Cyber Security 2

Yehhe
QUESTION ONE

Types of Cyber Attackers

1. White Hat Hackers (1 Mark): Ethical hackers who use their skills to identify vulnerabilities in systems
and improve security for organizations with legal permission.

2. Grey Hat Hackers (1 Mark): Hackers who fall between black and white hats. They exploit
vulnerabilities without malicious intent but might break the law by hacking without permission.

3. Black Hat Hackers (1 Mark): Malicious hackers who break into systems with the intent to steal,
destroy, or cause harm for personal or financial gain.

4. Hacktivists (1 Mark): Individuals or groups who use hacking as a form of protest to promote political,
social, or ideological agendas.

5. State-sponsored Hackers (1 Mark): Hackers employed by governments to conduct cyber espionage,
sabotage, or warfare against foreign nations or organizations.

Confidentiality, Integrity, and Availability (3 Marks)


Confidentiality: Ensures that sensitive information is accessible only to authorized individuals and not
disclosed to unauthorized parties.

Integrity: Ensures that data is accurate and unaltered, protecting it from unauthorized modifications.

Availability: Ensures that systems and data are available and accessible to authorized users whenever
needed.

Methods of Ensuring Information Availability (8 Marks)

1. Redundancy: Duplicating critical systems, such as having backup servers or data storage, ensures that
if one fails, another takes over.

2. Regular Backups: Performing frequent data backups allows quick recovery in case of data loss or
corruption.

3. Disaster Recovery Plans: Having a structured plan for restoring services after a natural disaster,
system failure, or cyberattack.

4. Load Balancing: Distributing network traffic across multiple servers to ensure no single point of failure
and improve system performance.

Malicious Software Impacting Information Systems (4 Marks)

1. Ransomware (1 Mark): Malware that encrypts a user's data, demanding payment (ransom) to restore
access.

2. Trojan Horse (1 Mark): Malicious software disguised as legitimate software, which allows
unauthorized access or harm to a system.

3. Adware (1 Mark): Software that automatically displays or downloads advertising material, often
slowing down the system.

4. Worm (1 Mark): Self-replicating malware that spreads across networks without needing to attach to a
program or file.

QUESTION TWO

Ethics in Cybersecurity (2 Marks)

Ethics in cybersecurity is critical because professionals have the same technical skills as cybercriminals.
Ethical guidelines ensure that cybersecurity experts use their knowledge to protect systems and data,
respecting privacy, legal frameworks, and moral principles, rather than exploiting vulnerabilities for
personal or malicious gain.

Uganda Government MDAs Responsible for Cybersecurity (6 Marks)


1. Ministry of ICT and National Guidance: Oversees the formulation of national ICT policies and ensures
secure and reliable ICT infrastructure.

2. National Information Technology Authority (NITA-U): Regulates and coordinates ICT functions in
Uganda, including overseeing national cybersecurity.

3. Uganda Communications Commission (UCC): Regulates telecommunications and ensures secure
communications infrastructure.

National Laws on Cybersecurity (6 Marks)

1. The Computer Misuse Act, 2011: Criminalizes unauthorized access, modification, or interference with
computer systems and data.

2. The Electronic Transactions Act, 2011: Regulates electronic records, communications, and online
transactions for security.

3. The Data Protection and Privacy Act, 2019: Governs the collection, storage, and processing of
personal data to protect individual privacy.

Ethical Judgement Scenario (6 Marks)

You should immediately reject the USB drive, as there are significant security risks. The flash drive could
contain malware, and downloading software from an unverified source without proper authorization
violates cybersecurity principles. Subsequent steps would include reporting the incident to school
authorities or IT security teams, ensuring the integrity and security of the systems, and avoiding
downloading any software from untrusted or unknown sources.

QUESTION THREE

Information Security Governance (1 Mark)

Information security governance refers to the policies, processes, and structures that ensure the
effective management of information security risks and alignment with organizational goals.

Difference between Information Security Governance and Management (2 Marks)

Information Security Governance: Focuses on establishing policies, strategies, and oversight to align
security with business objectives.

Information Security Management: Involves implementing and operating security controls and
processes on a day-to-day basis.

Cybersecurity Policy (1 Mark)

A cybersecurity policy is a formal document outlining the guidelines, procedures, and measures an
organization must follow to protect its information systems and data.

Importance of a Cybersecurity Policy (4 Marks)


1. Provides a Framework: Establishes guidelines for managing and protecting sensitive information.

2. Enhances Awareness: Ensures employees understand security expectations and risks.

3. Compliance: Helps the organization meet legal and regulatory security requirements.

4. Risk Management: Reduces the risk of cyberattacks by promoting best security practices.

Types of Security Policies (6 Marks)

1. Acceptable Use Policy: Specifies what users are allowed and prohibited from doing when accessing
company systems.

2. Incident Response Policy: Outlines steps to respond to and recover from security incidents.

3. Data Classification Policy: Defines how data should be handled based on its sensitivity (confidential,
internal, public).

ISO/IEC 27000 Framework Domains (6 Marks)

1. Risk Assessment (2 Marks): Identifies potential risks to information security and evaluates their
likelihood and impact to implement appropriate controls.

2. Human Resources Policy (2 Marks): Establishes security measures for employees, from hiring to
termination, to prevent insider threats and ensure security awareness.

3. Access Control (2 Marks): Defines rules for managing access to information systems, ensuring only
authorized personnel have access to sensitive data.

QUESTION FOUR

Cryptography (1 Mark)

Cryptography is the practice of securing information by converting it into unreadable formats
(encryption) that can only be deciphered by those with the proper decryption key.

Differences Between Asymmetric and Symmetric Encryption (3 Marks)

1. Key Usage: Symmetric encryption uses one key for both encryption and decryption, while asymmetric
encryption uses two keys (public and private).

2. Speed: Symmetric encryption is faster, while asymmetric encryption is slower due to more complex
algorithms.

3. Security: Asymmetric encryption provides better security for key distribution since the public and
private keys are distinct: the public key can be shared openly while the private key never leaves its owner.

Message Transmission Using Private Key Cryptography (3 Marks)

In Private Key Cryptography, the same secret key is used for both encryption and decryption. The sender
encrypts the message with the key, and the receiver, who possesses the same key, decrypts it.

Message Transmission Using Public Key Cryptography (3 Marks)

In Public Key Cryptography, the sender encrypts the message with the recipient’s public key, and the
recipient decrypts it using their private key. Only the intended recipient can decrypt the message,
ensuring confidentiality.

How Asymmetric Encryption Ensures Confidentiality, Authentication, and Integrity

Confidentiality (2 Marks): The message is encrypted with the recipient’s public key, ensuring that only
the recipient with the corresponding private key can decrypt it.

Authentication (2 Marks): The sender can sign the message with their private key, which can be verified
using the sender’s public key.

Integrity (2 Marks): A cryptographic hash of the message, covered by the digital signature, ensures that any
modification to the message will result in a mismatch, alerting the recipient to tampering.
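The public-key message transmission and the three properties above, worked through as an added example that is not part of the original answer sheet. It uses textbook RSA with constructed, far too small primes and no padding, purely to make the mechanism visible; real systems use 2048-bit or larger keys with OAEP/PSS padding and a hybrid scheme. Names (Alice, Bob, the sample message) are constructed for the demo.

```python
import hashlib

BLOCK = 7  # 7-byte blocks: as integers they are < 2^56, below every modulus n used here


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two (constructed, far too small) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)


def encrypt(message: bytes, pub):
    """Confidentiality: anyone may encrypt with the recipient's public key."""
    e, n = pub
    return [pow(int.from_bytes(message[i:i + BLOCK], "big"), e, n)
            for i in range(0, len(message), BLOCK)]


def decrypt(blocks, priv, length):
    """Only the holder of the matching private key recovers the plaintext."""
    d, n = priv
    out = b""
    for i, c in enumerate(blocks):
        # every block is BLOCK bytes except possibly the last; total length is known
        size = BLOCK if i < len(blocks) - 1 else length - BLOCK * (len(blocks) - 1)
        out += pow(c, d, n).to_bytes(size, "big")
    return out


def digest(message: bytes, n):
    """Integrity: the signature covers a SHA-256 hash of the message (reduced mod n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv):
    """Authentication: only the sender's private key can produce this value."""
    d, n = priv
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature, pub):
    """Anyone holding the sender's public key checks it; a changed message fails."""
    e, n = pub
    return pow(signature, e, n) == digest(message, n)


# Constructed demo: Alice (sender) and Bob (recipient) each own a key pair
alice_pub, alice_priv = make_keypair(1000000007, 998244353)
bob_pub, bob_priv = make_keypair(2147483647, 1000000009)

msg = b"Transfer 500 UGX to account 42"
cipher = encrypt(msg, bob_pub)                   # encrypted for Bob only
sig = sign(msg, alice_priv)                      # signed by Alice
recovered = decrypt(cipher, bob_priv, len(msg))
print(recovered == msg, verify(recovered, sig, alice_pub),
      verify(b"Transfer 900 UGX to account 42", sig, alice_pub))
```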

Social Engineering Attacks

1. Email Phishing (1 Mark): A fraudulent attempt to obtain sensitive information by pretending to be a
trustworthy entity via email.

2. USB Drop Key (1 Mark): An attack where an attacker leaves infected USB drives in public places,
hoping a victim will plug one into their computer.

3. Tailgating (1 Mark): Following an authorized person into a restricted area without permission.

4. Shoulder Surfing (1 Mark): Observing someone’s private information by looking over their shoulder as
they enter sensitive information, such as passwords.
