COLLEGE OF COMPUTING AND INFORMATION SCIENCES

Final-Term Assessment Fall 2020 Semester

Class Id 104732 Course Title Securing ERP Systems
Program BSERP Campus / Shift City Campus / Morning
Date 15th – December 2020 Total Marks 40
Duration 03 hours Faculty Name Muhammad Farhan Siddiqui
Student Id 64233 Student Name Maham Fatima

Instructions:
• Filling out Student-ID and Student-Name on exam header is mandatory.
• Do not remove or change any part of exam header or question paper.
• Write down your answers in given space or at the end of exam paper with proper title “Answer for
Question# _ _”.
• Answers should be formatted correctly (font size, alignment and etc.)
• If any question requires Handwritten text or image then it should be on A4 size page with clear visibility
of contents.
• Only PDF format is accepted (Student are advise to install necessary software)
• In case of CHEATING, COPIED material or any unfair means would result in negative marking or ZERO.
• A mandatory recorded viva session will be conducted to ascertain the quality of answer scripts where
deemed necessary.

• Caution: Extra 01 hour is given for paper formatting and PDF conversion and cater all kinds of odds in
submission of Answer-sheet. Therefore, if you failed to upload answer sheet on LMS and Google
Classroom (in PDF format) within 04 hours limit, you would be considered as ABSENT/FAILED.
Q1 Complete the given round using AES algorithm (10 Marks)
Q2- Suppose that Bob wants to send a message to Alice. Although it is not important
that the message be kept secret, he wants Alice to be certain that the message is indeed
from him. What need to be done in order to keep this conversation protected and both
can assure that the message is from genuine source (5 Marks)

ANSWER:
Alice and Bob should use Digital Signature to make sure the message comes from a real
source. In fact, what happens to Digital Signature is when you, the server, sign the document
digitally, inserting a one-way hash (encryption) message content using your public and private
key. Your client can still read it, but the process creates a "signature" which is the only server
community key that can remove the encryption. The client, using the public key of the server,
can verify the sender and the integrity of the message content.
A digital signature can be considered as a numerical value represented as a sequence of
letters. Digital signage is a complex mathematical process that can only be created by a
computer.
For example:
Imagine for a second you were transposed into the karmic driven world of Earl.
1. Bob types a message to be digitally signed or clicks on 'sign' in his messaging app
2. The message hash value is calculated by Bob's computer
3. This hash value is encrypted with Bob's Signing Key (Private Key) to create Digital
Signature.
Now, the first message and its Digital Signature are sent to Alice.
4. After Alice receives the signed message, the corresponding program (such as the
messaging system) indicates that the message has been signed.
5. Alice's computer then moves on to: Download Digital Signature using Bob's Public Key and
count the hash of the first message
Compare the hash 'A' listed in the received message with the 'B' encrypted message received
by Bob's message.
6. Any differences in hash values may result in message interruptions.

Q3- When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and
IPv6, indicate the relationship of each outer IP header field and each extension header
in the outer packet to the corresponding field or extension header of the inner IP packet.
That is, indicate which outer values are derived from inner values and which are
constructed independently of the inner values. (5 Marks)

ANSWER:
IPv6 uses two different types of themes: Basic / Standard IPv6 Header and IPv6 Extension
Headers. The main IPv6 head is equal to one basic IPv4 although there are some field
differences that result from the lessons learned from IPv4 performance. introduces key topics
for IPv4 and IPv6. The options field in the IPv4 title is used to transfer additional information to
the package or the way it should be processed. Routers, unless otherwise instructed, should
consider options in the IPv4 topic. The processing of multiple header options pushes the
package to a cooler route that leads to the transmission of transfer functions.
IPv4 options play a very important role in the performance of the IP protocol and therefore
power must be stored in IPv6. On the other hand, the impact of IPv4 options on performance is
attributed to the development of IPv6. The functionality of the options is removed from the
main header and is done with a set of additional headers called extension headers. The main
header is always adjusted in size (40 bytes) while customized EHs can be added as needed.
Q4 (a) In the RSA public-key encryption scheme, each user has a public key, e, and a
private key, d. Suppose Bob leaks his private key. Rather than generating a new
modulus, he decides to generate a new public and a new private key. Is this safe. (2
Marks)

ANSWER:
No, it is not safe. When Bob leaks her private key, Alice can use this to enter her
modulus, N. Then Alice can crack any message Bob sends. Therefore, it is important for Bob
to change his modulus and create new keys.

Q4- (b) Perform encryption and decryption using the RSA algorithm. (4 Marks)
p = 7; q = 11, e = 17; M = 8
Q5- You are supposed to write a policy document with help of following document
regarding network security in your organization for the protection of the confidentiality,
integrity and availability of the network. (5 Marks)

1-Scope of this policy

2-The Policy
3- Risk Management
4-Access Control
5-Disaster Recovery
6-User Awareness
7- Information Security officer’s responsibilities
8-Security Audits
9- Device Maintenance
10- Over all Responsibilities
ANSWER:
UNILEVER
SCOPE OF THIS POLICY : This policy applies to all who have access to IPT networks.
Throughout this policy, the term “users” will be used to refer to everyone. The policy also
applies to all computer and data communications systems managed by IPT or partner
networks.
The POLICY:
All information that goes to IPT Networks that have not been specifically identified as assets of
other parties will be treated as assets of IPT networks. It is the policy of IPT networks to
prohibit unauthorized access, disclosure, duplication, alteration, diversion, destruction, loss,
misuse, or theft of this information. In addition, it is the policy of IPT networks to protect
third-party information provided to IPT networks in a manner consistent with its sensitivity and
in compliance with all applicable agreements.
RISK MANAGEMENT:
IPT NETWork aims to make efforts to identify and evaluate external and internal risks to the
security, privacy, and integrity of non-public financial information that may lead to
unauthorized disclosure, misuse, alteration, destruction or other compromise of that
information. The Director of IT Infrastructure Services will establish procedures for the
identification and evaluation of those risks in each relevant area of operation of the Agency,
including:
• Staff training and management
• Information Systems and Information Processing and Disposal
• Detecting, preventing and responding to attacks
ACCESS CONTROL:
The IPT network is responsible for the effective protection of intellectual property and personal
and financial information provided to it by students, staff, partners and others. Using hard
passwords to guess is an important step in successfully fulfilling that obligation.
Password System Setup:
All computers connected permanently or periodically connected to the IPT network local
networks must have password access controls. If computers contain confidential or protected
information, an extended user authentication system approved by the Information Technology
Multi-User Systems (servers) must use user IDs and passwords separately for each user, and
user rights restrictions based on personal need to know. Network-based, single-user
applications must use hardware or software controls approved by Information Technology
which prevents unauthorized access.
USER AWARENESS:
The Director of IT Infrastructure Services will liaise with third party service delivery agencies
between the Department of Information Technology and other relevant departments to raise
awareness, select and select options, and keep only those service providers who are able to
maintain non-public financial information protection for students and third parties. These
standards will apply to all existing and future contracts entered into with these third-party
service providers.
Information Security officer’s responsibilities
The Chief Information Officer (CIO) is responsible for developing, maintaining, implementing,
managing and interpreting the security policies of the organization's programs, standards,
guidelines and procedures. While the day-to-day responsibility of security of information
systems is the responsibility of all employees, specific guidance, supervision, and authority for
information security is centered on all IPT networks in the Information Technology
department. The department will conduct information system disaster risk assessments,
prepare information security action plans, evaluate information security products, and perform
other necessary functions to ensure a secure information system environment.
DEVELOPMENT OF THE DEVICE:
The Director of IT Infrastructure Services will liaise with third party service delivery agencies
between the Department of Information Technology and other relevant departments to raise
awareness, select and select options, and keep only those service providers who are able to
maintain non-public financial information protection for students and third parties. These
standards will apply to all existing and future contracts entered into with these third-party
service providers.
OVERALL RESPONSIBILITIES:
Directors and Deans have a responsibility to ensure that appropriate computer and
communication system security measures are taken in their areas. In addition to providing
adequate resources and staff time to meet the requirements of these policies, departmental
managers are responsible for ensuring that all employee users are aware of IPT network
policies related to computer security and communication. The Student Dean has the
responsibility to ensure that the security measures of the computer and communication
system are visible to the students. Dini is responsible for ensuring that all student users are
aware of IPT network policies related to computer security and communication. Users have a
responsibility to comply with this and all other IPT network policies that define computer and
network security measures. Users are also responsible for all risks to known information
security and infringement violations in the Information Technology department.

Q6- A significant security problem for networked systems is hostile, or at least

unwanted, trespass by users or software. User trespass can take the form of
unauthorized logon to a machine or, in the case of an authorized user, acquisition of
privileges or performance of actions beyond those that have been authorized. Software
trespass can take the form of a virus, worm, or Trojan horse.
All these attacks relate to network security because system entry can be achieved by
means of a network. However, these attacks are not confined to network-based attacks.
A user with access to a local terminal may attempt trespass without using an
intermediate network. A virus or Trojan horse may be introduced into a system by
means of a diskette.

You need to provide strategies intended for prevention and, failing that malicious
activity detection (5 Marks)
ANSWER:
Intrusion Detection System (IDS) is a combination of hardware / software or your combination
of both hardware and software that gets access to a system or network. IDS complements the
firewall by providing a complete overview of both package title and content and thus protects
against attack, which is otherwise seen by the firewall as a seemingly straightforward network.
Firefighters comply with regulatory requirements; package approved or opposed. The law
stipulates that a manager or network, or system must be approved for a trusted network. To
check the rules, the firewall should only check the TCP / IP protocol header such as FTP,
HTTP, or Telnet. However, it does not check the network packet data content. Even if the data
contains a malicious code, the firewall will allow the package to override as the packet header
complies with the rules set for the firewall. Therefore, you may still have a firewall but your
trusted network may be affected. IDSs scan the contents of each package across a network to
detect any malicious activity. The entire package is stripped down to the "data content" section
and the data content is checked for any malicious code and the package is compiled back to
its original form and the package shipped with it. As you can see, the whole package is
distributed and compiled back to layer 3, which makes IDS more efficient compared to a
firewall. A firewall is an essential element of a global network security topology but it is not
enough on its own. Most modern networks have IDS as an important part of security
construction.

Q7- Internet connectivity is no longer optional for organizations. The information and
services available are essential to the organization. Moreover, individual users within
the organization want and need Internet access, and if this is not provided via their LAN,
they will use dial-up capability from their PC to an Internet service provider (ISP).
However, while Internet access provides benefits to the organization, it enables the
outside world to reach and interact with local network assets. This creates a threat to
the organization. While it is possible to equip each workstation and server on the
premises network with strong security features, such as intrusion protection, this is not
a practical approach.

You are required to design a practical approach for such situation and what device
must be installed in order to provide better security. (Marks 4)

ANSWER:
It is possible to equip each workstation and server with a local network with strong security features,
such as intrusion protection, this may not be enough and in some cases less expensive. Think of a
network with hundreds or thousands of programs, running various operating systems, such as UNIX
and Windows versions. When a security error is detected, each potential system must be upgraded to
correct that error. This requires balanced configuration management and robust installation in order to
be effective. While difficult, this is possible and necessary if only host-based security is used. Another
widely accepted method or at least complements the security services designed for firewall hosting. A
firewall is installed between a local network and the Internet to establish a controlled connection and to
build a wall or external security area. The purpose of this cycle is to protect the local network from
Internet-based attacks and to provide a single congestion area for security and audit. A firewall can be
a single computer program or a set of two or more programs that work together to perform a firewall
function.
The firewall, therefore, provides an additional layer of protection, protecting internal systems from
external networks. This follows the old military doctrine of "deep defense," which also applies to IT
security.