V IT - ICT 3156 – CYBER SECURITY – MISAC 1 – 02.09.2023, Saturday, 8 AM


Note: 1. Answer up to the point with proper justifications and illustrations as applicable.
2. Each question carries 2.5 marks.

1. Defeating authentication follows the method–opportunity–motive paradigm. Discuss
how these three factors apply to an attack on authentication.

Method: By method we mean the skills, knowledge, tools, and other things with which to
perpetrate the attack. The method refers to the technical and strategic approach employed
by an attacker to exploit vulnerabilities in the authentication system. This could involve
various techniques such as brute force attacks, credential stuffing, phishing, man-in-
the-middle attacks, and more. The choice of method depends on the attacker's technical
skills, resources, and the specific weaknesses of the target authentication system.
Opportunity: Opportunity is the time and access to execute an attack. Many computer systems present
ample opportunity for attack. Systems available to the public are, by definition,
accessible; often their owners take special care to make them fully available so that if
one hardware component fails, the owner has spares instantly ready to be pressed into
service. Other people are oblivious to the need to protect their computers, so unattended
laptops and unsecured network connections give ample opportunity for attack. Some
systems have private or undocumented entry points for administration or maintenance,
but attackers can also find and use those entry points to attack the systems.
Motive: Finally, an attacker must have a motive or reason to want to attack.
Method, opportunity, and motive are all necessary for an attack to succeed; deny any of
these and the attack will fail.

2. A company is interested in adopting biometric authentication to improve security and
streamline employee access to sensitive systems and facilities. They are considering
various biometric modalities, including fingerprint recognition, facial recognition, and
iris scanning. Assess the advantages and disadvantages of each biometric modality
(fingerprint, facial, and iris recognition) in the corporate environment. Consider factors
such as accuracy, user acceptance, cost, and potential vulnerabilities.

Fingerprint Recognition:
Advantages:
High Accuracy: Fingerprint recognition is known for its accuracy and low false acceptance rate,
making it reliable for authentication.
User Acceptance: It's widely accepted and used in various consumer devices, which may
contribute to higher user acceptance.
Cost: Implementation costs are relatively moderate compared to some other biometric
methods.
Disadvantages:
Hygiene Concerns: Fingerprint scanners may require regular cleaning to maintain accuracy,
which can be challenging in shared corporate environments.
Privacy: Concerns may arise regarding the storage and misuse of fingerprint data.
Spoofing: While modern fingerprint systems are designed to resist spoofing, this remains a
potential vulnerability.

Facial Recognition:
Advantages:
Non-Intrusive: Facial recognition is non-intrusive and does not require physical contact with a
sensor.
User Convenience: Users are familiar with the concept from smartphone and laptop
authentication.
Cost: Implementation can be cost-effective as it often relies on existing camera infrastructure.
Disadvantages:
Accuracy: Facial recognition can be influenced by lighting conditions, angles, and facial changes
over time, potentially leading to lower accuracy.
Privacy: Collecting and storing facial data can raise privacy concerns, especially in corporate
settings.
Vulnerabilities: Facial recognition systems may be vulnerable to spoofing using photos or
videos.

Iris Scanning:
Advantages:
High Accuracy: Iris scanning is highly accurate and offers low false acceptance rates.
Non-Intrusive: Like facial recognition, it's non-intrusive and user-friendly.
Security: Iris patterns are unique and stable, making it difficult to spoof.
Disadvantages:
Cost: Iris scanning systems tend to be more expensive to implement due to specialized
hardware requirements.
User Acceptance: While generally well-accepted, some users may have concerns about their
iris data being collected.
Complexity: The complexity of iris recognition systems may require more significant
integration efforts.

V IT - ICT 3156 – CYBER SECURITY – MISAC 1 – 02.09.2023, Saturday, 8 AM


Note: 1. Answer up to the point with proper justifications and illustrations as applicable.
2. Each question carries 2.5 marks.

1. Preserving confidentiality, integrity, and availability of data is a restatement of the
concern over interruption, interception, modification, and fabrication. How do the first
three concepts relate to the last four? That is, is any of the four equivalent to one or
more of the three?
Confidentiality and Interception:
Confidentiality: This focuses on ensuring that sensitive information is accessible only
to authorized individuals or entities. It involves preventing unauthorized access or
disclosure of data. Confidentiality is closely related to the concern of interception.
Interception: This relates to the unauthorized capture of data during its transmission
over a network or communication channel. The concern over interception aligns with
the need to maintain the confidentiality of data.
Integrity and Modification:
Integrity: Integrity ensures that data remains accurate, complete, and unaltered
throughout its lifecycle. It involves protecting data from unauthorized changes.
Integrity is directly connected to the concern of modification.
Modification: This refers to the unauthorized alteration or tampering of data.
Maintaining data integrity helps address the concern of data being modified without
authorization.
Availability and Interruption:
Availability: Availability ensures that authorized users have timely and reliable access
to data and services when needed. It involves preventing disruptions that could lead to
unavailability of resources.
Interruption: Interruption refers to the disruption or unavailability of services, often
caused by attacks or failures. The concept of maintaining availability is closely related
to the concern of interruption.
Fabrication: Fabrication involves the creation of false or unauthorized data or
information. It is not directly equivalent to any of the three CIA concepts. Instead, it
relates to the broader concerns of data integrity and authenticity.

2. In the context of access control and pseudonyms, can you describe a scenario where
allowing users to assign unique names to files within their directories can lead to a
situation where one user may have two different sets of access rights to the same file,
causing potential inconsistencies in permissions?

Suppose, however, that S would like to use a name other than F to make the file’s contents
more apparent. The system could allow S to name F with any name unique to the directory of
S. Then, F from A could be called Q to S. S may have forgotten that Q is F from A, and so S
requests access again from A for F. But by now A may have more trust in S, so A transfers F
with greater rights than before. This action opens up the possibility that one subject, S, may
have two distinct sets of access rights to F, one under the name Q and one under the name F.
In this way, allowing pseudonyms can lead to multiple permissions that are not necessarily
consistent. Thus, the directory approach is probably too simple for most object protection
situations.

V IT - ICT 3156 – CYBER SECURITY – MISAC 1 – 02.09.2023, Saturday, 8 AM


Note: 1. Answer up to the point with proper justifications and illustrations as applicable.
2. Each question carries 2.5 marks.

1. Suppose you forget your password for a website and you click [Forgot my password].
Compare these two cases in terms of vulnerability of the website owner.
(a) Company sends you a new password by email.
(b) Company sends you your old password by email.

(a) Company sends you a new password by email:
In this case, the website owner generates a new password for the user who has forgotten
their password and sends it to them via email. This approach has several security
concerns:
Security of the New Password: Generating a new password and sending it by email
introduces the risk that the generated password could be intercepted by a malicious
actor if the email communication is compromised. This could potentially allow
unauthorized access to the user's account.
Password Strength: If the new password is generated automatically without user input,
there's a chance that it might be weak or easily guessable. Weak passwords can be
exploited by attackers.
Lack of Authentication: Sending a new password without any additional authentication
process might allow an attacker who gains access to the user's email account to easily
reset the password and gain control of the account.

(b) Company sends you your old password by email:
In this case, the website owner sends the user their old password by email. This
approach has even more significant security concerns:
Storing Passwords in Plain Text: The fact that the website owner can send the user their
old password implies that the passwords are stored in plain text or in an easily reversible
format. This is a severe security vulnerability because if the website's database is
breached, attackers would gain direct access to users' passwords.
Lack of Hashing: Secure practices involve storing hashed and salted passwords, which
means that even if the database is breached, attackers cannot easily retrieve the actual
passwords. Sending old passwords via email suggests that hashing might not be used.
Password Reuse Risk: If users reuse passwords across multiple sites (which is
unfortunately common), revealing an old password from one site could put their accounts
on other sites at risk if they use the same password there.
In both cases, the website owner is vulnerable to potential security breaches and
unauthorized access due to the insecure handling of passwords. However, sending the
old password by email is a much more critical vulnerability because it indicates poor
password security practices and could have more far-reaching consequences in terms
of data breaches and unauthorized access. It's essential for websites to follow best
practices such as securely hashing passwords, using multi-factor authentication, and
employing secure password reset mechanisms to mitigate these vulnerabilities.
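
The storage and reset practices recommended above, as an added example that is not part of the original answer key. The in-memory stores, function names, token lifetime and PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}            # username -> (salt, derived_key); constructed in-memory store
RESETS = {}           # sha256(token) -> (username, expiry); constructed in-memory store
RESET_TTL = 15 * 60   # token lifetime in seconds (assumed policy value)
ITERATIONS = 600_000  # PBKDF2 work factor (assumed; tune to your hardware)


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(user, password):
    # Only a random salt and the slow one-way hash are stored, never the
    # password itself, so case (b) "send the old password" is impossible.
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, derive(password, salt))


def check_password(user, password):
    salt, stored = USERS.get(user, (b"\x00" * 16, b""))
    return hmac.compare_digest(derive(password, salt), stored)


def request_reset(user, now=None):
    """Return a single-use token to mail as a reset link; store only its hash."""
    if user not in USERS:
        return None  # the caller should answer identically for unknown users
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).digest()] = (user, now + RESET_TTL)
    return token


def complete_reset(token, new_password, now=None):
    """The user chooses the new password; the token is consumed on first use."""
    now = time.time() if now is None else now
    entry = RESETS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    register(entry[0], new_password)
    return True
```

Unlike case (a), no password ever travels by email here: an intercepted link is useless once it has been used or has expired.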

2. In the context of access control and networked systems, explain the complexities and
challenges that arise when an owner, like A, wishes to revoke access rights to a file (F)
that has been shared with multiple users, especially in scenarios where user B might
have passed these access rights to another user, C. How does the size and structure of
the networked system make this problem even more difficult?

If owner A has passed to user B the right to read file F, an entry for F is made in the directory
for B. This granting of access implies a level of trust between A and B. If A later questions that
trust, A may want to revoke the access right of B. The operating system can respond easily to
the single request to delete the right of B to access F, because that action involves deleting
one entry from a specific directory. But if A wants to remove the rights of everyone to access
F, the operating system must search each individual directory for the entry F, an activity that
can be time consuming on a large system. For example, large systems or networks of smaller
systems can easily have 5,000 to 10,000 active accounts. Moreover, B may have passed the
access right for F to another user C, a situation known as propagation of access rights, so A
may not know that C’s access exists and should be revoked. This problem is particularly serious
in a network.
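
A small model of the directory approach, added here as an example and not taken from the original answer key; it covers both this revocation question and the earlier pseudonym question (S holding F under the names Q and F). The class, its methods and the 5,000 empty accounts are constructed for illustration.

```python
from collections import defaultdict


class DirectorySystem:
    """Directory-based protection: each user's directory maps a local name
    to (owner, file, rights). Class and method names are hypothetical."""

    def __init__(self):
        self.dirs = defaultdict(dict)
        self.searched = 0  # directories examined by revoke_all

    def rights_by_name(self, user, owner, file):
        return {name: set(r) for name, (o, f, r) in self.dirs[user].items()
                if (o, f) == (owner, file)}

    def rights_of(self, user, owner, file):
        return set().union(*self.rights_by_name(user, owner, file).values())

    def grant(self, grantor, grantee, owner, file, rights, local_name=None):
        # The owner may grant anything; any other holder may pass on only
        # what it already holds (propagation of access rights).
        if grantor != owner and not set(rights) <= self.rights_of(grantor, owner, file):
            raise PermissionError(f"{grantor} cannot grant {rights} on {file}")
        self.dirs[grantee][local_name or file] = (owner, file, frozenset(rights))

    def revoke(self, owner, file, user):
        # Cheap case: only one directory is touched.
        for name in self.rights_by_name(user, owner, file):
            del self.dirs[user][name]

    def revoke_all(self, owner, file):
        # Expensive case: every directory on the system must be searched.
        removed = []
        for user in list(self.dirs):
            self.searched += 1
            for name in self.rights_by_name(user, owner, file):
                del self.dirs[user][name]
                removed.append((user, name))
        return removed


def build_scenario(accounts=5000):
    s = DirectorySystem()
    for i in range(accounts):                         # constructed empty accounts
        s.dirs[f"user{i}"]
    s.grant("A", "S", "A", "F", "r", local_name="Q")  # S files F under the name Q
    s.grant("A", "S", "A", "F", "rw")                 # S asks again; A now grants more
    s.grant("A", "B", "A", "F", "r")
    s.grant("B", "C", "A", "F", "r")                  # B passes the right on to C
    return s
```

After `build_scenario()`, S holds two entries for the same file with different rights, revoking B alone leaves C's copy in place, and `revoke_all` has to visit every account's directory to find the entries A never knew about.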

V IT - ICT 3156 – CYBER SECURITY – MISAC 1 – 02.09.2023, Saturday, 8 AM


Note: 1. Answer up to the point with proper justifications and illustrations as applicable.
2. Each question carries 2.5 marks.

1. The financial institution is planning to implement a new system that allows clients to
securely communicate and exchange financial documents with their account managers.
They want to ensure that only authorized individuals can access and transmit this
confidential information. Additionally, they want to protect the data from interception
and unauthorized modifications during transmission.
Based on the provided scenario and the technical controls, analyse how the financial
institution can effectively ensure the security of client communication and document
exchange. Address the following points in your response:
(a) Explain how end-to-end encryption works and how it safeguards data during
transmission.
(b) Discuss the benefits of Multi-Factor Authentication (MFA) and its significance in
preventing unauthorized access. Provide examples of possible authentication
factors.

(a) End-to-end encryption is a security measure that ensures that data is encrypted
on the sender's side and remains encrypted until it reaches the intended recipient, where
it is decrypted. This process prevents unauthorized parties, including service providers
and attackers, from accessing the data in its readable form during transmission. Here's
how it works:
Encryption: When a client sends financial documents or messages, the data is
encrypted on their device using a strong encryption algorithm and a unique encryption
key.
Transmission: The encrypted data is transmitted over the network to the financial
institution's servers. Even if intercepted, the encrypted data remains unreadable without
the decryption key.
Decryption: Upon reaching the account manager, the encrypted data is decrypted using
the corresponding decryption key, which is only possessed by the authorized recipient.
The data is then accessible in its original form.
End-to-end encryption safeguards data from interception and unauthorized
modifications during transmission. Even if a malicious actor gains access to the
communication channel, they would only see encrypted data that is computationally
infeasible to decrypt without the proper keys.

(b) Multi-Factor Authentication (MFA) is a security mechanism that requires users to
provide multiple forms of verification before gaining access to a system. This adds an
extra layer of security beyond just a username and password. MFA is significant in
preventing unauthorized access because even if an attacker obtains a user's credentials,
they won't be able to access the account without the additional factors. Examples of
authentication factors include:
Something You Know: This is usually a password or PIN. It's something only the user
should know.
Something You Have: This could be a physical token, a smartphone app, or an email
containing a one-time code. It's an item only the user possesses.
Something You Are: This refers to biometric factors like fingerprints, retina scans, or
facial recognition. These are unique to each individual.
Implementing MFA in the financial institution's communication and document
exchange system means that even if an attacker manages to steal a client's password,
they would still need access to the client's physical device or biometric information to
gain entry.
By combining end-to-end encryption to protect data during transmission and
implementing MFA to prevent unauthorized access, the financial institution can
effectively ensure the security of client communication and document exchange. These
measures not only enhance confidentiality but also integrity and availability, addressing
the concerns of data protection and secure interactions.
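
A common way a smartphone app provides the "something you have" factor is a time-based one-time password. The block below is an added example, not part of the original answer key: it implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 with the standard library, and the `SecondFactor` class, its window size and its replay rule are assumptions.

```python
import hashlib
import hmac
import struct

DEMO_SECRET = b"12345678901234567890"  # the published RFC 4226 test secret


def hotp(secret, counter, digits=6):
    # HMAC-SHA1 over the 8-byte counter, then dynamic truncation (RFC 4226).
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    # TOTP is HOTP with the counter derived from the clock (RFC 6238).
    return hotp(secret, int(now) // step, digits)


class SecondFactor:
    """Checked only after the password (something you know) has verified."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window      # time steps of clock drift tolerated
        self.last_counter = -1    # highest counter already accepted

    def verify(self, code, now, step=30):
        current = int(now) // step
        for c in range(max(0, current - self.window), current + self.window + 1):
            # A code is accepted once; older or reused counters are rejected.
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

A stolen password alone does not pass `verify`, and a code observed in transit cannot be replayed once it has been accepted.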

2. Provide an overview of the DES algorithm, including its fundamental building blocks,
the number of cycles it uses, and the key length. Explain how DES combines
substitution and transposition techniques to achieve its security. Additionally, describe
the suitability of DES for implementation in software and single-purpose hardware
chips.

DES is characterized by its careful combination of two fundamental encryption techniques:
substitution and transposition. These techniques are applied repeatedly, with 16 cycles in
total, forming the foundation of the algorithm's security.
It begins by encrypting data in blocks of 64 bits, utilizing a 64-bit key. Notably, the key can be
any 56-bit number, with the extra 8 bits often used as check digits but not affecting encryption
strength. Consequently, DES is regarded as using a 56-bit key for encryption.
The key selection process allows users to choose new keys when the security of the old one is
in doubt, providing flexibility and adaptability.
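
How a 64-bit DES key carries only 56 bits of key material, as an added example that is not part of the original answer key. It relies on the standard DES convention that the low-order bit of each key byte is an odd-parity check bit; the function names and the sample key are chosen for illustration.

```python
SAMPLE_KEY = bytes.fromhex("133457799BBCDFF1")  # sample key, illustration only


def has_odd_parity(key):
    """True if every byte of an 8-byte key has an odd number of 1 bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key):
    """Rewrite the low bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE
        out.append(top7 | (0 if bin(top7).count("1") % 2 else 1))
    return bytes(out)


def effective_key(key):
    """The 56 bits that actually influence encryption: top 7 bits per byte."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def parity_variants(key):
    """All 2**8 64-bit keys that differ from `key` only in check bits."""
    return [bytes(b ^ ((mask >> i) & 1) for i, b in enumerate(key))
            for mask in range(256)]
```

Every key returned by `parity_variants` yields the same `effective_key`, which is why the search space an attacker faces is 2^56 rather than 2^64.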

Substitution and Transposition Techniques:
DES derives its strength from the repetitive application of substitution (bit replacement) and
transposition (bit shuffling) techniques during its 16 iterations. This combination creates a
complex and robust encryption process.
Tracing a single bit through these 16 iterations proves exceedingly challenging, which
contributes to the algorithm's security. The sheer complexity has limited public researchers
from identifying more than a few general properties of the algorithm.

Suitability for Implementation:
DES is highly suitable for implementation in both software and single-purpose hardware chips
due to its use of standard arithmetic and logical operations on binary data up to 64 bits.
The algorithm's repetitive and table-driven nature makes it an excellent candidate for
hardware acceleration, where dedicated chips can efficiently perform DES encryption and
decryption.
Multiple specialized chips optimized for DES encryption are available in the market, facilitating
its practical application in various contexts, including secure communications and data
protection.
In summary, DES's historical significance, combined with its robust encryption techniques and
adaptability for both software and dedicated hardware implementations, has solidified its
place as a pivotal cryptographic standard.
