15 big Questions with Answers


DEPARTMENT OF COMPUTER SCIENCE AND BUSINESS SYSTEMS

YEAR & SEM: III & V

Subject Code and Name: CW3551- Data and Information Security


Big Questions with answer
UNIT 1 – INTRODUCTION
PART B
1. Illustrate briefly about SDLC waterfall methodology and its relation in respect to
information security. (Nov/Dec 2023)

It is the most important phase and it begins with an examination of the event or plan that
initiates the process.
During this phase, the objectives, constraints, and scope of the project are specified.
• Investigation
• Analysis
• Logical Design
• Physical Design
• Implementation
• Maintenance and change

2. Infer about Information Security Project Team. (Nov/Dec 2023)

• Champion
• Team Leader
• Security policy developers
• Risk assessment specialists
• Security Professionals
• System Administrators
• End users
3. Discuss in detail the NSTISSC security model.
National Security Telecommunications & Information Systems Security Committee
document.
It is now called the National Training Standard for Information Security
Professionals.
The NSTISSC Security Model provides a more detailed perspective on security.

4. Explain the Components of an Information System.

• Software
• Hardware
• People
• Data
• Procedures
• Networks
5. What are the phases in the Security Systems development life cycle (SSDLC)?
Explain in detail.
The Secure Systems Development Lifecycle (SSDLC) defines security requirements and
tasks that must be considered and addressed within every system, project or application that
is created or updated to address a business need.

UNIT II SECURITY INVESTIGATION


PART B
1. List the Computer Security Hybrid Policies and explain. (Nov/Dec 2023)

Hybrid policies in computer security refer to a combination of different types of security
models or policies that integrate various elements to create a more robust and flexible
security system.

Some are
• Role-Based Access Control (RBAC) + Discretionary Access Control (DAC)
• Mandatory Access Control (MAC) + Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC) + Attribute-Based Access Control (ABAC)

2. Describe the types of Computer Security. (Nov/Dec 2023)

• Network Security. Most attacks occur over the network, and network security
solutions are designed to identify and block these attacks. ...
• Cloud Security
• Endpoint Security
• Mobile Security
• IoT Security
• Application Security
• Zero Trust

3. Explain about Access Control Matrix in detail.
An access control matrix is a table that defines access permissions between
specific subjects and objects. A matrix is a data structure that acts as a table lookup
for the operating system.
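As an added example (not part of the original notes), the following Python sketches the matrix as the table lookup described above: subjects are rows, objects are columns, each cell holds a set of rights, and a row read out is a capability list while a column read out is an access control list. The subject, object and right names are constructed sample data.

```python
# Added example: a minimal access control matrix used as a table lookup.
# Subjects are rows, objects are columns, cells hold sets of rights.
# All names below (alice, bob, backup_svc, payroll.db, web.log) are constructed.
from typing import Dict, FrozenSet, Iterable, Set


class AccessControlMatrix:
    """Maps (subject, object) to the set of rights the subject holds on the object."""

    def __init__(self, subjects: Iterable[str], objects: Iterable[str]) -> None:
        self.subjects = list(subjects)
        self.objects = list(objects)
        # Default-deny: every cell starts empty until a right is granted.
        self._cells: Dict[str, Dict[str, Set[str]]] = {
            s: {o: set() for o in self.objects} for s in self.subjects
        }

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[subject][obj].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[subject][obj].difference_update(rights)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Reference-monitor decision: an unknown subject or object is denied."""
        return right in self._cells.get(subject, {}).get(obj, set())

    def capability_list(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """One row of the matrix: what this subject may do to each object."""
        return {o: frozenset(r) for o, r in self._cells[subject].items() if r}

    def access_control_list(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """One column of the matrix: which subjects hold rights on this object."""
        return {s: frozenset(self._cells[s][obj])
                for s in self.subjects if self._cells[s][obj]}


def sample_matrix() -> AccessControlMatrix:
    """Constructed sample: two users and a backup service over two objects."""
    acm = AccessControlMatrix(["alice", "bob", "backup_svc"], ["payroll.db", "web.log"])
    acm.grant("alice", "payroll.db", "read", "write")
    acm.grant("bob", "web.log", "read")
    acm.grant("backup_svc", "payroll.db", "read")
    acm.grant("backup_svc", "web.log", "read")
    return acm


if __name__ == "__main__":
    m = sample_matrix()
    print(m.check("alice", "payroll.db", "write"))   # True
    print(m.check("bob", "payroll.db", "read"))      # False (empty cell)
    print(m.access_control_list("payroll.db"))       # column: alice, backup_svc
```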
4. Write about different Policies in Detail.
• Security policies
• Confidentiality policies
• Integrity policies
• Hybrid policies
5. Explain in detail the different types of attacks.
An attack is an act or action that takes advantage of a vulnerability to compromise a
controlled system.
Attack Replication Vectors
1. IP scan & attack
2. Web browsing
3. Virus

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION


PART A
1. Describe digital signature algorithm and show how signing and verification is done
using DSS. Provide example for the same. (Nov/Dec 2023)

The Digital Signature Algorithm (DSA) is a cryptographic algorithm used to generate and
verify digital signatures, ensuring the authenticity and integrity of digital messages or
documents.

The primary purpose of DSA is to provide a means for authenticating the sender of a message
and ensuring that the message has not been altered during transmission. It is commonly used
in various security protocols, including SSL/TLS, and is a key component of digital
certificates.

2. Explain the format of the X.509 certificate. Provide any one real time case study for
the use of X.509 certificate. (Nov/Dec 2023)
An X.509 digital certificate is a certificate-based authentication security framework that can be
used for providing secure transaction processing and private information. These are primarily
used for handling security and identity in computer networking and internet-based
communications.

3. Explain briefly about Kerberos.
Kerberos provides a centralized authentication server whose function is to authenticate users
to servers and servers to users. In Kerberos, an Authentication Server and a database are used for
client authentication. Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC). Each user and service on the network is a principal.
The main components of Kerberos are:

• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the Ticket
Granting Service.
• Database:
The Authentication Server verifies the access rights of users in the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.

4. Explain Elgamal Digital Encryption Scheme.
The ElGamal encryption algorithm is a key method in modern cryptography. It provides a
secure way to send data and create digital signatures using public and private keys. Its
security is based on complex math problems, making it reliable.
5. Outline the working of X.509 certificate along with its format.
X.509 certificates are used to authenticate users in virtual private network (VPN)
connections. Document Signing: X.509 certificates are used to sign electronic documents,
providing assurance that the document is from a trusted source and has not been modified
since it was signed.

UNIT IV E-MAIL AND IP SECURITY


PART B

1. Explain in detail about architecture of IP Security. Depict how email message could
be sent secured with a neat example. (Nov/Dec 2023)
The IPSec (IP Security) architecture utilizes two protocols to protect traffic or data transfers.
These protocols are ESP (Encapsulating Security Payload) and AH (Authentication Header).
The IPSec Architecture includes protocols, algorithms, DOI, and key management.
2. Explain the operation description of PGP. Provide real time case study for
understanding its real time working. (Nov/Dec 2023)

PGP uses the public key system in which every user has a unique encryption key known
publicly and a private key that only they know. A message is encrypted when a user sends it
to someone using their public key, then decrypted when the recipient opens it with their
private key.
3. Explain S/MIME operational descriptions, message content types and enhanced
security services.
S/MIME - Secure Multipurpose Internet Mail Extension. S/MIME is compatible with
most enterprise email clients. In simple terms, S/MIME is an encryption protocol used
to digitally sign and encrypt an email to ensure that the email is authenticated and its
content is not altered.
4. Illustrate email architecture and explain its protocols.
Email clients use Mail Access protocols like the POP/ IMAP protocols to retrieve/
sync emails from the server. Basically, mail access protocols are used to download or
sync emails from the server. Email clients use transfer protocol - the SMTP protocol to
transfer/ send emails through the server.
5. Illustrate the ESP along with its modes.
Encapsulating Security Payload, abbreviated as ESP, plays a very important role in
network security. ESP is an individual protocol in
IPSec. ESP is responsible for the CIA triad of security (Confidentiality, Integrity,
Availability), which is considered significant only when encryption is carried along
with them. Securing all payload/ packets/ content in IPv4 and IPv6 is the responsibility
of ESP.
UNIT V WEB SECURITY
PART B
1. Describe the SSL Architecture in detail and explain how it helps in maintaining
secure end-to-end Communication. (Nov/Dec 2023)

Secure Socket Layer (SSL) provides security to the data that is transferred between web
browser and server. SSL encrypts the link between a web server and a browser, which ensures
that all data passed between them remains private and free from attack. In this article, we are
going to discuss SSL in detail, its protocols, the salient features of SSL, and the versions of
SSL.

2. Describe the working of SET with neat diagram and elaborate its role in transaction
processing. (Nov/Dec 2023)

Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the
integrity and security of transactions conducted over the internet. E-commerce websites
implemented this early protocol to secure electronic payments made via debit and credit
cards.
SET blocks out all personal details on the card, preventing hackers and data thieves from
accessing or stealing the cardholder's information. The merchant also cannot see these
personal details, which are transferred directly to the credit card company for
user authentication and verification.
3. Explain about S-HTTP.
Also known as HTTPS, this is an extension of Hypertext Transport Protocol (HTTP) that
provides security services for transaction confidentiality, authenticity and integrity between
HTTP servers and clients.
4. List the parameters of session state in TLS. Explain briefly.
The parameters that define an SSL/TLS session state include: Session ID: A unique identifier
assigned by the server to a particular SSL/TLS session, which allows the client to resume the
session later without the need for a full handshake.
5. Explain about Heartbeat protocol.
A heartbeat protocol is generally used to negotiate and monitor the availability of a resource,
such as a floating IP address, and the procedure involves sending network packets to all the
nodes in the cluster to verify its reachability. The Heartbeat <0> is useful for monitoring the
status of the communication link and to identify when the last of a string of messages was not
received. When either end of a FIX connection has not sent any data for [HeartBtInt <108>]
seconds, it will transmit a Heartbeat <0> message.
