MAHARASHTRA STATE BOARD OF TECHNICAL EDUCATION (Autonomous) (ISO/IEC - 27001 - 2005 Certified)
Winter – 14 EXAMINATION
Model Answer
Subject Code: 17514
Page 1/ 26

Important Instructions to examiners:
1) The answers should be examined by key words and not word-to-word as given in the model answer scheme.
2) The model answer and the answer written by the candidate may vary, but the examiner may try to assess the understanding level of the candidate.
3) Language errors such as grammatical and spelling errors should not be given more importance (not applicable for the subject English and Communication Skills).
4) While assessing figures, the examiner may give credit for principal components indicated in the figure. The figures drawn by the candidate and the model answer may vary. The examiner may give credit for any equivalent figure drawn.
5) Credits may be given step-wise for numerical problems. In some cases the assumed constant values may vary, and there may be some difference between the candidate's answers and the model answer.
6) In case of some questions, credit may be given by judgement on the part of the examiner for a relevant answer based on the candidate's understanding.
7) For programming language papers, credit may be given to any other program based on an equivalent concept.

Q.1. a) Attempt any Three of the following:

i. Describe the need for computer security. (1 Mark for this statement; 1 Mark each for explanation of the following points, example optional)

The need for computer security has been threefold: confidentiality, integrity, and availability, the "CIA" of security.

1. Confidentiality: the principle of confidentiality specifies that only the sender and the intended recipients should be able to access the contents of a message. Confidentiality gets compromised if an unauthorized person is able to access the contents of a message. An example of compromising the confidentiality of a message is shown in the figure.

Fig.: Loss of confidentiality (A sends a secret message to B; C gets access to it)

Here, the user of computer A sends a message to the user of computer B. Another user, C, gets access to this message, which is not desired and therefore defeats the purpose of confidentiality. This type of attack is also called interception.

2. Authentication: Authentication helps to establish proof of identities. The authentication process ensures that the origin of a message is correctly identified.
For example, suppose that user C sends a message over the internet to user B. However, the trouble is that user C has posed as user A when sending the message to user B. How would user B know that the message has come from user C, who is posing as user A? This concept is shown in the figure below. This type of attack is called fabrication.

Fig.: Absence of authentication (C sends "I am user A" to B)

3. Integrity: when the contents of the message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost. For example, here user C tampers with a message originally sent by user A, which is actually destined for user B. User C somehow manages to access it, change its contents and send the changed message to user B. User B has no way of knowing that the contents of the message were changed after user A had sent it. User A also does not know about this change. This type of attack is called modification.

Fig.: Loss of integrity (ideal route of the message: A to B; actual route: A to C to B)

ii. Explain any four of the password selection strategies. (4 marks for 4 points)

The major security problems arise because users do not follow established security policies. A user always chooses a password that is easy to remember, but easy passwords are easy for an attacker to crack, and when a user chooses a difficult password it is in turn difficult to remember. To make the attacker's job difficult, organizations encourage their users to use a mixture of upper-case and lower-case characters and also to include numbers and special symbols in their passwords. This makes guessing the password difficult. Organizations also include additional policies and rules related to password selection. In an organization, users may be required to change their passwords frequently.

Passwords should not be written down on paper or kept in a purse or wallet, because if an attacker gets physical access they will find the user's password somewhere in a drawer or desk, or inside a desk calendar.
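The character-mixture rules above can be enforced at the moment the user selects a password. The following Python checker is an added example, not part of the model answer; the minimum length of 8, the small guessable-password list and the user-name check are assumptions made for illustration.

```python
import re

# Assumptions for this example: the minimum length and the small list of
# guessable passwords are placeholders, not values from the model answer.
MIN_LENGTH = 8
GUESSABLE = {"password", "welcome", "letmein", "qwerty", "admin123"}

# The character-mixture rules from the answer: upper case, lower case,
# numbers and special symbols.
RULES = [
    ("needs an upper-case letter", re.compile(r"[A-Z]")),
    ("needs a lower-case letter", re.compile(r"[a-z]")),
    ("needs a number", re.compile(r"[0-9]")),
    ("needs a special symbol", re.compile(r"[^A-Za-z0-9]")),
]


def check_password(candidate, username=""):
    """Proactive check at selection time: return the list of reasons the
    candidate is rejected. An empty list means the password is allowable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for reason, pattern in RULES:
        if not pattern.search(candidate):
            reasons.append(reason)
    # Guessable words are matched case-insensitively, and also with any
    # trailing digits or symbols stripped, so "Welcome@2014" is still caught.
    stem = re.sub(r"[^A-Za-z]+$", "", candidate).lower()
    if candidate.lower() in GUESSABLE or stem in GUESSABLE:
        reasons.append("appears in the guessable-password list")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the user name")
    return reasons


def is_allowable(candidate, username=""):
    """True when the proactive checker accepts the password."""
    return not check_password(candidate, username)
```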
Many users have many accounts and passwords to remember. Selecting a different password for each account, while following the guidelines mentioned above for character selection and frequency of change, aggravates the problem of remembering passwords. The result is that users frequently use the same password for all accounts. If a user does this, then once one account is broken, all other accounts are subsequently under threat. Good password selection and protection applies to the electronic world as well.

OR

There are four basic techniques to reduce guessable passwords:
a) User education: Tell users the importance of hard-to-guess passwords and provide guidelines for selecting a strong password.
b) Computer-generated passwords: Computer-generated passwords are random in nature, so they are difficult for the user to remember and may be noted down somewhere.
c) Reactive password checking: the system periodically runs its own password cracker program to find guessable passwords. If the system finds any such password, it cancels it and notifies the user.
d) Proactive password checking: This is the most promising approach to improving password security. In this scheme, a user is allowed to select his own password; if the password is allowable it is accepted, otherwise it is rejected.

iii. Define the following terms: (1 Mark each) 1. Cryptography 2. Cryptanalysis 3. Plain text 4. Cipher text.

1. Cryptography: Cryptography is the art and science of achieving security by encoding messages to make them non-readable.
2. Cryptanalysis: Cryptanalysis is the technique of decoding messages from a non-readable format without knowing how they were initially converted from the readable format to the non-readable format.
3. Plain text: Plain text or clear text signifies a message that can be understood by the sender, the recipient and also by anyone else who gets access to that message.
4. Cipher text: When a plain text message is codified using any suitable scheme, the resulting message is called cipher text.

iv. Describe SYN flooding attack with diagram. (1 mark for diagram, 3 marks for explanation)

Denial of service (DOS) attacks can exploit a known vulnerability in a specific application or operating system, or they may attack features (or weaknesses) in specific protocols or services. In this form of attack, the attacker is attempting to deny authorized users access either to specific information or to the computer system or network itself. The purpose of such an attack can be simply to prevent access to the target system, or the attack can be used in conjunction with other actions in order to gain unauthorized access to a computer or network. SYN flooding is an example of a DOS attack that takes advantage of the way TCP/IP networks were designed to function, and it can be used to illustrate the basic principles of any DOS attack.

SYN flooding utilizes the TCP three-way handshake that is used to establish a connection between two systems. In a SYN flooding attack, the attacker sends fake connection requests to the targeted system. Each of these requests is answered by the target system, which then waits for the third part of the handshake. Since the requests are fake, the target waits for responses that will never come, as shown in the figure. The target system drops these connections after a specific time-out period, but if the attacker sends requests faster than the time-out period eliminates them, the system will quickly be filled with requests. The number of connections a system can support is finite, so when more requests come in than can be processed, the system will soon be reserving all its connections for fake requests. At this point, any further requests are simply dropped (ignored), and legitimate users who want to connect to the target system will not be able to. Use of the system has thus been denied to them.

Following are types of DOS:
1. POD (ping-of-death)
2. DDOS (Distributed Denial of Service attack)

b) Attempt any one of the following:

i. Define the term virus and describe the different phases of virus. (2 marks for the term virus, 1 mark for each phase)

A virus is a program which attaches itself to another program and causes damage to the computer system or the network. It is loaded onto your computer without your knowledge and runs against your wishes. During its lifecycle a virus goes through the following four phases:
1. Dormant phase: The virus is idle and is activated by some event.
2. Propagation phase: It places an identical copy of itself into other programs or into certain system areas on the disk.
3. Triggering phase: The virus is activated to perform the function for which it was intended.
4. Execution phase: The function of the virus is performed.
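For the SYN flooding mechanism described in Q.1 a) iv above, the following Python model is an added example, not part of the model answer: it replays SYN arrivals against a bounded table of half-open connections with a time-out, states the "faster than the time-out eliminates them" condition in numbers, and counts SYN_RECV entries in netstat-style lines to flag a possible flood. The capacity, time-out, threshold and the sample lines are constructed assumptions.

```python
from collections import Counter


def half_open_table(capacity, timeout, syn_times):
    """Replay SYN arrival times (seconds) against a table holding at most
    `capacity` half-open entries, each expiring `timeout` seconds after it
    was created. Returns (accepted, dropped)."""
    table = []  # arrival times of the half-open entries still waiting
    accepted = dropped = 0
    for t in sorted(syn_times):
        # the time-out eliminates entries that have waited long enough
        table = [a for a in table if t - a < timeout]
        if len(table) < capacity:
            table.append(t)
            accepted += 1
        else:
            dropped += 1  # table full: the request is simply ignored
    return accepted, dropped


def flood_wins(capacity, timeout, syn_rate):
    """The model answer's condition in numbers: requests arrive faster than
    the time-out removes them when rate * timeout exceeds the capacity."""
    return syn_rate * timeout > capacity


# Constructed netstat-style sample lines (assumed format, not real output).
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:51515 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:40004 SYN_RECV
"""


def syn_recv_report(netstat_text, threshold):
    """Count half-open (SYN_RECV) connections per remote address and raise an
    alert when the total exceeds `threshold`."""
    per_source = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "SYN_RECV":
            per_source[fields[4].rsplit(":", 1)[0]] += 1
    total = sum(per_source.values())
    return {"total": total, "per_source": dict(per_source),
            "alert": total > threshold}
```

With a table of 3 entries and a 10 second time-out, seven SYNs at seconds 0, 1, 2, 3, 4, 11 and 12 give 5 accepted and 2 dropped: the requests at seconds 3 and 4 arrive while the table is still full of unanswered ones.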