
a) Knowledge of the worm life cycle helps us build good defence mechanisms against
internet worms.
i. Give the phases in the life cycle of a computer worm. [4]
Answer

- Dormant phase
- Propagation phase
- Triggering phase
- Execution phase
ii. Explain any three effects of worms on computer security. [6]
b) Answer the following questions on Denial of Service.
i. What is denial of service (DOS) attack? [2]
Answer
A denial of service attack is an attack meant to shut down a machine or network, making
it inaccessible to its intended users.

ii. Describe the following examples of DOS. In your description suggest a possible
solution to each DOS attack [6]
Smurf

Answer

Smurf attack - In this type of attack the attacker spoofs the IP address of the victim
computer and sends a large amount of ICMP ping broadcast traffic to the network address.

*Possible solution - There are multiple strategies that can be employed to reduce the
likelihood of a Smurf attack. The first is disabling IP broadcasting at all network nodes.
Legacy devices may have IP broadcasting enabled by default, so it is necessary to go to each
one and disable it.

Ping flood,

Answer
Ping flood attack - A ping flood attack relies on the ICMP echo (ping) command, which is
normally used for testing network connectivity. In this attack ping is used to flood the
victim's computer with large numbers of packets to try to overload the system.

*Possible solution - Simply block the IP address from accessing your network.

Fraggle

Fraggle attack - A Fraggle attack is similar to a Smurf attack except that it uses the UDP
protocol instead of the TCP protocol. This attack is not widely used compared to the Smurf
attack.

*Possible solution - To prevent this attack you might want to consider blocking echo port 7
and port 19 on the firewall.

c) Describe briefly the role of signature detection. [2]

Answer
Identifying malicious threats and adding their signatures to a repository is the primary
technique used by signature-based products such as antivirus software to address software
threats levelled at your computer. These threats include viruses

e) Explain the difference between fabrication and modification attacks. [2]

Answer
Fabrication: An unauthorized party inserts counterfeit objects into the system and basically
attacks the authenticity of the system.
Modification: An unauthorized party modifies the assets of the system and basically attacks the
integrity of the system.
a) Bindura University of Science Education (BUSE) is implementing an electronic voting
(e-voting) system to elect their chancellor. Only the Faculty of Science are allowed to
vote online at a voting website that the university IT department is implementing.
What are the security attributes that need to be considered for the e-voting system? Be
specific. For instance, do not just say `confidentiality', but enumerate which (all)
kinds of information need to be kept confidential. Note that the security attributes
could go beyond the classical three used in the CIA triad.
[6]

b) Provide one example each for preventive, detective and corrective security controls,
for each of the following categories :
i. People
ii. technology
iii. operations [9]
c) The principle of `need to know' in information security advocates that each user
should have access to only as much information as needed to carry out the tasks they
are assigned, and no more (least privilege access). What are the potential shortcomings of
such an approach to security?
[3]
Answer

Whilst the least privilege principle has a range of benefits, a shortcoming of such an
approach to security is that enforcing it can be challenging without a streamlined
solution to manage all privileged accounts and users. Incorporating the principle into a more
comprehensive PAM (privileged access management) policy and platform offers a better strategy
for optimizing security against the potential risks posed by privileged

g) The Rijndael algorithm uses a byte substitution table that comes from a formula applied
to $GF(2^8)$.
i. Is it necessary to use that formula? That is, would any substitution table work?
[2]
ii. What restrictions are there on the form of the table? [2]
iii. A property of the Rijndael algorithm is that it is quite regular. Why is this both a
good and a bad property for a cryptographic algorithm? [2]
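The S-box question above can be worked through concretely. The Python below is an added example, not part of the exam paper: it rebuilds the Rijndael substitution table from the GF(2^8) multiplicative inverse followed by the affine map, and checks the properties any replacement table would still have to satisfy (a bijection so that decryption exists, no fixed points, no "opposite" fixed points). The reduction polynomial 0x11B and the constant 0x63 are the AES ones.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention.
    The multiplicative group has order 255, so a^(-1) == a^254."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def affine(x: int) -> int:
    """AES affine map over GF(2): XOR of x with four of its bit rotations, then XOR 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63


def build_sbox() -> list:
    """The Rijndael S-box: S(x) = affine(x^-1) for every byte x."""
    return [affine(gf_inv(x)) for x in range(256)]


def sbox_checks(sbox: list) -> dict:
    """Properties a substitution table must keep: invertible (bijective) and free of
    fixed points S(x) == x and opposite fixed points S(x) == x ^ 0xFF."""
    return {
        "bijective": sorted(sbox) == list(range(256)),
        "fixed_points": sum(1 for x in range(256) if sbox[x] == x),
        "opposite_fixed_points": sum(1 for x in range(256) if sbox[x] == x ^ 0xFF),
    }
```

Without the affine step the table would simply be S(x) = x^-1, which is bijective but algebraically very simple; the affine map is what removes that structure while keeping the inverse's non-linearity.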
b) Some time ago LinkedIn confirmed that it had experienced a data breach that
likely compromised the e-mail addresses and passwords of 6.5 million of its
users. This confirmation followed the posting of the password hashes for these
users in a public forum. One criticism of LinkedIn is that they used unsalted
password hashes. In this question we'll explore this criticism. Assume that each
stolen password record had two fields in it: [user_email, SHA1(password)] and
that a user login would be verified by looking up the appropriate record based
on user email, and then checking if the corresponding hashed password field
matched the SHA1 hash of the password entered by the user trying to log in.
By contrast, if LinkedIn had used a salted scheme, then each record would have
had three fields: [user_email, salt, SHA1(password+salt)] and login verification
would similarly require looking up the salt and using it when matching hashes.
Given this:

i. Suppose the attacker’s goal is to break your password via a dictionary attack. Does
the lack of salting in LinkedIn’s scheme make this goal substantially easier?
[3]
Answer
No. Because even were there a salt, the attacker knows what salt is used for a given user.
Thus, the time to create a dictionary of hashes is pretty much the same in both schemes.

ii. Suppose the attacker’s goal is to break at least half of the passwords via a
dictionary attack. Does the lack of salting in this scheme make this goal
substantially easier?
[2]
Answer
Yes. Without salting one dictionary of hashes is sufficient for searching the entire set of users.
With salting it will require a dictionary for each salt value seen.

iii. Suppose you are contacted by the attacker and given a set of password hashes
(that is, no user name, no salt). Assuming the hash function is known, is there a
measurement you could make in order to infer if the hashes are likely salted or not?
[3]
Answer
Yes. Recall that some passwords are much more popular than others. For example, the
password 123456 is used by at least 0.1% of all accounts. Thus, if you hash such passwords and
they appear disproportionately in the list then you might infer that the list is not salted.
Similarly, even without doing a hash, if you sort the hashes by frequency, in an unsalted list
you will expect that there is some hash that occurs with frequency ~0.1%, whereas in a salted
list it will be ~0.1%/2^n where n is the size of the salt in bits.

iv. It turns out that 20% of LinkedIn users with Yahoo Mail e-mail addresses
used the same password at LinkedIn as at Yahoo. You learn that, unlike LinkedIn,
Yahoo salts its passwords. Should Yahoo be concerned about the LinkedIn breach or
not? [3]

Answer

Yes. For 20% of the Yahoo users in the LinkedIn breach, their user name and password are
known to the attacker. Yahoo's salting helps mitigate a breach of their password database,
but doesn't help at all in this case.
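As an added illustration of parts i to iii (not part of the exam answers), the Python below builds a constructed population of 1000 users, 10% of whom reuse the password 123456, stores it both LinkedIn-style and salted, counts the SHA1 evaluations a wordlist test needs against each store, and applies the frequency measurement from part iii. The population, the wordlist and the 8-byte salt length are assumptions made for the example.

```python
import hashlib
import os
from collections import Counter

# Constructed population (assumption): 1000 users, 10% of them reuse "123456".
POPULATION = ["123456"] * 100 + [f"pw-{i}" for i in range(900)]
# Constructed wordlist for the dictionary test.
DICTIONARY = ["123456", "password", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_records(passwords):
    """LinkedIn-style record: SHA1(password) only."""
    return [sha1_hex(p.encode()) for p in passwords]


def salted_records(passwords, salt_len=8):
    """Salted record: (salt, SHA1(password + salt)) with a fresh random salt per user."""
    out = []
    for p in passwords:
        salt = os.urandom(salt_len)
        out.append((salt.hex(), sha1_hex(p.encode() + salt)))
    return out


def max_hash_frequency(hashes):
    """Share of the list held by the single most common hash value (part iii)."""
    return max(Counter(hashes).values()) / len(hashes)


def likely_unsalted(hashes):
    """Part iii heuristic: repeated hash values mean repeated passwords with no
    per-user salt. With an n-bit random salt two equal passwords collide only
    with probability about 2^-n, so a salted list has essentially no repeats."""
    return len(set(hashes)) < len(hashes)


def dictionary_work(records, dictionary, salted):
    """Count SHA1 evaluations needed to test the wordlist against every record
    (parts i and ii). Returns (hashes_computed, records_matched)."""
    if not salted:
        # One table of hashes serves the whole population.
        table = {sha1_hex(w.encode()): w for w in dictionary}
        return len(dictionary), sum(1 for h in records if h in table)
    hashed = matched = 0
    for salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in dictionary:  # the table has to be rebuilt for every salt
            hashed += 1
            if sha1_hex(w.encode() + salt) == h:
                matched += 1
                break
    return hashed, matched
```

For a single target user the work is the same in both schemes (part i), but across the population the salted store multiplies it by the number of distinct salts (part ii).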

c) List any five Top Cloud Security Threats of 2021. [5]


Answer
1. Cloud security issues
As more and more businesses integrate their work with the cloud, they expose themselves to
cloud-related risks.

2. Phishing attacks
One of the more common attack vectors for stealing credentials is phishing.

3. API-related breaches
The API (application program interface), which by its nature is largely open to the public
and not very up to speed with security trends, gives rise to API-based breaches focusing on
high-profile messaging apps, financial processes, and social media.

4. Human-operated ransomware
Approximately 24% of current cyberattacks occur via ransomware.

5. Administrative tools
The use of administrative tools by cyber criminals accounts for over 50% of their attack
leverage; cybercriminals use management tools and system administration tools to breach the
networks of companies. 2021 is expected to see many more attacks of this sort as IT systems
grow to become more interconnected.
d) Briefly explain what is meant by an Authentication Header (AH) and an
Encapsulating Security Payload (ESP).
[6]
Answer
Authentication Header
- Adds a new header (including a new IP header)
- Provides authentication services
- Verifies the originator of the message
- Provides an integrity check of the entire packet, including the new L3 IP header
- Provides protection against replay attacks
Encapsulating Security Payload
- Adds a new header (including a new IP header)
- Encrypts the original datagram
- Provides protection against replay attacks
Or
Authentication header
The AH is an IPsec protocol that provides data integrity, data origin authentication, and
optional anti-replay services to IP. AH does not provide any data confidentiality (Data
encryption). Since AH does not provide confidentiality, there is no need for an encryption
algorithm.
Encapsulating Security Payload (ESP)
An Encapsulating Security Payload (ESP) is a protocol within IPsec for providing
authentication, integrity and confidentiality of network packet payloads in IPv4 and IPv6
networks. ESP provides payload encryption and the authentication of a payload and its
origin within the IPsec protocol suite.

a) Answer the following on network attacks.
i. Explain TCP Syn Flooding attack briefly. [2]

Answer
A SYN flood is a common form of Denial-of-Service (DDoS) attack that can
target any system connected to the Internet and providing Transmission
Control Protocol (TCP) services (e.g. web server, email server, file transfer).

ii. Suggest a solution for ARP cache poisoning attack. [2]


Answer

- Use a Virtual Private Network (VPN): a VPN allows devices to connect to the Internet
through an encrypted tunnel. This makes all communication encrypted, and worthless for an
ARP spoofing attacker.
- Use static ARP: the ARP protocol lets you define a static ARP entry for an IP address, and
prevent devices from listening to ARP responses for that address. For example, if a workstation
always connects to the same router, you can define a static ARP entry for that router, preventing
an attack.
- Use packet filtering: packet filtering solutions can identify poisoned ARP packets by seeing
that they contain conflicting source information, and stop them before they reach devices on your
network.
- Run a spoofing attack: check if your existing defenses are working by mounting a spoofing
attack, in coordination with IT and security teams. If the attack succeeds, identify weak points in
your defensive measures and remediate them.
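The "conflicting source information" test from the packet-filtering point above, as an added example that is not part of the exam paper: a small Python checker runs over a constructed log of ARP replies, flags any sender MAC that disagrees with a static ARP entry or with the MAC first learned for that IP, and drops the flagged replies. All IP and MAC values are made up for the example.

```python
# Constructed ARP reply log (not captured traffic): (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary host
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # second MAC claims the gateway IP
    (5, "192.168.1.1", "de:ad:be:ef:00:99"),
]

# Static ARP entries for devices that never change (assumed values), as the answer suggests.
STATIC_ARP = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_conflicts(replies, static_table):
    """Return (timestamp, ip, mac, reason) for every reply whose sender MAC conflicts
    with a static entry or with the MAC first learned for that IP."""
    learned = dict(static_table)
    alerts = []
    for ts, ip, mac in replies:
        if ip in static_table and mac != static_table[ip]:
            alerts.append((ts, ip, mac, "conflicts with static ARP entry"))
        elif ip not in learned:
            learned[ip] = mac          # first claim for this IP is trusted
        elif learned[ip] != mac:
            alerts.append((ts, ip, mac, f"changed from {learned[ip]}"))
    return alerts


def filtered(replies, static_table):
    """Packet-filter view: pass only the replies detect_conflicts did not flag."""
    bad = {(a[0], a[1], a[2]) for a in detect_conflicts(replies, static_table)}
    return [r for r in replies if r not in bad]
```

Without the static table the checker still catches the change at timestamp 4, because the first learned MAC for the gateway differs from the later claim.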

iii. Give names of two attacks at the network layer. [2]


Answer

- Spanning Tree Protocol (STP) attacks
- Address Resolution Protocol (ARP) attacks
- Media Access Control (MAC) spoofing
- Virtual LAN (VLAN) hopping

b) Answer the following questions on Wi-Fi Security


i. Describe how a man-in-the-middle attack may be performed on a Wi-Fi
network and the consequences of such an attack. [6]

Answer
In a man-in-the-middle attack the attacker sets up a bogus access point:
- The bogus access point identifies a real corporate access point in advance.
- When a corporate laptop sees the bogus access point and tries to associate to it, the
bogus access point copies all the messages it receives to the valid corporate access
point, substituting its own Medium Access Control (MAC) address for the source
address.
- The bogus access point copies all the messages received from the valid access
point back to the mobile device, again substituting its own Medium Access
Control (MAC) address for the source address. This intervention is possible even
when the data is encrypted and without the enemy knowing the secret keys.

c) An access attack is an attempt to access another user account or network device
through improper means. As a network administrator you are responsible for ensuring
that only authorized users access the network. Unauthorized attacks are attempted via
four means, all of which try to bypass some facet of the authentication process.
Give the four attacks. [4]
Answer

- Password attacks
- Port redirection
- Man-in-the-middle attacks
- Trust exploitation
- Packet sniffers
- Denial of Service (DoS) attacks

f) James and Alexander are having another debate about computer and
network security. James says that it is the job of security professionals
to find all vulnerabilities and every threat and make sure the system is
always 100% secure. Do you agree with James? You should explain your
answer with nine reasons. [10]
Answer
- It is not possible to find all vulnerabilities and threats.
- It is prohibitively expensive to mitigate all of them.
- Many threats and vulnerabilities are non-technical.
- A risk-based approach is needed.
- A risk-based approach examines the likelihood and impact of potential security
incidents.
- A risk-based approach determines which risks are the highest.
- Those identified as low risk can be accepted.
- High risks can be controlled or transferred.
- Estimating the cost of an incident against the cost of controlling it is one way of
deciding.

g) A denial of service (DoS) attack is an incident in which a user or
organization is deprived of the services of a resource they would
normally expect to have.
h) Describe any two forms of DoS attack. [4]
Answer

- DoS attacks based on volume: The goal of this attack is to saturate the bandwidth of the
affected site, and its magnitude is measured in bits per second. This type of attack includes
spoofed-packet floods, ICMP floods and UDP floods.

- DoS attacks based on the protocol: The goal of this attack is to consume the resources
of real servers or of the components used for intermediate communication, such as
load balancers and firewalls. The transmission rate is measured in packets per second. This
type of attack includes Ping of Death, Smurf denial of service, SYN floods, and
fragmented packet attacks.

- DoS attacks on the application layer: The aim of the attack is to bring down the web
server, and it is measured in requests per second. It has specific targets such as
Apache, OpenBSD and Windows. Examples of these attacks are GET/POST floods and
low-and-slow attacks.

i) Due to the nature of how mobile devices function, they tend to have
unique vulnerabilities when compared to desktops and servers, each with
its own built-in defences, attack vectors, and threats. Describe the
following problems.
i Physical Access [3]
Answer

Physical access
Mobile devices are small, easily portable and extremely lightweight. While their diminutive size
makes them ideal travel companions, it also makes them easy to steal or leave behind in airports,
airplanes or taxicabs. As with more traditional devices, physical access to a mobile device equals
"game over."

ii Data Privacy and Security Concerns [3]


Answer
iii Mobile Risks and attacks [3]
i) The Zimbabwean government recently proposed that the Cybersecurity
and Cybercrimes Bill will now incorporate the draft Data Protection Bill
and the Electronic Transactions and Electronic Commerce Bill. Describe
the incorporated bills and explain the significance of the incorporation
to the general populace of Zimbabwe.
[11]
j) Firewall rules can be customized as per your needs, requirements and security
threat levels. You can create or disable firewall filter rules based on such
conditions. Explain any five conditions that can be used. [10]

Answer
There are many considerations that organizations should include in their
firewall selection and planning processes. Organizations need to determine
which network areas need to be protected, and which types of firewall
technologies will be most effective for the types of traffic that require
protection. Several important performance considerations also exist, as well as
concerns regarding the integration of the firewall into existing network and
security infrastructures. Additionally, firewall solution design involves
requirements relating to physical environment and personnel as well as
consideration of possible future needs, such as plans to adopt new IPv6
technologies or virtual private networks (VPN).
k) A typical IPS/IDS alert contains information that can help you determine if an
event is indeed potentially malicious. Give any four kinds of information that
can be used in the determination of whether an event is potentially malicious.
[4]
Answer

l) Management has consulted you on which operating system to use between
Windows and Linux, and you recommend the use of Linux. Explain any three
key factors that underlie Linux's superior security:
[6]
Answer
The differentiator is that Linux is open source.
Linux is the most secure operating system.
Windows users "are generally given administrator access by default, which means they pretty
much have access to everything on the system."
m) You are responsible for the security of cloud storage and computing service.
Naturally, you need to protect your customers’ data by fully encrypting their
reserved blocks on your server. You distinguish:
IT team: This team has access to the server and all system files for maintenance.

Executive team: This team has access to customers’ addresses and billing data.
The customers: Each customer has access to his reserved block on the file system.
i. When a customer enters/edits their billing data, it has to be
protected from unauthorized access. Choose one of the following
encryption schemata (explain your choice): Triple DES,RSA,AES
[1]
ii. Given your choice above, write for each group which key should be
available to them (write the key type or “none”): [3]
n) The IT team has access to the system files, including sensitive files such as
/etc/passwd. Describe how you prevent them from using an executive team
member's credentials. [2]
o) Sales expert Alice (executive team) does not have PGP/RSA installed on her
private email client, however she does have a public/private key pair which
she uses when communicating over her corporate mail client. She wants to
send a sensitive message to sales expert Bob as she often does, however she
currently cannot use the corporate client. She considers two options:
(1) She sends this one e-mail unencrypted.

(2) She uses an online encryption/decryption service she found at www.isilver.com,
where she can submit the message and Bob's public key and receives a cipher text
which she sends to Bob. Bob can likewise decrypt the cipher text by uploading it
together with his private key to the same site.

Which option poses the greater security risk? Please explain! [2]

p) Which algorithm among AES,DES and RSA would you use to secure the
customers’ data inside their blocks? Explain your answer. [2]

q) Address the following questions concerning cookies.

i. How do HTTP cookies work in general?
[3]
ii. Can HTTP cookies be used to exchange personal
information?
[2]
r) A virtual private network (VPN) is a network that uses public means of transmission
(Internet) as its WAN link and a well-designed VPN uses several methods for keeping
your connection and data secure. Give any five ways that can be employed to keep a
connection secure. [5]
