Paper 1 Network Security Answers

These answers correspond to Paper 1 Network Security Drills.

Answer 1: Malware

Two harmful effects are:

  • the malware appears to encrypt or lock files in the Documents folder, making the user’s data unavailable;
  • it sends emails to contacts without permission, which can spread the malware or leak information.

Mark points:

  • identifies file encryption/locking or loss of access to data;
  • identifies unauthorised email sending, spreading, or misuse of the device.

Common weak answer:

  • saying only “the computer has a virus”. The question asks for effects seen in the scenario.

Answer 2: Denial of Service

The attack floods the results website with far more requests than normal. Because the traffic comes from many different IP addresses, this is a DDoS-style distributed denial-of-service attack. Server processing, bandwidth, or connection capacity may be exhausted, so legitimate student requests are delayed or rejected. This reduces availability because authorised users cannot access the service when needed.

Mark points:

  • identifies flooding or excessive requests;
  • explains resource exhaustion, overload, delay, or rejection of requests;
  • links this to loss of availability for legitimate users.

Common weak answer:

  • saying the attacker steals the results. A DoS attack targets availability; data theft is a different threat.

Answer 3: Firewall Rule

The firewall should block the incoming packet to port 22 because rule 3 says that traffic to port 22 has action block.

Mark points:

  • states the packet is blocked;
  • refers to matching the port 22 rule.

Common weak answer:

  • saying port 22 is allowed because ports are numbers used by services. The configured rule decides the action.

Answer 4: IDS vs IPS

An IDS would monitor the traffic or login events and raise an alert/log entry about the repeated failed logins. It would not normally stop the traffic by itself. An IPS can take automatic preventive action, such as blocking traffic from 203.0.113.9 or dropping further login attempts that match the rule.

Mark points:

  • IDS detects or monitors suspicious activity;
  • IDS alerts/logs rather than directly blocking by default;
  • IPS detects the same suspicious activity;
  • IPS can automatically block, drop, or prevent matching traffic/actions.

Common weak answer:

  • treating IDS and IPS as identical. The key distinction is detection/alerting versus prevention/blocking.

Answer 5: Encryption

Encryption transforms the plaintext exam_result=85 into ciphertext using a key. If the traffic is intercepted, an unauthorised person sees unreadable ciphertext rather than the original result, unless they have the correct key.

Mark points:

  • plaintext is transformed into ciphertext using a key;
  • intercepted data is not understandable without the correct key, preserving confidentiality.

Common weak answer:

  • saying encryption stops interception. Encryption does not necessarily stop capture; it protects meaning.

Answer 6: Digital Signature

The different hashes show that the received file is not the exact file that was signed, so integrity has failed. Because the signed hash does not match the received file, the student should not rely on the signature as proof that this received file is authentic from the teacher; it may have been altered or the wrong file may have been supplied.

Mark points:

  • explains that the file has changed or does not match the signed content;
  • links the mismatch to failed integrity;
  • explains that the signature cannot authenticate this received file;
  • states that the file should not be trusted as the teacher’s unchanged file.

Common weak answer:

  • saying the teacher’s private key has definitely been stolen. A mismatch proves the file/signature pair does not verify; it does not by itself prove key theft.

Answer 7: Authentication Factors

The password is something the user knows. The one-time code from the phone app is something the user has, because it depends on possession of the phone or authenticator app.

Mark points:

  • password: knowledge factor / something known;
  • phone-app code: possession factor / something possessed.

Common weak answer:

  • saying both are passwords. They are different factors because one is remembered and the other depends on a device.

Answer 8: Password Policy

Two suitable controls are:

  • minimum length, for example rejecting alex because it has only four characters;
  • rejecting common or easily guessed passwords, for example rejecting 12345678 or password1.

Other valid applied controls include requiring letters and digits together, blocking dictionary words, or checking a banned-password list.

Mark points:

  • gives one suitable password-policy control;
  • applies it to one listed weak password;
  • gives a second suitable password-policy control;
  • applies it to one listed weak password.

Common weak answer:

  • saying “make passwords strong” without specifying an enforceable rule.

Answer 9: Security and Usability

Security benefit: requiring the one-time code makes stolen passwords less useful, because the attacker also needs the second factor.

Usability cost: users must complete an extra step at every login, which takes more time and may block them if the phone/app is unavailable.

Mark points:

  • states a security improvement from the extra factor;
  • states a usability cost from the extra login step.

Common weak answer:

  • saying security and usability both always improve. Stronger security often introduces extra user effort.

Answer 10: Control Choice

A suitable control is an IDS, IPS, or rate limiter that counts repeated requests from the same IP address to /login. An IDS could alert or log when the count crosses a threshold. An IPS or rate limiter could block, drop, or slow matching requests from 203.0.113.8, reducing brute-force or DoS-style pressure on the login page. A firewall rule could block or limit a source IP, but a simple port-based firewall would not normally inspect the URL path /login.

Mark points:

  • chooses a relevant control such as IDS, IPS, rate limiting, or firewall rule;
  • links the control to repeated /login requests from the same IP address;
  • explains the response, such as alerting, blocking, throttling, or reducing attack impact.

Common weak answer:

  • choosing encryption alone. Encryption protects confidentiality of data in transit; it does not detect repeated login requests.