Question
Section A:
Brief Essay Questions 1-4 (Answer ANY Two (2) Questions 20 points each)
1. a. Why is phishing, and social engineering generally, difficult to address or prevent with technological controls? [5 points]
b. An internet site starts distributing a program that causes a popular word processor to email a copy of every file it produces to a specific email address. Is this a vulnerability, an exploit, or a security incident? [5 points]
c. Briefly explain the Cyber-Risk function below: {Threats, Vulnerability, Asset Value} [5 points]
d. What is a hash function, and what can it be used for? [5 points]
2. a. A banking systems analyst is reported to be siphoning a customer's account. Briefly discuss whether this is a vulnerability, an exploit or a security incident. [5 points]
b. Based on the Asset Value, briefly discuss the statement: Computer security should be periodically reassessed. You may be guided by the urgency and criticality of the information assets. [5 points]
c. Briefly discuss the extent to which insiders or frenemies may pose security challenges to the organization. [5 points]
d. What is a cryptographic key, and what is it used for? [5 points]
3. a. What is an open port? Why is it important to limit the number of open ports a system has to only those that are absolutely essential? [5 points]
b. Discuss some pertinent Internet and Network attacks, and provide measures to mitigate those attacks. [5 points]
c. As a security functionary, you've been called upon to advise the local Small Business Owners' Association on zero-day vulnerabilities, pirated software and patch management. Clearly discuss the key points that you would raise, enumerate and dilate upon with them. [10 points]
4. a. What are computer viruses and worms, and how do they attack computers? [5 points]
b. For each of the following assets, examine and assign a low, moderate or high impact level for the loss of confidentiality, integrity and availability respectively. Justify your answers. [9 points]
i. An organization managing public information on its web server.
ii. A law enforcement organization managing extremely sensitive investigative information.
iii. A financial organization managing routine administrative information (not privacy-related information).
c. Consider the first step of the common attack methodology, which is to gather publicly available information on possible targets. Briefly discuss how an attacker or a social engineer could utilize tailgating, phishing, SMiShing and vishing in executing this step. [6 points]
Section B: Essay Questions 5-7 (Answer ANY Question 30 points)
5. a. Covid-19 has re-introduced the need for telecommuting amongst public sector employees in Ghana. Examine why it is important to consistently enforce security policy and not go easy on these telecommuting network users? [15 points]
b. A renowned cyber-security consultant, Charles Cresson Wood has said that Information Security is basically people and management issues, rather than a technology issue. In summary, Cyber-security is a business concern, and not a technical problem. The above statement underscores the business value of security; carefully evaluate the statement with its implications. [15 points]
6. a. A new organization is yet to be fully launched into operation, and you have been asked to assess their systems and resources and compile a detailed and comprehensive IT Risk Assessment Report for them. Discuss how you would accomplish this task and present a report that can guide them in making strategic decisions on mitigating the potential risks. Name your company and discuss what it does. [20 points]
b. Briefly discuss the four (4) key protection mechanisms of deterrence, prevention, detection and response. [10 points]
7. a. Kontonkyi Rural Bank (KRB) is a mid-range bank with over 30 branches connected to a centralized computing system. A couple of the branches are connected via leased lines and others use Multiprotocol Label Switching (MPLS). Each branch has a variety of client computers and ATMs connected to a server. The server stores the branch's daily transaction data and transmits it several times during the day to the centralized system. Tellers at each branch use a four-digit numeric password, and each Teller's computer is transaction-coded to accept only its authorized transactions. As the System Administrator, perform a risk assessment. [20 points]
b. Three (3) major concerns of system developers and users are disaster (as a disruption of normal business functions), security and human errors. Of these three, which do you think is most difficult to deal with? Why? [10 points]
SUBJECT: COMPUTER SECURITY