NIS Summer 24

The document is a question paper for NIS Summer 24, covering topics such as the differences between viruses and worms, advantages of biometrics, cryptanalysis, cybercrime, and assets. It also discusses firewalls, Kerberos, denial of service attacks, and the distinctions between symmetric and asymmetric cryptography. Additionally, it explains digital signatures, their generation, verification, and advantages.

Uploaded by

vawagav635
NIS Summer 24 Question Paper

1. Attempt any FIVE of the following: (10 marks)

(a) Differentiate between viruses & worms.


Ans.
Basis of comparison: Worms vs. Viruses

Definition
Worm: A worm is a form of malware that replicates itself and can spread to different computers via a network.
Virus: A virus is malicious executable code attached to another executable file; it can be harmless or can modify or delete data.

Objective
Worm: The main objective of worms is to eat up the system's resources. A worm consumes system resources such as memory and bandwidth and slows the system down to such an extent that it stops responding.
Virus: The main objective of viruses is to modify the information.

Host
Worm: It doesn't need a host to replicate from one computer to another.
Virus: It requires a host for spreading.

Harmful
Worm: It is less harmful as compared to a virus.
Virus: It is more harmful.

Detection and protection
Worm: Worms can be detected and removed by antivirus software and a firewall.
Virus: Antivirus software is used for protection against viruses.

Controlled by
Worm: Worms can be controlled remotely.
Virus: Viruses can't be controlled remotely.

Execution
Worm: Worms are executed via weaknesses in the system.
Virus: Viruses are executed via executable files.

Comes from
Worm: Worms generally come from downloaded files or through a network connection.
Virus: Viruses generally come from shared or downloaded files.

Symptoms
Worm: 1. Hampering computer performance by slowing it down. 2. Automatic opening and running of programs. 3. Sending of emails without your knowledge.
Virus: 1. Pop-up windows linking to malicious websites. 2. Hampering computer performance by slowing it down. 3. After booting, starting of unknown programs.

Types
Worm: Internet worms, instant messaging worms, email worms, file sharing worms, and Internet Relay Chat (IRC) worms are different types of worms.
Virus: Boot sector viruses, direct action viruses, polymorphic viruses, macro viruses, overwrite viruses, and file infector viruses are different types of viruses.

Examples
Worm: Examples of worms include the Morris worm, Storm worm, etc.
Virus: Examples of viruses include Creeper, Blaster, Slammer, etc.

Interface
Worm: It does not need human action to replicate.
Virus: It needs human action to replicate.

Speed
Worm: Its spreading speed is faster.
Virus: Its spreading speed is slower as compared to worms.
(b) State any four advantages of Biometrics.
Ans.
- Security: Biometrics are linked to a single individual and are difficult to steal, share, or guess. This reduces the risk of unauthorized access and protects confidential information.
- Accuracy: Biometrics are highly accurate and can be used to keep track of attendance.
- Scalability: Biometric systems are highly scalable, making them suitable for large organizations.
- Convenience: Biometrics are convenient because there is no need to remember or carry anything.
- Fraud prevention: Biometrics are highly fraud resistant and can help prevent fraud and protect confidential information.
- Easy installation and setup: Biometric credentials are easy to install and set up.

(c) Explain the term cryptanalysis.


Ans. Cryptanalysis is the study and process of analyzing and decrypting ciphers, codes, and encrypted text without using the real key. Alternately, it is the technique of recovering a communication's plain text content when you don't have access to the decryption key.
(d) Define term cyber crime.
Ans. Cybercrime is illegal activity involving computers, the internet, or network devices. Cybercriminals commit identity theft, initiate phishing scams, spread malware, and instigate other digital attacks. Examples: cyber stalking, email harassment.
(e) Explain the term assets.
Ans. An asset is any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware, software and confidential information.
(f) State any four limitations of firewall.
Ans.
1. Internal loose ends: A firewall cannot be deployed everywhere when it comes to internal attacks. Sometimes an attacker bypasses the firewall through a telephone line that crosses paths with the data line carrying the data packets, or through an employee who unwittingly cooperates with an external attacker.
2. Infected files: In the modern world, we come across various kinds of files through email or the internet. Most of these files are executable under the parameters of an operating system. It is impossible for the firewall to keep track of all the files flowing through the system.
3. Effective cost: As the requirements of a network or system increase with the level of threat, the cost of the devices used to build the firewall increases, and the maintenance cost of the firewall increases as well, making the overall cost of the firewall quite high.
4. User restriction: Restrictions and rules implemented through a firewall make a network secure, but they can make work less effective in a large organization or company. Even making a slight change in data can require a permit from a person of higher authority, slowing work down. Overall productivity drops because of this.
5. System performance: A software-based firewall consumes a lot of a system's resources. Using RAM and consuming power leaves very few resources for the rest of the functions or programs, so system performance can drop. A hardware firewall, on the other hand, does not affect system performance much, because it depends very little on the system's resources.

(g) Explain working of Kerberos in short.


Ans. Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities. The KDC involves: a ticket-granting server (TGS) that connects the user with the service server (SS), and a Kerberos database that stores the password and identification of all verified users.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It is a solution to network security problems: it provides tools for authentication and strong cryptography over the network to help you secure your information system. There are four parties involved in the Kerberos protocol:
i) User
ii) Authentication service (AS)
iii) Ticket granting server (TGS)
iv) Service server (SS)
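Toy simulation of the four-party exchange described above (user, AS, TGS, service server), added here as an example; it is not part of the question paper. It assumes a constructed KDC database, a toy authenticated encryption built from HMAC-SHA256 in place of Kerberos' real encryption types, and JSON in place of ASN.1 messages; the principal names and the password are constructed.

```python
import hashlib, hmac, json, os, time

LIFETIME = 300  # ticket lifetime in seconds (constructed value)

def _keystream(key, nonce, n):
    # n bytes of HMAC-SHA256(key, nonce || counter) output
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key, obj):
    # toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    # verify the tag first; a wrong key or a tampered blob raises ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket/authenticator rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()  # constructed password-to-key step

# Constructed KDC database: the long-term secret key of every principal.
KDC_DB = {"alice": user_key("alice-password"),
          "krbtgt": os.urandom(32),       # key of the ticket granting server (TGS)
          "fileserver": os.urandom(32)}   # key of the service server (SS)

def as_exchange(user):
    # Authentication Service: a TGT readable only by the TGS, plus the session
    # key sealed under the user's long-term key (only the real user can open it)
    sk, exp = os.urandom(32).hex(), int(time.time()) + LIFETIME
    tgt = enc(KDC_DB["krbtgt"], {"user": user, "key": sk, "exp": exp})
    return tgt, enc(KDC_DB[user], {"key": sk, "exp": exp})

def tgs_exchange(tgt, authenticator, service):
    # Ticket Granting Server: check TGT and authenticator, issue a service ticket
    t = dec(KDC_DB["krbtgt"], tgt)
    if t["exp"] < int(time.time()):
        raise ValueError("TGT expired")
    a = dec(bytes.fromhex(t["key"]), authenticator)  # proves the client holds sk
    if a["user"] != t["user"] or abs(a["ts"] - time.time()) > LIFETIME:
        raise ValueError("authenticator does not match TGT or is stale")
    svc_key, exp = os.urandom(32).hex(), int(time.time()) + LIFETIME
    ticket = enc(KDC_DB[service], {"user": t["user"], "key": svc_key, "exp": exp})
    return ticket, enc(bytes.fromhex(t["key"]), {"key": svc_key, "service": service})

def service_verify(service, ticket, authenticator):
    # Service Server: open the ticket with its own key, then check the authenticator
    t = dec(KDC_DB[service], ticket)
    if t["exp"] < int(time.time()):
        raise ValueError("service ticket expired")
    a = dec(bytes.fromhex(t["key"]), authenticator)
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def client_login(user, password, service):
    # Client side of the full AS -> TGS -> SS exchange
    tgt, blob = as_exchange(user)
    sk = bytes.fromhex(dec(user_key(password), blob)["key"])  # wrong password fails here
    ticket, blob2 = tgs_exchange(tgt, enc(sk, {"user": user, "ts": time.time()}), service)
    svc_key = bytes.fromhex(dec(sk, blob2)["key"])
    return service_verify(service, ticket, enc(svc_key, {"user": user, "ts": time.time()}))

def login_ok(user, password, service):
    try:
        return client_login(user, password, service) == user
    except (ValueError, KeyError):
        return False

if __name__ == "__main__":
    print(login_ok("alice", "alice-password", "fileserver"))  # True
    print(login_ok("alice", "wrong-password", "fileserver"))  # False
```

The password never leaves the client: it only unlocks the session key, and every later step is proven by possession of that key and the ticket.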

2. Attempt any THREE of the following: (12 marks)

(a) Enlist types of Biometrics & explain any one Biometrics type in detail.
Ans. Biometrics refers to the use of physical and behavioral characteristics to identify and authenticate individuals. Biometrics can be broadly categorized into two types:
1. Physiological Biometrics: These are based on a person's physical traits and include characteristics such as:
a. Fingerprint Recognition
b. Face Recognition
c. Iris Recognition
d. Retina Recognition
e. Hand Geometry
f. DNA Matching
2. Behavioral Biometrics: These are based on patterns of behavior unique to an individual and include characteristics such as:
a. Voice Recognition
b. Gait Analysis
c. Signature Analysis
d. Keystroke Dynamics

Detailed Explanation of Four Biometrics Types


1. Fingerprint Recognition
- Definition: Fingerprint recognition is a biometric technique that uses the unique patterns of ridges and valleys on a person's finger to authenticate or identify them.
- Working:
  - A fingerprint scanner captures the image of the fingerprint.
  - The scanner extracts key features such as minutiae points (ridge endings, bifurcations) and creates a digital template.
  - This template is then stored and used for comparison against other fingerprints in the system.
  - When a user places their finger on the scanner, it checks if the fingerprint matches the stored template.
- Use Case: Commonly used in smartphones, laptops, and physical security systems to allow access to authorized users.
- Advantages: High accuracy, low cost, and ease of use. Also non-intrusive as it requires only a touch.
- Disadvantages: May not work if the finger is dirty, wet, or injured. Susceptible to spoofing using molds or replicas of fingerprints.
2. Face Recognition
- Definition: Face recognition is a technique that analyzes the unique shape, structure, and features of a person's face for identification or verification.
- Working:
  - The system captures an image or video of the face.
  - It detects key facial features like the distance between the eyes, nose, mouth, and jawline to create a digital facial map.
  - The facial map is converted into a mathematical representation and stored in the database.
  - When a person stands in front of the camera, their facial features are compared to the stored template to authenticate or identify them.
- Use Case: Used in smartphone unlocks, border security, airport check-ins, and surveillance systems.
- Advantages: Contactless and can operate in the background without active user participation.
- Disadvantages: Accuracy can be affected by lighting, facial expressions, or changes in appearance. Concerns about privacy and mass surveillance are common.
3. Iris Recognition
- Definition: Iris recognition is a biometric method that uses the unique patterns in the colored part of the eye, known as the iris, to identify or authenticate individuals.
- Working:
  - The system captures an image of the eye and isolates the iris.
  - It analyzes the complex patterns, such as rings, furrows, and freckles, unique to each person's iris.
  - A digital template is created and stored for future comparison.
  - When a user looks at the iris scanner, it matches the iris patterns with the stored template for authentication.
- Use Case: Commonly used in high-security areas like military bases, airports, and government facilities.
- Advantages: Extremely high accuracy due to the uniqueness of the iris patterns. Works even in low light or with glasses/contact lenses.
- Disadvantages: Expensive equipment, and some users may find it intrusive as it requires looking directly into a scanner.
4. Voice Recognition
- Definition: Voice recognition analyzes the unique vocal characteristics of an individual's voice to identify or authenticate them.
- Working:
  - The system captures a voice sample and extracts features like pitch, tone, frequency, and rhythm.
  - These features are used to create a digital voiceprint or template.
  - When the user speaks again, the system compares the new voiceprint with the stored template.
- Use Case: Commonly used in call centers for identity verification, voice-controlled devices like virtual assistants, and banking applications.
- Advantages: Convenient and can be used for remote authentication. Works over the phone or through voice commands.
- Disadvantages: Accuracy can be affected by background noise, illness, or changes in voice. Susceptible to spoofing using voice recordings.

(b) Explain DOS with neat diagram.


Ans.
Denial of Service Attack: Denial of service (DoS) attacks can exploit a known vulnerability in a specific application or operating system, or they may attack features (or weaknesses) in specific protocols or services. In this form of attack, the attacker is attempting to deny authorized users access either to specific information or to the computer system or network itself. The purpose of such an attack can be simply to prevent access to the target system, or the attack can be used in conjunction with other actions in order to gain unauthorized access to a computer or network. SYN flooding is an example of a DoS attack that takes advantage of the way TCP/IP networks were designed to function, and it can be used to illustrate the basic principles of any DoS attack. SYN flooding exploits the TCP three-way handshake that is used to establish a connection between two systems. In a SYN flooding attack, the attacker sends fake connection requests to the targeted system. Each of these requests is answered by the target system, which then waits for the third part of the handshake. Since the requests are fake, the target waits for responses that will never come, as shown in the figure. The target system drops these half-open connections after a specific time-out period, but if the attacker sends requests faster than the time-out eliminates them, the system quickly fills up with pending requests. The number of connections a system can support is finite, so when more requests come in than can be processed, the system soon has all its connection slots reserved for fake requests. At this point, any further requests are simply dropped (ignored), and legitimate users who want to connect to the target system cannot connect. Use of the system has thus been denied to them.
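A defender-side check for the half-open connection build-up described above, added as an example and not part of the paper: it counts SYN-RECV sockets in constructed output in the format of `ss -tan`, reports backlog occupancy, and lists peers holding many half-open entries. The backlog size and alert thresholds are constructed values.

```python
from collections import Counter

# Constructed sample in the layout of `ss -tan` output:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE = """\
ESTAB     0  0  10.0.0.5:443  203.0.113.7:51822
SYN-RECV  0  0  10.0.0.5:443  198.51.100.10:40001
SYN-RECV  0  0  10.0.0.5:443  198.51.100.10:40002
SYN-RECV  0  0  10.0.0.5:443  198.51.100.10:40003
SYN-RECV  0  0  10.0.0.5:443  198.51.100.10:40004
SYN-RECV  0  0  10.0.0.5:443  198.51.100.11:40001
ESTAB     0  0  10.0.0.5:443  203.0.113.9:51900
SYN-RECV  0  0  10.0.0.5:443  198.51.100.10:40005
"""

def half_open_by_peer(text):
    """Count SYN-RECV (half-open) entries per peer address: these are the
    handshakes whose third packet the server is still waiting for."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "SYN-RECV":
            counts[parts[4].rsplit(":", 1)[0]] += 1
    return counts

def syn_flood_indicators(text, backlog=8, per_peer=3, fill=0.5):
    """backlog: listen queue size (constructed); per_peer and fill are
    constructed alert thresholds. A flood with spoofed source addresses is
    spread over many peers, so the backlog-occupancy check is the one that
    still fires in that case."""
    counts = half_open_by_peer(text)
    total = sum(counts.values())
    return {
        "half_open_total": total,
        "backlog_fill": total / backlog,
        "backlog_alert": total >= fill * backlog,
        "noisy_peers": sorted(ip for ip, n in counts.items() if n >= per_peer),
    }

if __name__ == "__main__":
    print(syn_flood_indicators(SAMPLE))
```

On Linux the usual mitigation once the backlog fills is SYN cookies (net.ipv4.tcp_syncookies), which let the kernel complete handshakes without keeping per-request state.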

(c) Differentiate between symmetric and asymmetric cryptography.


Ans.
Symmetric Key Encryption vs. Asymmetric Key Encryption

Keys
Symmetric: It only requires a single key for both encryption and decryption.
Asymmetric: It requires two keys, a public key and a private key, one to encrypt and the other to decrypt.

Ciphertext size
Symmetric: The size of the ciphertext is the same as or smaller than the original plaintext.
Asymmetric: The size of the ciphertext is the same as or larger than the original plaintext.

Speed
Symmetric: The encryption process is very fast.
Asymmetric: The encryption process is slow.

Amount of data
Symmetric: It is used when a large amount of data needs to be transferred.
Asymmetric: It is used to transfer a small amount of data.

Services provided
Symmetric: It only provides confidentiality.
Asymmetric: It provides confidentiality, authenticity, and non-repudiation.

Key length
Symmetric: The length of the key used is 128 or 256 bits.
Asymmetric: The length of the key used is 2048 bits or higher.

Resource utilization
Symmetric: Resource utilization is low compared to asymmetric key encryption.
Asymmetric: Resource utilization is high.

Efficiency
Symmetric: It is efficient as it is used for handling a large amount of data.
Asymmetric: It is comparatively less efficient as it can handle only a small amount of data.

Security
Symmetric: Security is lower as only one key is used for both encryption and decryption.
Asymmetric: Security is higher as two keys are used, one for encryption and the other for decryption.

Mathematical representation
Symmetric: P = D(K, E(K, P)), where K is the encryption and decryption key, P the plain text, D decryption, and E(K, P) the encryption of plain text P using K.
Asymmetric: P = D(Kd, E(Ke, P)), where Ke is the encryption key, Kd the decryption key, P the plain text, D decryption, and E(Ke, P) the encryption of plain text P using the encryption key Ke.

Examples
Symmetric: 3DES, AES, DES and RC4.
Asymmetric: Diffie-Hellman, ECC, ElGamal, DSA and RSA.

(d) Illustrate digital signature and explain it with neat diagram.
Ans. Digital Signature:

1. Digital signature is a strong method of authentication in electronic form.


2. It includes Message Authentication Code (MAC), hash value of a message, and digital pen pad
devices. It also includes cryptographically based signature protocols.
3. Digital Signature is used for the authentication of the message and the sender to verify the
integrity of the message.
4. Digital Signature may be in the form of text, symbol, image, or audio.
5. In today's world of electronic transactions, digital signature plays a major role in authentication.
For example, one can fill their income tax return online using their digital signature, which avoids
the use of paper and makes the process faster.
6. Asymmetric key encryption techniques and Public Key Infrastructure (PKI) are used in digital
signatures.
7. Digital signature algorithms are divided into two parts: a. Signing part: It allows the sender to
create their digital signature. b. Verification part: It is used by the receiver for verifying the
signature after receiving the message.

Generation and Verification of Digital Signatures:

Working:

1. A message digest (MD) is used to generate the signature. The message digest is calculated from the plaintext or message.
2. The message digest is encrypted using the sender's private key.
3. Then, the sender sends this encrypted message digest together with the plaintext or message to the receiver.
4. The receiver calculates the message digest from the plaintext or message they received.
5. The receiver decrypts the encrypted message digest using the sender's public key. If the two message digests are not the same, then the plaintext or message was modified after signing.
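Worked example, added here and not from the paper, of the five signing and verification steps above using textbook RSA with keys generated in the block and SHA-256 as the message digest; it also checks the asymmetric identity P = D(Kd, E(Ke, P)) from the symmetric/asymmetric comparison in question 2(c). Textbook RSA without padding is a teaching simplification; real signatures use padded schemes such as RSA-PSS.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate

def keygen(bits=512):
    """Textbook RSA key pair: public Ke = (n, e), private Kd = (n, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pub, m):      # E(Ke, P)
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):     # D(Kd, C)
    n, d = priv
    return pow(c, d, n)

def digest(message):
    """Step 1: the message digest, as an integer (SHA-256, 256 bits < n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(priv, message):
    """Step 2: the digest 'encrypted' with the sender's private key."""
    return pow(digest(message), priv[1], priv[0])

def verify(pub, message, signature):
    """Steps 4 and 5: recompute the digest and compare it with the digest
    recovered from the signature using the sender's public key."""
    return pow(signature, pub[1], pub[0]) == digest(message)

if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Income tax return for assessment year 2024"   # constructed message
    sig = sign(priv, msg)
    print(verify(pub, msg, sig))                 # True: untouched message
    print(verify(pub, msg + b" (amended)", sig))  # False: modified after signing
```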

Advantages of Digital Signatures:

- Speed: Businesses no longer have to wait for paper documents to be sent by courier. Contracts are easily written, completed, and signed by all concerned parties in a short amount of time, no matter how far apart the parties are geographically.
- Costs: Using postal or courier services for paper documents is much more expensive compared to using digital signatures on electronic documents.
- Security: The use of digital signatures and electronic documents reduces the risks of documents being intercepted, read, destroyed, or altered while in transit.
- Authenticity: An electronic document signed with a digital signature can stand up in court just as well as any other signed paper document.
- Non-Repudiation: Signing an electronic document digitally identifies you as the signatory, and that cannot be denied later.
- Timestamp: By time-stamping your digital signatures, you will clearly know when the document was signed.

3. Attempt any THREE of the following: (12 marks)

(a) Define the following terms:
(i) Authentication
(ii) Authorization
Ans. Authorization: It is the process of verifying that a known person has the authority to perform a certain operation. It cannot occur without authentication. It is nothing but granting permissions and rights to an individual so that they can use these rights to access computer resources or information.
Authentication: Authentication is the process of determining the identity of a user or other entity. It is performed during the log-on process, where the user has to submit his/her username and password. Three methods are used in it:
1. Something you know: the user knows a user id and password.
2. Something you have: a valid user has a lock and key.
3. Something about you: the user's unique identity, like fingerprints, DNA, etc.

(b) Convert plain text into cipher text by using the simple columnar technique for the following sentence: ALL IS WELL FOR YOUR EXAM.
Ans.
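Since the question gives no key, the simple columnar transposition below (an added example, not the paper's own answer) assumes the keyword EXAM, which gives a column read-out order of 3, 1, 4, 2; spaces are dropped and the last row is padded with X when the text does not fill the grid.

```python
import math

def _column_order(key):
    """Column indices in read-out order: alphabetical order of the key
    letters, with repeated letters taken left to right."""
    return [i for _, i in sorted((ch, i) for i, ch in enumerate(key))]

def columnar_encrypt(plaintext, key, pad="X"):
    """Write the letters row by row into len(key) columns, then read the
    columns out in key order."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    cols = len(key)
    rows = math.ceil(len(text) / cols)
    text = text.ljust(rows * cols, pad)          # complete the last row
    grid = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join("".join(row[c] for row in grid) for c in _column_order(key))

def columnar_decrypt(ciphertext, key):
    """Inverse: cut the ciphertext into len(key) equal columns, put each back
    in its key position, and read the grid row by row (padding stays)."""
    cols = len(key)
    rows = len(ciphertext) // cols
    columns = [""] * cols
    for k, c in enumerate(_column_order(key)):
        columns[c] = ciphertext[k * rows:(k + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))

if __name__ == "__main__":
    ct = columnar_encrypt("ALL IS WELL FOR YOUR EXAM", "EXAM")
    print(ct)                              # LEOUAASLYEILRRMLWFOX
    print(columnar_decrypt(ct, "EXAM"))    # ALLISWELLFORYOUREXAM
```

With 20 letters and a 4-letter key the grid is exactly 5 rows, so no padding is needed for this sentence; a different key length would show the X padding.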

(c) Describe packet filter router firewall with neat diagram.


Ans. 1. Packet filter as a firewall: As per the diagram given below, the firewall acts according to the rule table given. For example, source IP 150.150.0.0 is the address of a network; all packets coming from this network are blocked by the firewall, and in this way it acts as a firewall. The table also has entries for port 80, IP address 200.75.10.8 and port 23, and the firewall acts in a similar fashion for them. Port 23 is for Telnet remote login; in this case the firewall won't allow logging in to this server. IP address 200.75.10.8 is the address of an individual host; all packets having this IP address as their destination address are denied. Port 80: no HTTP requests are allowed by the firewall.
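The rule table described above as a first-match packet filter, added as an example (not the paper's diagram or any product's code). The /16 mask on the 150.150.0.0 network and the final default-allow rule are assumptions, since the answer does not state them; the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str = "tcp"

# Rule table reconstructed from the answer text. The network mask and the
# default-allow rule at the end are assumptions.
RULES = [
    ("deny",  {"src": ipaddress.ip_network("150.150.0.0/16")}),  # whole source network
    ("deny",  {"dst": ipaddress.ip_network("200.75.10.8/32")}),  # individual host
    ("deny",  {"dport": 23}),                                    # Telnet remote login
    ("deny",  {"dport": 80}),                                    # HTTP requests
    ("allow", {}),                                               # default (assumed)
]

def matches(fields, pkt):
    """A rule matches when every field it names matches the packet;
    an empty field set matches everything."""
    for field, want in fields.items():
        if field in ("src", "dst"):
            if ipaddress.ip_address(getattr(pkt, field)) not in want:
                return False
        elif getattr(pkt, field) != want:
            return False
    return True

def filter_packet(pkt, rules=RULES):
    """First-match evaluation; returns (action, index of the deciding rule)."""
    for i, (action, fields) in enumerate(rules):
        if matches(fields, pkt):
            return action, i
    return "deny", -1   # not reached with a default rule; fail closed otherwise

if __name__ == "__main__":
    for p in (Packet("150.150.3.4", "10.0.0.1", 443),
              Packet("203.0.113.5", "200.75.10.8", 443),
              Packet("203.0.113.5", "10.0.0.1", 23),
              Packet("203.0.113.5", "10.0.0.1", 80),
              Packet("203.0.113.5", "10.0.0.1", 443)):
        print(p, "->", filter_packet(p))
```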

(d) Explain working of fingerprint mechanism and its limitations.


Ans.

Fingerprint registration & verification mechanism


1. The first time an individual uses a biometric system is called enrollment (registration).
2. During enrollment, biometric information from an individual is stored.
3. In the verification process, biometric information is detected and compared with the information stored at the time of enrollment.
4. The first block (sensor) is the interface between the real world and the system; it has to acquire all the necessary data.
5. The second block performs all the necessary pre-processing.
6. The third block extracts the necessary features. This is an important step, as the correct features need to be extracted in the optimal way.
7. If enrollment is being performed, the template is simply stored somewhere (on a card, within a database, or both).
8. If a matching phase is being performed, the obtained template is passed to a matcher that compares it with other existing templates, estimating the distance between them using a matching algorithm.
9. The matching program analyzes the template against the input. The result is then output for any specified use or purpose.
Limitations of Fingerprint Recognition Mechanism
Fingerprint recognition is one of the most widely used biometric authentication techniques due to its ease
of use, affordability, and generally high accuracy. However, it has several limitations and drawbacks that
can affect its effectiveness and security. Some of the key limitations are:
1. Environmental Factors:
a. Fingerprint scanners may not function properly if the fingers are wet, dirty, oily, or dry.
Dust, moisture, and grease can interfere with the ability of the sensor to capture clear and
accurate fingerprint images.
b. Extreme temperatures (too hot or cold) can cause the skin to contract or expand, leading
to poor readings.
2. Physical Condition of the Finger:
a. People with injuries, scars, or cuts on their fingers may experience difficulties in
fingerprint recognition.
b. Fingerprints can wear out over time for people whose professions involve rough use of
hands (e.g., construction workers, factory workers), leading to reduced effectiveness.
c. Certain medical conditions, like eczema or dermatitis, can alter the fingerprint patterns,
making authentication difficult.
3. Susceptibility to Spoofing:
a. Fingerprint sensors can be tricked using artificial fingerprints made from materials like
silicone, gelatin, or molds of real fingerprints. This makes fingerprint systems vulnerable
to spoofing attacks.
b. High-quality images of fingerprints can also be used to create replicas, which can bypass
less sophisticated sensors.
4. Template Storage and Privacy Concerns:
a. Storing fingerprint templates securely is critical. If a fingerprint template is
compromised, it cannot be changed like a password, posing a permanent security risk.
b. The misuse or leakage of biometric data can lead to severe privacy concerns, as
fingerprints are unique and cannot be altered or replaced.
5. User Acceptance and Hygiene Issues:
a. Some users may be reluctant to use fingerprint scanners due to privacy concerns or the
fear of misuse of their biometric data.
b. Hygiene concerns may also arise, as shared fingerprint scanners (e.g., in public places)
may be perceived as unsanitary, leading to reluctance in use.
6. Failure to Enroll (FTE) Rate:
a. Certain groups of people, such as the elderly or infants, may have difficulty registering
their fingerprints due to insufficient ridge details or small finger sizes. This leads to a
high Failure to Enroll (FTE) rate.
b. People with genetic conditions like adermatoglyphia (absence of fingerprints) cannot
use fingerprint-based systems at all.
7. Latency and Response Time:
a. In some cases, fingerprint recognition systems can be slower than other methods like face
recognition or PIN entry, leading to user frustration, especially in high-traffic
environments.
b. Low-quality scanners may take multiple attempts to recognize a fingerprint, causing
delays and inconvenience.
8. Scalability Issues:
a. Fingerprint recognition systems may not scale well for large-scale applications (e.g.,
national identity programs) due to the time it takes to capture and compare fingerprints
accurately in huge databases.
b. It can become computationally expensive and time-consuming to match fingerprints
against a large number of stored templates.
9. Limited Application for Remote Authentication:
a. Fingerprint recognition is typically used for on-device authentication (e.g., unlocking
smartphones or physical access control). It is not well-suited for remote authentication
scenarios, such as online transactions, where capturing fingerprints securely over the
internet is challenging.
10. Interoperability Issues:
a. Different fingerprint scanners use varying levels of resolution, sensing technologies (e.g.,
optical, capacitive, ultrasonic), and matching algorithms, which may not be compatible
with one another. This leads to interoperability issues when integrating systems from
multiple vendors.

4. Attempt any THREE of the following: (12 marks)

(a) Explain Caesar's cipher substitution technique with example.


Ans. The Caesar cipher technique was proposed by Julius Caesar. It is one of the simplest and most widely known encryption techniques. It is a type of substitution technique in which each letter in the plain text is replaced by a letter some fixed number of positions down the alphabet. The Caesar cipher involves replacing each letter of the alphabet with the letter three places further down the alphabet. For example, with a shift of 3, A would be replaced by D, B would become E, and so on, as shown in the example below.

PLAIN TEXT: COMPUTER ENGINEERING
CIPHER TEXT: FRPSXWHU HQJLQHHULQJ

(b) Describe host based IDS with its advantages and disadvantages.
Ans. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets from the device only and alerts the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If these system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.

Basic components of a HIDS:

- Traffic collector: This component collects activity or events for the IDS to examine. On a host-based IDS, this can be log files, audit logs, or traffic coming to or leaving a specific system.
- Analysis engine: This component examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine acts like the brain of the IDS.
- Signature database: It is a collection of patterns and definitions of known suspicious or malicious activity.
- User interface and reporting: This is the component that interfaces with the human element, providing alerts and giving the user a means to interact with and operate the IDS.

(c) Define Hacking. Explain different types of Hackers.


Ans. Hacking in simple terms means an illegal intrusion into a computer system and/or network. Government websites are a hot target of hackers because of the press coverage they receive; hackers enjoy the media coverage.
OR
Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. Hacking is not always a malicious activity, but the term has mostly negative connotations due to its association with cybercrime.
Types of Hackers:
White Hat Hackers
White hat hackers are authorized or certified hackers who work for governments and organizations by performing penetration testing and identifying loopholes in their cybersecurity. They also ensure protection from malicious cyber-crimes. They work under the rules and regulations provided by the government, which is why they are called ethical hackers or cybersecurity experts.
Black Hat Hackers
They are often called crackers. Black hat hackers gain unauthorized access to your system and destroy your vital data. The methods of attack they use are common hacking practices they have learned earlier. They are considered criminals and can be easily identified because of their malicious actions.
Gray Hat Hackers
Gray hat hackers fall somewhere between white hat and black hat hackers. They are not legally authorized hackers. They work with both good and bad intentions and may use their skills for personal gain. It all depends on the hacker. If a gray hat hacker uses his/her skills for personal gain, he/she is considered a black hat hacker.
Script Kiddies: They are the most dangerous people in terms of hackers. A script kiddie is an unskilled person who uses scripts or downloads tools for hacking provided by other hackers. They attempt to attack computer systems and networks and deface websites. Their main purpose is to impress their friends and society. Generally, script kiddies are juveniles who are unskilled at hacking.
Green Hat Hackers: They are also amateurs in the world of hacking, but they are a bit different from script kiddies. They care about hacking and strive to become full-blown hackers. They are inspired by hackers and ask them questions; while the hackers are answering their questions, they listen with curiosity.
Blue Hat Hackers: They are much like white hat hackers; they work for companies doing security testing of their software right before the product launch. Blue hat hackers are outsourced by the company, unlike white hat hackers, who are employed by (part of) the company.
Red Hat Hackers: They are also known as eagle-eyed hackers. Like white hat hackers, red hat hackers also aim to halt black hat hackers. There is a major difference in the way they operate: they become ruthless while dealing with the malware actions of black hat hackers. A red hat hacker keeps attacking the black hat hacker aggressively, to the point where the black hat hacker may have to replace the whole system.
State/Nation Sponsored Hackers: State or nation sponsored hackers are those who are appointed by a government to provide it with cybersecurity and to gain confidential information from other countries, to stay on top or to avoid any kind of danger to the country. They are highly paid government workers.
Hacktivist: These are also called the online version of activists. A hacktivist is a hacker or a group of anonymous hackers who gain unauthorized access to a government's computer files and networks for social or political ends.
Malicious Insider or Whistleblower: A malicious insider or a whistleblower could be an employee of a company or a government agency with a grudge, or a strategic employee who becomes aware of illegal activities happening within the organization and can blackmail the organization for his/her personal gain.
(d) Explain the features of IDS technique.
Ans. An Intrusion Detection System (IDS) is a security mechanism used to monitor and analyze network traffic and system activities to detect malicious activities or policy violations. IDSs are essential components in modern cybersecurity architectures, as they help detect threats and potential intrusions that may compromise the confidentiality, integrity, and availability of IT systems.
IDSs can be classified into two main categories:
- Network-based IDS (NIDS): Monitors network traffic to detect intrusions.
- Host-based IDS (HIDS): Monitors the activities on a specific host or device to identify unauthorized actions.
Some of the key features of IDSs are described below:
1. Traffic Analysis and Monitoring
- IDSs monitor and analyze network or system traffic for suspicious patterns or unusual activity.
- They inspect incoming and outgoing traffic for signs of malicious behavior, such as port scanning, traffic spikes, or unusual access patterns.
- Network-based IDS (NIDS) can capture packets and analyze packet headers and payloads, while host-based IDS (HIDS) can monitor logs, file integrity, and system calls.
2. Signature-Based Detection
- Signature-based detection relies on predefined patterns, or "signatures," of known attacks to identify malicious activity.
- When the IDS detects a packet or system event that matches a known signature, it generates an alert.
- This method is effective against known threats but is not suitable for detecting zero-day attacks or unknown threats, because it relies on a database of existing attack signatures.
3. Anomaly-Based Detection
- Anomaly-based detection establishes a baseline of normal network or system behavior and flags deviations from this baseline as potential threats.
- This technique uses statistical methods, machine learning, or artificial intelligence to detect unusual patterns, such as excessive login attempts, abnormal data transfers, or unauthorized access.
- It is useful for identifying new or unknown threats that do not match any known signatures, but it can generate false positives due to benign deviations from the baseline.
4. Real-Time Alerting and Notification
- IDSs provide real-time alerts to security administrators when a potential intrusion is detected.
- Alerts can be delivered via various channels, including email, SMS, or dashboards, enabling quick responses to potential threats.
- Alerts often include details like the type of attack, the source and destination IP addresses, and the timestamp of the event, helping in quick incident investigation and response.
5. Log and Event Correlation
 IDSs collect and correlate logs and events from various sources, including firewalls, servers, and
other network devices, to provide a comprehensive view of potential security incidents.
 Event correlation helps identify multi-stage attacks or coordinated activities that might go
unnoticed if viewed in isolation.
 The IDS system can integrate with Security Information and Event Management (SIEM) systems
to enhance log management and incident response capabilities.
6. Detection of Known and Unknown Threats
 IDSs use both signature-based and anomaly-based detection methods to identify known and
unknown threats.
 Some IDSs also use heuristic analysis, which involves evaluating the behavior of traffic or system
activities based on predefined rules to identify potential intrusions.
7. Centralized Management and Reporting
 Many IDS solutions offer centralized management consoles that allow security teams to monitor,
configure, and manage multiple IDS sensors deployed across different locations.
 This centralized management enables consolidated reporting, making it easier to analyze trends,
generate reports, and understand the overall security posture.
8. Protocol Analysis and Packet Inspection
 IDSs can perform deep packet inspection (DPI) to analyze the contents of individual packets for
suspicious patterns.
 Protocol analysis allows the IDS to identify misuse of protocols like HTTP, DNS, or SMTP and
detect anomalies that may indicate tunneling, covert channels, or protocol-based attacks.
9. Response Mechanism and Integration
 While traditional IDSs are passive and do not block or prevent attacks, they can be configured to
trigger responses such as shutting down a connection or blocking an IP address.
 IDSs often integrate with other security mechanisms, such as firewalls, intrusion prevention
systems (IPS), and security incident response platforms to automate responses and mitigate
threats quickly.
10. Host-Based Analysis and File Integrity Monitoring
 Host-based IDSs (HIDS) provide detailed monitoring of activities on individual devices,
including user logins, file access, registry changes, and other system calls.
 They often include file integrity monitoring (FIM) to detect unauthorized changes to critical files
or system configurations.
11. Data Visualization and Analysis
 Modern IDSs include data visualization features, such as charts, graphs, and heatmaps, to help
security analysts understand patterns and trends in network or system activity.
 Visualization aids in identifying anomalies, tracking the spread of malware, and analyzing the
impact of attacks on network performance.
12. Customizability and Scalability
 IDSs offer customizable detection rules and configurations, allowing security teams to define
specific policies for their environment.
 They can be scaled to monitor multiple networks or hosts, making them suitable for both small-
scale and large-scale deployments.
13. Compliance and Regulatory Support
 IDSs can help organizations meet compliance and regulatory requirements by providing audit
trails, logs, and reports on security events and incidents.
 They support standards such as PCI-DSS, HIPAA, and GDPR by monitoring for policy violations
and security incidents related to sensitive data.
14. Integration with Threat Intelligence
 Some IDS solutions can integrate with external threat intelligence feeds to enhance detection
capabilities.
 By comparing network traffic or system events against known threat indicators (such as malicious
IP addresses, domain names, or file hashes), IDSs can identify threats more effectively.
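As an added example (not part of the original answer), the following Python sketch shows features 2, 3 and 6 working together on constructed access-log lines: a small signature database, a per-source request baseline learned from benign traffic, and the false positive that anomaly detection can raise on a busy but harmless client. All addresses, paths and log lines are made up for this example.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed web-access log lines: "<timestamp> <source ip> <method> <path> <status>".
# Benign traffic used to learn the baseline (all made up for this example).
BASELINE_LOG = [
    "2024-06-01T10:00:01 10.0.0.5 GET /index.html 200",
    "2024-06-01T10:00:03 10.0.0.6 GET /login 200",
    "2024-06-01T10:00:04 10.0.0.5 GET /static/app.js 200",
    "2024-06-01T10:00:09 10.0.0.7 POST /login 302",
    "2024-06-01T10:00:12 10.0.0.8 GET /index.html 200",
    "2024-06-01T10:00:15 10.0.0.7 GET /account 200",
    "2024-06-01T10:00:20 10.0.0.6 GET /static/app.js 200",
    "2024-06-01T10:00:22 10.0.0.5 GET /account 200",
    "2024-06-01T10:00:30 10.0.0.7 GET /logout 302",
    "2024-06-01T10:00:31 10.0.0.8 GET /login 200",
]

# Traffic to be monitored: one probing client, one busy but benign client, one corrupt line.
MONITORED_LOG = [
    "2024-06-01T11:00:01 10.0.0.5 GET /index.html 200",
    "2024-06-01T11:00:02 203.0.113.9 GET /index.html 200",
    "2024-06-01T11:00:02 203.0.113.9 GET /admin 404",
    "2024-06-01T11:00:03 203.0.113.9 GET /backup.zip 404",
    "2024-06-01T11:00:03 203.0.113.9 GET /../../etc/passwd 400",
    "2024-06-01T11:00:04 203.0.113.9 GET /search?q=1%20UNION%20SELECT%20name%20FROM%20users 500",
    "2024-06-01T11:00:05 10.0.0.6 GET /reports/q1.pdf 200",
    "2024-06-01T11:00:05 10.0.0.6 GET /reports/q2.pdf 200",
    "2024-06-01T11:00:06 10.0.0.6 GET /reports/q3.pdf 200",
    "2024-06-01T11:00:06 10.0.0.6 GET /reports/q4.pdf 200",
    "2024-06-01T11:00:07 10.0.0.6 GET /reports/q5.pdf 200",
    "this line is corrupted and must not crash the sensor",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Signature database: patterns of known attacks (feature 2). Matching is done on the
# URL-decoded path so that percent-encoded and plain forms are treated alike.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)\bunion\s+select\b"),
}

@dataclass
class Alert:
    kind: str      # "signature" or "anomaly"
    source: str
    detail: str

def parse(line):
    """Return the fields of one log line, or None for a line the sensor cannot parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def signature_scan(lines):
    """Feature 2: alert on any request whose path matches a known-attack signature."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        path = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(Alert("signature", rec["src"], f"{name}: {rec['path']}"))
    return alerts

def learn_threshold(lines):
    """Feature 3, training step: requests per source that still count as normal (mean + 3 sigma)."""
    counts = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    values = list(counts.values())
    return statistics.mean(values) + 3 * statistics.pstdev(values)

def anomaly_scan(lines, threshold):
    """Feature 3, detection step: flag sources whose request volume exceeds the baseline.
    Note the false positive: 10.0.0.6 is only downloading reports but looks like a burst."""
    counts = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    return [Alert("anomaly", src, f"{n} requests > threshold {threshold:.1f}")
            for src, n in counts.items() if n > threshold]

def run_ids(baseline, monitored):
    """Feature 6: combine both detection methods into one alert list."""
    return signature_scan(monitored) + anomaly_scan(monitored, learn_threshold(baseline))
```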

(e) Differentiate between substitution and transposition techniques?


Ans.

5. Attempt any TWO of the following:12

(a) Explain active attack and passive attack with suitable example.
Ans. An active attack is a type of network or system attack where the attacker attempts to alter, modify,
or disrupt communication between the source and destination. Unlike passive attacks (where attackers
only observe the communication without affecting it), active attacks involve direct interference in the data
flow, making them more aggressive and potentially more harmful.
In an active attack, the attacker may change the content of messages, inject new data, delete existing data,
or even impersonate a legitimate user to gain unauthorized access to a system or network. Active attacks
can be further classified into several categories, including Masquerade, Replay, Modification of
messages, and Denial-of-Service (DoS).
Types of Active Attacks with Examples
1. Masquerade Attack

a. Description: In a masquerade attack, the attacker impersonates another user or system to
gain unauthorized access. The attacker typically uses stolen credentials (like username
and password) or exploits a vulnerability to assume the identity of a legitimate user.
b. Example: An attacker logs in to a system using a stolen set of user credentials to gain
access to sensitive files and data. For instance, if the attacker manages to obtain a bank
employee's login credentials, they could log into the bank’s internal system and
manipulate financial records.
2. Replay Attack

a. Description: A replay attack involves capturing and reusing legitimate data transmission.
The attacker intercepts a valid data transmission and replays it to gain unauthorized
access or make the system believe it is a legitimate operation.
b. Example: An attacker captures a user’s login credentials sent over the network and
replays them at a later time to gain access to the system. For instance, if a user’s
authentication tokens are not properly encrypted, an attacker could reuse them to gain
unauthorized access.
3. Modification of Messages

a. Description: In this type of attack, the attacker alters the content of the messages being
exchanged between the sender and receiver. The modification can change the meaning or
operation of the message, resulting in unexpected behavior.
b. Example: An attacker intercepts a communication between two employees discussing the
transfer of funds. The attacker modifies the message to change the bank account number,
causing the funds to be transferred to the attacker’s account instead of the intended
recipient.
4. Denial-of-Service (DoS) Attack

a. Description: A DoS attack aims to disrupt the availability of a network or system by
overwhelming it with an excessive amount of traffic or requests. This prevents legitimate
users from accessing the service.
b. Example: An attacker floods a web server with thousands of requests per second, making
the server unable to respond to legitimate requests. This results in downtime for the
website and disrupts business operations.
Detailed Example: Man-in-the-Middle (MITM) Attack
Man-in-the-Middle (MITM) Attack is a prominent example of an active attack. In this attack, the
attacker intercepts and potentially alters the communication between two parties without their knowledge.
The attacker can inject new data, modify existing data, or eavesdrop on the communication.
 Scenario: Suppose Alice and Bob are communicating over an insecure network (e.g., public Wi-
Fi). If an attacker, Eve, positions herself between Alice and Bob, she can intercept the messages
being exchanged.
 Step-by-Step Process:
o Interception: Eve gains access to the communication channel and intercepts the
messages between Alice and Bob. This can be done by exploiting network vulnerabilities
or using tools like packet sniffers.
o Modification: Eve can then modify the messages, such as changing the content of a
message or injecting false information.
o Forwarding: After making changes, Eve forwards the modified messages to the intended
recipient, making it appear as though the communication is normal.
 Example: Alice sends a message to Bob saying, “Transfer $1000 to my account.” Eve intercepts
the message, modifies it to “Transfer $10,000 to Eve’s account,” and forwards it to Bob. Bob,
thinking the message is from Alice, transfers $10,000 to Eve’s account.
 Impact: This type of attack can lead to financial losses, data breaches, and unauthorized access.
The attacker can also use the intercepted information to conduct further attacks or gain additional
access to sensitive data.
Preventive Measures for Active Attacks
1. Encryption:
a. Encrypting communications using protocols like TLS/SSL ensures that even if an
attacker intercepts the messages, they cannot read or alter the content without the
encryption key.
2. Digital Signatures:
a. Digital signatures can be used to verify the authenticity and integrity of a message,
ensuring that the message has not been tampered with in transit.
3. Authentication Mechanisms:
a. Strong authentication mechanisms, like two-factor authentication (2FA), help prevent
attackers from gaining unauthorized access by requiring additional proof of identity.
4. Session Management:
a. Proper session management (e.g., using timeouts and unique session IDs) reduces the risk
of replay and session hijacking attacks.
5. Intrusion Detection Systems (IDS) and Firewalls:
a. IDS and firewalls can help detect unusual traffic patterns or unauthorized access
attempts, alerting security teams to potential active attacks.
6. Regular Security Audits and Updates:
a. Regularly auditing systems and applying security patches can help identify and mitigate
vulnerabilities that could be exploited in active attacks.
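The following added example (not from the original answer) puts preventive measures 2 and 4 into code. It uses an HMAC tag in place of a digital signature (an assumption made for brevity; both let the receiver detect tampering) plus a per-message nonce and timestamp, and replays the Alice/Bob/Eve scenario so that the modified, replayed and stale messages are each rejected by Bob. The shared key and all messages are constructed.

```python
import hashlib
import hmac
import secrets

# Key shared by Alice and Bob ahead of time (constructed; a real deployment would
# provision it out of band or derive it from a key exchange such as the TLS handshake).
SHARED_KEY = b"example-shared-key-for-illustration-only"


def _tag(key, nonce, ts, body):
    """Message authentication code over everything the receiver will check."""
    data = f"{nonce}|{ts}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def send(key, body, now):
    """Alice's side: every message carries a fresh nonce (unique ID), a timestamp and a tag."""
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "ts": now, "body": body, "tag": _tag(key, nonce, now, body)}


class Receiver:
    """Bob's side: rejects modified, stale and replayed messages."""

    def __init__(self, key, max_age=30):
        self.key = key
        self.max_age = max_age      # seconds for which a message stays acceptable
        self.seen = set()           # nonces already accepted (prune entries older than max_age)

    def accept(self, msg, now):
        # 1. Integrity: Eve cannot recompute the tag without the key, so any change to the
        #    body, nonce or timestamp is detected. compare_digest avoids a timing side channel.
        expected = _tag(self.key, msg["nonce"], msg["ts"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"
        # 2. Freshness: a message captured long ago cannot be replayed later.
        if abs(now - msg["ts"]) > self.max_age:
            return "rejected: stale"
        # 3. Uniqueness: the same nonce is never accepted twice inside the window.
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen.add(msg["nonce"])
        return "accepted"


def demo():
    """Replay the answer's scenario: Alice -> Bob with Eve in the middle. Returns Bob's verdicts."""
    bob = Receiver(SHARED_KEY)
    original = send(SHARED_KEY, "Transfer $1000 to Alice's account", now=1_000)
    # Eve alters the amount and the payee (modification of messages).
    tampered = dict(original, body="Transfer $10,000 to Eve's account")
    # Eve re-sends Alice's genuine message a moment later (replay attack).
    replayed = dict(original)
    # Eve re-sends a message she captured long ago (outside the freshness window).
    old = send(SHARED_KEY, "Transfer $1000 to Alice's account", now=100)
    return [
        bob.accept(original, now=1_001),
        bob.accept(tampered, now=1_002),
        bob.accept(replayed, now=1_003),
        bob.accept(old, now=1_004),
    ]
```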

(b) Describe the DMZ with suitable example.


Ans. DMZ (Demilitarized Zone): It is a computer host or small network
inserted as a “neutral zone” between a company's private network and the
outside public network. It prevents outside users from getting direct
access to a company's data server. A DMZ is an optional but more
secure addition to a firewall. It can effectively act as a proxy server.
The typical DMZ configuration has a separate computer or host in the
network which receives requests from users within the private
network to access web sites or the public network. The DMZ host then
initiates sessions for such requests on the public network, but it is not
able to initiate a session back into the private network. It can only
forward packets which have been requested by an internal host. The public
network's users who are outside the company can access only the
DMZ host. It can store the company's web pages, which can be served
to the outside users. Hence, the DMZ can't give access to the rest of the
company's data. If an outsider somehow penetrates the DMZ's
security, the web pages may get corrupted, but the rest of the company's
information remains safe.

Examples:
1) Web servers
It’s possible for web servers communicating with internal database
servers to be deployed in a DMZ. This makes internal databases more
secure, as these are the repositories responsible for storing sensitive
information. Web servers can connect with the internal database
server directly or through application firewalls, even though the DMZ
continues to provide protection.
2) DNS servers
A DNS server stores a database of public IP addresses and their
associated hostnames. It usually resolves or converts those names to
IP addresses when applicable. DNS servers use specialized software
and communicate with one another using dedicated protocols. Placing
a DNS server within the DMZ prevents external DNS requests from
gaining access to the internal network. Installing a second DNS
server on the internal network can also serve as additional security.
3) Proxy servers
A proxy server is often paired with a firewall. Other computers use it
to view Web pages. When another computer requests a Web page, the
proxy server retrieves it and delivers it to the appropriate requesting
machine. Proxy servers establish connections on behalf of clients,
shielding them from direct communication with a server. They also
isolate internal networks from external networks and save bandwidth
by caching web content.

(c) Explain working principle of SMTP in detail.


Ans. 1. Composition of Mail: A user sends an e-mail by composing an
electronic mail message using a Mail User Agent (MUA). Mail User
Agent is a program which is used to send and receive mail. The
message contains two parts: body and header. The body is the main
part of the message while the header includes information such as the
sender and recipient address. The header also includes descriptive
information such as the subject of the message. In this case, the
message body is like a letter and header is like an envelope that
contains the recipient's address.
2. Submission of Mail: After composing an email, the mail client
then submits the completed e-mail to the SMTP server by using
SMTP on TCP port 25.
3. Delivery of Mail: E-mail addresses contain two parts: the username of
the recipient and the domain name. For example, in [email protected],
"Vivek" is the username of the recipient and "gmail.com" is the
domain name.
If the domain name of the recipient's email address is different from
the sender's domain name, then the Mail Submission Agent (MSA) will send
the mail to the Mail Transfer Agent (MTA). To relay the email, the MTA
must find the target domain. It checks the MX record in the Domain Name
System to locate the target domain's mail exchange server. The MX record
contains the domain name and IP address of the recipient's domain. Once
the record is located, the MTA connects to that exchange server to relay
the message.
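As an added example that is not part of the original answer, here is the server side of the SMTP dialogue from step 2 as a small Python state machine, together with the username/domain split and the MX choice of step 3 over a constructed MX table. The hostnames, addresses and MX records are all made up; the reply codes (220, 250, 354, 503, 550) are the standard SMTP ones.

```python
import re

# Constructed MX data standing in for the DNS lookup of step 3 (not a real zone).
MX_RECORDS = {"example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")]}

def split_address(addr):
    """'vivek@example.com' -> ('vivek', 'example.com'): username and domain name."""
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"malformed address: {addr!r}")
    return local, domain.lower()

def choose_relay(addr):
    """The MTA relays to the recipient domain's MX host with the lowest preference value."""
    records = MX_RECORDS.get(split_address(addr)[1])
    return min(records)[1] if records else None

class SmtpServer:
    """Server side of an SMTP session as a state machine; handle() returns the reply line."""
    ADDR_RE = re.compile(r"<([^>]*)>")

    def __init__(self, hostname="mx1.example.com", local_domains=("example.com",)):
        self.hostname, self.local_domains = hostname, local_domains
        self.state = "connected"        # connected -> greeted -> mail -> rcpt -> data
        self.mailbox = []               # accepted messages: (sender, recipients, body)
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.body = None, [], []

    def handle(self, line):
        if self.state == "data":                      # client is sending the message body
            if line == ".":                           # a lone dot ends the body
                self.mailbox.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self._reset()
                self.state = "greeted"
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None                               # the server stays silent during the body
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "greeted"
            return f"250 {self.hostname} Hello {arg}"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if self.state == "connected":
            return "503 Bad sequence of commands: send HELO/EHLO first"
        if verb in ("MAIL", "RCPT"):
            m = self.ADDR_RE.search(arg)
            if not m:
                return f"501 Syntax: {verb} {'FROM' if verb == 'MAIL' else 'TO'}:<address>"
        if verb == "MAIL":
            self._reset()
            self.sender, self.state = m.group(1), "mail"
            return "250 OK"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 Need MAIL command first"
            domain = m.group(1).rpartition("@")[2].lower()
            if domain not in self.local_domains:      # refuse to act as an open relay
                return "550 Relay not permitted"
            self.recipients.append(m.group(1))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Need RCPT command first"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command not recognized"

def run_session(client_lines, server=None):
    """Drive one session; return the transcript of both sides as (who, line) pairs."""
    server = server or SmtpServer()
    transcript = [("S", f"220 {server.hostname} ESMTP ready")]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, server
```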

6. Attempt any TWO of the following:12

(a) Explain any three criteria for classification of information.


Ans. Classification of information is a fundamental process in information security and data management
that helps protect sensitive data from unauthorized access, disclosure, or misuse. It involves categorizing
data based on its sensitivity, value, and impact on the organization or individuals if disclosed or altered.
Proper classification helps in applying appropriate security measures and controls to safeguard the data.
Criteria for Classification of Information
There are several criteria used to classify information, but three key criteria include:
1. Confidentiality
2. Integrity
3. Availability

Each of these criteria plays a vital role in determining how information should be protected and managed.
Let’s delve into each of these criteria in detail:
1. Confidentiality
Confidentiality refers to the need to protect information from unauthorized access and disclosure. It
ensures that sensitive information is only accessible to those who are authorized to view it. The
classification of information based on confidentiality helps identify the levels of sensitivity of the data
and prevents exposure to individuals or entities without the required permissions.
 Classification Levels: Information can be classified into various levels, such as Public, Internal
Use Only, Confidential, and Highly Confidential/Restricted.
o Public: Information that is meant for public distribution, such as press releases or
marketing materials.
o Internal Use Only: Information that is intended for internal use within an organization,
such as internal memos or meeting notes.
o Confidential: Information that could cause damage to the organization or individuals if
disclosed, such as personal employee information or business strategies.
o Highly Confidential/Restricted: Information that is extremely sensitive and could cause
severe damage if disclosed, such as financial records, intellectual property, or trade
secrets.
 Example: In a healthcare organization, patient medical records are classified as Highly
Confidential because their disclosure could lead to personal harm, legal issues, and regulatory
penalties.
 Security Measures: Confidentiality of information is often ensured through access controls,
encryption, and strong authentication mechanisms. Access to highly confidential data should be
restricted to only those with a need-to-know basis.
2. Integrity
Integrity refers to the need to ensure that information is accurate, complete, and unaltered. It guarantees
that data is not tampered with, modified, or destroyed, either intentionally or unintentionally. Integrity
classification is crucial for maintaining the trustworthiness and reliability of the information.
 Classification Levels: Information can be classified into levels based on the impact of data
alteration:
o Low: Minor modifications to the data will have little to no impact on the organization or
individuals.
o Medium: Modifications can cause disruptions, miscommunication, or errors that require
correction.
o High: Any change or loss of integrity could have severe consequences, such as financial
losses or safety risks.
 Example: In a financial institution, transaction records are classified with a High Integrity
requirement because any modification could result in incorrect account balances, fraudulent
transactions, and financial losses.
 Security Measures: Integrity is maintained using checksums, hashing, digital signatures, and
version control mechanisms. Regular audits and monitoring can detect and prevent unauthorized
alterations.
3. Availability
Availability ensures that information is accessible and usable upon demand by an authorized entity.
Classification based on availability helps identify critical systems and data that must be accessible to
ensure business continuity and operational efficiency.
 Classification Levels: Information can be classified into levels based on the impact of its
unavailability:
o Low: Temporary unavailability of the information has little to no effect on operations or
users.
o Medium: Unavailability could disrupt operations and require additional time or resources
to restore access.
o High: Unavailability could lead to severe business disruptions, financial loss, or even
life-threatening situations.
 Example: In an e-commerce platform, the availability of the website and payment processing
system is classified as High because any downtime would directly impact sales, revenue, and
customer satisfaction.
 Security Measures: Availability is ensured through redundancy, load balancing, failover
mechanisms, backup solutions, and protection against Denial-of-Service (DoS) attacks. Regular
testing of disaster recovery plans and continuity strategies is also essential.

(b) Describe COBIT framework with neat sketch.


Ans.
COBIT stands for “Control Objectives for Information and related
Technology”. It is a framework that was developed by ISACA
(Information Systems Audit and Control Association). It is a set of
guidance material for IT governance that helps organizations manage their
requirements, technical issues, and business risks.
COBIT connects IT initiatives with business requirements, monitors
and improves IT management practices, and ensures quality control
and reliability of information systems in an organization.
COBIT is organized into four domains:
• Plan and Organize: This domain addresses the direction for solutions
and the information architecture, managing IT investments, and assessing
risks, quality, and projects.
• Acquire and Implement: This domain acquires and maintains
application software and technology infrastructure, develops as
well as maintains procedures and manages changes, and implements
desired solutions and passes them on to be turned into services.
• Deliver and Support: This domain defines and manages service
levels, ensures the security of the system, educates or trains, and
advises users. It receives solutions and makes them usable for end
users.
• Monitor and Evaluate: This domain monitors the processes, assesses
internal control capability, obtains independent assurance, and
provides for independent audit.
Principles of COBIT:
• Providing the service of delivering the information that an organization
requires.
• Undesired events will be prevented, detected, and corrected.
• Managing and controlling IT resources using a structured set of
processes.
• Fulfilling clients' requirements.

(c) Explain policies, configuration & limitations of firewall in detail.


Ans. Policies of firewall:
a) All traffic from inside to outside and vice versa must pass through the
firewall. To achieve this, all other access to the local network must first be
physically blocked, and access only via the firewall should be
permitted. Only traffic allowed by the local security policy should be
let through.
b) The firewall itself must be strong enough to render attacks on it
useless.
Configuration of firewall
There are 3 common firewall configurations.
1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual homed bastion configuration
3. Screened subnet firewall configuration
1. Screened host firewall, single-homed bastion configuration
In this type of configuration a firewall consists of the following parts:
(i) A packet filtering router
(ii) An application gateway.
The main purpose of each part is as follows:
• The packet filter is used to ensure that incoming data is allowed only
if it is destined for the application gateway, by verifying the destination
address field of each incoming IP packet. It also performs the same task
on outgoing data by checking the source address field of each outgoing
IP packet.
• The application gateway is used to perform authentication and proxy
functions. Here internal users are connected to both the application
gateway and the packet filter; therefore, if the packet filter is
successfully attacked, the whole internal network is opened to the attacker.

Fig single homed bastion configuration


2. Screened host firewall, dual-homed bastion configuration
To overcome the disadvantage of the screened host firewall, single-homed
bastion configuration, another configuration is available, known
as the screened host firewall, dual-homed bastion. In this, direct
connections between internal hosts and the packet filter are avoided.
Instead, the packet filter connects only to the application gateway,
which has a separate connection with the internal hosts. Now if the
packet filter is successfully attacked, only the application gateway is
visible to the attacker, which protects the internal hosts.

Fig dual homed bastion configuration


3. Screened subnet firewall configuration
It provides the highest security among all firewall configurations. It is
an improved version over all the available schemes of firewall
configuration. It uses two packet filters, one between the internet and the
application gateway and another between the application gateway and
the internal network. Thus this configuration presents three levels of
security that an attacker has to break through.

Fig Screened subnet firewall configuration
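An added example (not part of the answer) that encodes the rules of the screened-host single-homed bastion and screened-subnet configurations above, together with the DMZ rule from question 5(b) that the DMZ host may never initiate a session back into the private network. The addresses, ports and network layout are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the private network, and the bastion host that serves as the
# application gateway / DMZ host.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION = ipaddress.ip_address("192.0.2.10")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True on the first packet of a new TCP session

def zone(ip):
    """Which side of the firewall an address belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr == BASTION:
        return "bastion"
    return "internal" if addr in INTERNAL_NET else "internet"

class OuterFilter:
    """Packet filter between the Internet and the gateway (the single-homed bastion rule):
    inbound packets only if addressed to the gateway, outbound only if sent by the gateway."""

    def decide(self, p):
        src, dst = zone(p.src), zone(p.dst)
        if src == "internet":
            return "allow" if dst == "bastion" else "deny"
        if dst == "internet":
            return "allow" if src == "bastion" else "deny"
        return "deny"

class InnerFilter:
    """Second filter of the screened-subnet configuration (gateway <-> internal network).
    It also enforces the DMZ property: the gateway may only answer sessions that internal
    hosts opened, never start one of its own towards the private network."""

    def __init__(self):
        self.sessions = set()      # (internal host, its port, gateway port) opened from inside

    def decide(self, p):
        src, dst = zone(p.src), zone(p.dst)
        if src == "internal" and dst == "bastion":
            if p.syn:
                self.sessions.add((p.src, p.sport, p.dport))
            return "allow"
        if src == "bastion" and dst == "internal":
            return "allow" if (p.dst, p.dport, p.sport) in self.sessions else "deny"
        return "deny"

class ScreenedSubnet:
    """A packet must pass every filter whose boundary it crosses."""

    def __init__(self):
        self.outer, self.inner = OuterFilter(), InnerFilter()

    def decide(self, p):
        zones = {zone(p.src), zone(p.dst)}
        if len(zones) < 2:
            return "deny"          # same-zone traffic never transits the firewall
        verdicts = []
        if "internet" in zones:
            verdicts.append(self.outer.decide(p))
        if "internal" in zones:
            verdicts.append(self.inner.decide(p))
        return "allow" if all(v == "allow" for v in verdicts) else "deny"
```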


Limitations: (one mark)
1. Firewalls do not protect against inside threats.
2. Packet filter firewalls do not provide any content-based filtering.
3. Protocol tunneling, i.e. sending data of one protocol inside another
protocol, negates the purpose of the firewall.
4. Encrypted traffic cannot be examined and filtered.
