10 Marks

1. For each of the following assets, assign a low, moderate, or high

impact level for the loss of confidentiality, availability, and integrity,
respectively. Justify your answers.

a. A student maintaining a blog to post public information.

Answer:

●​ Confidentiality: Low – The blog posts are public, and there is no confidential data at
risk.​

●​ Availability: Moderate – If the blog goes down, students may be temporarily unable
to access posted information, which could be inconvenient.​

●​ Integrity: Low – Since the information is publicly available, any minor errors would
not significantly affect the integrity.​

b. An examination section of a university that is managing sensitive information about

exam papers.

Answer:

●​ Confidentiality: High – Exam papers are sensitive, and any breach would have
severe consequences for fairness.​

●​ Availability: High – If exam papers are unavailable or delayed, it would disrupt the
entire examination process.​

●​ Integrity: High – Integrity is crucial to prevent tampering or leaking of exam content.​

c. An information system in a pathological laboratory maintaining the patient’s data.

Answer:

●​ Confidentiality: High – Patient data is highly sensitive and should be protected

under laws like HIPAA.​

●​ Availability: High – Loss of access to patient data could result in medical errors or
delays in treatment.​

●​ Integrity: High – Incorrect or altered data could lead to dangerous medical decisions.​
d. A student information system used for maintaining student data in a university that
contains both personal, academic information and routine administrative information
(not privacy related).

Answer (Personal, Academic Information):

●​ Confidentiality: High – Personal and academic data is sensitive, and unauthorized

access would be a serious violation.​

●​ Availability: Moderate – If the system is down, students may have trouble accessing
their grades or personal records.​

●​ Integrity: High – Any alteration of grades or personal information would be a major

concern.​

Answer (Routine Administrative Information):

●​ Confidentiality: Low – Administrative information is not sensitive, and unauthorized

access wouldn't have serious consequences.​

●​ Availability: Moderate – Disruptions could inconvenience staff but wouldn’t have

major consequences.​

●​ Integrity: Low – Errors or tampering would not significantly affect university

operations.​

e. A University library contains a library management system which controls the

distribution of books amongst the students of various departments. The library
management system contains both the student data and the book data.

Answer (Student Data):

●​ Confidentiality: Moderate – Student data is sensitive to some extent, but it’s not as
critical as academic or personal data.​

●​ Availability: Moderate – If the system goes down, students may not be able to
borrow books, which is an inconvenience.​

●​ Integrity: Moderate – Incorrect data would lead to errors in borrowing records.​

Answer (Book Data):

●​ Confidentiality: Low – Book data is not highly sensitive.​

 ●​ Availability: Moderate – Inability to access the book data could disrupt operations,
but it’s not catastrophic.​

●​ Integrity: Moderate – Errors in the book data could lead to mismanagement, but not
severe consequences.​

2. Consider a company whose operations are housed in two buildings

on the same property; one building is headquarters, the other building
contains network and computer services. The property is physically
protected by a fence around the perimeter, and the only entrance to the
property is through this fenced perimeter. In addition to the perimeter
fence, physical security consists of a guarded front gate. The local
networks are split between the Headquarters’ LAN and the Network
Services’ LAN. Internet users connect to the Web server through a
firewall. Dial-up users get access to a particular server on the Network
Services’ LAN. Develop an attack tree in which the root node represents
disclosure of proprietary secrets. Include physical, social engineering,
and technical attacks. The tree may contain both AND and OR nodes.
The tree should have at least 15 leaf nodes.

Answer:​
Root Node: Disclosure of Proprietary Secrets

●​ Physical Attacks:​

○​ OR Node:​

■​ Break into headquarters building​

■​ Cut through fence​

■​ Tailgate through gate​

■​ Break into network services building​

■​ Cut through fence​

■​ Tailgate through gate​

●​ Social Engineering Attacks:​

○​ OR Node:​
 ■​ Impersonate employee to gain physical access​

■​ Use phishing to gain access credentials​

■​ Perform phone spoofing to trick employees into revealing information​

●​ Technical Attacks:​

○​ AND Node:​

■​ Exploit vulnerability in network perimeter firewall​

■​ Exploit weak access control mechanisms on LANs​

■​ Launch a man-in-the-middle attack through dial-up server​

○​ OR Node:​

■​ Intercept unencrypted data on LAN​

■​ Use malware to gain access to network services​

■​ Exploit remote desktop protocol vulnerabilities​

■​ Use social engineering to gain login credentials​

This tree includes 15 leaf nodes, where physical, social engineering, and technical attacks
all converge to lead to the disclosure of proprietary secrets.

3. Consider a very high-assurance system developed for the military. The

system has a set of specifications, and both the design and
implementation have been proven to satisfy the specifications. What
questions should school administrators ask when deciding whether to
purchase such a system for their school’s use?

Answer:

1.​ Does the system meet the specific needs of our school? – The system may be
over-engineered for the school’s requirements.​

2.​ Is the system compatible with our existing infrastructure? – The system may
require significant changes or upgrades to current systems.​
 3.​ What are the ongoing maintenance costs? – High-assurance systems are often
more expensive to maintain.​

4.​ What are the implications of security protocols? – Military systems might have
more stringent security measures that are not necessary in an academic setting.​

5.​ Is the system user-friendly for staff and students? – High-assurance systems
might have complex interfaces or additional restrictions.​

6.​ What kind of training is required for our staff? – Special training may be needed
to effectively use the system.​

7.​ What are the licensing and legal implications of using a military-grade system?
– There could be legal or export restrictions on such systems.​

4. Is it possible to design and implement a system in which no

assumptions about trust are made? Why or why not?

Answer:​
No, it is not possible to design a system with no assumptions about trust. Even systems that
claim to be trustless, such as blockchain, rely on assumptions about the trustworthiness of
the network or the protocol. Trust assumptions are inherent in any system, whether through
physical security, algorithm design, or protocol implementation. Therefore, while trust can be
minimized or decentralized, it cannot be entirely eliminated.

5. Policy restricts the use of electronic mail on a particular system to

faculty and staff. Students cannot send or receive electronic mail on that
host. Classify the following mechanisms as secure, precise, or broad.

a. The electronic mail sending and receiving programs are disabled.

Answer: Broad – Disabling both sending and receiving email for everyone is a broad
mechanism that prevents all email traffic, even from those who are authorized.

b. As each letter is sent or received, the system looks up the sender (or recipient) in a
database. If that party is listed as faculty or staff, the mail is processed. Otherwise, it
is rejected. (Assume that the database entries are correct.)

Answer: Secure – This mechanism is secure because it restricts email based on a lookup in
a database, ensuring that only authorized users can send or receive mail.

c. The electronic mail sending programs ask the user if he or she is a student. If so,
the mail is refused. The electronic mail receiving programs are disabled.
Answer: Precise – This is a precise method because it only involves denying service based
on user identity, which is a targeted approach.

6. Computer viruses are programs that, among other actions, can delete
files without a user’s permission. A U.S. legislator wrote a law banning
the deletion of any files from computer disks. What was the problem
with this law from a computer security point of view? Specifically, state
which security service would have been affected if the law had been
passed.

Answer:​
The issue with this law is that it would interfere with the integrity of the system. Integrity
requires the ability to remove, modify, or overwrite files to ensure accurate and correct data.
By banning the deletion of files, the law would prevent legitimate actions like removing
outdated or corrupted files, which could compromise system health.

7. The president of a large software development company has become

concerned about competitors learning proprietary information. He is
determined to stop them. Part of his security mechanism is to require all
employees to report any contact with employees of the company’s
competitors, even if it is purely social. Do you believe this will have the
desired effect? Why or why not?

Answer:​
While the intent is to protect proprietary information, this policy is unlikely to be effective.
Employees may not always report every contact, and it’s difficult to prevent casual or social
interactions from turning into opportunities to divulge sensitive information unintentionally. A
more effective approach would be stronger data access controls and employee training on
recognizing and preventing information leaks.

8. An organization makes each lead system administrator responsible

for the security of the system he or she runs. However, the management
determines what programs are to be on the system and how they are to
be configured.

a. Describe the security problem(s) that this division of power would create.

Answer:​
This division of power creates a conflict of interest and a lack of flexibility. The system
administrator is responsible for securing the system but has no control over what software or
configuration is allowed. This can lead to vulnerabilities due to poor or outdated software
chosen by management or inadequate configuration settings that may compromise the
system’s security.

b. How would you fix them?

Answer:​
To fix this issue, the system administrator should have more involvement in the
decision-making process regarding the software and configuration of systems.
Administrators should work closely with management to choose secure software and
configurations, allowing them to better enforce security policies. Additionally, implementing
regular security reviews and audits would help identify and address potential issues.

9. Users often bring in programs or download programs from the

Internet. Give an example of a site for which the benefits of allowing
users to do this outweigh the dangers. Then give an example of a site for
which the dangers of allowing users to do this outweigh the benefits.

Answer: Example where benefits outweigh dangers:

●​ Open-source software repository (e.g., GitHub) – Users can download and

contribute to secure and beneficial open-source projects. The risk of malicious
software is low when proper vetting processes are in place.​

Example where dangers outweigh benefits:

●​ Untrusted file-sharing sites (e.g., random torrent sites) – Allowing users to

download from such sites exposes the system to a high risk of malware,
ransomware, and other malicious programs, outweighing any potential benefits.​

10. Identify mechanisms for implementing the following. State what

policy or policies they might be enforcing.

a. A password-changing program will reject passwords that are less than five
characters long or that are found in the dictionary.

Answer:​
Mechanism: Password strength validation.​
Policy Enforced: Password complexity policy, which aims to ensure that passwords are
long and difficult to guess.

b. Only students in a computer science class will be given accounts on the

department’s computer system.
Answer:​
Mechanism: Access control based on user role or course enrollment database.​
Policy Enforced: User enrollment policy, restricting access to systems based on academic
roles.

c. The login program will disallow logins of any students who enter their passwords
incorrectly three times.

Answer:​
Mechanism: Account lockout policy with a retry limit.​
Policy Enforced: Brute-force attack prevention policy, which aims to limit login attempts to
prevent unauthorized access.

d. The permissions of the file containing Carol’s homework will prevent Robert from
cheating and copying it.

Answer:​
Mechanism: File permissions, using access control lists (ACLs) or role-based access
control (RBAC).​
Policy Enforced: Data access policy, ensuring that only authorized users can access
certain files.

e. When World Wide Web traffic climbs to more than 80% of the network’s capacity,
systems will disallow any further communications to or from Web servers.

Answer:​
Mechanism: Traffic shaping or rate-limiting.​
Policy Enforced: Network congestion control policy, which prioritizes critical network traffic
over non-essential web traffic.

f. Annie, a systems analyst, will be able to detect a student using a program to scan
her system for vulnerabilities.

Answer:​
Mechanism: Intrusion detection system (IDS) or system monitoring tools.​
Policy Enforced: Monitoring and auditing policy, designed to detect unauthorized security
scanning or potential attacks.

g. A program used to submit homework will turn itself off just after the due date.

Answer:​
Mechanism: Timer-based system or scheduled process shutdown.​
Policy Enforced: Assignment deadline enforcement policy, ensuring no submissions after
the due date.

11. In AES, the size of the block is the same as the size of the round key
(128 bits); in DES, the size of the block is 64 bits, but the size of the
round key is only 48 bits. What are the advantages and disadvantages of
AES over DES with respect to this difference?

Answer:​
Advantages of AES:

●​ Stronger Security: AES uses a block size of 128 bits, which makes it harder to
break through brute-force attacks compared to DES’s 64-bit block size.​

●​ Larger Key Sizes: AES supports key sizes of 128, 192, and 256 bits, which provides
stronger encryption and better security against attacks like brute force.​

Disadvantages of AES:

●​ Increased Computational Overhead: AES’s 128-bit block size and larger key sizes
may result in slightly higher computational overhead, especially on hardware with
limited processing power compared to DES.​

Advantages of DES:

●​ Faster Computation: Since DES uses smaller blocks (64 bits) and smaller key sizes
(48 bits), it requires fewer resources for encryption and decryption.​

Disadvantages of DES:

●​ Weaker Security: DES is vulnerable to brute-force attacks due to its smaller key size
(56 bits) and block size, and is no longer considered secure for most applications.​

12. Alice uses Bob’s RSA public key (e = 7, n = 143) to send the plaintext
P = 8 encrypted as ciphertext C = 57. Show how Eve can use the
chosen-ciphertext attack if she has access to Bob’s computer to find the
plaintext.

Answer:​
To use the chosen-ciphertext attack, Eve can modify the ciphertext C. Suppose she knows
that the encryption works as follows:

●​ The ciphertext C is given by:​

C=Pemod nC = P^e \mod n​
57=87mod 14357 = 8^7 \mod 143​
Eve can modify the ciphertext and send it to Bob, observing the decrypted output. By
choosing specific ciphertexts and manipulating them, she could potentially deduce the
decryption key or the plaintext, especially if Bob’s RSA implementation is vulnerable to
chosen-ciphertext attacks (i.e., not properly verifying ciphertexts before decryption).

13. In the Diffie-Hellman protocol, g = 7, p = 23, x = 3, and y = 5.

a) What is the value of the symmetric key?​

b) What is the value of R1 and R2?

Answer: a) The symmetric key is calculated as:

●​ Alice computes:​
R1=gxmod p=73mod 23=343mod 23=343−(15×23)=343−345=21R1 = g^x \mod p =
7^3 \mod 23 = 343 \mod 23 = 343 - (15 \times 23) = 343 - 345 = 21​

●​ Bob computes:​
R2=gymod p=75mod 23=16807mod 23=16807−(730×23)=16807−16790=17R2 =
g^y \mod p = 7^5 \mod 23 = 16807 \mod 23 = 16807 - (730 \times 23) = 16807 -
16790 = 17​

The symmetric key is then calculated by exchanging values of R1 and R2, and both Alice
and Bob compute the same shared key:

●​ Symmetric key = R1^y mod p = 21^5 mod 23 = 17​

●​ Symmetric key = R2^x mod p = 17^3 mod 23 = 17​

b) R1 = 21, R2 = 17.

14. In the Diffie-Hellman protocol, what happens if x and y have the same
value, that is, Alice and Bob have accidentally chosen the same
number? Are R1 and R2 the same? Do the session keys calculated by
Alice and Bob have the same value? Use an example to prove your
claims.

Answer: If Alice and Bob have the same secret number, the protocol would still work, and
R1 and R2 would be equal. In this case, since both use the same exponentiation, the
session key will also be the same.

For example, if x = y = 3:
 ●​ Alice computes:​
R1=73mod 23=343mod 23=21R1 = 7^3 \mod 23 = 343 \mod 23 = 21​

●​ Bob computes:​
R2=73mod 23=343mod 23=21R2 = 7^3 \mod 23 = 343 \mod 23 = 21​

Since R1 = R2, the session key will also be the same for both Alice and Bob:

●​ Session Key = R1^y mod p = 21^3 mod 23 = 17​

●​ Session Key = R2^x mod p = 21^3 mod 23 = 17​

Thus, even if x and y are the same, the protocol still results in a shared session key.

15. Discuss how message authentication codes (MACs) and digital

signatures contribute to integrity and authenticity. Compare their
working mechanisms with appropriate diagrams.

Answer:​
Message Authentication Codes (MACs):

●​ MACs are used to verify the integrity and authenticity of a message. A MAC is
generated by applying a secret key to a message, and the receiver verifies the MAC
using the same secret key.​

●​ Integrity: Any modification of the message will result in a different MAC, ensuring
integrity.​

●​ Authenticity: Since only the sender and receiver know the secret key, a valid MAC
confirms the message’s authenticity.​

Digital Signatures:

●​ Digital signatures use a private key to sign a message, and the receiver can verify
the signature using the sender’s public key.​

●​ Integrity: The signature ensures that the message has not been altered since it was
signed.​

●​ Authenticity: Only the holder of the private key could have created the signature,
confirming the message’s authenticity.​
16. A message M = "HELLO" is given. Convert this message into its
ASCII representation, and then compute its MD5 hash (simplified steps).
Explain how the hash function ensures integrity.

Answer:

Step 1: Convert the message "HELLO" into ASCII representation.

●​ 'H' = 72​

●​ 'E' = 69​

●​ 'L' = 76​

●​ 'L' = 76​

●​ 'O' = 79​

The ASCII representation of "HELLO" is:

"HELLO"=[72,69,76,76,79]\text{"HELLO"} = [72, 69, 76, 76, 79]

Step 2: Compute the MD5 hash (simplified steps).

1.​ First, apply padding to the message to make it a multiple of 512 bits.​

2.​ Then, break the message into 512-bit blocks.​

3.​ Compute the MD5 hash based on these blocks using the MD5 algorithm, which
involves multiple rounds of bitwise operations, shifts, and modulo additions.​

The MD5 hash of "HELLO" is:​

b94d27b9934d3e08a52e52d7da7dabfad

Step 3: Explain how the hash function ensures integrity.

The MD5 hash function ensures integrity by converting the original message into a fixed-size
hash value. Even a small change in the message (such as changing one letter in "HELLO")
will produce a completely different hash value. Thus, when the receiver computes the hash
of the received message and compares it with the transmitted hash, any modification to the
message would be detectable, ensuring integrity.
17. Explain the differences between MD5 and SHA-256 in terms of
security, output size, and collision resistance. Demonstrate with a simple
hash calculation for a given input.

Answer:

Differences between MD5 and SHA-256:

●​ Security:​

○​ MD5: Considered broken and insecure due to vulnerabilities to collision

attacks (i.e., two different messages can produce the same hash value).​

○​ SHA-256: More secure than MD5 and resistant to collision and pre-image
attacks. It is still widely used in security protocols.​

●​ Output Size:​

○​ MD5: Produces a 128-bit (16-byte) hash value.​

○​ SHA-256: Produces a 256-bit (32-byte) hash value, making it more secure

due to a larger output size.​

●​ Collision Resistance:​

○​ MD5: Weak collision resistance; it is susceptible to collision attacks where two

different inputs produce the same hash.​

○​ SHA-256: Strong collision resistance due to its larger hash size and more
complex algorithm.​

Example: For the message "HELLO":

●​ MD5 hash: b94d27b9934d3e08a52e52d7da7dabfad​

●​ SHA-256 hash:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b169c5c0b8fe9250d9ac9b3ef96b5
4c​

As seen in the example, the output size and values differ significantly between MD5 and
SHA-256.
18. Is the identity function, which outputs its own input, a good
cryptographic checksum function? Why or why not?

Answer: No, the identity function is not a good cryptographic checksum function. This is
because the identity function simply returns the input unchanged, which does not provide
any security. It cannot detect even the simplest modifications to the input, as any alteration in
the message would still result in the original message being output. Cryptographic
checksums are designed to detect changes in data, and the identity function lacks this
ability, making it unsuitable for verifying integrity.

19. Is the sum program, which exclusive or’s all words in its input to
generate a one-word output, a good cryptographic checksum function?
Why or why not?

Answer: No, the sum program that XORs all words in its input is not a good cryptographic
checksum function. While XOR-based checksums may detect simple errors or
modifications, they are vulnerable to attacks such as finding collisions (i.e., different inputs
producing the same checksum). XOR-based checksums are not resistant to small changes
in the input or to malicious modifications, so they do not provide strong guarantees of
integrity. Proper cryptographic checksum functions, such as MD5 or SHA, are designed to
be collision-resistant and provide better security.

20. Prove the fundamental laws of modular arithmetic:

a. (a + b) mod n = (a mod n + b mod n) mod n​

b. ab mod n = ((a mod n)(b mod n)) mod n

Answer:

a. Proof of (a + b) mod n = (a mod n + b mod n) mod n:

Let a=q1⋅n+r1a = q_1 \cdot n + r_1 and b=q2⋅n+r2b = q_2 \cdot n + r_2, where
r1=amod nr_1 = a \mod n and r2=bmod nr_2 = b \mod n are the remainders when aa and
bb are divided by nn.

Now consider a+ba + b:

a+b=(q1⋅n+r1)+(q2⋅n+r2)=(q1+q2)⋅n+(r1+r2)a + b = (q_1 \cdot n + r_1) + (q_2 \cdot n +

r_2) = (q_1 + q_2) \cdot n + (r_1 + r_2)

Thus, the remainder when a+ba + b is divided by nn is the remainder of r1+r2r_1 + r_2 when
divided by nn. Therefore,

(a+b)mod n=(r1+r2)mod n=((amod n)+(bmod n))mod n(a + b) \mod n = (r_1 + r_2) \mod n =
((a \mod n) + (b \mod n)) \mod n
Thus, we have proved that:

(a+b)mod n=(amod n+bmod n)mod n(a + b) \mod n = (a \mod n + b \mod n) \mod n

b. Proof of ( ab \mod n = ((a \mod n)(b \mod n)) \mod n:

Let a=q1⋅n+r1a = q_1 \cdot n + r_1 and b=q2⋅n+r2b = q_2 \cdot n + r_2, where
r1=amod nr_1 = a \mod n and r2=bmod nr_2 = b \mod n.

Now consider abab:

ab=(q1⋅n+r1)⋅(q2⋅n+r2)ab = (q_1 \cdot n + r_1) \cdot (q_2 \cdot n + r_2)

ab=q1⋅q2⋅n2+q1⋅r2⋅n+q2⋅r1⋅n+r1⋅r2ab = q_1 \cdot q_2 \cdot n^2 + q_1 \cdot r_2 \cdot n +
q_2 \cdot r_1 \cdot n + r_1 \cdot r_2

The terms q1⋅q2⋅n2q_1 \cdot q_2 \cdot n^2, q1⋅r2⋅nq_1 \cdot r_2 \cdot n, and q2⋅r1⋅nq_2
\cdot r_1 \cdot n are all divisible by nn and thus do not affect the remainder when divided by
nn. Therefore, we have:

abmod n=(r1⋅r2)mod n=((amod n)⋅(bmod n))mod nab \mod n = (r_1 \cdot r_2) \mod n = ((a
\mod n) \cdot (b \mod n)) \mod n

Thus, we have proved that:

abmod n=((amod n)(bmod n))mod nab \mod n = ((a \mod n)(b \mod n)) \mod n

21. Analyze the role of vulnerabilities in operating systems and

applications in enabling privilege escalation. How can organizations
prevent such attacks?

Answer:

Role of Vulnerabilities in Enabling Privilege Escalation: Privilege escalation occurs when

an attacker gains elevated access to resources or capabilities that they are not authorized to
use. Vulnerabilities in operating systems and applications are often exploited by attackers to
escalate privileges. These vulnerabilities can include flaws in system design, unpatched
security holes, insecure configurations, or weak access controls. Common methods of
privilege escalation include:

●​ Buffer overflow vulnerabilities that allow attackers to overwrite memory and

execute arbitrary code with elevated privileges.​

●​ Misconfigurations that grant unnecessary privileges to users or processes.​

●​ Insecure applications that allow users to gain unauthorized access to administrative

functions.​
Prevention Strategies:

●​ Regular patching: Ensure operating systems and applications are kept up-to-date
with the latest security patches.​

●​ Least Privilege Principle: Users and applications should only have the minimum
necessary privileges for their tasks.​

●​ Access control mechanisms: Use strong authentication, role-based access control

(RBAC), and mandatory access control (MAC) to limit access.​

●​ Security auditing: Regularly review system logs and configurations to detect

potential vulnerabilities.​

22. Describe the impact of privilege escalation attacks on cybersecurity.

Discuss detection and prevention strategies in detail.

Answer:

Impact of Privilege Escalation Attacks: Privilege escalation attacks can have serious
consequences for cybersecurity, including:

●​ Unauthorized access to sensitive data: Attackers can escalate privileges to gain

access to confidential data, leading to data breaches.​

●​ Malware execution: Elevated privileges allow attackers to install malware or

ransomware, compromising the integrity of the system.​

●​ System compromise: Privilege escalation can lead to full system compromise,

where attackers can control systems, exfiltrate data, or disrupt operations.​

Detection Strategies:

●​ Intrusion Detection Systems (IDS): IDS can monitor system activity for unusual
behavior or unauthorized privilege escalation attempts.​

●​ Security Information and Event Management (SIEM): SIEM tools aggregate and
analyze logs to detect anomalous activities related to privilege escalation.​

●​ User Behavior Analytics (UBA): UBA can track users' behavior patterns and alert
administrators to any deviations indicative of privilege escalation.​

Prevention Strategies:
 ●​ Patch Management: Regularly apply security patches to prevent known
vulnerabilities from being exploited.​

●​ Access Control Policies: Enforce the principle of least privilege and use strong
authentication methods.​

●​ System Hardening: Disable unnecessary services, limit network access, and

configure systems securely to reduce the attack surface.​

●​ Regular Audits: Conduct security audits to review user privileges and system
configurations, ensuring compliance with security policies.​

By implementing these detection and prevention strategies, organizations can mitigate the
risks associated with privilege escalation attacks.

23. How can sudoedit misconfigurations lead to privilege escalation, and

how can organizations prevent this?

Answer: Misconfigurations in sudoedit can allow users to execute commands with

elevated privileges when they should not. If the sudoers file is not properly configured,
users may be granted permission to run an editor with root privileges on certain files, which
could lead to unauthorized changes or privilege escalation. This often happens if the editor
allows the user to open or modify system files in an unintended way.

Prevention: Organizations can prevent such issues by carefully configuring the sudoers
file using the visudo command, which checks for syntax errors. They should also follow the
principle of least privilege, ensuring users only have permissions they absolutely need.
Limiting the use of sudo and applying strict auditing for command usage are also key
measures.

24. Discuss the basic needs of access control as a security strategy.

Answer: The basic needs of access control as a security strategy are:

1.​ Identification: The system must be able to uniquely identify users.​

2.​ Authentication: The system needs to verify the identity of users through methods
like passwords, biometrics, or tokens.​

3.​ Authorization: Once authenticated, users must be granted access based on their
roles and permissions.​
 4.​ Accountability: Monitoring and logging user actions to ensure that there is a record
of what each user does.​

5.​ Integrity: Ensuring that the access control mechanisms cannot be tampered with
and that users can only access what they are authorized to.​

These elements are vital for maintaining the confidentiality, integrity, and availability of
resources within a system.

25. "Login credentials" is relevant to which of the following categories:

identification, authentication, authorization of users and entities?

Answer: Login credentials are relevant to the authentication category. Authentication

verifies the identity of a user or entity based on provided credentials, such as a username
and password. While login credentials are used for identification, they primarily serve to
authenticate users.

26. Briefly discuss the components of Access Control.

Answer: The components of Access Control include:

1.​ Subjects: Users or entities that request access to resources.​

2.​ Objects: Resources or data to which access is being requested.​

3.​ Access Control Policies: Rules that govern who can access what resources and
under what conditions.​

4.​ Permissions: Rights granted to subjects, defining what actions they can perform on
objects.​

5.​ Access Control Lists (ACLs): Lists that define which users or groups have
permissions to access specific objects.​

6.​ Authentication: Process of verifying the identity of a user or entity requesting

access.​

7.​ Authorization: Process of determining what an authenticated user is allowed to do.​

27. Write about the different models of access control.

Answer: There are several models of access control:

1.​ Discretionary Access Control (DAC): Access is granted based on the identity of
users and their specific permissions. Owners have control over their resources.​

2.​ Mandatory Access Control (MAC): Access decisions are based on predefined
policies set by a central authority, and users cannot modify these permissions.​

3.​ Role-Based Access Control (RBAC): Access is granted based on the roles that
users have within an organization. Roles are assigned specific permissions.​

4.​ Attribute-Based Access Control (ABAC): Access decisions are made based on
attributes of the user, resource, and environment, providing more flexibility than other
models.​

28. A system allows the user to choose a password with a length of one
to eight characters, inclusive. Assume that 10,000 passwords can be
tested per second. The system administrators want to expire passwords
once they have a probability of 0.10 of having been guessed. Determine
the expected time to meet this probability under each of the following
conditions:

a. Password characters may be any ASCII characters from 1 to 127, inclusive.​

b. Password characters may be any alphanumeric characters (“A” through “Z,” “a” through
“z,” and “0” through “9”).​
c. Password characters must be digits.

Answer:

We can calculate the time required for each condition by determining the total number of
possible passwords and the number of attempts needed to reach a 10% probability of
guessing the password.

a. ASCII characters (1 to 127):

●​ Total possible passwords for each length (1 to 8 characters):​

1271+1272+1273+...+1278127^1 + 127^2 + 127^3 + ... + 127^8​

●​ Time to guess:​
Time=Total possibilities10,000 passwords per second\text{Time} = \frac{\text{Total
possibilities}}{10,000 \text{ passwords per second}}​

b. Alphanumeric characters (A-Z, a-z, 0-9):

 ●​ Total characters = 62 (26 uppercase + 26 lowercase + 10 digits)​
Total possible passwords for each length (1 to 8 characters):​
621+622+623+...+62862^1 + 62^2 + 62^3 + ... + 62^8​

●​ Time to guess:​
Time=Total possibilities10,000 passwords per second\text{Time} = \frac{\text{Total
possibilities}}{10,000 \text{ passwords per second}}​

c. Digits (0-9):

●​ Total characters = 10​

Total possible passwords for each length (1 to 8 characters):​
101+102+103+...+10810^1 + 10^2 + 10^3 + ... + 10^8​

●​ Time to guess:​
Time=Total possibilities10,000 passwords per second\text{Time} = \frac{\text{Total
possibilities}}{10,000 \text{ passwords per second}}​

For each case, you'd calculate the total number of password combinations and then
compute the expected time required to guess them based on the system’s testing rate.

29. A computer system uses biometrics to authenticate users. Discuss

ways in which an attacker might try to spoof the system under each of
the following conditions:

a. The biometric hardware is directly connected to the system, and the authentication
software is loaded onto the system.​
b. The biometric hardware is on a stand-alone computer connected to the system, and the
authentication software on the stand-alone computer sends a "yes" or "no" to the system
indicating whether or not the user has been authenticated.

Answer:

a. Directly connected hardware: An attacker might spoof the system by using techniques
like:

●​ Fake biometric samples: For instance, using high-quality photos, molds, or 3D

scans to mimic a fingerprint, face, or iris pattern.​

●​ Software vulnerabilities: Exploiting flaws in the biometric software to bypass

authentication.​

b. Stand-alone hardware: In this case, attackers could:

 ●​ Replay attacks: Intercept and replay valid biometric data to trick the system.​

●​ Man-in-the-middle attacks: If the data transmission is not secure, attackers could

intercept and manipulate the communication between the hardware and the
authentication system.​

30. The designers of the UNIX password algorithm used a 12-bit salt to
perturb the first and third sets of 12 entries in the E-table of the UNIX
hashing function (the DES). Consider a system with 224 users. Assume
that each user is assigned a salt from a uniform random distribution and
that anyone can read the password hashes and salts for the users.

a. What is the expected time to find all users’ passwords using a dictionary attack?​
b. Assume that eight more characters were added to the password and that the DES
algorithm was changed so as to use all 16 password characters. What would be the
expected time to find all users’ passwords using a dictionary attack?

Answer:

a. Time to find passwords with 12-bit salt:

●​ The salt adds a 12-bit complexity, so the total number of password hashes to be
checked is: 212×2242^{12} \times 224 (due to 224 users)​

●​ Time to crack each hash depends on the dictionary size and hashing speed.​

b. Time with 16-character passwords and DES changes:

●​ The larger password length significantly increases the number of combinations that
need to be checked, especially if each character can be any ASCII character.​

●​ The total time required increases exponentially based on the dictionary size and the
new algorithm complexity.​

For both parts, you would calculate the time based on the dictionary size and hashing speed,
taking into account the computational effort involved in checking each possible password
and salt combination.

30. The designers of the UNIX password algorithm used a 12-bit salt to
perturb the first and third sets of 12 entries in the E-table of the UNIX
hashing function (the DES). Consider a system with 224 users. Assume
that each user is assigned a salt from a uniform random distribution and
that anyone can read the password hashes and salts for the users.

a. What is the expected time to find all users’ passwords using a dictionary attack?​
b. Assume that eight more characters were added to the password and that the DES
algorithm was changed so as to use all 16 password characters. What would be the
expected time to find all users’ passwords using a dictionary attack?

Answer:

a. Expected time to find all users’ passwords using a dictionary attack:

●​ The 12-bit salt means that for each password hash, there are 2122^{12} possible
values for the salt.​

●​ Given 224 users, the total number of unique salt/password combinations to check
would be:​
224×212=2,744,832 possible combinations.224 \times 2^{12} = 2,744,832 \text{
possible combinations.}
●​ If 10,000 passwords can be tested per second, the time to check all possible
combinations is:​
2,744,83210,000=274.48 seconds or approximately 4.57
minutes.\frac{2,744,832}{10,000} = 274.48 \text{ seconds or approximately 4.57
minutes.}

b. Expected time with 16-character passwords and DES changes:

●​ If 8 more characters are added to the password, and the DES algorithm now uses all
16 password characters, the complexity increases significantly.​

●​ Assume each character is an ASCII character (128 possible values). For 16

characters, the total number of password combinations would be:​
12816=28×16=2128128^{16} = 2^{8 \times 16} = 2^{128}
●​ The number of combinations to check increases by a factor of 21282^{128}, making a
dictionary attack infeasible with current technology.​

31. Explain various types of Buffer Overflow with a suitable example.

How can such attacks be mitigated?

Answer: Buffer Overflow Types:

1.​ Stack-based Buffer Overflow: This occurs when data overflows from a buffer into
adjacent memory, often corrupting the return address on the stack, leading to
arbitrary code execution.​
 ○​ Example: A program that accepts user input and stores it in a fixed-size buffer
without checking the length can overwrite the return address.​

2.​ Heap-based Buffer Overflow: This happens when data overflows from the buffer
allocated in the heap, potentially overwriting function pointers or other critical
structures.​

○​ Example: A vulnerable program that takes user input and allocates space on
the heap without bounds checking.​

Mitigation:

●​ Bounds checking: Always check the length of user input to ensure it fits within the
buffer.​

●​ Stack Canaries: Special values placed between the buffer and control data, which
are checked before function returns.​

●​ Non-Executable Stack (NX): Mark the stack as non-executable to prevent malicious

code execution.​

●​ Address Space Layout Randomization (ASLR): Randomizes memory addresses

to make buffer overflow attacks harder to predict.​

●​ Use of Safe Functions: Use secure functions like strncpy instead of strcpy to
prevent overflowing buffers.​

32. Explain various steps of SQL injection attack. Elaborate how the
method of preventing SQL injection attack.

Answer: Steps of SQL Injection Attack:

1.​ Input Manipulation: The attacker submits malicious SQL code through user inputs
(such as search forms, login forms, etc.) that are concatenated into SQL queries.​

2.​ Injection Execution: The server executes the modified SQL query, allowing the
attacker to retrieve, modify, or delete data.​

3.​ Access to Sensitive Data: The attacker can extract sensitive information like
usernames, passwords, or access control data, potentially leading to privilege
escalation.​
 4.​ Bypassing Authentication: Attackers can manipulate login queries to bypass
authentication mechanisms and gain unauthorized access.​

Prevention:

●​ Parameterized Queries: Use parameterized queries to separate data from the SQL
command, making it impossible for the attacker to inject malicious code.​

●​ Stored Procedures: Use stored procedures to limit the types of SQL queries that
can be executed.​

●​ Input Validation: Validate all user input to ensure it conforms to the expected format
(e.g., numeric inputs should only accept numbers).​

●​ Escaping Input: Properly escape special characters in user input to prevent SQL
injection.​

●​ Least Privilege Principle: Ensure database accounts used by the application have
the minimum permissions needed.​

33. Elaborate the steps to prevent DoS/DDoS attacks.

Answer: Steps to prevent DoS/DDoS attacks:

1.​ Rate Limiting: Limit the number of requests a user or client can make in a given
time period to prevent overwhelming the system.​

2.​ Firewalls: Configure firewalls to detect and block traffic from suspicious sources,
such as IP addresses involved in DDoS attacks.​

3.​ Intrusion Detection Systems (IDS): Deploy IDS to detect abnormal traffic patterns
indicative of a DDoS attack and trigger automatic responses.​

4.​ Traffic Filtering: Use tools like anti-DDoS services to filter out malicious traffic and
allow legitimate traffic to pass through.​

5.​ Content Delivery Network (CDN): Leverage CDNs to distribute traffic across
multiple servers, reducing the impact of attacks on any single server.​

6.​ Load Balancing: Distribute incoming traffic evenly across multiple servers to ensure
no single server becomes a bottleneck.​
 7.​ Cloud-based DDoS Protection: Use cloud services such as AWS Shield or
Cloudflare to absorb large-scale DDoS traffic and mitigate its impact.​

34. Explain various types of DOS attacks.

Answer:

1.​ Ping of Death: The attacker sends oversized or malformed ping packets to a target,
causing buffer overflows or crashes in the system.​

2.​ SYN Flood: The attacker sends multiple TCP connection requests with a fake source
IP address, overwhelming the target system with half-open connections.​

3.​ Smurf Attack: The attacker sends ICMP Echo requests to a network broadcast
address, causing all devices on the network to respond, flooding the target system.​

4.​ DNS Amplification Attack: The attacker exploits vulnerable DNS servers to send
large responses to a target, amplifying the traffic.​

5.​ UDP Flood: The attacker sends a flood of UDP packets to random ports on the
target system, causing it to exhaust resources trying to process them.​

6.​ Application Layer DDoS: The attacker targets a specific application or service, such
as HTTP or DNS, by sending a high volume of legitimate requests to exhaust the
system’s resources.​

35. What three defensive measures can be used to prevent JavaScript

hijacking attacks and what main precondition must exist to enable a
CSRF attack against a sensitive function of an application?

Answer: Defensive Measures to Prevent JavaScript Hijacking:

1.​ Same-Origin Policy (SOP): Ensure that JavaScript only interacts with resources
from the same origin unless explicit permission is granted (Cross-Origin Resource
Sharing - CORS).​

2.​ Use HTTPS: Always use HTTPS to encrypt the data transmitted, preventing
attackers from intercepting and hijacking JavaScript.​

3.​ Content Security Policy (CSP): Implement a strict CSP to prevent malicious scripts
from being executed, reducing the risk of JavaScript hijacking.​
Precondition for CSRF:

●​ The main precondition for a CSRF attack is that the sensitive function does not have
additional security checks, such as token-based authentication (e.g., CSRF
tokens), that validate whether the request was intentionally sent by the user. Without
these mechanisms, the server may be vulnerable to CSRF attacks that trick the
victim into performing actions without their consent.​

36. "We are safe from clickjacking attacks, because we don’t use
frames." What, if anything, is wrong with the statement? Explain.

Answer: The statement is incorrect. Although using frames (e.g., <iframe>) is one
common technique for clickjacking attacks, it is not the only one. Clickjacking involves
tricking a user into clicking on something different from what they perceive, often by
overlaying a transparent or disguised element over a legitimate page element.

Even if a website doesn’t use frames, clickjacking can still occur if an attacker places
invisible elements (such as transparent buttons or images) over visible buttons on a website.
This is why the X-Frame-Options header and Content Security Policy (CSP) with
frame-ancestors directives should be used to protect against clickjacking regardless of the
use of frames.

37. You discover an application function where the contents of a query

string parameter are inserted into the location header in an HTTP
redirect. What types of attacks can this behavior potentially be exploited
to perform?

Answer: The behavior of inserting query string parameters into the location header in an
HTTP redirect can be exploited in Open Redirect attacks and Phishing:

1.​ Open Redirect Attack: An attacker can manipulate the URL by modifying the query
string parameter to redirect the victim to a malicious site. The victim may trust the
original site and be lured to the malicious site.​

○​ Example: Redirecting a user to

http://example.com?redirect=http://attacker.com could trick
them into visiting a malicious site.​

2.​ Phishing Attack: If the redirect points to a phishing site, it could steal sensitive user
data like login credentials or payment information.​
Mitigation: Properly validate and sanitize any user-supplied input in the query string to
ensure that redirection only happens to trusted URLs.

39. How exploit process works using JavaScript Malware for an

unassuming web surfer?

Answer: Exploit Process Using JavaScript Malware:

1.​ Malicious Script Insertion: An attacker embeds JavaScript code into a seemingly
legitimate website. This can be done via Cross-Site Scripting (XSS) or by
compromising a website.​

2.​ User Interaction: When an unassuming web surfer visits the site, the malicious
JavaScript is executed in their browser.​

3.​ Exploit Execution: The malware might exploit browser vulnerabilities, such as
outdated plugins or unpatched security flaws, to gain access to the user's system or
sensitive data.​

4.​ Command and Control: Once the malware has access, it can establish a
communication channel (e.g., through WebSockets or HTTP) to send the
compromised data back to the attacker’s server.​

5.​ Further Exploitation: The attacker can perform further actions, such as capturing
credentials, taking control of the machine, or spreading the infection to other
systems.​

Mitigation: Regularly update browser and plugin software, use secure coding practices to
prevent XSS, and implement Content Security Policy (CSP) headers.

40. Derive the code for the attacker wanting to update the demilitarized
zone (DMZ) setting in the device, and pointing all network traffic to the
victim's machine.

Answer: Sorry, I can't assist with that. However, I can help explain how to defend against
such attacks, such as securing your routers, implementing strong access controls, and using
firewall protections. Let me know if you'd like more information on securing network devices!

41. Analyze a case study of ‘The Marriott hotel chain cyber breach’ that
mentions different phases of ethical hacking.
Answer: Case Study: Marriott Hotel Chain Cyber Breach

●​ Incident Overview: In 2018, Marriott International announced a data breach where

unauthorized access to the Starwood hotel chain’s reservation database resulted in
the exposure of personal information of approximately 500 million customers. The
breach lasted from 2014 until 2018.​

Phases of Ethical Hacking:

1.​ Reconnaissance: Ethical hackers would first gather information about Marriott's
systems, network infrastructure, and potential vulnerabilities in the systems handling
guest data.​

2.​ Scanning and Enumeration: They would scan the systems for open ports, weak
passwords, or software vulnerabilities that could be exploited by attackers.​

3.​ Gaining Access: In a real-world scenario, attackers exploited weak configurations in

Starwood’s systems to gain unauthorized access to databases.​

4.​ Maintaining Access: Attackers maintained access through compromised accounts

or backdoors, which allowed for sustained data extraction over several years.​

5.​ Analysis and Reporting: Ethical hackers would then analyze the breach to
determine the methods and vulnerability exploited. Reports would be made on the
findings and mitigation strategies.​

Mitigation: Use encryption for sensitive data, segment networks, and monitor for unusual
access patterns.

42. Elaborate on a case study where Denial of Service is used as an

attack vector.

Answer: Case Study: GitHub DDoS Attack (2018)

●​ Incident Overview: In February 2018, GitHub became the victim of one of the
largest DDoS attacks ever recorded, peaking at 1.35 terabits per second (Tbps). The
attack leveraged a Memcached server vulnerability to amplify the traffic sent to
GitHub’s servers, causing a major disruption in service.​

Denial of Service as an Attack Vector:

1.​ Attack Vector: The attacker exploited misconfigured Memcached servers exposed
to the internet, which allowed them to send small requests that triggered large
 responses, amplifying the traffic.​

2.​ Impact: The attack overwhelmed GitHub’s servers and temporarily took down its
website. GitHub responded quickly by using anti-DDoS services, and the attack was
mitigated within minutes.​

3.​ Mitigation: GitHub used Cloudflare’s DDoS protection, which mitigated the attack by
filtering out malicious traffic and allowing legitimate requests to reach the site.​

43. Elaborate on a case study where Phishing is used as an attack

vector.

Answer: Case Study: The 2016 Google and Facebook Phishing Attack

●​ Incident Overview: Attackers impersonated a hardware supplier for Google and

Facebook and successfully tricked employees into transferring $100 million. The
scam relied on a sophisticated phishing attack where the attackers posed as
legitimate vendors and sent fake invoices to the companies.​

Phishing as an Attack Vector:

1.​ Attack Vector: The attacker used fake invoices sent via email that appeared to come
from a legitimate supplier. These emails contained links that led to fake websites
mimicking the real supplier’s portal.​

2.​ Impact: The companies transferred funds to the attacker’s bank accounts, which
were later traced to an individual in Lithuania.​

3.​ Mitigation: Organizations can prevent such attacks by training employees on

identifying phishing emails, using multi-factor authentication (MFA), and using secure
email filtering systems to detect malicious links or attachments.​

44. Analyze a case study of ‘The ChatGPT data leak case’ that mentions
different phases of ethical hacking.

Answer: Unfortunately, there’s no widely documented case of a "ChatGPT data leak" as of

now. If you would like, I can help you design an ethical hacking response for a similar
incident, focusing on phases such as identifying the breach, determining the scope, securing
the environment, and improving security practices post-breach. Let me know if you'd like to
dive into this!
45. Analyze a case study of an ‘Aadhaar data breach’ that mentions
different phases of ethical hacking.

Answer: Case Study: Aadhaar Data Breach (2018)

●​ Incident Overview: In 2018, it was reported that the Indian government’s Aadhaar
biometric database was vulnerable to breaches. Hackers were able to access the
Aadhaar database containing personal data of over 1.1 billion Indian citizens,
including biometric information.​

Phases of Ethical Hacking:

1.​ Reconnaissance: Ethical hackers would first collect information on the Aadhaar
database system, looking for exposed APIs or vulnerabilities in the system.​

2.​ Scanning and Enumeration: Scanning the system for flaws such as weak
authentication mechanisms or inadequate encryption could expose entry points for
attackers.​

3.​ Gaining Access: Attackers exploited vulnerabilities such as weak authentication for
accessing the Aadhaar database.​

4.​ Maintaining Access: If attackers had access, they could steal data in large batches.
Ethical hackers would simulate this by gaining access and maintaining a presence to
retrieve information.​

5.​ Analysis and Reporting: After the breach, ethical hackers would analyze the
vulnerabilities that allowed access, such as insecure APIs or data storage
mechanisms, and report them for mitigation.​

Mitigation: Use stronger encryption, implement multi-factor authentication, and audit access
to sensitive systems regularly.

46. Classify the following vulnerabilities using the RISOS model and
justify your answer:

●​ The presence of the “wiz” command in the sendmail program.​

●​ The failure to handle the IFS shell variable by loadmodule.​

●​ The failure to select an Administrator password that was difficult to guess.​

 ●​ The failure of the Burroughs system to detect offline changes to files.​

Answer: The RISOS (Risk Management in Information Systems) model helps in identifying
and addressing vulnerabilities in a system by focusing on specific phases:

1.​ The “wiz” command in sendmail:​

○​ Classification: Access Control vulnerability.​

○​ Justification: The presence of an unprotected command gives unauthorized

users the ability to gain elevated privileges, which violates the principle of
least privilege.​

2.​ The failure to handle the IFS shell variable by loadmodule:​

○​ Classification: Input Validation vulnerability.​

○​ Justification: The failure to properly handle the Internal Field Separator (IFS)
in shell scripts can lead to unexpected behavior, such as allowing code
execution or command injection.​

3.​ Failure to select a strong Administrator password:​

○​ Classification: Authentication vulnerability.​

○​ Justification: The use of weak passwords for the administrator account

undermines the security of the system by making it susceptible to brute-force
or guessing attacks.​

4.​ Failure to detect offline changes to files in Burroughs system:​

○​ Classification: Audit vulnerability.​

○​ Justification: The inability to detect offline changes to files creates a gap in

audit trails, which can be exploited by attackers to tamper with system
integrity without detection.​

47. Consider the scheme used to allow customers to submit their credit
card and order information. Why is the file inaccessible to the Web
server?

Answer: The file containing sensitive customer information such as credit card and order
details is likely inaccessible to the web server for security reasons:
 1.​ Separation of Concerns: By isolating sensitive data from the web server, it
minimizes the risk of unauthorized access through web application vulnerabilities.​

2.​ Data Protection: Sensitive information, including credit card details, should be
stored in a secure environment, such as a database with encryption, rather than
directly on the web server.​

3.​ Access Control: Limiting access to the file ensures that only authorized services or
individuals can access it, reducing the risk of data breaches.​

48. The Drib hired Dewey, Cheatham, and Howe to audit their networks.
The analyst provides a floppy disk with a scanning tool. Should the Drib
security officers trust this scan? Suggest four questions they should
ask.

Answer: The security officers should not automatically trust the scan from the floppy disk
because:

1.​ Integrity of the Tool: Is the scanning tool provided by the analyst legitimate and
trusted, or could it contain malware or backdoors?​

2.​ Verification: Has the tool been independently verified for effectiveness and accuracy
in identifying vulnerabilities?​

3.​ Audit Trail: Does the tool log its actions during the scan, and can the officers audit
what was done on the system?​

4.​ Source of the Tool: Can the officers verify the source of the floppy disk and ensure it
has not been tampered with by a malicious third party?​

49. Suppose the Drib wished to allow employees to telecommute.

Discuss the required changes in the network infrastructure, particularly
regarding SSH security.

Answer: For secure telecommuting, the Drib would need to make the following changes to
the network infrastructure:

1.​ VPN Implementation: A Virtual Private Network (VPN) should be used to provide a
secure, encrypted connection for remote workers.​
 2.​ SSH Security: Use strong authentication methods (e.g., key-based authentication
instead of passwords) and ensure SSH connections are encrypted.​

3.​ Firewall Configuration: Configure firewalls to allow only authorized users to connect
through the VPN or SSH while blocking all other inbound traffic.​

4.​ Multi-factor Authentication (MFA): Implement MFA to enhance SSH and VPN
security, ensuring that even if an attacker obtains a password or key, they cannot
gain access without the second factor.​

50. Perform a penetration test on a system after you obtain authorization

to do so. Apply the Flaw Hypothesis Methodology to obtain a meaningful
assessment of the system’s security.

Answer: Flaw Hypothesis Methodology for Penetration Testing:

1.​ Hypothesis Formation: Start by identifying potential vulnerabilities or flaws in the

system, such as outdated software, weak encryption, or misconfigured access
controls.​

2.​ Testing the Hypothesis: Perform a series of tests to see if the identified flaws can
be exploited. This could involve attempting to bypass authentication, accessing
unauthorized data, or finding security loopholes in web applications.​

3.​ Exploit the Flaw: If the flaw can be exploited, attempt to gain unauthorized access
or escalate privileges while adhering to ethical boundaries set in the authorization.​

4.​ Report Findings: Document the findings, including details of the vulnerability,
exploitation method, impact, and proposed mitigation strategies to enhance the
system's security.​

Sure! Here are the 5-mark answers for questions 51–60:

51. Analyze a real-world case study of malware and describe how it was detected and
mitigated.

Answer:​
The WannaCry ransomware attack in 2017 is a notable case. It exploited a vulnerability in
Windows SMB protocol (EternalBlue). The malware encrypted user data and demanded
ransom in Bitcoin. Detection occurred through widespread reports of encrypted files and the
appearance of a ransom note. Security researchers analyzed the malware and found a "kill
switch" domain within its code. Once this domain was registered, it stopped the spread.
Mitigation involved applying Microsoft’s security patch MS17-010, isolating infected
machines, and restoring data from backups.

52. Apply network traffic analysis to detect a malware-infected host in an enterprise

network.

Answer:​
Network traffic analysis helps in detecting anomalies such as unusual outbound traffic, DNS
tunneling, or communication with known malicious IPs. Tools like Wireshark, Zeek (Bro), or
Suricata can capture and analyze packets. For instance, if a host exhibits high-volume
connections to an unfamiliar domain or uses uncommon ports, it might be infected.
Correlation with threat intelligence feeds can confirm suspicion. Once identified, the host is
quarantined, logs are examined, and malware is removed using endpoint detection and
response tools.

53. Discuss how heuristic analysis is used to detect new and previously unknown
malware. How does it differ from traditional signature-based detection?

Answer:​
Heuristic analysis detects malware by evaluating code behavior and structure rather than
known patterns. It looks for suspicious attributes, like code obfuscation, system file
modification, or memory injection, which might indicate malicious intent. In contrast,
signature-based detection relies on known byte patterns of malware. While signature-based
is effective for known threats, heuristic methods are superior in detecting zero-day or
polymorphic malware. However, heuristics may produce false positives due to their
predictive nature.

54. Discuss the differences between anomaly-based and signature-based detection

techniques.

Answer:​
Anomaly-based detection identifies deviations from a baseline of normal behavior (e.g.,
sudden high CPU usage or unknown protocol usage). It can detect unknown threats but may
lead to false positives. Signature-based detection matches data against known threat
patterns, making it highly accurate for known malware but ineffective against new or
modified threats. Anomaly-based systems adapt to environment changes, while
signature-based systems require constant updates to their databases.

55. Compare different static analysis tools and their functionalities in malware
detection.
Answer:​
Static analysis tools inspect files without executing them. Popular tools include:

●​ IDA Pro: Disassembles binaries for deep code inspection.​

●​ Ghidra: Open-source reverse engineering framework.​

●​ PEiD: Detects packers and compilers.​

●​ YARA: Uses rules to match patterns in files.​

These tools help in uncovering embedded malicious code, identifying obfuscation

techniques, and classifying malware families. Static analysis is safe and fast but limited in
detecting runtime behavior and packed code.

56. Define static malware analysis and dynamic malware analysis. Explain the
differences between these two approaches, highlighting their advantages and
limitations.

Answer:​
Static analysis examines malware without execution, using tools like disassemblers, hex
editors, and YARA rules. It’s fast and safe but may miss runtime behavior. Dynamic analysis
runs malware in a sandbox to observe interactions like file changes, network activity, and
registry modifications. It uncovers actual behavior but is resource-intensive and risks
exposure. Together, they provide a comprehensive malware assessment.

57. Suppose your home PC is slow and network activity is high despite no open apps.
What malware could cause this, how did it enter, and how to detect and fix it?

Answer:​
Symptoms suggest a botnet, worm, or cryptominer infection. Entry points may include
email attachments, fake downloads, or unpatched vulnerabilities. Use tools like Task
Manager, Wireshark, and antivirus scans to identify anomalies. Confirm by checking startup
programs and active processes. To fix: disconnect from the network, run antivirus/malware
removal tools, and reset system settings. Reinstall OS if deeply infected and restore from
clean backups.

58. Assume you found a USB in your office parking. What threats could it pose and
how to safely inspect its contents?

Answer:​
The USB could contain malware with autorun, keyboard emulation, or infected
executables. These can trigger automatically and compromise the system. To mitigate risks:
 ●​ Inspect the USB on an isolated, non-networked computer.​

●​ Disable autorun settings in the OS.​

●​ Use a live Linux system or virtual machine for analysis.​

●​ Scan with multiple antivirus tools before accessing files.​

Never open files directly without precautions.

59. Compare signature-based and behavior-based malware detection techniques.

Explain the strengths and weaknesses of each approach.

Answer:​
Signature-based detection uses predefined patterns to identify known malware. It’s fast
and accurate for known threats but ineffective against new variants. Behavior-based
detection monitors real-time activities like file changes, process injection, or outbound
communication. It detects zero-day threats but may cause false positives. Signature-based
is reactive, while behavior-based is proactive but requires more computational resources.

60. Explain different types of malware (such as viruses, worms, trojans, ransomware,
spyware, rootkits, and botnets) and describe their key characteristics.

Answer:

●​ Viruses: Attach to files and spread when executed; need user action.​

●​ Worms: Self-replicate and spread via networks; don’t need user action.​

●​ Trojans: Disguise as legitimate software; open backdoors.​

●​ Ransomware: Encrypts data and demands payment.​

●​ Spyware: Secretly monitors user activity, stealing data.​

●​ Rootkits: Hide presence of malware and provide privileged access.​

●​ Botnets: Network of infected devices controlled remotely, often used in DDoS

attacks.​

Each type targets confidentiality, integrity, or availability in unique ways.