Is2109 2024
Index Number
• Calculators and any electronic device capable of storing and retrieving text, including electronic dictionaries, smart watches and mobile phones, are not allowed.
• Do not tear off any part of this answer book. Under no circumstances may this book, used or unused, be removed from the Examination Hall by a candidate.
1. (a). Suppose Nadaraja is developing an IoT-based weather monitoring system. This system contains several IoT devices deployed over a large area. It has also been observed that data sent by some of the IoT devices is not accurate.
Suranjith, a competitor, is also interested in the data for developing a weather forecasting system. Furthermore, Suranjith has not deployed any IoT devices.
In the left column, you are provided with some actions taken to make a robust and secure system. You are required to identify the most appropriate information security goal or concept for the given action and write them in the second column.
Each answer is unique. In other words, the same answer cannot be used twice.
[20 marks]
| Scenario | Information security concept or goal |
|---|---|
| Make sure the system has capacity and capability to store all collected temperature data. | |
| Verify the exact data sent by the IoT sensors are received by the receiving end. | |
| Preventing data from being leaked to Suranjith since this data is valuable. | |
| Prevent manufacturers of malfunctioning IoT devices from denying that inaccurate data was sent by their devices. | |
| Implement a mechanism to identify malfunctioning IoT devices. | |
| Allowing the temperature sensor to only write temperature values to the corresponding temperature table in the database. | |
| Providing the assigned device name of the device to the central system in pairing. | |
| Verifying that the received data was sent by the claimed device and ensuring the accuracy of the received data. | |
| Challenging a newly added device to provide the secret code to establish connection with the central system. | |
| The system is designed such that every system, user, or processor must obtain the necessary security clearance before executing any operation. | |
(b). You are given descriptions of attacks in the left column. Identify the correct name for each attack and write it in the corresponding column on the right. Your answers should be based on RFC 4949.
[10 marks]
| Attack technique | Name of the attack |
|---|---|
| Switching off the Closed-Circuit Television (CCTV) by gaining physical access. | |
| Gaining access to sensitive data by launching a series of brute force attacks. | |
| Revealing how the information is being processed by disassembling and analyzing the design of a system component. | |
| Reasoning from known facts or premises to reach new conclusions or predictions. | |
| The secret service listening to communication between two social activists. | |
| Obtaining sensitive data from discarded mobile devices. | |
| An adversary pretends to be the CEO of the company and asks the security operator to reset the password. | |
| An act of God that alters system functions or data. | |
| Unauthorized modifications to software programs, which can introduce backdoors into systems. | |
| A circumstance or event that results in control of system services or functions by an unauthorized entity. | |
2. In the left column, you are given information about systems that were designed based on some security principles. You are required to identify and write down the relevant information security design principle for each of these information systems in the corresponding column on the right. The same answer could appear more than once.
[20 marks]
3. (a). Advise Alice on how to send a message such that anyone can read it, verify that it is from Alice, and be sure that everyone receives the same message.
[5 marks]
(b). Suppose Bob is the president of a country, and he wishes to listen to the citizens of the country. His sole requirement is that messages sent by the citizens should not be seen by anyone other than Bob. Advise Bob on how to receive messages from the citizens in a manner that ensures only Bob can read them.
[5 marks]
(c). Design a very efficient system that guarantees message integrity and confidentiality. The proposed system should not suffer from the key distribution problem.
[5 marks]
[5 marks]
(e). Encrypt the following message using the Playfair cipher. The keyword is “Gravity Falls” and the message to be encrypted is “Attack the enemy camp”.
[5 marks]
4. (a). Using a 2x2 matrix, discuss how an organization can reduce the level of risk to its information assets by modifying the attack surface and defense layers. Provide an example that encompasses all three elements.
[4 marks]
(b). List four (4) countermeasures that could be used to protect individuals from human vulnerabilities.
[8 marks]
(c). Shantha, a junior cybersecurity officer at a multinational bank, noticed a massive data leakage just before leaving the office. He promptly turned off the computers and left the building.
In response to Shantha’s actions, the bank requests that you create a policy outlining how to handle similar situations in the future. What are the possible contents of this policy and how would you name it? You should not focus on preventing the attack. Your focus should be on how to react when you notice a similar attack.
[5 marks]
(d). Briefly discuss the importance of cookies and the value of cookies for a forensic examiner.
[4 marks]
(e). There are four major types of threat actions that lead to unauthorized disclosure of information. Provide examples for each of these four (4) types of attacks.
[4 marks]
Glossary of Terms
Access Control (AC), Active Attacks, Adversary (Threat Agent), Assurance, Attack, Attack Surfaces, Attacks, Audit and Accountability, Authentication, Awareness and Training (AT), Certificates, Communication Facilities, Complete Mediation, Computer Security, Computer Security Challenges, Computer Security Strategy, Confidentiality, Configuration Management, Consequences, Contingency Planning, Corruption, Countermeasure, Cryptanalysis, Data, Deception, Economy of Mechanism, Encapsulation, Environmental Protection, Evaluation, Exposure, Fail-safe, Falsification, Frameworks, Fundamental Security Design Principles, Harm, Hardware, High, Identification, Incapacitation, Incident Response, Inference, Information Resources, Information System, Infrastructure, Infrastructure Protection, Integrity, Interception, Intrusion, Isolation, Laws, Layering, Least Astonishment, Least Common Mechanism, Least Privilege, Levels of Impact, Low, Maintenance, Masquerade, Media Protection, Misappropriation, Misuse, Moderate, Modularity, Network, Networks, Obstruction, Open Design, Passive Attacks, Penetration, Personnel Security, Planning, Policies, Psychological Acceptability, Regulation, Repudiation, Reserve Engineering, Resource Protection, Reverse Engineering, Risk, Risk Assessment, Security, Security Assessments, Security Policy, Separation of Privilege, Service, Software, Standards, System and Communications Protection, System and Information Integrity, System and Services Acquisition, System Resource (Asset), Systems, Trespass, Theft of Data, Theft of Functionality, Theft of Service, Threat, Threats, Training, Unauthorized Disclosure, Usurpation, Vulnerabilities, Vulnerability, Zero Trust, Proof Knowledge