Chapter 3 Set 11111


Topic 3

Web Security
[December 2018]
The web presents us with some security issues that may not be present in other networks. State
FOUR (4) security issues presented when using the web: 4
• Two-way systems
• Multiple types of communication
• Importance to business
• Complex software
• Multiple connections to a server
• Untrained users
• Transmission over a public network

[December 2018]
Internet Protocol Security (IPSec) provides security at the IP layer for other TCP/IP protocols and
applications to use. There are four steps for an IPSec connection. State the FOUR (4) steps.
4
• Agree a set of security protocols
• Decide on an encryption algorithm
• Exchange the keys
• Use the agreed protocols, algorithm and keys to encode data and send it across the
network

[December 2018] [September 2017]

Internet Protocol Security (IPSec) has TWO (2) core protocols. State them both, giving their full name
and acronym. 2

• Authentication Header (AH)
• Encapsulating Security Payload (ESP)

[September 2017] [Sept 2018]

State the second core IPSec protocol including the full name and acronym and state TWO (2) ways
in which it differs from AH. 3
• Encapsulating Security Payload (ESP)
• AH ensures integrity but not privacy
• Datagram can be further protected using ESP
• Encrypts the payload of the IP datagram

[September 2017] [Sept 2018]

Internet Protocol Security (IPSec) provides security for other TCP/IP protocols and applications to use.
One IPSec Core Protocol is the IPSec Authentication Header (AH). State THREE (3) actions the AH
provides. 3

• Provides authentication services
• Verifies the originator of a message
• Verifies that the data has not been changed en route
• Provides protection against replay attacks
Topic 3 Page 1
[Sept 2018] [June 2017]
1) Below is a diagram of the Open Systems Interconnection (OSI) 7 layer model for open
networks. Complete the corresponding diagram to show how the TCP/IP model is used over the
Internet. 4

[September 2017]

IPSec also has another core protocol, Encapsulating Security Payload (ESP). State TWO (2) security
services it provides. 2
• Authentication
• Integrity
• Confidentiality

[Dec 2017] [March 2018] [March 19]

1) State what TCP/IP stands for and its core purpose. 2


• Transmission Control Protocol/Internet Protocol. The basic purpose is as a
communication language or protocol of the Internet.

2) Produce a diagram to demonstrate how TCP/IP fits with other common Internet protocols in a
protocol stack. Your table should be illustrated by showing named protocols. 6
3) Produce a diagram to demonstrate how Transport Level Security (TLS) fits with other common
Internet protocols in a protocol stack. Your table should be illustrated by showing named
protocols. 6

Transport layer security (TLS)
Simple mail transport protocol (SMTP)
Hypertext Transfer Protocol (HTTP)
Secure Sockets Layer (SSL)
4) TLS is typically implemented as Secure Sockets Layer (SSL). What is an SSL Connection? 2

• SSL connections are peer-to-peer relationships
• These SSL connections are transient, only last for a certain length of time and each
connection is associated with a session

[June 2017]

Internet Protocol Security (IPSec) provides security at the Internet Protocol (IP) layer for other TCP/IP
protocols and applications to use. There are four steps for an IPSec connection. State what the FOUR
(4) steps are. 4

• Agree a set of security protocols
• Decide on an encryption algorithm
• Exchange the keys
• Use the agreed protocols, algorithm and keys to encode data and send it across the
network

[December 2016]
1) TLS is a security protocol developed from SSL. Explain what is meant by the acronym TLS and
briefly explain the primary purpose of TLS/SSL. 2

• TLS = Transport Layer Security
• Originally developed by Netscape in 1995 to provide secure and authenticated
connections between browsers and servers

2) List THREE (3) security services provided by TLS. For each security service, explain how it
works. 6

• Authentication of Server (and possibly Client) via Digital Certificate
• Confidentiality of the message transmitted via Encryption
• Integrity via Message Digest

3) In April 2014, the ‘Heartbleed’ security bug was disclosed. It was a vulnerability in the
implementation of TLS in the OpenSSL Library. It was believed to leave around half a million
secure Internet web servers open to attack.
One of your friends says that this information proves that the ‘Web is broken and TLS must be
redesigned’.
Do you agree with this assessment? Explain your answer. 2

• It is an implementation bug, not a design flaw
• It has been fixed by a patch, so the Web is not broken

September 2016
You are the IT manager of an insurance company that provides laptop computers to its sales
employees. You are concerned about the confidentiality, integrity and availability of information on the
laptop.

1) Provide ONE (1) example of how confidentiality of information could be compromised on a
laptop and explain TWO (2) methods of how you would reduce the risk of it happening. 5

• Malware is downloaded to the laptop and exfiltrates the data.
• The laptop is used by a friend or family member who views the information.
• Install anti-malware, ensure it is automatically updated and schedule scans to
detect and remove malware infections.
• Employ disk encryption such as BitLocker, which uses AES to encrypt the volume, so
loss of the PC does not compromise confidentiality of data.
• Employ file encryption or file passwords to reduce the risk of confidentiality /
integrity compromise, so files cannot be understood.
• Ensure automatic updates for Windows / application software to remove
vulnerabilities when patched.

2) Provide ONE (1) example of how availability of information could be compromised on a laptop
and explain ONE (1) method of how you would reduce the risk of it happening. 3

• Backup on exchangeable media, available to other devices.
• Cloud-based storage of information, available to other devices.

3) Provide ONE (1) example of how integrity of information could be compromised on a laptop and
explain ONE (1) method of how you would reduce the risk of it happening. 2

• E.g. hardware failure: disk corruption
• Control: backup to external media.

June 2016
Your friend wishes to set up an E-commerce site for her business and she is worried about security. In
particular, she is worried that:
Customers might not trust her website – a cyber-criminal may have set up a ‘spoof site’
Customers’ credit card details could be stolen by intercepting traffic on the Internet.

She has been told that TLS is a possible solution but does not understand what it means.

1) What does TLS stand for? 1

• TLS: Transport Layer Security

2) Explain how TLS helps customers trust that her website is authentic. 4

• TLS employs a Digital Certificate on the E-commerce Server which is bound to her
domain
• The browser checks validity of the Certificate and indicates validity by a green
padlock / URL / https

3) Explain how TLS helps ensure credit card details transmitted to the E-commerce server cannot
be easily stolen. You should discuss the TLS handshake. 5

• Data is encrypted

TLS Handshake
• Browser requests certificate with Public Key
• Browser generates Symmetric (session) Key
• And then encrypts it with the public key, sending it to the Server
• Server decrypts with Private Key
• And then uses the Symmetric (session) Key for all subsequent data exchange.

December 2015
1) TLS is a widely used security protocol. Explain how it provides Confidentiality, Integrity and
Authentication. 3
• Confidentiality: Through Encryption of data (Asymmetric & Symmetric)
• Integrity: Message authentication code (MAC) is used for data integrity.
• Authentication: Through Signatures and Certificates

2) Explain how the handshake mechanism ensures a symmetric key is securely distributed to both
a browser and a web server. 6
• Browser requests certificate from Server.
• Browser generates session (symmetric) key, encrypts it with the Server public key
and sends it to the server.
• Server decrypts the session key with its private key and the session is established; the
symmetric session key is used for subsequent data encryption.
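The handshake described in this answer and in the June 2016 answer above (browser fetches the server's public key, generates a symmetric session key, wraps it with the public key, server unwraps it with the private key, both then encrypt and MAC data with the session key), as an added Python example that is not part of the original answer sheet. It uses a constructed toy RSA key pair with small primes and a constructed SHA-256 counter-mode stream cipher in place of real TLS cipher suites; `SERVER_PUBLIC_KEY`, `seal`, `unseal` and `handshake_and_send` are names chosen here.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair (small, well-known primes) for illustration only; real TLS
# uses a 2048-bit or larger key from the certificate, and the private key never leaves the server.
P, Q = 104729, 1299709
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)
SERVER_PRIVATE_KEY = (N, D)

def rsa_encrypt(public_key, m):
    return pow(m, public_key[1], public_key[0])

def rsa_decrypt(private_key, c):
    return pow(c, private_key[1], private_key[0])

def keystream(key, length):
    """Toy stream cipher keystream: SHA-256 in counter mode (stands in for a TLS cipher)."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(session_key, plaintext):
    """Encrypt with the session key, then append an HMAC tag (the MAC that gives integrity)."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(session_key, len(plaintext))))
    return ciphertext + hmac.new(session_key, ciphertext, hashlib.sha256).digest()

def unseal(session_key, record):
    ciphertext, tag = record[:-32], record[-32:]
    expected = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # reject altered records before decrypting
        raise ValueError("record altered in transit: MAC check failed")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(session_key, len(ciphertext))))

def handshake_and_send(card_details):
    """Walk through the handshake steps from the answer sheet, then send one protected record."""
    # 1. Browser requests the certificate and takes the server's public key from it.
    # 2. Browser generates a random symmetric (session) secret.
    secret = secrets.randbelow(N)
    # 3. Browser encrypts the secret with the public key and sends it to the server.
    wrapped = rsa_encrypt(SERVER_PUBLIC_KEY, secret)
    # 4. Server decrypts with its private key; both sides derive the same session key.
    browser_key = hashlib.sha256(secret.to_bytes(8, "big")).digest()
    server_key = hashlib.sha256(rsa_decrypt(SERVER_PRIVATE_KEY, wrapped).to_bytes(8, "big")).digest()
    # 5. All subsequent data exchange is protected with the symmetric session key.
    return unseal(server_key, seal(browser_key, card_details))

if __name__ == "__main__":
    print(handshake_and_send(b"card 4111 1111 1111 1111 exp 12/27"))  # constructed sample, not real data
```

An interceptor sees only `wrapped` and the sealed record, and any change to the record fails the MAC check; note that TLS 1.3 replaced this RSA key transport with ephemeral Diffie-Hellman key exchange so that a later private-key compromise cannot unwrap old sessions.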

3) Draw a diagram to show where TLS fits in relation to the TCP/IP model 1

