TKK | Networking Laboratory | Studies | S-38.153

Example questions for S-38.153, spring 2005

The following questions are examples of possible exam questions. They are not provided as reading guidance but as an illustration of the kind of questions the exam will contain.

The list is a work in progress; more questions will be added later.

  1. What are the three components of information security?
  2. Using the five-step evaluation of a security mechanism, evaluate the following mechanisms (firewall, smart card, fingerprint reader, ...) in the following usage scenarios (company internal network, AAA system, disk encryption, ...).
  3. What assets does (a company selling goods over the Internet, a stock broker, ...) have to protect?
  4. Consider (a mobile operator, access to call records, ...). What kinds of mechanisms should be implemented for prevent, detect and respond/recover?
  5. See (additional material; news item). Why did security fail?
  6. Why may system security not improve when a new security mechanism is implemented?
  7. What is the relation between security policy, specification, assurance and implementation?
  8. You need to decide on sufficient security for (a customer database, warehouse database, bookkeeping database, ...). What kind of analysis would you select?
  9. Consider the assets in the following table. Rank each column (confidentiality, integrity, availability) from 5 to 1 (ultimate importance to marginal importance).
  10. Why is denial of service hard to protect against in the current Internet?
  11. To defeat phishing, it has been proposed that common sites start signing the email they send. Why do you think this has not taken place?
  12. Consider the security requirements for medical records. Some proposals have embedded health information in a smart card, where it can be read by physicians. How does this relate to a centralised database? What are the strengths and weaknesses of each method?
  13. You are buying a new GPS receiver from a previously unknown Internet shop using your credit card. What kinds of assumptions do you make about security? What if you pay by advance bank transfer? What possibilities do you have to confirm your assumptions?
  14. Why may mandatory access control not work as a generic access control method?
  15. Explain Kerckhoffs' design principles for an encryption system.
  16. What are the design principles for encryption?
  17. Why are stream ciphers popular in communications?
  18. Why are asymmetric ciphers slow?
  19. Explain the different modes of operation for block ciphers. Give a scenario for each mode.
  20. Why are message digest algorithms important?
  21. Encryption can be applied at several layers of communication. Give the strengths and weaknesses of each layer.
  22. Why is PKI not widely deployed?
  23. Explain Kerberos 5 authentication. Why is there no need to place much trust in each computer?
  24. What methods can be used for authentication? What are the threats to authentication?
  25. How can authentication be defeated?
  26. What kinds of costs are incurred by implementing company-wide authentication?
  27. Compare the following authentication methods (password, smart card, fingerprint, ...).
  28. Compare the following authentication methods with respect to recovery of the authenticator (password, smart card, fingerprint, ...).
  29. How do FAR and FRR relate to each other?
  30. Explain how an authentication method can be used for denial of service.
  31. Describe the GSM security system.
  32. Describe the UMTS security system.
  33. What advances are there in UMTS compared to GSM?
  34. How can IPsec be implemented?
  35. Describe the relations between the IPsec databases.
  36. What security threats are there in Mobile IP? Why is route optimisation so complex?
  37. What types of firewalls exist?
  38. What threats does a firewall protect against, and which does it not?
  39. Describe an intrusion prevention system.
  40. Describe an intrusion detection system.
  41. Why is it difficult to trace back an attacker in IP networks? Why is this much easier in the POTS network?
  42. Why is denial of service a much easier attack than others?
  43. What kinds of attacks are possible against routing protocols?
  44. Why is the government interested in information security?
  45. According to Finnish law, what is identification data, and who has the right to process it and for what purposes?
  46. Are the following cases allowed by Finnish legislation:
  47. Analyse the Ficora regulation 11/2004M (attached) on email: what problems does it solve and what new problems may it generate?
  48. Build a threat tree for (case, possibly with additional material). Based on the analysis, propose security improvement(s).
  49. What kinds of malicious code exist? How can one protect against each type?
  50. What kind of assurance does one get from penetration testing?
  51. Analyse the following threats using the STRIDE classification.
  52. Why are the highest levels of system evaluation rare in commercial systems?
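
Question 29 asks how FAR and FRR relate to each other. As an added example that is not part of the course page, the Python script below sweeps the acceptance threshold of a score-based verifier (for instance a fingerprint matcher) over constructed match scores. It shows that the two rates move in opposite directions as the threshold changes, finds the operating point where they cross (the equal error rate), and reports what false rejection rate a chosen FAR bound costs. The score lists, the threshold grid and the function names are assumptions made for illustration, not data from any real matcher.

```python
"""FAR/FRR trade-off of a score-based verifier, computed on constructed scores."""
from typing import List, Optional, Tuple

# Constructed matcher output for illustration only (not measured data): each value
# is the similarity score of one verification attempt, higher = more similar.
# Genuine = the enrolled person, impostor = somebody else presenting a sample.
GENUINE_SCORES = [0.62, 0.71, 0.75, 0.80, 0.83, 0.85, 0.88, 0.90, 0.93, 0.97]
IMPOSTOR_SCORES = [0.10, 0.22, 0.35, 0.41, 0.48, 0.55, 0.60, 0.66, 0.72, 0.78]

Row = Tuple[float, float, float]  # (threshold, FAR, FRR)


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: share of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: share of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[float], impostor: List[float], steps: int = 100) -> List[Row]:
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1 in ascending order."""
    return [(t / steps, far(impostor, t / steps), frr(genuine, t / steps))
            for t in range(steps + 1)]


def equal_error_rate(genuine: List[float], impostor: List[float], steps: int = 100) -> Row:
    """Operating point where FAR and FRR are closest: the equal error rate (EER).
    A lower EER means the matcher separates genuine from impostor scores better."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, steps: int = 100) -> Optional[Row]:
    """Lowest threshold whose FAR <= max_far, together with the FRR that choice costs.
    Raising the threshold can only lower FAR and raise FRR, so the first hit in an
    ascending sweep is the most user-friendly setting that still meets the bound."""
    for row in sweep(genuine, impostor, steps):
        if row[1] <= max_far:
            return row
    return None  # bound not reachable on this grid


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"threshold {t:.1f}: FAR {a:.2f}  FRR {r:.2f}")
    print("EER point (threshold, FAR, FRR):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("Tightest setting with FAR = 0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With the constructed scores the rates cross at threshold 0.72 (FAR = FRR = 0.2), and demanding FAR = 0 pushes the threshold to 0.79 and the FRR to 0.3: every tightening that keeps impostors out also locks out more legitimate users, which is the relation the question asks about. A security engineer picks the threshold from the FAR bound the asset demands and then budgets for the resulting FRR (help-desk load, fallback authentication), rather than tuning for the EER alone.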

This page is maintained by Webmaster and Markus Peuhkuri.
Last update on the page 2005-05-10 11:55
URL: http://www.netlab.tkk.fi/opetus/s38153/k2005/questions.shtml