside the internal network, but
still within the organization's overall network framework, are intended to safeguard the
internal network where critical assets and sensitive data reside.

• Within the Internal Network: Implementing firewalls within the internal network allows
for the creation of different security segments, containing potential security breaches to a
limited area.

Week 4

1. What are the 5 elements of a symmetric encryption scheme? Explain.


• Plaintext: The original readable message or data that is to be encrypted.
• Encryption Algorithm: The method used to transform the plaintext into ciphertext using the
key.
• Secret Key: A secret value that is used by the encryption algorithm and is shared between
the sender and receiver.
• Ciphertext: The scrambled and unreadable output of the encryption process.
• Decryption Algorithm: The method used to convert the ciphertext back into plaintext, using
the same secret key.

2. Explain the difference between a block cipher and a stream cipher in plain-text processing.
• Block Cipher: Encrypts data in fixed-size blocks (e.g., 128 or 256 bits) and requires padding if
the plaintext does not exactly fit the block size.
• Stream Cipher: Encrypts data one bit or byte at a time and is often used where data is
streamed continuously.

3. In cryptanalysis, given the types of attack below, explain what is known to a cryptanalyst for
each type of attack.
(a) Ciphertext only: The cryptanalyst has access only to the encryption algorithm and
the ciphertext to be decoded.

(b) Known plaintext: The cryptanalyst has access to the encryption algorithm, the
ciphertext to be decoded, and part of the plaintext and its corresponding ciphertext.

(c) Chosen plaintext: The cryptanalyst has access to the encryption algorithm, the
ciphertext to be decoded, and can choose arbitrary plaintext and obtain their corresponding
ciphertexts.

4. An encryption scheme is computationally secure if the ciphertext generated by the
scheme meets one or both of what criteria?
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the information.

5. Explain brute-force attack.


Involves trying every possible key until the correct key is found to decrypt the ciphertext. This
method is time-consuming and resource-intensive.

6. Briefly explain:
• Data Encryption Standard (DES): An older encryption algorithm that uses a 56-bit key. It is
now considered insecure due to its small key size and is rather slow.
• Triple DES (3DES): An enhancement to DES that applies the DES cipher algorithm three
times to each data block, using three keys for better security. Considered adequately secure
but very slow.

• Advanced Encryption Standard (AES): A widely used encryption standard that
supports key sizes of 128, 192, or 256 bits and is considered secure against brute-force
attacks.

7. What is the difference between random and pseudorandom numbers?


• Random numbers are generated from a physical source of randomness, such as atmospheric
noise, radioactive decay, or thermal noise.
• Pseudorandom numbers are generated by computational algorithms and can be predicted
or reproduced if the initial state or seed is known. They are faster and easier to implement
than a true random number generator (TRNG).

8. With regards to a sequence of random numbers, explain:


(a) Randomness: Refers to the lack of pattern in a sequence of numbers. Occurrence of
each element in the sequence is uniformly distributed (Uniform Distribution).

(b) Unpredictability: Means the inability to foresee the next number in a sequence. Each
element is independent of the other elements and cannot be inferred from previous elements.
This independence ensures unpredictability.

9. What are the advantages/disadvantages of triple DES?


• Advantages: More secure than single DES due to its longer effective key length, which makes
it resistant to brute-force attacks.
• Disadvantages: Slower than other encryption standards like AES because it applies the DES
algorithm three times, which can be computationally intensive.

Week 5

1. What are the differences between symmetric and asymmetric cryptography?


Symmetric cryptography uses a single key to both encrypt and decrypt
information. Both parties (sender and receiver) share this secret key. In contrast,
asymmetric cryptography uses a pair of keys: a public key to encrypt data and a
corresponding private key to decrypt it. The public key can be freely distributed,
while the private key remains confidential to its owner.

2. Is it possible to perform authentication solely by using symmetric encryption?
Explain.
While symmetric encryption alone does not inherently provide authentication,
when combined with message authentication algorithms like a hash function, it
can. The secret key would be used to create a Message Authentication Code
(MAC) or an encrypted hash of the message. This MAC or encrypted hash, when
verified by the recipient using the same secret key, ensures the message's
authenticity. However, the challenge is that both parties must securely share and
maintain the secret key, and the key must remain uncompromised for the
authentication to be reliable.

3. What is the problem with message authentication approaches that do not rely
on encryption?
Message confidentiality is not provided. As was mentioned, message encryption
by itself does not provide a secure form of authentication. However, it is possible to
combine authentication and confidentiality in a single algorithm by encrypting a
message plus its authentication tag.

4. Explain how to produce Message Authentication Code (MAC)?


A Message Authentication Code is created by applying a cryptographic hash
function to the combination of a message and a secret key. The resulting MAC is sent
along with the message. The receiver, using the same algorithm and the shared
secret key, performs the same operation on the received message and compares the
resulting MAC with the received MAC. If they match, the message is authenticated.

5. Explain one-way hash function/secure hash function.


A one-way hash function is a cryptographic algorithm that takes an input and
produces a fixed-size string of bytes, typically a hash value. It's designed to be a one-
way function, meaning that once data has been transformed into a hash, it is
infeasible to be reversed back to the original input.

6. What is a message digest?


A message digest is the result produced by running a message through a
cryptographic hash function. This digest is a unique representation of the original
message, used for verifying the message's integrity.

7. What is SHA?
SHA stands for Secure Hash Algorithm. It's a family of cryptographic hash
functions used to ensure data integrity. It was published by the National Institute of
Standards and Technology (NIST). Examples include SHA-1, SHA-256, and SHA-3.

8. What is the difference between MAC and HMAC?


HMAC specifically uses a cryptographic hash function in conjunction with a
secret key, providing an additional layer of security. A MAC does not necessarily apply
a hash function in the process.

9. What are the 6 elements of public-key encryption? Explain.


1. Plaintext: The original readable message.
2. Encryption algorithm: The method that transforms plaintext using the public key.
3. Public key: A key that is available to the public and is used for encryption.
4. Ciphertext: The unreadable output of the encryption process.
5. Private key: A key that is kept secret and is used for decryption.
6. Decryption algorithm: The method that transforms ciphertext back to plaintext
using the private key.

10. What are the uses of public-key cryptosystems?


1. Key Exchange for securely sharing a symmetric encryption key over a public
network.
2. Digital Signature for authenticity and non-repudiation
3. Encryption/Decryption

11. What is RSA? What are the possible attack approaches that can be done on
RSA? Explain.
RSA (Rivest-Shamir-Adleman) is a public-key scheme for secure data
transmission.
• Mathematical attacks: There are several approaches, all equivalent in effort to
factoring the product of two primes. The defense against mathematical attacks is
to use a large key size. Thus, the larger the number of bits, the better.

• Timing attacks: These depend on the running time of the decryption algorithm.
Various approaches to mask the time required so as to thwart attempts to
deduce key size have been suggested, such as introducing a random delay.

• Chosen ciphertext attacks: This type of attack exploits properties of the RSA
algorithm by selecting blocks of data that, when processed using the target’s
private key, yield information needed for cryptanalysis. These attacks can be
thwarted by suitable padding of the plaintext.

12. Briefly explain how Diffie-Hellman key exchange works.


Diffie-Hellman is a method of securely exchanging cryptographic keys over a
public network. Each party generates a public-private key pair and shares the public
key. They then use their own private key and the other party's public key to create a
shared secret key.
Here's a simplified explanation of how it works:

1. Each party generates a pair of keys - a private key which is kept secret, and a
public key which is shared openly. These keys are mathematically linked: operations
performed with one key can be undone or verified with the other key.

2. Each party shares their public key with the other party.

3. Upon receiving the other party's public key, each party combines this public
key with their own private key to compute a shared secret.

4. The shared secret is the same for both parties, and can be used as a
symmetric key for further encrypted communication.

13. Can key exchange protocol prevent a man-in-the-middle attack? Explain.


While key exchange protocols like Diffie-Hellman allow two parties to establish a
shared secret key, they do not inherently authenticate the participants. Therefore,
they're vulnerable to man-in-the-middle attacks where an attacker intercepts the key
exchange process and establishes separate keys with each party. Digital signatures
and public-key certificates can be used to mitigate this risk.
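
The exchange in questions 12 and 13, as an added Python example that is not part of the original notes: it runs Diffie-Hellman with and without an intermediary substituting public values, then shows a signed public value being rejected when it is substituted. The group (P, G), the toy textbook-RSA signature and all function names are assumptions chosen for readability and are unsuitable for real use.

```python
import hashlib
import secrets

# Toy public parameters (assumptions for this example, not for real use).
P = 2**127 - 1   # prime modulus
G = 3            # public base


def dh_keypair():
    """Return (private, public) with public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def dh_shared(own_private, peer_public):
    """Combine our private key with the peer's public value."""
    return pow(peer_public, own_private, P)


# Toy textbook-RSA signature, standing in for a certificate-backed signature.
def rsa_keypair(p=2**61 - 1, q=2**89 - 1, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (verify key, signing key)


def _digest(value, n):
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(signing_key, value):
    n, d = signing_key
    return pow(_digest(value, n), d, n)


def verify(verify_key, value, signature):
    n, e = verify_key
    return pow(signature, e, n) == _digest(value, n)


def plain_exchange(intercepted):
    """Unauthenticated DH. Returns (alice_key, bob_key, keys_held_in_the_middle)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not intercepted:
        return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub), set()
    m_priv, m_pub = dh_keypair()
    # Each side receives m_pub in place of the other party's public value,
    # and nothing in the protocol lets it notice.
    alice_key = dh_shared(a_priv, m_pub)
    bob_key = dh_shared(b_priv, m_pub)
    middle = {dh_shared(m_priv, a_pub), dh_shared(m_priv, b_pub)}
    return alice_key, bob_key, middle


def signed_exchange(intercepted):
    """Alice signs her DH value; Bob checks it against her known verify key."""
    alice_verify_key, alice_signing_key = rsa_keypair()
    a_priv, a_pub = dh_keypair()
    signature = sign(alice_signing_key, a_pub)
    b_priv, b_pub = dh_keypair()
    _, m_pub = dh_keypair()
    delivered = m_pub if intercepted else a_pub   # the signature travels unchanged
    if not verify(alice_verify_key, delivered, signature):
        return "rejected"
    match = dh_shared(b_priv, delivered) == dh_shared(a_priv, b_pub)
    return "accepted" if match else "mismatch"


if __name__ == "__main__":
    a, b, mid = plain_exchange(intercepted=True)
    print("keys agree:", a == b, "| both keys known in the middle:", {a, b} == mid)
    print("signed, untouched:", signed_exchange(False))
    print("signed, substituted:", signed_exchange(True))
```

Signing only the public value is the minimum needed to show the idea; real protocols also bind the signature to both parties' values and to fresh session data so that an old signed value cannot be reused.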

Week 6

1. Can message authentication and user authentication be used interchangeably?
Why or why not? Explain.
No, message authentication and user authentication cannot be used
interchangeably as they serve different purposes. Message authentication assures
that the message comes from a genuine source and has not been altered during
transmission. User authentication verifies the identity of a user.

2. What are the four general means of authenticating a user’s identity? Explain.

 What you know: Information that the user can memorize, such as passwords,
PINs, or answers to secret questions.
 What you have: Physical objects in the user's possession, such as smart cards,
tokens, or mobile phones used for authentication.
 What you are: Biometric characteristics of the user, such as fingerprints, facial
recognition, iris scans, or voice recognition.
 What you do: Behavioral biometrics, which include patterns in the way a user
types, uses a mouse, or other behavioral traits.

3. In symmetric key distribution, how is the permanent key used for distributing
session keys?
A permanent key, also known as a master key, is a secret key shared between
two parties or with a key distribution center (KDC). This key is used to encrypt and
securely distribute session keys. The session keys are then used for a limited time to
encrypt communications during a session. Once the session is over, the session key is
discarded, and a new one will be generated for future communications.

4. With regards to Kerberos, what are timestamp and lifetime of a ticket (issued by
the Ticket Granting Server (TGS))? And why are they important?
 Timestamp: This is the time at which the ticket was issued.
 Lifetime: This is the duration for which the ticket is valid.
They can be used to prevent replay attacks.

5. What is a nonce in Version 5 Kerberos and what is the use of it?


A nonce in Version 5 Kerberos is a random number used only once in a
communication to ensure that the response is fresh and has not been replayed.
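
An added example (not part of the original notes, and not the Kerberos wire format) of how a service can use a ticket's timestamp and lifetime, and a client a nonce, to reject stale or replayed messages. The HMAC seal stands in for Kerberos ticket encryption; the field names, the 300-second clock-skew allowance and the function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_CLOCK_SKEW = 300   # seconds; assumed tolerance for clock drift


def issue_ticket(service_key, client, now, lifetime):
    """TGS side: seal client name, timestamp and lifetime under the service key."""
    body = json.dumps(
        {"client": client, "timestamp": now, "lifetime": lifetime},
        sort_keys=True,
    ).encode()
    tag = hmac.new(service_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_ticket(service_key, ticket, now):
    """Service side: return the client name, or raise ValueError with the reason."""
    expected = hmac.new(service_key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket was modified")
    fields = json.loads(ticket["body"])
    if fields["timestamp"] > now + MAX_CLOCK_SKEW:
        raise ValueError("ticket timestamp is in the future")
    if now > fields["timestamp"] + fields["lifetime"]:
        raise ValueError("ticket lifetime has expired")
    return fields["client"]


def ticket_status(service_key, ticket, now):
    """Convenience wrapper that reports the outcome as a string."""
    try:
        return "ok: " + check_ticket(service_key, ticket, now)
    except ValueError as err:
        return str(err)


class ReplyChecker:
    """Client side: each request carries a fresh nonce that the reply must echo."""

    def __init__(self):
        self._outstanding = set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, reply_nonce):
        # A nonce is accepted once; a recorded reply sent again is refused.
        if reply_nonce not in self._outstanding:
            return False
        self._outstanding.discard(reply_nonce)
        return True


if __name__ == "__main__":
    key = b"constructed-service-key"          # constructed sample key
    ticket = issue_ticket(key, "alice", now=1000, lifetime=600)
    print(ticket_status(key, ticket, now=1200))   # inside the lifetime
    print(ticket_status(key, ticket, now=1601))   # captured ticket presented too late
```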

6. What is the main problem with publishing a public-key? And how has the
problem been tackled?
The main problem with publishing a public key is ensuring its authenticity - that
it truly belongs to the person or entity claiming to own it. Users could be tricked into
encrypting messages with a key provided by an attacker.

This problem is tackled through the use of Public Key Infrastructure (PKI), where
a trusted third party known as a Certificate Authority (CA) verifies the identity of the
key holder and issues a digital certificate that binds the public key to the individual or
entity. Users can then verify the certificate to ensure the public key's authenticity
before use.

7. What is public-key infrastructure?


Public Key Infrastructure (PKI) is a framework of policies and procedures for public
key authenticity. PKI works by having a trusted Certificate Authority (CA) issue digital
certificates to users and servers, ensuring that public keys are indeed owned by the
claimed owners.

8. Explain Identity federation.


Identity federation is a system of trust between different organizations that
allows them to use the same identification data to access services across all networks
of the federated entities.

9. What is single sign-on (SSO)?


Single sign-on (SSO) is an authentication scheme allowing users to access multiple
applications or systems with one set of login credentials.

Week 7

1. What is Network Access Control (NAC)? Why is it needed?


NAC is a security solution that grants or denies network access to devices based
on a set of security policies. NAC is needed to prevent unauthorized access, enforce
security compliance, and protect the network from potential threats.

2. What is the quarantine network, and what is the purpose of having it?
A quarantine network is a designated, restricted segment of a computer network
where devices that do not meet the defined security policy are placed. Its purpose is
to isolate non-compliant devices to prevent the spread of malware until they can be
brought into compliance.

3. Explain the following NAC enforcement method:


(a) IEEE 802.1X is an authentication protocol that provides an authentication
mechanism to devices wishing to connect to a LAN or WLAN. It is used to prevent
unauthorized access by requiring valid credentials before network access is granted.

(b) Virtual local area networks (VLANs) are used to segment networks into smaller
parts for reducing broadcast traffic. VLANs can isolate sensitive data and limit access
to specified users, thereby acting as a method for enforcing NAC policies.

4. What is an Extensible Authentication Protocol (EAP) method? What do we use it
for?
EAP is a framework for network access and authentication protocols. It is used in
network access authentication, where it provides authentication methods between a
client and an authentication server.

5. What is cloud computing?


Cloud computing is a model for delivering convenient, on-demand network
access to a shared pool of configurable computing resources.

6. Explain the following initialisms:


(a) SaaS
Cloud service offering software applications available to users over the internet.
(b) PaaS
Cloud service offering platforms such as hardware and software tools over the
internet, primarily for application development.
(c) IaaS
Cloud service providing network infrastructure like physical computing
resources, location, data partitioning, scaling, security, backup etc.
(d) SecaaS
Cloud service providing security applications and services.

7. Give three cloud security threats and their countermeasures.


 Shared technology issues: In IaaS, users share infrastructure, which does not have
strong isolation properties for a multi-user environment.
Countermeasures: Promote strong authentication and access control.

 Data loss or leakage: Data in the cloud can be lost or stolen.
Countermeasures: Encrypt and protect the integrity of data in transit.

 Abuse of cloud computing: It’s easy to register and become an insider of cloud
computing.
Countermeasures: Enforce stricter initial registration and validation processes.

8. Explain the following database environments:


(a) Multi-instance model
Each customer has a separate database instance, providing greater isolation and
security at the cost of increased resource use.
(b) Multi-tenant model
Multiple customers share the same database instance but with separate views of
the database; this model maximizes resource efficiency.

9. How can you protect data in the cloud?


Data in the cloud can be protected through a multi-layered approach that includes:

 Data Encryption: Encrypt data before uploading it to the cloud and keep control
of the encryption keys.

 Access Management: Implement strong identity management policies.

 Regular Audits: Conduct regular security audits and compliance assessments to
ensure that data is protected as per the standards.

 Backup and Redundancy: Ensure data is regularly backed up and that
redundancy is in place.

 Secure APIs: Use secure APIs and ensure they are constantly updated and
monitored for unauthorized access attempts.

10. Give five examples of cloud security as a service (SecaaS) and explain each
example.
 Identity and Access Management (IAM): Controls who is authenticated and
authorized to use resources.
 Data Loss Prevention (DLP): Ensures sensitive data is not lost, misused, or
accessed by unauthorized users.
 Intrusion Management: Detects and responds to cyber threats to protect cloud
services.
 Security Assessment: Evaluates the security posture of cloud services and
suggests improvements.
 Security Information and Event Management (SIEM): Provides real-time
visibility and analysis of security alerts generated by applications and network
hardware.

Week 8

1. What are the characteristics of the World Wide Web that make it vulnerable to a
variety of security attacks?
 Openness: It's designed to be open and accessible, which exposes it to
unauthorized access.
 Complexity: Web technologies are complex and interdependent, increasing the
attack surface.
 Connectivity: Constant connectivity provides more opportunities for attacks.
 Anonymity: Users can interact with web services without revealing their identity,
making it difficult to track malicious actors.
 Decentralization: The web has no central authority, which makes consistent
security policies and standards difficult to enforce.

2. Threats on the Web can be categorised into 4 categories. What are they? Give 2
examples of each threat and how to prevent or tackle such threats.
Integrity Threat
An integrity threat is when unauthorized modifications are made to data, which can
lead to misinformation or system malfunctions.

 SQL Injection: This occurs when an attacker inserts or "injects" a malicious SQL
query via the input data from the client to the application.
 Prevention: Use prepared statements and parameterized queries. Validate and
sanitize all user inputs.
 Cross-site Scripting (XSS): This is when attackers inject malicious scripts into
content from otherwise trusted websites.
 Prevention: Implement content security policies, encode data on output, and use
appropriate response headers to prevent browsers from interpreting injected
scripts as legitimate.

Confidentiality Threat
A confidentiality threat involves unauthorized access to sensitive data.

 Eavesdropping/Interception: Attackers may intercept data in transit, such as
credit card information, through unsecured connections.
 Prevention: Use encryption protocols like TLS/SSL for data in transit, and ensure
secure and encrypted connections for sensitive data exchanges.
 Data Breach: Unauthorized access to a database and extraction of sensitive data.
 Prevention: Employ strong authentication and authorization mechanisms,
encrypt sensitive data at rest, and use database monitoring tools to detect
unusual access patterns.

Denial of Service Threat


Denial of service (DoS) or distributed denial of service (DDoS) threats overwhelm
resources, making the service unavailable to legitimate users.

 SYN Flood: An attacker sends a succession of SYN requests to the target's system
in an attempt to consume enough server resources to make the system
unresponsive to legitimate traffic.
 Prevention: Use firewall rules to limit the rate of SYN packets, employ SYN
cookies, and leverage DDoS protection services.
 Network Flood: The attacker overwhelms the network with a large amount of
traffic which could be through a botnet in case of a DDoS.
 Prevention: Implement rate limiting, use anti-DDoS services, and configure
network hardware to mitigate traffic floods.

Authentication Threat
Authentication threats occur when an attacker gains access to a system by
circumventing or breaking the authentication mechanism.

 Phishing: Attackers deceive users into providing their login credentials.
 Prevention: Educate users on how to recognize phishing attempts, use
multi-factor authentication, and implement advanced email filtering solutions.
 Password Attack: Attackers use methods such as brute force, dictionary attacks,
or credential stuffing to guess or steal passwords.
 Prevention: Enforce strong password policies, use account lockout mechanisms
after several failed attempts, and promote the use of password managers.

3. What is Transport Layer Security (TLS)? What is it used for?


TLS is a cryptographic protocol designed to provide communications security
over a computer network. Websites use TLS to secure all communications between
their servers and clients.

4. Explain how TLS Record Protocol provides confidentiality and message integrity
services.
 Confidentiality: The Handshake Protocol defines a shared secret key negotiated
during the TLS handshake. The key is used for conventional encryption of TLS
payloads.
 Message Integrity: The Handshake Protocol also defines a shared secret key that
is used to calculate a message authentication code (MAC).

5. What is the use of a heartbeat protocol?


The heartbeat protocol is used to keep connections alive without constantly re-
negotiating them. It sends a 'heartbeat' message, which prompts a response from
the other party, indicating the connection is still active.

6. SSL/TLS attacks can be divided into four groups; what are they? Explain.
1. Attacks on the Handshake Protocol
The handshake protocol is used to establish the security settings for a TLS
connection. During the handshake, the client and server agree on various parameters
to establish a secure connection.

2. Attacks on the Record and Application Data Protocols


The record protocol provides confidentiality and integrity for the exchange of
application data.

3. Attacks on the PKI (Public Key Infrastructure)


PKI is the framework that manages the digital certificates used in the TLS protocol.

4. Other Attacks like DoS


These are attacks that aim to disrupt service rather than intercept or alter data.

7. Explain HTTPS.
HTTPS stands for HyperText Transfer Protocol Secure. It is the secure version of
HTTP, where communications are encrypted by TLS or SSL. This protocol is used for
secure transactions and to prevent unauthorized interception of data.

8. What is Secure Shell (SSH) protocol? Is it an important protocol? Why or why
not?
SSH is a network protocol that provides a secure channel over an unsecured
network. It's important because it provides a secure channel for remote login and
command execution, which is crucial in today's environment where much of the
system administration is done remotely.

9. What are the authentication methods used in SSH? Explain.


SSH supports multiple methods for authenticating a user to a remote server,
ensuring that only authorized users can access the system:

 Password Authentication: The client sends a message containing a plaintext
password, which is protected by encryption by the Transport Layer Protocol.

 Public Key Authentication: The client sends a message to the server that
contains the client’s public key, with the message signed by the client’s private
key. When the server receives this message, it checks whether the supplied key
is acceptable for authentication, and, if so, it checks whether the signature is
correct.
 Host-Based Authentication: Authentication is performed on the client’s host
rather than the client itself. Thus, a host that supports multiple clients would
provide authentications for all its clients. This method works by having the client
send a signature created with the private key of the client host. Thus, rather than
directly verifying the user’s identity, the SSH server verifies the identity of the
client host—and then believes the host when it says the user has already
authenticated on the client side.

10. One of the most useful features of SSH is port forwarding. Explain what port
forwarding is and how it works.
Port forwarding via SSH, or SSH tunneling, creates a secure connection between
a local computer and a remote machine through which services can be relayed.

Local Port Forwarding: This allows you to connect from your local machine to a
remote server through your SSH client.

Remote Port Forwarding: This allows you to accept connections on a port of a
remote server and tunnel them to your local machine.

Week 9

1. Give four key factors contributing to the higher security risk of wireless networks
compared to wired networks. Explain each factor.
 Channel: Wireless networking typically involves broadcast communications,
which is far more susceptible to eavesdropping and jamming than wired
networks. Wireless networks are also more vulnerable to active attacks that
exploit vulnerabilities in communications protocols.
 Mobility: Wireless devices are, in principle and usually in practice, far more
portable and mobile than wired devices. This mobility results in a number of
risks, described subsequently.
 Resources: Some wireless devices, such as smartphones and tablets, have
sophisticated operating systems but limited memory and processing resources
with which to counter threats, including denial of service and malware.
 Accessibility: Some wireless devices, such as sensors and robots, may be left
unattended in remote and/or hostile locations. This greatly increases their
vulnerability to physical attacks.

2. How can a wireless access point be protected?


The main threat involving wireless access points is unauthorized access to the
network. The principal approach for preventing such access is the IEEE 802.1X
standard for port-based network access control. The standard provides an
authentication mechanism for devices wishing to connect to a wireless network.

3. Mobile devices need additional, specialised protection measures. There are
seven major security concerns for mobile devices. Explain each of the concerns
below:
(a) Lack of physical security controls
Mobile devices are easily lost or stolen, potentially exposing sensitive data.
(b) Use of untrusted mobile devices
Personal devices not managed by an organization can introduce malware or leak
data.
(c) Use of untrusted networks
Mobile devices often connect to insecure public Wi-Fi networks, risking data
interception. Traffic that includes an off-premises segment is potentially susceptible
to eavesdropping or man-in-the-middle types of attacks.
(d) Use of applications created by unknown parties
Third-party applications may contain malicious code or vulnerabilities.
(e) Interaction with other systems
A common feature found on smartphones and tablets is the ability to automatically
synchronize data, apps, contacts, photos, and so on with other computing devices
and with cloud-based storage.
(f) Use of untrusted content
Mobile devices may access and use content that other computing devices do not
encounter, such as QR codes.
(g) Use of location services
The GPS capability on mobile devices can be used to maintain a knowledge of the
physical location of the device, creating security risks.

4. Explain the following:


(a) Wi-Fi Protected Access (WPA)
A security protocol that secures wireless networks by encrypting data and includes
user authentication.

(b) Wired Equivalent Privacy (WEP)


An outdated security protocol that included a set of security features for privacy and
authentication that were weak.

(c) Robust Security Network (RSN)


A security protocol for wireless networks that allows the use of advanced encryption
methods and replaces WEP.

5. Explain Extended Service Set (ESS)


An ESS is a set of interconnected Basic Service Sets (BSSs) that form one logical
network with one SSID (Service Set Identifier). This allows users to roam seamlessly
within the area covered by the BSSs.

6. Explain the following services:


a. Association
The process by which a wireless device connects and authenticates to an access
point.
b. Reassociation
Moving an existing association from one access point to another without
disconnecting.
c. Disassociation
The process of terminating the connection between a wireless device and an access
point.

7. What are the five phases of a Robust Security Network (RSN)? Explain.
1. Discovery: Devices discover each other's security capabilities.
2. Authentication: Establishes the identity of devices.
3. Key Generation and Distribution: Encryption keys are created and distributed.
4. Protected Data Transfer: Data is encrypted and securely transmitted.
5. Connection Termination: The secure connection is properly closed.

8. What is the use of pairwise keys?


Pairwise keys are unique encryption keys established between two devices, typically
between an STA and an AP in a wireless network, ensuring a secure communication
channel.

9. What is the importance of Temporal Key (in pairwise keys)?


A Temporal Key is a temporary encryption key used in the encryption of data frames
in a session. It provides the actual protection for user traffic.

10. Explain the relationship between Group Master Key (GMK) and Group Temporal
Key (GTK).
The Group Master Key (GMK) is a key used to generate Group Temporal Keys (GTKs).
The GMK is held by the access point and is used to derive new GTKs, used to encrypt
traffic in a wireless network.

Week 10

1. What are the three functional areas the IP-level security encompasses? Briefly
explain their functionality.
 Authentication: The goal of authentication in IPsec is to verify that the received
packets are indeed from the claimed sender and have not been altered during
transit.
 Confidentiality: Confidentiality ensures that the data being sent is only readable
by the intended recipient. This is typically referred to as encryption.
 Key Management: Key management encompasses the methods and protocols
used to generate, distribute, and maintain cryptographic keys in an IPsec
environment.

2. List some benefits of IPsec.


 Provides a transparent security solution that does not require changes to
individual applications.
 Supports network-level peer authentication, data origin authentication, data
integrity, data confidentiality (encryption), and replay protection.

3. List and briefly define different categories of IPsec documents.


1. Architecture: Framework outlining how IPsec provides secure
communication, with protocols for authentication, key negotiation, and data
protection.

2. Authentication Header (AH): Protocol for packet integrity and
authentication, without confidentiality.

3. Encapsulating Security Payload (ESP): Protocol providing integrity,
authentication, and encryption for packet confidentiality.

4. Internet Key Exchange (IKE): Protocol for key management, establishing,
and maintaining security associations.

5. Cryptographic Algorithms: Methods for encryption and hashing, such as AES
for encryption and SHA for integrity.

6. Other Components:

 IPsec Policy: Rules for how traffic is processed by IPsec.
 Security Associations (SA): Agreements on the parameters for secure
communication between entities.
 IPsec Databases: Include SPD (Security Policy Database) and SAD
(Security Association Database).

4. Explain the transport mode and tunnel mode for Authentication Header and
Encapsulating Security Payload (ESP) protocol.
AH Transport Mode: The AH header is inserted after the original IP header and
before the payload, and it covers the IP payload and AH header for authentication.
The IP header itself is not protected.

ESP Transport Mode: ESP in transport mode encrypts and optionally authenticates
the IP packet's payload only. It does not protect the IP header, so while the data is
confidential, information in the IP header is visible.

AH Tunnel Mode: In tunnel mode, AH encapsulates the entire inner IP packet
(including the inner IP header and payload) for authentication. A new IP header is
added to the outer packet. The entire inner packet is authenticated, but as with AH in
general, there is no encryption, so the inner packet is not confidential.

ESP Tunnel Mode: ESP in tunnel mode encrypts the entire inner IP packet and
provides optional authentication. The inner packet is encrypted.

5. What is an Association in both the authentication and confidentiality
mechanisms for IP? And what are the parameters of the association?
A Security Association (SA) is a set of parameters that define the services and
mechanisms necessary for secure communication between IP endpoints. Parameters
include Security Parameter Index (SPI), IP destination address, security protocol
(AH/ESP), and cryptographic algorithms used for authentication and/or encryption.

6. Briefly explain Encapsulating Security Payload (ESP).


ESP is an IPsec protocol that provides confidentiality, source authentication, and
integrity to IP packets. It encrypts the payload data, and optionally the headers, to
protect communications from eavesdropping and tampering.

7. What are two ways in which security associations may be combined into
bundles? Briefly explain them.
 Transport adjacency: Multiple SAs are applied in sequence to the same IP packet
without tunneling.
 Iterated tunneling: An IP packet is subjected to multiple layers of SAs, with each
layer corresponding to a different tunnel.

8. Briefly explain the key management of IPsec.


Internet Key Exchange (IKE) of IPsec establishes shared keys between parties. IKE
operates on the principle of a Diffie-Hellman key exchange.

9. What are the roles of the Oakley key determination protocol and ISAKMP in
IPsec?
 Oakley Key Determination Protocol: A key agreement protocol based on the
Diffie-Hellman algorithm, used to establish a shared secret over an insecure
channel.
 ISAKMP (Internet Security Association and Key Management Protocol): Defines
procedures and packet formats to establish, negotiate, modify, and delete
security associations. ISAKMP works with Oakley to establish the shared secret
keys.
