internet worms.
i. Give the phases in the life cycle of a computer worm. [4]
Answer
- Dormant phase
- Propagation phase
- Triggering phase
- Execution phase
ii. Explain any three effects of worms on computer security. [6]
b) Answer the following questions on Denial of Service.
i. What is denial of service (DOS) attack? [2]
Answer
A denial of service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
ii. Describe the following examples of DOS. In your description suggest a possible
solution to each DOS attack [6]
Smurf
Answer
Smurf attacks - In this type of attack the attacker spoofs the IP address of the victim computer and sends a large amount of ICMP ping broadcast traffic to the network address.
*Possible solution - There are multiple strategies that can be employed to reduce the likelihood of a Smurf attack. The first is disabling IP broadcasting at all network nodes. Legacy devices may have IP broadcasting enabled by default, so it is necessary to go to each one and disable
Ping flood,
Answer
Ping flood attack - A ping flood attack relies on the ICMP echo (ping) command, which is normally used for testing network connectivity. In this attack, ping is used to flood large amounts of data packets to the victim's computer to try to overload the system.
*Possible solution - Simply block the IP address from accessing your network.
Fraggle
Fraggle attack - A Fraggle attack is similar to a Smurf attack except that it uses UDP protocol instead of TCP protocol. This attack is not widely used compared to the Smurf attack.
*Possible solution - To prevent this attack you might want to consider blocking echo port 7 and port 19 on the firewall.
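The three attacks above have recognisable traffic shapes. The detector below, added here as an illustrative example rather than part of the original answers, flags them in a constructed set of packet summaries: ICMP echo requests aimed at a broadcast address (Smurf), UDP to ports 7 or 19 at a broadcast address (Fraggle), and an unusually high echo-request count from one source (ping flood). The record layout, the /24 broadcast convention and the flood threshold are assumptions.

```python
from collections import Counter

# Constructed packet summaries for this example (not real capture data):
# (src_ip, dst_ip, proto, dst_port, icmp_type); icmp_type 8 = echo request.
SAMPLE = (
    [("10.0.0.5", "192.168.1.255", "icmp", None, 8)] * 30      # Smurf: pings to broadcast
    + [("10.0.0.9", "192.168.1.255", "udp", 7, None)] * 20     # Fraggle: UDP echo to broadcast
    + [("10.0.0.9", "192.168.1.255", "udp", 19, None)] * 5     # Fraggle: UDP chargen to broadcast
    + [("172.16.0.7", "192.168.1.10", "icmp", None, 8)] * 500  # ping flood against one host
    + [("172.16.0.8", "192.168.1.10", "icmp", None, 8)] * 3    # ordinary connectivity test
    + [("172.16.0.8", "192.168.1.10", "tcp", 443, None)] * 50  # ordinary web traffic
)

def is_broadcast(ip):
    # Assumption: /24 subnets, so a directed broadcast address ends in .255.
    return ip.endswith(".255")

def classify(packets, flood_threshold=100):
    """Return per-source packet counts for each DoS pattern described in the text."""
    smurf, fraggle, echo = Counter(), Counter(), Counter()
    for src, dst, proto, dport, itype in packets:
        if proto == "icmp" and itype == 8:
            echo[src] += 1                      # every echo request counts toward a flood
            if is_broadcast(dst):
                smurf[src] += 1                 # echo request to the broadcast address
        elif proto == "udp" and dport in (7, 19) and is_broadcast(dst):
            fraggle[src] += 1                   # UDP echo/chargen to the broadcast address
    return {
        "smurf": dict(smurf),
        "fraggle": dict(fraggle),
        "ping_flood": {s: n for s, n in echo.items() if n >= flood_threshold},
    }

if __name__ == "__main__":
    for pattern, sources in classify(SAMPLE).items():
        print(pattern, sources)
```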
b) Provide one example each for preventive, detective and corrective security controls, for each of the following categories:
i. People
ii. Technology
iii. Operations [9]
c) The principle of `need to know' in information security advocates that each user should have access to only as much information as needed to carry out the tasks they are assigned, and no more (least privilege access). What are potential shortcomings of such an approach to security? [3]
Answer
Whilst the Least Privilege Principle has a range of benefits, a shortcoming of such an approach to security is that enforcing it can be challenging without a streamlined solution to manage all privileged accounts and users. Incorporating the theory into a more comprehensive PAM policy and platform offers a better strategy for optimizing security against the potential risks posed by privileged
f)
g) The Rijndael algorithm uses a byte substitution table that comes from a formula applied
to $GF(2^8)$.
i. Is it necessary to use that formula? That is, would any substitution table work? [2]
ii. What restrictions are there on the form of the table? [2]
iii. A property of the Rijndael algorithm is that it is quite regular. Why is this both a
good and a bad property for a cryptographic algorithm? [2]
b) Some time ago LinkedIn confirmed that it had experienced a data breach that likely compromised the e-mail addresses and passwords of 6.5 million of its users. This confirmation followed the posting of the password hashes for these users in a public forum. One criticism of LinkedIn is that they used unsalted password hashes. In this question we'll explore this criticism. Assume that each stolen password record had two fields in it: [user_email, SHA1(password)] and that a user login would be verified by looking up the appropriate record based on user email, and then checking if the corresponding hashed password field matched the SHA1 hash of the password entered by the user trying to log in. By contrast, if LinkedIn had used a salted scheme, then each record would have had three fields: [user_email, salt, SHA1(password+salt)] and login verification would similarly require looking up the salt and using it when matching hashes. Given this:
i. Suppose the attacker's goal is to break your password via a dictionary attack. Does the lack of salting in LinkedIn's scheme make this goal substantially easier? [3]
Answer
No. Because even were there a salt, the attacker knows what salt is used for a given user.
Thus, the time to create a dictionary of hashes is pretty much the same in both schemes.
ii. Suppose the attacker's goal is to break at least half of the passwords via a dictionary attack. Does the lack of salting in this scheme make this goal substantially easier? [2]
Answer
Yes. Without salting one dictionary of hashes is sufficient for searching the entire set of users.
With salting it will require a dictionary for each salt value seen.
iii. Suppose you are contacted by the attacker and given a set of password hashes (that is, no user name, no salt). Assuming the hash function is known, is there a measurement you could make in order to infer if the hashes are likely salted or not? [3]
Answer
Yes. Recall that some passwords are much more popular than others. For example, the password 123456 is used by at least 0.1% of all accounts. Thus, if you hash such passwords and they appear disproportionately in the list then you might infer that the list is not hashed. Similarly, even without doing a hash, if you sort the hashes by frequency, in an unsalted list you will expect that there is some hash that occurs with frequency ~0.1%, whereas in a salted list it will be ~0.1%/2^n where n is the size of the salt in bits.
iv. It turns out that 20% of LinkedIn users with Yahoo Mail e-mail addresses used the same password at LinkedIn as at Yahoo. You learn that, unlike LinkedIn, Yahoo salts its passwords. Should Yahoo be concerned about the LinkedIn breach or not? [3]
Answer
Yes. For 20% of the Yahoo users in the LinkedIn breach, their user name and password are known to the attacker. Yahoo's salting helps mitigate a breach of their own password database, but doesn't help at all in this case.
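A worked illustration of parts ii and iii above, added here and not part of the original paper: it builds a constructed population of SHA1 password records in both the unsalted and the salted form, shows that one hash dictionary cracks every reuse of a popular password only in the unsalted list, and applies the frequency measurement from part iii to tell the two lists apart. The hash function, salt size, password counts and detection threshold are assumptions.

```python
import hashlib
import os
import random
from collections import Counter

# Constructed password population (sample data for this example, not breach data):
# a few popular passwords are reused by many users, the rest are unique per user.
POPULAR = {"123456": 40, "password": 25, "linkedin": 15}

def build_passwords(n_users, seed=1):
    rng = random.Random(seed)
    pws = [p for p, count in POPULAR.items() for _ in range(count)]
    while len(pws) < n_users:
        pws.append("u%08x" % rng.getrandbits(32))  # unique-looking filler password
    rng.shuffle(pws)
    return pws

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def unsalted_records(passwords):
    # Unsalted scheme from the question: SHA1(password). E-mails are omitted because
    # the attacker in part iii only hands over the hashes.
    return [sha1_hex(p.encode()) for p in passwords]

def salted_records(passwords, salt_bits=64):
    # Salted scheme: SHA1(password + salt) with a fresh random salt per record.
    return [sha1_hex(p.encode() + os.urandom(salt_bits // 8)) for p in passwords]

def dictionary_hits(hashes, wordlist):
    # Part ii: one precomputed table of SHA1(word) is checked against every record.
    table = {sha1_hex(w.encode()) for w in wordlist}
    return sum(1 for h in hashes if h in table)

def top_hash_fraction(hashes):
    # Part iii measurement: share of the list taken by the single most frequent hash.
    return Counter(hashes).most_common(1)[0][1] / len(hashes)

def looks_unsalted(hashes, threshold=0.001):
    # Unsalted: a popular password collapses onto one hash, so the top hash is around
    # 0.1% or more of the list. Salted: repeats are ~0.1%/2^n, i.e. effectively unique.
    return top_hash_fraction(hashes) >= threshold

if __name__ == "__main__":
    pws = build_passwords(10000)
    for name, recs in (("unsalted", unsalted_records(pws)), ("salted", salted_records(pws))):
        print(name, dictionary_hits(recs, POPULAR), top_hash_fraction(recs), looks_unsalted(recs))
```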
2. Phishing attacks
One of the more common attack vectors for stealing credentials is phishing attacks.
3. API-related breaches
The API (application program interface) is a security application, which due to its nature of
being largely open to the public and not very up-to-speed with security trends, gives rise to API-
based breaches focusing on high-profile messaging apps, financial processes, and social media.
4. Human-operated ransomware
Approximately 24% of current cyberattacks occur via ransomware.
5. Administrative tools
The use of administrative tools by cyber criminals accounts for over 50% of their attack leverage: cybercriminals use management and system administration tools to breach the networks of companies. 2021 is expected to see many more attacks of this sort as IT systems grow to become more interconnected.
d) Briefly explain what is meant by an Authentication Header (AH) and an Encapsulating Security Payload (ESP). [6]
Answer
Authentication Header
- Adds a new header (including a new IP header)
- Provides authentication services
- Verifies the originator of the message
- Provides an integrity check of the entire packet, including the new L3 IP header
- Provides protection against replay attacks
Encapsulating Security Payload
- Adds a new header (including a new IP header)
- Encrypts the original datagram
- Provides protection against replay attacks
Or
Authentication header
The AH is an IPsec protocol that provides data integrity, data origin authentication, and
optional anti-replay services to IP. AH does not provide any data confidentiality (Data
encryption). Since AH does not provide confidentiality, there is no need for an encryption
algorithm.
Encapsulating Security Payload (ESP)
An Encapsulating Security Payload (ESP) is a protocol within IPsec for providing authentication, integrity and confidentiality of network packet payloads in IPv4 and IPv6 networks. ESP provides payload encryption and the authentication of a payload and its origin within the IPsec protocol suite.
e)
a) Answer the following on network attacks.
i. Explain TCP Syn Flooding attack briefly. [2]
Answer
A SYN Flood is a common form of Denial-of-Service (DDoS) attack that can target any system connected to the Internet and providing Transmission Control Protocol (TCP) services (e.g. web server, email server, file transfer).
Use a Virtual Private Network (VPN)—a VPN allows devices to connect to the Internet
through an encrypted tunnel. This makes all communication encrypted, and worthless for an
ARP spoofing attacker.
Use static ARP—the ARP protocol lets you define a static ARP entry for an IP address, and
prevent devices from listening on ARP responses for that address. For example, if a workstation
always connects to the same router, you can define a static ARP entry for that router, preventing
an attack.
Use packet filtering—packet filtering solutions can identify poisoned ARP packets by seeing
that they contain conflicting source information, and stop them before they reach devices on your
network.
Run a spoofing attack—check if your existing defenses are working by mounting a spoofing
attack, in coordination with IT and security teams. If the attack succeeds, identify weak points in
your defensive measures and remediate them.
Answer
In a man-in-the-middle attack the attacker sets up a bogus access point:
- The bogus access point identifies a real corporate access point in advance.
- When a corporate laptop sees the bogus access point and tries to associate to it, the bogus access point copies all the messages it receives to the valid corporate access point, substituting its own Medium Access Control (MAC) address for the source address.
- The bogus access point copies all the messages received from the valid access point back to the mobile device, again substituting its own Medium Access Control (MAC) address for the source address. This intervention is possible even when the data is encrypted and without the enemy knowing the secret keys.
- Password Attacks
- Port Redirection
- Man-in-the-Middle Attacks
- Trust Exploitation
- Packet Sniffers
- Denial of Service (DoS) Attacks
f) James and Alexander are having another debate about computer and
network security. James says that it is the job of security professionals
to find all vulnerabilities and every threat and make sure the system is
always 100% secure. Do you agree with James? You should explain your
answer with nine reasons. [10]
Answer
- It is not possible to find all vulnerabilities and threats
- It is prohibitively expensive to mitigate all of them
- Many threats and vulnerabilities are non-technical
- A risk-based approach is needed
- A risk-based approach examines the likelihood and impact of potential security incidents
- A risk-based approach determines which the highest risks are
- Those identified as low risk can be accepted
- High risk can be controlled or transferred
- Estimating the cost of an incident against the cost of controlling it is one way of deciding
DoS attacks based on volume: The goal of this attack is to saturate the bandwidth of the affected site, and its magnitude is measured in bits per second. This type of attack includes spoofed-packet floods, ICMP floods and UDP floods.
DoS attacks based on the protocol: The goal of this attack is to consume the resources of real servers or of the components implemented for intermediate communication, such as load balancers and firewalls. The transmission rate is measured in packets per second. This type of attack includes Ping of Death, Smurf denial of service, SYN floods, and fragmented packet attacks.
DoS attacks on the application layer: The aim of the attack is to bring down the web server, and it is measured in requests per second. It has specific targets such as Apache, OpenBSD and Windows. Examples of these attacks are GET/POST floods and Low-and-Slow attacks.
i) Due to the nature of how mobile devices function, they tend to have unique vulnerabilities when compared to desktops and servers, each with its own built-in defences, attack vectors, and threats. Describe the following problems.
i. Physical Access [3]
Answer
Physical access
Mobile devices are small, easily portable and extremely lightweight. While their diminutive size makes them ideal travel companions, it also makes them easy to steal or leave behind in airports, airplanes or taxicabs. As with more traditional devices, physical access to a mobile device equals "game over".
Answer
There are many considerations that organizations should include in their
firewall selection and planning processes. Organizations need to determine
which network areas need to be protected, and which types of firewall
technologies will be most effective for the types of traffic that require
protection. Several important performance considerations also exist, as well as
concerns regarding the integration of the firewall into existing network and
security infrastructures. Additionally, firewall solution design involves
requirements relating to physical environment and personnel as well as
consideration of possible future needs, such as plans to adopt new IPv6
technologies or virtual private networks (VPN).
k) A typical IPS/IDS alert contains information that can help you determine if an event is indeed potentially malicious. Give any four kinds of information that can be used in the determination of whether an event is potentially malicious. [4]
Answer
Executive team: This team has access to customers’ addresses and billing data.
The customers: Each customer has access to his reserved block on the file system.
i. When a customer enters/edits their billing data, it has to be protected from unauthorized access. Choose one of the following encryption schemes (explain your choice): Triple DES, RSA, AES [1]
ii. Given your choice above, write for each group which key should be
available to them (write the key type or “none”): [3]
n) The IT team has access to the system files, including sensitive files such as /etc/passwd. Describe how you prevent them from using an executive team member's credentials. [2]
o) Sales expert Alice (executive team) does not have PGP/RSA installed on her
private email client, however she does have a public/private key pair which
she uses when communicating over her corporate mail client. She wants to
send a sensitive message to sales expert Bob as she often does, however she
currently cannot use the corporate client. She considers two options:
(1) She sends this one e-mail unencrypted.
Which option poses the greater security risk? Please explain! [2]
p) Which algorithm among AES, DES and RSA would you use to secure the customers' data inside their blocks? Explain your answer. [2]