
1. Introduction to Security
Security refers to any measures taken to protect something. Examples of security
in the real world include locks on doors, alarms in our cars, and police officers.

Computer security is a field of computer science concerned with the control of risks
related to computer use. It describes the methods of protecting the integrity of data stored
on a computer. In computer security the measures taken are focused on securing
individual computer hosts.

Network security consists of the provisions made in an underlying computer network
infrastructure, the policies adopted by the network administrator to protect the network and
the network-accessible resources from unauthorized access, and the effectiveness (or lack of
it) of these measures combined. It starts with authenticating any user. Once a user is
authenticated, a firewall enforces access policies such as which services the network users
are allowed to access. Although a firewall prevents unauthorized access, it does not on its
own stop harmful content such as computer worms from being transmitted over the network. An
intrusion prevention system (IPS) helps detect and prevent such malware.

1.1 Threats in Network Security

The following are the general threats to the security of distributed systems.

Disclosure of information

Organizations maintain valuable information on their computer systems. This information
may be used by other parties in such a way as to damage the interests of the organization
owning the information. Therefore information stored on or processed by computer
systems must be protected against disclosure both internal and external to the user
organization.

Contamination of information

Valuable information may become worthless if unauthorized information is mixed with
it. The damage may be as great as the damage through information disclosure.

Unauthorized use of resources

Unauthorized use of resources may lead to destruction, modification, loss of integrity, etc.
of resources, and thus the authorization granted to individual users must be limited.

Misuse of resources

Authorized use of resources may give authorized individuals the opportunity to perform
activities that are harmful to the organization. Misuse of resources, intentional or
accidental, may be harmful to the organization through corruption, destruction,
disclosure, loss or removal of resources. Such misuse may affect the liability of an
organization for information entrusted to it or for transactions and information exchanged
with other organizations.

Unauthorized information flow

In a distributed system, information flow must be controlled not only between users of
end-systems but also between end-systems. Depending on the prevailing security policy,
information flow restrictions may be applied on the basis of the classification of data
objects and end-systems, user clearances, etc.

Repudiation of information flow

Repudiation of information flow involves denial of transmission or receipt of messages.
Since such messages may carry purchasing agreements, instructions for payment, etc., the
scope for criminal repudiation of such messages is considerable.

Denial of service

Because of the wide range of services performed with the aid of computer systems, denial
of service may significantly affect the capability of a user organisation to perform its
functions and to fulfill its obligations. Detection and prevention of denial of service must
be considered as part of any security policy.

1.2 Security Services

In order to protect against perceived threats, various security services need to be
provided. The main security services are:

Authentication
Authentication is the process of proving the identity of a user of a system by
means of a set of credentials. Credentials are the proof required by the system to
validate the identity of the user. The user can be the actual customer, a process, or even
another system. A person is validated through a credential. The identity is who the
person is. If a person has been validated through a credential, such as attaching a name to
a face, the name becomes a principal.
An authentication service is concerned with assuring that the communication is
authentic. In the case of a single message, such as a warning or alarm signal, the function
of the authentication service is to assure the recipient that the message is from the source
that it claims to be from. In the case of an ongoing interaction, such as the connection of a
terminal to a host, two aspects are involved. First, at the time of connection initiation, the
service assures that the two entities are authentic, that is, that each is the entity that it
claims to be. Second, the service must assure that the connection is not interfered with in
such a way that a third party can masquerade as one of the two legitimate parties for the
purpose of unauthorized transmission or reception.

Authorization
The process by which a user is given access to a system resource is known as
authorization. The authorization process is the check by the organization’s system to see
whether the user should be granted access to the user’s record. The user has logged in to
the system, but he still may not have the permission necessary from the system to access
the records.
When deploying a system, access to system resources should also be
mapped out. Security documents that detail the rights of individuals to specific resources
must be developed. These documents must distinguish between the owners and the users
of resources as well as read, write, delete, and execute privileges.

Confidentiality

Confidentiality is the protection of transmitted data from passive attack. With
respect to the release of message contents, several levels of protection can be identified.
The broadest service protects all user data transmitted between two users over a period of
time. Narrower forms of this service can also be defined, including the protection of a
single message or even specific fields within a message. The other aspect of
confidentiality is the protection of traffic flow from analysis. This requires preventing
the attacker from observing the destination, frequency, length, or other characteristics of
the traffic on a communications facility.

When the information is in a protected form, it is called ciphertext. Ciphertext is
produced by a cipher, which changes the plaintext into ciphertext. The cipher requires keys to
change the information from one form to the other.

Integrity
During the transmission or storage of data, information can be corrupted or
changed, maliciously or otherwise, by a user. Validation is the process of ensuring data
integrity. When data has integrity, it means that the data has not been modified or
corrupted. One technique for ensuring data integrity is called data hashing.

Integrity can apply to a stream of messages, a single message, or selected fields
within a message. Again the most useful and straightforward approach is total stream
protection. A connection-oriented integrity service, one that deals with a stream of
messages, assures that messages are received as sent, with no duplication, insertion,
modification, reordering or replay. The destruction of data is also covered under this
service. Thus, the connection-oriented integrity service addresses both message stream
modification and denial of service. On the other hand, a connection-less integrity service,
one that deals with individual messages only without regard to any larger context,
generally provides protection against message modification only.
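The following Python example is added here to illustrate the two integrity services just described; it is not part of the original notes. A plain hash (the "data hashing" technique mentioned above) only detects corruption, so the example uses a keyed hash (HMAC) for the per-message check. The connection-less check verifies a single message in isolation; the connection-oriented receiver adds a strict sequence number, so duplication, replay, reordering and insertion are also caught. The shared key and the three-message stream are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret for the example; a real deployment would obtain it
# from a key exchange or a key distribution service.
KEY = b"example-shared-secret-key"


def data_hash(payload: bytes) -> str:
    """Plain hashing: detects accidental corruption, but not deliberate tampering,
    because anyone can recompute the hash over the modified data."""
    return hashlib.sha256(payload).hexdigest()


def make_message(seq: int, payload: bytes, key: bytes = KEY) -> dict:
    """Sender side: bind the sequence number and payload together under a keyed MAC."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


def verify_message(msg: dict, key: bytes = KEY) -> bool:
    """Connection-less integrity: checks only that this one message is unmodified.
    A replayed copy of a genuine message still verifies."""
    expected = hmac.new(key, msg["seq"].to_bytes(4, "big") + msg["payload"],
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class StreamReceiver:
    """Connection-oriented integrity: per-message MAC plus strict sequence checking,
    so duplication, reordering, replay and insertion are detected as well."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected_seq = 0
        self.accepted = []

    def receive(self, msg: dict) -> str:
        if not verify_message(msg, self.key):
            return "rejected: modified or forged"
        if msg["seq"] < self.expected_seq:
            return "rejected: duplicate or replay"
        if msg["seq"] > self.expected_seq:
            return "rejected: out of order (gap before seq %d)" % msg["seq"]
        self.expected_seq += 1
        self.accepted.append(msg["payload"])
        return "accepted"


def run_demo() -> list:
    """Deliver a constructed three-message stream under several attack conditions."""
    stream = [make_message(i, p)
              for i, p in enumerate([b"transfer 100", b"to account 42", b"confirm"])]
    rx = StreamReceiver()
    results = [rx.receive(stream[0])]                    # genuine first message
    results.append(rx.receive(stream[0]))                # replay of the first message
    tampered = dict(stream[1], payload=b"to account 99")  # altered in transit
    results.append(rx.receive(tampered))
    results.append(rx.receive(stream[2]))                # arrives before message 1
    results.append(rx.receive(stream[1]))                # now in order
    results.append(rx.receive(stream[2]))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Note that `verify_message` alone accepts the replayed message, which is exactly the limitation of a connection-less service described above; only the receiver that tracks the stream context rejects it.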

Non-repudiation

Non-repudiation prevents either sender or receiver from denying a transmitted
message. Thus, when a message is sent, the receiver can prove that the message was in
fact sent by the alleged sender. Similarly, when a message is received, the sender can
prove that the message was in fact received by the alleged receiver. In other words, non-
repudiation of origin proves that data has been sent, and non-repudiation of delivery
proves it has been received.

Access Control

Access control is the ability to limit and control access to host systems and
applications via communication links. To achieve this control, each entity trying to gain
access must first be identified, or authenticated. The goal of access control is to be able
to specify and restrict access to subjects and resources to those users and processes which
have the appropriate permission. Access control is implemented according to a policy that
defines methods for both authentication and authorization, and applies to a security domain.
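The Python example below is added to tie together the Authentication, Authorization and Access Control services above; it is not code from the original notes. A credential store validates a password against a salted, iterated hash and returns the principal; an access matrix then decides whether that principal holds the requested right (read, write, delete or execute) on a resource, distinguishing the owner from other users as the notes require. The principals, passwords and the resource name are constructed for the example, and the PBKDF2 iteration count is deliberately low so that the demo runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Iteration count kept low so the example runs quickly; production deployments
# use far higher counts.
PBKDF2_ITERATIONS = 10_000
RIGHTS = {"read", "write", "delete", "execute"}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """Authentication: maps a credential (here a password) to a principal."""

    def __init__(self):
        self._records = {}  # principal -> (salt, password hash)

    def enroll(self, principal, password):
        salt = os.urandom(16)
        self._records[principal] = (salt, _hash_password(password, salt))

    def authenticate(self, principal, password):
        """Return the principal if the credential is valid, otherwise None."""
        record = self._records.get(principal)
        if record is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return None
        salt, stored = record
        if hmac.compare_digest(stored, _hash_password(password, salt)):
            return principal
        return None


@dataclass
class Resource:
    name: str
    owner: str
    grants: dict = field(default_factory=dict)  # principal -> set of rights


class AccessControl:
    """Authorization: an access matrix that distinguishes owners from users."""

    def __init__(self):
        self.resources = {}

    def register(self, name, owner):
        self.resources[name] = Resource(name, owner)

    def grant(self, actor, name, principal, rights):
        """Only the owner of a resource may change who can use it."""
        resource = self.resources[name]
        if actor != resource.owner:
            raise PermissionError(f"{actor} does not own {name}")
        if not set(rights) <= RIGHTS:
            raise ValueError(f"unknown right in {rights}")
        resource.grants.setdefault(principal, set()).update(rights)

    def authorize(self, principal, name, right):
        resource = self.resources.get(name)
        if resource is None:
            return False
        if principal == resource.owner:
            return True  # the owner holds every right
        return right in resource.grants.get(principal, set())


def request(store, acl, principal, password, resource, right):
    """Access decision: authenticate first, then check the access policy."""
    who = store.authenticate(principal, password)
    if who is None:
        return "denied: authentication failed"
    if not acl.authorize(who, resource, right):
        return "denied: not authorized"
    return "allowed"


def run_demo():
    store = CredentialStore()
    store.enroll("alice", "correct horse battery staple")  # constructed credentials
    store.enroll("bob", "hunter2")
    acl = AccessControl()
    acl.register("payroll.db", owner="alice")
    acl.grant("alice", "payroll.db", "bob", {"read"})
    results = [
        request(store, acl, "bob", "hunter2", "payroll.db", "read"),
        request(store, acl, "bob", "hunter2", "payroll.db", "write"),   # logged in, no right
        request(store, acl, "bob", "wrong", "payroll.db", "read"),
        request(store, acl, "alice", "correct horse battery staple", "payroll.db", "delete"),
        request(store, acl, "mallory", "hunter2", "payroll.db", "read"),
    ]
    try:
        acl.grant("bob", "payroll.db", "bob", {"write"})  # a user cannot widen his own rights
    except PermissionError:
        results.append("denied: only the owner may grant rights")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The second request is the case the Authorization paragraph describes: bob has logged in successfully but still lacks the permission needed to write the record.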

Availability

A variety of attacks can result in a form of reduction in availability. Some of these
attacks are amenable to automated countermeasures, such as authentication and
encryption, whereas others require some sort of physical action to prevent or recover
from loss of availability of elements of a distributed system.

1.3 Security Mechanism
A security mechanism is one that is designed to detect, prevent, or recover from a security
attack. No single mechanism will support all required functions. Cryptography is one of the
security mechanisms. Some of the common security mechanisms are:
• Encryption
• Digital signatures
• Traffic padding
• Routing control
• Trusted functionality
• Security labels
• Access controls
• Event detection
• Audit trails

1.4 Security Attacks

Any action that compromises the security of information is called a security attack. Some of
the common security attacks are given below.

Ref: http://www.cse.ohio-state.edu/~anish/694KNotes/694Lecture0.ppt#473,9,Security Attacks

Attacks can be active or passive.

Passive Attacks

• Learn or make use of information from the system, but do not affect system
resources.
• Intercept or read data without changing it.
• The goal of the opponent is to obtain information that is being transmitted.
• This type of attack has been perpetrated against communication systems ever
since the invention of the electric telegraph.
• Two types of passive attacks are release of message contents and traffic analysis.
Release of message contents is countered by masking the content of the message,
e.g. by encryption.
• Difficult to detect, because there is no alteration of data; the emphasis is therefore
on prevention, normally by means of encryption.

Active Attacks

• Involve modification of the data stream or creation of a false stream.
• The active threat is potentially far more serious.
• Use of encryption can protect against alteration of the data by arranging that the
encrypted data is structured in such a way that meaningful alteration cannot take
place without cryptanalysis.
• Subdivided into four categories: masquerade, replay, modification of messages,
and denial of service.

Masquerade: One entity pretends to be a different entity. e.g., authentication
sequences can be captured and replayed after a valid authentication sequence takes
place.

Replay: Passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.

Modification of messages: Some portion of a message is altered, delayed or reordered.

Denial of Service: Prevents normal use or management of communication facilities.
e.g., suppressing all messages directed to a particular destination.

Other active attacks include:

• Flooding
• Jamming
• Routing attacks: false routes, configuration changes
• Trap doors, logic bombs, etc.
• Remote arbitrary code execution via worms and viruses.

1.5 Hackers and Crackers

A hacker (also called a White Hat) is often someone who creates and modifies computer
software and computer hardware, including computer programming, administration, and
security-related items. A hacker is also someone who modifies electronics, for example,
ham radio transceivers, printers or even home sprinkler systems to get extra functionality
or performance. A hacker obtains advanced knowledge of operating systems and
programming languages. They may know the holes within systems and the reasons for
such holes. Hackers constantly seek further knowledge, freely share what they have
discovered, and never, ever intentionally damage data.

For further reading: http://en.wikipedia.org/wiki/Hacker
http://catb.org/~esr/faqs/hacker-howto.html

A cracker (also called a Black Hat) is a person who uses their skills with computers and
other technological items in a malicious or criminal manner. He breaks into or otherwise
violates the system integrity of remote machines, with malicious intent. Crackers, having
gained unauthorized access, destroy vital data, deny legitimate users service, or basically
cause problems for their targets. Usually a Black Hat is a person who uses their
knowledge of vulnerabilities and exploits for private gain, rather than revealing them
either to the general public or the manufacturer for correction.

For further reading: http://en.wikipedia.org/wiki/Cracker_%28computing%29

1.6 Common Intrusion Techniques

Virus
In computer security technology, a virus is a self-replicating program that spreads
by inserting copies of itself into other executable code or documents. A virus is a
program that can copy itself and infect various parts of your computer, such as
documents, programs, and parts of your operating system. Most viruses attach themselves
to a file or part of your hard disk and then copy themselves to other places within the
operating system. Some viruses contain code that inflicts extra damage by deleting files
or lowering your security settings, inviting further attacks. Usually, to avoid detection, a
virus disguises itself as a legitimate program that a user would not normally suspect to be
a virus. Viruses are designed to corrupt or delete data on the hard disk, such as the FAT
(File Allocation Table).

A computer virus behaves in a way similar to a biological virus, which
spreads by inserting itself into living cells. Extending the analogy, the insertion of the
virus into a program is termed infection, and the infected file (or executable code that is
not part of a file) is called a host. Viruses are one of the several types of malware or
malicious software. Computer viruses cannot directly damage hardware; only software is
damaged directly. The software stored in the hardware (firmware), however, may be damaged.

Types of Viruses
System or Boot Sector Virus
System sectors are special areas on the disk containing programs that are
executed when we boot (start) the PC. Every disk (even if it only contains data) has a
system sector of some sort. System sector viruses infect executable code found in
certain system areas on a disk. There are boot-sector viruses, which infect only the DOS
boot sector; this kind of virus can prevent us from being able to boot the hard disk. All
common boot sector and MBR viruses are memory resident. System sector viruses spread
easily via floppy disk infections and, in some cases, by cross infecting files which then
drop system sector viruses when run on clean computers.

File or Program Virus
These viruses infect applications. These viruses usually infect COM
and/or EXE programs, though some can infect any program for which execution or
interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. The
simplest file viruses work by locating a type of file they know how to infect (usually a file
name ending in .COM or .EXE) and overwriting part of the program they are infecting.
When this program is executed, the virus code executes and infects more files. The more
sophisticated file viruses save (rather than overwrite) the original instructions when they
insert their code into the program. This allows them to execute the original program after
the virus finishes so that everything appears normal.
File viruses have a wide variety of infection techniques and infect a large
number of file types, but are not the most widely found in the wild.

Macro Virus
These are the most common viruses striking computers today. While some can be
destructive, most just do annoying things, such as changing your word processing
documents into templates or randomly placing a word such as "Wazoo" throughout a
document. While these actions may not permanently damage data, they can hurt
productivity. The reasons these viruses have become so widespread, and the reasons they
are so troublesome, are twofold: They are easy to write, and they exist in programs
created for sharing.
It is a program or code segment written in the internal macro language of an
application and attached to a document file (such as Word or Excel). It infects files you
might think of as data files. But, because they contain macro programs they can be
infected.
When a document or template containing the macro virus is opened in the target
application, the virus runs, does its damage and copies itself into other documents.
Continual use of the program results in the spread of the virus. Some macros replicate,
while others infect documents.

Stealth Viruses
These viruses are stealthy in nature and use various methods to hide
themselves to avoid detection. They sometimes remove themselves from the memory
temporarily to avoid detection and hide from virus scanners. Some can also redirect the
disk head to read another sector instead of the sector in which they reside. Some stealth
viruses conceal the increase in the length of the infected file and display the original
length by reducing the reported size by the same amount as the increase, so as to
avoid detection by scanners, making them difficult to detect.

Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to
mutate, meaning that they change the viral code known as the signature (a signature is a
characteristic byte pattern that is part of a certain virus or family of viruses) each time
they spread or infect. Thus, anti-virus programs which look for specific virus codes are not
able to detect such viruses. Just like regular encrypted viruses, a polymorphic virus infects
files with an encrypted copy of itself, which is decoded by a decryption module. In the
case of polymorphic viruses, however, this decryption module is also modified on each
infection. A well-written polymorphic virus therefore has no parts that stay the same on
each infection, making it impossible to detect directly using signatures.
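The following Python example is added to show, from the defender's side, what the Stealth and Polymorphic paragraphs above mean for detection; it is not code from the original notes. A signature scanner looks for a fixed byte pattern and finds the plain infection, but it has nothing to match in two polymorphic infections whose stored bytes differ. An integrity baseline (length and SHA-256 of each trusted executable, recorded while the system is known clean) reports every changed file regardless of what the change looks like, including an overwriting infection that keeps the original length. All "files" and byte patterns are constructed byte strings, not real virus code.

```python
import hashlib

# Constructed sample "executables": byte strings standing in for files on disk.
CLEAN_PROGRAM = b"MZ\x90\x00" + b"PROGRAM-CODE-ORIGINAL" * 4
# A fixed byte pattern that a (constructed) virus family leaves in every infected file.
KNOWN_SIGNATURE = b"\xEB\x1F\x90\x90VIRUS-BODY"
# Appending infection: the program grows by the size of the virus body.
INFECTED_PLAIN = CLEAN_PROGRAM + KNOWN_SIGNATURE
# Overwriting infection: part of the program is replaced, so the length is unchanged.
INFECTED_OVERWRITE = CLEAN_PROGRAM[:len(CLEAN_PROGRAM) - len(KNOWN_SIGNATURE)] + KNOWN_SIGNATURE
# Two infections by a polymorphic variant: same behaviour, different stored bytes
# each time (constructed as two unrelated byte strings; nothing for a scanner to match).
INFECTED_POLY_A = CLEAN_PROGRAM + b"\x31\xC0\x8B\x1D\x44\x55\x22\x91\x07"
INFECTED_POLY_B = CLEAN_PROGRAM + b"\x33\xDB\x8B\x0D\xA1\x5E\x73\x20\xC4"

SIGNATURES = {"ExampleVirus.A": KNOWN_SIGNATURE}


def scan(data, signatures=SIGNATURES):
    """Signature scanner: report every known byte pattern found in the file."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def baseline(files):
    """Record length and hash of each trusted file while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check_integrity(files, base):
    """Compare current files with the baseline; any change is reported, whether or
    not a scanner knows a signature for it."""
    findings = {}
    for name, data in files.items():
        if name not in base:
            findings[name] = "new file"
            continue
        length, digest = base[name]
        if hashlib.sha256(data).hexdigest() != digest:
            note = "" if len(data) == length else f" (length {length} -> {len(data)})"
            findings[name] = "modified" + note
    return findings


def run_demo():
    """Scan each sample, then run the integrity check against a clean baseline."""
    base = baseline({"app.exe": CLEAN_PROGRAM})
    current = {"app.exe": INFECTED_POLY_A, "tool.exe": INFECTED_PLAIN}
    return {
        "scan_plain": scan(INFECTED_PLAIN),
        "scan_overwrite": scan(INFECTED_OVERWRITE),
        "scan_poly_a": scan(INFECTED_POLY_A),
        "scan_poly_b": scan(INFECTED_POLY_B),
        "integrity": check_integrity(current, base),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The integrity check reads file bytes directly, so it is only trustworthy when the stealth techniques above cannot intercept those reads; in practice that means taking and checking the baseline after booting from clean, write-protected media rather than from the possibly infected system.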

Examples

Brain virus

The first computer virus for Microsoft DOS was apparently written in 1986 and
contains unencrypted text with the name, address, and telephone number of Brain
Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of
5¼ inch floppy diskettes with a 360 kbyte capacity.

Pathogen Virus

In April 1994, the Pathogen computer virus was released in the United Kingdom,
by uploading an infected file to a computer bulletin board, where victims could download
a copy of the file.

The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM)
files that it infected. When the virus had infected 32 files, and an infected file was
executed between 17:00 and 18:00 on a Monday:

For further reading: http://en.wikipedia.org/wiki/Computer_virus
http://www.webopedia.com/TERM/v/virus.html

Worm
A worm is a self-replicating computer program. It uses a network to send
copies of itself to other nodes (computer terminals on the network) and it may do so
without any user intervention. A worm is self-contained and, unlike a virus, it does not
need to be part of another program to propagate itself. Worms are often designed to exploit
the file transmission capabilities found on many computers. Worms always harm the
network (if only by consuming bandwidth), whereas viruses always infect or corrupt files
on a targeted computer.

In addition to replication, a worm may be designed to do any number of things,
such as delete files on a host system or send documents via email. More recent worms
may be multi-headed and carry other executables as a payload. However, even in the
absence of such a payload, a worm can wreak havoc just with the network traffic
generated by its reproduction.

For further reading: http://en.wikipedia.org/wiki/Computer_worm
http://www.webopedia.com/TERM/w/worm.html

Trojan horse
A Trojan horse is a program that masquerades as another common
program in an attempt to receive information. It is a harmless-looking program designed
to trick you into thinking it is something you want, but which performs harmful acts
when it runs. It is typically received through downloads from the Internet. Trojan horses
do not spread by themselves like viruses and worms. In practice, Trojan horses in the
wild often contain spying functions or backdoor functions that allow a computer to be
remotely controlled from the network, creating a zombie computer.
There are two common types of Trojan horses. One, is otherwise useful
software that has been corrupted by a cracker inserting malicious code that executes
while the program is used. Examples include various implementations of weather alerting
programs, computer clock setting software, and peer to peer file sharing utilities. The
other type is a standalone program that masquerades as something else, like a game or
image file, in order to trick the user into some misdirected complicity that is needed to
carry out the program's objectives.
The basic difference from computer viruses is: a Trojan horse is technically a
normal computer program and does not possess the means to spread itself. Originally
Trojan horses were not designed to spread themselves. They relied on fooling people to
allow the program to perform actions that they would otherwise not have voluntarily
performed. Trojans of recent times also contain functions and strategies that enable their
spreading. This moves them closer to the definition of computer viruses, and it becomes
difficult to clearly distinguish such mixed programs between Trojan horses and viruses.

Probably the most famous Trojan horse is a program called "back orifice" which
is an unsubtle play on words on Microsoft's Back Office suite of programs for NT server.
This program will allow anybody to have complete control over the computer or server it
occupies.

For further reading: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
http://www.webopedia.com/TERM/T/Trojan_horse.html

Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software
system that will set off a malicious function when specified conditions are met. They are
viruses having a delayed payload, which is sometimes called a bomb. For example, a
virus might display a message on a specific day or wait until it has infected a certain
number of hosts. A logic bomb occurs when the user of a computer takes an action that
triggers the bomb.

For further reading: http://en.wikipedia.org/wiki/Logic_bomb
