TM256
Cyber Security
Mock Examination (MTA)
With Answer Key
Number of Exam Pages: (including this cover sheet)
Time Allowed: 2 Hours
Instructions:
• Total Marks: 30
• This exam consists of 3 parts.
• ALL questions must be answered in the External Answer booklet.
• Be sure you write your name and ID on the External Answer booklet.
• Calculators are not allowed.
Code / MTA Page 1 of 5 2023/2024 Fall
PART 1: True or False questions [8 Marks]
Question 1: answer True or False to the following statements:
1. An advertising email sent to a company's customers in which the "From:" line
shows the email address of every customer. This is a breach of Availability. F
2. A bug in an online shopping service results in customers being able to access
other people’s accounts and make orders using their payment cards. This is a
breach of confidentiality and integrity. T
3. A critical asset is an asset without which an individual or organisation cannot
function. For instance, a bank’s customer account database is a critical asset
to that bank; the loss of, damage to, or inability to access the database would
prevent the bank from functioning. T
4. An unhappy worker makes copies of confidential medical records with the
intention of selling them to a newspaper. This could be considered as insider
human threat. T
5. Hundreds of businesses receive emails claiming to come from international
courier companies. The emails contain links to online forms where import duties
can supposedly be paid on parcels entering the country. A number of these
organizations follow the link and are defrauded by criminals. This scenario is
considered as Targeted attack. F
6. Two-Factor Authentication can be used to strengthen password security
against brute-force attacks and dictionary attacks. T
7. A multi-server operating system places all the components within a single trust
boundary. This trust boundary ensures that the user is authenticated and
authorized to access the entire system. F
8. Server hardening is the process of securing a server’s configuration and
settings to reduce IT vulnerability. T
PART 2: Short Questions [10 Marks]
Question 2: Email addresses are the most used form of computer identity; they are
familiar and relatively simple to remember. Users can reuse them on many different
systems. Briefly discuss the downsides of an email address as an identity. [3 Marks]
Any three points of the following:
• User losing access to that identity if they lose access to that email address
(such as by changing job or their email provider closing down).
• Reusing an identity across several systems potentially makes that identity
vulnerable in multiple systems.
• Losing control of the identity if an attacker compromises the email account
• Email addresses are effectively public, making that identity also public.
Question 3: A vulnerability is a weakness in an asset or in the security of a system that
a threat can exploit in an attack. Based on your understanding, provide a
comparison between the technological vulnerability and the organizational
vulnerability. [4 Marks]
• A technological vulnerability includes weaknesses in the design,
implementation, and configuration of technical components such as hardware
or software: for example, network ports on an organization’s internet-facing
firewall that are open unnecessarily, weak access controls and important data
that is unencrypted.
• An organizational vulnerability includes weaknesses associated with people,
processes, and procedures: for example, no cyber security training for staff,
poor password policies and allowing personal devices to connect to a
corporate network.
Question 4: Penetration testing (a.k.a. pentesting) is widely used to test
organizational security. During a penetration test, the testers are authorized to try
to break security controls, exposing weaknesses so that the risks are better understood
and more appropriate controls can be put in place. Pentesting is divided into three
categories based on the amount of knowledge the testers have about the system they
are examining. Identify these pentesting categories with a brief description of each
one. [3 Marks]
1. Black box, the pentesters are given no information about the target system.
2. Gray box, the pentesters are given a partial view of the system.
3. White box, the pentesters are given comprehensive information about a
system.
PART 3: Problems [12 Marks]
Question 5: Social engineering relies on exploiting vulnerabilities in humans rather
than machines. Each of these two fictional social engineering scenarios uses at least
one of the social engineering principles. Identify and discuss the principles based on
the following scenarios. [4 Marks]:
1. Alice receives an email claiming to come from Mallory, who recently left for
a competitor organisation. The email tells Alice that not only is Mallory
earning much more money and now has a new car but also that there is a
similar position opening soon. Competition for the new job is going to be
very strong and the place will not be open for very long, so Mallory strongly
recommends Alice completes a personal application form linked from the
email.
It uses two principles – Liking (Alice and Mallory are friends) and Scarcity
(the position is not going to be advertised for very long). Alice should make
contact with Mallory, preferably using another form of communication such
as a phone call, to check if the message actually came from her.
2. Bob works in an organisation where availability of assets is crucial.
Following a recent security alert, a major software upgrade must be
performed that will require a brief interruption in service. Shortly before the
work is scheduled to start, Bob receives a phone call and is told by someone
claiming to be a senior company official that the work must be delayed.
This scenario uses the principle of Authority. Bob receives a phone call from
a supposed manager who has seniority over Bob. In actuality, it could well
be an attacker impersonating a manager – Bob really had better check with
his managers to see if the upgrade has been delayed.
Question 6: Mandatory Access Control (MAC) is an access control policy that is
uniformly enforced across all subjects and objects within the boundary of an
information system. Based on your understanding of MAC, answer the following
questions [5 Marks]:
a. In the context of MAC, sensitivity is a label assigned to every object and subject
outlining what restrictions are placed on it. Whenever a subject requests access
to an object, the system uses a pair of rules to compare the subject's sensitivity
to the object's. Discuss this pair of rules.
1. ‘No Read Up’ (NRU)
This rule states that a subject can read an object only if they have a
clearance greater than or equal to the object’s classification.
2. ‘No Write Down’ (NWD)
This rule states that a subject can write to an object only if they have a
clearance less than or equal to the object’s classification.
b. A computer system implements MAC using the Government Security
Classifications Policy (from least to most sensitive): OFFICIAL, SECRET and
TOP SECRET. The system contains the following three files:
1. Alice is a user who has a sensitivity of SECRET. Which files can she read?
war_plans.ppt
testing_data.xls
2. Bob has a sensitivity of OFFICIAL. Can he see SECRET data?
No, Bob cannot access SECRET files.
3. Charles can open the file ‘war_plans.ppt’. What is his sensitivity?
TOP SECRET
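A worked check of the two rules above, as an added example (not part of the exam paper): it encodes the OFFICIAL < SECRET < TOP SECRET ordering from part b and applies NRU and NWD to a file table. The exam's own file table is not reproduced on the page, so the file classifications below are constructed for illustration, chosen so that "can open war_plans.ppt" pins down a single clearance as in the Charles question; they do not reproduce the exam's answer for Alice.

```python
"""Mandatory Access Control check over a linear sensitivity lattice.

Added example; the level ordering follows the question, the file table is
a constructed assumption (the exam's table is not reproduced on the page).
"""
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels from least to most sensitive (ordering from the question)."""
    OFFICIAL = 0
    SECRET = 1
    TOP_SECRET = 2


# Constructed file table (an assumption for this example only).
FILES = {
    "canteen_menu.doc": Level.OFFICIAL,
    "testing_data.xls": Level.SECRET,
    "war_plans.ppt": Level.TOP_SECRET,
}


def can_read(clearance: Level, classification: Level) -> bool:
    """No Read Up: a subject reads an object only if clearance >= classification."""
    return clearance >= classification


def can_write(clearance: Level, classification: Level) -> bool:
    """No Write Down: a subject writes an object only if clearance <= classification."""
    return clearance <= classification


def readable_files(clearance: Level, files: dict = FILES) -> list:
    """Names of the files the subject may read, sorted for stable output."""
    return sorted(name for name, cls in files.items() if can_read(clearance, cls))


def writable_files(clearance: Level, files: dict = FILES) -> list:
    """Names of the files the subject may write (those at or above its own level)."""
    return sorted(name for name, cls in files.items() if can_write(clearance, cls))


def minimum_clearance_to_read(name: str, files: dict = FILES) -> Level:
    """Lowest clearance that satisfies NRU for `name`, i.e. the file's own label.

    This is the Charles-style question inverted: from "can open" infer the label.
    """
    return min(level for level in Level if can_read(level, files[name]))


if __name__ == "__main__":
    subjects = [("Alice", Level.SECRET), ("Bob", Level.OFFICIAL), ("Charles", Level.TOP_SECRET)]
    for who, clearance in subjects:
        print(f"{who} ({clearance.name}): reads {readable_files(clearance)}, "
              f"writes {writable_files(clearance)}")
    print("Needed to open war_plans.ppt:", minimum_clearance_to_read("war_plans.ppt").name)
```

Note the asymmetry the two rules create: a TOP SECRET subject can read everything but may write only to TOP SECRET objects, which is exactly what stops a highly cleared user (or malware running as them) from copying sensitive content into a file that OFFICIAL users can read.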
Figure 1 Transactions associated with the doctor role
Figure 2 Transactions associated with the nurse role
Question 7: Angela, Bob, and Charles are all doctors at the hospital and have been
given the role of doctor. As doctors, they can perform any of the transactions
belonging to that role, such as make diagnosis, prescribe medication, or update
records, as shown in Figure 1. Danny, Elaine, and Fred are nurses at the same
hospital. They are allocated a different role, nurse, which is linked to its own set of
transactions, such as administer medicine and update records, as shown in Figure 2.
Under Role-Based Access Control (RBAC), anyone in the hospital assigned to the role
of doctor or nurse can perform all transactions allocated to their role, but only those
transactions. Based on your understanding, answer the following questions about
RBAC [3 Marks]:
1. Is Bob capable of administering medication? Why?
2. What role does Elaine occupy, and what transactions is she authorized to
perform?
3. Which transaction can be performed by both a doctor and a nurse?
Answer:
1. No, the transaction Administer medicine is available only to people with the
role of ‘Nurse’. Bob is not a ‘Nurse’ (he is a ‘Doctor’).
2. Elaine is a ‘Nurse’; she can perform the transactions Administer medicine and
Update records.
3. Both a ‘Doctor’ and a ‘Nurse’ can perform the transaction Update records.
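The role and transaction assignments above, as an added example (not the exam's own code): a small RBAC decision function for the hospital scenario that answers the three questions programmatically and denies by default for anyone who holds no role. It goes slightly beyond the question by letting a user hold several roles, which standard RBAC permits; the data layout and function names are mine.

```python
"""Role-Based Access Control for the hospital scenario (added example)."""

# Transactions attached to each role, as listed in the question (Figures 1 and 2).
ROLE_TRANSACTIONS = {
    "doctor": {"make diagnosis", "prescribe medication", "update records"},
    "nurse": {"administer medicine", "update records"},
}

# Role assignments from the question. A user may hold several roles here;
# each of the exam's users holds exactly one.
USER_ROLES = {
    "Angela": {"doctor"}, "Bob": {"doctor"}, "Charles": {"doctor"},
    "Danny": {"nurse"}, "Elaine": {"nurse"}, "Fred": {"nurse"},
}


def roles_of(user: str) -> set:
    """Roles assigned to `user`; an unknown user holds no role (deny by default)."""
    return set(USER_ROLES.get(user, ()))


def permitted_transactions(user: str) -> set:
    """All transactions carried by the user's roles, and only those."""
    allowed = set()
    for role in roles_of(user):
        allowed |= ROLE_TRANSACTIONS.get(role, set())
    return allowed


def can_perform(user: str, transaction: str) -> bool:
    """The access decision: permitted iff some role of the user carries the transaction."""
    return transaction in permitted_transactions(user)


def shared_transactions(*roles: str) -> set:
    """Transactions that every one of the given roles can perform (intersection)."""
    if not roles:
        return set()
    common = set(ROLE_TRANSACTIONS.get(roles[0], set()))
    for role in roles[1:]:
        common &= ROLE_TRANSACTIONS.get(role, set())
    return common


if __name__ == "__main__":
    print("Bob administers medicine?", can_perform("Bob", "administer medicine"))
    print("Elaine:", roles_of("Elaine"), permitted_transactions("Elaine"))
    print("Shared by doctor and nurse:", shared_transactions("doctor", "nurse"))
    print("Unknown user 'Mallory' updates records?", can_perform("Mallory", "update records"))
```

The decision is made against the role, never the individual, so changing what doctors may do is one edit to `ROLE_TRANSACTIONS` rather than one per doctor; and because `roles_of` returns an empty set for anyone not in `USER_ROLES`, a typo in a username fails closed rather than open.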
End of questions