UNIT CODE: BIT 4104 UNIT TITLE: SECURITY AND

CRYPTOGRAPHY
BBIT/2019/56044

You have been hired as cyber-space security administrator for MKU

a) Identify the five possible vulnerable areas that a threat may be directed to and suggest the
risk mitigation for each (5 Marks)

Answer
 premises access. Mitigated through intallation of biometrics and cctvs to all the
entrances
 Students and administration databases- mitigated through implimenting firewalls
and antivirus software as well as strong persons
 communication - Consider using a well-reputed endpoint security solution
across all network endpoint devices, especially since malware has a
tendency to infect the entire network.
 financial transactions –employ an address verification of the transactions made
use of receipts and strong passwords

a) Discuss the tools and procedures an ethical hacker would use to detect system penetration
for each area mentioned in (a) above and suggest suitable counter Measurers (5 marks)

Answer
Abusing trusted platforms that won't raise alarms
Upstream attacks that capitalize on a brand value, reputation or popularity.
Funelling crypto currency payments via hard-to-trace methods.
Using common channels and protocols
Using signed binaries to run obfuscated malware.

b) Computer security can be said to be the art or science of protecting computer resources
from unauthorized access, use or alteration. State and explain four key objectives that are
prioritized when protecting computer resources of the bank
(4 marks)
 Answer
Protect customer data
Cyber criminals sell personal information on the black market to be used in further
hacking schemes. As banks need to ensure proper cyber security systems are in place to
protect their network and most importantly, their customers' personal information.

Prevent financial losses

When a bank experiences a data breach that results in the loss of customer funds, this money can
take some time to recover. Not only does it impact the bank’s reputation but it also causes
considerable stress for the customer. To prevent breaches, banks need to implement a cyber risk
management plan that protects their network against all breach attempts and ensures financial
security for their customers.

Avoid penalties for FDIC non-compliance

Rules and regulations are in place for customer protection, and if these rules are broken or
bypassed, banks face huge penalties for non-compliance. It can be tough to recover from these
penalties and can make future customers question their bank's integrity.

Preserve bank’s reputation

Reputation is everything for a business, especially for a bank. Practicing good cyber security
methods and implementing continuous security monitoring reflects positively on a bank and
promotes trust.

c) How do you classify access control into key computer resource areas. With examples,
identify the three key areas to secure and suggest an access control measure for each area
within Military Department. (4 marks)

Answer
Discretionary access control (DAC)
With DAC models, the data owner decides on access. DAC is a means of assigning access rights
based on rules that users specify.

Mandatory access control (MAC)

MAC was developed using a non discretionary model, in which people are granted access based
on an information clearance. MAC is a policy in which access rights are assigned based on
regulations from a central authority.
 Role based access control (RBAC)
RBAC grants access based on a user’s role and implements key security principles, such as “least
privilege” and “separation of privilege.” Thus, someone attempting to access information can
only access data that’s deemed necessary for their role.

d) Briefly explain three types of identity authentication procedures within a A Sacco system.

(3 Marks)
Answer
Identification
Identity is the starting point of access security. Users are given unique identifiers, and are known
by these personal credentials – their username and password. When a sacco deploy an identity
management system, their primary goal is to properly, and with the highest level of confidence,
identify each user wishing to connect into the corporate IT system.

Authentication
Authentication is the stage in the security process where a user needs to prove their claimed
identity. Once users within a network can be securely identified and authenticated, it’s equally
important for them to have the appropriate authorizations.

Authorization
Even if a user’s digital identity can be authenticated, they should never be granted unrestricted
access within an IT network. Weak authorization can lead to over-privileged users and the risk of
accidental or deliberate abuse of root privileges.

e) Identify two future technologies that are under research and how they are anticipated to
negatively influence day to day human activities.
(5 marks)

Answer
Artificial Intelligence and robotics. Example self driving cars etc.s
The AI takeover of jobs will widen economic divides, leading to social upheaval. The
efficiencies and other economic advantages of code-based machine intelligence will continue to
disrupt all aspects of human work. While some expect new jobs will emerge, others worry about
massive job losses, widening economic divides and social upheavals, including populist
uprisings
Grover is one AI system capable of writing a fake news article from nothing more than a
headline. AI systems such as GROVER create articles more believable than those written by
humans.

f) Giving examples explain how as an IT Consultant you can develop a Computer Security
policy for an Airline Company.
(5 marks)

Answer
 Identify your risks - A good way to identify your risks can be through the use of
monitoring or reporting tools.
 Learn from others - There are many types of security policies, so it's important to
see what other organizations like yours are doing.
 Make sure the policy conforms to legal requirement. Depending on your data
holdings, jurisdiction and location, you may be required to conform to certain
minimum standards to ensure the privacy and integrity of your data, especially if
your company holds personal information. Having a viable security policy
documented and in place is one way of mitigating any liabilities you might incur
in the event of a security breach
 Policy construction – design the policy based on the knowledge acquired or
gathered.
 Policy implementation - A detailed implementation plan is now required to
translate the design into reality.
 Policy monitoring and maintenance- monitor the final system for errors and
improvement as well as maintaining it.

Refferences
https://www.tutorialspoint.com/internet_security/internet_security_quick_guide.htm

security and cryptography mku module