THIS PAPER IS NOT TO BE REMOVED FROM THE EXAMINATION HALLS

UNIVERSITY OF LONDON

MSc Examination
For External Students

INFORMATION SECURITY

Secure Electronic Commerce and other Applications

Friday 16th May 2008

Time allowed: 2 hours

DO NOT TURN OVER UNTIL TOLD TO BEGIN

Candidates should answer THREE questions from the following FIVE questions.

PLEASE TURN OVER


© University of London 2008
Question 1

a) Define the term digital identity and briefly specify three roles it
plays in application security. [4]

b) Explain the difference between an identity and an entity and
give an example of a human and a non-human entity commonly
found in applications. [3]

c) Identify and briefly explain two potential problems when
conducting an identity audit if a digital identity has been deleted
rather than disabled. [4]

d) Define the term phishing attack and briefly explain what phase of
identity management might be most effective in the prevention
of such an attack. [4]

e) Explain the term attack tree and provide an example of an
attack tree that describes a phishing attack. In your example
specify whether the tiers of the attack tree are linked using AND
or OR logic. [5]

f) Explain how the concept of the attack surface relates to an
attack tree. [2]

g) Explain why the use of an attack tree is particularly helpful in the
analysis of complex attacks such as phishing. [3]
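Worked example for parts (e) to (g), added by the editor and not part of the examination paper. It builds a small phishing attack tree with explicit AND/OR gates, evaluates the cheapest attacker path (OR picks the least costly child, AND sums every child), lists the leaves as the attack surface, and shows how raising the cost of one leaf (a control) changes the attacker's best path. The tree shape and the cost figures are constructed for illustration.

```python
"""Attack-tree evaluation with AND/OR gates, illustrated on a phishing attack.

A leaf carries an estimated attacker cost (constructed figures). An OR node
costs the cheapest child, because the attacker needs only one of the
alternatives; an AND node costs the sum of its children, because every
step is required.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf
    cost: float = 0.0                   # leaf cost; ignored for gate nodes
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaves used) for the subtree at node."""
    if node.is_leaf():
        return node.cost, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    if node.gate == "AND":
        total = sum(r[0] for r in results)
        leaves = [leaf for r in results for leaf in r[1]]
        return total, leaves
    raise ValueError(f"unknown gate {node.gate!r} on node {node.name!r}")


def attack_surface(node: Node) -> List[str]:
    """Every leaf of the tree: the entry points a defender has to consider."""
    if node.is_leaf():
        return [node.name]
    return [leaf for c in node.children for leaf in attack_surface(c)]


def mitigate(node: Node, leaf_name: str, added_cost: float) -> None:
    """Model a control by raising the cost of one leaf throughout the tree."""
    if node.is_leaf():
        if node.name == leaf_name:
            node.cost += added_cost
        return
    for c in node.children:
        mitigate(c, leaf_name, added_cost)


def phishing_tree() -> Node:
    # Root goal uses AND: the attacker must both reach the victim with a lure
    # and harvest the credentials. Each sub-goal offers OR alternatives.
    return Node("Obtain user's banking credentials", "AND", children=[
        Node("Deliver lure to victim", "OR", children=[
            Node("Send spoofed email", cost=10),
            Node("Send SMS with link", cost=30),
            Node("Compromise trusted site to inject link", cost=500),
        ]),
        Node("Harvest credentials", "OR", children=[
            Node("Fake login page on look-alike domain", "AND", children=[
                Node("Register look-alike domain", cost=20),
                Node("Host clone of bank login page", cost=40),
            ]),
            Node("Malware keylogger via attachment", cost=300),
        ]),
    ])


if __name__ == "__main__":
    tree = phishing_tree()
    print("attack surface:", attack_surface(tree))
    print("cheapest path before control:", cheapest_path(tree))
    # Control: make look-alike domain registration expensive (e.g. monitoring
    # and takedown), then re-evaluate to see the attacker's next-best path.
    mitigate(tree, "Register look-alike domain", 1000)
    print("cheapest path after control:", cheapest_path(tree))
```

Re-evaluating after `mitigate` is the point of the exercise: the control on one branch does not remove the goal, it shifts the attacker to the keylogger branch, which is what makes the tree useful for reasoning about a multi-step attack such as phishing.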

Question 2

a) There are a number of threats that can be specifically applied to
applications.

i) Explain, using examples, why the threat categories of
tampering and information disclosure are relevant to web
applications. [2]

ii) Why are application data verification mechanisms helpful in
protecting an application against these threats? [2]

b) Briefly explain two threats that can exploit weaknesses in the
management of application administration information. [4]

c) Select two types of testing found in application development and,
using an example for each, explain how they might specifically help
identify the weaknesses in the management of application
administration information. [6]

d) In the context of application security, explain the role of risk assessment
in configuration and change management. [2]

e) “plan do check act” are the generic stages assigned to a continuous
management process loop. Explain, including brief examples, how
these four stages apply to the process of incident management. [4]

f) Explain the term feedback loop in the context of application security
management. Identify four feedback loops present in the incident
management process and the information that each outputs. [5]
Question 3

a) TETRA is a form of Private Mobile Radio. Briefly explain the term Private
Mobile Radio. [2]

b) Explain why error extension is a problem for TETRA communications and
in what ways it affects the use of block and stream ciphers in TETRA. [4]

c) Give an example of a successful stream cipher synchronisation
mechanism deployed in TETRA and state the positive and negative
implications of using this mechanism. [4]

d) Why is TETRA’s implicit authentication regarded as continuous, whereas
explicit authentication is not? [3]

e) Loss from information security incidents can be presented as a
probability of losing a certain amount of revenue.

i) Explain the term risk appetite. [1]

ii) Explain why calculating losses in terms of the probability of
losing a certain amount of revenue helps to quantify risk
appetite. [2]

f) Calculating loss from information security incidents requires the output
of a specific security management process.

i) What information security management process can be used
to calculate loss from an information security incident? [1]

ii) How can the probability of losing a certain amount of revenue
be calculated using the output of this security management
process? [6]

g) List two decision criteria, in addition to loss from information security
incidents, for justifying security control expenditure. [2]
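Worked example for parts (e) and (f), added by the editor and not part of the examination paper. It assumes the management process in question is risk assessment, whose output is a list of scenarios each with an annual probability and a revenue impact; the scenarios and figures below are constructed for illustration. Treating scenarios as independent, the code enumerates every combination of occurring and non-occurring scenarios to obtain the exact distribution of total annual loss, and from it the probability of losing at least a chosen amount, which is then compared with a stated risk appetite.

```python
"""From risk-assessment output to "probability of losing at least X".

Each scenario is (name, annual probability of occurrence, loss if it
occurs). Scenarios are assumed independent. With a handful of scenarios the
2**n combinations can be enumerated exactly; for larger registers the same
idea is usually done by Monte Carlo sampling.
"""
from itertools import product
from typing import Dict, List, Tuple

Scenario = Tuple[str, float, float]   # (name, annual probability, loss)

# Constructed illustrative figures, not taken from any real assessment.
SCENARIOS: List[Scenario] = [
    ("phishing leads to account takeover", 0.30, 50_000),
    ("web application data breach",        0.10, 200_000),
    ("payment service outage (DoS)",       0.20, 80_000),
]


def loss_distribution(scenarios: List[Scenario]) -> Dict[float, float]:
    """Map each possible total annual loss to its probability."""
    dist: Dict[float, float] = {}
    for outcome in product((False, True), repeat=len(scenarios)):
        p = 1.0
        loss = 0.0
        for happened, (_, prob, impact) in zip(outcome, scenarios):
            p *= prob if happened else (1.0 - prob)
            if happened:
                loss += impact
        dist[loss] = dist.get(loss, 0.0) + p
    return dist


def annual_loss_expectancy(scenarios: List[Scenario]) -> float:
    """The usual single-number summary: sum of probability times impact."""
    return sum(prob * impact for _, prob, impact in scenarios)


def prob_loss_at_least(scenarios: List[Scenario], threshold: float) -> float:
    """P(total annual loss >= threshold), read off the exact distribution."""
    return sum(p for loss, p in loss_distribution(scenarios).items()
               if loss >= threshold)


def within_appetite(scenarios: List[Scenario], threshold: float,
                    max_prob: float) -> bool:
    """Risk appetite stated as: at most max_prob chance of losing >= threshold."""
    return prob_loss_at_least(scenarios, threshold) <= max_prob


if __name__ == "__main__":
    print("ALE:", annual_loss_expectancy(SCENARIOS))
    for loss, p in sorted(loss_distribution(SCENARIOS).items()):
        print(f"loss {loss:>9,.0f}  probability {p:.3f}")
    print("P(loss >= 100,000):", round(prob_loss_at_least(SCENARIOS, 100_000), 3))
    # Appetite: no more than a 10% chance of losing 100,000 or more in a year.
    print("within appetite:", within_appetite(SCENARIOS, 100_000, 0.10))
```

The point of the exceedance probability rather than the expectancy alone is visible in the output: the ALE is well under 100,000, yet there is roughly a 15% chance of a year in which losses reach that figure, so a board that states its appetite as "no more than 10% chance of losing 100,000" would reject this position even though the average looks acceptable.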

Question 4

a) Explain the advantages and disadvantages of using a smart card for
user authentication to an electronic healthcare record system. [6]

b) What smart card features help to protect against fraud? [4]

c) How could the anti-fraud protection measures found in a smart card be
used to guard against fraudulent prescriptions in an electronic
healthcare record system? [4]

d) In terms of an electronic payment system explain the terms on-line
payment system, off-line payment system and semi-online payment
system. How might you classify the payment system application EMV
and why? [6]

e) Describe the steps in the electronic payment model that corresponds
to conventional bank transfer payments and name this model. In
what ways is this model different to the one that corresponds to
conventional debit advice payments? [5]

Question 5

a) Briefly explain what is meant by a trust relationship in a payment system
and explain the trust mechanisms in a cash based payment system. In
your explanation include a description of at least two techniques for
implementing trust in a cash based payment system. [5]

b) Describe three ways in which payment schemes engender trust. [3]

c) Explain the acronyms CVM and CAM and provide two examples of
each. [6]

d) In EMV why is the cost of the card increased when Dynamic Data
Authentication (DDA) is used? What are the weaknesses in Static Data
Authentication which might justify this cost and how does DDA address
them? [6]

e) Explain the message flow when EMV invokes on-line authentication. In
your answer briefly explain the purpose of each message. [5]

END OF PAPER