Dec 1998 SC223: Computer Security (Question 1)

(a)	Describe two common methods for preventing attacks on computers, and in each case give one disadvantage of the approach.	[6]
	One mark should be awarded for each valid point, a further mark should be awarded for each satisfactory elaboration, and one mark should be awarded for a suitable disadvantage (up to a maximum of six marks). Examples include the following: Individual screening (1 mark). This involves checking the personal attributes of individuals who might potentially attack the system in question (1 mark). A drawback of this approach is that if unworthy individuals pass the screening process, then attacks may still be possible (1 mark). Physical security (1 mark). This involves securing the environment surrounding the system in question (1 mark). A drawback of this approach is that such measures are useless if the system can be remotely accessed (1 mark). Care in operations (1 mark). This involves individuals being careful in their day-to-day activities in order to prevent common attacks (1 mark). A drawback of this approach is that some users may be lax in their efforts, which may lead to potential problems (1 mark). Other sensible answers should also receive credit.
(b)	List three security-related functions which are performed by an operating system.	[3]
	One mark should be awarded for each valid point. Examples include the following: Authentication of users. Protection of memory. File and i/o device access control. Enforcement of sharing. Allocation and access control to general objects. Guarantee of fair service. Inter-process communication and synchronisation. Other sensible answers should also receive credit.
(c)	Give one example of each of the following types of attack:	[3]
	One mark should be awarded for each valid example. Examples include the following:
	(i) Pest programs.
	An example of a pest program is a Trojan horse attack.
	(ii) External masquerading.
	An individual tapping into a communications medium, recording the information which is being transferred, and then playing back the information at a later date.
	(iii) External information theft.
	An individual glancing at a colleague’s terminal to gain access to information to which they are not entitled. Other sensible answers should also receive credit.
(d)	Describe two benefits associated with careful risk analysis.	[4]
	One mark should be awarded for each valid point, a further mark should be awarded for each satisfactory elaboration (up to a maximum of four marks). Examples include the following: Improves awareness (1 mark). Discussing issues of security can raise the general level of interest and concern among employees (1 mark). Identifies assets, vulnerabilities, and controls (1 mark). Some companies are unaware of their computing assets and the vulnerabilities associated with them (1 mark). Justifies expenditure for security (1 mark). A careful risk analysis can help to identify instances which are worth the expense of a major security mechanism and also the much larger risks from not spending money on security (1 mark). Other sensible answers should also receive credit.
(e)	Describe two approaches to minimising disaster risk.	[4]
	One mark should be awarded for each valid point, a further mark should be awarded for each satisfactory elaboration (up to a maximum of four marks). Examples include the following: Avoid it (1 mark). Protect the equipment and data against any kind of risk and include protective measures against instances such as natural disasters and sabotage (1 mark). Reduce it (1 mark). It is not always possible to completely eliminate a risk; in such circumstances, the risk should be minimised as much as possible (1 mark). Control it (1 mark). Should the disaster occur, despite the best efforts to avoid it or minimise the risk associated with it, the damage should be controlled as much as possible (1 mark). Other sensible answers should also receive credit.