
www.moreacademy.online

More Academy
Information Security
Abhay More (abhay_more)

607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622
MORE ACADEMY BSC IT: SEM -VI SQA

UNIT I
Information Security Overview
*1. What is the importance of information protection? Explain with examples.
 Prevents unauthorized access, data breaches, and identity theft.
 Ensures confidentiality, integrity, and availability (CIA Triad).
 Example: Protecting customer financial data from cybercriminals.
2. Explain various components used to build a security program.
 Policies & Procedures – Define security standards.
 Risk Management – Identify and mitigate security threats.
 Access Control – Restrict unauthorized access.
 Incident Response – Prepare for and handle security breaches.
 Security Awareness Training – Educate employees on security best practices.
 Monitoring & Auditing – Detect and analyze threats.
3. Comment on: “Achieving 100 percent protection against all conceivable
attacks is an impossible job.”
 Attackers constantly evolve their techniques.
 Zero-day vulnerabilities can be exploited before detection.
 Human errors remain a weak link.
 Security is about risk reduction, not absolute protection.
*4. Explain the best practices for network defense.
 Implement firewalls and intrusion detection/prevention systems (IDS/IPS).
 Use strong encryption for data transmission.
 Apply multi-factor authentication (MFA).
 Regularly update and patch systems.
 Conduct security audits and penetration testing.
 Train employees on cybersecurity awareness.
*5. Explain the Three D’s of Security (Defense, Detection, and Deterrence) with
examples.
 Defense – Use firewalls, antivirus, and secure networks.
 Detection – Monitor logs, IDS/IPS, and anomaly detection.
 Deterrence – Legal actions, security policies, and awareness training.

Page 1 of 18
YouTube - Abhay More | Telegram - abhay_more
607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622

Risk Analysis and Defense Models


*6. What are various types of attacks? Explain with examples.
 Phishing – Fake emails trick users into revealing credentials.
 Denial-of-Service (DoS) – Overloads systems to disrupt services.
 Man-in-the-Middle (MITM) – Attackers intercept communication.
 SQL Injection – Injecting malicious queries into a database.
 Ransomware – Encrypts files and demands payment for decryption.
7. Explain the CIA Triad Model with reference to Security in Computing.
 Confidentiality – Protects sensitive information (e.g., encryption).
 Integrity – Ensures data is accurate and not tampered with.
 Availability – Ensures authorized users have access when needed.
*8. Explain the Onion Model of security.
 Security is implemented in layers to provide multiple barriers.
 Outer layers (firewalls, access controls) protect the inner core (data).
 Each layer delays and weakens an attack before reaching critical assets.
9. With the help of a diagram, explain how the Onion Defence Model is better
than other models for security.
 Demonstrates layered security over a single-layered approach.
 Reduces risk of a single point of failure.
 Harder for attackers to penetrate all layers.
*10. What is meant by the Zone of Trust? Explain its importance in
communication with a diagram.
 Defines trusted, semi-trusted, and untrusted zones in a network.
 Example: Internal network (trusted), VPN (semi-trusted), internet (untrusted).
 Helps implement different security policies per zone.
11. What are the various countermeasures that can be implemented to
minimize the risk of a successful attack?
 Regular patching and updates.
 Strong access control and least privilege principle.
 Backup and disaster recovery planning.
 Employee security training.
 Monitoring and logging for anomaly detection.

Types of Attacks and Malware


12. Write a short note on Network-Layer Attack.
 Targets weaknesses in network protocols and infrastructure.
 Examples: DoS, DDoS, IP spoofing, ARP poisoning.
 Defense: Firewalls, IDS/IPS, encrypted communication.
*13. What are Application-Layer Attacks? Explain the following:
 Application-layer attacks target the software that processes user input (web servers, database servers, mail clients) rather than the network protocols beneath it.
i. Buffer Overflows
 Writing more data into a fixed-size buffer than it can hold, so adjacent memory (return addresses, function pointers, heap metadata) is overwritten.
 Can lead to arbitrary code execution or crashes.
 Prevention: bounds checking and input validation, memory-safe languages or safe library functions, compiler and OS mitigations (stack canaries, DEP/NX, ASLR).

ii. Password Cracking
 Brute-force attack – Tries every possible password; cost grows exponentially with password length.
 Dictionary attack – Tries lists of common passwords and previously leaked credentials.
 Rainbow table attack – Uses precomputed hash chains to reverse unsalted password hashes; defeated by a unique salt per user.
 Prevention: Strong passwords, salted slow hashing (bcrypt, scrypt, Argon2), account lockout or rate limiting, multi-factor authentication.
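As an added example (not part of the original notes), the two halves of the password-cracking bullet above in Python: a precomputed lookup table run against unsalted SHA-256 hashes, then the same wordlist run against a salted, iterated PBKDF2 hash. The credential store, wordlist and user names are constructed for the example; PBKDF2 stands in for Argon2 or bcrypt because it is in the standard library.

```python
import hashlib
import hmac
import os

# Constructed wordlist and "leaked" credential store; not real data.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024!"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Legacy store: unsalted SHA-256 of the password, one hash per user.
UNSALTED_DB = {
    "alice": sha256_hex(b"password"),
    "bob": sha256_hex(b"Summer2024!"),
    "carol": sha256_hex(b"correct-horse-battery-staple"),
}


def build_lookup_table(wordlist):
    """Precomputed hash -> plaintext map. A real rainbow table stores hash
    chains to save space, but the attacker's advantage is the same: the
    hashing work is done once and reused against every unsalted hash."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_unsalted(db, table):
    """Every stored hash is a single dictionary lookup."""
    return {user: table.get(h) for user, h in db.items()}


def store_salted(password: str, iterations: int = 50_000) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256 from the stdlib. Argon2id or
    bcrypt are the better choice where a library is available; the
    properties shown here (unique salt, deliberately slow derivation)
    are the same."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison so timing does not leak matching prefixes
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(record: dict, wordlist):
    """The precomputed table is useless here: each guess must be re-derived
    with this record's salt and iteration count, so the cost is paid per
    user, per guess."""
    for word in wordlist:
        if verify_salted(word, record):
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(crack_unsalted(UNSALTED_DB, table))
    print(crack_salted(store_salted("letmein"), WORDLIST))
```

Salting does not save a password that is in the wordlist (the second call still finds "letmein"); what it removes is the one-time precomputation and the ability to crack every user at once.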
*14. List and briefly describe different forms of Man-in-the-Middle (MITM)
attacks.
 Session Hijacking – Attacker steals or predicts a session token and takes over an active session.
 Packet Sniffing – Intercepts unencrypted traffic on the path (a passive form: read, not modify).
 SSL Stripping – Downgrades an HTTPS connection to HTTP so the attacker sees the traffic in clear.
 DNS Spoofing – Poisons name resolution so users are redirected to an attacker-controlled host.
 ARP Poisoning – On a LAN, forges ARP replies so traffic meant for the gateway flows through the attacker.
 Prevention: End-to-end encryption with certificate validation, HTTPS enforcement and HSTS, VPNs on untrusted networks, DNSSEC, secure session cookies (HttpOnly, Secure, short-lived).
15. What are the three recognized variants of malicious mobile code? Explain.
 Viruses – Infects and spreads through files.
 Worms – Self-replicates over networks.
 Trojans – Disguised as legitimate software.
16. Explain different types of viruses and worms.
 Macro Virus – Lives in application macros (e.g., MS Word documents) and runs when the document is opened.
 Polymorphic Virus – Rewrites or re-encrypts its own code on each infection to evade signature-based detection.
 Rootkit – Strictly a post-infection component rather than a virus type: hides malicious processes, files, and network activity by subverting the OS.
 Worms – Spread independently over networks without user action, usually by exploiting unpatched services.
*17. Explain the following:
i. E-mail Worms
 Spread via infected email attachments.
 Example: ILOVEYOU worm.
 Prevention: Avoid opening unknown attachments.
ii. Trojans
 Appears legitimate but contains hidden malicious functions.
 Example: Keyloggers, backdoor Trojans.
 Prevention: Use antivirus and endpoint security.


Security Planning and Threat Vectors


18. List and explain the steps to create a Security Defense Plan.
1. Risk Assessment – Identify and evaluate threats.
2. Security Policies – Define access controls and rules.
3. Incident Response Plan – Prepare for security breaches.
4. Implementation of Security Measures – Firewalls, antivirus, MFA.
5. Training & Awareness – Educate employees on security.
6. Regular Audits & Monitoring – Continuous security improvement.
*19. Write a note on Threat Vector.
 Definition: A path or means by which an attacker reaches and compromises a system (the route taken, as distinct from the vulnerability exploited at the end of it).
 Examples: Phishing emails, malicious attachments and downloads, weak or reused passwords, unpatched software, removable media, exposed remote-access services.
 Mitigation: Security awareness, prompt patching, multi-factor authentication, multi-layered defense that closes or monitors each vector.

UNIT II
Authentication and Authorization
1. Define authentication. Explain the two parts of authentication.
 Authentication: The process of verifying the identity of a user or system.
 Two parts of authentication:
1. Identification – Claiming an identity (e.g., entering a username).
2. Verification – Proving the identity (e.g., password, biometric scan).
*2. Explain different types of authentication in detail.
 Types of Authentication:
1. Password-based (static, dynamic, one-time passwords)
2. Biometric-based (fingerprint, iris scan)
3. Multi-Factor Authentication (MFA) (combination of methods)
4. Certificate-Based Authentication (uses digital certificates)
5. Kerberos Authentication (ticket-granting system)
6. Extensible Authentication Protocol (EAP) (supports multiple
authentication mechanisms)
*3. How does the Kerberos Authentication Process take place? Explain each
step with a diagram.
 Actors: the client, the Key Distribution Center (KDC), which contains the Authentication Server (AS) and the Ticket Granting Server (TGS), and the application service. Every principal shares a long-term secret key with the KDC; the user's key is derived from the password.
 Steps in Kerberos Authentication:
1. The client sends an authentication request (AS-REQ) to the KDC's Authentication Server.
2. The AS replies (AS-REP) with a Ticket Granting Ticket (TGT), encrypted under the TGS's key, plus a TGT session key encrypted under the client's key; only the correct password can decrypt that part.
3. The client sends the TGT and an authenticator (client name and timestamp, encrypted with the session key) to the TGS, naming the service it wants (TGS-REQ).
4. The TGS validates the TGT and authenticator and returns to the client a service ticket encrypted under the service's key, plus a service session key (TGS-REP).
5. The client presents the service ticket and a fresh authenticator to the service (AP-REQ); the service decrypts the ticket with its own key and grants access. Tickets carry expiry times, and the timestamps limit replay.
 Diagram: show the client, the KDC (AS and TGS), and the service, with the five messages numbered.
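Added example, not from the notes: the five steps above run end to end in Python. The KDC, service and client are simulated in one process; the seal/unseal helper is a toy authenticated encryption built from SHA-256 and HMAC so the exchange can run with the standard library, and stands in for the AES-based encryption types real Kerberos uses. Principal names, the password and the realm are constructed.

```python
import hashlib
import hmac
import json
import os
import time


# --- toy authenticated encryption (stand-in for Kerberos' AES etypes) ------
# SHA-256 keystream plus an HMAC tag; exists only so the protocol flow can
# run without third-party packages. Do not reuse it for anything real.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(principal: str, password: str) -> bytes:
    # Kerberos derives the client's key from the password (string-to-key)
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


# --- the three exchanges ---------------------------------------------------
class KDC:
    def __init__(self, principals: dict, tgs_key: bytes, service_keys: dict):
        self.principals = principals        # principal -> long-term key
        self.tgs_key = tgs_key              # key of the TGS (krbtgt)
        self.service_keys = service_keys    # service -> long-term key

    def as_exchange(self, client: str) -> bytes:
        """AS-REQ -> AS-REP: a TGT readable only by the TGS, plus the TGT
        session key, the whole reply sealed under the client's key."""
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(),
                                  "expires": time.time() + 3600})
        return seal(self.principals[client], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS-REQ -> TGS-REP: validate TGT and authenticator, then issue a
        service ticket sealed under the service's key."""
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["key"])
        auth = unseal(session, authenticator)
        if auth["client"] != t["client"] or abs(auth["time"] - time.time()) > 300:
            raise ValueError("authenticator does not match TGT or is stale")
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        svc_session = os.urandom(32)
        ticket = seal(self.service_keys[service],
                      {"client": t["client"], "key": svc_session.hex()})
        return seal(session, {"key": svc_session.hex(), "ticket": ticket.hex()})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ: decrypt the ticket with our own key, then check that the
        sender knows the session key carried inside it."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator/ticket mismatch")
        return t["client"]


def kerberos_login(kdc: KDC, service: Service, client: str, password: str) -> str:
    """The client's side of all five steps; returns the identity the service accepted."""
    k_client = long_term_key(client, password)
    as_rep = unseal(k_client, kdc.as_exchange(client))                       # steps 1-2
    tgt_session, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    auth1 = seal(tgt_session, {"client": client, "time": time.time()})
    tgs_rep = unseal(tgt_session, kdc.tgs_exchange(tgt, auth1, service.name))  # steps 3-4
    svc_session, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    auth2 = seal(svc_session, {"client": client, "time": time.time()})
    return service.ap_exchange(ticket, auth2)                                # step 5


def build_realm():
    """Constructed realm: one user, one service, one KDC (all keys random)."""
    alice_key = long_term_key("alice", "Winter-Is-C0ming")
    tgs_key, fs_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": alice_key}, tgs_key, {"fileserver": fs_key})
    return kdc, Service("fileserver", fs_key)
```

With the wrong password the client simply cannot decrypt the AS-REP; the KDC never sees the password. Note that in this simplified flow anyone can request an AS-REP for any principal and guess at it offline, which is exactly why Kerberos 5 deployments enable pre-authentication.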
4. Explain certificate-based authentication in detail.
 Uses digital certificates (X.509) that bind an identity to a public key; the user authenticates by proving possession of the matching private key.
 Involves Public Key Infrastructure (PKI).
 Steps:
1. The user generates a key pair and sends a certificate request containing the public key to a Certificate Authority (CA) or its Registration Authority.
2. The CA verifies the request and issues the certificate, signed with the CA's private key.
3. During authentication the system checks the certificate's CA signature against a trusted root, its validity period, and its revocation status (CRL/OCSP), and challenges the user to sign a nonce with the private key (as in TLS client authentication or smart-card logon).
4. If the chain and the signature verify, access is granted.
*5. Explain the authorization system.
 Authorization: Process of granting or denying access to resources.
 Types of Authorization:
1. Role-Based Access Control (RBAC) – Access based on roles.
2. Discretionary Access Control (DAC) – Owner assigns permissions.
3. Mandatory Access Control (MAC) – Access enforced by policies.

Encryption
6. Explain public key cryptography.
 Uses two keys: Public Key (shared) and Private Key (kept secret).
 Example: RSA Algorithm
 Applications: Digital signatures, secure email, SSL/TLS.
7. Write a note on symmetric key cryptography.
 Uses a single key for encryption and decryption.
 Faster than public-key cryptography.
 Examples: AES, DES, Blowfish.
*8. Describe asymmetric and symmetric key encryption.
Feature        Symmetric Key Encryption                   Asymmetric Key Encryption
Keys Used      One shared secret key                      Key pair: public key and private key
Speed          Fast (suited to bulk data)                 Slow (orders of magnitude slower)
Key exchange   Shared key must be distributed secretly    Public key can be published; private key never leaves its owner
               in advance (the hard problem)
Security       Depends on keeping the one key secret      Depends on the hardness of a mathematical problem (factoring,
               and on key length (AES-128/256)            discrete logarithm) and on key length (RSA-2048 and up)
Use            Encrypting data in bulk                    Key exchange, digital signatures, certificates
Examples       AES, DES (obsolete), Blowfish              RSA, ECC
Neither is "more secure" than the other; in practice they are combined (hybrid encryption): an asymmetric exchange establishes a symmetric session key, as in TLS.
*9. Explain the role of PKI (Public Key Infrastructure) in Security and its
structure.
 PKI Role: Lets parties that have never met trust each other's public keys, so they can encrypt, authenticate, and sign with assurance of who holds the corresponding private key.
 PKI Components:
1. Certificate Authority (CA) – Issues and signs digital certificates; its root certificate is the trust anchor.
2. Registration Authority (RA) – Verifies the identity of the requester before the CA issues the certificate.
3. Public & Private Keys – The certificate binds the public key to an identity; the private key stays with the owner and is used to decrypt and sign.
4. Certificate repository and revocation services (CRL, OCSP) – Publish issued certificates and let relying parties check that a certificate has not been revoked.
10. What are ciphers? Explain "Transposition Cipher" vs. "Substitution
Cipher."
 Cipher: Algorithm for encrypting and decrypting data.
 Transposition Cipher: Rearranges letters without changing them.
 Substitution Cipher: Replaces letters with other symbols (e.g., Caesar cipher).
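Both cipher families from the question, implemented in Python as an added example (not from the notes): a Caesar substitution and a keyed columnar transposition, plus a letter-frequency count that shows why both fall to classical cryptanalysis: the transposition leaves the plaintext's letter frequencies untouched, and the substitution merely shifts them. Key and sample text are constructed.

```python
import math
from collections import Counter


def caesar(text: str, shift: int) -> str:
    """Substitution cipher: every letter is replaced by the letter `shift`
    positions later in the alphabet; non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> list:
    """All 26 candidate plaintexts: the key space is too small to matter."""
    return [caesar(ciphertext, -k) for k in range(26)]


def _column_order(key: str) -> list:
    # columns are read in alphabetical order of the key letters (ties by position)
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str) -> str:
    """Transposition cipher: letters are written row by row under the key
    and read out column by column; nothing is substituted, only moved."""
    text = "".join(c for c in plaintext if c.isalpha()).upper()
    cols = len(key)
    rows = math.ceil(len(text) / cols)
    padded = text.ljust(rows * cols, "X")
    return "".join(padded[r * cols + c] for c in _column_order(key) for r in range(rows))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(rows)]
    pos = 0
    for c in _column_order(key):
        for r in range(rows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def letter_frequencies(text: str) -> Counter:
    """The statistic a cryptanalyst starts from."""
    return Counter(c for c in text.upper() if c.isalpha())
```

Compare `letter_frequencies` of a transposition ciphertext with that of its plaintext: they are identical, which tells the analyst at once that a transposition was used and that anagramming, not substitution tables, is the way in.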

Storage Security
*11. What are the three primary categories of storage infrastructure in modern
storage security?
1. Direct Attached Storage (DAS) – Disks attached directly to one host (SATA, SAS); secured through the host's own access controls.
2. Network Attached Storage (NAS) – File-level storage shared over IP (NFS, SMB); secured with file permissions, authentication, and network controls.
3. Storage Area Network (SAN) – Block-level storage over a dedicated fabric (Fibre Channel, iSCSI); secured with zoning, LUN masking, and fabric authentication.
*12. What is the concept of zoning in fundamental storage infrastructure?
 Zoning: Restricts which devices (initiators and targets) can see and talk to each other across a Storage Area Network (SAN) fabric, so one host cannot reach another host's disks.
 Types:
1. Hard zoning – Enforced by the fabric switch hardware, typically by physical port; frames between devices in different zones are dropped.
2. Soft zoning – Enforced by the fabric name server, usually by World Wide Name (WWN); devices outside the zone are simply not advertised, so a device that already knows a target's address can still attempt to reach it. Weaker than hard zoning.
 Zoning is normally combined with LUN masking on the storage array itself.

Database Security
13. Explain database-level security.
 Protects databases from unauthorized access.
 Includes:
1. User authentication (passwords, multi-factor authentication).
2. Data encryption (safeguarding data at rest and in transit).
3. Access control (role-based access, least privilege principle).
*14. Explain different types of database backups.
1. Full Backup – Copies the entire database.
2. Incremental Backup – Copies only changes since the last backup.
3. Differential Backup – Copies changes since the last full backup.
4. Log Backup – Captures database logs for recovery.
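Added example, not from the notes: a small Python simulation of the first three backup kinds against a key/value "database", showing what each backup stores and which backups a restore has to read. The database contents are constructed.

```python
def diff(old: dict, new: dict) -> dict:
    """Changes that turn `old` into `new`; a value of None marks a deletion."""
    changes = {k: v for k, v in new.items() if old.get(k) != v}
    changes.update({k: None for k in old if k not in new})
    return changes


def apply_changes(state: dict, changes: dict) -> dict:
    state = dict(state)
    for k, v in changes.items():
        if v is None:
            state.pop(k, None)
        else:
            state[k] = v
    return state


class BackupSet:
    """A full backup stores the whole state, a differential stores changes
    since the last full, an incremental stores changes since the previous
    backup of any kind."""

    def __init__(self):
        self.backups = []            # [{"kind": ..., "payload": ...}]
        self._last_full = None
        self._last_state = None

    def take(self, kind: str, db: dict) -> int:
        if kind == "full":
            payload = dict(db)
            self._last_full = dict(db)
        elif kind == "differential":
            if self._last_full is None:
                raise ValueError("no full backup to diff against")
            payload = diff(self._last_full, db)
        elif kind == "incremental":
            if self._last_state is None:
                raise ValueError("no previous backup to diff against")
            payload = diff(self._last_state, db)
        else:
            raise ValueError(kind)
        self._last_state = dict(db)
        self.backups.append({"kind": kind, "payload": payload})
        return len(self.backups) - 1

    def restore(self, upto=None):
        """Rebuild the state as of backup `upto` (default: latest). Returns
        (state, indices_read); the length of that chain is the point, since
        every backup in it must exist and be intact for the restore to work."""
        end = len(self.backups) - 1 if upto is None else upto
        full = max(i for i in range(end + 1) if self.backups[i]["kind"] == "full")
        needed = [full]
        last_diff = max((i for i in range(full + 1, end + 1)
                         if self.backups[i]["kind"] == "differential"), default=None)
        if last_diff is not None:
            needed.append(last_diff)        # supersedes everything between full and itself
        start = (last_diff if last_diff is not None else full) + 1
        needed += [i for i in range(start, end + 1) if self.backups[i]["kind"] == "incremental"]
        state = dict(self.backups[full]["payload"])
        for i in needed[1:]:
            state = apply_changes(state, self.backups[i]["payload"])
        return state, needed
```

The trade-off shows up in the payload sizes and the chain lengths: incrementals are smallest but every one since the full is needed, differentials grow over time but a restore reads only the full and the latest differential.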
15. Explain the importance of database backups.
 Protects data from loss or corruption.
 Ensures quick recovery in case of failure.
 Prevents downtime in business operations.
16. Explain Role-Based Access Control (RBAC).
 Access is assigned based on user roles (e.g., Admin, User, Guest).
 Reduces risk by limiting permissions.
 Used in databases, operating systems, and cloud services.


17. Explain object-level security.


 Controls access to specific objects (tables, views, stored procedures).
 Example: Granting SELECT permission only on a specific table.
*18. Explain CHAP and MS-CHAP.
 Challenge Handshake Authentication Protocol (CHAP), RFC 1994:
o Three-way handshake: the authenticator sends a random challenge, the peer answers with MD5(identifier || shared secret || challenge), and the authenticator recomputes the value and compares.
o The secret never crosses the link, and because each challenge is fresh a captured response cannot be replayed; the authenticator may re-challenge at any time during the session.
o Weakness: the server must hold the secret in recoverable form, and a captured challenge/response pair can be brute-forced offline if the secret is weak.
 MS-CHAP (Microsoft CHAP):
o Microsoft's variant for Windows PPP/VPN logons; it works from the Windows NT password hash and derives the keys for MPPE link encryption (it does not encrypt data by itself).
o MS-CHAPv2 adds mutual authentication and supports password changes during authentication.
o Both versions are cryptographically weak (DES-based), so use them only inside a protected tunnel such as PEAP, or prefer EAP-TLS.
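The CHAP handshake above as an added Python example (not from the notes), with the MD5 response function from RFC 1994, a fresh random challenge per attempt, and one-time use of each challenge so a captured response cannot be replayed. The shared secret is constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The server side: holds the shared secret and the challenges it has
    issued; each challenge may be answered exactly once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}            # identifier -> challenge bytes

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)       # fresh and unpredictable per attempt
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def check(self, identifier: int, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # consume it
        if challenge is None:
            return False                 # unknown, or already answered
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def peer_authenticate(server: Authenticator, peer_secret: bytes):
    """One full exchange; returns the wire values so a replay can be attempted."""
    identifier, challenge = server.issue_challenge()                   # Challenge packet
    response = chap_response(identifier, peer_secret, challenge)       # Response packet
    return identifier, response, server.check(identifier, response)    # Success/Failure
```

Note what the server stores: `self.secret` in the clear. That is CHAP's structural weakness and the reason MS-CHAP switched to working from the NT password hash.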
19. Explain SSL and TLS.
 SSL (Secure Sockets Layer): The original protocol for encrypting and authenticating traffic between client and server; every SSL version (2.0, 3.0) is now deprecated because of known weaknesses (e.g., POODLE against SSL 3.0).
 TLS (Transport Layer Security): Successor of SSL. TLS 1.2 and 1.3 are the versions to deploy; 1.3 removes weak ciphers and shortens the handshake. Provides confidentiality, integrity, and server (optionally client) authentication through certificates.
 Uses: HTTPS websites, secure email (SMTPS/IMAPS, STARTTLS), VPNs, and as the transport for many other protocols.
*20. Explain the CA hierarchy and certificate templates and enrollment.
 CA Hierarchy: Root CA → Intermediate CA → End-Entity Certificates.
 Certificate Templates: Predefined certificate settings.
 Enrollment: Process of requesting and receiving a certificate.

Other Security Concepts


21. Write a short note on integrity risks.
 Integrity risks: Unauthorized modification or corruption of data.
 Examples:
1. Tampering attacks (changing bank records).
2. Man-in-the-Middle (MITM) attacks (modifying transmitted data).
22. Explain One-Time Password (OTP) systems.
 OTP: A password valid for a single login session or transaction; capturing it is useless afterwards, which defeats replay and most keyloggers.
 Examples:
1. Time-based OTP (TOTP, RFC 6238) – Google Authenticator and similar apps derive a code from a shared secret and the current 30-second time step.
2. HMAC-based OTP (HOTP, RFC 4226) – The same construction with an event counter instead of time, used by hardware tokens.
3. SMS-based OTP – Bank transactions; convenient but the weakest form, since codes can be intercepted through SIM swapping or SS7 attacks and phished in real time.
*23. Explain Hijacking and Phishing.
 Hijacking: Taking control of a session or system.
 Phishing: Trick users into providing sensitive information via fake emails or
websites.


UNIT III
Secure Network Design
1. *Explain the Cisco Hierarchical Internetworking model.
o Definition: A structured approach to designing scalable and reliable
networks.
o Three Layers:
 Core Layer: High-speed backbone to ensure fast data transport.
 Distribution Layer: Policy-based connectivity, routing, and filtering.
 Access Layer: Connects end devices like computers and phones.
o Diagram: Recommended to illustrate the three-layer model.
2. Explain network availability and security.
o Network Availability: Ensures continuous operation with minimal
downtime.
 Redundancy, load balancing, failover mechanisms.
o Network Security: Protects network infrastructure and data.
 Firewalls, encryption, access controls, intrusion detection.

Network Device Security


3. Write a short note on hubs and switches.
o Hub: Broadcasts data to all connected devices, causing network
congestion.
o Switch: Sends data only to the intended recipient, improving efficiency.
o Key Difference: Switches operate at Layer 2 (Data Link), hubs at Layer 1
(Physical Layer).
4. *Explain the role of hubs and switches in a network.
o Hubs: Simple connectivity devices that repeat every frame to every port, so any connected host can sniff all traffic; low security, found only in legacy systems.
o Switches: Learn MAC addresses and forward frames only to the destination port, which limits casual sniffing and improves throughput; essential for modern networks. They are not a security boundary on their own: MAC flooding and ARP spoofing can still redirect traffic, so pair them with port security, VLANs, and dynamic ARP inspection.
5. Explain different layers of two-tier network fundamentals.
o Access Layer: Connects end devices, handles security policies.
o Core Layer: High-speed backbone, manages inter-network
communication.
6. *Explain role of ICMP, SNMP, and ECHO in network hardening.
o ICMP: Used for diagnostics (ping, traceroute) and error reporting, but also for reconnaissance (host sweeps), redirect attacks, and flood DoS; harden by rate-limiting and filtering unneeded ICMP types at the perimeter rather than blocking it outright, since Path MTU Discovery depends on it.
o SNMP: Monitors and manages network devices; SNMPv1/v2c use cleartext community strings, so change the defaults ("public"/"private"), restrict access to management hosts, or use SNMPv3 with authentication and encryption.
o ECHO: The legacy Echo service (TCP/UDP port 7) returns whatever it receives; it has no modern use and can be abused for amplification and loop DoS attacks, so disable it along with the other "small services" (chargen, discard, daytime).
7. Describe the concepts of Network Hardening.
o Reducing vulnerabilities to minimize security risks.
o Methods: Disabling unnecessary services, using strong authentication,
patching software.


8. *List various techniques for network hardening. Explain any two.


o Techniques:
 Regular updates and patching.
 Firewalls and intrusion detection systems.
 Strong password policies.
 Example 1: Disabling unused ports to prevent unauthorized
access.
 Example 2: Implementing VLANs to segment network traffic.

Firewalls
9. *Explain the features of a firewall.
o Traffic Filtering: Blocks unauthorized access.
o Intrusion Prevention: Detects and blocks attacks.
o Logging & Monitoring: Records network activity.
o Types: Packet-filtering, Stateful Inspection, Next-Gen Firewalls.
10. Explain strengths and weaknesses of a firewall.
 Strengths: Controls access, prevents cyber threats, logs activity.
 Weaknesses: Cannot prevent internal threats, misconfiguration risks.
11. *Write a short note on different generations of firewalls.
 First Gen: Packet-filtering firewalls.
 Second Gen: Stateful inspection firewalls.
 Third Gen: Application layer firewalls.
 Next-Gen: Integrated threat intelligence and deep packet inspection.
12. Write a short note on outbound filtering.
 Prevents unauthorized outbound traffic, reducing malware communication.
 Used to stop data leaks and malicious activities.
13. *Write a short note on DMZ networks.
 Demilitarized Zone (DMZ): A subnet isolating public-facing services from the
internal network.
 Protects sensitive data by restricting external access.


Wireless Network Security


14. *Explain the five different types of wireless attacks.
 Eavesdropping: Intercepting network traffic.
 Rogue Access Points: Unauthorized Wi-Fi devices.
 Man-in-the-Middle (MITM): Intercepting and altering communication.
 Denial-of-Service (DoS): Overloading the network.
 Password Cracking: Breaking Wi-Fi security keys.
15. Explain any two types of wireless attacks.
 Eavesdropping: Attackers listen to unencrypted communications.
 Rogue Access Points: Fake access points used to steal data.
16. *What are the countermeasures against the possible abuse of wireless
LAN?
 Strong encryption and authentication: WPA3, or WPA2-Enterprise with 802.1X/EAP where WPA3 is unavailable, with a strong passphrase for personal mode; never WEP or open networks.
 Segmentation: guest and corporate SSIDs on separate VLANs, with wireless clients treated as an untrusted zone behind a firewall.
 Wireless Intrusion Detection/Prevention (WIDS/WIPS) to spot rogue access points and deauthentication attacks.
 Disabling SSID broadcasting and MAC address filtering: often listed, but of little value, since the SSID and client MAC addresses are visible to any sniffer and trivially spoofed.
 Keep access point firmware patched and keep management interfaces off the wireless side.
17. Explain the importance of antenna choice and positioning.
 Antenna Types: Omnidirectional (broad coverage) vs. Directional (focused
signal).
 Positioning: Central placement for optimal coverage, avoiding interference.
18. *With the help of a diagram, explain the working of the Bluetooth
Protocol Stack.
 Layers:
o Radio Layer (physical transmission).
o Baseband Layer (connection management).
o L2CAP (logical channel management).
o Higher layers (application protocols).
19. What is meant by Wireless Intrusion Detection and Prevention? Explain
its working.
 WIDPS: Detects and blocks unauthorized wireless activity.
 Components: Sensors, Analysis Engine, Response Mechanism.
 Working: Monitors wireless traffic, detects threats, and takes action.
20. *Explain the classification of corporate physical assets.
 Hardware: Servers, routers, laptops.
 Software: Operating systems, applications.
 Data: Confidential information, customer records.
 Infrastructure: Power supply, cooling systems, network cabling.
21. Explain Access Control Lists (ACLs).
 Definition: Rules controlling network traffic based on IP addresses, protocols,
ports.
 Types: Standard ACLs (IP-based), Extended ACLs (protocol/port-based).
 Use Cases: Firewalls, routers, security policies.
22. *Explain the following terms: NAT, PAT.
 NAT (Network Address Translation): A router rewrites private IP addresses in outgoing packets to public ones and reverses the mapping on the reply, hiding the internal addressing scheme from the outside.
 PAT (Port Address Translation): Many internal devices share a single public IP; the router tells their connections apart by assigning each a unique source port and keeping a translation table. Also called NAT overload or NAPT.
23. Explain different types of ICMP messages.
 Echo Request/Reply: Used for ping operations.
 Destination Unreachable: Packet cannot reach the destination.
 Time Exceeded: TTL expired in transit.
 Redirect: Suggests a better route for packet forwarding.
24. What is spread spectrum technique? List the two techniques to spread
the bandwidth.
 Definition: Wireless technique distributing signals over multiple frequencies.
 Types:
o Frequency Hopping Spread Spectrum (FHSS): Rapid frequency
changes.
o Direct Sequence Spread Spectrum (DSSS): Spreading signal over a
wide frequency band.
25. *Explain different forms of wireless attacks.
 Denial of Service (DoS)
 Eavesdropping
 Man-in-the-Middle (MITM)
 Rogue Access Points
 MAC Spoofing

UNIT IV
Intrusion Detection and Prevention Systems
1. *Explain Intrusion Detection System (IDS) types and detection models.
o Definition: An IDS monitors network or system activity for signs of malicious behavior or policy violations and raises alerts; unlike an IPS it does not block traffic.
o Types:
 Network-based IDS (NIDS): Inspects traffic from a mirror port or tap across a network segment.
 Host-based IDS (HIDS): Installed on individual devices; watches logs, processes, and file integrity.
o Detection Models:
 Signature-based: Matches known attack patterns; precise, but blind to new or obfuscated attacks.
 Anomaly-based: Learns a baseline of normal behavior and flags deviations; catches novel attacks at the cost of false positives.
 Hybrid: Combines both for better coverage and accuracy.
o Preventive Measures: Keep signatures updated, tune the baseline, integrate alerts with a SIEM, and protect the IDS management channel.
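Added example, not from the notes, that runs both detection models over constructed web-server access-log lines in Python: a signature matcher for path traversal and SQL injection probes (with URL decoding first, since encoded payloads otherwise slip past), and a request-rate anomaly detector trained on a quiet window. Log lines, addresses and thresholds are all constructed.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Combined-format access log line, constructed for this example.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|/etc/passwd"),
    "sqli-probe": re.compile(r"(?i)union\s+select|'\s*or\s+'1'\s*=\s*'1"),
}


def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines, normalise: bool = True):
    """Signature-based detection: known bad patterns. Decoding the URL first
    matters; otherwise %2e%2e/ slips past a rule written for '../'."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = unquote(rec["path"]) if normalise else rec["path"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((rec["src"], name))
    return alerts


def learn_baseline(training_lines):
    """Anomaly-based detection, training phase: requests per source over a
    period believed to be clean."""
    counts = Counter(r["src"] for r in map(parse, training_lines) if r)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, baseline, k: float = 3.0):
    """Flag sources whose request count exceeds mean + k * stdev. Finds the
    scanner no signature names, at the price of false positives for any
    legitimately busy client."""
    mean, sd = baseline
    counts = Counter(r["src"] for r in map(parse, lines) if r)
    return [(src, n) for src, n in counts.items() if n > mean + k * sd]


def log_line(src: str, path: str, status: int = 200) -> str:
    return f'{src} - - [01/Mar/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed data: a quiet training window, then a window with three attackers.
TRAINING = [log_line(f"192.0.2.{i}", "/index.html")
            for i, n in enumerate((3, 4, 5, 4, 4), start=1) for _ in range(n)]
WINDOW = (
    [log_line("198.51.100.23", "/index.html"),
     log_line("198.51.100.23", "/cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/%70asswd", 404),
     log_line("203.0.113.8", "/login?user=a'%20OR%20'1'='1")]
    + [log_line("192.0.2.77", f"/page{i}.html", 404) for i in range(30)]   # noisy scanner
    + [log_line("192.0.2.3", "/index.html") for _ in range(4)]             # ordinary user
)
```

The two detectors find different attackers: the signatures catch the two crafted requests and say nothing about the scanner, the rate model catches the scanner and says nothing about the crafted requests. That is the argument for the hybrid model in the question.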
2. *Write a short note on Security Information and Event Management
(SIEM).
o Definition: A platform that collects logs and events from across the environment into one place for real-time security monitoring and management.
o Features:
 Log collection, normalization, retention, and correlation across sources
 Real-time analysis of and alerting on security events
 Dashboards, reporting, and incident response automation
o Examples: Splunk, IBM QRadar, ArcSight.
o Preventive Measures: Regular rule tuning to reduce false positives, synchronized clocks on all log sources, integration with IDS/IPS and endpoint tools.
3. List and explain steps to a successful IPS Deployment plan.
o Definition: IPS (Intrusion Prevention System) actively blocks threats.
o Deployment Steps:
 Assess security needs and risks.
 Choose the right IPS type (Network/Host-based).
 Configure policies and rules.
 Conduct testing and fine-tuning.
 Implement continuous monitoring and updates.
4. *Explain different types of IDS Generation.
o Definition: IDS products have evolved from passive alerting tools into active systems that can respond on their own.
o Types:
 Detection-based (Passive IDS): Monitors traffic or hosts and alerts administrators without taking action; never blocks legitimate traffic by mistake.
 Prevention-based (Active IDS, i.e., an IPS): Sits inline and responds automatically by dropping packets, resetting connections, or blocking addresses; here a false positive causes an outage.
o Preventive Measures: Regular updates, AI-driven analytics, careful tuning in passive mode before enabling automatic responses.

Voice over IP (VoIP) and PBX Security

5. *What are the components of Voice Over IP (VoIP)? Explain.


o Definition: VoIP transmits voice over IP networks.
o Components:
 VoIP Gateway: Converts analog voice to digital packets.
 IP Phones: Hardware/software-based phones.
 SIP Server: Manages call setup and termination.
o Preventive Measures: Secure VoIP protocols, encryption, firewalls.

6. *Write a short note on Private Branch Exchange (PBX) and its security
measures.
o Definition: A private telephone network for internal and external
communication.
o Features: Call forwarding, voicemail, conferencing.
o Common Attacks: Eavesdropping, Toll Fraud, Denial of Service (DoS).
o Security Measures: Strong authentication, encryption, firewall
configurations.


7. Write a note on the H.323 protocol.
o Definition: An ITU-T umbrella standard for multimedia (audio, video, data) communication over packet networks and one of the original VoIP signaling standards.
o Governing Standard: ITU-T H.323, which references H.225 for call signaling, H.245 for control, and RTP for media.
o Purpose: Defines how endpoints, gatekeepers, and gateways set up, manage, and tear down calls.
o Known Vulnerabilities: Historic buffer overflows in the parsing of H.225/H.245 messages, signaling attacks such as call hijacking and DoS, and its use of many dynamic ports, which makes firewalling awkward.
o Recommendations: Use the H.235 security extensions, or migrate to SIP over TLS with SRTP for media; in either case encrypt signaling, patch endpoints, and keep VoIP on its own VLAN.

Operating System Security Models

8. Explain different classic security models.


o Definition: Security models define how access is granted in systems.
o Types:
 Bell-LaPadula Model: Enforces confidentiality with access control.
 Biba Model: Prevents data integrity violations.
 Clark-Wilson Model: Ensures data consistency through well-
formed transactions.
o Preventive Measures: Policy-based access control, audits.
9. *Explain the working of Biba and Clark Wilson Security Models.
o Biba Model: Protects data integrity by restricting unauthorized
modifications.
o Clark-Wilson Model: Uses well-formed transactions and separation of
duties to enforce security.
o Preventive Measures: Role-based access control, integrity monitoring.
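Added Python example (not from the notes) of the three models as access-decision code: Bell-LaPadula and Biba as level comparisons over a four-level lattice, and Clark-Wilson as a ledger whose balances can only be changed through a certified transaction, checked by an integrity verification procedure and gated by access triples. Levels, accounts and user names are constructed.

```python
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def blp_allows(subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula, confidentiality: a subject may not read above its
    clearance (simple security property) nor write below it (*-property),
    so secret data cannot flow into a public file."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba, integrity: the dual of BLP. No read down (simple integrity) and
    no write up (*-integrity), so low-integrity input cannot contaminate
    high-integrity data."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


class ClarkWilsonLedger:
    """Clark-Wilson: constrained data items (account balances) change only
    through certified transformation procedures (TPs); every run is checked
    by an integrity verification procedure (IVP); access triples
    (user, TP, CDI) implement separation of duty; every run is logged."""

    def __init__(self):
        self.cdi = {"acct_a": 100, "acct_b": 50}
        self._total = sum(self.cdi.values())   # invariant the IVP checks
        self.tps = {"transfer": self._transfer}
        self.triples = {("teller", "transfer", "acct_a"), ("teller", "transfer", "acct_b")}
        self.log = []

    def _ivp(self) -> bool:
        return all(v >= 0 for v in self.cdi.values()) and sum(self.cdi.values()) == self._total

    def _transfer(self, src: str, dst: str, amount: int) -> None:
        self.cdi[src] -= amount
        self.cdi[dst] += amount

    def run(self, user: str, tp: str, src: str, dst: str, amount: int) -> bool:
        """Execute a TP on behalf of a user; roll back if the IVP fails."""
        if tp not in self.tps:
            return False                                  # uncertified procedure
        if not {(user, tp, src), (user, tp, dst)} <= self.triples:
            return False                                  # no access triple
        snapshot = dict(self.cdi)
        self.tps[tp](src, dst, amount)
        ok = self._ivp()
        if not ok:
            self.cdi = snapshot
        self.log.append((user, tp, (src, dst, amount), ok))  # audit trail
        return ok
```

Read the two lattice functions side by side: each Biba rule is the BLP rule with the comparison reversed, which is why a system that needs both confidentiality and integrity usually carries two separate labels.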
10. *What is the reference monitor concept? Explain Windows Security
Reference Monitor.
 Definition: An abstract machine that mediates every access by a subject to an object according to the security policy; its implementation (the security kernel) must be tamper-proof, always invoked, and small enough to be verified.
 Windows Security Reference Monitor (SRM):
o Kernel-mode component of the Windows executive that implements the reference monitor.
o Checks each access request by comparing the subject's access token (user SID, group SIDs, privileges) against the object's security descriptor (DACL), and generates audit records according to the SACL.
 Preventive Measures: Regular security patching, privilege minimization, auditing enabled on sensitive objects.


11. Write a short note on Microsoft's Trustworthy Computing initiative.
 Definition: A Microsoft initiative launched in 2002, following Bill Gates' company-wide memo, to make its products secure and reliable by design.
 Key Areas: Security, privacy, reliability, and business integrity.
 Impact: Produced the Security Development Lifecycle (SDL), with threat modeling, code review, and security testing built into the software development process.
12. *Explain how Mandatory Access Control Lists (MACL) differ from
Discretionary Access Control Lists (DACLs).
 Mandatory access control (MACL):
o Access decisions are made by the system from security labels on subjects and objects; owners cannot override them.
o Used in government/military systems (Bell-LaPadula style) and, in a limited form, by Windows Mandatory Integrity Control and SELinux.
 DACL:
o The object's owner decides who gets which permissions, so any user can grant access to anyone.
o Common in commercial OSes (Windows NTFS DACLs, Unix file modes).
 Preventive Measures: Combine both: mandatory labels set the outer bounds, discretionary ACLs refine access within them.

Network Security and Attacks

13. *Explain main problems of TCP/IP's lack of security.
 Definition: TCP/IP was designed for a cooperative research network and has no built-in security features.
 Problems:
o No encryption: payloads travel in clear and can be sniffed.
o Weak source verification: IP and TCP headers are easily spoofed; sequence-number prediction and session hijacking follow from that.
o No authentication of endpoints or of supporting protocols (ARP, DNS, BGP), so man-in-the-middle attacks are possible.
 Preventive Measures: Use VPNs, TLS, IPsec, DNSSEC, and filtering of spoofed addresses at network borders.
14. *Explain Network Protocol Attacks.
 Definition: Attacks exploiting weaknesses in network protocols.
 Types:
o DoS/DDoS: Overloads resources.
o ARP Spoofing: Redirects network traffic.
 Preventive Measures: Firewalls, Intrusion Prevention Systems (IPS).
15. Write a short note on Access Control List (ACL).
 Definition: A security rule set controlling network access.
 Types:
o Standard ACL: Filters based on IP.
o Extended ACL: Filters based on multiple factors (IP, port, protocol).
 Preventive Measures: Regular review, logging, minimal privilege rules.
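Added example, not from the notes: a Python evaluator for standard and extended ACLs with first-match semantics and the implicit deny, run over constructed rules protecting a DMZ web server (documentation address ranges). It serves both this question and Q21 in Unit III.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" (any), "tcp", "udp", "icmp"
    src: str                         # source network, CIDR
    dst: str                         # destination network, CIDR
    dst_port: Optional[int] = None   # None = any port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Top-down, first match wins; a packet matching no rule hits the
    implicit 'deny any' at the end, as on Cisco IOS. Returns (action, index)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# A standard ACL looks only at the source address: modelled as protocol "ip"
# with destination 0.0.0.0/0.
STANDARD_ACL = [
    Rule("permit", "ip", "10.10.0.0/16", "0.0.0.0/0"),
]

# Extended ACL applied inbound on the internet-facing interface in front of a
# DMZ web server at 203.0.113.10 (constructed; documentation addresses).
DMZ_INBOUND = [
    Rule("deny",   "ip",  "10.0.0.0/8",      "0.0.0.0/0"),            # anti-spoofing
    Rule("permit", "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443),
    Rule("permit", "tcp", "0.0.0.0/0",       "203.0.113.10/32", 80),
    Rule("permit", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22),  # admin hosts only
    # implicit: deny ip any any
]
```

Rule order is part of the policy: moving the anti-spoofing deny below the web permits lets a packet with a forged internal source through on port 443, which is the classic ACL review finding.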


UNIT V
Virtual Machines and Cloud Computing
1. *Define Virtual Machine and Explain Hypervisor Management
o Definition: A Virtual Machine (VM) is a software-based emulation of a
physical computer.
o Hypervisor Management:
 A hypervisor is responsible for managing guest OS installations on
a VM server.
 It allocates resources (CPU, RAM, Storage) dynamically.
 Types: Type-1 (Bare-metal) and Type-2 (Hosted).
 Ensures isolation between VMs.
2. *What is Cloud Computing? Explain Types of Cloud Services
o Definition: Cloud computing enables on-demand access to computing
resources over the internet.
o Types of Cloud Services:
 IaaS (Infrastructure as a Service) - Provides virtualized computing
resources.
 PaaS (Platform as a Service) - Offers development platforms and
environments.
 SaaS (Software as a Service) - Delivers applications over the
internet.
3. Explain How to Protect Guest OS, Virtual Storage, and Virtual Networks
in Virtual Machines
o Guest OS:
 Apply regular security patches.
 Use strong authentication and access control.
o Virtual Storage:
 Encrypt stored data.
 Implement access control policies.
o Virtual Networks:
 Use firewalls and network segmentation.
 Monitor traffic for anomalies.
4. *What is a Hypervisor? How to Protect It?
o Definition: A hypervisor is a software layer that enables virtualization.
o Protection Measures:
 Secure boot mechanisms.
 Regular updates and patches.
 Restricted administrative access.


Secure Application Design


5. *Explain Secure Development Lifecycle (SDL) in Agile (with Diagram)
o Phases:
 Planning and Requirements
 Design and Threat Modeling
 Secure Coding and Code Review
 Security Testing
 Deployment and Monitoring
o Diagram Required: Illustrate iterative security integration.
6. Explain Various Application Security Practices
o Input validation and parameterized queries to prevent SQL Injection.
o Secure authentication mechanisms (MFA, OAuth/OpenID Connect through standard libraries; no home-grown schemes).
o Regular vulnerability assessments, dependency scanning, and penetration testing.
o Code obfuscation: slows reverse engineering of client-side code but is not a security control; never rely on it to protect secrets.
7. *Explain Concerns for Web Application Security
o Common Threats:
 SQL Injection
 Cross-Site Scripting (XSS)
 Session Hijacking
o Mitigation Strategies:
 Input validation plus parameterized queries (SQLi) and context-aware output encoding (XSS)
 HTTPS everywhere and secure headers (HSTS, Content-Security-Policy)
 Proper session management: random session IDs, Secure and HttpOnly cookies, ID regeneration on login, short timeouts
8. Explain Client Application Security Issues and Resolution Methods
o Issues:
 Data leakage
 Weak authentication
 Insufficient encryption
o Resolutions:
 Strong encryption algorithms
 Secure storage techniques
 Enforcing least privilege principle

9. *Explain the Reasons for Remote Administration Security, Its
Advantages, and Disadvantages
o Reasons:
 Remote administration channels (SSH, RDP, web consoles) give full control of a system, so they are prime targets and must be authenticated, encrypted, and restricted to known sources.
 Secure sensitive operations performed remotely.
o Advantages:
 Remote troubleshooting without physical presence.
 Faster response time.
o Disadvantages:
 Potential risk of breaches if poorly configured (exposed ports, weak credentials, unpatched services).
 Dependence on network availability.



10. Write a Note on Custom Remote Administration
o Tailored solutions for specific business needs.
o Enhanced security measures over generic tools.
o Allows integration with existing infrastructure.

Physical Security
11. *Explain Classification of Corporate Physical Assets
o Types:
 Tangible (Computers, Servers, Office Equipment)
 Intangible (Data, Intellectual Property)
 Human Resources
o Security Measures:
 Surveillance systems
 Controlled access zones
12. *Explain Locks and Entry Controls for Securing Assets
o Types of Locks:
 Mechanical locks (Deadbolts, Padlocks)
 Electronic locks (RFID, Biometric locks)
o Entry Controls:
 Smart card access
 Two-factor authentication for high-security areas
13. Explain Criteria for Choosing Site Location for Security
o Factors to Consider:
 Geographical stability (away from flood zones, earthquakes, etc.)
 Proximity to law enforcement and emergency services
 Access control feasibility
 Surveillance coverage potential
 Environmental risks assessment


Securing Assets
14. *Explain Factors for Securing Assets with Physical Security Devices
o Perimeter Security: Fences, Gates, Security Guards
o Surveillance: CCTV Cameras, Motion Sensors
o Alarm Systems: Intrusion detection and real-time alerts
15. *Explain Various Application Patching Mechanisms and Importance
o Importance:
 Fixes security vulnerabilities.
 Enhances software functionality.
o Mechanisms:
 Automatic Updates
 Manual Patching
 Rolling Updates (zero downtime)
16. *Give the Benefits of Cloud Computing Security Services
o Benefits:
 Scalable security solutions.
 Centralized threat monitoring.
 Data encryption and secure backups.
17. *Explain General Types of Attacks in Web Applications
o Types:
 Injection Attacks (SQL, Command Injection)
 Cross-Site Scripting (XSS)
 Cross-Site Request Forgery (CSRF)
 Distributed Denial of Service (DDoS)
o Mitigation:
 Secure coding practices
 Web Application Firewalls (WAF)
 Regular security audits
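Added Python example (not from the notes) for the injection and XSS items in this question and in Q7 (Secure Application Design): the vulnerable query built by string concatenation next to its parameterized form, run against a constructed SQLite table, and the same pair for a comment rendered into HTML. User names and hashes are placeholders.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"),
                      ("bob", "hash-b", "user"),
                      ("carol", "hash-c", "user")])
    return conn


def find_user_vulnerable(conn, username: str):
    # The attacker's text is pasted into the statement and becomes SQL syntax.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str):
    # Parameterized: the value travels separately from the statement and can
    # only ever be compared as data, never parsed as SQL.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    # Reflected into HTML as-is: a <script> in the comment runs in every viewer's browser.
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Output encoding for the HTML text context: the browser shows the tag text
    # instead of executing it. Attribute and JavaScript contexts need their own encoders.
    return f"<p class='comment'>{html.escape(comment)}</p>"
```

The UNION payload in the test is the one to remember: with concatenation the attacker chooses which columns come back, so a lookup that should return a role returns every password hash in the table.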
18. *Explain Two Confidentiality Risks in Cloud Computing and Their
Remediation
o Risks:
 Data Breaches: Encrypt data at rest and in transit.
 Unauthorized Access: Implement strong identity management.
