Introduction to Information Security

Security can be defined as a state of freedom from danger, risk or attack. Information security can be defined as the task of guarding information which is processed by a server, stored on a storage device, and transmitted over a network like a Local Area Network or the public Internet. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Introduction to AAA
AAA stands for Authentication, Authorization and Accounting. AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or even unintentional damage. AAA is used to support the Confidentiality, Integrity, and Availability (CIA) security concept.

Confidentiality: The term confidentiality means that data which is confidential should remain confidential. In other words, confidentiality means a secret should stay secret.

Integrity: The term integrity means that the data being worked with is the correct data, which has not been tampered with or altered.

Availability: The term availability means that the data you need should always be available to you.

Authentication provides a way of identifying a user, typically requiring a user ID/password combination before granting a session. The authentication process controls access by requiring valid user credentials. After the authentication process is completed successfully, a user must be given authorization (permission) for carrying out tasks within the server. Authorization is the process that determines whether the user has the authority to carry out a specific task. Authorization controls access to the resources after the user has been authenticated. The last one is Accounting. Accounting keeps track of the activities the user has performed in the server.

Authentication is the process which allows a sender and receiver of information to validate each other. If the sender and receiver of information cannot properly authenticate each other, there is no trust in the activities or information provided by either party. Authentication can involve highly complex and secure methods or can be very simple. The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. Today's authentication methods use some of the factors below.

1) What you know: An example of this type of authentication is a "password". The simple logic here is that if you know the secret password for an account, then you must be the owner of that account. The problems associated with this type of authentication are that the password can be stolen, and someone might read it if you wrote it down somewhere. If anyone comes to know your password, he might tell someone else. If you have a simple dictionary password, it is easy to crack it by using password cracking software.

2) What you have: Examples of this type of authentication are smart cards, tokens etc. The logic here is that if you have the smart card with you, you must be the owner of the account. The problems associated with this type of authentication are that you might lose the smart card, it can be stolen, or someone can duplicate the smart card.

3) What you are: Examples of this type of authentication are your fingerprint, handprint, retina pattern, voice, keystroke pattern etc. The problem associated with this type of authentication is that there is a chance of false positives and false negatives: chances are that a valid user is rejected and an invalid user is accepted. Often people are not comfortable with this type of authentication.

Network authentication is usually based on authentication protocols. Some of the most important authentication protocols which are used today are Kerberos, Challenge Handshake Authentication Protocol (CHAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) etc. We will learn about these protocols in the coming lessons.

Kerberos Authentication

Kerberos was originally developed by Massachusetts Institute of Technology (MIT) Project Athena. It was published by MIT as a suite of free software that implements this protocol. The name "Kerberos" is taken from the three-headed dog of Greek mythology. The Kerberos protocol is a secure protocol, and it provides mutual authentication between a client and a server. With mutual authentication, the client authenticates against the server and the server also authenticates itself against the client, so each computer, or a user and a computer, can verify the identity of the other. Kerberos is designed to work across the Internet, and the request phase starts in an inherently insecure environment. Kerberos is extremely efficient for authenticating clients in large enterprise network environments.

The Kerberos protocol is built on top of a trusted third party, called the Key Distribution Center (KDC). The Key Distribution Center (KDC) acts as both an Authentication Server and a Ticket Granting Server. Kerberos uses secret key encryption for authentication traffic from the client. The same secret key is also used by the Kerberos protocol on the server to decrypt the authentication traffic.

In the Kerberos protocol, the user credentials (password, smart card, biometrics) are presented to the Key Distribution Center (KDC) for authentication. If the user credentials are successfully verified in the Key Distribution Center (KDC), the KDC issues a Ticket Granting Ticket (TGT) to the client. The Ticket Granting Ticket (TGT) is cached in the local machine for future use. The Ticket Granting Ticket (TGT) expires when the user disconnects or logs off the network, or after its lifetime runs out; the default expiry time is one day (86400 seconds). When the client wants to access a resource on a remote server, the client presents the previously granted and cached Ticket Granting Ticket (TGT) to the authenticating KDC. The authenticating Key Distribution Center (KDC) returns a session ticket to the client for access to the resource. The client presents the session ticket to the remote resource server. The remote server allows the session to be established to the resource after accepting the session ticket.

Challenge Handshake Authentication Protocol (CHAP) Authentication

Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol used in conjunction with Point to Point Protocol (PPP) to provide security and authentication to users of remote resources. CHAP is described in RFC 1994, which can be viewed at http://www.rfc-editor.org. Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of the peer using a three-way handshake. The verification of the identity of the peer is done initially, and may be repeated anytime after the link has been established. Challenge Handshake Authentication Protocol (CHAP) doesn't use a user ID/password mechanism; it uses a challenge method for authentication. In Challenge Handshake Authentication Protocol (CHAP), the initiator sends a logon request to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server. The server compares the value from the client and, if the information matches, grants the session. If the response fails, the session is denied.

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is the Microsoft implementation of Challenge Handshake Authentication Protocol (CHAP). Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) has some additional features, such as providing a method for changing passwords and retrying in the event of a failure. There are two versions of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAPv1 and MS-CHAPv2.
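As an added illustration (not part of the original lesson), here is the CHAP challenge/response exchange in Python with both sides of the link. RFC 1994 defines the response as an MD5 hash over the identifier, the shared secret and the challenge, so the secret itself never crosses the link; the peer name and secret below are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994) with the MD5 algorithm. The response that crosses the link is
# MD5(identifier || secret || challenge); the shared secret is never transmitted.
# Peer name and secret below are constructed for the demo.


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and verifies responses (e.g. a PPP server)."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret (bytes)
        self.identifier = 0
        self.pending = {}           # identifier -> outstanding challenge value

    def challenge(self):
        # A fresh identifier and an unpredictable random value per challenge, so a
        # captured response is useless against any later challenge.
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        # Success only if the response equals the hash computed with the secret
        # stored for the claimed name. The challenge is consumed on first use.
        value = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_md5_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated (e.g. a dial-up client)."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_md5_response(identifier, self.secret, challenge)


def run_chap(authenticator, peer):
    """One full round: Challenge -> Response -> Success/Failure."""
    identifier, challenge = authenticator.challenge()        # 1. Challenge
    name, response = peer.respond(identifier, challenge)      # 2. Response
    return authenticator.verify(identifier, name, response)   # 3. Success or Failure


def demo():
    secret = b"correct horse battery staple"                  # constructed
    auth = Authenticator({b"alice": secret})
    good = run_chap(auth, Peer(b"alice", secret))             # right secret: granted
    bad = run_chap(auth, Peer(b"alice", b"wrong secret"))     # wrong secret: denied
    # Replay: a valid response presented a second time fails, because the
    # challenge it answered was removed from the pending table on first use.
    identifier, challenge = auth.challenge()
    name, response = Peer(b"alice", secret).respond(identifier, challenge)
    first = auth.verify(identifier, name, response)
    replay = auth.verify(identifier, name, response)
    return good, bad, first, replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```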

Biometric Authentication

Each person has a set of unique characteristics that can be used for authentication, like a handprint, a retina pattern etc. Biometrics uses these unique characteristics for authentication. Today's biometric systems examine retina patterns, iris patterns, fingerprints, handprints, voice patterns, keystroke patterns etc. for authentication. Biometric identification systems normally work by obtaining a unique characteristic from you, which is used for analysis and then verified against the original specimen stored in the system. The user is allowed or denied based on the result of this verification. Biometric authentication is much better when compared with other types of authentication methods. But users are reluctant to use biometric authentication; for example, many users feel that a retina scanner biometric authentication system may cause loss of their vision. False positives and false negatives are a serious problem with biometric authentication. Of the biometric devices which are available on the market, only retina pattern, iris pattern, fingerprint and handprint systems are properly classified as biometric systems. Others are more properly classified as behavioral systems.

Fingerprints Biometric Systems

Fingerprints have been used in forensics and identification for a long time. The fingerprints of each individual are unique. Fingerprint Biometric Systems examine the unique characteristics of your fingerprints and use that information to determine whether or not you should be allowed access. The theoretical working of the fingerprint scanner is as described below. The user's finger is placed on the scanner surface. Light flashes inside the machine, and the reflection is captured by a scanner. The biometric system then compares that to the specimen data stored in the system. The user is allowed or denied based on the result of this verification.

Handprints Biometric Systems

As in the case of fingerprints, everybody has unique handprints. A handprint Biometric System scans the hand and fingers, and the data is compared with the specimen stored for you in the system.

Retina Pattern Biometric Systems

Everybody has a unique retinal vascular pattern. Retina pattern biometric systems examine the unique characteristics of a user's retina and compare that information with the stored pattern to determine whether the user should be allowed access. A Retina Pattern Biometric System uses an infrared beam to scan your retina. Retina Pattern Biometric Systems are highly reliable. Users are often worried about using retina scanners because they fear that retina scanners will blind or injure their eyes.

Iris Scans Biometric Systems

An iris scan verifies the identity by scanning the colored part of the front of the eye. Some other biometric systems also perform iris and pupil measurements. An iris scan is much easier and very accurate.

Voice Patterns Biometric Systems

Voice Patterns Biometric Systems can also be used for user authentication. Voice Patterns Biometric Systems examine the unique characteristics of a user's voice.

Keystrokes Biometric Systems

Keystroke Biometric Systems examine the unique characteristics of a user's keystrokes and use that information to determine whether the user should be allowed access.

Token Authentication

Token technology is another method that can be used to authenticate users. Tokens are physical devices used for the randomization of a code that can be used to assure the identity of the user. Tokens provide an extremely high level of authentication. There are different types of tokens. One particular type of token is a small device with a keypad to key in values. The server issues a challenge with a number when the user tries to log in. The user keys this number into the token card, and the card displays a response. The user inputs this response and sends it to the server, which calculates the same result it expects to see from the token. If the value from the token matches the value the server has calculated, the user is allowed access and the account is authenticated. Another type of token is based on time. This type of token displays numbers at different intervals of time. The user who needs the authentication should key in this time-based value also at the time of authentication. If the numbers match, the user is authenticated.

Multi-Factor Authentication

In multi-factor authentication, we expand on the traditional requirements that exist in single factor authentication. Most password-based single authentication methods use a password. To accomplish this, multi-factor authentication will use another factor for authentication in addition to the traditional password authentication. For example, in multi-factor authentication methods we can tighten the authentication by adding a fingerprint biometric scanner system also. Multi-factor authentication is more secure than single factor authentication, because it adds steps that increase the layers of security.

Access Control

Access control can be a policy, software, or a hardware device which is used to allow or deny access to a resource. Access control can be implemented by using devices like a biometric device, Remote Access Service (RAS), routers, switches, virtual private networks (VPNs), etc. Access control can also be implemented at the File System level, like Microsoft's New Technology File System (NTFS), GNU/Linux's ext2/ext3/ext4 etc. The following are the three main concepts of Access Control.
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) allows authorized users to change the access control attributes of objects, thereby specifying whether other users have access to the object. A simple form of Discretionary Access Control (DAC) might be file passwords, where access to a file requires the knowledge of a password created by the file owner.

password created by the file owner. Whenever a subject attempts to access an object. normally at kernel level. and can control access by processes. The owner of the object (normally the user who created the object) in most operating system (OS) environments applies discretionary access controls. we can track the activities in computer or computer network and link these activities to specific user accounts or sources of activity. or Role. directories. later we can collect evidences for finding illegal activities. Subjects and objects each have a set of security attributes. an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. In Role-based Access Control (RBAC). The Discretionary Access Control (DAC) mechanisms have a basic weakness. Discretionary Access Control (DAC) is controlled by the owner or root/administrator of the Operating System. All the latest Operating Systems include functions for auditing. These Roles have different types and levels of access to objects. This ownership may be transferred or controlled by root/administrator accounts. By using auditing or audit logs. Mandatory Access Control (MAC) Mandatory Access Control (MAC) is another type of access control which is hard-coded into Operating System. . Mandatory Access Control (MAC) can be applied to any object or a running process within an operating system. applications. rather than being hard coded into the system. In Linux. Auditing Auditing is useful in tracking and logging the activities on computers and computer networks. devices. Mandatory Access Control (MAC) can be applied to each object. By auditing. and access controls are based on that role. Mandatory Access Control (MAC) cannot be modified by the owner of the object. and Mandatory Access Control (MAC) allows a high level of control over the objects and processes. 
and that is they fail to recognize a fundamental difference between human users and computer programs. Introduction to Auditing in Windows 2003 Auditing is specifically designed into most features in Windows Server 2003. the system administrator establishes Roles based on functional requirements or similar criteria. Next lesson we will learn how to configure auditing in Windows Server 2003 for illegal access to open files. where users have access to objects based on their own and the object's permissions. Under Mandatory Access Control (MAC). Role-based Access Control (RBAC) Role-based Access Control (RBAC) is another method of controlling user access to file system objects. users in an Role-based Access Control (RBAC) system must be members of the appropriate group. In contrast to DAC or MAC systems. the super user (root) controls all interactions of software on the system. before they can interact with files. etc. and shared resources. directories. Discretionary Access Control (DAC) is the setting of permissions on files. Mandatory Access Control (MAC) mechanism constrains the ability of a subject (users or processes) to access or perform some sort of operation on an object (files. folders. A role definition should be defined and created for each job in an organization. and users to the object. The easy way to describe Role-based Access Control (RBAC) is user group concept in Windows and GNU/Linux Operating Systems. TCP/UDP ports etc). the file permission is the general form of Discretionary Access Control (DAC).

Auditing can be used for user logon/logoff events and file access events. Audit process tracking: Reports events that is related to processes running on the computer. Audit Policy Change: Reports changes to group policies Audit privilege use: Reports events that is related to a user performing a task that is controlled by a user right. Auditing can be configured on Audit Policy. which is a part of Group Policy. Audit System Events: Reports standard system events. Audit Object Access: Reports file and folder access. Auditing can be turned on through a Audit Policy. There are nine auditing settings that can be configured on Windows 2003 computer Audit Account Logon Events: Tracks user logon and logoff events. .Auditing waits for a specific event to occur. Not security related. Audit Account Management: Reports changes to user accounts Audit Directory Service Access: Reports access and changes to the directory service. which is a part of Group Policy as shown below. Audit Logon Events: Reports user logging in and logging off or making a network connection to the computer configured to audit logon events. Auditing events in Windows 2003 can be divided into two types and they are success events and failure events. and then reports on it within the Event Viewer. You should select the corresponding GPO according to your requirement.

or by sending network packets that that may cause extreme confusion at target network or target server.Denial of Service (DoS) attack The idea of DOS attack is to reduce the quality of service offered by server. The following tips can help in minimizing the Denial of Service (DoS) attack. or to crash server with heavy work load. thereby preventing access to a service. Using ping tool. thereby preventing legitimate network traffic. If you have not implemented proper security measures and controls in your network. which are listed below. Some of the examples are • Attempts to "flood" a network. • Implement network security devices which can detect any Denial of Service (DoS) attack. • Monitor the amount of network packets and the type of nature that travel through your network or gateways. Log and report the following details. • Update your softwares with any available update and always watch reports from security organizations about any new threat." The Ping of Death was able to exploit simple TCP/IP troubleshooting ping tool. there is a chance for network attacks from inside and outside your network. • Attempts to prevent a particular individual from accessing a service. • Record the details of any Denial of Service (DoS) attack to prevent future attacks. 1) The time of the attack 2) Your IP address at the time of attack 3) The attacker's IP address 4) Other details and the nature of attack . DoS (Denial of Service) attack does not involve breaking into the target server. and network traffic. Monitor the server's system performance to detect any deviation from above values. • Monitor the server's system performance and tabulate normal operating activity for disk. Types of attacks . A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. CPU. • Attempts to disrupt connections between two machines. 
How to minimize the Denial of Service (DoS) attack impact The impact of Denial of Service (DoS) attack can be minimized if you take precaution against it. One simple DoS (Denial of Service) attack was called the "Ping of Death. Following chapters explain different types of networks attacks. This is normally achieved by either overloading the target network or target server. • Attempts to disrupt service to a specific system or person. hackers would flood a network with large packet requests that may ultimately crash the target server.Types of Network Attacks Networks are always susceptible to unauthorized monitoring and different types of network attacks.

the contents of packets can be analyzed. Types of attacks . Types of attacks -Distributed Denial of Service (DDoS) attack A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS). The source address of these SYN packets in a SYN flood attack is typically set to an unreachable host. While protocol analyzers are really network troubleshooting tools. to which the responding host will issue a SYN/ACK and wait for an ACK reply from the initiator.Man-In-The-Middle (MITM) attack Man-In-The-Middle (MITM) attack is the type of attack where attackers intrude into an existing communication between two computers and then monitor. The other end of the communication path might believe it is you and keep on exchanging the data. Once the packet is captured using a sniffer. Etherpeek.• Report the details of attack to your Service Provider and seek their help. they are also used by hackers for hacking network. Here thousands of compromised computers are flooding or overloading the resources of the target server preventing the legitimate users from accessing the services offered by the server. account information etc. Using this Distributed Denial of Service (DDoS) master. . Dsniff. bringing down the service. In Man-in-the-middle attack. capture.Sniffer Attack A sniffer is an application that can capture network packets. Sniffers are used by hackers to capture sensitive network information. the intruder instructs the compromised computers to launch flood attacks against the target server. Since the host is waiting for large number of replies. SYN/ACK and ACK to initiate a session. Types of attacks . an intruder compromise one computer and make it Distributed Denial of Service (DDoS) master. As a result it is impossible to find the attacking computer. Sniffers are also know as network protocol analizers. Click the following link to learn more about TCP/IP three-way handshake mechanism.SYN attack Before understanding what is SYN attack. 
Importenet sniffers are wireshark. In Distributed Denial of Service (DDoS) attack multiple systems flood the bandwidth or overload the resources of a targeted server. A SYN cookie is implemented by using a specific initial TCP sequence number by TCP software and is used as a defense against SYN Flood attacks. the real service requests are not processed. Sniffing refers to the process used by attackers to capture network traffic using a sniffer. forcing them to wait for replies that never come. The two communicating computers exchange a SYN. The initiating computer sends a SYN packet. Many sniffers are available for free download. we can reduce the effect of SYN attack. the intruder identifies and communicates with other systems that can be compromised. If the network packets are not encrypted. SYN cookies provide protection against the SYN flood. sniffit etc. and control the communication. The SYN flood attack is the most common type of flooding attack. The third part of the TCP three-way handshake is not executed. By using stateful firewalls which reset the pending TCP connections after a specific timeout. Transmission Control Protocol/Internet Protocol (TCP/IP) session is initiated with a threeway handshake. Then the intruder installs Distributed Denial of Service (DDoS) tools on all compromised systems. With a single command. such as passwords. Types of attacks . The attack occurs when the attacker sends large number of SYN packets to the victim. In Distributed Denial of Service (DDoS). we need to know about TCP/IP three-way handshake mechanism. an intruder assumes a legitimate users identity to gain control of the network communication. the data within the network packet can be read using a sniffer.

the IP address information placed on the source field of the IP header is not the real IP address of the source computer. the IP address information placed on the source field of the IP header is not the real IP address of the source computer. the actual sender can make it look like the packet was sent by another computer and therefore the response from the target computer will be sent to the fake address specified in the packet and the identity of tha attacker is also protected.IP Address Spoofing Attack IP address spoofing is a type of attack when an attacker assumes the source Internet Protocol (IP) address of IP packets to make it appear as though the packet is coming from another valid IP address. Other address is the IP address. By changing the source IP address. In IP address spoofing. Packet filtering is a method to prevent IP spoofing attacks. Blocking of packets from outside the network with a source address inside the network (ingress filtering) and blocking of packets from inside the network with a source address outside the network (egress filtering) can help preventing IP spoofing attacks. IP packets are generated with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender.Man-in-the-Middle (MITM) attacks are also known as "session hijacking attacks". which means that the attacker hijacks a legitimate user's session to control the communication. Blocking of packets from outside the network with a source address inside the network (ingress filtering) and blocking of packets from inside the network with a source address outside the network (egress filtering) can help preventing IP spoofing attacks. Ethernet send and receive data based on MAC addresses. physical address or Hardware address. By changing the source IP address. To explain this clearly. 
the actual sender can make it look like the packet was sent by another computer and therefore the response from the target computer will be sent to the fake address specified in the packet and the identity of tha attacker is also protected. IP is a protocol used by applications. MAC addresses are necessary so that the Ethernet protocol can send data back and forth.IP Address Spoofing Attack IP address spoofing is a type of attack when an attacker assumes the source Internet Protocol (IP) address of IP packets to make it appear as though the packet is coming from another valid IP address. independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to . MAC address is also known as Layer2 address. where the packet was originated. Many preventive methods are available for Man-In-The-Middle (MITM) attack and some are listed below. Types of attacks . in IP address spoofing. IP packets are generated with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. • Public Key Infrastructure (PKI) technologies. independent of whatever application protocols are used on top of it. ARP (Address Resolution Protocol) Spoofing Attacks A computer connected to an IP/Ethernet Local Area Network has two addresses. • Verifying delay in communication • Stronger mutual authentication Types of attacks . Packet filtering is a method to prevent IP spoofing attacks. where the packet was originated. In IP address spoofing. To explain this clearly. in IP address spoofing. One is the MAC (Media Access Control) which is a globally unique and unchangeable address which is burned on the network card itself.

Operating Systems keep a cache of ARP replies to minimize the number of ARP requests. Computers in the network communicate using IP address. . IP address is also known as Layer 3 address or Logical address. Domain names are alphabetic and for humans they are easier to remember. generally the default gateway. ARP is a stateless protocol and most operating systems will update their cache if a reply is received. DNS cache poisoning and DNS ID Spoofing. ARP (Address Resolution Protocol) Spoofing attacks (ARP flooding or ARP poisoning) help an attacker to sniff data frames on a local area network (LAN). because the lower layer Ethernet technologies use MAC addresses to deliver data. IP addresses are a 32 bit numbers which are difficult to remember. Normally the link’s anchor text will be the real URL of the bank’s website but anchor will be a URL with IP address of the web site which is in attacker’s control. IN DNS ID spoofing. Normally the phishing attack emails seems to be from legitimate financial organizations like banks. The purpose of this is to associate the attacker's MAC address with the IP address of another computer. DNS (Domain Name System) Spoofing Attacks DNS is the short for Domain Name System. Click the following link to learn more about ARP (Address Resolution Protocol). Once the user enters the userid/password combination and submits those values. the attacker collect those values and the web page is redirected to the real site. modify the traffic etc. In DNS cache poisoning a DNS server is made to cache entries which are not originated from authoritative Domain Name System (DNS) sources. If an application running on a computer need to communicate with another computer using IP address. alerting the user that they need to login to their account for one reason or another. When we use a domain name to communicate with another host. 
an attacker hack the random identification number in DNS request and reply a fake IP address using the hacked identification number. DNS Spoofing attacks are made by changing a domain name entry of a legitimate server in the DNS server to point to some IP other than it. Here any traffic sent to the default gateway would be mistakenly sent to the attacker instead. the applications use IP address for communication and the low lying hardware use MAC address for communication. Generally there are two types of DNS poisoning attacks. even though the browser seems to be displaying the Web address you wanted to visit. regardless of whether they have sent out an actual request. DNS Servers keep a database of domain names and corresponding IP addresses. and then hijacking the identity of the server. Pharming is another spoofing attack. To explain it more clearly. The attacker can then forward the traffic to the actual default gateway after sniffing or modify the data before forwarding it. which is designed very similar to the bank web site.communicate. where the attacker tampers the DNS (Domain Name System) so that traffic to a Web site is secretly redirected to a fake site altogether. the first computer should resolve the MAC address of the second computer. ARP Spoofing attacks are made by sending fake ARP messages to an Ethernet LAN. Phishing attacker starts the phishing attack by sending bulk e-mails impersonating a web site they have spoofed. DNS service must translate the name into the corresponding IP address. The link also will be provided in the email which is a fake web site. DNS is a required service in TCP/IP networks and it translates domain names into IP addresses. Phishing and Pharming attacks Phishing spoofing attack is a combination of e-mail spoofing and Web site spoofing attack. Applications use IP address to communicate.

Types of attacks - Backdoor Attacks

A backdoor in an Operating System or a complex application is a method of bypassing normal authentication and gaining access. During the development of an Operating System or application, programmers add backdoors for different purposes. The backdoors are removed when the product is ready for shipping or production. When a backdoor which was not removed is detected, the vendor releases a maintenance upgrade or patch to close the backdoor. Another type of backdoor can be an installed program, or a modification to an existing program. The installed program may allow a user to log on to the computer without a password, with administrative privileges. Many programs are available on the Internet to create backdoors on systems. One of the more popular tools is Back Orifice, which is also available for free download on the Internet.

Types of attacks - Password Guessing Attacks

Another type of network attack is the Password Guessing attack. Here a legitimate user's access rights to a computer and network resources are compromised by identifying the user id/password combination of the legitimate user. Password guessing attacks can be classified into two types.

Brute Force Attack: A Brute Force attack is a type of password guessing attack and it consists of trying every possible code, combination, or password until you find the correct one. This type of attack may take a long time to complete. A complex password makes the time required to identify the password by brute force long.

Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a dictionary of common words to identify the user's password.

Defense against Network Attack

The following tips will help you to keep your network secure against unauthorized monitoring and network attacks.

Configuration Management

The main weapon in network attack defense is tight configuration management. The following measures should be strictly implemented as part of configuration management.
• All the machines in your network should be running up-to-date copies of the operating system, and they should be updated immediately whenever a new service pack or patch is released.
• All the default passwords in your Operating Systems or Applications should be changed after the installation.
• All the configuration files in your Operating Systems or Applications should be adequately protected (restrictive file permissions, so that only administrators can read or change them).
• You should implement tight security for root/Administrator passwords.

Firewalls

Another weapon for defense against network attack is the Firewall. A Firewall is a device and/or software that stands between a local network and the Internet and filters traffic that might be harmful. Firewalls can be classified into four types based on whether they filter at the IP packet level, at the TCP session level, at the application level, or a hybrid of these.
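The two password guessing attacks above differ in what they cost the attacker, and that cost is what a password policy and a slow password hash buy you. The following is an added example, not code from the original page: it computes the keyspace a brute force attack has to cover, and runs a small dictionary attack (common words plus a few typical mutations) against PBKDF2 hashes of a weak and a strong password. The wordlist, the salt, the two passwords and the guess rate of one billion per second are constructed assumptions; the iteration count is deliberately low so the demo runs in well under a second.

```python
import hashlib
from typing import Iterable, Optional

ITERATIONS = 10_000          # low for the demo; production systems use far more


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a brute force attack must try in the worst case."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    return keyspace(charset_size, length) / guesses_per_second


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash as a server would store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def mutations(word: str) -> Iterable[str]:
    """The cheap variations real dictionary attacks try for each word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word + "!"


def dictionary_attack(target: bytes, salt: bytes, wordlist: Iterable[str],
                      iterations: int = ITERATIONS) -> Optional[str]:
    """Return the guess that reproduces the stored hash, or None if none does."""
    for word in wordlist:
        for candidate in mutations(word):
            if hash_password(candidate, salt, iterations) == target:
                return candidate
    return None


# Constructed demo data: a tiny wordlist and a fixed salt (a real system uses a
# random per-user salt; it is fixed here only so the run is reproducible).
WORDLIST = ["password", "letmein", "dragon", "qwerty", "monkey", "welcome", "football", "admin"]
SALT = b"constructed-demo-salt"
SECONDS_PER_YEAR = 365 * 24 * 3600


def demo() -> dict:
    weak = hash_password("dragon123", SALT)           # dictionary word + "123"
    strong = hash_password("T7#kq9!vLp2x", SALT)      # 12 random printable characters
    return {
        "weak_cracked_as": dictionary_attack(weak, SALT, WORDLIST),
        "strong_cracked_as": dictionary_attack(strong, SALT, WORDLIST),
        "lower8_seconds": brute_force_seconds(26, 8, 1e9),
        "printable12_years": brute_force_seconds(95, 12, 1e9) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak password falls to the dictionary after 14 hashes; the strong one survives the whole list, and at a billion guesses per second its 95^12 keyspace would take on the order of 17 million years to exhaust, against a few minutes for eight lowercase letters. The iteration count is the other lever: every iteration multiplies the attacker's cost per guess, which is why a fast hash such as plain MD5 or SHA-1 is the wrong choice for stored passwords.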

1. Packet Filtering: Packet filtering firewalls function at the IP packet level. Packet filtering firewalls filter packets based on addresses and port numbers. Packet filtering firewalls can be used as a weapon in network attack defense against Denial of Service (DoS) attacks and IP Spoofing attacks.
2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that they can reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway firewalls can also provide a Virtual Private Network (VPN) over the Internet by doing encryption from firewall to firewall.
3. Application Proxies: Application proxy-based firewalls function at the application level. At this level, you can block or control traffic generated by applications. Application Proxies can provide very comprehensive protection against a wide range of threats.
4. Hybrid: A hybrid firewall may consist of a packet filter combined with an application proxy firewall, or a circuit gateway combined with an application proxy firewall.

Encryption

Encryption is another great weapon used in defense against network attacks. Encryption can provide protection against eavesdropping and sniffer attacks. Internet Protocol Security (IPSec), Public Key Infrastructure (PKI) technologies, and Virtual Private Networks (VPN), when implemented properly, can secure your network against network attacks.

Other tips for defense against network attack are
• Separation of privileges at different levels (each user and service gets only the access it needs) and strict password policies.
• Tight physical security for all your machines, especially servers.
• Tight physical security and isolation for your backup data.

Types of Malware

Malware is an abbreviation of "malicious software". Malware programs are designed to infiltrate a computer without the owner's knowledge. Malware includes all malicious software, such as tracking cookies (which are used to monitor your surfing habits), keyloggers, Trojan horses, worms, and viruses. The following lessons give you a basic knowledge of different types of malware like Adware, Toolbars and Hijackers.

Adware

Adware is a type of malware which downloads advertisement content from the Internet and displays advertisements in the form of pop-ups, pop-unders etc. Once the Adware is installed on a computer, it is not dependent on your browser and can display advertisements stand-alone. Pop-up blockers also cannot block these pop-ups. Adware is always an annoyance to the computer user.

Toolbars

Toolbars are available as plug-ins to browsers which provide additional functionality such as search forms or pop-up blockers. Examples of useful toolbars are Google Toolbar, Yahoo toolbar, Ask toolbar etc. There are malware toolbar plug-ins which are installed without the user's consent and display advertisements and perform other nuisance activities.
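The packet filtering firewall described above decides per packet from addresses, protocol and port, and the IP spoofing defense it offers is simply a rule that drops packets arriving from the Internet whose source address belongs to the internal network. The following is an added example, not code from the original page: a first-match packet filter with a default-deny policy, evaluated over constructed packets. The interface names "wan" and "lan", the internal prefix 192.168.1.0/24, the web server address 192.168.1.10 and the rule set are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" (Internet) or "lan"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface == "any" or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


LAN = "192.168.1.0/24"          # assumed internal network

# Rules are evaluated top to bottom; the first match decides.
RULES: List[Rule] = [
    # Anti-spoofing: an internal source address can never legitimately arrive from the Internet.
    Rule("anti-spoof", "deny", iface="wan", src=LAN),
    Rule("bogon-loopback", "deny", iface="wan", src="127.0.0.0/8"),
    # The only service exposed to the Internet.
    Rule("web-server-https", "allow", iface="wan", dst="192.168.1.10/32", proto="tcp", dport=443),
    # Internal hosts may initiate outbound traffic.
    Rule("lan-out", "allow", iface="lan", src=LAN),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name); anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "default"


# Constructed sample packets (not a real capture).
SAMPLE_PACKETS = [
    Packet("wan", "192.168.1.55", "192.168.1.10", "tcp", 443),   # spoofed internal source
    Packet("wan", "198.51.100.7", "192.168.1.10", "tcp", 443),   # legitimate HTTPS client
    Packet("wan", "198.51.100.7", "192.168.1.10", "tcp", 23),    # telnet probe
    Packet("lan", "192.168.1.20", "93.184.216.34", "tcp", 80),   # outbound browsing
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.iface, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(pkt))
```

The spoofed packet is dropped by the anti-spoofing rule even though it targets an allowed service, the telnet probe falls through to the default deny, and the ordering matters: placing "web-server-https" above "anti-spoof" would let the spoofed packet through.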

Hijackers

Hijackers are another type of malware that take control of the behavior of your web browser, like the home page, default search pages, toolbar etc. Hijackers redirect your browser to another URL if you mistype the URL of the website you want to visit. Hijackers can also prevent you from opening a particular web site. Hijackers are an annoyance to users who use the browser often.

Keyloggers

A keylogger or keystroke logger is a program or a hardware device that logs every keystroke you make on your computer and then sends that information, including passwords, bank account numbers, and credit card numbers, to whoever is controlling the malware. A software keylogger is a program which can track and save all the keystrokes of the user on the computer. Software keyloggers run invisibly to the user being monitored and hide themselves from the Task Manager and from Add/Remove Programs. Many software keyloggers support remote installation also. A hardware keylogger is a small hardware device which is normally installed between the keyboard port and the keyboard. The hardware keylogger then tracks all user keystrokes and saves them to its internal memory. Hardware keyloggers are available in different memory capacities. Software keyloggers are normally cheaper than hardware keyloggers.

Computer Viruses

A Computer Virus is another type of malware which, when executed, tries to replicate itself into other executable code available on the infected computer. If the virus was able to replicate itself into other executable code, that code is then infected with the computer virus. When the infected executable code is executed, it can in turn infect other executable code. The key difference between a virus and other malware is this self-replication capability. Normally, viruses propagate within a single computer, or may travel from one computer to another using storage media like CD-ROM, DVD-ROM, USB flash drive etc. A Computer Virus program normally has the following mechanisms.
• A replication mechanism that allows the virus to attach itself to another executable program.
• A trigger mechanism that is designed to execute the replication mechanism of the virus.
• A propagation mechanism that allows the virus to move from one computer to another computer.
• A payload: the different tasks that perform the mischievous activities on the victim computer.

Types of Computer Viruses

Computer Viruses are classified according to their nature of infection and behavior. The different types of computer virus classification are given below.
• Boot Sector Virus: A Boot Sector Virus infects the first sector of the hard drive, where the Master Boot Record (MBR) is stored. The MBR stores the disk's primary partition table and the bootstrapping instructions which are executed after the computer's BIOS passes execution to machine code. If a computer is infected with a Boot Sector Virus, when the computer is turned on the virus launches immediately and is loaded into memory, enabling it to control the computer.
• File Deleting Viruses: A File Deleting Virus is designed to delete critical files which are part of the Operating System, or data files.

• Mass Mailer Viruses: Mass Mailer Viruses search e-mail programs like MS Outlook for e-mail addresses stored in the address book and replicate by e-mailing themselves to those addresses.
• Macro Viruses: Macro viruses are written using macro programming languages like VBA, which is a feature of the MS Office package. A macro is a way to automate and simplify a task that you perform repeatedly in the MS Office suite (MS Excel, MS Word etc). These macros are usually stored as part of the document or spreadsheet and can travel to other systems when these files are transferred to other computers.
• Polymorphic Viruses: Polymorphic viruses change their form in order to avoid detection and disinfection by anti-virus applications. They have the capability to change their appearance and change their code every time they infect a different system. This is known as mutation, and it helps the Polymorphic Virus hide from signature-based antivirus software.
• Stealth Viruses: Stealth viruses have the capability to hide from the operating system or anti-virus software by making changes to file sizes or directory structure. Stealth viruses are anti-heuristic in nature, which helps them hide from heuristic detection.
• Multiple Characteristic Viruses: Multiple Characteristic viruses combine the characteristics of several kinds of viruses and have several different capabilities.
• Armored Viruses: Armored Viruses are viruses designed and written to make themselves difficult to detect or analyze. These viruses try to hide from the anti-virus application by encrypting parts of the virus itself, making it more difficult to disinfect. An Armored Virus may also have the ability to protect itself from antivirus programs.
• Retrovirus: A Retrovirus is another type of virus which tries to attack and disable the anti-virus application running on the computer. A retrovirus can be considered anti-antivirus. Some Retroviruses attack the anti-virus application and stop it from running, while others destroy the virus definition database.

Worms

A worm has similar characteristics to a virus. Worms are also self-replicating, but the self-replication of a worm works in a different way. Worms are standalone programs, and once a worm has infected a computer, it searches for other computers connected through a local area network (LAN) or Internet connection. When a worm finds another computer, it replicates itself to the new computer and continues to search for other computers on the network to replicate to. Due to the nature of replication through the network, a worm normally consumes a lot of system resources, including network bandwidth, causing network servers to stop responding. Different types of Computer Worms are:
• Email Worms: Email Worms spread through infected email messages, as an attachment or as a link to an infected website.
• Instant Messaging Worms: Instant Messaging Worms spread by sending links to the contact list of instant messaging applications.
• IRC Worms: IRC Worms spread through IRC chat channels, sending infected files or links to infected websites.
• Internet Worms: An Internet worm scans all available network resources using local operating system services and/or scans the Internet for vulnerable machines. If a computer is found vulnerable, it will attempt to connect to it and gain access.

• File-sharing Network Worms: File-sharing Network Worms place a copy of themselves in a shared folder and spread via P2P networks.

Trojan Horses

The Trojan Horse is another malware which got its name from the mythological Trojan horse. In the Trojan War, the Greeks conquered and destroyed the city of Troy by constructing a huge wooden horse and hiding Greek soldiers inside. The Trojans pulled the Horse into their city as a victory trophy. At night the Greek soldiers came out of the Horse and opened the gates for the rest of the Greek army to capture the city of Troy. The Trojan Horse malware normally appears to be useful software but will actually do damage once installed or run on your computer. Trojan Horses can alter or delete files on the infected computer, download files to the infected computer, log keystrokes, steal passwords, modify registry settings, disable anti-virus applications etc. Trojan Horses are normally designed to give hackers access to the system. Trojan Horses appear as useful programs but give hackers the ability to change file settings, steal files or passwords, damage or alter files, or monitor users on computers etc.

Logic Bombs

A logic bomb is a program, or a part of another program, which will trigger a malicious function when specified conditions are met. Logic bombs are written and targeted against a specific victim. Normally a logic bomb does not replicate itself, and therefore a logic bomb will not spread to unintended victims. A logic bomb is code which consists of two parts:
• A payload, which is an action to perform that normally has a malicious effect.
• A trigger, a Boolean condition that is evaluated and controls when the payload is executed. The trigger can be a date, the logged-in user, network conditions etc.

Rootkits

A rootkit is another type of malware that has the capability to conceal itself from the Operating System and antivirus application on a computer. The name rootkit came from the UNIX world, where the super user is "root", combined with "kit". A rootkit provides continuous root level (super user) access to a computer where it is installed. Rootkits are installed by an attacker for a variety of purposes: rootkits can provide the attacker root level access to the computer via a backdoor, rootkits can conceal other malware which is installed on the target computer, and rootkits can turn the infected computer into a zombie computer for network attacks. Rootkits can also be used to steal encryption keys and passwords etc. Rootkits are more dangerous than other types of malware because they are difficult to detect and cure. The different types of Rootkits are explained below.

Application Level Rootkits: Application level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or by changing the behavior of existing applications with patches, injected code etc.

Kernel Level Rootkits: The Kernel is the core of the Operating System, and Kernel Level Rootkits are created by adding additional code to, or replacing portions of, the core operating system with modified code, via device drivers (in Windows) or Loadable Kernel Modules (in Linux). Kernel rootkits are difficult to detect because they have the same privileges as the Operating System, and therefore they can intercept or subvert operating system operations. Kernel Level Rootkits can have a serious effect on the stability of the system if the kit's code contains bugs.
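Both the file-infecting viruses described earlier (a replication mechanism that attaches the virus to other executables) and the application level rootkits just described (standard application files replaced or patched) change the bytes of files that should never change between updates, so a cryptographic baseline of those files catches both, provided the baseline is taken from a known-clean state and the comparison is run from trusted media rather than from the possibly subverted system. The following is an added example, not code from the original page: a Python integrity checker that builds a SHA-256 baseline of a directory tree and reports modified, added and removed files, run over a constructed fake "bin" directory. The file names and contents are made-up stand-ins for real binaries; the "infection" steps are simulations, not real malware.

```python
import hashlib
import pathlib
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: pathlib.Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


# Constructed stand-ins for binaries. The rootkit replacement has exactly the same
# length as the clean file, so a size-based check (which a stealth virus can also
# fool) would not notice it; the hash does.
CLEAN_PS = b"\x7fELF ps: clean build 001"
ROOTKIT_PS = b"\x7fELF ps: hides pid 66666"


def run_demo() -> Tuple[List[str], List[str], List[str]]:
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF ls: clean build 001")
        (root / "bin" / "ps").write_bytes(CLEAN_PS)
        (root / "bin" / "cat").write_bytes(b"\x7fELF cat: clean build 001")
        baseline = build_baseline(root)          # taken while the system is known clean

        # Simulated file-infecting virus: appends its body to an existing executable.
        with (root / "bin" / "cat").open("ab") as f:
            f.write(b"<virus body>")
        # Simulated application level rootkit: swaps ps for a trojaned copy of equal size.
        (root / "bin" / "ps").write_bytes(ROOTKIT_PS)
        # A dropped helper that was never in the baseline.
        (root / "bin" / ".loader").write_bytes(b"<dropper>")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    modified, added, removed = run_demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

The checker reports bin/cat and bin/ps as modified and bin/.loader as added. Its limit is the one the rootkit section gives: a kernel level rootkit can lie to any program running under that kernel, including this one, so the baseline must be stored off-host and the comparison booted from clean media.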

Boot loader Level (Bootkit) Rootkits: Boot loader Level Rootkits (Bootkits) replace or modify the legitimate boot loader with another one, thus enabling the bootkit to be activated even before the operating system is started. Bootkits are a serious threat to security because they can be used to steal the encryption keys and passwords entered before the operating system loads.

Hardware/Firmware Rootkits: Hardware/Firmware rootkits hide themselves in hardware such as a network card, the system BIOS etc.

Hypervisor (Virtualized) Level Rootkits: Hypervisor (Virtualized) Level Rootkits are created by exploiting hardware features such as Intel VT or AMD-V (hardware assisted virtualization technologies). A hypervisor level rootkit hosts the target operating system as a virtual machine and can therefore intercept all hardware calls made by the target operating system.

Types of attacks - SQL Injection Attacks

An SQL injection attack is another type of attack which exploits applications that use client-supplied data in SQL statements. The common method of SQL injection attack is direct insertion of malicious code into user-input variables that are concatenated with SQL commands and executed. Another type of SQL injection attack injects malicious code into strings that are stored in tables. Here the malicious code is inserted into strings that are later passed to the database application for parsing and execution; the actual SQL injection attack is made later, when the stored string is used in a query.

The following example (classic ASP with JScript) shows the simplest form of SQL injection.

var UserID;
UserID = Request.Form("UserID");
var InfoUser = "select * from UserInfo where UserID = '" + UserID + "'";

If the user fills the field with the correct information, his UserID (F827781), then after the script executes the above SQL query will look like

SELECT * FROM UserInfo WHERE UserID = 'F827781'

Now consider a case where a user fills the field with the entry below.

F827781'; drop table UserInfo--

After the script executes, the SQL code will look like

SELECT * FROM UserInfo WHERE UserID = 'F827781'; drop table UserInfo--'

The single quote closes the string, the semicolon ends the intended statement, the DROP TABLE is executed as a second statement, and the -- comments out the quote the script appended. This will ultimately result in the deletion of table UserInfo.
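The fix for the injection above is to stop building the statement from strings and pass the user's value as a bound parameter, so the database receives the SQL grammar and the data separately. The following is an added example, not code from the original page: the page's concatenated query reproduced in Python against an in-memory SQLite table, beside the parameterized form, each fed an honest UserID, a tautology payload and a stacked-query payload like the page's. The UserInfo rows are constructed sample data. Python's sqlite3 refuses several statements in one execute() call, so the stacked-query case uses executescript() to mimic a driver that accepts them, as the ADO connection behind the page's ASP example does; the payload ends with a closing statement instead of the page's -- comment, which has the same effect.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows (not from the original page).
SAMPLE_USERS = [
    ("F827781", "Alice", "user"),
    ("F827782", "Bob", "user"),
    ("A000001", "Carol", "admin"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database holding the UserInfo table the page's query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (UserID TEXT PRIMARY KEY, Name TEXT, Role TEXT)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_unsafe(user_id: str) -> str:
    """String concatenation, exactly as the page's classic ASP snippet does it."""
    return "SELECT * FROM UserInfo WHERE UserID = '" + user_id + "'"


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Vulnerable: the user's text becomes part of the SQL grammar."""
    return conn.execute(build_query_unsafe(user_id)).fetchall()


def lookup_unsafe_stacked(conn: sqlite3.Connection, user_id: str) -> None:
    """Same concatenation, on a driver that accepts several statements per call."""
    conn.executescript(build_query_unsafe(user_id))


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM UserInfo WHERE UserID = ?", (user_id,)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


TAUTOLOGY = "x' OR '1'='1"                              # turns the WHERE clause into "always true"
STACKED = "F827781'; DROP TABLE UserInfo; SELECT 'x"    # closes the quote, adds a second statement


def demo() -> dict:
    conn = make_db()
    results = {
        "honest_unsafe": len(lookup_unsafe(conn, "F827781")),     # 1 row, as intended
        "tautology_unsafe": len(lookup_unsafe(conn, TAUTOLOGY)),  # every row leaks
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY)),      # no UserID equals that string
        "stacked_safe_rows": len(lookup_safe(conn, STACKED)),     # likewise, and nothing dropped
        "table_after_safe": table_exists(conn, "UserInfo"),
    }
    lookup_unsafe_stacked(conn, STACKED)                          # the page's attack
    results["table_after_unsafe"] = table_exists(conn, "UserInfo")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized lookup returns zero rows for both payloads and leaves the table intact, because the driver sends the quote, semicolon and DROP to the database as the literal contents of a string to compare against, never as statements. Parameter binding is the defense; escaping quotes by hand is what the page's concatenation invites people to try, and it is routinely bypassed.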