COMP4121E1-21
The University of Nottingham
SCHOOL OF COMPUTER SCIENCE
A LEVEL 4 MODULE, AUTUMN SEMESTER 2021–2022
Cyber Security
Submit answers before DATE/TIME indicated in the Moodle dropbox.
Open-book examination.
Answer all FOUR questions
Suggested time to complete the examination ~ ONE hour.
This open-book examination will be marked out of 100.
You may write your answers by hand, and photograph or scan your answers, or type in your answers in an electronic document. Ensure that all images are clearly readable, and in the correct order as a single document not exceeding 100 megabytes.
Submit your answers containing all the work you wish to have marked as a single PDF file, with each page in the correct orientation, to the appropriate dropbox on the module’s Moodle page.
Use the standard naming convention for your document: [Student ID] [Module Code]. Write your student ID number at the top-right of each page of your answers. Do not include your name.
Although you may use any notes or resources you wish to help you complete this open-book examination, the academic misconduct policy that applies to your coursework also applies here. You must be careful to avoid plagiarism, collusion or false authorship. Please familiarise yourself with the Faculty of Science Statement on Academic Integrity. This statement refers to, and does not replace, the University policy which stipulates severe penalties for academic misconduct. Please check the box indicated on Moodle to confirm that you have read this statement and that you understand it. Strictly no communication with other students between the time of opening this file and submitting your answers.
Staff are not permitted to answer assessment or teaching queries during the period in which your open-book examination is live. If you spot what you think may be an error on the exam paper, note this in your submission but answer the question as written.
Question 1 Access Control and Authentication.
Take a scenario where an employee of a company is trying to access a file on a shared server.
[overall 25 marks]
a) Explain the difference between authentication and authorisation. Use the aforementioned scenario in your explanation. [9 marks]
b) Assume that the employee is a manager in the sales department. As such he has the salesperson role and the manager role. Consider the following access rights for the roles:
Resource              Role              Access rights
technical documents   production        read, modify
technical documents   manager           read, delete
technical documents   salesperson       read
employee records      human resources   read, modify, delete
employee records      manager           read, modify
client records        manager           read
client records        salesperson       read, modify, delete
financial data        manager           read, delete
financial data        salesperson       modify, delete
For which resources does the employee in question have read, modify and delete access?
[7 marks]
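As an added worked example (this is not part of the exam paper), the following Python resolves a multi-role user's effective rights from the Question 1b table the way an RBAC policy engine would: per resource, the union of what each held role grants. It also includes a separation-of-duties check that flags resources where a right set becomes reachable only because two roles are held together, which is the review a security engineer would run before approving such a role assignment. Resource, role and right names are transcribed from the question; the data layout and function names are this example's own assumptions.

```python
# Added example, not part of the exam paper: resolving a user's effective
# rights under role-based access control (RBAC) from the Question 1b table.
# A user who holds several roles gets the UNION of the rights each role grants
# on a resource; a role with no row for a resource contributes nothing.
# Resource, role and right names are transcribed from the question; the data
# layout and function names are assumptions made for this example.
from typing import Dict, FrozenSet, Iterable, List, Set

# resource -> role -> rights (transcribed from the Question 1b table)
ROLE_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "technical documents": {
        "production": {"read", "modify"},
        "manager": {"read", "delete"},
        "salesperson": {"read"},
    },
    "employee records": {
        "human resources": {"read", "modify", "delete"},
        "manager": {"read", "modify"},
    },
    "client records": {
        "manager": {"read"},
        "salesperson": {"read", "modify", "delete"},
    },
    "financial data": {
        "manager": {"read", "delete"},
        "salesperson": {"modify", "delete"},
    },
}


def effective_rights(
    roles: Iterable[str], table: Dict[str, Dict[str, Set[str]]] = ROLE_RIGHTS
) -> Dict[str, FrozenSet[str]]:
    """Per resource, the union of the rights granted to any of the user's roles."""
    held = set(roles)
    result: Dict[str, FrozenSet[str]] = {}
    for resource, by_role in table.items():
        rights: Set[str] = set()
        for role in held:
            rights |= by_role.get(role, set())  # absent role -> no rights here
        result[resource] = frozenset(rights)
    return result


def resources_with_all(
    roles: Iterable[str], required: Iterable[str], table=ROLE_RIGHTS
) -> List[str]:
    """Resources on which the user's combined roles grant every right in `required`."""
    needed = frozenset(required)
    return sorted(
        res for res, rights in effective_rights(roles, table).items() if needed <= rights
    )


def granted_only_by_combination(
    roles: Iterable[str], required: Iterable[str], table=ROLE_RIGHTS
) -> List[str]:
    """Resources where `required` is reachable only because the roles are held
    TOGETHER: no single one of the user's roles grants the full set on its own.
    This is the separation-of-duties check to run before approving a
    multi-role assignment."""
    held = set(roles)
    combined = set(resources_with_all(held, required, table))
    alone: Set[str] = set()
    for role in held:
        alone |= set(resources_with_all({role}, required, table))
    return sorted(combined - alone)


if __name__ == "__main__":
    user_roles = {"salesperson", "manager"}  # the manager in sales from the question
    for resource, rights in effective_rights(user_roles).items():
        print(f"{resource:20s} {sorted(rights)}")
    full = {"read", "modify", "delete"}
    print("read+modify+delete on:", resources_with_all(user_roles, full))
    print("only via role combination:", granted_only_by_combination(user_roles, full))
```

Running the block prints the per-resource union for the sales manager and then the two derived lists. The combination-only list is the one worth acting on in a review: it names a resource on which neither role alone is meant to have full control, which is exactly the accumulation that tight role design (or a mutual-exclusion constraint between the two roles) is there to prevent.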
c) The owner of the company is frustrated with some people not being able to access specific resources outside of their area. He says that he trusts all his employees (it’s a fairly small company), so there is no reason to have strict access control. Do you (as a cyber security expert) agree or disagree? Explain why.
[9 marks]
Question 2 Networks and Protocols.
This question is about a typical HTTPS connection with only server-side authentication.
[overall 25 marks]
a) What important pieces of information are on a certificate, and what is the reason for them?
[10 marks]
b) You set up devices on your local network. An in-house developed system is running on the devices, and the devices communicate security-critical data via HTTP to each other. You want to use HTTPS securely instead. You do not want to rely on a public key infrastructure. What information do you need to store on the devices to allow you to do this?
[7 marks]
c) Your boss does not want to alter the in-house system to allow for communication via HTTPS, because the network used by the company is using port-based access control. Do you agree with your boss? Explain your position.
[8 marks]
Question 3 Cyber Threat Intelligence and Cyber Kill Chains.
[overall 29 marks]
a) What are the differences between operational threat intelligence and tactical threat intelligence? Use examples to explain your answer.
[8 marks]
b) Consider the following scenario:
“Alex Hacker has been hired to acquire details of a new solar power solution under development at Nottingham-based Advanced Power Technology (APT). Alex has developed a malware exploit that will crawl the company’s network in search of relevant design files and exfiltrate them via an encrypted channel. However, he needs a means of getting the exploit launched within the network, and so has been looking on the APT’s website and social media channels in order to understand how the organisation is structured and who might be a suitable person to ‘help’ him gain access. He identifies Bob Staffer, a member of the payroll team, and sends him an email. The email claims to be from Samantha Secure, APT’s Chief Information Security Officer, and advises that all recipients of the email should urgently use the link within it to install a critical security patch that will protect systems from an expected attack. Keen to do what the security team expects of him, Bob obediently follows the link to download and install the update and then goes off for a coffee, feeling pleased that he’s helped to keep APT safer from attack. Of course, what Bob has actually done is to open a route into the system for Alex, who is now able to gain further access and install the intended malware. Over the next few weeks, he periodically uses the malware to download the latest updates to the new solar design, which ultimately leaves APT without the competitive advantage that it was expecting to achieve. Samantha and Bob both lose their jobs as the company struggles. Alex moves on to a new target.”
i) Reframe the key events in this scenario in the context of the Cyber Kill Chain, noting that some stages may be represented more definitively than others, and some stages may be omitted in the context of the description.
[14 marks]
ii) For the stages that you have identified, recommend the steps that APT could consider in order to combat the activities that Alex was able to undertake.
[7 marks]
Question 4 Security Management and Incident Response.
[overall 21 marks]
a) Your organisation received a report about an incident that has brought down several critical business processes. This is caused by malware. Discuss what steps you might take to respond to this incident. Explain your answer.
[6 marks]
b) Consider attacks aiming to steal money via an online banking account.
i) Draw an attack tree for this scenario.
[9 marks]
ii) Choose two attacks from your tree and explain how they can be carried out and prevented.
[6 marks]