Lecture 1:

(MCQ)
1. Which factor of authentication is described as “something you are”?
a) Knowledge factor
b) Possession factor
c) Biometric factor
d) Location factor
2. An advertising email sent to a company’s customers in which the “From:
line shows the email address of every customer”. This is a breach of:
a) Confidentiality
b) Integrity
c) Availability
d) Authentication
3. Hundreds of businesses receive emails claiming to come from international
courier companies. The emails contain links to online forms where import
duties can supposedly be paid on parcels entering the country. A number of
these organizations follow the link and are defrauded by criminals. This
scenario is considered as:
a) Targeted attack
b) Untargeted attack
c) Insider attack
d) Passive attack
4. Which of the following best describes a vulnerability?
a) A potential attack from a hacker
b) A type of malware designed to steal information
c) A weakness in a system that can be exploited
1
d) A tool for protecting networks
5. What is the main purpose of multi-factor authentication (MFA)?
a) To restrict user access to a single device
b) To enhance security by requiring more than one form of verification
c) To ensure that passwords are updated regularly
d) To simplify user login processes
6. What is considered an asset in the context of cybersecurity?
a) Any hardware or software that is vulnerable to attack
b) Any resource, data, or information that is valuable to an organization
c) A type of malware used in phishing attacks
d) A network protocol used to transmit sensitive data
7. What is the main difference between authentication and authorization?
a) Authentication verifies who you are, while authorization determines what
you can access
b) Authentication checks passwords, while authorization checks encryption
c) Authorization provides access, and authentication verifies encryption
d) Authentication grants access, while authorization limits permissions

2
(T or F)
1. Email addresses are the most used form of computer identity; they are
familiar and relatively simple to remember, and they can be reused on many
different systems. However, users lose control of their identity if an attacker
compromises the email account. (T)
2. Reusing an email identity across several systems potentially makes that
identity vulnerable in multiple systems. (T)
3. TrustedBank offers an online banking service that allows people to access
their accounts through a web browser. Every user has an account number,
an online password, as well as a small hardware token to generate random
PINs. In the login process, the user must provide an account number,
password, and a PIN from the token. In this case the TrustedBank uses
Single Factor Authentication. (F)
4. A critical asset is an asset without which an individual or organisation cannot
function. For instance, a bank’s customer account database is a critical asset
to that bank; the loss of, damage to, or inability to access the database would
prevent the bank from functioning. (T)
5. An organizational vulnerability encompasses weaknesses in the design,
implementation, and configuration of technical components, such as
unnecessary open network ports on an organization's internet-facing
firewall, weak access controls, and unencrypted sensitive data. (F)
6. A vulnerability is a weakness in an asset or the security of a system that can
be subjected to threats in an attack. (T)
7. Multi-Factor Authentication (MFA) generally uses only one form of
authentication for added security. (F)
8. Common Vulnerabilities and Exposures (CVE) is a resource that publicizes
known technological vulnerabilities. (T)
9. Passive attacks attempt to make changes in a system, while active attacks
focus on learning and understanding information without affecting the
system's state. (F)
10.Environments in which human factors are considered are more secure
against cyber security threats. (T)

3
11.An advertising email sent to a company’s customers in which the “From:
line shows the email address of every customer”. This is a breach of
Availability. (F)
12.A bug in an online shopping service results in customers being able to access
other people’s accounts and make orders using their payment cards. This is
a breach of confidentiality and integrity. (T)
13.An unhappy worker makes copies of confidential medical records with the
intention of selling them to a newspaper. This could be considered as insider
human threat. (T)
14.Hundreds of businesses receive emails claiming to come from international
courier companies. The emails contain links to online forms where import
duties can supposedly be paid on parcels entering the country. A number of
these organizations follow the link and are defrauded by criminals. This
scenario is considered as Targeted attack. (F)
15.An employee takes confidential employee records home to work on
promotion cases over the weekend. The employee’s car is stolen with the
records inside. This could be considered as an insider threat. (T)
16.The biometric authentication uses a unique aspect of an individual user such
as fingerprint or face and is described as “something you are”. (T)
17.Single-Factor Authentication (SFA) is considered more secure than Multi
Factor Authentication (MFA). (F)
18. Out-Of-Band Authentication (OOBA) involves the exchange of a
confidential factor using a single channel. F 4. In cyber security, assets refer
to anything that has value (not necessarily financial value) to an individual
or organization. (T)
19.In cyber security, assets refer to anything that has value (not necessarily
financial value) to an individual or organization. (T)

4
Short Questions
1. Whenever you use a computer system, it is not enough for you to claim an
identity, you must prove that identity using a further piece of information
called a factor. Cyber security specialists agree on three distinct factors of
authentication. Identify these factors with a brief description for each one.
OR
When using a computer system, simply claiming an identity is insufficient;
you must verify that identity with an additional piece of information, known
as a factor. Cybersecurity experts recognize three distinct authentication
factors. Identify these factors and provide a brief description for each.
OR

Authentication is the process of verifying the identity of a user, system, or

entity. Cyber security specialists agree on a list of distinct authentication
factors. Identify these authentication factors.

Answer:
1. The knowledge factor (i.e., something you know). This is something that can
be recalled from your memory such as PIN number.
2. The possession factor (i.e., something you have). These factors consist of
physical objects including physical keys and smart ca
3. The biometric factor (i.e., something you are). This final factor uses a
supposedly unique aspect of an individual user such as a fingerprint or facial
proportions.
4. The location factor (sometimes described as ‘somewhere you are’).
5. The activity factor (sometimes described as ‘something you do’).

5
2. A critical asset is an asset without which an individual or organisation cannot
function. For instance, a bank’s customer account database is a critical asset
to that bank; the loss of, damage to, or inability to access the database would
prevent the bank from functioning. The following three scenarios each
contain one or more assets. Identify the assets and decide if each asset is
tangible or intangible
1. A lightning strike causes a fire at the headquarters of a tech company. All the
data is safely backed up to the cloud, but the building and its contents are
completely destroyed.
2. The recipe for a brand-new beverage, unreleased, is accidentally posted on
the company’s public website. Thousands of people read the page before it is
taken down.
3. Luggage containing a prototype microchip and a USB flash memory drive
containing the design files for the processor are lost by Oceanic Airlines.

Answer:
1. The building and contents, such as computers and furniture, are tangible
assets.
2. The recipe is an intangible asset – it is a type of information.
3. The microchip is a physical asset, as is the USB drive. The design files are an
intangible asset – again they are a type of information.
3. An attack can be defined as an ‘attempt to destroy, expose, alter, disable,
steal or gain unauthorized access to anything that has value to the
organization. Based on your understanding briefly describe the following
terms: Passive attack, Active attack, Targeted attack, Untargeted attack.

Answer:
• Active attack: an attempt to make changes in a system – such as by stealing
or destroying data – or to impact its operation – such as a denial-of-service
attack.
• Passive attack: an attempt to learn, understand or make use of information
without directly impacting the state of a system resource
6
 • Targeted attack: aims at a specific organisation, in which the attacker
posing the threat has interests.
• Untargeted attack: involves indiscriminate attacks on organizations.
4. Email addresses are the most used form of computer identity; they are
familiar and relatively simple to remember. Users can reuse them on many
different systems. Briefly discuss the downsides of an email address as an
identity.
Answer:
• User losing access to that identity if they lose access to that email address
(such as by changing job or their email provider closing down).
• Reusing an identity across several systems potentially makes that identity
vulnerable in multiple systems.
• Losing control of the identity if an attacker compromises the email account
• Email addresses are effectively public, making that identity also public.
5. A vulnerability is a weakness in an asset or the security of a system that can
be subjected to threats in an attack. Based on your understanding provide a
comparison between the technological vulnerability and the organizational
vulnerability.

Answer:
• A technological vulnerability includes weaknesses in the design,
implementation, and configuration of technical components such as hardware
or software: for example, network ports on an organization’s internet-facing
firewall that are open unnecessarily, weak access controls and important data
that is unencrypted.
• An organizational vulnerability includes weaknesses associated with people,
processes, and procedures: for example, no cyber security training for staff,
poor password policies and allowing personal devices to connect to a corporate
network.

7
6. What is the main purpose of an audit in cybersecurity?

Answer:
The main purposes of an audit in cybersecurity are to:
- identify vulnerabilities, threats, and risks to an organization.
-verify that an existing security strategy meets the organization's requirements.
-ensure employee compliance with security policies.
-identify unnecessary software and hardware.
-identify new threats introduced during organizational and technological
changes.
7. Briefly discuss the difference between Single-Factor Authentication (SFA)
and Multi-Factor Authentication (MFA).
Answer:
Single-Factor Authentication (SFA): Authentication performed using only
one factor. Almost all personal computers use SFA for day-to-day login:
either a password or a biometric factor. Multi-Factor Authentication (MFA)
requires more than one form of authentication. MFA is considered more
secure simply because it is generally less easy for an attacker to obtain two
authentication factors than just one. Most systems implementing MFA
choose different types of factors – many online services use a password
(‘something you know’) and a PIN delivered by SMS to a mobile phone
(‘something you own’).
8. Advanced Persistent Threat (APT) is a form of attack utilizing multiple
attack vectors over an extended period to compromise a system. It requires
high levels of investment in time and money; consequently, they have
traditionally targeted ‘high value’ systems belonging to governments and
major corporations. Cyber security experts identify several phases in an
APT. List three of them with a brief description.
Answer:
1. Gain access: Access is often performed through a malware attack or by
social engineering attacks such as phishing and spear phishing.

8
2. Establish a foothold: Once the attackers are inside a system, they attempt
to secure continued access in the event their original attack is discovered or
rendered useless.
3. Escalate privileges: The attackers attempt to gain greater control of their
target computers by increasing their level of access – they ‘escalate their
privileges’.
4. Perform reconnaissance: The attackers use their newly acquired
privileges to explore the network hosting the compromised computer (a
passive attack). They identify network connections and the purposes of
individual computers and learn about users, installed software and any
security processes that are in place.
5. Move laterally: This reconnaissance is used to compromise further
computers and user accounts. This lateral spread through an organisation
can be performed by malicious software taking advantage of flaws in
networking software.
6. Maintain presence: All this effort would be wasted if the attackers cannot
remain inside the target system.
7. Complete the mission: The weeks, months and sometimes years spent on
the earlier steps are for a reason. The APT ends when the attackers achieve
their aim, such as stealing or destroying data.

9
Problem Solving
1. Attacks can be classified as targeted or untargeted. Based on your
understanding, determine the type of attack described in each of the
following scenarios:
1. Hundreds of businesses receive emails claiming to come from
international courier companies. The emails contain links to online forms
where import duties can supposedly be paid on parcels entering the
country. A number of these organizations follow the link and are
defrauded by criminals.
2. A contractor, claiming to work for a heating company, is left
unsupervised to perform routine maintenance on radiators in a secure
office space. A few days later, a routine audit shows that confidential
design documents were copied to a removable disk during that time.
3. A determined group of hackers conducts extensive research to identify
a vulnerable entry point in an international corporation. They discover
an employee with access to critical systems who frequently travels for
work. The hackers send a carefully crafted spear-phishing email that
appears to be from a trusted colleague within the organization. The email
contains a seemingly innocuous attachment that, once opened, installs a
backdoor into the corporate network. Over several months, the hackers
accurately gather sensitive intellectual property and customer data, with
the goal of selling this information to a competitor.

Answer:
1. Untargeted attack
2. Targeted attack
3. Targeted attack

10
Lecture 2:
(MCQ)
1. Insider threats are often more dangerous because:
a) They rely on external tools to perform attacks
b) Insiders have legitimate access to sensitive systems
c) They can only attack through external networks
d) They do not require physical access to systems
2. Social engineering attacks primarily target which aspect of system security?
a) Hardware vulnerabilities
b) Software exploits
c) Human behavior
d) Network vulnerabilities
3. What is the primary purpose of patching in cybersecurity?
a) To remove unused software from the system
b) To enhance system performance
c) To fix vulnerabilities and improve security
d) To increase user access to the system
4. In the context of risk management, what is the primary goal of a risk
assessment?
a) To eliminate all potential risks
b) To enforce compliance with security policies
c) To enhance user productivity
d) To identify, assess, and prioritize risks based on impact and likelihood

11
 5. Which security objective is compromised when an insider steals sensitive
data?
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

(T or F)
1. Risk assessment involves understanding business operations, detailing responses,
considering continuity preparations, and providing an exercise framework.
(T)
2. The six principles of social engineering include reciprocity, scarcity, and
authority. (T)
3. It is not necessary to consider the risks of continuing to use obsolete equipment
and no need to plan for its replacement. (F)
4. To reduce the risk of zero-days vulnerabilities, patches should be installed as
widely as possible and as soon as possible. (T)
5. Unintentional Insider Threats (UITs) occur when employees inadvertently
compromise an organization's security, without malicious intent. (T)

Short Questions
1. Once a risk has been identified and quantified, it can be classified into one
of three categories. Discuss these categories briefly.

Answer:
1. Acceptable: in this category, the risk has limited to no impact on the
organization.
2. Tolerable: The risk has been contained and is either 'As Low As Reasonably
Possible' (ALARP) or 'As Low As Reasonably Achievable' (ALARA).
3. Intolerable: The part of the system at risk needs to be abandoned or
replaced since the risk poses an existential threat. If this is not possible, then
vulnerabilities need to be eliminated wherever possible.
2. Define “insider threat” and provide an example.
12
 Answer:
An insider threat refers to a threat that comes from individuals within the
organization who have authorized access to the systems and data. Examples
include employees who commit fraud, improperly access confidential data,
or sabotage computer systems.

3. What is the 'risk triangle' and how does it relate to cybersecurity? Answer:
The risk triangle illustrates the inter-relationship between risks, assets,
threats, and vulnerabilities. For a risk to exist, there must be assets to
protect, threats that could exploit vulnerabilities, and vulnerabilities in the
system.
4. There is an almost unimaginable variety of social engineering attacks,
but they can be broadly classified into a set of attack vectors. Mention these
attack vectors with a brief description.
Answer:
• Phishing: untargeted attempts to solicit personal information from a
victim.
• Whaling: spear-phishing aimed at senior executives in an organization.
• Vishing (voice phishing): is a related attack vector where the attacker
solicits information from the victim in a phone call.
• Smishing: conducts the attacks using messaging services such as SMS.

5. Penetration testing (a.k.a., pentesting) is widely used to test organizational

security. During a penetration testing, attackers are authorized to try and
break security controls, exposing weaknesses in order to better understand
the risks, and more appropriate controls put in place. Pentesting is divided
into three categories based on the amount of knowledge the testers have
about the system they are examining. Identify these pentesting categories
with a brief description for each one.

Answer:

13
 1. Black box, the pentesters are given no information about the target
system.
2. Gray box, the pentesters are given a partial view of the system.
3. White box, the pentesters are given comprehensive information about a
system.

Problem Solving
Social engineering relies on exploiting vulnerabilities in humans rather than
machines. Each of these two fictional social engineering scenarios uses at least
one of the social engineering principles. Identify and discuss the principles based
on the following scenarios.
1. Alice receives an email claiming to come from Mallory, who recently left for a
competitor organisation. The email tells Alice that not only is Mallory earning
much more money and now has a new car but also that there is a similar position
opening soon. Competition for the new job is going to be very strong and the place
will not be open for very long, so Mallory strongly recommends Alice completes a
personal application form linked from the email.

Answer:
It uses two principles – Liking (Alice and Mallory are friends) and Scarcity (the
position is not going to be advertised for very long). Alice should make contact with
Mallory, preferably using another form of communication such as a phone call, to
check if the message actually came from her.

2. Bob works in an organisation where availability of assets is crucial. Following a

recent security alert, a major software upgrade must be performed that will require
a brief interruption in service. Shortly before the work is scheduled to start, Bob

14
 receives a phone call and is told by someone claiming to be a senior company official
that the work must be delayed.

Answer:
This scenario uses the principle of Authority. Bob receives a phone call from a
supposed manager who has seniority over Bob. In actuality, it could well be an
attacker impersonating a manager – Bob really had better check with his managers
to see if the upgrade has been delayed.

Lecture 3:
(MCQ)

15
 1. Which of the following cryptographic attacks involves capturing and reusing
a legitimate communication session to impersonate a user?
a) Replay attack
b) Dictionary attack
c) Man-in-the-middle attack
d) Side-channel attack

(T or F)
1. A stream cipher encrypts one block at a time, making it faster than a block
cipher. )F(
2. Each component of a system must be secured individually to achieve complete
system security. (T)
3. A block cipher encrypts one bit or byte at a time, making it faster than a stream
cipher. )F(
4. Reverse engineering is a process in which software is constructed to extract
design information from it. )F(

Short Questions
1. Identify and briefly explain three limitations of symmetric encryption systems.
Answer:
16
 1. Susceptibility to Brute-Force Attacks:
✓ Symmetric encryption relies on a single key for both encryption
and decryption. If an attacker can guess or brute-force the key,
they can decrypt the data.
2. Key Distribution Problem:
✓ Securely sharing the symmetric key between sender and receiver
can be challenging, especially over insecure channels. If the key is
intercepted, the encryption is compromised.
3. Multiple Key Problem:
✓ In a large network with many participants, each pair of users needs a
unique symmetric key, leading to a large number of keys that need to be
managed and securely stored.

2. Interception is the act of preventing someone or something from reaching the

intended destination in an uncompromised manner. How does interception
affect the confidentiality of information in transit?

Answer:
Interception breaches confidentiality by allowing unauthorized entities to
access information during its transmission. This can occur through monitoring
communication channels or gaining access to system resources, ultimately
compromising the confidentiality of the information being transmitted.

Problem Solving
1. Suppose that Alice wants to send a confidential document to Bob. She contacts
Bob and requests his public key. Shortly after, Alice receives an email from Bob

17
 that contains his public key. However, Alice is concerned that someone, possibly
Eve, could be eavesdropping and might carry out a man-in-the-middle (MITM)
attack, intercepting Bob’s email, as shown in Figure 1. If Eve successful conducts
this attack, she could replace Bob’s key with her own public key. In such a
situation, If Alice sends the encrypted document to Bob, how can she ensure that
Eve cannot intercept and decrypt the confidential document?
Answer:
Alice can mitigate the risk of Eve intercepting and decrypting the document by
relying on a trusted third party to verify Bob's public key:
1. Using a well-known and trusted certificate authority that vouch for the
authenticity of public keys. In this scenario, the certificate authority would
authenticate Bob's public key, providing public trust in its distribution (e.g.,
DigiCert, Entrust, and GoDaddy)
2. Establishing trust through a concept known as a web of trust, where users
personally verify and endorse each other's keys, forming a decentralized network
of trust.

Lecture 4:
(MCQ)

18
2. Which cryptographic attack that target Key strength by trying all possible
combinations?
a) Brute-Force Attack
b) Dictionary Attack
c) Rainbow Attack
d) Man-in-the-Middle Attack
3. In asymmetric cryptography, which key is used to decrypt a message?
a) Private key
b) Symmetric key
c) Public key
d) Session key
4. Which cryptographic attack involves using a collection of well-known passwords
and guessable passwords?
a) Brute-Force Attack
b) Dictionary Attack
c) Rainbow Attack
d) Man-in-the-Middle Attack
5. Which of the following protocols is used for key exchange in asymmetric systems?
a) AES
b) DES
c) Diffie-Hellman
d) MD5

6. In asymmetric cryptography, what is used to encrypt data?

a) Private key

19
 b) Public key
c) Symmetric key
d) Hash function
7. What is a nonce used in cryptographic communications?
a) Encrypting data
b) Decrypting data
c) Ensuring message freshness
d) Hashing data

(T or F)
1. Public Key Infrastructures (PKI) play a crucial role in ensuring non-
repudiation and authentication of digital signatures in asymmetric
cryptography. (T)
2. WhatsApp uses end-to-end encryption based on "The Signal Protocol". )T(
3. Hashing generates a fixed-length hash value used for data confidentiality and
doesn't require a key, unlike encryption and decryption. )F(

Short Questions
1. Explain the concept of 'freshness' in cryptography and why it is important.

Answer:
Freshness in cryptography refers to the assurance that a message is recent
and not a replay of an old message. It is important to prevent replay attacks where
an attacker intercepts and retransmits a valid data transmission to deceive the
receiver into thinking it is a new communication.

Lecture 5:
(MCQ)
1. Which of the following is a key aspect of server hardening?

20
 a) Disabling encryption
b) Installing unnecessary software
c) Updating and patching the operating system regularly
d) Reducing password complexity
2. In a Role-Based Access Control (RBAC) model, which of the following is true? a)
Users can directly manage access controls.
b) Access is granted based on user roles.
c) Access is always mandatory and predefined by the system.
d) Access control lists are used to specify permissions.
3. Server hardening is the process of securing a server’s configuration and settings
to:
a) Increase network traffic
b) Reduce IT vulnerability
c) Enhance user experience
d) Improve server performance
4. NOT(A multi-server operating system) the correct question (The basic OS add
all components in a trusted boundary. The trusted boundary ensures that the
user is authenticated and authorized to access the entire system.) places all the
components within a single trust boundary. This trusted boundary ensures that
the user is:
a) Authenticated and authorized to access the entire system
b) Only authenticated to access specific components
c) Restricted from accessing any part of the system
d) Able to bypass security protocols

(T or F)
1. Discretionary Access Control (DAC) is well-suited for systems with a large
number of users. (F)

21
 2. A multi-server operating system places all the components within a single trust
boundary. This trusted boundary ensures that the user is authenticated and
authorized to access the entire system. (F)
3. Server hardening is the process of securing a server’s configuration and settings
to reduce IT vulnerability. (T)
4. Virtualization allows multiple operating systems to run on one physical server.
(T)

Short Questions
1. A password manager is a software application or service designed to securely
store and manage passwords for various online accounts. It typically works by
storing encrypted passwords in a centralized vault, accessible to the user with a
single master password or passphrase. Summarize the advantages and risks
associated with password manager software.

Answer:
Advantages:
• Easier to generate and use more secure passwords.
• No reuse of passwords across multiple information systems.
• Users no longer need to remember individual passwords.
• If used by an organization, it makes it easier to ensure password policy is being
adhered to.
Risks:
• Password managers are software tools and might have security vulnerabilities
that compromise the confidentiality of the users’ passwords.
• Users may need additional support to adopt and effectively use password
manager tools.
• Password managers are an attractive target for attackers as success means
access to all the user’s passwords.
• Losing master password will prevent a user from using any of the stored
passwords.

22
2. Define 'Mandatory Access Control' (MAC) and provide one advantage and one
disadvantage of this model.
Answer:
Mandatory Access Control (MAC) is an access control policy uniformly enforced
across all subjects and objects within an information system, where subjects are
constrained by fixed policies.
Advantage: High levels of security since every subject and object must have a
sensitivity label.
Disadvantage: Difficult to implement and manage due to the need to assign
correct sensitivities to potentially a large number of objects.

3. Passwords are a basic element of authentication approaches. It is common to use

straightforward passwords that can be guessed or hacked. Organizations often
adopt a password policy to ensure that passwords provide a certain level of
security. Specify the key elements of a password policy.
Answer:
• minimum password length, typically 8 characters
• the required mix of alphabetic, numeric and symbol characters
• the lifetime of a password before it must be changed
• words that cannot be used as a password or part of a password
• prevention of the reuse of previous passwords.
4. What is a monolithic operating system, and what are some advantages and
security concerns associated with it?
Answer:
A monolithic operating system is a type of OS architecture in which core OS
components are grouped within a single kernel that operates within a trust
boundary, accessible only by
system administrators or root users. This structure separates applications and
system functions, isolating user applications to prevent unauthorized data access
or modification.
Advantages of a monolithic OS include improved performance, as all OS
functions are combined in a single environment. However, a key security concern
is vulnerability to privilege escalation attacks; if an attacker gains root access,

23
 they have full control over the system. This architecture is still widely used by
popular operating systems like Linux, Windows, and macOS.

Problem Solving
5. Mandatory Access Control (MAC) is an access control policy that is uniformly
enforced across all subjects and objects within the boundary of an information
system. Based on your understanding of MAC, answer the following questions:
1. In the context of MAC, sensitivity is a label assigned to every object and
subject outlining what restrictions are placed on it. Whenever a subject
requests access to an object, the system uses a pair of rules to compare the
subject’s sensitivity to the object, discuss these pair of rules.
Answer:
1. ‘No Read Up’ (NRU) This rule states that a subject can read an object
only if they have a clearance greater than or equal to the object’s
classification.
2. ‘No Write Down’ (NWD) This rule states that a subject can write to an
object only if they have a clearance less than or equal to the object’s
classification.

2. A computer system implements MAC using the Government Security

Classifications Policy (from least to most sensitive): OFFICIAL, SECRET
and TOP SECRET. The system contains the following three files:

1. Alice is a user who has a sensitivity of SECRET. Which files can she read?
Answer:
• Holiday_photo.png

24
 • testing_data.xls
2. Bob has a sensitivity of OFFICIAL. Can he see SECRET data?
Answer:
No, Bob cannot access SECRET files.
3. Charles can open the file ‘war_plans.ppt’. What is his sensitivity?
Answer:
TOP SECRET

3. Given that, Angela, Bob, and Charles are all doctors at the hospital and have
been given the role of doctor. As a doctor, they can perform any of the
transactions belonging to that role such as make diagnosis, prescribe
medication, or update records as shown in figure 1. Danny, Elaine, and Fred
are nurses at the same hospital. They are allocated with a different role
nurse, which is linked to its own set of transactions such as administer
medicine and update records as shown in figure 2. Under Role-Based Access
Control (RBAC), anyone in the hospital assigned to the role of doctor or
nurse can perform all transactions allocated to their role, but only those
transactions. Based on your understanding, answer the following questions
about RBAC

25
 1. Is Bob capable of administrating medication? Why?
2. What role does Elaine occupy, and what transactions is she authorized to
perform?
3. Which transaction can be performed by both a doctor and a nurse?
Answer:
1. No, the transaction Administer medicine is available only to people with
the role of ‘Nurse’. Bob is not a ‘Nurse’ (he is a ‘Doctor’).
2. Elaine is a ‘Nurse’; she can perform the transactions Administer
medicine and Update records.
3. Both a ‘Doctor’ and a ‘Nurse’ can perform the transaction Update
records.

4. Access Control List (ACL) is a set of rules that instruct the authorization
mechanism on whether an attempt to access a resource should be allowed or
denied. The following table shows an illustration of the ACL associated with
a file object in a hypothetical operating system:

Based on the permissions recorded in the table, select the correct answer to each
of the questions:
26
1. Is it possible for every user to read the file’s content?
2. When Alice opens the file and edits its content, can she able to save her
modifications?
3. Charles opens the file and makes edits. Is he allowed to save the
modifications?
4. Does Bob have the permission to run the file?

Answer:
1. Yes
2. Yes
3. No
4. No

5. Given that, Angela, Bob, and Charles are all doctors at the hospital and have
been assigned the role of doctor. As a doctor, they can perform any of the
transactions belonging to that role such as make diagnosis, prescribe
medication, or update records as shown in Figure 1. On the other hand,
Danny, Elaine, and Fred are nurses at the same hospital. They are allocated
the role of nurse, which is linked to its own set of transactions such as
administer medicine and update records as shown in Figure 2. According to
Role-Based Access Control (RBAC), individuals in the hospital assigned to
the role of doctor or nurse can perform all transactions allocated to their
respective roles, but only those transactions. Based on your understanding,
answer the following questions about RBAC:

27
1. Can Elaine administrate medication? Why?
2. What role does Bob hold, and which transactions is he authorized to
perform?
3. Which transaction can be performed by both a doctor and a nurse?

Answer:
1. Yes, the transaction Administer medicine is available only to people with the
role of ‘Nurse’. Elaine is a ‘Nurse’.
2. Bob is a ‘Doctor; he can perform make diagnosis, prescribe medication, or
update records
3. Both a ‘Doctor’ and a ‘Nurse’ can perform the transaction Update records.

6. You are responsible for implementing a Mandatory Access Control (MAC)

system in a secure government facility, using the classification levels:
OFFICIAL, SECRET, and TOP SECRET. Your team is reviewing the
security rules, specifically the ‘No Read Up’ (NRU) and ‘No Write Down’
(NWD) rules, to ensure they are correctly applied in the system. Consider
the following access scenarios:
• Alice has a sensitivity level of SECRET.
• Bob has a sensitivity level of OFFICIAL.
• Charles has a sensitivity level of TOP SECRET.
The system has three files with the following sensitivity levels:
• war_plans.ppt (TOP SECRET)

28
 • testing_data.xls (SECRET)
• holiday_photo.png (OFFICIAL)
1. Based on the NRU and NWD rules, determine which files Alice, Bob, and
Charles can read and write. Justify your answer based on the MAC rules.
2. Consider what would happen if the No Write Down (NWD) rule did not
exist in the system. Discuss the potential risks to confidentiality if this rule
were removed.

Answer:

1. Access Decisions:
✓ Alice (SECRET): Can read testing_data.xls (SECRET) and
holiday_photo.png (OFFICIAL) but cannot read war_plans.ppt (TOP
SECRET). She can write to testing_data.xls and war_plans.ppt, but
not to holiday_photo.png.
✓ Bob (OFFICIAL): Can only read and write to holiday_photo.png
(OFFICIAL). He cannot access higher classifications.
✓ Charles (TOP SECRET): Can read all files but can only write to
war_plans.ppt (TOP SECRET).

2. Impact of Rule Removal:

✓ If the No Write Down (NWD) rule did not exist, subjects with higher
classification (e.g., TOP SECRET) would be able to write sensitive
information to lower-classified objects (e.g., OFFICIAL). This would
create a severe risk to confidentiality, as sensitive data could be
transferred to files accessible by users with lower clearance. For
example, Charles could write TOP SECRET data to
holiday_photo.png, allowing Bob (OFFICIAL) to read it, thereby
exposing highly classified information to unauthorized users.

29
Lecture 6:
(MCQ)
1. Which security device acts as a barrier between an internal network and the
outside world?
a) Switch
b) Router
c) Firewall
d) Server

2. Which of the following best describes a Demilitarized Zone (DMZ) in network

topology?
a) A network segment that connects all internal devices
b) A secured area within the LAN where all critical assets are stored
c) A buffer zone between an internal network and external networks, often used to
host public-facing services
d) A subnet dedicated to virtual private networks
3. What is network segmentation, and why is it commonly used in network
security?
a) Dividing a network into isolated segments to limit access to certain resources and
improve security
b) Combining multiple networks to allow unrestricted data sharing
c) Creating multiple firewalls within a single network to restrict traffic
d) Using virtual machines to simulate different network environments

30
 4. Which of the following best describes endpoint security?
a) Protecting only network routers and switches from unauthorized access
b) Securing devices that connect to a network, such as computers and mobile
devices, from potential threats
c) Monitoring data traffic only within a Virtual Private Network (VPN)
d) Isolating network segments to limit unauthorized access
5. Which of the following describes “host defense in depth”?
a) Using a single security measure on each host device
b) Isolating each host device on its own private network
c) Installing only antivirus software on every endpoint
d) Implementing multiple layers of security controls on a host to protect against
various types of attacks

(T or F)
1. Denial of Service (DoS) attacks are designed to make network services
unavailable by overwhelming the target with traffic or malicious packets. (T)
2. As data moves between nodes/servers in Tor, source and destination IP addresses
are encrypted. (T)
3. The Onion Router (Tor) provides anonymity on the internet by routing data
through a distributed network of volunteer-operated servers and encrypting the
traffic, thereby concealing the user's original IP address and location. (T)
4.

Short Questions
1. What are the three common types of network attacks?
Answer:
The three common types of network attacks are

31
 1. Denial of Service (DoS) attacks,
2. spoofing attacks, and
3. man-in-the-middle attacks.

2. Briefly explain the concept of network segmentation and its purpose.

Answer:
Network segmentation involves dividing a network into discrete areas (or
segments) based on function. This helps in improving security by isolating
different parts of the network, making it harder for attackers to move laterally
and access sensitive areas.
3. Networks are susceptible to various threats. Please provide common categories of
network threats, along with a brief description for each one
Answer:
1. Service disruption Preventing users from accessing services on a network; for
example, DoS attacks on servers, network devices and links.
2. Information theft Unlawful access to computers and servers to obtain
confidential information for criminal purposes.
3. Data manipulation Unlawful access to computers and servers to destroy,
manipulate or alter data.
4. Identity theft Stealing personal information from systems for impersonation
and fraudulent means.
4. A Denial of Service (DoS) attack is one of the most common forms of attack
against a computer network and associated network infrastructure services. The
main aim of a DoS attack is to disrupt network operations, user services, devices,
and applications, in order to make them unavailable. Routers employ various
techniques to mitigate DoS attacks, briefly discuss two types of these techniques
Answer:

1. Blackholing: traffic originating from a suspicious source is funnelled into a

black hole (or a null route) and the packets are dropped from the network.
2. Limiting requests: allowing a server to receive no more than a certain number
of requests, to stop it becoming overwhelmed.

32
 3. Network diffusion: using load balancing techniques to redistribute traffic
across the network.
5. What are some popular techniques for mitigating wireless networks, and how do
they contribute to enhancing network security in the face of evolving threats? [5
Marks]
Answer:
1. Passwords: changing the default passwords of wireless access points, as well as
using strong passwords.
2. MAC address filtering: maintaining a list of MAC addresses of only the devices
that are allowed onto the network (more suitable for smaller or home
networks).
3. SSID protection: configuring the access point to not broadcast the SSID for the
network, helping to keep the network invisible to attackers scanning for
wireless networks.
4. Data encryption: enabling the strongest encryption possible for the network
and making sure that other devices on the network support the same
encryption level (the current standard is WPA3).
5. Patching: keeping access point firmware up to date and frequently patched.
6. What role do signatures play in antivirus systems, and what are some common
methods for creating and using these signatures to identify and combat malware
threats?
Answer:

Signatures are a critical component of antivirus systems, serving as unique

fingerprints or patterns that help identify and combat malware threats.
Common methods for signature:
✓ Byte streams: the simplest form of signature specific to malware files.
✓ Checksums: used by almost all antivirus systems and based on
calculating cyclic redundancy check (CRC).
✓ Hashing: another popular method that generates a signature based
on the output of a hash function.

33
 7. In recent years, as wireless networking and mobile technology have become
ubiquitous in the workplace, more employees are using their own devices.
Although Bring Your Own Device (BYOD) can help minimizing costs for
organizations, they also introduce additional risks. List these risks that are
associated with BYOD scheme.
Answer:
• loss of company data (accidental or deliberate)
• exploitation of data due to weak configuration
• out-of-date software, leading to exploitation by attackers.
• inadequate monitoring (e.g., antivirus) leading to spread of malware.
• unauthorized transfer of data to third-party recipient
• devices being used in insecure environments (thus revealing sensitive data).
8. What role do signatures play in antivirus systems, and what are some common
methods for creating and using these signatures to identify and combat malware
threats?
Answer:
Signatures are a critical component of antivirus systems, serving as unique
fingerprints or patterns that help identify and combat malware threats.
Common methods for signature:
Byte streams: the simplest form of signature specific to malware files.
Checksums: used by almost all antivirus systems and based on calculating cyclic
redundancy check (CRC).
Hashing: another popular method that generates a signature based on the output of
a hash function.

Problem Solving
9. TechSecure Denial of Service (DoS) attack.
TechSecure Ltd. has recently experienced several Denial of Service (DoS) and
Distributed Denial of Service (DDoS) attacks. These attacks have disrupted
network performance, caused website unavailability, and increased the volume

34
of spam emails received by the company. The attacks involved flooding target
servers with overwhelming traffic and forwarding maliciously formed packets,
resulting in buffer overflow conditions. Additionally, there have been instances
of physical security breaches, where power to servers and network equipment
was disconnected, causing further disruption. As the newly appointed Chief
Information Security Officer (CISO), you are tasked with developing a
comprehensive mitigation strategy to protect the company's network
infrastructure from future DoS and DDoS attacks. You need to analyze the
different types of attacks, understand their mechanisms, and propose effective
solutions to mitigate their impact.
Based on your understanding of the attack answer the following questions:
1. What are the three main types of DoS attacks?
2. What are the techniques that could be implemented to mitigate DoS
attacks?
3. What are the physical security measures that could be implemented to
prevent the physical security breaches?
Answer:
1. DoS attacks:
a. Volume-based attacks: These attacks saturate the bandwidth of the
target site with spoofed packets.
b. Protocol-based attacks: These attacks consume server resources
and network equipment by exploiting vulnerabilities in protocol
implementations.
c. Application layer attacks: These attacks target vulnerabilities in
applications to crash servers and network devices.
2. Techniques to mitigate DoS attacks:
a. Blackholing: traffic originating from a suspicious source is
funnelled into a black hole (or a null route) and the packets are
dropped from the network.
b. Limiting requests: allowing a server to receive no more than a
certain number of requests, to stop it becoming overwhelmed.
c. Network diffusion: using load balancing techniques to redistribute
traffic across the network.

35
3. To prevent physical security breaches, implement the following
measures:
a. Secured access: Restrict physical access to servers and network
equipment through locked doors and security badges.
b. Surveillance: Install CCTV cameras to monitor server rooms and
network equipment areas.
c. Power redundancy: Ensure power redundancy with
uninterruptible power supplies (UPS) and backup generators to
prevent power disconnections from impacting operations.

36
Lecture 7:
(MCQ)
1. Which of the following is a common type of Cross-Site Scripting (XSS) attack?
a) DOM-based XSS
b) Buffer overflow
c) Heap overflow
d) Integer overflow
2. What is the primary goal of application security?
a) To monitor network traffic and filter unauthorized access
b) To protect applications from threats by identifying and addressing security
vulnerabilities
c) To encrypt all data in transit
d) To install antivirus software on all network devices
3. What is the primary focus of cloud application security (SaaS)?
a) Ensuring network routers are updated regularly
b) Protecting data and applications hosted on cloud platforms
c) Monitoring hardware resources for any unauthorized access
d) Securing only on-premises servers and applications
4. How does virtualization enhance application security?
a) By isolating applications within virtual environments, reducing the impact of a
breach on other applications
b) By allowing unlimited data sharing between applications
c) By encrypting all network traffic by default
d) By automatically applying security updates

37
 5. Which of the following describes the purpose of DevSecOps?
a) To create isolated networks for different applications
b) To install firewalls in development environments
c) To automate security checks, ensuring security is a shared responsibility across
development, security, and operations teams
d) To conduct regular penetration tests only after application deployment
6. Which of the following is an example of a common application security threat?
a) Physical tampering with network cables
b) Unauthorized access to mobile hardware components
c) Distributed Denial of Service (DDoS) targeting a Wi-Fi network
d) SQL Injection, where attackers insert malicious code into a SQL query
7. How does Cross-Site Scripting (XSS) threaten web applications?
a) By injecting scripts into webpages viewed by other users, potentially stealing data
b) By making network routers less responsive
c) By shutting down the entire web application
d) By creating isolated environments for applications

(T or F)
1. DevSecOps integrates security at every phase of the software development
lifecycle. (T)

Short Questions

38
1. Define application security and explain its importance.
Answer:

• Application security is the process of developing, adding, and testing

security features within applications to prevent vulnerabilities against
threats such as unauthorized access and modification.
• It is important because it helps protect sensitive information, builds
consumer trust, and mitigates potential attacks on applications.
2. DevSecOps revolutionizes software development by integrating security
seamlessly into the development lifecycle. It automates security at every stage,
fostering a culture of shared responsibility for security among development
teams. Factors like the growing importance of security in cloud and web
applications have accelerated its adoption. What role does DevSecOps
development team play in ensuring security throughout development?
Answer:
The development team is:
✓ responsible for carrying out security testing.
✓ responsible for managing and fixing any issues that are found.
✓ trained to manage and fix issues to keep issues internal (in-house) to
development processes (not having to rely on external developers to
carry out fixes).
3. How do common application threats like Cross-Site Scripting, SQL injection, and
Cross-Site Request Forgery pose risks to the security of web applications?
Answer:
• Cross-Site Scripting (XSS) is a prevalent internet threat affecting web
applications, involving the insertion of malicious code into web pages, forms,
or URLs.
• SQL injection is a common attack targeting SQL databases powering
websites, where attackers manipulate SQL queries to execute unauthorized
actions.
• CSRF (Cross-Site Request Forgery) forces authenticated users to perform
unintended actions on a web application. This can occur through phishing
techniques or by exploiting session cookies to impersonate users and send
forged requests.
39
 4. What is the purpose of using a Web Application Firewall (WAF)?
Answer:
• A web application firewall (WAF) protects web applications by analyzing
and filtering HTTP traffic.
• It sits between the external firewall and the web application server, using
heuristic, anomaly, and signature-based detection to prevent attacks
specific to web applications.

Problem Solving
1. How would you implement a secure LAMP stack for a web application server,
ensuring that the web and database services are separate, secure database
access is granted to a hidden system user, and that the web server can
communicate with the database? Please provide a detailed step-by-step plan
and use the above Figure as a reference to illustrate the network configuration
and communication between the web and database servers.

Answer:
• Implementation of a basic web application server installed on Linux, Apache,
MySQL and PHP (LAMP stack):
1. Install the web service (Apache) and the database service (MySQL) on two
separate operating systems as shown in Figure 3.38.

40
 2. Configure the network addresses to be a part of a wider subnetted scheme.
3. Run a secure installation script that provides important security features
✓ adding administrator (root) passwords,
✓ removing anonymous accounts,
✓ removing the test database
4. Create a system user that providing the web server with access to the database
(i.e., consider hiding the sys user):
✓ adduser R@nd0mus3r101
✓ enter password: secure_password
✓ usermod -u 800 R@nd0mus3r101
5. Granting access to the database for only this system user
✓ GRANT ALL PRIVILIGES on *.my_database TO
'R@nd0mus3r101'@'192.168.101.93' 'secure_password’;

2. Given the following code snippet which represents the ssl.conf configuration file

1. What does 443 signify?

2. If we were not running HTTPS on our site, would we still use 443?
3. What encryption method is being used for the CSR?
Answer:
1. 443 signifies the port for HTTPS, which runs over port 443.

41
 2. If the server was running over regular (insecure) HTTP, the port would be
80.
3. Triple DES is being used (-des3).

Lecture 8:
42
(MCQ)
1. Which method is used to authenticate email headers and identify spoofed
addresses?
a) SPF
b) DKIM
c) HTTPS
d) STARTTLS

(T or F)
Short Questions
1. Briefly explain the concept of 'Secure by Default' and its importance in
cybersecurity
Answer:
• 'Secure by Default' ensures that security is built into products from the
beginning, treating root causes of security issues rather than symptoms.
• It ensures security is integrated seamlessly, requiring minimal
configuration, and evolving to meet new threats. This principle is crucial
because it provides robust protection without compromising usability,
making secure practices easier for users to follow.

2. The Open Web Application Security Project (OWASP) has created a set of ten
principles for the “Secure by Design” development process that developers are
encouraged to follow. State four principals.
43
 Answer:
1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don’t trust services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly.

Problem Solving

44
 1. Using the provided DKIM message sample, identify and explain tags present in
the DKIM-Signature header and how they contribute to email authentication and
integrity verification in the DKIM process.

Answer:
1. a=rsa-sha256: This tag specifies the algorithm used for the cryptographic
signature, which is RSA with SHA-256 hashing.
2. d=gmail.com: This tag specifies the domain name of the sender, which is
"gmail.com".
3. s=20161025: This tag represents the selector used to locate the public DKIM
key in the DNS records. It indicates the specific DKIM key selector used for this
message, which is "20161025".
4. h=mime-version:references…: This tag lists the header fields included in the
DKIM signature hash computation. It specifies the headers that are part of the
message content that is hashed and signed.
5. bh=WVarN5QDQ6….: This tag contains the hash value of the body of the
email message. It represents the hash of the body content, ensuring its integrity.
6. b=hiUrs0JBJiTMkeiX34...: This tag contains the signature value generated
using the private DKIM key. It represents the cryptographic signature of the
message, generated using the private key associated with the DKIM selector.

Lecture 9:

45
(MCQ)
(T or F)
1. Security Operations Centre (SOC) oversees the detection and response to threats,
increases resilience, and addresses criminal or negligent behavior at an
organizational level. (T)
2. The incident management process spans the entire incident life cycle and involves
coordination with internal and external stakeholders, including senior managers.
(T)

Short Questions
Problem Solving

Lecture 10:

46
(MCQ)
(T or F)
Short Questions
Problem Solving

Lecture 11:

47
(MCQ)
(T or F)
1. Digital forensics primarily focuses on investigating incidents and gathering
evidence after they occur, rather than preventing or detecting attacks. (T)

Short Questions
Problem Solving
1. Consider the following scenario and answer the three questions below. Briefly
note your conclusions and, in a few words, say why you have come to those
conclusions

1. Does the USB stick belong to the concerned employee?

2. Can it be determined that the employee copied the sensitive documents onto the
USB stick?
3. Can it be determined that the documents were passed to a third party?

Answer
1. No, The USB stick found in the employee’s desk drawer suggests that it might
either belong to them or have been used by them.
2. No, it is not possible to conclusively determine if the employee copied the
sensitive documents onto the USB stick.
3. No, the scenario does not provide evidence regarding whether the documents
were passed to a third party.

General Problem Solving

48
1. Consider a cyber security engineer at a large organization that handles
sensitive data, including healthcare records and financial information.
Recently, there has been a growing concern about the security of data
stored on employees' laptops and mobile devices, especially in light of the
increasing number of cyber threats targeting remote workers. To address
this issue, you have been tasked with implementing BitLocker encryption
to enhance data protection and mitigate the risk of unauthorized access to
confidential information.

Based on your understanding of how BitLocker work answer the following

questions:

2. 1. What are the primary security threats BitLocker encryption aims to

address, especially in remote work environments?
3. 2. How does BitLocker leverage Trusted Platform Module (TPM) to ensure
the security of protected devices?
4. 3. What authentication mechanisms does BitLocker offer for devices
without TPM support?
Answer:

1. BitLocker aims to mitigate the risk of unauthorized access to sensitive

data stored on lost, stolen, or decommissioned devices. It protects against
threats such as data theft, exposure, and tampering by encrypting entire
volumes.
2. BitLocker works in conjunction with a Trusted Platform Module (TPM)
to verify system integrity and prevent tampering during the boot process.
TPM stores encryption keys securely and ensures that a device hasn't been
compromised while offline.
3. In the absence of TPM, BitLocker can use alternative authentication
methods such as startup keys, PINs, or passwords. However, these methods
may not provide the same level of security as TPM-based encryption.

49
 2. In 2018, MyFitnessPal, a health and wellness app that serves a diet and
fitness community, experienced a security breach compromising over 150
million user accounts. The stolen data included usernames, email addresses
and hashed passwords. Fortunately, payment card data remained
unaffected as it was collected and processed separately. One year after the
breach, the stolen data was offered for sale on the dark web. The attackers
accessed the data using SHA-1 with a single salt value for hashing all
passwords. A separate salt should have been used for hashing each
password. The method used to infiltrate the systems and obtain the data
remains unknown. However, given the vulnerability of SHA-1 and the
availability of the password hashes, the attack could have easily led to
recovery of all the passwords:

1. Describe the security breach that occurred with MyFitnessPal, including

the type of information compromised and the vulnerability exploited by
the attackers.
2. What measures were taken in response to the cyber-attacks on
MyFitnessPal to mitigate the security breach and protect user data?

Answer:

1. A. Type of Information Compromised:

✓ Usernames
✓ Email addresses
✓ Hashed passwords
B. Vulnerability Exploited:
✓ Use of SHA-1 with a single salt value for hashing all passwords
✓ Lack of separate salt for hashing each password
✓ Over 150 million user accounts affected
✓ Stolen data later offered for sale on the dark web

50
2. The cybersecurity response to mitigate attacks on MyFitnessPal
includes:
✓ Patching vulnerabilities promptly.
✓ Strengthening password security.
✓ Enhancing encryption and hashing methods.
✓ Implementing robust monitoring and detection systems.
✓ Developing an incident response plan.
✓ Educating users on cybersecurity practices.
✓ Ensuring compliance with data protection regulations.

51
3. Imagine that you are a cybersecurity analyst at a financial institution.
Recently, there have been multiple instances of unauthorized access to
customer accounts. Describe the steps you would take to enhance the
authentication process to prevent future unauthorized access.
Answer:
The following steps will enhance the authentication process against the
unauthorized access:
1. Implement Multi-Factor Authentication (MFA) by requiring customers to
use a combination of factors such as a password and a one-time PIN sent via
SMS.
2. Introduce Out-Of-Band Authentication (OOBA) to add an extra layer of
security by using a secondary channel for passing authentication factors.
3. Ensure that strong, complex passwords are mandated and regularly
updated.
4. Monitor and analyze authentication logs to detect any unusual login
patterns or multiple failed login attempts, indicating potential unauthorized
access attempts.
5. Educate customers on the importance of securing their login credentials
and recognizing phishing attempts.

52
4. Your organization is setting up a new information system that will handle
sensitive customer data. Design a security plan that includes measures for
confidentiality, integrity, and availability.
Answer:
• Confidentiality:
✓ Implement strong encryption protocols (e.g., AES) for data at rest and
in transit.
✓ Use access control mechanisms to restrict access to sensitive data.
✓ Employ multi-factor authentication for system access.
• Integrity:
✓ Use cryptographic hash functions to verify data integrity.
✓ Implement version control for critical files to track changes.
✓ Regularly audit system logs for unauthorized modifications.
• Availability:
✓ Set up redundant systems and data backups to prevent data loss.
✓ Use load balancers to distribute traffic and prevent system overloads.
✓ Implement robust disaster recovery plans to ensure quick restoration
of services.

53
5. A large financial company has recently discovered that one of its employees,
an insider with legitimate access to the internal systems, has been leaking
sensitive customer data to external parties. This employee had access to
critical customer information as part of their job, including personal and
financial details. The company’s monitoring system did not detect the
unauthorized transfer of data because the employee had legitimate access
rights. This breach has caused significant damage to the company’s
reputation and financial loss.

1. Explain why the company’s existing security controls failed to prevent the
insider from leaking sensitive data.
2. Suggest one security control or process that could be implemented to
prevent or detect insider threats like this in the future.

Answer:
1. The security flaw lies in the company’s lack of proper monitoring and data
loss prevention controls. While the employee had legitimate access to
sensitive data, there were no mechanisms in place to monitor or restrict
unusual data transfers. The company also failed to implement user behavior
analytics to detect suspicious activity, such as large data transfers or
accessing data outside of normal working hours.
2. Implement a Data Loss Prevention system that monitors and restricts
unauthorized data transfers, even by users with legitimate access.
Additionally, deploy User Behavior Analytics to detect anomalous behaviors,
such as unusual access patterns or large volumes of data being copied, and
alert security teams in real time. These measures would help identify and
stop insider threats before damage occurs.

54
6. Threats to computer systems can be initiated by either humans or
computers. Understanding the nature of these threats is crucial for
implementing appropriate controls to protect digital systems. All threats
originate from specific attack vectors, and attackers often use one or more
of these vectors to gain access to a system and its data. For each of the attacks
described below, state the attack vector used by the attacker and justify your
choice, identify which of the following security objectives is breached in each
case: confidentiality, integrity, authentication, availability, or non-
repudiation.
1. Email Spoofing occurs when a scammer forges email headers to display a
fraudulent sender address, tricking users into believing that a malicious
message is from someone they know or trust. This increases the likelihood
that the recipient will trust the message and its contents, prompting them to
click on malicious links, open malware attachments, share sensitive data, or
even transfer money.
2. A cleaner working in a large corporation eavesdrops on conversations in
the boardroom, where confidential corporate information and strategies are
discussed. The cleaner then sells these corporate secrets to a competitor. This
type of attack is known as corporate or industrial espionage.
3. An e-commerce company was recently hit by a Denial-of-Service (DoS)
attack. Malware flooded their web server with spurious requests,
overwhelming the server and preventing it from responding to genuine
customer requests.
4. A multi-national bank recently disclosed a data breach that compromised
several hundred customer records, including personal and financial
information. The breach was the result of an insider attack by a member of
the bank’s IT team. The rogue employee altered the email server
configurations to forward a copy of all customer emails to a personal
address.

55
 Answer:
1. Email Spoofing:
✓ Attack Vector: Social Engineering
✓ Justification: The attacker manipulates the recipient's trust by
forging a familiar sender's address.
✓ Security Objective Breached: Confidentiality (Sensitive
information is exposed), Authentication (The sender's identity is
falsely verified).
2. Corporate Espionage by Eavesdropping:
✓ Attack Vector: Physical Access
✓ Justification: The cleaner gains unauthorized access to confidential
conversations in person.
✓ Security Objective Breached: Confidentiality (Sensitive corporate
data is leaked).
3. Denial-of-Service (DoS) Attack:
✓ Attack Vector: Network-based Attack
✓ Justification: The attacker floods the server with spurious requests,
making it unavailable.
✓ Security Objective Breached: Availability (The system becomes
inaccessible to legitimate users).
4. Insider Job at a Bank:
✓ Attack Vector: Insider Threat
✓ Justification: A trusted employee uses their access to manipulate
the email server.
✓ Security Objective Breached: Confidentiality (Customer data is
leaked), Integrity (Server settings are tampered with).

56
7. In a certain chip and PIN card system, the PIN was encrypted, but the bank
account number was not. A fraudster, Eve, used a card reader to replace her
account number with a victim's account number, Alice, which she obtained
from an ATM receipt. When Eve used her altered card at the ATM, the
system verified her PIN but allowed her to withdraw money from Alice’s
account.

Based on your understanding answer the following questions:

1. Explain why the system allowed Eve to access Alice's account.

2. Suggest one way to improve the security of the system to prevent this type
of fraud.

Answer:

1. The system did not encrypt the bank account number, allowing Eve to
replace her account number with Alice's. The ATM only checked the PIN, so
when Eve entered her correct PIN, the system allowed her to withdraw from
Alice’s account.
2. Encrypt both the PIN and the account number, and ensure they are
securely linked so that altering one would invalidate the other. This would
prevent Eve from changing the account number without detection.

57
 8. Safety first principal.
Imagine that you are an IT manager at a mid-sized company that relies heavily
on Microsoft Windows-based tools for daily operations. Recently, the company
decided to implement several new software tools to enhance productivity.
However, these tools will change the contents of your computers. Given the
potential risks, it is crucial to develop a robust backup strategy to protect your
systems and data. Your task is to create a comprehensive backup plan that
ensures data integrity and system recovery in case of failures, hacks, or
malware attacks.
Additionally, you must ensure that the backup process does not interfere with
regular operations and that the backup images created are as close to
forensically sound as possible, even though they might not meet the full forensic
standards due to the live system interaction.
Based on your understanding answer the following questions:
1. Outline a detailed backup plan for the company's computers?
2. Evaluate and recommend appropriate backup tools for Microsoft
Windows systems. Consider factors such as ease of use, reliability, cost,
and compatibility with your existing infrastructure?
Answer:
1. Backup plan:
✓ Types of data: System files, user data, application data, and
configuration files.
✓ Backup frequency and schedule: Daily incremental backups with
weekly full backups. Monthly backups for archival purposes.
• Backup methods:
✓ Full Backup: A complete copy of all data.
✓ Incremental Backup: Only the data that has changed since
the last backup.
✓ Differential Backup: All data that has changed since the last
full backup.

58
 • Storage locations:
✓ Local Drives: Fast access, but vulnerable to local disasters.
✓ Network Storage: Centralized and scalable, useful for large
data sets.
2. Backup Tools:
✓ Acronis True Image: Provides comprehensive backup solutions
including full, incremental, and differential backups. It is easy to
use and supports cloud storage.
✓ Paragon Hard Disk Manager Advanced: Offers advanced features
like disk partitioning and cloning. Reliable and integrates well with
existing infrastructures.
✓ R-Drive Image: Cost-effective and efficient. Provides disk imaging
and cloning solutions, suitable for small to mid-sized businesses.

59
9. On 13 April 2020, Capcom (i.e., a Japanese video game company)
implemented a ‘work from home or stay at home’ policy. Like many
organizations, this rapid shift in working practices adversely affected the
cyber security of Capcom. The Capcom ransomware attack was partially
caused by the COVID-19 pandemic, which forced remote work and the use
of an older VPN device as a backup. Cybercriminals exploited this older
device to gain access, steal confidential data, and demand a ransom.
Despite Capcom's efforts to secure its network, the attack had severe
consequences, with some data made public. The company has since
enhanced its security measures and introduced a Security Operation
Center service to detect and respond to similar attacks in the future.

Based on your understanding of the attack answer the following questions.

1. What specific type of cyberattack did Capcom experience in 2020?

2. Identify the primary cause of the security breach that affected Capcom.
3. Which components of the CIA (Confidentiality, Integrity, Availability)
were impacted by the attack, and can you explain why these components
were affected?

Answer:

1. Capcom suffered a ransomware attack.

2. The root cause was the exploitation of a vulnerability on an older
‘backup’ VPN device, left online to help the increased number of employees
working from home connect to the company network.
3. Confidentiality was impacted because: ‘confidential company
information including future planned releases and personal information of
some company employees’ (Adams, 2021) was taken. There is no mention
of data integrity or availability in the article.

60
10.On 13 December 2020, the US Department of Homeland Security issued
Emergency Directive 21-01, advising that SolarWinds Orion products (i.e.,
designed to provide network infrastructure monitoring and platform
management) were being actively exploited by malicious actors.
Disconnecting devices using the software was advised as: ‘the only known
mitigation measure’. The exploit centered on the Orion software updates
becoming Trojanised with malware known as SUNBURST. However, any
updates coming onto a customer’s network appeared legitimate and
therefore trusted, as they were sent from a supplier’s server. SolarWinds
provides software services to thousands of customers and according to
breachlock.com, 18,000 customers who updated their Orion product
became exposed to the threat themselves. Prior to the attack, SolarWinds
proudly listed some of its many customers on its website, which included
the Executive Office of the President of the United States. The customer list
was hastily removed following the attack (i.e., but is captured on Wayback
Machine) and there is also a timeline of events.

Based on your understanding of the attack answer the following questions:

1. What was the nature of the exploit targeting SolarWinds Orion

products?
2. Why was disconnecting devices using the software advised as the
primary mitigation measure?
3. How did the exploit occur, specifically regarding the Trojanization of
Orion software updates with malware known as SUNBURST?
4. What made the malicious updates appear legitimate to customers, and
why were they sent from a supplier's server?
5. How many customers were affected by the exploit, according to
breachlock.com, and what were the potential consequences for those who
updated their Orion product?
6. Can you explain the significance of SolarWinds' customer list, including
its removal from the website following the attack, and what insights can be
gleaned from the captured timeline of events?

61
Answer:
1. The exploit targeting SolarWinds Orion products involved the
Trojanization of software updates with malware known as SUNBURST.
2. Disconnecting devices using the software was advised as the primary
mitigation measure to prevent further exploitation.
3. The exploit occurred when Orion software updates were tampered with,
inserting the SUNBURST malware. This malware allowed threat actors to
gain unauthorized access to networks where the compromised software
was installed.
4. The malicious updates appeared legitimate to customers because they
were sent from a supplier's server, giving the impression of authenticity.
This trust in the supplier's update mechanism made it difficult for
customers to discern the presence of malware.
5. According to breachlock.com, approximately 18,000 customers who
updated their Orion product became exposed to the threat themselves. The
potential consequences for these customers included unauthorized access
to their networks and sensitive data by threat actors.
6. The significance of SolarWinds' customer list lies in its association with
high-profile organizations. The removal of the customer list from the
website following the attack suggests a recognition of the severity of the
breach. The captured timeline of events provides insights into the
progression of the attack and its impact on SolarWinds and its customers.

62
11.Port forwarding You have a file server on your internal network that allows
remote access on port 22 (SSH) with the address: 192.168.1.254
(255.255.255.0) You wish to be able to access this file server from outside
the network. To do so, you would create a port forwarding rule on the
router that maps the IP address to the port: 192.168.1.254:22 A request
arrives from outside on port 22 to access the file server. The router knows
that this doorway is open and forwards the request to the server, which is
listening on port 22, awaiting requests.

Based on your understanding answer the following questions:

1. Do you see any specific security implications arising from this scenario?
2. Supposing you want to implement a HTTP server alongside your file
server. What steps do you think you would need to take?
3. List five popular services and their port numbers.

Answer:

1. Security implications arising from this are that the computer would be
exposed to the outside world, leaving itself open to brute-force attack.
2. To implement a HTTP server, a port forwarding rule would have to be
created that would allow incoming requests on port 80 – 192.168.1.254:80.
3. Five other popular services and their port numbers are: HTTPS (443),
FTP (21), SMTP (25), DNS (53), POP3 (110).

63
 12.Figure 1 illustrates an insecure FTP server set up by Employee A, who
sends login credentials over the network. Employee B, with malicious
intent, uses a network sniffer to intercept the credentials sent in plaintext.
Given the vulnerabilities of using insecure protocols such as FTP, answer
the following questions:
1. Explain why the FTP protocol used by Employee A is insecure in this
scenario. Include in your response why protocols like FTP and Telnet are
inherently insecure, especially in modern networks.
2. Suggest some security measures that the organization should implement
to prevent unauthorized access and protect sensitive data.
3. Employee A needs to continue sharing files within the organization
securely. Suggest an alternative protocol or method that Employee A
could use instead of FTP. Explain why this alternative is more secure and
how it addresses the vulnerabilities identified.

Answer:
1. FTP transmits data in plaintext, which allows any data, including login
credentials, to be easily intercepted by a malicious actor using a network
sniffer. Protocols like FTP and Telnet lack encryption, making them
vulnerable to unauthorized access, especially in modern networks with
more connected devices and greater security threats.

64
2. Security measures for mitigating:
a. Access Control: Implement strict access controls to limit who can
install or run specific software.
b. Network Monitoring and Logging: Employ network monitoring
tools that can detect and alert administrators when insecure
protocols are in use or when unauthorized tools like sniffers are
detected on the network.
3. Recommend using SFTP or HTTPS for secure data transmission, as these
protocols encrypt data in transit, protecting sensitive information like
login credentials from interception.

65
 13.Figure 2 illustrates a software supply chain attack. In this scenario, the
threat actor has managed to inject malware into the supplier's network,
resulting in a pre-infected update code. When this code is deployed to the
supplier’s update server, it creates Trojanized updates that are distributed
to the victim’s server. These infected updates provide backdoor access to
the threat actor, allowing data theft, such as customer credit card details
from the victim's customers. Using Figure 2 as a reference, answer the
following questions:
1. Identify key security weaknesses in this supply chain model that the
threat actor exploited. For each weakness, explain its impact on the
supply chain's security.
2. Suggest mitigation strategies that could prevent such attack from
occurring.

Answer:
1. Key Security Weaknesses:
a. Insecure Code Validation: The supplier’s update server lacks robust
validation processes, enabling Trojanized updates to be distributed
without detection.

66
 b. Lack of Update Authenticity Checks: The victim’s server does not verify
the legitimacy of incoming updates, allowing malware to infiltrate
easily.
2. Mitigation Strategies:
a. a. Require digital signatures on updates, allowing recipients to verify
authenticity before installation.
b. Isolate update servers from the main network to limit the impact of
malware infiltration.
c. Regularly audit suppliers to verify compliance with security standards
and identify potential vulnerabilities.

67
 14.An organization wants to build a strong security culture but finds that
employees don’t automatically follow secure practices. Using the
“Awareness Maturity Curve”, suggest a simple step-by-step plan to help
employees move from not understanding security risks to handling them
confidently and automatically.

Answer:
1. Make employees aware of security risks by running awareness campaigns
with real life examples that show why security matters.
2. Provide short, focused training based on job roles, and make time for
practice so it doesn’t feel like extra work.
3. Assign simple security tasks and recognize employees who follow secure
practices.
4. Offer ongoing support and updates, and lead by example to keep security
top of mind.

68