1(a) Briefly describe the following:
i. Computer Security:
It is the protection of computer systems from theft, damage, unauthorized access, and disruption
of services. It ensures confidentiality, integrity, and availability of information.
ii. Network Security:
This is the process of protecting data during transmission across networks by preventing
unauthorized access, misuse, or malfunction using firewalls, encryption, and intrusion detection
systems.
iii. Internet Security:
It focuses on protecting online activities, transactions, and communication from cyber threats
such as malware, phishing, and hacking.
1(b) Itemize at least 3 reasons why an organization needs to protect its computer system:
1. To prevent data theft or unauthorized access.
2. To ensure business continuity and avoid downtime.
3. To protect the integrity and confidentiality of sensitive information.
2(a) Describe incident response and list 3 of its key objectives:
Incident response:
It is a structured approach for handling and managing the aftermath of a security breach or
cyberattack to minimize damage and recovery time.
Key objectives:
1. Detect and contain the security incident.
2. Minimize damage and reduce recovery cost/time.
3. Restore normal operations quickly.
2(b) Explain 5 reasons why incident response is important:
1. Helps minimize the impact of security breaches.
2. Ensures quick recovery from attacks.
3. Protects organizational data and reputation.
4. Helps identify and fix vulnerabilities.
5. Ensures legal and regulatory compliance.
3(a) List 3 reasons why traditional computers must be protected:
1. They store sensitive and confidential data.
2. They are vulnerable to malware and hacking attacks.
3. They are critical to the operation of many organizations.
3(b) Write short notes on the following:
i. Attack:
An attempt by hackers or malicious users to compromise system security or data integrity.
ii. Threat:
Any potential danger or event that can exploit a vulnerability to harm a system.
iii. Vulnerability:
A weakness or flaw in a system that can be exploited by a threat or attacker.
iv. Social Networking:
Online platforms that allow people to interact and share information, which can be exploited for
phishing, identity theft, or spreading malware.
4. Network Intrusion Detection (NID):
Definition:
It is a cybersecurity technology that monitors network traffic in real time to detect and respond
to unauthorized or suspicious activities.
Main goal:
To identify and stop malicious activities or policy violations early before damage occurs.
Categories:
1. Network-based IDS (NIDS): Monitors traffic on the entire network.
2. Host-based IDS (HIDS): Monitors activity on a specific computer or device.
5. Common Types of Cyberattacks (at least 5):
1. Phishing: Tricking users into revealing sensitive information.
2. Malware attack: Using malicious software to harm or steal data.
3. Denial of Service (DoS): Overloading a system to make it unavailable.
4. Man-in-the-Middle (MITM): Intercepting communication between two parties.
5. Ransomware: Encrypting files and demanding payment to restore access.
6. Smartphone Security
Meaning:
Smartphone security is the protection of mobile devices from unauthorized access, data theft, and
malware.
Five ways to secure your mobile phone:
1. Use strong passwords, PINs, or biometric locks.
2. Install apps only from trusted stores (Google Play, App Store).
3. Keep your operating system and apps updated.
4. Avoid connecting to unsecured public Wi-Fi.
5. Install and update antivirus or mobile security apps.
Question 1: Discuss common security threats and vulnerabilities in software systems.
Answer:
Common security threats include:
1. Malware: Harmful software like viruses or ransomware that damages data.
2. Phishing: Fake messages that trick users into revealing personal details.
3. SQL Injection: Attackers insert code into input fields to access a database.
4. Denial of Service (DoS): Overloading a system to make it crash.
5. Man-in-the-Middle: Intercepting data during transmission.
Question 2: Discuss the concept of defense in depth and its role in layered security.
Answer:
Defense in Depth means using several layers of security to protect data. If one layer fails, others
still protect the system.
Example: Combining firewall, antivirus, passwords, and encryption.
Role:
1. Reduces risk of total system compromise.
2. Slows down attackers.
3. Provides backup protection if one layer fails.
Question 3: Discuss Digital Signature as a mitigation technique that can be used to fight
against a data tampering threat.
Answer:
A digital signature is an electronic mark used to confirm that a file or message is genuine and
not altered.
It uses cryptography to verify the sender and protect data integrity.
Question 4: Define the CIA Triad and explain its significance in software security.
Answer:
The CIA Triad stands for:
1. Confidentiality: Keeping data private using passwords or encryption.
2. Integrity: Making sure data is accurate and not changed.
3. Availability: Ensuring systems are accessible when needed.
✅ Significance:
The CIA Triad forms the foundation of security: every system must protect data privacy,
accuracy, and access.
Question 5: Discuss scenarios where maintaining confidentiality, ensuring integrity or
availability is crucial.
Answer:
1. Confidentiality:
In banking systems, customer details must be hidden from unauthorized users.
2. Integrity:
In hospitals, patient records must stay correct and unchanged.
3. Availability:
In online shopping, websites must stay active for customers anytime.
✅ Each part of the CIA Triad protects information in different real-life situations.
Question 6: Discuss how breaches in confidentiality, integrity or availability can impact
software systems and organizations.
Answer:
1. Breach of Confidentiality:
When private data is exposed, users lose trust and the company may face legal issues.
Example: A hacker leaks customer passwords online.
2. Breach of Integrity:
When data is changed or corrupted, decisions made from it become wrong.
Example: Altered financial records cause wrong reports.
3. Breach of Availability:
When systems are down, users can’t access services, leading to losses.
Example: A DoS attack shuts down an online store.
✅ Impact: It leads to financial loss, damaged reputation, and legal consequences.
Question 7: Discuss the benefits of incorporating security early in the development process
to reduce vulnerabilities and associated costs.
Answer:
1. Early Detection: Security issues are found before software is released.
2. Lower Cost: Fixing problems early is cheaper than after deployment.
3. Better Quality: Ensures a stronger, safer, and more reliable system.
4. User Trust: Users feel safe using the software.
✅ Including security from the start reduces risks and saves time and money.
Question 8: Explain each threat and vulnerability, and how they can be exploited and their
potential impact.
Answer:
1. Threat: A danger that can harm a system.
Example: Malware attack, phishing, or data theft.
2. Vulnerability: A weakness attackers exploit.
Example: Weak password or unpatched software.
Exploitation:
Attackers use these weaknesses to steal data, install malware, or crash systems.
Impact:
It can lead to loss of data, system downtime, and reputation damage.
✅ A secure system must find and fix vulnerabilities early.
Question 9: Discuss the importance of secure defaults and secure by design principles in
software security.
Answer:
• Secure Defaults: Systems should start with safe settings (e.g., strong password rules).
• Secure by Design: Security is built into the system from the beginning, not added later.
Importance:
1. Reduces user mistakes.
2. Prevents easy attacks.
3. Ensures long-term safety.
✅ These principles make systems strong and safe by default.
Question 10: Explain how starting with secure defaults and designing with security in mind
can prevent vulnerabilities.
Answer:
When systems begin with secure settings and are built with safety in mind:
1. Common attacks are blocked from the start.
2. Users are guided to follow safe practices.
3. Vulnerabilities are fewer because developers think about threats early.
✅ Security-first design helps stop many problems before they happen.
Question 11: Discuss the CIA triad, defining each component (Confidentiality, Integrity,
and Availability) and their significance in software security.
Answer:
The CIA Triad is the foundation of information security. It includes:
1. Confidentiality:
Protects information from unauthorized access.
Example: Using passwords and encryption.
2. Integrity:
Ensures information is accurate and not changed by attackers.
Example: Using digital signatures or checksums.
3. Availability:
Ensures systems and data are accessible when needed.
Example: Backups and recovery plans.
✅ Significance:
The CIA triad helps developers design secure systems that protect data privacy, correctness, and
access at all times.
Question 12: What is Phishing, and what strategies can be used to defend against it?
Answer:
Phishing is a cyberattack where fake emails or websites trick users into giving personal
information like passwords or credit card details.
Example:
A user gets an email pretending to be from their bank asking for login details.
Defense Strategies:
1. Be cautious of unknown links or attachments.
2. Verify email senders before replying.
3. Use spam filters and updated antivirus software.
4. Educate users about phishing signs.
✅ Summary:
Phishing relies on human error, so awareness and strong email security help stop it.
Question 13: Differentiate between Symmetric and Asymmetric Encryption (Public-Key
Cryptography).
Answer:
1. Symmetric Encryption:
Uses one key for both encryption and decryption.
Example: AES.
✅ It is fast but requires safe key sharing.
2. Asymmetric Encryption:
Uses two keys – a public key to encrypt and a private key to decrypt.
Example: RSA.
✅ It is slower but more secure for data exchange.
✅ Difference:
Symmetric = one shared key.
Asymmetric = public and private keys for secure communication.
Question 14: Discuss the stages of the SDLC.
Answer:
The Software Development Life Cycle (SDLC) has key stages:
1. Planning: Define goals and security needs.
2. Analysis: Study requirements and risks.
3. Design: Create secure architecture and models.
4. Development: Write code with secure practices.
5. Testing: Check for bugs and security issues.
6. Deployment: Release the software safely.
7. Maintenance: Update and fix security flaws.
✅ Summary:
Each stage includes security to prevent risks before release.
Question 15: Discuss the purpose, sequence, planning, design, development, testing,
deployment, and maintenance in SDLC.
Answer:
• Purpose: To build reliable, secure software in steps.
• Sequence: Follows a clear order from planning to maintenance.
Phases:
1. Planning: Identify goals and resources.
2. Design: Outline system structure and security features.
3. Development: Write code with best practices.
4. Testing: Find errors and vulnerabilities.
5. Deployment: Launch the application safely.
6. Maintenance: Keep improving and updating the software.
✅ Security is added at each stage to ensure safe and quality software.
Question 16: Explain using visual aids (like flowcharts or diagrams) the typical phases and
their interrelationships within the SDLC.
Answer:
The Software Development Life Cycle (SDLC) follows a step-by-step process.
Each phase connects to the next, and feedback can move backward if needed.
📘 Flow (Text Format):
Planning → Analysis → Design → Development → Testing → Deployment → Maintenance
Explanation:
1. Planning: Set project goals.
2. Analysis: Study user and system needs.
3. Design: Plan how the system will work securely.
4. Development: Write and build the software.
5. Testing: Find and fix errors or security issues.
6. Deployment: Release software to users.
7. Maintenance: Keep updating and improving security.
Question 17: Identify the benefits of incorporating security early in the development
process to reduce vulnerabilities and associated costs.
Answer:
1. Early Detection: Security issues are found before release.
2. Lower Cost: Fixing problems during coding is cheaper than after deployment.
3. Better Software Quality: Fewer bugs and attacks after launch.
4. Compliance: Meets legal and industry security standards.
5. User Trust: Users feel safer using secure applications.
Question 18: What are Secure Coding Practices and why are they essential?
Answer:
Secure Coding Practices are methods developers use to write safe, attack-resistant code.
Examples: Input validation, proper error handling, and avoiding weak passwords.
Importance:
1. Prevents common attacks like SQL injection and XSS.
2. Reduces system vulnerabilities.
3. Improves reliability and trust.
Question 19: Mention any three (3) different types of malware (software designed to harm
or exploit systems) and discuss them.
Answer:
1. Virus: Attaches to files and spreads when files are opened.
Example: Corrupts data or slows down computers.
2. Worm: Spreads automatically through networks.
Example: Uses network weaknesses to copy itself.
3. Ransomware: Locks files and demands payment to unlock.
Example: Encrypts important business data.
Question 20: Explain the importance of integration of security testing (e.g., code review,
penetration testing) into the testing phase of the SDLC.
Answer:
Integrating security testing helps find weaknesses before deployment.
Examples:
• Code Review: Checks code for errors and unsafe logic.
• Penetration Testing: Simulates attacks to find weak points.
Importance:
1. Detects vulnerabilities early.
2. Prevents real-world attacks.
3. Improves software quality and safety.
Question 21: What is a Firewall and how does it work?
Answer:
A Firewall is a security tool that controls incoming and outgoing network traffic based on set
rules.
How It Works:
• It acts as a barrier between a trusted network (like your computer) and untrusted
networks (like the internet).
• It allows safe traffic and blocks harmful or unauthorized access.
Example:
A firewall can block hackers or malware from entering a company’s network.
Question 22: Explain the concept of Intrusion Detection Systems (IDS) and Intrusion
Prevention System (IPS).
Answer:
1. Intrusion Detection System (IDS):
• Monitors network or system activities for suspicious behavior.
• Example: Alerts admins when it detects an attack attempt.
2. Intrusion Prevention System (IPS):
• Detects and automatically blocks threats in real time.
• Example: Stops malicious packets before they reach the system.
✅ Difference:
IDS detects and alerts; IPS detects and blocks.
✅ Summary:
Both IDS and IPS help monitor and protect networks from attacks.
Question 23: Explain the differences between authentication and authorization and
describe their roles in access control.
Answer:
• Authentication: Confirms a user’s identity.
Example: Logging in with a username and password.
• Authorization: Decides what an authenticated user is allowed to do.
Example: A user may view data but not edit it.
Roles in Access Control:
They ensure only the right people access the right resources.
✅ Summary:
Authentication = “Who are you?”
Authorization = “What can you do?”
Question 24: Explain the importance of secure coding practices and the role they play in
mitigating security risks.
Answer:
Secure coding means writing code that is safe from common attacks.
Importance:
1. Prevents vulnerabilities like SQL injection or XSS.
2. Protects data and users from hackers.
3. Builds trust and system reliability.
Question 25: What is Two-Factor Authentication (2FA) and why is it important?
Answer:
Two-Factor Authentication (2FA) adds an extra step to verify a user’s identity.
How It Works:
You log in with a password (something you know) and a code sent to your phone (something
you have).
Importance:
1. Makes it harder for attackers to access accounts.
2. Protects users even if passwords are stolen.
Question 26: Discuss common security risks, such as input validation, output encoding, and
error handling.
Answer:
1. Input Validation:
Ensures only correct data is accepted.
Example: Prevents attackers from entering harmful code in a form.
✅ Risk: Without validation, hackers can run commands (like SQL injection).
2. Output Encoding:
Converts data before showing it on a webpage.
Example: Prevents attackers from injecting scripts (XSS attacks).
3. Error Handling:
Shows friendly messages without exposing system details.
Example: Hiding technical errors that could help attackers.
Question 27: Explain how to identify and avoid common coding vulnerabilities, including
SQL injection, XSS, CSRF, and buffer overflows.
Answer:
1. SQL Injection:
• Attackers insert harmful SQL code in inputs.
• Prevention: Use prepared statements or parameterized queries.
2. Cross-Site Scripting (XSS):
• Attackers inject scripts into web pages.
• Prevention: Use output encoding and input validation.
3. Cross-Site Request Forgery (CSRF):
• Tricks users into performing unwanted actions.
• Prevention: Use security tokens and session checks.
4. Buffer Overflow:
• Occurs when a program writes more data to a memory buffer than it can hold.
• Prevention: Validate input length and use safe coding functions.
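The SQL injection and XSS preventions from Questions 26 and 27, as an added example that is not part of the original notes: a login query built by string concatenation beside its parameterized form, and output encoding of a user comment. The table, accounts, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample inputs for this example.
SQLI_INPUT = "' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts (plaintext passwords
    only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def login_vulnerable(conn, name, password):
    """Unsafe: input is pasted into the SQL text, so quotes in the input
    become part of the query and can change its logic."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchall()


def login_parameterized(conn, name, password):
    """Safe: placeholders keep the input as data; the query text is fixed."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def render_comment(comment: str) -> str:
    """Output encoding: <, >, & and quotes become HTML entities, so the
    browser displays the text instead of running it as markup."""
    return "<p>" + html.escape(comment) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, "alice", SQLI_INPUT))
    print("parameterized:", login_parameterized(db, "alice", SQLI_INPUT))
    print("encoded      :", render_comment(XSS_INPUT))
```

With the concatenated query the crafted password matches every row; with placeholders the same input matches none, and the real password still works.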
Question 28: Explain how to write secure code that adheres to industry best practices and
coding standards.
Answer:
Secure code follows safe rules and standards to protect against attacks.
Best Practices:
1. Validate all user inputs.
2. Use encryption for sensitive data.
3. Avoid hardcoding passwords.
4. Handle errors safely.
5. Keep software updated.
Question 29: Explain authentication and authorization.
Answer:
• Authentication: Verifies the identity of a user.
Example: Logging in with a password or fingerprint.
• Authorization: Grants permission to use certain features.
Example: Admins can edit, users can only view.
Question 30: Explain security testing, including penetration testing and vulnerability
scanning, to identify and remedy security weaknesses.
Answer:
1. Security Testing:
Ensures the software is free from weaknesses.
2. Penetration Testing:
Simulates real attacks to find system flaws.
Example: Ethical hackers test network defenses.
3. Vulnerability Scanning:
Automatically checks for known weaknesses.
Example: Tools detect outdated or unpatched software.
Question 31: Discuss common traditional access control models (such as discretionary
access control (DAC) and mandatory access control (MAC)) and dynamic access control
models (like risk-based access control, adaptive access control) to illustrate the concepts.
Answer:
Access control models decide who can access what in a system.
1. Traditional Models:
• Discretionary Access Control (DAC):
The resource owner decides who can access files or data.
Example: A user shares a file with another user.
• Mandatory Access Control (MAC):
Access is based on fixed security levels set by the system.
Example: Military systems classify data as “Secret” or “Top Secret.”
2. Dynamic Models:
• Risk-Based Access Control:
Access changes based on the risk level.
Example: Extra verification when logging in from an unknown location.
• Adaptive Access Control:
Adjusts permissions in real time using user behavior.
Example: System blocks unusual login attempts automatically.
Question 32: Explain encryption techniques, including symmetric, asymmetric and hybrid
cryptography, and their applications in securing data.
Answer:
Encryption turns readable data into coded form to prevent unauthorized access.
1. Symmetric Encryption:
Uses one key for both encryption and decryption.
Example: AES, DES.
✅ Used for: Encrypting files and backups.
2. Asymmetric Encryption:
Uses two keys – public and private.
Example: RSA.
✅ Used for: Secure emails and digital signatures.
3. Hybrid Encryption:
Combines both symmetric and asymmetric methods for speed and security.
✅ Used for: Online banking and secure communication (HTTPS).
Question 33: Discuss methods for securely storing and handling sensitive data, such as
password hashing and encryption.
Answer:
1. Password Hashing:
Converts passwords into fixed, unreadable values.
Example: Using SHA-256 or bcrypt algorithms.
✅ Even if stolen, hashed passwords can’t be easily reversed.
2. Encryption:
Protects data so only authorized users can read it.
Example: Encrypting user data before saving to a database.
3. Access Control:
Only authorized users can view or modify sensitive data.
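Password hashing as described above, as an added example that is not part of the original notes: a plain SHA-256 hash beside a salted, iterated hash with constant-time verification. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which is not in the standard library; the iteration count, record format and function names are assumptions for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor assumed for this example; tune per hardware


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256: fast, and identical passwords always give identical
    hashes, which exposes password reuse and allows precomputed lookups."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash stored as 'iterations$salt$hash'."""
    salt = os.urandom(16)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                      int(iterations))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted equal:", unsalted_sha256(pw) == unsalted_sha256(pw))
    first, second = hash_password(pw), hash_password(pw)
    print("salted equal  :", first == second)
    print("verify good   :", verify_password(pw, first))
    print("verify bad    :", verify_password("wrong guess", first))
```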
Question 34: Explain secure communication protocols, such as HTTPS, SSL/TLS, and
their significance in protecting data during transmission.
Answer:
1. HTTPS (HyperText Transfer Protocol Secure):
Ensures safe web browsing by encrypting data between browser and server.
2. SSL (Secure Sockets Layer) / TLS (Transport Layer Security):
Create encrypted connections to stop hackers from reading or changing messages.
Significance:
• Prevents eavesdropping and tampering.
• Builds user trust by showing a secure padlock symbol on websites.
Question 35: Explain the components of an incident response plan and the steps to take in
response to a security incident.
Answer:
An Incident Response Plan (IRP) helps manage and recover from attacks.
Components / Steps:
1. Preparation: Train staff and set up tools.
2. Identification: Detect and confirm the security incident.
3. Containment: Stop the attack from spreading.
4. Eradication: Remove the cause of the attack.
5. Recovery: Restore systems and verify they’re safe.
6. Lessons Learned: Review what happened and improve future response.
Question 36: Explain the various legal frameworks and regulations relevant to software
security, including international laws like GDPR, HIPAA, NDPR, and industry-specific
standards.
Answer:
Several laws and standards guide how organizations handle and protect user data:
1. GDPR (General Data Protection Regulation – EU):
Protects the privacy of individuals in the European Union.
✅ Organizations must get user consent before collecting data.
✅ Violations attract heavy fines.
2. HIPAA (Health Insurance Portability and Accountability Act – USA):
Ensures the protection of medical records and patient information.
✅ Common in hospitals and health software systems.
3. NDPR (Nigeria Data Protection Regulation):
Protects personal data of Nigerian citizens.
✅ Ensures organizations handle data responsibly and transparently.
4. Industry Standards (like PCI-DSS):
Used for financial data, especially in credit card transactions.
✅ Ensures safe handling of payment details.
Question 37: Discuss ethical considerations in software development, including responsible
handling of user data and respecting user privacy.
Answer:
Ethics in software development ensures that technology benefits users and does not harm them.
Key Ethical Considerations:
1. Responsible Data Handling:
Collect only necessary data and keep it safe.
2. User Privacy:
Respect user consent and avoid spying or unauthorized data use.
3. Transparency:
Inform users about how their data is used.
4. Fairness:
Avoid creating software that discriminates or misleads users.
5. Security:
Implement proper measures to protect user information from attacks.
Question 38: Explain the potential legal consequences of non-compliance with regulations
and unethical behavior in software development, emphasizing fines, legal actions, and
reputational damage.
Answer:
When organizations break data laws or act unethically, they face serious consequences:
1. Fines and Penalties:
Laws like GDPR and NDPR impose huge fines for data misuse.
2. Legal Actions:
Users can sue companies for violating privacy or mishandling information.
3. Reputational Damage:
Public trust is lost, and customers may stop using the company’s products.
4. Business Loss:
Non-compliance can lead to suspension of licenses or operations.
Question 39: Discuss how to apply principles of secure software design (including threat
modelling) to create software architectures that consider security from the outset.
Answer:
Secure software design means planning for security early in development.
Principles to Apply:
1. Threat Modelling:
Identify possible threats before building the system.
Example: Predict how hackers might attack login systems.
2. Least Privilege:
Give users and programs only the access they need.
3. Defense in Depth:
Use multiple layers of security (e.g., firewall + encryption + access control).
4. Secure by Default:
Make security settings active automatically.
5. Regular Review:
Continuously test and improve the design against new threats.
Question 40: Discuss common security risks, vulnerabilities, and best practices.
Answer:
Common Security Risks:
1. Weak passwords
2. Unpatched software
3. Phishing attacks
4. Poor input validation
Common Vulnerabilities:
• SQL Injection – Inserting malicious queries.
• Cross-Site Scripting (XSS) – Injecting harmful scripts.
• Buffer Overflow – Overloading memory to crash a program.
Best Practices:
• Use strong passwords.
• Keep systems updated.
• Validate all user inputs.
• Conduct regular security testing.
• Encrypt sensitive data.
Explain Authentication, Authorization, encryption and data protection
1. Authentication
Meaning:
Authentication is the process of verifying the identity of a user or system before granting
access.
Example:
When you log in with a username and password, the system checks if you are the real user.
Purpose:
To make sure only authorized individuals can access an account or system.
2. Authorization
Meaning:
Authorization happens after authentication. It determines what actions a verified user is
allowed to perform.
Example:
An admin can delete users, but a normal user cannot — this is authorization.
Purpose:
To control permissions and access levels within a system.
3. Encryption
Meaning:
Encryption is the process of converting readable data into an unreadable form (cipher text) so
that only authorized users can read it.
Example:
When sending a message over WhatsApp, encryption ensures no one else can read it except the
receiver.
Purpose:
To protect data from being read or altered by unauthorized people.
4. Data Protection
Meaning:
Data protection involves safeguarding personal and sensitive information from misuse, loss,
or unauthorized access.
Methods include:
• Encryption (to protect data)
• Access control (to restrict access)
• Backups (to prevent loss)
• Compliance with privacy laws (like GDPR or NDPR)
Purpose:
To ensure data is handled securely and ethically throughout its life cycle.