
Introduction to Information Security

Security can be defined as a state of freedom from danger, risk or attack. Information security can be
defined as the task of guarding information while it is processed by a server, stored on a storage device,
or transmitted over a network such as a Local Area Network or the public Internet. In other words,
information security means protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification or destruction.

Introduction to AAA

AAA stands for Authentication, Authorization and Accounting. AAA is a set of primary concepts that aid in
understanding computer and network security as well as access control. These concepts are used daily to
protect property, data and systems from intentional or even unintentional damage. AAA is used to
support the Confidentiality, Integrity and Availability (CIA) security model.

Confidentiality: Data that is confidential is disclosed only to those who are authorized to see it. In
other words, a secret should stay secret.

Integrity: The data being worked with is the correct data, and has not been tampered with or altered,
whether by accident or by an attacker.

Availability: The data and services you are authorized to use are available to you when you need them.

Authentication provides a way of identifying a user, typically by requiring a user ID/password combination
before a session is granted; it controls access by requiring valid credentials. After authentication
completes successfully, the user must be given authorization (permission) to carry out tasks on the
server. Authorization is the process that determines whether the authenticated user has the authority to
carry out a specific task; it controls access to resources after the user has been authenticated. The
last one is Accounting, which keeps track of the activities the user has performed on the server and is
what audit trails are built from.

Authentication

Authentication is the process by which a sender and receiver of information validate each other's
identity. If they cannot properly authenticate each other, there is no basis for trusting the activities or
information provided by either party. Authentication methods range from very simple to highly complex.
The simplest form is the transmission of a shared password between the entities wishing to authenticate
each other, which is also the weakest, because anyone who can observe the transmission learns the
password. Today's authentication methods use one or more of the factors below.

1) What you know

An example of this type of authentication is a password. The logic is simple: if you know the secret
password for an account, you must be the owner of that account. The problems with this type of
authentication are that the password can be stolen, someone might read it if you wrote it down, and
anyone who learns your password might pass it on. If the password is a simple dictionary word, it is easy
to crack with password cracking software.

2) What you have

Examples of this type of authentication are smart cards, hardware tokens etc. The logic is that if you
have the smart card with you, you must be the owner of the account. The problems with this type of
authentication are that the smart card might be lost or stolen, or someone might duplicate it, which is
why it is normally combined with a PIN (something you know).

3) What you are

Examples of this type of authentication are your fingerprint, handprint, retina pattern, voice, keystroke
pattern etc. The problem with this type of authentication is the chance of false acceptances and false
rejections: a valid user may be rejected, or an invalid user accepted, and lowering one error rate raises
the other. People are also often uncomfortable with this type of authentication.

Network authentication is usually based on authentication protocols, digital certificates,
username/password, smart cards etc. Some of the most important authentication protocols in use today are
Kerberos, Challenge Handshake Authentication Protocol (CHAP) and Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP). We will learn about these protocols in the coming lessons.

Kerberos Authentication

Kerberos was originally developed by Project Athena at the Massachusetts Institute of Technology (MIT),
and MIT publishes a free software suite that implements the protocol. The name "Kerberos" is taken from
the three-headed dog of Greek mythology. Kerberos is designed to work across open networks such as the
Internet, an inherently insecure environment in which an attacker may read or modify any packet.

The Kerberos protocol provides mutual authentication between a client and a server: the client
authenticates itself to the server, and the server also authenticates itself to the client, so each
computer, or a user and a computer, can verify the identity of the other. Kerberos is efficient for
authenticating clients in large enterprise networks because a resource server can validate a ticket with
its own key and never has to contact the authentication server itself. Kerberos uses symmetric (secret
key) cryptography: the client's long-term key is derived from the user's password, and the same key is
held by the Kerberos server, which uses it to decrypt the client's authentication traffic.

The Kerberos protocol is built around a trusted third party called the Key Distribution Center (KDC). The
KDC acts as both an Authentication Server (AS) and a Ticket Granting Server (TGS). When a user logs on,
the user's credentials (password, smart card, biometrics) are used to authenticate to the KDC. With a
password, the password itself is never sent over the network; the client proves it knows the password by
encrypting a timestamp with a key derived from it. If the credentials are verified successfully, the KDC
issues a Ticket Granting Ticket (TGT) to the client, which caches it on the local machine for future use.
The cached TGT is discarded when the user logs off or disconnects from the network, and in any case it
becomes invalid when its lifetime expires. The default maximum lifetime depends on the implementation:
one day (86400 seconds) in the MIT KDC configuration and 10 hours in an Active Directory domain.

When the client wants to access a resource on a remote server, it presents the cached TGT to the KDC and
asks for a ticket for that service. The KDC returns a service ticket (session ticket) to the client,
encrypted with the resource server's own long-term key, together with a session key for the client to
use. The client presents the service ticket to the remote resource server. The server decrypts the ticket
with its own key, and if it is valid the server allows the session to be established; using the session
key it can also prove its own identity back to the client, which is the mutual part of the authentication.
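The exchange described above, as an added example that is not part of the original lesson: a Python simulation of the AS, TGS and AP exchanges between a KDC, a client and a resource server. The realm EXAMPLE.COM, the principals alice and cifs/files, the ticket lifetime and the toy seal()/unseal() encryption (an HMAC keystream plus an HMAC tag, standing in for the real Kerberos encryption types) are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 36000  # seconds (10 hours); assumed value for this demo


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key of a principal, derived from its password (string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + tag); demo only, not a real cipher."""
    plain = json.dumps(message).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Trusted third party: Authentication Server (AS) plus Ticket Granting Server (TGS)."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {name: derive_key(pw, realm + name) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)  # key of krbtgt/REALM, known only to the KDC

    def as_exchange(self, client: str, pre_auth: bytes):
        """AS-REQ -> AS-REP. The password never travels; the client encrypts a timestamp."""
        client_key = self.keys[client]
        stamp = unseal(client_key, pre_auth)["timestamp"]   # ValueError on a wrong password
        if abs(time.time() - stamp) > 300:                  # allowed clock skew
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.tgs_key, {"client": client, "session": session, "expires": expires})
        return tgt, seal(client_key, {"session": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ -> TGS-REP: validate the cached TGT, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)                        # only the KDC can open a TGT
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        tgt_session = bytes.fromhex(t["session"])
        if unseal(tgt_session, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session})
        return ticket, seal(tgt_session, {"session": svc_session, "service": service})


def client_login(kdc: KDC, user: str, password: str):
    """Obtain the TGT to cache locally. Returns (tgt, tgt_session_key)."""
    key = derive_key(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": time.time()}))
    return tgt, bytes.fromhex(unseal(key, enc)["session"])


def client_get_ticket(kdc: KDC, user: str, tgt: bytes, tgt_session: bytes, service: str):
    """Present the cached TGT for a service ticket. Returns (ticket, service_session_key)."""
    auth = seal(tgt_session, {"client": user, "timestamp": time.time()})
    ticket, enc = kdc.tgs_exchange(tgt, auth, service)
    return ticket, bytes.fromhex(unseal(tgt_session, enc)["session"])


def server_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ -> AP-REP on the resource server: only its own key is needed, no call to the KDC."""
    t = unseal(service_key, ticket)
    session = bytes.fromhex(t["session"])
    auth = unseal(session, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"], seal(session, {"timestamp": auth["timestamp"]})


def access_service(kdc: KDC, user: str, password: str, service: str, service_key: bytes) -> str:
    """Whole flow; returns the principal the server accepted after the client checked the AP-REP."""
    tgt, tgt_session = client_login(kdc, user, password)
    ticket, session = client_get_ticket(kdc, user, tgt, tgt_session, service)
    stamp = time.time()
    name, ap_rep = server_accept(service_key, ticket, seal(session, {"client": user, "timestamp": stamp}))
    if unseal(session, ap_rep)["timestamp"] != stamp:   # only a holder of service_key could produce it
        raise ValueError("server failed mutual authentication")
    return name
```

Points to notice: the password never leaves the client (only a timestamp encrypted under the password-derived key), the resource server validates the ticket with its own key and never calls the KDC, and the AP-REP returned to the client is what makes the authentication mutual.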

Challenge Handshake Authentication Protocol (CHAP) Authentication

Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol used in
conjunction with the Point to Point Protocol (PPP) to authenticate users of remote resources. CHAP is
described in RFC 1994, which can be viewed at http://www.rfc-editor.org/. CHAP uses a challenge/response
method for authentication, so the password (the shared secret) is never sent over the link, although the
peer still identifies itself by name. In CHAP, the initiator sends a logon request to the server. The
server sends a challenge (a random value with an identifier) back to the client. The client computes a
one-way hash (MD5) over the identifier, the shared secret and the challenge, and sends the hash value back
to the server. The server computes the same hash with its own copy of the secret and compares the two; if
they match, it grants the session. If the response fails, the session is denied and the link should be
terminated. Because the server must compute the same hash, it has to store each peer's secret in a
recoverable form, so the secret database must be carefully protected.

CHAP periodically verifies the identity of the peer using a three-way handshake (challenge, response,
success or failure). The verification is done initially when the link is established, and may be repeated
at any time after that, which limits how long a hijacked link stays useful to an attacker. Each challenge
must be fresh and unpredictable; otherwise an attacker who recorded an earlier response could replay it.
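The handshake above, as an added example that is not from RFC 1994 or the original lesson: a Python model of a CHAP authenticator and peer using the RFC 1994 response (MD5 over the identifier octet, the secret and the challenge). The peer name alice and the secret table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed secret table for the authenticator (e.g. a PPP access server).
# CHAP needs the secret itself, not a hash of it, so this table must be protected.
SECRETS = {"alice": b"chap-secret-alice"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.pending = {}  # identifier -> challenge still awaiting its response

    def challenge(self):
        """Step 1: a fresh random challenge under a new Identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash with our copy of the secret and compare.
        A challenge is single-use, so a replayed response cannot succeed."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """The side being authenticated; it holds the secret but never transmits it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: answer with Name and the hashed value."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """One three-way handshake; call it again later to re-verify the peer."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)
```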

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is the Microsoft implementation of CHAP.
There are two versions, MS-CHAPv1 and MS-CHAPv2. MS-CHAP has some additional features, such as a method
for changing passwords and for retrying in the event of a failure; MS-CHAPv2 also adds mutual
authentication, so the client can verify the server as well.

Biometric Authentication

Each person has a set of unique characteristics that can be used for authentication, and biometrics uses
these characteristics. Today's biometric systems examine retina patterns, iris patterns, fingerprints,
handprints, voice patterns, keystroke patterns etc. Of the biometric devices available on the market, only
retina pattern, iris pattern, fingerprint and handprint systems measure a physiological trait and are
properly classified as biometric systems in the narrow sense; voice and keystroke systems are classified
as behavioral systems.

Biometric identification systems normally work by capturing a unique characteristic from you, such as a
handprint or a retina pattern, and comparing it with the reference specimen (template) stored in the
system. Because two captures of the same trait are never identical, the comparison produces a similarity
score that is accepted or rejected against a threshold.

Biometric authentication compares well with other methods because the characteristic cannot be forgotten,
lent or easily stolen. But users are reluctant to use it; for example, many users feel that a retina
scanner may damage their vision. False positives (an impostor accepted) and false negatives (a legitimate
user rejected) are a serious problem with biometric authentication: the threshold can be tuned, but
lowering one error rate raises the other.
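An added example (not from the original lesson) of the false acceptance/false rejection trade-off, in Python: the matcher scores for genuine and impostor attempts are constructed values, not measurements from any real device, and the 0..100 similarity scale is an assumption.

```python
# Constructed matcher scores on a 0..100 similarity scale (assumed data):
# genuine = a user compared against her own stored template,
# impostor = other people compared against that same template.
GENUINE = [91, 88, 95, 79, 84, 90, 72, 87, 93, 81]
IMPOSTOR = [35, 52, 41, 68, 47, 59, 73, 38, 44, 61]


def decide(score: int, threshold: int) -> bool:
    """Accept when the live sample matches the template at least this well."""
    return score >= threshold


def rates(genuine, impostor, threshold):
    """False acceptance rate (impostors let in) and false rejection rate
    (legitimate users turned away) at a given threshold."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine, impostor) -> int:
    """Threshold at which FAR and FRR are closest (the equal error rate point)."""
    return min(range(101), key=lambda t: abs(rates(genuine, impostor, t)[0]
                                              - rates(genuine, impostor, t)[1]))


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows: tightening the threshold trades acceptances for rejections."""
    return [(t, *rates(genuine, impostor, t)) for t in thresholds]
```

With these scores a threshold of 60 lets 30% of impostors in but rejects nobody, while 85 rejects 40% of genuine users and admits no impostor; the equal error point sits at 73 with both rates at 10%.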

Retina Pattern Biometric Systems

Everybody has a unique retinal vascular pattern. A retina pattern biometric system uses a low-intensity
infrared beam to scan your retina, examines the unique characteristics of the user's retina, and compares
that information with the stored pattern to determine whether the user should be allowed access. Some
systems also perform iris and pupil measurements. Retina pattern biometric systems are highly reliable,
but users are often reluctant to use them because they fear that the scanner will blind or injure their
eyes.

Iris Scans Biometric Systems

Iris scans verify identity by scanning the colored part of the front of the eye. An iris scan is much less
intrusive for the user than a retina scan, and it is very accurate.

Fingerprints Biometric Systems

Fingerprints have been used in forensics and identification for a long time, because the fingerprints of
each individual are unique. Fingerprint biometric systems examine the unique characteristics of your
fingerprints and use that information to determine whether or not you should be allowed access.

In principle a fingerprint scanner works as follows. The user's finger is placed on the scanner surface. A
light flashes inside the device, the reflection is captured by a sensor, and the captured image is
analysed and verified against the original specimen stored in the system. The user is allowed or denied
access based on the result of this verification.

Handprints Biometric Systems

As with fingerprints, everybody has unique handprints. A handprint biometric system scans the hand and
fingers and compares the data with the specimen stored for you in the system. The user is allowed or
denied access based on the result of this verification.

Voice Patterns Biometric Systems

Voice pattern biometric systems can also be used for user authentication. They examine the unique
characteristics of the user's voice.

Keystrokes Biometric Systems

Keystroke Biometric Systems examine the unique characteristics of user’s keystrokes and use that
information to determine whether the user should be allowed access.

Token Authentication

Token technology is another method that can be used to authenticate users. Tokens are physical devices
that generate an unpredictable one-time code, which can be used to assure the identity of the user.
Because each code is valid only once (or only for a short time window) and the seed that produces it never
leaves the token or the server, tokens provide a high level of authentication assurance.

There are different types of tokens. One type is a small device with a keypad for keying in values. The
server issues a challenge number when the user tries to log in. The user keys this number into the token,
and the token displays a response computed from the challenge and the secret stored in the token. The user
enters this response and sends it to the server, which calculates the result it expects from that token.
If the numbers match, the user is authenticated.

Another type of token is time based. This type of token displays a new number at fixed intervals of time.
The user keys in the currently displayed value at the time of authentication. The server holds the same
secret seed and calculates the value for the current time window; if the value from the token matches,
the user is authenticated and allowed access.

Multi-Factor Authentication

Multi-factor authentication expands on the requirements of single-factor authentication by requiring
another factor, from a different category, in addition to the traditional password.

For example, most single-factor methods use only a password. In multi-factor authentication we can
tighten the authentication by also requiring a fingerprint from a biometric scanner (something you are)
or a code from a token (something you have).

Multi-factor authentication is more secure than single-factor authentication because an attacker must
defeat two independent factors; a stolen password alone is no longer enough. The factors must come from
different categories: two passwords are still single-factor.
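The token schemes above (challenge/response and time based) and the multi-factor login, as one added Python example that is not from the original lesson: hotp() and totp() follow RFC 4226 and RFC 6238 with HMAC-SHA1; challenge_response() is a simple HMAC construction assumed for the keypad token, not any vendor's actual algorithm; the seed is the RFC test seed so the codes can be checked against the published test vectors; the user alice and her password are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Seed shared between token and server. This is the RFC 4226/6238 test seed,
# used here so the codes can be compared with the RFC test vectors.
SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based token (RFC 6238): the counter is the number of 30-second steps elapsed."""
    return hotp(secret, int(now // step), digits)


def challenge_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Keypad token (assumed construction): the response is HMAC over the typed challenge."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha1).digest(), digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step and `window` steps either side to
    tolerate clock drift, comparing each candidate in constant time."""
    current = int(now // step)
    return any(hmac.compare_digest(hotp(secret, current + d, digits), code)
               for d in range(-window, window + 1))


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100000)


# Constructed user record: something she knows (password) and something she has (token seed).
USERS = {"alice": {"salt": b"demo-salt", "pw": _pw_hash("correct horse", b"demo-salt"), "seed": SEED}}


def mfa_login(username: str, password: str, code: str, now: float) -> bool:
    """Two factors from different categories; both are evaluated and both must pass."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"])
    token_ok = verify_totp(user["seed"], code, now)
    return password_ok and token_ok
```

The server never stores the codes, only the seed; a captured code is useless after its window, which is what makes the token a stronger factor than a static password.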

Access Control

Access control can be a policy, software, or a hardware device which is used to allow or deny access to a
resource. Access control can be enforced by devices such as biometric readers, switches, routers, Remote
Access Service (RAS) servers, virtual private networks (VPNs) etc. It can also be implemented at the file
system level, as in Microsoft's New Technology File System (NTFS) or GNU/Linux's ext2/ext3/ext4. The
following are the three main models of access control.

• Discretionary access control (DAC)

• Mandatory access control (MAC)

• Role-based access control (RBAC)

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) allows authorized users to change the access control attributes of
objects, thereby specifying whether other users have access to the object. A simple form of DAC might be
file passwords, where access to a file requires knowledge of a password created by the file owner. In
Linux, the file permission bits (owner, group, other) are the general form of DAC.

Discretionary Access Control (DAC) is the setting of permissions on files, folders and shared resources.
In most operating system (OS) environments the owner of the object (normally the user who created it)
applies the discretionary access controls. Ownership may be transferred, or overridden, by
root/administrator accounts. DAC is controlled by the owner or by root/administrator, rather than being
hard coded into the system.

DAC mechanisms have a basic weakness: they fail to recognize the fundamental difference between human
users and computer programs. Any program a user runs has all of that user's permissions, so a Trojan
horse or a compromised application can read, change or share everything the user can.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is another type of access control which is hard-coded into the operating
system, normally at kernel level. MAC can be applied to any object or running process within an operating
system, and it allows a high level of control over objects and processes. It can be applied to each
object, and can control access to the object by processes, applications and users. A MAC policy cannot be
modified by the owner of the object.

A MAC mechanism constrains the ability of a subject (a user or process) to access or perform some
operation on an object (files, directories, TCP/UDP ports etc.). Subjects and objects each have a set of
security attributes (labels). Whenever a subject attempts to access an object, an authorization rule
enforced by the operating system kernel examines these attributes and decides whether the access can take
place.

Under MAC, a central security policy set by the security administrator governs all interactions of
software on the system, and it is enforced even on processes running as the super user (root). SELinux
and AppArmor on Linux are common examples.

Role-based Access Control (RBAC)

Role-based Access Control (RBAC) is another method of controlling user access to objects. In RBAC, the
system administrator establishes roles based on functional requirements or similar criteria, and each
role carries a set of permissions on objects. The easiest way to picture RBAC is the user group concept in
Windows and GNU/Linux operating systems, although true RBAC attaches permissions to the role rather than
to individual users. A role should be defined for each job in an organization, and access is granted
according to the role.

In contrast to DAC or MAC systems, where users have access to objects based on their own and the object's
attributes, users in an RBAC system must be members of the appropriate group, or role, before they can
interact with files, directories, devices etc. Adding or removing a user from a role changes all of that
user's access at once, which is what makes RBAC manageable at scale.
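The DAC and RBAC models above, as an added Python example that is not from the original lesson: dac_allows() reproduces the Unix owner/group/other mode-bit check, dac_chmod() shows the discretionary part (and why it is a weakness), and rbac_allows() grants access only through roles. The files, users, groups, roles and permissions are constructed for the demo.

```python
import stat

# Constructed file system metadata and group membership (assumptions for the demo).
FILES = {
    "/home/alice/notes.txt": {"owner": "alice", "group": "staff", "mode": 0o640},
    "/etc/shadow": {"owner": "root", "group": "shadow", "mode": 0o640},
}
GROUPS = {"alice": {"staff"}, "bob": {"staff"}, "carol": {"devs"}}
_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}


def dac_allows(files, groups, user, path, op) -> bool:
    """Unix mode-bit check: the owner class applies if the user owns the file,
    otherwise the group class if the user is in the file's group, otherwise
    'other'. Only one class is consulted, and root bypasses the bits entirely."""
    if user == "root":
        return True
    f = files[path]
    owner_bit, group_bit, other_bit = _BITS[op]
    if user == f["owner"]:
        return bool(f["mode"] & owner_bit)
    if f["group"] in groups.get(user, set()):
        return bool(f["mode"] & group_bit)
    return bool(f["mode"] & other_bit)


def dac_chmod(files, user, path, new_mode):
    """Discretionary: the owner (or root) may loosen or tighten permissions at will.
    That is also the weakness: any program running as the owner can do this too."""
    if user != "root" and user != files[path]["owner"]:
        raise PermissionError(f"{user} does not own {path}")
    files[path]["mode"] = new_mode


# RBAC: permissions hang off roles; the administrator assigns roles to users.
ROLE_PERMS = {
    "auditor": {("read", "audit-log")},
    "operator": {("read", "audit-log"), ("restart", "web-service")},
    "admin": {("read", "audit-log"), ("restart", "web-service"), ("write", "firewall-policy")},
}
USER_ROLES = {"alice": {"operator"}, "bob": {"auditor"}, "dave": {"admin"}}


def rbac_allows(user, op, resource, user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> bool:
    """Access is granted only through a role; a user with no role can do nothing."""
    return any((op, resource) in role_perms[role] for role in user_roles.get(user, set()))
```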

Auditing

Auditing is useful in tracking and logging the activities on computers and computer networks. By auditing,
we can track the activities on a computer or network and link them to specific user accounts or sources of
activity. Audit logs are also the evidence we collect later when investigating illegal activity, so they
must be protected from modification by the very accounts they record.

All current operating systems include functions for auditing. In the next lesson we will learn how to
configure auditing in Windows Server 2003 to detect unauthorized access to files.

Introduction to Auditing in Windows 2003

Auditing is specifically designed into most features of Windows Server 2003. Auditing waits for a specific
event to occur and then records it in the Security log, which is viewed in the Event Viewer. Audit events
in Windows 2003 are divided into two types, success events and failure events; failure events are usually
the more interesting ones for detecting attacks. Auditing can be used for user logon/logoff events and
file access events, among others. Auditing is turned on through an Audit Policy, which is part of Group
Policy.

There are nine auditing settings that can be configured on a Windows 2003 computer:

Audit Account Logon Events: Reports credential validation, i.e. logon attempts recorded on the computer
that validates the account (the domain controller for domain accounts).

Audit Account Management: Reports creation, deletion and changes of user accounts and groups, and
password resets.

Audit Directory Service Access: Reports access to Active Directory objects (an audit entry must also be
set on the object itself).

Audit Logon Events: Reports users logging on and off, or making a network connection, on the computer
configured to audit logon events.

Audit Object Access: Reports access to files, folders, registry keys and printers. In addition to this
policy, a System Access Control List (SACL) must be set on each object to be audited, otherwise nothing is
logged.

Audit Policy Change: Reports changes to the audit policy, user rights assignment and trust policies.

Audit Privilege Use: Reports a user exercising a user right (privilege), for example taking ownership of
an object.

Audit Process Tracking: Reports process creation and exit and related events on the computer.

Audit System Events: Reports system events such as startup and shutdown, including events that affect the
security log itself (for example the log being cleared).

Auditing is configured in the Audit Policy section of a Group Policy Object (Computer Configuration >
Windows Settings > Security Settings > Local Policies > Audit Policy). Select the GPO that applies to the
computers you need to audit.

Types of Network Attacks

Networks are always susceptible to unauthorized monitoring and to different types of network attacks. If
you have not implemented proper security measures and controls in your network, there is a chance of
attacks from both inside and outside your network. The following chapters explain the different types of
network attacks listed below.

Types of attacks - Denial of Service (DoS) attack

The idea of a DoS attack is to reduce the quality of service offered by a server, or to crash the server
with a heavy workload. A DoS (Denial of Service) attack does not involve breaking into the target server.
It is normally achieved either by overloading the target network or server with traffic, or by sending
malformed network packets that crash or confuse the target network or server.

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate
users of a service from using that service. Some examples are

• Attempts to "flood" a network, thereby preventing legitimate network traffic.

• Attempts to disrupt connections between two machines, thereby preventing access to a service.

• Attempts to prevent a particular individual from accessing a service.

• Attempts to disrupt service to a specific system or person.

One simple early DoS attack was called the "Ping of Death". It exploited the simple TCP/IP troubleshooting
tool ping: the attacker sent an oversized, fragmented ICMP echo request (larger than the 65535-byte
maximum IP packet size), and vulnerable TCP/IP stacks crashed when they tried to reassemble it. Modern
stacks are patched against it, but it illustrates that a DoS attack does not always need a flood of
traffic; a single malformed packet can be enough.

How to minimize the Denial of Service (DoS) attack impact

The impact of a Denial of Service (DoS) attack can be minimized if you take precautions against it. The
following tips can help in minimizing the effect of a DoS attack.

• Monitor the server's system performance and record the normal operating levels for disk, CPU and
network traffic. Keep monitoring to detect any deviation from these baseline values.

• Monitor the amount and type of network packets that travel through your network or gateways.

• Keep your software updated with any available patches, and watch reports from security organizations
about new threats.

• Implement network security devices which can detect any Denial of Service (DoS) attack.

• Record the details of any Denial of Service (DoS) attack to prevent future attacks. Log and report the
following details.

1) The time of the attack

2) Your IP address at the time of attack

3) The attacker's IP address

4) Other details and the nature of attack


• Report the details of attack to your Service Provider and seek their help.

Types of attacks -Distributed Denial of Service (DDoS) attack

A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack in which
multiple systems flood the bandwidth or overload the resources of a targeted server.

In a DDoS attack, an intruder first compromises one computer and makes it the DDoS master (handler).
Using this master, the intruder identifies and communicates with other systems that can be compromised,
then installs DDoS tools on all of them. With a single command, the intruder instructs the compromised
computers (the agents, or bots) to launch flood attacks against the target server. Thousands of
compromised computers then flood or overload the resources of the target server, preventing legitimate
users from accessing the services it offers. Because the traffic comes from many sources, it cannot be
stopped by blocking a single address.

Types of attacks - SYN attack

Before understanding what a SYN attack is, we need to know about the TCP three-way handshake. A
Transmission Control Protocol (TCP) session is initiated with a three-way handshake: the two communicating
computers exchange a SYN, a SYN/ACK and an ACK. The initiating computer sends a SYN packet, to which the
responding host issues a SYN/ACK and waits for an ACK reply from the initiator. Until that ACK arrives,
the responder keeps a half-open connection in its backlog.

The SYN flood is the most common type of flooding attack. The attacker sends a large number of SYN packets
to the victim, which allocates a half-open connection for each one and waits for the final ACK that never
comes; the third part of the TCP three-way handshake is never executed. Once the backlog of half-open
connections is full, new SYNs from real clients are dropped and the service is effectively down. The
source address of the SYN packets in a SYN flood is typically spoofed, usually set to an unreachable host
so that the SYN/ACKs are never answered, and as a result it is very hard to find the attacking computer.

SYN cookies provide protection against SYN floods. With SYN cookies, the TCP software chooses the initial
sequence number of its SYN/ACK so that it encodes the connection details in a keyed hash; the server
stores nothing for the half-open connection and, when the final ACK arrives, it reconstructs what it needs
from the acknowledgement number. Stateful firewalls which reset pending TCP connections after a specific
timeout can also reduce the effect of a SYN attack.
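The SYN flood and the SYN cookie defense above, as an added Python example that is not from the original lesson: StatefulBacklog shows how half-open connections exhaust a fixed backlog, and make_cookie()/check_cookie() implement a simplified SYN cookie (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple). The layout and the MSS table are assumptions modelled on the scheme Linux uses, not its exact bit assignment, and the addresses are constructed.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)                 # server-side secret; real stacks rotate it
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values that fit the 3-bit field (assumed table)


class StatefulBacklog:
    """Without cookies: every SYN occupies a slot until its ACK arrives or a timeout fires."""

    def __init__(self, capacity: int, timeout: float = 60.0):
        self.capacity, self.timeout, self.half_open = capacity, timeout, {}

    def on_syn(self, conn, now: float) -> bool:
        """Returns False when the backlog is full and the SYN has to be dropped."""
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[conn] = now
        return True


def _hash24(src, dst, sport, dport, counter) -> int:
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now) -> int:
    """ISN for the SYN/ACK: counter (64 s units) | MSS index | keyed hash of the 4-tuple.
    Nothing is stored for the half-open connection."""
    counter = int(now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now):
    """On the final ACK, rebuild the cookie from the packet alone. Returns the
    recovered MSS, or None if the ACK does not match a SYN/ACK we sent recently."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    if (int(now // 64) - counter) & 0x1F > 1:           # older than about two minutes
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

The price of the cookie is visible in the code: only what fits in 32 bits survives (an approximate MSS, no TCP options), which is why real stacks switch cookies on only once the backlog overflows.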

Types of attacks - Sniffer Attack

A sniffer is an application that can capture network packets. Sniffers are also known as network protocol
analyzers. While protocol analyzers are really network troubleshooting tools, they are also used by
attackers. If the network packets are not encrypted, the data within them can be read with a sniffer.
Sniffing refers to the process attackers use to capture network traffic with a sniffer; once captured,
the contents of the packets can be analyzed. Attackers use sniffers to capture sensitive network
information such as passwords and account details sent by protocols that do not encrypt them (Telnet,
FTP, HTTP and POP3 are the classic examples). On a switched network a sniffer normally sees only traffic
addressed to its own port, so attackers combine it with ARP spoofing or a mirror port to see other hosts'
traffic.

Many sniffers are available for free download. Important sniffers are Wireshark, Dsniff, EtherPeek,
sniffit etc.
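An added Python example (not from the original lesson, and not taken from any of the tools named) of what a sniffer does: it dissects Ethernet/IPv4/TCP frames down to the payload and pulls a user ID and password out of a cleartext FTP login. The frames are constructed in the script with build_frame(); the addresses, MACs and credentials are made up for the demo.

```python
import struct


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build an Ethernet II / IPv4 / TCP frame for the sample capture. Checksums
    are left at zero; a sniffer reads the fields regardless."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Dissect a frame the way a protocol analyser does, down to the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {}                                   # not IPv4; ignored here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9]}
    if pkt["proto"] != 6:
        return pkt                                  # not TCP
    tcp = ip[ihl:]
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
    pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]       # data offset is in 32-bit words
    return pkt


def extract_credentials(frames) -> list:
    """What an attacker gets from a cleartext login: FTP-style USER/PASS lines."""
    found, user = [], None
    for frame in frames:
        pkt = parse_frame(frame)
        for line in pkt.get("payload", b"").decode("ascii", "replace").split("\r\n"):
            if line.startswith("USER "):
                user = line[5:]
            elif line.startswith("PASS ") and user is not None:
                found.append((pkt["src"], pkt["dst"], user, line[5:]))
                user = None
    return found


# Constructed capture of one cleartext FTP login (not real traffic).
CLIENT_MAC, SERVER_MAC = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
SAMPLE_CAPTURE = [
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.20", 51000, 21, b"USER alice\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, "10.0.0.20", "10.0.0.5", 21, 51000, b"331 Password required\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.20", 51000, 21, b"PASS s3cret\r\n"),
]
```

Nothing here breaks any cryptography: the parser simply follows the headers, which is exactly why moving the login to an encrypted protocol (SFTP, FTPS, SSH) is the defense.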

Types of attacks - Man-In-The-Middle (MITM) attack

A Man-In-The-Middle (MITM) attack is the type of attack where the attacker inserts himself into an
existing communication between two computers and then monitors, captures and controls the communication.
In a man-in-the-middle attack, the intruder assumes a legitimate user's identity to gain control of the
network communication, and the other end of the communication path believes it is still talking to you
and keeps exchanging data. A closely related attack is session hijacking, in which the attacker takes
over a legitimate user's already established session to control the communication.

Many preventive methods are available against Man-In-The-Middle (MITM) attacks, and some are listed
below.

• Public Key Infrastructure (PKI) technologies, so that each endpoint can verify the other's certificate
(as TLS does) and an interposed attacker cannot present a valid key

• Verifying delays in communication, since a relayed connection shows unexpected latency

• Stronger mutual authentication, so that both sides prove their identity rather than only the client

Types of attacks - IP Address Spoofing Attack

IP address spoofing is a type of attack in which an attacker forges the source Internet Protocol (IP)
address of IP packets to make it appear as though the packets come from another, valid IP address. In IP
address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other
systems or to hide the identity of the sender.

To explain this clearly: in IP address spoofing, the address placed in the source field of the IP header
is not the real IP address of the computer where the packet originated. By changing the source IP address,
the actual sender can make it look as if the packet was sent by another computer; the response from the
target is then sent to the fake address specified in the packet, and the identity of the attacker is also
protected. This is why spoofing is mostly used with one-way traffic such as flood attacks, where the
attacker does not need the replies.

Packet filtering is a method of preventing IP spoofing attacks. Blocking packets arriving from outside
the network with a source address inside the network (ingress filtering), and blocking packets leaving
the network with a source address that does not belong to the network (egress filtering), can help
prevent IP spoofing attacks; this is the practice recommended in BCP 38 (RFC 2827).
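The ingress/egress filtering rule above, as an added Python example that is not from the original lesson: the address plan (192.0.2.0/24 and 10.0.0.0/8 as our own prefixes) and the flow records are assumptions constructed for the demo. In production this logic lives in router ACLs or unicast reverse-path forwarding checks; the code shows the decision the filter makes.

```python
import ipaddress

# Constructed address plan (assumption): the prefixes this site owns.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Sources that must never arrive from the Internet, whoever they claim to be.
UNROUTABLE = [ipaddress.ip_network(p) for p in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in(addr, networks) -> bool:
    return any(addr in net for net in networks)


def filter_packet(direction: str, src: str):
    """Border filter decision. direction 'in' = packet arriving from the Internet
    (ingress), 'out' = packet leaving our network (egress). Returns (verdict, reason)."""
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if _in(addr, OUR_PREFIXES):
            return "drop", "ingress: source claims to be inside our network"
        if _in(addr, UNROUTABLE):
            return "drop", "ingress: unroutable source address"
        return "accept", ""
    if direction == "out":
        if not _in(addr, OUR_PREFIXES):
            return "drop", "egress: source is not ours (spoofing or misconfigured host)"
        return "accept", ""
    raise ValueError("direction must be 'in' or 'out'")


def apply_to_flows(flows):
    """Run the filter over (direction, src, dst) records and return the dropped ones."""
    dropped = []
    for direction, src, dst in flows:
        verdict, reason = filter_packet(direction, src)
        if verdict == "drop":
            dropped.append((direction, src, dst, reason))
    return dropped


# Constructed flow records, not a real log.
SAMPLE_FLOWS = [
    ("in", "198.51.100.4", "192.0.2.10"),     # normal inbound traffic
    ("in", "192.0.2.77", "192.0.2.10"),       # spoofed: our own address arriving from outside
    ("in", "127.0.0.1", "192.0.2.10"),        # spoofed loopback source
    ("out", "10.1.2.3", "198.51.100.4"),      # normal outbound traffic
    ("out", "203.0.113.9", "198.51.100.4"),   # our host sending with a forged source
]
```

Egress filtering protects other people from your network; it is the half most often skipped, and the half that would have stopped the spoofed floods described earlier.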


ARP (Address Resolution Protocol) Spoofing Attacks

A computer connected to an IP/Ethernet Local Area Network has two addresses. One is the MAC (Media Access
Control) address, a globally unique address assigned by the manufacturer and burned into the network card
itself, although most operating systems allow it to be overridden in software. MAC addresses are
necessary so that the Ethernet protocol can send data back and forth, independent of whatever application
protocols are used on top of it. Ethernet sends and receives data based on MAC addresses. The MAC address
is also known as the Layer 2 address, physical address or hardware address.

Other address is the IP address. IP is a protocol used by applications, independent of whatever network
technology operates underneath it. Each computer on a network must have a unique IP address to
communicate. Applications use IP address to communicate. IP address is also known as Layer 3 address
or Logical address.

To explain it more clearly, applications use the IP address for communication and the underlying hardware
uses the MAC address. If an application running on one computer needs to communicate with another
computer using its IP address, the first computer must first resolve the MAC address of the second
computer, because the lower layer Ethernet technology uses MAC addresses to deliver data; this is what
ARP (Address Resolution Protocol) does.

Operating systems keep a cache of ARP replies to minimize the number of ARP requests. ARP is a stateless
protocol, and many operating systems will update an existing cache entry when a reply is received,
regardless of whether they sent out an actual request. There is no authentication in ARP at all: any host
on the LAN can claim any IP address.

ARP spoofing attacks (also called ARP cache poisoning) help an attacker to sniff data frames on a local
area network (LAN), modify the traffic etc. ARP spoofing attacks are made by sending fake ARP messages
onto the Ethernet LAN. The purpose is to associate the attacker's MAC address with the IP address of
another computer, generally the default gateway. Any traffic sent to the default gateway would then be
delivered to the attacker instead. The attacker can forward the traffic to the real default gateway after
sniffing it, or modify the data before forwarding it, which also makes this a common way to build a
man-in-the-middle position on a switched LAN. Static ARP entries for the gateway and Dynamic ARP
Inspection on managed switches are the usual defenses.
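The ARP cache behaviour and the poisoning attack above, as an added Python example that is not from the original lesson: a constructed sequence of ARP packets (not a real capture) is run through a model of a vulnerable cache, a detector that flags unsolicited replies, changed mappings and one MAC claiming several IPs, and a hardened cache with a pinned gateway entry. Addresses and MACs are made up.

```python
from collections import defaultdict

# Constructed ARP traffic as seen by the victim 10.0.0.5 (not a real capture):
# (time, opcode, sender_ip, sender_mac, target_ip); opcode 1 = request, 2 = reply.
PACKETS = [
    (0.0, 1, "10.0.0.5", "00:11:22:33:44:55", "10.0.0.1"),   # victim asks who has the gateway
    (0.1, 2, "10.0.0.1", "aa:bb:cc:dd:ee:01", "10.0.0.5"),   # genuine gateway reply
    (5.0, 2, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),   # unsolicited: attacker claims the gateway
    (5.1, 2, "10.0.0.20", "de:ad:be:ef:00:01", "10.0.0.5"),  # same MAC also claims another host
]


def vulnerable_cache(packets) -> dict:
    """Models an OS that updates its ARP cache on any reply, solicited or not."""
    cache = {}
    for _t, op, sip, smac, _tip in packets:
        if op == 2:
            cache[sip] = smac
    return cache


def detect(packets, request_window: float = 2.0) -> list:
    """Detector for a host or IDS: flags replies nobody asked for, mappings that
    change, and one MAC answering for several IPs. Returns (time, reason, subject, detail)."""
    requests, seen, mac_to_ips, alerts = {}, {}, defaultdict(set), []
    for t, op, sip, smac, tip in packets:
        if op == 1:
            requests[tip] = t
            continue
        if sip not in requests or t - requests[sip] > request_window:
            alerts.append((t, "unsolicited reply", sip, smac))
        if sip in seen and seen[sip] != smac:
            alerts.append((t, "mapping changed", sip, f"{seen[sip]} -> {smac}"))
        mac_to_ips[smac].add(sip)
        if len(mac_to_ips[smac]) > 1:
            alerts.append((t, "one MAC for several IPs", smac, sorted(mac_to_ips[smac])))
        seen[sip] = smac
    return alerts


def hardened_cache(packets, pinned: dict) -> dict:
    """Mitigation: static entries for critical hosts (the gateway) are never
    overwritten, and replies that answer no recent request are ignored."""
    cache, requests = dict(pinned), {}
    for t, op, sip, smac, tip in packets:
        if op == 1:
            requests[tip] = t
        elif sip not in pinned and sip in requests and t - requests.pop(sip) <= 2.0:
            cache[sip] = smac
    return cache
```

The "mapping changed" and "one MAC for several IPs" signals are what tools such as arpwatch and switch-side Dynamic ARP Inspection key on; the unsolicited-reply check alone produces false alarms on LANs where hosts send gratuitous ARP after boot.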

DNS (Domain Name System) Spoofing Attacks

DNS is short for Domain Name System. DNS is a required service in TCP/IP networks; it translates domain
names into IP addresses. Computers on the network communicate using IP addresses, which are 32-bit
numbers (for IPv4) that are difficult to remember. Domain names are alphabetic and easier for humans to
remember. When we use a domain name to communicate with another host, the DNS service must translate the
name into the corresponding IP address.

DNS servers keep a database of domain names and the corresponding IP addresses. DNS spoofing attacks are
made by changing the entry for a legitimate server in a DNS server so that it points to another IP
address, and then taking over the identity of that server.

Generally there are two types of DNS poisoning attacks: DNS cache poisoning and DNS ID spoofing.

In DNS cache poisoning, a DNS server is made to cache entries which did not originate from an
authoritative DNS source. In DNS ID spoofing, an attacker guesses or intercepts the 16-bit transaction ID
of an outstanding DNS query and sends a forged reply carrying a fake IP address with that ID before the
real answer arrives. Randomizing the resolver's source port as well as the ID makes such guesses far less
likely to succeed.

Phishing and Pharming attacks

A phishing attack is a combination of an e-mail spoofing attack and a web site spoofing attack. The
attacker starts the phishing attack by sending bulk e-mails impersonating a web site they have spoofed.
Normally the phishing e-mails seem to come from legitimate financial organizations like banks, alerting the
user that they need to log in to their account for one reason or another. A link is also provided in the
e-mail, which leads to a fake web site designed to look very similar to the bank's web site. Normally the
link's anchor text will be the real URL of the bank's web site, but the anchor's target will be a URL with the
IP address of a web site under the attacker's control. Once the user enters the userid/password
combination and submits those values, the attacker collects them and the web page is redirected to the
real site.
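The mismatch described above between what the anchor text shows and where the link really points can be checked mechanically, for instance in a mail gateway or a user-awareness tool. The following Python code is an added example, not part of the original text; the e-mail body, the bank domain examplebank.test and the address 192.0.2.10 are constructed sample values.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the page): the first anchor's text
# shows the bank's address while its href points at an IP-addressed host.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://192.0.2.10/login">https://www.examplebank.test/login</a>
<p>Or visit our home page:</p>
<a href="https://www.examplebank.test/">https://www.examplebank.test/</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:      # inside an open <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(text):
    """Lowercase host named in a URL-looking string, or None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, text, reason) for anchors whose real target does not match
    what the reader sees: an IP-literal host, or text naming a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host_of(href)
        shown = _host_of(text) if ("." in text and " " not in text) else None
        if target and _is_ip_literal(target):
            findings.append((href, text, "target host is an IP address"))
        elif shown and target and shown != target:
            findings.append((href, text, "anchor text names a different host"))
    return findings
```

Only the first link of the sample is reported; the second one points where its text says it does.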

Pharming is another spoofing attack, where the attacker tampers with the DNS (Domain Name System) so
that traffic to a web site is secretly redirected to a fake site altogether, even though the browser seems to
be displaying the web address you wanted to visit.

Types of attacks - Backdoor Attacks

A backdoor in an Operating System or a complex application is a method of bypassing normal
authentication to gain access. During the development of an Operating System or application,
programmers add backdoors for different purposes. The backdoors are removed when the product is
ready for shipping or production. When a backdoor is detected that was not removed, the vendor releases
a maintenance upgrade or patch to close the backdoor.

Another type of backdoor can be an installed program, or a modification to an existing program. The
installed program may allow a user to log on to the computer without a password, with administrative
privileges. Many programs are available on the internet to create backdoor attacks on systems. One of the
more popular tools is Back Orifice, which is also available for free download on the internet.

Types of attacks - Password Guessing Attacks

Another type of network attack is the password guessing attack. Here a legitimate user's access rights to
a computer and network resources are compromised by identifying the userid/password combination of
the legitimate user.

Password guessing attacks can be classified into two types.

Brute Force Attack: A brute force attack is a type of password guessing attack that consists of trying
every possible code, combination, or password until the correct one is found. This type of attack may take
a long time to complete. A complex password makes the time needed to identify it by brute force
long.

Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a dictionary
of common words to identify the user’s password.

Defense against Network Attack

The following tips will help you to keep your network secure against unauthorized
monitoring and network attacks.

Configuration Management

The main weapon in network attack defense is tight configuration management. The following measures
should be strictly implemented as part of configuration management.

• All the machines in your network should be running up-to-date copies of the operating system, and they
should be updated immediately whenever a new service pack or patch is released.

• All the configuration files of your Operating Systems or Applications should be protected with appropriate
access permissions.

• All the default passwords in your Operating Systems or Applications should be changed after the
installation.

• You should implement tight security for root/Administrator passwords.

Firewalls

Another weapon for defense against network attacks is the firewall. A firewall is a device and/or software
that stands between a local network and the Internet and filters traffic that might be harmful. Firewalls can
be classified into four types based on whether they filter at the IP packet level, at the TCP session level,
at the application level, or a hybrid of these.

1. Packet Filtering: Packet filtering firewalls function at the IP packet level. Packet filtering firewalls
filter packets based on addresses and port numbers. Packet filtering firewalls can be used as a weapon in
network attack defense against Denial of Service (DoS) attacks and IP spoofing attacks.

2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that they can
reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway firewalls can
also provide a Virtual Private Network (VPN) over the Internet by encrypting traffic from firewall to firewall.

3. Application Proxies: Application proxy-based firewalls function at the application level. At this level, you
can block or control traffic generated by applications. Application Proxies can provide very comprehensive
protection against a wide range of threats.

4. Hybrid: A hybrid firewall may consist of packet filtering combined with an application proxy firewall,
or a circuit gateway combined with an application proxy firewall.
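As an added illustration of the packet filtering type (not code from the original text), the following Python example evaluates a first-match rule set on source and destination address, protocol, port and arrival interface. The interface names, the 10.0.0.0/8 internal range and the web server address are constructed assumptions; the first two rules drop packets arriving from the Internet that claim an internal or loopback source, which is the IP spoofing defense mentioned above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str      # arrival interface: "ext" (Internet) or "int" (LAN); constructed names
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "drop"
    iface: str = "*"
    src: str = "0.0.0.0/0"      # CIDR ranges; 0.0.0.0/0 matches any IPv4 address
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

INTERNAL = "10.0.0.0/8"      # constructed internal address range
WEB_SERVER = "10.0.0.5/32"   # constructed address of the public web server

# Constructed first-match rule set: anti-spoofing rules first, then the one
# service exposed to the Internet, then outbound LAN traffic, then default deny.
RULESET = [
    Rule("drop", iface="ext", src=INTERNAL),       # "internal" source from outside: spoofed
    Rule("drop", iface="ext", src="127.0.0.0/8"),  # loopback never arrives on the wire
    Rule("allow", iface="ext", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", iface="int", src=INTERNAL),      # anything outbound from the LAN
    Rule("drop"),                                  # explicit default deny
]

def filter_packet(p: Packet, rules=RULESET) -> str:
    """Return the action of the first rule that matches p ("drop" if none does)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"

if __name__ == "__main__":
    spoofed = Packet("ext", "10.1.2.3", "10.0.0.5", "tcp", 443)
    print("spoofed packet ->", filter_packet(spoofed))
```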

Encryption

Encryption is another great weapon used in defense against network attacks.

Encryption can provide protection against eavesdropping and sniffer attacks. Public Key Infrastructure
(PKI) technologies, Internet Protocol Security (IPSec), and Virtual Private Networks (VPN), when
implemented properly, can secure your network against network attacks.

Other tips for defense against network attacks are:

• Restricting privileges at different levels, and strict password policies

• Tight physical security for all your machines, especially servers.

• Tight physical security and isolation for your back up data.

Types of Malwares

Malware is an abbreviation of "malicious software". Malware programs are designed to infiltrate a computer
without the owner's knowledge. Malware includes all malicious software, like tracking cookies (which
are used to monitor your surfing habits), keyloggers, Trojan horses, worms, and viruses.

The following sections give you a basic knowledge of the different types of malware.

Adware, Toolbars and Hijackers

Adware

Adware is a type of malware which downloads advertisement content from the internet and displays
advertisements in the form of pop-ups, pop-unders, etc. Once adware is installed on a computer, it is
not dependent on your browser and can display advertisements stand-alone. Pop-up
blockers also cannot block these pop-ups. Adware is always an annoyance to the computer user.

Toolbars

Toolbars are available as plug-ins to browsers which provide additional functionality such as search forms
or pop-up blockers. Examples of useful toolbars are the Google Toolbar, Yahoo Toolbar, Ask Toolbar, etc.
There are also malware toolbar plug-ins which are installed without the user's consent and display
advertisements and perform other nuisance activities.

Hijackers

Hijackers are another type of malware that take control of the behavior of your web browser, like the home
page, default search pages, toolbars, etc. Hijackers redirect your browser to another URL if you mistype the
URL of the web site you want to visit. Hijackers can also prevent you from opening a particular web site.
Hijackers are an annoyance to users who use the browser often.

Keyloggers

A keylogger or keystroke logger is a program or a hardware device that logs every keystroke you make on
your computer and then sends that information, including passwords, bank account numbers, and credit
card numbers, to whoever is controlling the malware.

A hardware keylogger is a small hardware device which is normally installed between the keyboard port
and the keyboard. The hardware keylogger then tracks all user keystrokes and saves them to its
internal memory. Hardware keyloggers are available in different memory capacities.

A software keylogger is a program which can track and save all the keystrokes of the user on a computer.
Software keyloggers are normally cheaper than hardware keyloggers. Software keyloggers run
invisibly to the user being monitored and hide themselves from the Task Manager and from Add/Remove
Programs. Many software keyloggers also support remote installation.

Computer Viruses

A computer virus is another type of malware which, when executed, tries to replicate itself into other
executable code available on the infected computer. If the virus is able to copy itself into other
executable code, that code is then infected with the virus, and when it is executed it can in turn infect
further executable code. The key difference between a virus and other malware is this self-replication
capability.

Normally, viruses propagate within a single computer, or may travel from one computer to another using
storage media like CD-ROM, DVD-ROM, USB flash drive etc.

A Computer Virus program normally has the following mechanisms.

• A propagation mechanism that allows the virus to move from one computer to another computer.

• A replication mechanism that allows the virus to attach itself to another executable program.

• A trigger mechanism that is designed to execute the replication mechanism of the virus.

• A set of tasks that perform the mischievous activities on the victim computer.

Types of Computer Viruses

Computer viruses are classified according to the nature of their infection and behavior. The different
classes of computer virus are given below.

• Boot Sector Virus: A boot sector virus infects the first sector of the hard drive, where the Master Boot
Record (MBR) is stored. The MBR stores the disk's primary partition table and the bootstrapping
instructions which are executed after the computer's BIOS passes execution to machine code. If a
computer is infected with a boot sector virus, the virus launches immediately when the computer is turned
on and is loaded into memory, enabling it to control the computer.

• File Deleting Viruses: A file deleting virus is designed to delete critical files which are part of the
Operating System, or data files.

• Mass Mailer Viruses: Mass mailer viruses search e-mail programs like MS Outlook for e-mail addresses
stored in the address book and replicate by e-mailing themselves to the addresses stored in the
address book of the e-mail program.

• Macro Viruses: Macro viruses are written using macro programming languages like VBA, which
is a feature of the MS Office package. A macro is a way to automate and simplify a task that you perform
repeatedly in the MS Office suite (MS Excel, MS Word, etc.). These macros are usually stored as part of the
document or spreadsheet and can travel to other systems when these files are transferred to other
computers.

• Polymorphic Viruses: Polymorphic viruses have the capability to change their appearance and change
their code every time they infect a different system, in order to avoid detection and disinfection by
anti-virus applications. After doing their work, these viruses try to hide from the anti-virus application by
encrypting parts of the virus itself. This is known as mutation.

• Armored Viruses: Armored viruses are viruses that are designed and written to make themselves
difficult to detect or analyze. An armored virus may also have the ability to protect itself from antivirus
programs, making it more difficult to disinfect.

• Stealth Viruses: Stealth viruses have the capability to hide from the operating system or anti-virus
software by making changes to file sizes or the directory structure. Stealth viruses are anti-heuristic in
nature, which helps them to hide from heuristic detection.

• Retrovirus: A retrovirus is another type of virus which tries to attack and disable the anti-virus application
running on the computer. A retrovirus can be considered an anti-antivirus. Some retroviruses attack the
anti-virus application and stop it from running, while others destroy the virus definition database.

• Multiple Characteristic Viruses: Multiple characteristic viruses combine the characteristics of different
kinds of viruses and have several of their capabilities.

Worms

A worm has characteristics similar to a virus. Worms are also self-replicating, but a worm replicates
in a different way. Worms are standalone: when a computer is infected, the worm searches for
other computers connected through a local area network (LAN) or Internet connection. When a worm finds
another computer, it replicates itself to the new computer and continues to search for other computers on
the network to replicate to.

Due to the nature of replication through the network, a worm normally consumes a lot of system resources,
including network bandwidth, causing network servers to stop responding.

Different types of Computer Worms are:

• Email Worms: Email worms spread through infected e-mail messages, as an attachment or as a link to an
infected web site.

• Instant Messaging Worms: Instant Messaging Worms spread by sending links to the contact list of
instant messaging applications.

• Internet Worms: An Internet worm will scan all available network resources using local operating system
services and/or scan the Internet for vulnerable machines. If a computer is found to be vulnerable, the worm
will attempt to connect to it and gain access.

• IRC Worms: IRC worms spread through IRC chat channels, sending infected files or links to infected
web sites.

• File-sharing Network Worms: File-sharing network worms place a copy of themselves in a shared folder
and spread via the P2P network.

Logic Bombs

A logic bomb is a program, or a part of another program, which will trigger a malicious function when
specified conditions are met. Normally a logic bomb does not replicate itself, and therefore a logic bomb will
not spread to unintended victims. Logic bombs are written and targeted against a specific victim.

A logic bomb is code which consists of two parts:

• A payload, which is the action to perform and normally has a malicious effect.

• A trigger, a Boolean condition that is evaluated and controls when the payload is executed. The trigger
can be a date, the user who is logged in, network conditions, etc.

Trojan Horses

The Trojan horse is another kind of malware, which got its name from the mythological Trojan horse. In the
Trojan War, the Greeks conquered and destroyed the city of Troy by constructing a huge wooden horse and
hiding Greek soldiers inside it. The Trojans pulled the horse into their city as a victory trophy. At night the
Greek soldiers came out of the horse and opened the gates for the rest of the Greek army to capture the
city of Troy.

Trojan horse malware normally appears to be useful software but will actually do damage once
installed or run on your computer. Trojan horses are normally designed to give hackers access to a system.
Trojan horses appear as useful programs but give hackers the ability to change file settings, steal
files or passwords, damage or alter files, monitor users on computers, etc.

Trojan horses can alter or delete files on the infected computer, download files to the infected
computer, modify registry settings, steal passwords, log keystrokes, disable anti-virus applications, etc.

Rootkits

A rootkit is another type of malware that has the capability to conceal itself from the Operating System
and the antivirus application on a computer. A rootkit provides continuous root level (super user) access to
the computer where it is installed. The name rootkit came from the UNIX world, where the super user is
"root" and a set of tools is a "kit".

Rootkits are installed by an attacker for a variety of purposes. Rootkits can provide the attacker root level
access to the computer via a backdoor, rootkits can conceal other malware installed on the
target computer, rootkits can turn the computer they are installed on into a zombie computer for network
attacks, rootkits can be used to steal encryption keys and passwords, etc. Rootkits are more dangerous
than other types of malware because they are difficult to detect and cure.

Different types of Rootkits are explained below.

Application Level Rootkits: Application level rootkits operate inside the victim computer by replacing
standard application files with rootkit files, or by changing the behavior of existing applications with
patches, injected code, etc.

Kernel Level Rootkits: The kernel is the core of the Operating System, and kernel level rootkits are created
by adding additional code to, or replacing portions of, the core operating system with modified code via
device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel level rootkits can have a serious
effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect
because they have the same privileges as the Operating System, and therefore they can intercept or
subvert operating system operations.

Hardware/Firmware Rootkits: Hardware/firmware rootkits hide themselves in hardware such as a network
card, the system BIOS, etc.

Hypervisor (Virtualized) Level Rootkits: Hypervisor (virtualized) level rootkits are created by
exploiting hardware features such as Intel VT or AMD-V (hardware assisted virtualization technologies).
Hypervisor level rootkits host the target operating system as a virtual machine, and therefore they can
intercept all hardware calls made by the target operating system.

Boot Loader Level (Bootkit) Rootkits: Bootkits replace or modify the legitimate boot loader with another
one, enabling the bootkit to be activated even before the operating system is started. Bootkits are a
serious threat to security because they can be used to steal encryption keys and passwords.

SQL Injection Attacks

An SQL injection attack is another type of attack, which exploits applications that use client-supplied data
in SQL statements. Here malicious code is inserted into strings that are later passed to the database
application for parsing and execution. The common method of SQL injection attack is the direct insertion of
malicious code into user-input variables that are concatenated with SQL commands and executed. Another
type of SQL injection attack injects malicious code into strings that are stored in tables; the actual SQL
injection attack is then carried out later by the attacker, when the stored string is used in a query.

The following example shows the simplest form of SQL injection.

var UserID;
UserID = Request.Form("UserID");   // value taken straight from the submitted form field
var InfoUser = "select * from UserInfo where UserID = '" + UserID + "'";   // user input concatenated into the SQL text

If the user fills the field with the correct value of his UserID (F827781), after the script executes the
above SQL query will look like

SELECT * FROM UserInfo WHERE UserID = 'F827781'

Consider the case when a user fills the field with the entry below (note the single quote, which closes the
string literal in the query).

F827781'; drop table UserInfo--

After the execution of the script, the SQL code will look like

SELECT * FROM UserInfo WHERE UserID = 'F827781'; drop table UserInfo--'

This will ultimately result in the deletion of the table UserInfo, because everything after -- (including the
query's own closing quote) is treated as an SQL comment.
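The following Python example (added here, not code from the original text) reproduces the concatenation above against a constructed in-memory SQLite table and contrasts it with a parameterised query, which is the standard mitigation. sqlite3's executescript() stands in for a database driver that executes batched statements; that substitution, the table contents and the payload are assumptions of the example.

```python
import sqlite3

# Constructed payload: the single quote closes the query's string literal, the
# semicolon starts a second statement, and "--" comments out the trailing quote.
PAYLOAD = "F827781'; drop table UserInfo--"

def setup_db():
    """Constructed in-memory UserInfo table with sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (UserID TEXT PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?)",
                     [("F827781", "Alice"), ("G113355", "Bob")])
    conn.commit()
    return conn

def build_query_vulnerable(user_id):
    """The same string concatenation as the page's script."""
    return "SELECT * FROM UserInfo WHERE UserID = '" + user_id + "'"

def lookup_vulnerable(conn, user_id):
    """Hands the concatenated text to a driver that runs every statement it is
    given. sqlite3's execute() refuses batched statements, so executescript()
    stands in for such a driver here (an assumption of this example)."""
    conn.executescript(build_query_vulnerable(user_id))

def lookup_safe(conn, user_id):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM UserInfo WHERE UserID = ?",
                        (user_id,)).fetchall()

def table_exists(conn):
    """True while the UserInfo table is still present in the schema."""
    row = conn.execute("SELECT name FROM sqlite_master "
                       "WHERE type = 'table' AND name = 'UserInfo'").fetchone()
    return row is not None

if __name__ == "__main__":
    conn = setup_db()
    print(build_query_vulnerable(PAYLOAD))
    print("parameterised lookup returns:", lookup_safe(conn, PAYLOAD))
    lookup_vulnerable(conn, PAYLOAD)
    print("UserInfo still exists after vulnerable lookup:", table_exists(conn))
```

The parameterised lookup simply finds no user with that odd name and the table survives; the concatenating version runs the attacker's DROP TABLE.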
