
Tutorial 5 - Access Control and Authentication

BSc Applied Business Computing- Year 2
Information Security: Tutorial 5
Students are expected to attempt all questions in this tutorial sheet.
1) Is the physical access control security adequate for your school? Observe the physical access
controls that are in place: locked doors, CCTV cameras, types of locks, security of computer
equipment, placement of equipment, etc. Next, address any weaknesses that you think may
result in vulnerabilities. Your discussion should also include how the physical access control
security can be improved. Write a one-page report.
2) Locate at least three password policies on the Internet. Then, create two password policies
yourself. The first should be for your personal accounts, and the second should be for passwords
at your workplace or school. Be sure to include minimum password length, password expiration,
password reuse, using special characters, etc. Then, share your policies with three other users
for their reaction. Do their passwords meet your policy standards? What recommendations
would they have regarding the policies?
3) Consider the use of login passwords as a method of providing user authentication.
a) Your login is under threat from intruders, who are trying to guess your password. Explain,
giving reasons, the types of password that you should NOT use.
- Names of things/people that are important to you, like a child’s name or their date of birth.
- Easy character combinations like qwerty or 12345.
- A phrase you like to say.
b) The operating system needs to store all user passwords in some format, to allow passwords
to be checked during login. What methods can be used to avoid the password file itself
being a security risk?
- Encrypting the password file.
- Using administrator access to open the file.
- Hiding the file.
c) An intruder may try to break into a computer system by repeatedly attempting to login with
different values for a user’s password. What techniques can be used to counter this form of
attack?
- Locking the system when too many password attempts have failed.
- Making sure to use a complex password that cannot be easily guessed.
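The two answers above (protecting the stored password file, and countering repeated guessing) can be seen together in a small login module. This is an added illustration, not part of the tutorial sheet or its answers; the iteration count, lockout threshold, lockout period and the user name "alice" are assumptions chosen for the example. Passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, so the password file alone does not reveal any password, and each account is locked for a period after too many consecutive failures.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the example (the 2023 OWASP figure for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields).
    A fresh random salt per password defeats precomputed (rainbow) tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Hash checked for unknown user names, so a failed login costs the same time
# whether or not the account exists (avoids user-name enumeration by timing).
DUMMY_HASH = hash_password("not-a-real-password")


class LoginGuard:
    """Verifies logins against a password file (dict of user -> stored record) and
    locks an account for LOCKOUT_SECONDS after MAX_FAILURES consecutive failures.
    The current time is passed in so the behaviour is deterministic and testable."""

    MAX_FAILURES = 5        # assumed threshold
    LOCKOUT_SECONDS = 900   # assumed lockout period (15 minutes)

    def __init__(self, password_file: dict):
        self.password_file = password_file
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked"."""
        if self.locked_until.get(username, 0) > now:
            return "locked"
        stored = self.password_file.get(username)
        if stored is None:
            verify_password(DUMMY_HASH, password)  # same cost as a real check
            ok = False
        else:
            ok = verify_password(stored, password)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample password file with one account.
    users = {"alice": hash_password("correct horse battery staple")}
    guard = LoginGuard(users)
    for _ in range(5):
        print(guard.attempt("alice", "password123", now=0.0))   # denied x4, then locked
    print(guard.attempt("alice", "correct horse battery staple", now=10.0))    # locked
    print(guard.attempt("alice", "correct horse battery staple", now=1000.0))  # ok
```

The stored record carries its own salt and iteration count, so the work factor can be raised later without rewriting old entries all at once; the constant-time comparison and the dummy check for unknown users are the two details most often missed when this is written from scratch.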
4) The ACME oil company has just built a new data center to store all the financial transactions
between the oil distribution centers. You are the Chief Security Officer (CSO) in the company,
and you need to make sure that no unauthorized physical access is allowed to the data servers.
You are approached by a company that produces biometric locks to restrict physical access.
a) Biometric access controls in general are more expensive than other electronic access
controls. Which arguments would you use in your presentation to management in defense
of your choice? (1 paragraph).
- Using biometrics as access controls removes the need for passwords, which can be easily
stolen or hacked, giving access to unauthorized users and compromising the entire system.
- Using biometrics ensures high security clearance with more convenience, as there’s no need
for smartcards and keys, helps avoid duplication and fraud, all while saving the time needed to
create password databases.
b) After the implementation of the biometric controls, you get a call from security that one of
the employees refuses to have her iris information used by a biometric control. Her main
argument is: if someone steals her iris information, he can log in to other systems
masquerading as her. Since she cannot change her iris, she will be vulnerable to this attack
for the rest of her life. What measures have you taken to reassure her?
5) Logical access control includes access control lists, group policies, account restrictions and
passwords. Explain access control lists and group policy.
6) Methods of password attacks include the brute force attack, the dictionary attack, and the rainbow
table attack. Briefly explain each type of attack.
7) What is the principle of least privilege? Why is it important?
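Questions 5 and 7 fit together in one worked example: an access control list is evaluated for a user through the groups they belong to, and the same data is then used for a least-privilege review. This is an added illustration written for this tutorial, not part of the sheet; the users, groups, the "payroll" resource and the usage record are constructed sample data. The evaluation rule (any matching deny entry overrides allow entries, rights accumulate from all matching entries) is the behaviour of a Windows-style DACL and is stated here as an assumption rather than as any particular system's exact algorithm.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ACE:
    """One access control entry: who it applies to, allow or deny, and which rights."""
    principal: str            # a user name, or "group:<name>"
    allow: bool               # True = allow entry, False = deny entry
    rights: FrozenSet[str]    # e.g. {"read", "write"}


@dataclass
class ACL:
    entries: List[ACE] = field(default_factory=list)


# Constructed directory: user -> groups (sample data, not from the tutorial).
GROUPS: Dict[str, Set[str]] = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
    "carol": {"staff", "contractors"},
}


def principals_for(user: str) -> Set[str]:
    """The identities an ACE can match for this user: the user plus each group."""
    return {user} | {"group:" + g for g in GROUPS.get(user, set())}


def effective_rights(acl: ACL, user: str) -> Set[str]:
    """Rights granted by matching allow entries minus rights in any matching deny entry."""
    ps = principals_for(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl.entries:
        if ace.principal in ps:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def check_access(acl: ACL, user: str, right: str) -> bool:
    return right in effective_rights(acl, user)


# Constructed ACL for a "payroll" share: staff may read, finance may also write,
# contractors are explicitly denied even though they are also staff.
PAYROLL_ACL = ACL([
    ACE("group:staff", True, frozenset({"read"})),
    ACE("group:finance", True, frozenset({"read", "write"})),
    ACE("group:contractors", False, frozenset({"read", "write"})),
])


def unused_rights(acl: ACL, usage: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Least-privilege review: for each known user, which effective rights were never
    exercised according to a usage record (user -> rights actually used)."""
    report = {}
    for user in GROUPS:
        unused = effective_rights(acl, user) - usage.get(user, set())
        if unused:
            report[user] = unused
    return report


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, sorted(effective_rights(PAYROLL_ACL, u)))
    # Constructed usage record: alice only ever read the share.
    print(unused_rights(PAYROLL_ACL, {"alice": {"read"}, "bob": {"read"}}))
```

Carol is in "staff", which would grant read, but the deny entry for "contractors" wins, which is exactly the case a reviewer should look for when explaining why entry order and precedence matter. The review function shows least privilege as an ongoing check rather than a one-off setting: alice holds a write right the record says she never used, so it is a candidate for removal.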
8) Using examples, differentiate between behavioral biometrics and cognitive biometrics.
9) To address the weakness in standard biometrics, new types of biometrics known as behavioral
biometrics have been developed. Briefly discuss keystroke dynamics, voice recognition and
computer footprinting.
10) What is the purpose of a defense-in-depth strategy?
11) An attacker sees a building is protected by security guards, and attacks a building next door with
no guards. What control combination are the security guards?
12) Your company has hired a Third-party company to conduct a penetration test. Your CIO would
like to know if exploitation of critical business systems is possible. The two requirements the
company has are:
1. The tests will be conducted on live, business functional networks. These networks must be
functional in order for business to run and cannot be shut down, even for an evaluation.
2. The company wants the most in depth test possible.
What kind of test should be recommended? In your discussion you should include
comprehensive discussions of zero-knowledge, partial-knowledge, and full-knowledge tests.
13) Identify a facility or an IT environment that you can visit (e.g. Botswana Accountancy College).
Study the environment; what assets are being protected? What controls can you find that are
used to protect assets? Write down all of the controls that you can find and describe how they
protect assets. If possible, have an employee give you a tour of the environment. What
additional controls can be found? When you list the controls that you find, identify their type:
detective, preventive, deterrent, compensating, recovery, corrective, or mitigating. Identify any
additional controls that could be implemented to further protect assets.
14) Describe the following access control categories: detective controls, deterrent controls,
preventive controls, corrective controls, recovery controls, compensating controls.