NIS Winter 23 Question Paper

1. Attempt any FIVE of the following : 10


(a) List any four virus categories.
Ans.
1. File Infector Virus: Attaches itself to executable files (e.g., .exe or .com files) and spreads when the infected file
is run.
2. Macro Virus: Targets applications that support macros (e.g., Microsoft Word or Excel) and spreads through documents
whose macros run automatically when the file is opened.
3. Boot Sector Virus: Infects the master boot record (MBR) or boot sector of a disk, so it is loaded before the
operating system when the computer starts up.
4. Polymorphic Virus: Changes its appearance on every replication (typically by re-encrypting its body under a new
key with a freshly generated decryptor) while its behaviour stays the same, so signature-based antivirus scanning is harder.
5. Metamorphic Virus: Rewrites its own instructions every time it infects a new host, changing its structure
without altering its behaviour; there is no constant decryptor for a scanner to match.
6. Multipartite Virus: Infects more than one part of a system, such as boot sectors and executable files, making it
harder to remove completely.
7. Stealth Virus: Conceals itself by intercepting system calls (e.g., file or disk-sector reads) and returning the
original, clean data, so scanners that rely on those calls do not see the infection.
8. Resident Virus: Installs itself in system memory and remains active even when its host program is no longer
running, infecting other files as they are accessed.

(b) List any four biometric mechanisms.


Ans.
• Fingerprints: The oldest and most common method; it matches the pattern of ridges and minutiae (ridge endings
and bifurcations) on a finger.
• Facial recognition: Measures the geometry of facial features; widely used at airports to verify passenger identity.
• Voice recognition: Builds a "voiceprint" from the speaker's audio patterns and matches it to authenticate the user.
• Iris recognition: Matches the pattern of the coloured ring around the pupil, which is stable over a lifetime.
• Hand or finger veins: The arrangement of veins in the fingers and hands is unique to each person and is read with
near-infrared light.
• Heartbeat: Each person has a distinctive cardiac (ECG) waveform, regardless of heart rate or level of exertion.
• Signatures: Handwritten signatures, and on digital pads the speed and pressure of writing, can be used to
authenticate a person.
• DNA matching: Compares genetic material; accurate but slow and invasive, so it is used for forensic identification
rather than for routine login.

(c) Define the following terms :


(i) Cryptography
(ii) Cryptanalysis
Ans.
Cryptography: Cryptography is the art and science of achieving security by encoding messages so that they are
not readable by anyone except the intended recipient (encryption), and of decoding them again (decryption).
Cryptanalysis: Cryptanalysis is the art and science of breaking cipher text, i.e. recovering the plain text or the
key without being given the key, by exploiting weaknesses in the algorithm or in the way it is used.
Cryptology: It is the combined study of transforming intelligible data into unintelligible data and back again, and
of attacking such transformations.
Cryptology = Cryptography + Cryptanalysis

(d) Give examples of Active & Passive Attacks (two each).


Ans.
Active Attack (the attacker modifies data or disrupts service):
Masquerade
Replay
Message Modification
Denial-of-Service
Passive Attack (the attacker only observes traffic, so it is hard to detect):
Eavesdropping (release of message contents)
Traffic Analysis
(e) State the two types of firewall with its use.
Ans.
• Next-generation firewall (NGFW)
Combines traditional packet filtering and stateful inspection with advanced features such as an intrusion prevention
system (IPS) and application awareness (identifying the application rather than just the port). NGFWs offer
comprehensive security but need more resources and management.
• Proxy firewall
Acts as an intermediary between the Internet and the internal network: clients connect to the proxy, which evaluates
each request against security rules and then opens its own connection to the destination, so no packet passes
straight through.
• Hardware firewall
An independent appliance placed at the network boundary that filters incoming and outgoing traffic for the whole
network. Hardware firewalls are also called appliance firewalls.
• Cloud firewall
Also called firewall as a service (FWaaS); a firewall hosted by a cloud provider that filters traffic before it reaches
the company's internal network, often combined with proxy functions.
• Application-level firewall
Also called an application-level gateway or proxy firewall; it filters traffic at the application layer of the OSI
model, so it understands protocols such as HTTP, FTP and SMTP and can block specific commands or content.
• Circuit-level gateway firewall
Operates at the session/transport layer; it verifies that a TCP connection is set up legitimately (a valid handshake
between an allowed client and server) and then relays the data without inspecting its contents.
• Web application firewall (WAF)
Protects web applications, web servers and APIs by inspecting and filtering HTTP traffic. WAFs protect against
threats such as cross-site scripting (XSS), SQL injection and file inclusion.

(f) List two protocols in IP Sec. State its function.


Ans.
• Authentication Header (AH)
Provides data-origin authentication, connectionless integrity and anti-replay protection for IP packets, but no
confidentiality. AH adds a sequence number and an Integrity Check Value (ICV), a message authentication code
(an HMAC such as HMAC-SHA-256; the older HMAC-MD5 is no longer recommended) computed over the packet,
so the receiver can detect modification, forgery or replay.
• Encapsulating Security Payload (ESP)
Encrypts the payload for confidentiality and (in its authenticated mode) also provides integrity, authentication and
anti-replay protection. ESP is the protocol used by almost all IPSec VPNs today.
• Internet Key Exchange (IKE)
Negotiates the algorithms and secret keys and establishes security associations (SAs) between two tunnel
endpoints. IKE operates in two phases: the first establishes the IKE SA that protects the negotiation, the second
establishes the IPSec (AH/ESP) SAs.
• IKEv2
The current version of IKE; it is a key-management protocol, not a tunneling protocol itself. It runs over UDP port
500, and over UDP port 4500 when NAT traversal is needed; the IPSec SAs it sets up are typically protected with
AES (3DES is legacy).
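The integrity and anti-replay mechanism that AH and ESP share, as an added example that is not part of the original answer: the sender numbers each packet and attaches an ICV (here HMAC-SHA-256 truncated to 128 bits, as RFC 4868 specifies for IPsec); the receiver checks the ICV and then applies a sliding window of the kind described in RFC 4303 Appendix A to drop duplicates and stale packets. The key, the packets and the reduced "header" (just the sequence number) are constructed for the demonstration.

```python
"""Integrity and anti-replay protection as AH/ESP provide it (question 1(f)).
The sender stamps each packet with a monotonically increasing sequence number
and an Integrity Check Value (an HMAC over header and payload); the receiver
verifies the ICV and then rejects sequence numbers already seen or older than
its sliding window (the scheme of RFC 4303 Appendix A). Added example; the
key and packets are constructed and the 'header' is reduced to the sequence
number."""
import hashlib
import hmac
import struct
from typing import Tuple

KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed SA key
ICV_LEN = 16   # HMAC-SHA-256-128: the 32-byte tag truncated to 16 bytes (RFC 4868)


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: seq || payload || ICV. The ICV covers the sequence number
    too, so an attacker cannot replay old data under a fresh number."""
    body = struct.pack(">I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    """Keeps the highest sequence number accepted and a bitmap of the last
    `window` numbers: bit i set means seq (highest - i) was already received.
    RFC 4303 does a preliminary window check before the ICV; here the ICV is
    checked first, which gives the same accept/reject decisions and makes
    sure the window is only updated for authenticated packets."""

    def __init__(self, key: bytes = KEY, window: int = 64):
        self.key, self.window = key, window
        self.highest = 0          # sequence numbers start at 1
        self.bitmap = 0

    def accept(self, packet: bytes) -> Tuple[bool, str]:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"            # modified, forged or wrong key
        seq = struct.unpack(">I", body[:4])[0]
        if seq > self.highest:                 # new high-water mark: slide
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True, "ok"
        offset = self.highest - seq
        if offset >= self.window:
            return False, "too old"            # outside the window: dropped
        if self.bitmap & (1 << offset):
            return False, "replay"             # duplicate inside the window
        self.bitmap |= 1 << offset             # late, but seen for the first time
        return True, "ok (out of order)"


if __name__ == "__main__":
    rx = Receiver()
    first = protect(1, b"hello")
    print(rx.accept(first))                    # (True, 'ok')
    print(rx.accept(first))                    # (False, 'replay')
    print(rx.accept(first[:-1] + b"\x00"))     # (False, 'bad ICV')
```

The window size of 64 is the RFC 4303 default minimum; an implementation must keep it because a packet that has fallen behind the window cannot be distinguished from a replay and has to be dropped.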

(g) Classify the following cyber crime :


(i) Cyber terrorism against a government organization
(ii) Cyber – Stalking
(iii) Copyright infringement
(iv) Email harassment
Ans.
(i) Cyber Terrorism against a Government Organization
• Category: Cyber crime against the government (and against society at large).
• Description: Involves politically motivated attacks on the information systems, networks and databases of
government organizations to cause harm, disrupt operations or create fear. The primary objective is to
destabilize government services or influence political decisions.
(ii) Cyber Stalking
• Category: Cyber crime against an individual.
• Description: Refers to the use of digital platforms (e.g., social media, e-mail, messaging) to stalk or harass an
individual. It involves persistent, unwanted attention that causes the victim emotional distress or fear.
(iii) Copyright Infringement
• Category: Cyber crime against property (intellectual property).
• Description: Involves the illegal reproduction, distribution or use of copyrighted material (e.g., software, music,
movies) without permission from the rights holder. This includes piracy and unauthorized downloading or
distribution of copyrighted works.
(iv) Email Harassment
• Category: Cyber crime against an individual.
• Description: Involves sending threatening, abusive or offensive e-mails to an individual or group, often with the
intention to intimidate, cause emotional harm or annoy the recipient. It falls under cyber harassment because
electronic communication is used to harass the target.

2. Attempt any THREE of the following : 12


(a) Explain basic principles of information security.
Ans.Basic Principles of information security

Fig CIA Triad of information security


1. Confidentiality: The goal of confidentiality is to ensure that only those individuals who have the authority can
view a piece of information. The principle of confidentiality specifies that only the sender and the intended
recipients should be able to access the contents of a message; confidentiality is compromised if an unauthorized
person is able to read the contents of a message (e.g., by interception).
2. Authentication: Authentication helps to establish proof of identity. The authentication process ensures that the
origin of a message is correctly identified, i.e. that an individual or system is who it claims to be and not an
impostor.
3. Integrity: Integrity deals with the creation and modification of data. Only authorized individuals should ever be
able to create, change or delete information. When the contents of a message are changed after the sender sends it
but before it reaches the intended recipient, we say that the integrity of the message is lost.
4. Availability: The "A" of the CIA triad in the figure; information and services must be accessible to authorized
users whenever they are needed. A denial-of-service attack that makes a server unreachable violates availability even
though no data is disclosed or altered.
(b) Explain any two password attacks.
Ans.
A password attack (also called password cracking) is any attempt by an attacker to obtain or guess a user's
password, whether by tricking the user, by trying candidates against the live system, by observing traffic, or by
working offline on stolen password hashes. A successful attack gives the attacker the victim's access and any
sensitive information behind it. Weak and reused passwords make every category easier: if a user chooses an easy
password such as a name plus digits (e.g., pooja123) or a date of birth for LinkedIn and uses the same password on
Facebook, cracking the LinkedIn password immediately gives the attacker the Facebook account as well.
1. Non-Electronic Attacks – Usually the attacker's first choice because they need no technical knowledge of the
target system. The password is obtained from people rather than machines, using social engineering, dumpster
diving, shoulder surfing and similar techniques.
2. Active Online Attacks – The attacker interacts directly with the target machine, submitting candidate passwords
or injecting credentials, which is the most direct route to administrator-level access. Techniques include dictionary
attacks, brute forcing, password guessing, hash injection (pass-the-hash), phishing, LLMNR/NBT-NS poisoning, and
planting Trojans, spyware or keyloggers. Because every attempt reaches the server, these attacks are noisy and can be
slowed by account lockout and rate limiting.
3. Passive Online Attacks – The attacker does not interact with or change the target system; he or she silently
monitors or records the data passing over the communication channel to and from the server, and later uses the
captured credentials or hashes to break in. Techniques include wire sniffing, man-in-the-middle attacks and replay
attacks.
4. Offline Attacks – The attacker first obtains a dump of password hashes (e.g., from a stolen database or a
captured SAM or shadow file) and then tries to recover the clear-text passwords on his or her own hardware, where
there is no lockout and no logging. Such attacks can be slow but are effective because human-chosen passwords have
a small keyspace and limited length. Attackers use dictionary and brute-force cracking, precomputed hashes from
rainbow tables (defeated by per-user salts), and distributed cracking across many machines.
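The offline attack of category 4, as an added example that is not part of the original answer: a dump of hashes is attacked with a small constructed wordlist, once against an unsalted SHA-256 scheme (where a precomputed lookup table cracks every weak password instantly) and once against a salted PBKDF2 scheme (where every candidate must be hashed per user). The accounts, passwords, wordlist and iteration count are all constructed for the demonstration.

```python
"""Offline password attack (question 2(b), category 4): the attacker holds a
dump of password hashes and tests candidates locally. Shows why an unsalted
dump falls to a precomputed table and why per-user salts force the attacker
to pay the full hashing cost for every user. All data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST: List[str] = ["123456", "password", "pooja123", "letmein", "qwerty", "Summer2023"]
ITERATIONS = 50_000   # kept low so the demo is quick; production uses far more


def unsalted_hash(password: str) -> str:
    """Weak storage scheme: plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precomputed hash -> password table (the idea behind rainbow tables).
    Built once, then reusable against every unsalted dump ever stolen."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per user; no hashing at attack time."""
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Dict[str, str]:
    """Salts make the table useless: every (user, candidate) pair must be hashed
    afresh, so the work grows with the number of users."""
    found = {}
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            if hmac.compare_digest(salted_hash(candidate, salt), digest):
                found[user] = candidate
                break
    return found


def constructed_dumps() -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, str]]]:
    """Three constructed accounts; 'alice' uses a password outside the wordlist."""
    users = {"pooja": "pooja123", "admin": "Summer2023", "alice": "x9!Qm#v2Lp"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_hash(p, salt))
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = constructed_dumps()
    print(crack_unsalted(unsalted, build_lookup_table(WORDLIST)))   # pooja and admin fall
    print(crack_salted(salted, WORDLIST))                           # same two, far more work
```

Both runs recover the same two weak passwords, which is the point: salting does not rescue a password that is in the attacker's wordlist, it only removes the precomputation shortcut and multiplies the cost by the number of users; a slow hash multiplies it again by the iteration count.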

(c) Describe digital signature technique using message digest.


Ans.
Digital Signatures are a cryptographic technique used to verify the authenticity and integrity of a digital message. They
provide a way to ensure that a message has not been altered or tampered with since it was signed, and that it originated
from the claimed sender.
Message Digest is the fixed-size output of a cryptographic hash function applied to an input message, also called a hash
value or digest. It acts as a compact fingerprint of the message: any change to the message changes the digest, and it is
infeasible to find two different messages with the same digest.
How Digital Signatures Work with Message Digest
1. Message Hashing:
a. The sender calculates the hash of the original message using a cryptographic hash function (e.g., SHA-256,
SHA-3). Signing the short digest instead of the whole message is much faster and works for a message of any length.
2. Digital Signing:
a. The sender applies their private key to the hash value (in textbook RSA this is described as "encrypting" the hash
with the private key). The result is the digital signature. The sender transmits the original message together with the
digital signature to the recipient.
3. Signature Verification:
a. The recipient receives the message and the digital signature.
b. They apply the sender's public key to the digital signature, which recovers the hash value the sender signed.
c. The recipient calculates the hash of the received message using the same hash function used by the sender.
d. If the recovered hash value matches the calculated hash value, the signature is verified, and the message is
considered authentic and unaltered. Any mismatch means the message was modified or the signature was not made
with the matching private key.
Key Components
• Cryptographic Hash Function: A function that takes an input and produces a fixed-size output. It should be
collision-resistant, meaning it is infeasible to find two different messages that produce the same hash.
• Public-Key Cryptography: A system using a pair of keys, a public key and a private key. For confidentiality the
public key encrypts and the private key decrypts; for signatures the roles are reversed: the private key signs and the
public key verifies, so anyone can check a signature but only the key holder can create one.
• Digital Signature Algorithm: The specific algorithm used to create and verify digital signatures (e.g., RSA with
PKCS#1 padding, DSA, ECDSA, EdDSA).
Benefits of Digital Signatures
• Authentication: Verifies the identity of the sender.
• Integrity: Ensures that the message has not been altered or tampered with.
• Non-Repudiation: Prevents the sender from denying that they sent the message, since only the holder of the private
key could have produced the signature.
• Confidentiality: Digital signatures do not by themselves hide the message; they are combined with encryption when
both confidentiality and authenticity are required.
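The three steps above carried out in code, as an added example that is not part of the original answer: textbook RSA with SHA-256, using two fixed Mersenne primes so that no prime generation is needed. Those primes are an assumption made for the demonstration (a key built from publicly known primes is trivially factorable), and the bare, unpadded digest is what makes textbook RSA signatures forgeable; real systems use a library implementation of RSA-PSS or ECDSA with freshly generated keys.

```python
"""Digital signature over a message digest (question 2(c)): hash, then apply
the private key to the digest; the verifier applies the public key and
compares with a fresh digest. Textbook RSA on fixed primes, for illustration
only; real code uses a library with RSA-PSS or ECDSA and fresh random keys."""
import hashlib

# Two Mersenne primes (2^521 - 1 and 2^607 - 1) so the example needs no prime
# generation. Fixed, publicly known primes make this key trivially factorable:
# demonstration only, never a real key.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q                                   # public modulus (~1128 bits)
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python >= 3.8)


def message_digest(message: bytes) -> int:
    """Step 1: fixed-size fingerprint (SHA-256) of the message, as an integer.
    256 bits < N, so it can be fed to the RSA operation directly. Real schemes
    pad the digest (PKCS#1 v1.5 or PSS) before this step; the bare digest used
    here is what makes textbook RSA signatures forgeable and is left out only
    to keep the mechanics visible."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: the sender applies the private key to the digest."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Step 3: the recipient applies the public key to the signature, which
    recovers the signed digest, and compares it with the digest of the message
    actually received. Any change to message or signature breaks the match."""
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    msg = b"Transfer 500 rupees to account 42"
    sig = sign(msg)
    print(verify(msg, sig))                                     # True
    print(verify(b"Transfer 5000 rupees to account 42", sig))   # False: message modified
    print(verify(msg, sig ^ 1))                                 # False: signature corrupted
```

Verification only ever needs (E, N), which is the part published in a digital certificate; the signer keeps D, and that asymmetry is what gives non-repudiation.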

(d) Explain steganography technique with an example.


Ans.
Steganography: Steganography is the art and science of writing hidden messages in such a way that no one apart from
the sender and the intended recipient suspects the existence of the message.
Steganography works by replacing bits of redundant or perceptually unimportant data in regular computer files (such
as images, sound, text, HTML or even unused disk space) with bits of different, invisible information. This hidden
information can be plain text, cipher text or even images. In modern steganography, data is first encrypted by the usual
means and then inserted, using a special algorithm, into redundant data that is part of a particular file format such as a
JPEG image.
Steganography process:
Cover-media + Hidden data + Stego-key = Stego-medium
Cover media is the file in which we will hide the data; the hidden data may also be encrypted using the stego-key,
and the stego-key can decide where in the cover the data goes. The resultant file is the stego-medium. Cover media can
be an image or an audio file. Steganography takes cryptography a step further by hiding an encrypted message so that
no one suspects it exists; ideally, anyone scanning your data will fail to realise that it contains encrypted data.
Steganography has drawbacks compared with encryption: it requires a lot of overhead to hide relatively few bits of
information, and if the method is known the hidden data can be detected statistically (steganalysis).
Example: Least Significant Bit (LSB) substitution in an image. Each pixel of an 8-bit grayscale image is a number
from 0 to 255. Changing only the lowest bit of a pixel alters its brightness by at most 1, which the eye cannot see, so
one bit of the secret message can be stored in each pixel. The letter "A" (01000001) would be spread over the low bits
of eight pixels; the recipient, knowing the method and the order of the pixels, reads the low bits back out. In this way
one can hide text, data, another image, sound or video behind an image.
Applications :
1. Confidential communication and secret data storing
2. Protection against data alteration (watermarking)
3. Access control system for digital content distribution
4. Media database systems
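The LSB example above implemented end to end, as an added example that is not part of the original answer: a byte array stands in for the pixels of a grayscale image, the stego-key determines the (pseudo-random) order in which pixels are used, a 32-bit length header precedes the payload, and a helper measures how much the cover changed. The cover, the secret and the key are constructed for the demonstration.

```python
"""LSB steganography, the example for question 2(d): one bit of the secret is
written into the least significant bit of each cover byte (standing in for
the pixels of an 8-bit grayscale image). A stego-key seeds the order in which
pixels are used, so without the key an extractor reads noise. Added example;
the cover and the secret are constructed."""
import hashlib
import random
from typing import List

HEADER_BITS = 32          # first 32 embedded bits: payload length in bytes


def _positions(key: str, cover_len: int) -> List[int]:
    """Stego-key -> deterministic pseudo-random permutation of pixel indices."""
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    order = list(range(cover_len))
    random.Random(seed).shuffle(order)
    return order


def _to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(cover: bytes, payload: bytes, key: str) -> bytes:
    """Cover-media + hidden data + stego-key = stego-medium.
    Each cover byte changes by at most 1, invisible in an image."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload too large: capacity is one bit per cover byte")
    stego = bytearray(cover)
    for bit, pos in zip(bits, _positions(key, len(cover))):
        stego[pos] = (stego[pos] & 0xFE) | bit      # overwrite only the LSB
    return bytes(stego)


def extract(stego: bytes, key: str) -> bytes:
    """Read the LSBs back in key order: length header first, then payload.
    A wrong key yields a garbage header, so the length check usually fails."""
    bits = [stego[pos] & 1 for pos in _positions(key, len(stego))]
    length = int.from_bytes(_from_bits(bits[:HEADER_BITS]), "big")
    if HEADER_BITS + 8 * length > len(bits):
        raise ValueError("no valid payload for this key")
    return _from_bits(bits[HEADER_BITS:HEADER_BITS + 8 * length])


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How visible is the embedding? LSB substitution never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def constructed_cover(n: int = 4000) -> bytes:
    """Stand-in for an image: n pseudo-random 8-bit pixel values."""
    rng = random.Random(7)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed(cover, b"Meet at the old bridge, 21:00", "stego-key-1")
    print(extract(stego, "stego-key-1"))      # b'Meet at the old bridge, 21:00'
    print(max_pixel_change(cover, stego))     # 1
```

Because the payload is written unencrypted here, anyone who knows the method and guesses the key can read it; in practice the payload is encrypted first, exactly as the answer describes, so that even a successful extraction yields only cipher text.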
3. Attempt any THREE of the following : 12
(a) Describe :
(i) Piggybacking
(ii) Dumpster diving
Ans.
Piggybacking: In physical security, piggybacking (also called tailgating) is the simple process of following closely
behind a person who has just used their own access card or PIN to gain physical access to a room or building. The
attacker thus enters the facility without knowing the access code or acquiring an access card; it happens whenever an
authorized person, intentionally or unintentionally, allows others to pass through a secure door with them.
The term is also used for network access: piggybacking on Internet access is the practice of establishing a wireless
Internet connection by bringing one's own computer within range of another subscriber's wireless access point and
using that service without the subscriber's explicit permission or knowledge. This is sometimes referred to as "Wi-Fi
squatting". The usual purpose is simply to gain free network access rather than anything malicious, but it can slow
down data transfer for legitimate users and, because the traffic appears to come from the subscriber's connection,
anything the piggybacker does is attributed to the subscriber.
Dumpster Diving: There is a well-known saying, "One man's trash is another man's treasure": what one person
considers worthless may be of high value to another. The concept of dumpster diving relies on this idea.
In information security, dumpster diving is the process of searching through trash (discarded printouts, sticky notes,
organization charts, old hard disks and backup media) to obtain useful information about a person or business that can
later be used for an attack. It mostly targets large organizations; the names, internal jargon and contact details found
are typically used to craft convincing phishing e-mails that appear to come from a legitimate source, and the personal
data obtained by compromising the victim's confidentiality is used for identity fraud. Shredding documents and wiping
media before disposal are the usual countermeasures.

(b) Consider plain text “CERTIFICATE” and convert it into cipher text using Caesar Cipher with a shift of
position 4. Write steps for encryption.
Ans.
Caesar Cipher replaces each letter of the plain text with the letter that stands a fixed number of positions further
along the alphabet (here 4), wrapping around from Z to A.
Steps for encryption:
1. Number the letters A = 0, B = 1, ..., Z = 25.
2. For each plain-text letter P, compute C = (P + 4) mod 26.
3. Replace the letter with the letter numbered C.
Plain text:  C  E  R  T  I  F  I  C  A  T  E
Positions:   2  4  17 19 8  5  8  2  0  19 4
Shift by 4:  6  8  21 23 12 9  12 6  4  23 8
Cipher text: G  I  V  X  M  J  M  G  E  X  I
Cipher text = GIVXMJMGEXI
Decryption uses the same steps with C = (P - 4) mod 26; because there are only 25 possible shifts, the cipher is
broken by simply trying them all.

(c) State the use of packet filters. Explain its operation.


Ans.
Uses of Packet Filters
1. Traffic Control: Packet filters manage the flow of network traffic by allowing or blocking packets based on defined
rules, which helps in limiting unwanted traffic and preventing congestion.
2. Access Control: By examining packet headers, packet filters enforce access control policies. They allow or deny
traffic based on source and destination IP addresses, protocol (e.g., TCP, UDP, ICMP) and port numbers, which
restricts unauthorized access to the network.
3. Network Security: Packet filtering is a basic component of network security. It can help protect against attacks
such as:
i. Denial of Service (DoS) attacks: blocking traffic from known-bad sources or blocking unneeded services.
ii. Port Scanning: dropping packets sent to ports that are not meant to be reachable from outside.
4. Firewall Functionality: Packet filters are the foundational element of firewalls. They analyze incoming and
outgoing packets and apply security rules to determine whether to allow or block them according to the
organization's security policy.
5. Protocol Filtering: Packet filters can block specific protocols. For example, blocking certain ICMP types can help
prevent ping-based attacks (ping floods, ping sweeps).
6. Network Monitoring: Packet filters can log matched or dropped packets, which is useful for monitoring network
activity, identifying unusual behaviour and gathering statistics.
7. Quality of Service (QoS): Packet classification by header fields can be used to prioritize certain types of traffic,
e.g., VoIP or video conferencing over bulk file downloads.
8. NAT (Network Address Translation): Packet filtering devices are often the same devices that perform NAT,
translating private IP addresses to a public IP address for Internet access while filtering incoming traffic.
Operation of a Packet Filter
A packet filter works at the network and transport layers and examines each packet independently. It reads the
header fields (source IP address, destination IP address, protocol, source port, destination port and TCP flags) and
compares them, in order, with a table of rules configured by the administrator. Each rule names the header values it
matches and an action (allow or deny). The first rule that matches decides the fate of the packet; if no rule matches,
the default policy applies, which in a secure configuration is "deny". Because a simple (stateless) packet filter does
not remember previous packets, it cannot tell whether an inbound packet is the reply to a connection that an inside
host opened; stateful packet filters add a connection table to make that distinction.

(d) State the features of (i) DAC (ii) MAC.


Ans.
DAC (Discretionary Access Control):
DAC is identity-based access control: access decisions depend on the identity of the authenticated user (or the groups
the user belongs to). It is discretionary because the owner of an object decides, at their own discretion, which other
users may access it and with what rights, and can pass those rights on to others.
Examples: Linux/UNIX file permissions (owner, group, other; chmod and chown) and Windows NTFS permissions set
by the file owner are examples of DAC.
Features:
1. Owner-Based Control: The owner or creator of a resource (e.g., file, directory) has the authority to determine who
can access or modify that resource and can grant or revoke access permissions at their discretion.
2. Flexible Access Control: Permissions can be changed easily, so users can share resources with others simply by
editing the access control list (ACL) or file permissions.
3. Granular Permissions: Access can be granted at different levels, such as read, write, execute or delete, allowing
fine-grained control over resource usage.
4. Access Control Lists (ACLs): DAC typically uses ACLs to specify which users or groups have what types of
access to a resource.
5. Less Secure Compared to MAC: Because users control the resources they own, a malicious or careless user (or
malware running with that user's rights) can share sensitive information with unauthorized users, making DAC
unsuitable on its own for highly sensitive environments.
6. Common in General Systems: DAC is the default in general-purpose operating systems such as Windows and
UNIX/Linux, where individual users manage permissions for their files and directories.
7. Identity-Based Access: Access is granted based on the identity of the user or a group to which the user belongs;
permissions are tied to user accounts or groups defined in the system.
MAC (Mandatory Access Control):
In MAC the operating system itself decides access by comparing a security label (clearance) attached to the user or
process with a security label (classification) attached to the data. The rules are set by a security administrator and
enforced by the system; neither the owner of the data nor ordinary users can relax them. MAC policy management is
limited to the system administrators.
Examples: SELinux and AppArmor on Linux, and Mandatory Integrity Control in Windows (the integrity levels that
keep a low-integrity browser process from writing to user files), are examples of MAC.
Features:
1. Centralized Policy Management: Access control policies are defined and enforced by a central authority, not by
individual users, so access control is consistent and cannot be altered by end users.
2. Hierarchical Classification: MAC uses security labels or classifications (e.g., Top Secret, Secret, Confidential,
Unclassified) and assigns them to both subjects (users, processes) and objects (files, directories). A subject can read an
object only if its clearance level meets or exceeds the object's classification level.
3. Strict Access Control: Access decisions are made from predefined rules and security labels, not user discretion.
Even the owner of a file cannot change its security label or grant access to others.
4. No User-Driven Permission Changes: Users cannot alter access permissions for resources, which prevents
unintentional or malicious sharing of sensitive data.
5. Highly Secure Environment: MAC is designed to prevent unauthorized information flow; in the Bell-LaPadula
model a subject may not read data above its clearance ("no read up") and may not write data to a lower
classification ("no write down"), so classified data cannot leak downward even through a careless user or a Trojan.
6. Non-Discretionary Access: The policy is enforced across the entire system, independent of the wishes of any
individual user.
7. Policy Enforcement Based on Sensitivity Labels: Sensitivity labels define the clearance of users and the
classification of data, and every access is checked against them.
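The two models side by side, as an added example that is not part of the original answer: a DAC file whose owner edits an ACL at will, and a MAC file whose access is decided purely by comparing labels under the Bell-LaPadula rules, where the owner has no say and only a security administrator may relabel. The users, files, labels and the single administrator account are constructed for the demonstration.

```python
"""DAC versus MAC (question 3(d)). DAC: the owner of an object edits its ACL
at their discretion. MAC: the system compares the subject's clearance with the
object's sensitivity label and the owner cannot override the result; only a
security administrator may relabel. Users, files and labels are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
SECURITY_ADMINS = {"secadmin"}        # the central authority for MAC labels


# ---------------- DAC: owner-controlled access-control list ----------------
@dataclass
class DacFile:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # user -> rights

    def grant(self, by: str, to: str, right: str) -> None:
        """Only the owner edits the ACL; that is what 'discretionary' means,
        and also why a careless owner can leak the file to anyone."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this file")
        self.acl.setdefault(to, set()).add(right)

    def allowed(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())


# ---------------- MAC: label comparison enforced by the system ----------------
@dataclass
class MacFile:
    owner: str
    label: str              # classification of the data, e.g. "secret"


def mac_allowed(clearance: str, f: MacFile, right: str) -> bool:
    """Bell-LaPadula rules. read: clearance must dominate the label (no read
    up). write: clearance must not exceed the label (no write down), so a
    secret-cleared process cannot copy secret data into an unclassified file.
    Ownership plays no part in the decision."""
    c, l = LEVELS[clearance], LEVELS[f.label]
    if right == "read":
        return c >= l
    if right == "write":
        return c <= l
    raise ValueError(f"unknown right {right!r}")


def relabel(f: MacFile, by: str, new_label: str) -> None:
    """Labels are changed by the security administrator only, never by the
    file's owner: the non-discretionary part of MAC."""
    if by not in SECURITY_ADMINS:
        raise PermissionError(f"{by} may not change MAC labels")
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    f.label = new_label


if __name__ == "__main__":
    payroll = DacFile(owner="alice")
    payroll.grant("alice", "bob", "read")              # DAC: owner shares at will
    print(payroll.allowed("bob", "read"))              # True

    plan = MacFile(owner="alice", label="secret")
    print(mac_allowed("confidential", plan, "read"))   # False: no read up
    print(mac_allowed("top secret", plan, "write"))    # False: no write down
```

Real systems layer the two: SELinux or Windows integrity levels decide first, and only if MAC permits the access does the ordinary DAC permission check run.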

4. Attempt any THREE of the following : 12


(a) Convert the given plain text into cipher text using simple columnar technique using the following data :
 Plain text : NETWORK SECURITY

 Number columns : 06
 Encryption key : 632514

Ans.
Simple columnar transposition writes the plain text row by row into a grid with the given number of columns and
then reads it out column by column, taking the columns in the order given by the key. Spaces are dropped, so the
message is NETWORKSECURITY (15 letters), written in 3 rows of 6 columns:
Column:  1  2  3  4  5  6
Row 1:   N  E  T  W  O  R
Row 2:   K  S  E  C  U  R
Row 3:   I  T  Y
Key 632514 means read column 6 first, then 3, 2, 5, 1 and 4 (this is the usual reading of the key; if the key is
instead read as the rank of each column, the order is 5, 4, 2, 6, 3, 1 and the result differs):
Column 6: R R
Column 3: T E Y
Column 2: E S T
Column 5: O U
Column 1: N K I
Column 4: W C
Cipher text = RRTEYESTOUNKIWC
Decryption reverses the process: the receiver knows the key and the message length, so it knows that columns 1 to 3
hold three letters and columns 4 to 6 hold two, refills the columns in key order and reads the grid row by row.
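The two classical ciphers of questions 3(b) and 4(a), as an added example that is not part of the original answers: Caesar shift and simple columnar transposition, each with its decryption routine, plus a brute-force Caesar key recovery to show the cryptanalysis side of question 1(c). The key "632514" is read as the column reading order (column 6 first), which is an assumption made explicit in the code.

```python
"""Classical ciphers from questions 3(b) and 4(a): Caesar shift and simple
columnar transposition, each with its decryption routine, plus the brute-force
key recovery that shows why a 25-key cipher gives no real security."""
import string
from typing import List, Optional

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Replace each letter by the one `shift` positions later, wrapping Z -> A.
    Letters are upper-cased; anything else (spaces, digits) is left unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the negative shift."""
    return caesar_encrypt(ciphertext, -shift)


def caesar_brute_force(ciphertext: str, crib: str) -> Optional[int]:
    """Cryptanalysis: only 25 keys exist, so try every one and return the
    shift whose plain text contains a word the attacker expects (a 'crib')."""
    for shift in range(1, 26):
        if crib.upper() in caesar_decrypt(ciphertext, shift):
            return shift
    return None


def _read_order(key: str) -> List[int]:
    """Assumed key convention: '632514' means column 6 first, then 3, 2, 5,
    1, 4 (columns numbered from 1). Returns zero-based indices in that order."""
    return [int(d) - 1 for d in key]


def columnar_encrypt(plaintext: str, key: str) -> str:
    """Write the text row by row into len(key) columns, then read the columns
    out in key order. The last row may be short, hence the length guard."""
    text = plaintext.replace(" ", "").upper()
    width = len(key)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in _read_order(key) for row in rows if c < len(row))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    """Rebuild the grid: the receiver knows the key and the length, so it knows
    which columns are one character taller, slices the cipher text into those
    columns in key order, then reads the grid row by row."""
    width = len(key)
    full_rows, extra = divmod(len(ciphertext), width)
    heights = [full_rows + (1 if c < extra else 0) for c in range(width)]
    columns = [""] * width
    pos = 0
    for c in _read_order(key):
        columns[c] = ciphertext[pos:pos + heights[c]]
        pos += heights[c]
    total_rows = full_rows + (1 if extra else 0)
    return "".join(columns[c][r] for r in range(total_rows)
                   for c in range(width) if r < heights[c])


if __name__ == "__main__":
    print(caesar_encrypt("CERTIFICATE", 4))                # GIVXMJMGEXI
    print(columnar_encrypt("NETWORK SECURITY", "632514"))  # RRTEYESTOUNKIWC
```

Transposition keeps every plain-text letter, so the letter frequencies of the cipher text match those of English; that is the tell an analyst uses to recognise a transposition, just as a crib or frequency count recovers a Caesar shift in one pass.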

(b) State the working principle of application gateways. Describe circuit gateway operation.
Ans.
Working Principle of Application Gateways
An application gateway (application-level proxy) never lets a client packet pass straight through to the server.
The client's connection terminates at the gateway, the gateway examines the request at the application layer, and only
if policy allows does it open a second, separate connection to the real server on the client's behalf.
1. Proxy Server Functionality:
a. Application gateways act as intermediaries between clients and servers. When a client wants to access a service
(e.g., a web server, e-mail server), the request is sent to the application gateway rather than directly to the server.
b. The application gateway forwards the client's request to the intended server and receives the server's response,
which it then sends back to the client. Neither side ever talks to the other directly, which hides the internal client
from the server and vice versa.
2. Protocol Inspection:
a. Application gateways are written to understand specific application protocols (e.g., HTTP, FTP, SMTP). They
analyze the content of the traffic at a deeper level than packet filters, which only examine header information.
b. By inspecting the application data, the gateway can enforce security policies, such as refusing dangerous
commands (e.g., FTP PUT) or filtering out harmful content.
3. Access Control:
a. Application gateways implement access control so that only authorized users can reach specific services, by
checking user credentials and permissions before forwarding requests to the server.
b. For example, a web proxy might require users to authenticate themselves before allowing them to access certain
websites.
4. Traffic Filtering:
a. Application gateways can filter traffic based on content, such as blocking specific URLs, keywords or file types,
which is useful for enforcing corporate policies on web usage or for blocking access to malicious sites.
b. By filtering content, they help prevent the download of malware or other harmful files.
5. Logging and Monitoring:
a. Application gateways log the traffic that passes through them at the level of requests (URLs, commands, user
names), which can be used for monitoring, auditing and troubleshooting; administrators can analyze these logs to
detect suspicious activity or compliance violations.
b. The logs also aid forensic investigations following security incidents.
6. Translation and Encryption:
a. Because it understands the protocol, a gateway can adapt or rewrite parts of it, e.g., rewriting headers or
addresses, or giving internal clients access to a service through a different protocol front end.
b. It can also terminate and originate encrypted sessions (e.g., TLS) so that traffic to and from the outside is
protected against eavesdropping while the gateway can still inspect it.
7. Session Management:
a. Application gateways maintain state about ongoing sessions, allowing more efficient handling of requests and
responses.
b. This is particularly useful for applications that need a persistent connection.
8. Load Balancing:
a. Some application gateways also distribute incoming requests among multiple back-end servers to balance load
and minimize response times.
b. This improves the overall performance and reliability of the services being accessed.
Disadvantage: because every protocol needs its own proxy module and every byte is parsed, application gateways
add latency and cannot handle protocols they do not understand.
Circuit Gateways
A circuit-level gateway (circuit gateway) is a firewall that operates at the transport layer (Layer 4 of the OSI
model). It does not permit an end-to-end TCP connection; instead it sets up two TCP connections, one between itself
and the inside host and one between itself and the outside host, and relays segments between them. Its security
function is performed when the connection (the "circuit") is set up: it decides which connections are allowed, based on
source and destination addresses, ports, the user or the time of day. Once the circuit is established, the gateway copies
data between the two connections without examining its contents. SOCKS is the best-known implementation.
Key Functions of Circuit Gateways
1. Connection Establishment:
a. The gateway accepts the client's connection request, which names the destination server and port, and decides
whether a circuit is permitted before any data flows.
b. It then opens its own connection to the server, so the server sees the gateway, not the client, as its peer.
2. Packet Forwarding:
a. Once the circuit is established, the gateway relays segments between client and server. It does not inspect the
application data; it only tracks transport-layer information (addresses, ports, sequence and connection state).
b. Ordering and retransmission are handled by the two TCP connections themselves; the gateway's job is to
maintain the association between them.
3. Security and Access Control:
a. The gateway acts as a barrier between the inside and outside networks: an outside host can never open a
connection to an inside host directly, only to the gateway, and only if policy permits.
b. It can require authentication of the client (SOCKS5 supports this) and logs which circuits were opened.
4. Session Management:
a. The gateway keeps a table of active circuits (client connection, server connection, state) so that it can relay data
for many sessions at once and clean up when either side closes.
Circuit Gateway Operation
The operation of a circuit gateway can be broken down into the following steps:
1. Connection Request: The client connects to the gateway and asks it to open a circuit to a given server and port
(in SOCKS this is the CONNECT request).
2. Establishing the Circuit: The gateway checks the request against its policy (is this client allowed to reach this
server on this port?). If authorized, it opens a TCP connection to the server and tells the client the circuit is ready.
3. Data Transmission: Data sent by the client on its connection is copied to the server connection and vice versa,
without inspection of the application data.
4. Monitoring and Management: The gateway keeps the circuit's state (byte counts, idle time) and can terminate
circuits that time out or violate policy.
5. Connection Termination: When either side closes its connection, the gateway closes the other, releases the
resources and logs the session details for auditing.
Advantages of Circuit Gateways
• Simplicity: Circuit gateways are simpler to configure and manage than application-layer gateways, and one
gateway serves any TCP application.
• Performance: Since they operate at the transport layer and do not perform deep packet inspection, circuit
gateways add little latency.
• Transparency: Connection details are abstracted away; with a SOCKS-capable client the user simply uses the
application as usual.
Limitation: because the contents are not inspected, a circuit gateway cannot stop an attack carried inside an allowed
connection (e.g., a malicious HTTP request to an allowed web server); that needs an application gateway.
Use Cases
• Virtual Private Networks and remote access: allowing remote users or branch offices to open connections into a
corporate network through a single controlled point.
• Providing outbound Internet access for internal hosts on a private network without exposing them directly to the
outside (SOCKS proxies are commonly used this way).

(c) Describe DMZ with an example.


Ans.DMZ (Demilitarized Zone): It is a computer host or small network
inserted as a “neutral zone†in a company‟s private network and the
outside public network. It avoids outside users from getting direct
access to a company‟s data server. A DMZ is an optional but more
secure approach to a firewall. It can effectively acts as a proxy server.
The typical DMZ configuration has a separate computer or host in
network which receives requests from users within the private
network to access a web sites or public network. Then DMZ host
initiates sessions for such requests on the public network but it is not
able to initiate a session back into the private network. It can only
forward packets which have been requested by a host. The public
network‟s users who are outside the company can access only the
DMZ host. It can store the company‟s web pages which can be served
to the outside users. Hence, the DMZ can‟t give access to the other
company‟s data. By any way, if an outsider penetrates the DMZ‟s
security the web pages may get corrupted but other company‟s
information can be safe.

Examples:
1) Web servers
It‟s possible for web servers communicating with internal database
servers to be deployed in a DMZ. This makes internal databases more
secure, as these are the repositories responsible for storing sensitive
information. Web servers can connect with the internal database
server directly or through application firewalls, even though the DMZ
continues to provide protection.
2) DNS servers
A DNS server stores a database of public IP addresses and their
associated hostnames. It usually resolves or converts those names to
IP addresses when applicable. DNS servers use specialized software
and communicate with one another using dedicated protocols. Placing
a DNS server within the DMZ prevents external DNS requests from
gaining access to the internal network. Installing a second DNS
server on the internal network can also serve as additional security.
3) Proxy servers
A proxy server is often paired with a firewall. Other computers use it
to view Web pages. When another computer requests a Web page, the
proxy server retrieves it and delivers it to the appropriate requesting
machine. Proxy servers establish connections on behalf of clients,
shielding them from direct communication with a server. They also
isolate internal networks from external networks and save bandwidth
by caching web content.
(d) State the use of Digital Certificates. Describe the steps for digital certificate creation.
Ans.Uses of Digital Certificates
1. Authentication:
a. Digital certificates are used to authenticate the identity of an entity (e.g., a user, server, or device) in a
digital transaction.
b. For example, when accessing a secure website (HTTPS), the server presents a digital certificate to
prove its identity to the client (browser). This ensures that the client is connecting to the intended server
and not an imposter.
2. Data Encryption:
a. Digital certificates enable data encryption by providing the public key that can be used to encrypt
messages sent to the certificate owner.
b. This is commonly used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to
secure communication between a client and server, ensuring that data transmitted over the network is
confidential and protected against eavesdropping.
3. Digital Signatures:
a. Digital certificates are used to create digital signatures, which verify the integrity and authenticity of a
message, document, or piece of code.
b. When a digital certificate is used to sign data, it confirms that the data has not been altered since it was
signed and that it originated from the certificate holder.
4. Secure Web Browsing (HTTPS):
a. Web servers use digital certificates to implement HTTPS (Hypertext Transfer Protocol Secure), which
ensures secure communication between the browser and the web server.
b. When a user visits a secure website, the web server presents its digital certificate to the browser, which
verifies its authenticity before establishing an encrypted connection.
5. Email Security:
a. Digital certificates can be used in Secure/Multipurpose Internet Mail Extensions (S/MIME) to sign and
encrypt email messages.
b. This ensures that the recipient of an email can verify the sender's identity and that the contents of the
email have not been tampered with during transmission.
6. Code Signing:
a. Digital certificates are used by software developers to sign their code or software applications.
b. This assures users that the software they are downloading or installing comes from a trusted source and
has not been modified since it was signed by the developer.
7. User and Device Authentication:
a. Digital certificates can be used to authenticate users and devices in a network. For example, they are
often used in VPNs (Virtual Private Networks) and WLANs (Wireless Local Area Networks) to
authenticate remote users and devices connecting to the network.
8. Secure Financial Transactions:
a. Digital certificates are used in securing financial transactions, such as those performed on banking
websites or payment gateways.
b. They help confirm the authenticity of the payment service provider and enable secure transmission of
sensitive financial data.
9. Single Sign-On (SSO):
a. In SSO systems, digital certificates can be used to authenticate users across multiple applications or
systems without requiring them to log in multiple times.
b. This provides a seamless user experience and enhances security by reducing the number of credentials
that need to be managed.
10. Establishing Trust in Public Key Infrastructure (PKI):
a. Digital certificates play a critical role in the functioning of PKI systems, where they serve as the
foundation of trust by binding public keys to the identities of their owners.
b. Certificate Authorities (CAs) issue digital certificates, and entities rely on these CAs to validate the
authenticity of the certificates.

(e) Considering DES, find the output of the initial permutation box when the input is given in hexadecimal as
0x0000 0080 0000 0002.
Ans.
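The following added Python example (not part of the original answer key) implements the DES initial permutation table from FIPS 46-3 and traces the given input through it; the helper names are my own, and the inverse permutation is derived from the table rather than typed in.

```python
# DES initial permutation (IP). Bits are numbered 1..64 from the most significant
# bit, as in the DES standard: output bit i takes the value of input bit IP[i-1].
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def get_bit(block, pos):
    """Bit `pos` (1 = most significant) of a 64-bit block."""
    return (block >> (64 - pos)) & 1


def permute(block, table):
    """Generic DES-style permutation: walk the table, pulling one input bit per output bit."""
    out = 0
    for in_pos in table:
        out = (out << 1) | get_bit(block, in_pos)
    return out


def initial_permutation(block):
    return permute(block, IP)


def final_permutation(block):
    """IP^-1, built by inverting the IP table, so final_permutation(initial_permutation(x)) == x."""
    inverse = [0] * 64
    for out_pos, in_pos in enumerate(IP, start=1):
        inverse[in_pos - 1] = out_pos
    return permute(block, inverse)


def set_bits(block):
    """1-based positions of the 1 bits; useful for tracing a permutation by hand."""
    return [p for p in range(1, 65) if get_bit(block, p)]


if __name__ == "__main__":
    x = 0x0000_0080_0000_0002          # the question's input: only bits 25 and 63 are set
    y = initial_permutation(x)
    print(set_bits(x), "->", set_bits(y))   # [25, 63] -> [37, 57]
    print(f"0x{y:016x}")                    # 0x0000000008000080
```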

5. Attempt any TWO of the following : 12


(a) State the criteria for information classification. Explain information classification.
Ans. i) Useful life
Data is labeled "more useful" when the information is available and ready for making changes as and when
required. Data might need to be changed from time to time, and when the "change" access is available, it is
valuable data.
ii) Value of data
This is probably the most essential and standard criterion for information classification. Every organization has
some confidential and valuable information, the loss of which could lead to great losses for the organization while
creating organizational issues. Therefore, this data needs to be duly classified and protected.
iii) Personal association
It is important to classify information or data associated with particular individuals or addressed by privacy law.
iv) Age
The value of information often declines with time. Therefore, if the given data or information comes under such a
category, the data classification gets lowered.

(b) State the features of the following IDS : (i) Network based IDS (ii) Host based IDS (iii) Honey pots
Ans.A Network-based Intrusion Detection System (NIDS) is a security solution that monitors and analyzes network
traffic to detect malicious activities or policy violations. It operates at the network layer and captures network packets,
inspecting their contents for signs of intrusions, such as unusual traffic patterns, known attack signatures, or anomalous
behaviors. NIDS is typically deployed at critical points in a network, like at the perimeter or within subnets, to provide a
comprehensive view of network activity.
Features of Network-based IDS (NIDS)
1. Network Traffic Monitoring and Analysis:
a. NIDS continuously monitors network traffic in real-time and captures data packets for analysis.
b. It inspects various network protocols (e.g., TCP, UDP, ICMP) and payload data to identify suspicious
activities or patterns.
c. Monitoring can be done passively (no interference with network traffic) or actively (interacting with
traffic flow).
2. Signature-based Detection:
a. NIDS uses predefined attack signatures or patterns to detect known threats, similar to how antivirus
software detects malware.
b. When a packet or series of packets matches a signature, the NIDS triggers an alert.
c. Signature-based detection is effective for known attacks but may not detect new or unknown threats.
3. Anomaly-based Detection:
a. NIDS uses a baseline of normal network behavior and identifies deviations from this baseline as
potential threats.
b. It can detect new or unknown attacks by flagging unusual traffic patterns, excessive bandwidth usage,
or unauthorized protocol use.
c. Anomaly-based detection is more adaptable but may produce more false positives compared to
signature-based systems.
4. Protocol Analysis and Packet Decoding:
a. NIDS can analyze specific network protocols, such as HTTP, FTP, DNS, and SMTP, and ensure that
they adhere to expected standards.
b. It decodes packets to understand the structure and identify any protocol anomalies that may indicate an
attack or misconfiguration.
5. Real-time Alerts and Notifications:
a. NIDS generates real-time alerts and notifications when a suspicious activity or security incident is
detected.
b. Alerts can be sent via email, syslog, or integration with Security Information and Event Management
(SIEM) systems for centralized logging and analysis.
6. Network Forensics and Logging:
a. NIDS captures and logs detailed information about network activities, including packet headers,
payload data, and timestamps.
b. These logs can be used for forensic analysis, allowing security analysts to investigate security incidents
and reconstruct attack scenarios.
7. Integration with Other Security Systems:
a. NIDS can integrate with other security tools, such as firewalls, routers, and SIEM systems, to create a
unified security architecture.
b. Integration allows automated responses, such as blocking IP addresses or adjusting firewall rules in
response to detected threats.
8. Scalability and Placement:
a. NIDS can be deployed at various points within a network, such as at the network perimeter, within
subnets, or near critical servers, depending on the network architecture and security needs.
b. It can scale to monitor large, complex networks with high-speed traffic by using distributed or cluster-based
NIDS solutions.
9. Detecting Multi-stage Attacks:
a. Advanced NIDS solutions can correlate multiple suspicious events over time to identify multi-stage
attacks or complex intrusion techniques, such as Advanced Persistent Threats (APTs).
b. This feature helps identify sophisticated attacks that might not be detectable by single-packet
inspection.
10. Encrypted Traffic Analysis:
a. While NIDS typically analyzes unencrypted traffic, some systems have capabilities to handle encrypted
traffic using techniques such as SSL/TLS decryption, deep packet inspection, or integration with
decrypting proxies.
b. This feature is critical for identifying threats hidden within encrypted traffic, which is increasingly
common in modern networks.
11. Zero-day Threat Detection:
a. NIDS can utilize heuristic analysis, machine learning, or behavior analysis to detect previously
unknown threats or zero-day attacks.
b. These techniques analyze patterns and behaviors to identify potential threats that do not match any
known signature.
12. Policy Violation Detection:
a. NIDS can detect policy violations, such as the use of forbidden applications, unauthorized access
attempts, or the transmission of sensitive data over the network.
b. It helps enforce organizational security policies and compliance requirements.
13. Bandwidth and Network Usage Analysis:
a. NIDS provides insights into network bandwidth usage and can identify issues like network congestion,
abnormal traffic spikes, or potential Denial-of-Service (DoS) attacks.
b. This analysis helps network administrators maintain optimal network performance and security.
14. Bypass-resistant Features:
a. Some NIDS are designed to resist evasion techniques used by attackers, such as packet fragmentation,
traffic obfuscation, or IP spoofing.
b. They use advanced detection mechanisms to identify and analyze fragmented or reassembled packets
accurately.

Host Intrusion Detection System (HIDS):

Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the
incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity
is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical
system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can
be seen on mission critical machines, which are not expected to change their layout.

Components of an IDS:
 Traffic collector:
This component collects activity or events for the IDS to examine. On a Host-based IDS, this can be log files, audit
logs, or traffic coming to or leaving a specific system.
 Analysis Engine:
This component examines the collected network traffic and compares it to known patterns of suspicious or malicious
activity stored in the signature database. The analysis engine acts like the brain of the IDS.
 Signature database:
It is a collection of patterns and definitions of known suspicious or malicious activity.
 User Interface & Reporting:
This is the component that interfaces with the human element, providing alerts and giving the user a means to interact
with and operate the IDS.
Features of Host-based IDS (HIDS)
1. File Integrity Monitoring (FIM):
a. HIDS tracks changes to critical files and directories, such as system binaries, configuration files, and
registry keys.
b. It detects unauthorized modifications, deletions, or additions to these files, which may indicate a
security breach, malware infection, or policy violation.
c. This feature is crucial for identifying rootkit installations, configuration changes, and tampering with
critical system files.
2. System Log Analysis:
a. HIDS continuously monitors and analyzes log files generated by the operating system and applications,
such as event logs, syslogs, and application-specific logs.
b. It detects abnormal log entries, unauthorized login attempts, suspicious process activity, or
configuration changes that could signal an intrusion.
3. Process and Application Monitoring:
a. HIDS keeps track of running processes, application behavior, and system calls to identify suspicious or
unauthorized activities.
b. It can detect the execution of unauthorized programs, privilege escalation attempts, and malware
activity.
4. User Activity Monitoring:
a. HIDS monitors user behavior and actions, such as login attempts, file access patterns, and command
execution.
b. It can detect unauthorized access, privilege misuse, or abnormal user activities, which are indicative of
insider threats or account compromise.
5. Kernel and System Call Monitoring:
a. HIDS can inspect system-level activities, including kernel calls and system functions.
b. It provides deep visibility into operating system behavior to identify sophisticated threats, such as
kernel-level rootkits or privilege escalation exploits.
6. Policy Compliance Enforcement:
a. HIDS helps enforce security policies and compliance requirements by monitoring configurations and
system states.
b. It ensures that the host adheres to predefined security policies, such as permitted applications, user
permissions, and system configurations.
7. Rootkit and Malware Detection:
a. HIDS can detect rootkits and other forms of malware by analyzing hidden processes, files, or registry
keys that are not visible to traditional security tools.
b. It uses techniques like memory analysis, behavior analysis, and file integrity monitoring to identify and
remove stealthy threats.
8. Alerting and Reporting:
a. HIDS generates alerts and notifications for suspicious activities or security incidents.
b. Alerts can be integrated with other security solutions, such as Security Information and Event
Management (SIEM) systems, for centralized monitoring and correlation.
9. Behavioral Analysis and Anomaly Detection:
a. HIDS uses baselines of normal host behavior and identifies deviations that
Honey Pots
A relatively recent innovation in intrusion detection technology is the honey pot. Honey pots are decoy systems that
are designed to lure a potential attacker away from critical systems. Honey pots are designed to:
 divert an attacker from accessing critical systems
 collect information about the attacker's activity
It encourages the attacker to stay on the system long enough for administrators to respond. These systems are filled
with fabricated information designed to appear valuable but that a legitimate user of the system wouldn't access. Thus,
any access to the honey pot is suspect.

Features of Honeypots
1. Deception and Luring:
a. Honeypots are designed to appear as legitimate systems or devices, enticing attackers to interact with
them.
b. They often emulate real services, open ports, or network configurations to attract malicious actors.
2. Attack Detection:
a. Honeypots can detect and log various types of attacks, including reconnaissance, exploitation attempts,
and malware infections.
b. Since honeypots have no legitimate user activity, any interaction is likely to be suspicious, allowing for
precise detection of unauthorized access attempts.
3. Data Collection and Analysis:
a. Honeypots record detailed information about an attack, such as the attacker's IP address, tools used,
command inputs, and payloads.
b. This data can be analyzed to understand attacker behavior, techniques, and intentions.
4. Classification of Attacks:
a. Honeypots can help classify different types of attacks, such as Denial-of-Service (DoS), port scanning,
brute force attempts, and zero-day exploits.
b. They provide visibility into the types and frequency of attacks targeting an organization.
5. Decoy Services and Systems:
a. Honeypots can simulate various types of services and systems, such as web servers, databases, and
email servers, to observe how attackers interact with them.
b. They may also emulate vulnerabilities commonly exploited in real systems to attract attackers.
6. Early Warning System:
a. Honeypots act as an early warning system by detecting attacks that may not be visible to traditional
security mechanisms like firewalls or Intrusion Detection Systems (IDS).
b. By identifying malicious activities early, honeypots can help organizations mitigate potential risks
before they reach critical systems.
7. Minimal False Positives:
a. Since honeypots are designed to have no legitimate traffic or activity, any interaction with the honeypot
is almost always an indication of malicious intent.
b. This significantly reduces false positives compared to other security tools that monitor legitimate
network traffic.
8. Isolation and Containment:
a. Honeypots are isolated from production systems, ensuring that any attack or malicious activity within
the honeypot does not affect actual network resources.
b. They can be used to safely observe and contain malware or attack behavior without risking harm to real
systems.
9. Research and Intelligence Gathering:
a. Honeypots are valuable tools for gathering intelligence on emerging threats and new attack techniques.
b. Security researchers use honeypots to study malware, hacker behavior, and attack strategies, improving
overall knowledge of cybersecurity threats.
10. Decoy Network (Honeynet):
a. Honeypots can be deployed in a network of multiple interconnected honeypots, known as a honeynet,
to simulate an entire network environment.
b. Honeynets provide a broader perspective on how attackers navigate through network resources, making
them ideal for tracking lateral movements.
11. Types of Honeypots:
a. Low-interaction Honeypots: These simulate only a few aspects of a real system and provide limited
interaction. They are easier to deploy and less risky, but they can only collect basic information about
the attacker.
b. High-interaction Honeypots: These simulate entire systems with complete services, offering deeper
interaction. They provide more detailed information about attacker behavior but are more complex and
riskier to manage.
12. Countermeasure Analysis:
a. Honeypots can be used to test the effectiveness of security countermeasures, such as intrusion
prevention systems or firewall rules.
b. They allow security teams to observe whether attackers bypass these defenses and how they adapt to
them.
13. Post-Attack Analysis:
a. Honeypots enable detailed post-attack analysis by providing complete logs of the attack process,
command sequences, and changes made to the honeypot.
b. This helps in forensic investigations and understanding how an attack unfolded.

(c) Explain step-by-step procedure of Kerberos with diagrams.


Ans. Kerberos: Kerberos is a network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography. It is a solution to network security problems. It provides
tools for authentication and strong cryptography over the network to help you secure your information system. There
are 4 parties involved in the Kerberos protocol:
i) User
ii) Authentication service (AS)
iii) Ticket granting server (TGS)
iv) Service server
Working of Kerberos:
1. The authentication service, or AS, receives the request from the client and verifies that the client is indeed the
computer it claims to be. This is usually just a simple database lookup of the user's ID.

2. Upon verification, a timestamp is created. This puts the current time in a user session, along with an expiration
date. The default expiration date of a timestamp is 8 hours. The encryption key is then created. The timestamp ensures
that when 8 hours is up, the encryption key is useless.

3. The key is sent back to the client in the form of a ticket-granting ticket, or TGT. This is a simple ticket that is
issued by the authentication service. It is used for authenticating the client for future reference.

4. The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated.

5. The TGS creates an encrypted key with a timestamp, and grants the client a service ticket.

6. The client decrypts the ticket, tells the TGS it has done so, and then sends its own encrypted key to the service.

7. The service decrypts the key, and makes sure the timestamp is still valid. If it is, the service contacts the key
distribution center to receive a session that is returned to the client.

8. The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.
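As an added illustration of steps 1 to 8 above (not part of the original answer), the Python below simulates the AS, TGS and service exchanges, including the 8-hour ticket lifetime and the timestamp checks that reject expired tickets and stale authenticators. It assumes a toy SHA-256 keystream plus HMAC in place of DES/AES, and the principal names, keys and the 5-minute clock-skew limit are constructed for the example.

```python
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # the 8-hour default ticket lifetime the answer mentions
CLOCK_SKEW = 5 * 60   # authenticators older than this are rejected (assumed limit)

# Constructed long-term keys: the KDC (AS + TGS) shares one with every principal.
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}
TGS_KEY = os.urandom(32)
SERVICE_KEYS = {"fileserver": os.urandom(32)}

def _stream(key, nonce, data):
    """SHA-256 counter-mode keystream: a toy stand-in for DES/AES, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, payload):
    """Encrypt-then-MAC a JSON payload so only a holder of `key` can read or forge it."""
    nonce = os.urandom(12)
    ct = _stream(key, nonce, json.dumps(payload).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(_stream(key, nonce, ct))

def _ticket(key, user, session, now):
    """A ticket binds a user to a session key and an expiry, sealed for its verifier."""
    return seal(key, {"user": user, "key": session.hex(), "expires": now + LIFETIME})

def _check(ticket, auth, now):
    """Reject expired tickets, stale authenticators and user/ticket mismatches."""
    if now > ticket["expires"] or abs(now - auth["ts"]) > CLOCK_SKEW or auth["user"] != ticket["user"]:
        raise PermissionError("ticket expired or authenticator stale/mismatched")

def as_exchange(user, now):
    """Steps 1-3: the AS looks the user up and returns a TGT plus a TGS session key."""
    session = os.urandom(32)
    tgt = _ticket(TGS_KEY, user, session, now)
    return seal(USER_KEYS[user], {"key": session.hex(), "tgt": tgt.hex()})

def tgs_exchange(tgt_blob, authenticator, service, now):
    """Steps 4-5: the TGS opens the TGT with its own key and issues a service ticket."""
    tgt = unseal(TGS_KEY, tgt_blob)
    tgs_session = bytes.fromhex(tgt["key"])
    auth = unseal(tgs_session, authenticator)  # proves the client holds the TGS session key
    _check(tgt, auth, now)
    svc_session = os.urandom(32)
    ticket = _ticket(SERVICE_KEYS[service], tgt["user"], svc_session, now)
    return seal(tgs_session, {"key": svc_session.hex(), "ticket": ticket.hex()})

def service_verify(service, ticket_blob, authenticator, now):
    """Steps 7-8: the service opens the ticket with its key and checks the timestamp."""
    ticket = unseal(SERVICE_KEYS[service], ticket_blob)
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    _check(ticket, auth, now)
    return ticket["user"]

def client_login(user, service, now):
    """The client side of steps 1-8; returns the user name the service accepted."""
    rep = unseal(USER_KEYS[user], as_exchange(user, now))  # only the real user can open this
    tgs_session, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    authenticator = seal(tgs_session, {"user": user, "ts": now})
    rep = unseal(tgs_session, tgs_exchange(tgt, authenticator, service, now))
    svc_session, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    return service_verify(service, ticket, seal(svc_session, {"user": user, "ts": now}), now)

if __name__ == "__main__":
    print(client_login("alice", "fileserver", int(time.time())))  # alice
```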

6. Attempt any TWO of the following : 12


(a) Explain the following attacks using an example :
(i) Sniffing
(ii) Spoofing
(iii) Phishing
Ans. Sniffing attack:
This is software or hardware that is used to observe traffic as it passes through a network on shared broadcast media.
It can be used to view all traffic or to target a specific protocol, service, or string of characters like logins. Some
network sniffers are designed not just to observe all the traffic but also to modify it. Network administrators use
sniffers for monitoring traffic. They can also be used for network bandwidth analysis and to troubleshoot certain
problems such as duplicate MAC addresses.
Example: Suppose a user is accessing their email account through an unsecured Wi-Fi network in a coffee shop. An
attacker using a packet-sniffing tool like Wireshark can intercept and view the packets transmitted between the user's
device and the email server. If the communication is not encrypted (e.g., using HTTP instead of HTTPS), the attacker can
easily read the user's email credentials and gain unauthorized access to the account.
Spoofing: Spoofing is an attack in which an attacker impersonates another device, user, or entity on a network to deceive
other systems or users. Common types of spoofing include IP spoofing, email spoofing, and DNS spoofing.
How It Works: The attacker sends malicious data packets or messages that appear to originate from a trusted source. This
can be done by modifying the packet headers or altering other identifying information.
Example: In an IP spoofing attack, the attacker modifies the source IP address of a packet to make it appear as though it is
coming from a legitimate user or system. For instance, an attacker could send a fake request to a server with the IP address
of a trusted host. If the server trusts that IP address, it may process the request, potentially granting the attacker access to
sensitive data or services. Another example is email spoofing, where an attacker sends an email that appears to come from
a trusted source (e.g., a known colleague) to trick the recipient into revealing confidential information or clicking on a
malicious link.
Phishing: Phishing is a social engineering attack where an attacker disguises themselves as a legitimate entity to deceive
individuals into disclosing sensitive information such as login credentials, credit card details, or personal identification
numbers (PINs).
How It Works: Phishing attacks typically involve sending fraudulent emails or creating fake websites that look identical
to legitimate ones. The emails or sites trick the user into entering their personal information, which is then collected by the
attacker.
Example: A common phishing scenario is when a user receives an email that appears to be from their bank, informing
them of suspicious activity on their account. The email contains a link that directs the user to a fake bank login page.
When the user enters their username and password on this page, the information is captured by the attacker. This enables
the attacker to gain access to the user's bank account and potentially steal money or personal data.
(b) Describe ITIL framework with different stages of life cycle.
Ans.

(c) State and explain 3 types of firewall configurations with a neat diagram.
Ans.
