
Chapter 1.

Introduction and Security Trends


1. Define Computer Security.
Ans :
Computer security is the protection of information and property from theft, corruption, or natural
disaster, while keeping that information and property accessible and productive for its intended users.
The term computer system security means the collective processes and mechanisms by which sensitive and
valuable information and services are protected.
OR
It is a collection of tools and techniques designed to protect data from hackers and other unauthorized persons.

2. Describe the basic components of computer security.

Ans :
Computer security is based on confidentiality, integrity and availability. These are the basic
components of computer security.
a) Confidentiality: The purpose of this is to ensure that only those individuals who have the authority
to view a piece of information may do so. No unauthorized individual should ever be able to view data
they are not entitled to see.
b) Integrity: This is a related concept but deals with the creation and modification of data. Only
authorized individuals should ever be able to create or change information, and any unauthorized
change should be detectable.
c) Availability: The goal of availability is to ensure that the data, or the system itself, is available
for use when an authorized user wants it.
Two additional security goals are commonly added to the original three of the CIA triad:
1. Non-repudiation: the ability to prove that a message was sent and received, and that the sender can
be identified and verified, so that the sender cannot later deny having sent it. The need for this
capability in online transactions is readily apparent.
2. Authentication: ensuring that an individual is who they claim to be. The need for this in an online
transaction is obvious.

3. Define the following terms

a. Attack
b. Vulnerability
c. Threat
Ans
Attack: An attack is an attempt by an unauthorized individual to access, modify or destroy
information, or to deceive or disrupt the system.
Vulnerability: A vulnerability is a weakness in the security system (in its design, implementation or
configuration) that an attack could exploit.
Threat: A threat to a computing system is a set of circumstances that has the potential to
cause loss or harm; an attack is a threat being carried out against a vulnerability.

1|Page
4. What is computer security?
Ans :
The term computer security has had different interpretations depending on the era the term describes.
Early on, computer security meant keeping the "glass house" in which the computer core was housed
safe from vandalism, along with providing constant cooling and electricity. As computers became more
dispersed, security became more a matter of preserving data and protecting its validity, as well as keeping
secrets.

5. Describe the terms virus & worm.

Ans
A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs
against your wishes.
Viruses replicate themselves by attaching a copy of their code to other programs or files. All computer
viruses are man-made. A simple virus that makes a copy of itself over and over again is relatively easy
to produce.
Even such a simple virus is dangerous because it can quickly use all available memory and bring the
system to a halt.
A more dangerous type of virus is one capable of transmitting itself across a network and bypassing
security systems.
A worm is often described as a special type of virus that replicates itself and consumes memory and
bandwidth, but does not attach itself to other programs; it is a self-contained program.
Worms are malicious programs that spread themselves automatically. Worms spread by exploiting
vulnerabilities in computer systems, then using the network connection to find and attack other
vulnerable systems.
The lack of any need for human intervention allows worms to spread much faster than viruses.

6. Explain the threats to security in detail.

Ans
1. Viruses and worms: A virus is a program or piece of code that is loaded onto your computer
without your knowledge and can replicate itself by attaching to other programs. A worm is a
self-contained program that replicates itself and consumes memory and bandwidth, but does not
attach itself to other programs.
2. Intruders: Intruders are those who access computer systems and networks
without authorization. Intruders are extremely patient, since gaining access to a
system takes persistence and dogged determination. If the first attack fails, the intruder will try
from another angle, searching for another vulnerability that may not have been
patched.
3. Trojan: A Trojan (Trojan horse) is a program that appears useful or harmless but carries a hidden
malicious function. It is one of the most complicated threats. Most of the popular banking
threats come from the Trojan family, such as Zeus and SpyEye. A Trojan can hide itself
from antivirus detection and steal banking data to compromise your bank account. A sufficiently
powerful Trojan can take over the entire system, including its security software. As a result, a
Trojan can cause many types of damage, from your own computer to your online
accounts.
4. Spyware: Spyware is malware designed to spy on the victim's computer. If you are infected
with it, your daily activity, or certain activities such as keystrokes and browsing, will be recorded by
the spyware, which then finds a way to report back to the operator of the malware.
5. Backdoor: A backdoor is not really malware in itself, but a method by which, once a system has been
affected, an attacker can bypass the regular authentication services. It
is usually installed before any virus or Trojan infection, because having a backdoor installed
eases the transfer of those threats onto the system.
6. DDoS: An attack in which millions of requests are sent to a single server from many machines, so
that the server goes down or a security feature is disabled while the attackers carry out their data
theft; the hacktivist group Anonymous is well known for such attacks. This technique of sending a
lot of traffic to a machine is known as a Distributed Denial of Service, or DDoS.

7. Explain the types of attack in detail.

Ans :
Passive Attack
1. A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive
information that can be used in other types of attacks.
2. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly
encrypted traffic, and capturing authentication information such as passwords.
3. Passive interception of network operations enables adversaries to learn about upcoming actions.
4. Passive attacks result in the disclosure of information or data files to an attacker without the consent or
knowledge of the user. They do not alter the data, which makes them hard to detect.
Active Attack
1. In an active attack, the attacker tries to bypass or break into secured systems, or to alter data.
2. This can be done through stealth, viruses, worms, or Trojan horses.
3. Active attacks include attempts to circumvent or break protection features, to introduce malicious code,
and to steal or modify information.
4. These attacks are mounted against a network backbone, exploit information in transit, electronically
penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave.
5. Active attacks result in the disclosure or dissemination of data files, denial of service (DoS), or
modification of data.

8. What do you mean by authentication? Explain human authentication.

Ans :
1. In computer security, authentication means verifying the identity of a user logging onto a network.
Passwords, digital certificates, smart cards and biometrics can be used to prove the identity of the user to
the network.
2. Authentication also covers verifying message integrity, for example e-mail authentication and a MAC
(Message Authentication Code) that checks the integrity and origin of a transmitted message.
3. Authentication methods include human authentication, challenge-response authentication, passwords,
digital signatures, IP address-based authentication (which is weak, since IP addresses can be spoofed)
and biometrics.
4. Human authentication is the verification that a person, not a computer program, initiated the transaction.
Challenge-response authentication is an authentication method used to prove the identity of a user
logging onto the network without sending the password itself over the network.
5. When a user logs on, the network access server (NAS), wireless access point or authentication server
creates a challenge, typically a random number, and sends it to the client machine.
6. The client software uses its password (or a key derived from it) to encrypt the challenge with an
encryption algorithm or a one-way hash function and sends the result back to the network. This is the
response. The server performs the same computation and compares the two; because every challenge is
fresh, a captured response cannot be replayed in a later login.
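The exchange in points 5 and 6, written out in Python as an added example (this is not code from the original notes). Both the server and the client side are shown. The HMAC-SHA256 keyed hash, the PBKDF2 key derivation, the 16-byte nonce and the Server/Client class names are assumptions made for the demonstration rather than any specific real protocol; the user "alice" and her password are constructed test data.

```python
import hashlib
import hmac
import os
import secrets

# Added example: challenge-response login with HMAC-SHA256.
# The Server/Client classes, the PBKDF2 key derivation and the 16-byte nonce
# are assumptions for this demonstration, not a specific real protocol.

def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key from the password; the server stores only
    # this derived key, so a stolen user database does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.users = {}      # username -> (salt, derived key)
        self.pending = {}    # username -> outstanding challenge nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def issue_challenge(self, username: str):
        # Point 5 of the text: a fresh random number sent to the client.
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        salt, _ = self.users[username]
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        # Each nonce is single-use: pop it so a captured response cannot be replayed.
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare

class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        # Point 6 of the text: keyed one-way function over the challenge.
        # The password itself never crosses the network.
        key = derive_key(self.password, salt)
        return hmac.new(key, nonce, hashlib.sha256).digest()

def run_login(server: Server, client: Client) -> bool:
    salt, nonce = server.issue_challenge(client.username)
    return server.verify(client.username, client.respond(salt, nonce))

def demo():
    """Returns (correct password, wrong password, first use of a response, replay)."""
    server = Server()
    server.register("alice", "correct horse battery staple")   # constructed user
    good = run_login(server, Client("alice", "correct horse battery staple"))
    bad = run_login(server, Client("alice", "wrong password"))

    # An eavesdropper captures one valid response and later resends it.
    salt, nonce = server.issue_challenge("alice")
    captured = Client("alice", "correct horse battery staple").respond(salt, nonce)
    first = server.verify("alice", captured)     # accepted once
    server.issue_challenge("alice")              # next login gets a new nonce
    replayed = server.verify("alice", captured)  # old response no longer matches
    return good, bad, first, replayed

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The two things worth noticing are that the password never leaves the client, and that the replayed response fails only because the server discards each nonce after one use; a server that reused challenges, or accepted a response for any outstanding challenge, would be open to replay even though the hash itself is sound.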

9. Describe the different phases of a virus.

Ans :
a. Dormant Phase: The virus is idle and waits to be activated by some event, such as a date, the
presence of another program or file, or the disk exceeding some capacity. Not all viruses have this phase.
b. Propagation Phase: The virus places an identical copy of itself into other programs or into certain
system areas on the disk, so each infected program in turn contains a clone of the virus.
c. Triggering Phase: The virus is activated to perform the function for which it was intended, triggered
by an event such as a count of how many times it has copied itself.
d. Execution Phase: The function (the payload) is performed. It may be harmless, such as a message on
the screen, or damaging, such as the destruction of programs and data files.

10. Describe the key principles of security.

Ans :
1. The CIA principle
A simple but widely applicable security model is the CIA triad, standing for Confidentiality, Integrity and
Availability: three key principles which should be guaranteed in any kind of secure system. This principle is
applicable across the whole subject of security analysis, from access to a user's internet history to the security
of encrypted data across the internet. If any one of the three is breached it can have serious consequences for
the parties concerned.
2. Confidentiality
Confidentiality is the ability to hide information from those people not authorized to view it. It is perhaps the
most obvious aspect of the CIA triad when it comes to security, but correspondingly it is also the one which is
attacked most often. Cryptography and encryption methods are an example of an attempt to ensure the
confidentiality of data transferred from one computer to another.
3. Integrity
Integrity is the ability to ensure that data is an accurate and unchanged representation of the original secure
information. One type of security attack is to intercept some important data and make changes to it before
sending it on to the intended receiver; integrity controls such as checksums, message authentication codes and
digital signatures detect such tampering.
4. Availability
It is important to ensure that the information concerned is readily accessible to the authorized viewer at all
times. Some types of security attack attempt to deny access to the appropriate user, either for the sake of
inconveniencing them, or because there is some secondary effect. For example, by breaking the web site of a
particular search engine, a rival may become more popular.

11. Compare intruders and insiders.

Ans:
Insiders:
- Are more dangerous than outside intruders.
- Have the access and knowledge necessary to cause immediate damage to an organization.
Intruders:
- Generally referred to as hackers or crackers.
- Unauthorized users accessing computer systems and networks without authorization, or users who are
  authorized but misuse their privileges.

    Intruders                                           | Insiders
 1. Outsiders (or users exceeding their rights) who     | 1. Authorized users who misuse the system or
    try to access a system or network they are not      |    network for which they are authorized
    authorized to use                                    |
 2. Intruders are hackers or crackers                   | 2. Insiders are usually not hackers; they are
                                                        |    employees or contractors
 3. Illegal user                                        | 3. Legal user
 4. Less dangerous than insiders                        | 4. More dangerous than intruders
 5. Intruders have to study and gain knowledge about    | 5. Insiders already have knowledge of the
    the security system                                 |    security system
 6. Intruders do not have access to the system and      | 6. Easy access to the system; no perimeter
    must first break in                                 |    to cross
 7. Many security mechanisms (firewalls, intrusion      | 7. Perimeter mechanisms do not help; protection
    detection, strong authentication) protect           |    relies on least privilege, separation of
    systems from intruders                              |    duties, and logging and auditing of
                                                        |    authorized activity

12. Explain the denial of service attack.

Ans
1. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing
information or services. By targeting your computer and its network connection, or the computers and
network of the sites you are trying to use, an attacker may be able to prevent you from accessing email,
websites, online accounts (banking, etc.), or other services that rely on the affected computer.
2. The most common and obvious type of DoS attack occurs when an attacker "floods" a network with
traffic. When you type a URL for a particular website into your browser, you are sending a request
to that site's server to view the page. The server can only process a certain number of requests
at once, so if an attacker overloads the server with requests, it cannot process your request. This is a
"denial of service" because you cannot access that site.
3. An attacker can use spam email messages to launch a similar attack on your email account. Whether you
have an email account supplied by your employer or one available through a free service such as Yahoo
or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your
account at any given time. By sending many, or large, email messages to the account, an attacker can
consume your quota, preventing you from receiving legitimate messages.
SYN Flood Attack
Normally when a client attempts to start a TCP connection to a server, the client and
server exchange a series of messages which runs like this:
1. The client requests a connection by sending a SYN (synchronize) segment
to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the
client, and records the half-open connection in its backlog while it waits.
3. The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using the
TCP protocol.
A SYN flood attack works by not responding to the server with the expected ACK. The malicious client
can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the
server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it
never sent a SYN (it typically answers with a RST, or with nothing at all if the address is unused).
The server will wait for the acknowledgement for some time, as simple network congestion could also be the
cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind
resources on the server until no new connections can be made, resulting in a denial of service to legitimate
traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved
of resources in this way. The usual defence is SYN cookies, where the server encodes the connection state in
its initial sequence number instead of storing a backlog entry, combined with short timeouts for half-open
connections.
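A toy model of the backlog exhaustion described above, added here as an example and not taken from the original notes. It simulates a listener's half-open connection table under 1000 spoofed SYNs that never complete the handshake, then checks whether a legitimate client can still connect, first with a plain backlog and then with SYN cookies. The backlog size, the cookie construction (a keyed hash of the source address and port only) and all IP addresses are assumptions; real stacks also fold a timestamp and MSS hint into the cookie and expire old half-open entries.

```python
import hashlib
import hmac
import os

# Added example: a toy model of a TCP listener's half-open connection table
# under a SYN flood, with and without SYN cookies. BACKLOG, the cookie
# construction and the attacker/client addresses are assumptions; real stacks
# also fold a timestamp and MSS into the cookie and expire half-open entries.

BACKLOG = 128   # maximum half-open connections the listener will hold

class Listener:
    def __init__(self, use_syn_cookies: bool = False):
        self.use_syn_cookies = use_syn_cookies
        self.half_open = {}        # (src_ip, src_port) -> server ISN awaiting ACK
        self.established = set()
        self.dropped_syns = 0      # SYNs refused because the backlog was full
        self.secret = os.urandom(16)
        self.next_isn = 1000

    def _cookie(self, src) -> int:
        # SYN cookie: the server's initial sequence number is a keyed hash of the
        # connection endpoints, so no state needs storing until the ACK arrives.
        mac = hmac.new(self.secret, f"{src[0]}:{src[1]}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if refused."""
        if self.use_syn_cookies:
            return self._cookie(src)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1            # backlog exhausted: the denial of service
            return None
        self.next_isn += 1
        self.half_open[src] = self.next_isn   # resource bound per half-open connection
        return self.next_isn

    def on_ack(self, src, acked_isn: int) -> bool:
        """Handle the final ACK (acknowledging the server ISN); complete the handshake if valid."""
        if self.use_syn_cookies:
            ok = acked_isn == self._cookie(src)       # state recomputed, not looked up
        else:
            ok = self.half_open.pop(src, None) == acked_isn
        if ok:
            self.established.add(src)
        return ok

def simulate(use_syn_cookies: bool):
    """Flood with 1000 spoofed SYNs that never ACK, then try a legitimate handshake.

    Returns (legitimate client connected, half-open entries left, SYNs dropped).
    """
    listener = Listener(use_syn_cookies)
    for i in range(1000):
        spoofed_src = (f"10.0.{i // 256}.{i % 256}", 40000 + i)   # constructed addresses
        listener.on_syn(spoofed_src)          # SYN-ACK goes to an address that never replies
    client = ("192.0.2.10", 51515)
    isn = listener.on_syn(client)
    connected = isn is not None and listener.on_ack(client, isn)
    return connected, len(listener.half_open), listener.dropped_syns

if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))   # (False, 128, 873)
    print("with SYN cookies:   ", simulate(True))    # (True, 0, 0)
```

Without cookies the first 128 spoofed SYNs fill the table and every later SYN, including the legitimate one, is refused; with cookies the listener stores nothing per SYN, so the flood costs it only the SYN-ACK replies and the real client's handshake completes.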
DDoS:
1. DDoS, short for Distributed Denial of Service, is a type of DoS attack where multiple compromised
systems, usually infected with a Trojan or bot and forming a botnet, are used to target a single system,
causing a denial of service. Victims of a DDoS attack include both the targeted system and all the
systems maliciously used and controlled by the attacker in the distributed attack.
2. As the name suggests, a DDoS is typically launched from a distributed network of computers, and may be
coordinated by a single controlling computer.
3. By overloading the target computer or network with requests to access some part of it, the computers
carrying out a DDoS can overwhelm the target system.
4. As a result, the target computer or network's resources are totally consumed by its attempts to respond to
these requests and the target is consequently unable to carry out its routine tasks. This means that its
users are denied the services which it usually provides.
5. Credit card and bank websites have been the targets of such attacks in the past, and this has resulted in
their customers being unable to use their pages.

13. What are the different ways of spoofing? Explain.

Ans:
Spoofing is making data appear as if it has come from a different source. This is possible in
TCP/IP because of the trusting assumptions behind the protocols. The assumption at the time of
protocol development was that anyone with access to the network layer would be a privileged
user who could be trusted, so the protocols do not verify the claimed source.
When a packet is sent from one system to another, it includes not only the destination IP
address and port but the source IP address as well, and nothing in the protocol checks that the source
address is genuine. Forging it is one of several forms of spoofing.
1. E-mail Spoofing:
a. E-mail spoofing can be easily accomplished, and there are several different ways to do
it and programs that can assist in doing so. E-mail spoofing refers to e-mail that
appears to have originated from one source but was actually sent from another
source. The most common examples of e-mail spoofing are spam and junk mail.
b. A very simple method to spoof an e-mail address is to telnet to port 25, the port
associated with SMTP e-mail delivery on a system. From there, you can fill in any address for the From
and To fields of the message, whether or not the addresses are yours and whether or not
they actually exist. There are simple ways to determine that an e-mail message
was probably not sent by the claimed source (for example, comparing the Received and Return-Path
headers with the From header), but most users do not question their e-mail and
will accept it.
2. URL Spoofing:
a. An attacker acquires a URL close to the one they want to spoof so that e-mail sent from
their system appears to have come from the official site.
b. For example, if attackers wanted to spoof XYZ Corporation, which owns XYZ.com,
the attackers might register a look-alike domain such as XYZ-Corp.com. An individual receiving a
message from the spoofed corporate domain would not normally suspect it to be a spoof
but would take it to be official. This same method can be, and has been, used to spoof
web sites.
3. IP Address Spoofing:
a. The IP protocol is designed so that the originator places its own IP address in the source address
field of the packet. Nothing prevents a system from inserting a different address
in the source address field; doing so is known as IP address spoofing.
b. An IP address may be spoofed for several reasons, for example in a specific DoS attack known as a
smurf attack, where the attacker sends a spoofed packet to the broadcast address of a network, which
distributes the packet to all systems on that network.
c. In this attack, the packet sent by the attacker to the broadcast address is an ICMP echo request with a
fake source address, so that it appears that another system (the victim) made the echo request. A system's
normal response to an echo request is an echo reply, which is what the ping utility uses to let a user
know if a remote system is reachable and responding. In the smurf attack, the request is received by
all systems on the network, so all of them respond with an echo reply to the victim, amplifying the
attacker's traffic many times over. Modern routers drop directed broadcasts by default to prevent this.
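The "telnet to port 25" method from the e-mail spoofing section, shown as an added example (not code from the original notes) with both sides of the SMTP exchange, followed by the simplest check a receiving side can apply: comparing the domain of the envelope sender, which the delivering mail server records as Return-Path, with the domain in the visible From header. The server replies, the host mail.example.net, the domains attacker.example and xyz.example and all addresses are constructed for the demonstration.

```python
import re
from email import message_from_string

# Added example: the "telnet to port 25" spoofing exchange from the text, with
# both sides' messages, followed by the simplest check a receiving side can
# apply. The server replies and all hosts and addresses are constructed for
# the demonstration; mail.example.net and xyz.example are not real hosts.

def spoofing_session(envelope_from, header_from, rcpt, body):
    """Return the SMTP exchange [(side, line), ...] and the message as the MTA queues it."""
    message = (f"From: {header_from}\r\n"        # typed freely by the client
               f"To: {rcpt}\r\n"
               f"Subject: Invoice\r\n\r\n{body}\r\n")
    exchange = [
        ("S", "220 mail.example.net ESMTP"),
        ("C", "HELO attacker.example"),
        ("S", "250 mail.example.net"),
        ("C", f"MAIL FROM:<{envelope_from}>"),  # envelope sender, also unchecked
        ("S", "250 OK"),
        ("C", f"RCPT TO:<{rcpt}>"),
        ("S", "250 OK"),
        ("C", "DATA"),
        ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", message + "."),
        ("S", "250 OK: queued"),
        ("C", "QUIT"),
        ("S", "221 Bye"),
    ]
    # On final delivery the MTA records the envelope sender as Return-Path,
    # which is the only trace of MAIL FROM the recipient ever sees.
    queued = f"Return-Path: <{envelope_from}>\r\n" + message
    return exchange, queued

def sender_domain(address: str):
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else None

def looks_spoofed(raw_message: str) -> bool:
    """True when the visible From domain differs from the envelope sender domain."""
    msg = message_from_string(raw_message)
    envelope = sender_domain(msg.get("Return-Path", ""))
    header = sender_domain(msg.get("From", ""))
    return envelope is not None and header is not None and envelope != header

if __name__ == "__main__":
    exchange, queued = spoofing_session("bob@attacker.example",
                                        "ceo@xyz.example",        # forged visible sender
                                        "finance@xyz.example",
                                        "Please pay the attached invoice today.")
    for side, line in exchange:
        print(side, line.replace("\r\n", "\n"))
    print("spoofed?", looks_spoofed(queued))   # True
```

Nothing in the exchange stops the client from putting any address in MAIL FROM either, so an attacker who bothers to match the two domains passes this check; it catches only careless spoofing. Mailing lists and forwarders also legitimately produce a mismatch, which is why production mail systems rely on SPF, DKIM and DMARC rather than on this comparison alone.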
14. Explain the different models of access control.

Ans:
Access control: It is the process of deciding who can use specific systems, resources, and applications, and
what they may do with them.
An access control model is a defined set of criteria a system administrator uses to define system users'
rights. There are three main access control models: Mandatory Access Control (MAC), Discretionary
Access Control (DAC), and Role Based Access Control (RBAC). In addition, a Rule Based Access Control
model (sometimes written RuBAC to avoid confusion with role based), in which access is decided by
administrator-defined rules such as time of day or source address, is useful for managing permissions across
multiple systems.

The mandatory access control model labels every object with a classification and every user with a clearance,
and these labels are set strictly by the system administrator or security policy. It is the most restrictive access
control method because the end user cannot set or change any access controls on files, even files they created.
Mandatory access control is popular in highly secretive environments, such as the defense industry, where
errant files can jeopardize national security.

Discretionary access control is at the other end of the access spectrum, differing from the mandatory access
model in that it is the least restrictive of the three models. Under the discretionary access model the owner of
an object has complete freedom to assign any rights to that object that he wishes. This level of complete control
over files can be dangerous because if an attacker or malware compromises the account, then the malicious user
or code will have the same complete control, including the ability to grant access to others.

Role based access control creates permissions by assigning access rights to specific roles or jobs within the
company; RBAC then assigns users to those roles, thereby granting privileges. This access control model
functions effectively in actual organizations because files and resources are assigned permissions according to
the roles that require them, and a user's access changes simply by changing their role assignment. For instance,
a system administrator may create an access role for managers only, so a user would need to be assigned the
role of manager to use those resources.
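The three models side by side as working code, added here as an example and not taken from the original notes. The MAC class enforces the classic no-read-up and no-write-down rules over administrator-set labels, the DAC class lets only an object's owner hand out permissions (and the demo shows why a compromised owner account is the weak point), and the RBAC class routes every check through role membership. The security levels, users, files and roles are constructed for illustration.

```python
# Added example: minimal working versions of the three models described above.
# The security levels, users, files and roles are constructed for illustration.

# --- Mandatory access control: labels are fixed by policy, not by users ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

class MAC:
    def __init__(self, clearances: dict, classifications: dict):
        self.clearance = clearances             # user -> level, set by administrator
        self.classification = classifications   # object -> level, set by administrator

    def can_read(self, user: str, obj: str) -> bool:
        # "No read up": a subject reads only objects at or below its clearance.
        return LEVELS[self.clearance[user]] >= LEVELS[self.classification[obj]]

    def can_write(self, user: str, obj: str) -> bool:
        # "No write down": stops secret data being copied into a lower-level file.
        return LEVELS[self.clearance[user]] <= LEVELS[self.classification[obj]]

# --- Discretionary access control: the object's owner decides ---
class DAC:
    def __init__(self):
        self.owner = {}   # obj -> owning user
        self.acl = {}     # obj -> {user: {permissions}}

    def create(self, user: str, obj: str) -> None:
        self.owner[obj] = user
        self.acl[obj] = {user: {"read", "write"}}

    def grant(self, granter: str, obj: str, user: str, perm: str) -> None:
        if self.owner.get(obj) != granter:
            raise PermissionError("only the owner may change permissions")
        self.acl[obj].setdefault(user, set()).add(perm)

    def check(self, user: str, obj: str, perm: str) -> bool:
        return perm in self.acl.get(obj, {}).get(user, set())

# --- Role based access control: permissions go to roles, users go to roles ---
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> {(resource, permission)}
        self.user_roles = {}   # user -> {role}

    def allow(self, role: str, resource: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, perm))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user: str, resource: str, perm: str) -> bool:
        return any((resource, perm) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))

def demo():
    mac = MAC({"alice": "secret", "bob": "confidential"},
              {"war_plan.txt": "secret", "memo.txt": "confidential"})
    mac_results = (mac.can_read("bob", "war_plan.txt"),   # False: no read up
                   mac.can_read("alice", "memo.txt"),      # True
                   mac.can_write("alice", "memo.txt"))     # False: no write down

    dac = DAC()
    dac.create("alice", "report.doc")
    # Malware running as alice inherits her discretion and can hand the file out.
    dac.grant("alice", "report.doc", "mallory", "read")
    try:
        dac.grant("mallory", "report.doc", "mallory", "write")   # not the owner
        mallory_self_grant = True
    except PermissionError:
        mallory_self_grant = False
    dac_results = (dac.check("mallory", "report.doc", "read"),   # True
                   dac.check("mallory", "report.doc", "write"),  # False
                   mallory_self_grant)                           # False

    rbac = RBAC()
    rbac.allow("manager", "payroll", "read")
    rbac.assign("carol", "manager")
    rbac_results = (rbac.check("carol", "payroll", "read"),   # True
                    rbac.check("dave", "payroll", "read"))    # False: no role
    return mac_results, dac_results, rbac_results

if __name__ == "__main__":
    print(demo())
```

The contrast to take away is in the DAC branch of the demo: nothing in the model distinguishes alice from malware running as alice, so whatever she may grant, it may grant. Under MAC the same malware could not lower war_plan.txt's classification, because no user code path exists to change labels at all.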

15. Discuss the different threats to web security.

Ans :
Security threats:
Security threats to web sites and web applications (webapps) come in many forms. Data centers and other assets
used for hosting web sites and their associated systems need to be protected from all types of threat. Threats
should be identified using application threat modeling and then evaluated with a vulnerability assessment.
Vulnerabilities can be removed or reduced and countermeasures put in place to mitigate the effects of an
incident should the threat be realised. The main types of threats to web systems are listed below:
Physical
Physical threats include loss or damage to equipment through fire, smoke, water and other fire suppressants, dust,
theft and physical impact. Physical impact may be due to collision or the result of malicious or accidental
damage by people. Power loss will affect the ability of servers and network equipment to operate, depending
upon the type of back-up power available and how robust it is.
Human error
Errors caused by people include operator/user error such as accidental deletion of data or destruction of
software programs, configurations or hardware. The other major error caused by people is leaving weaknesses
(vulnerabilities) in software. These include escalation of privileges, authentication which can be bypassed,
incorrect implementation of encryption, failure to validate input and output data, weak session management,
failure to handle errors correctly, etc. Good programming practices can reduce the vulnerabilities which human
error introduces and attackers exploit.
Malfunction
Both equipment and software malfunction threats can impact the operation of a website or web
application. All assets required for the operation of the web system must be identified to be able to evaluate the
threats. Malfunction of software is usually due to poor development practices where security has not been built
into the software development life cycle.
Malware
Malware, or malicious software, comes in many guises. Web servers are popular targets to aid the distribution of
such code, and sites which have vulnerabilities that allow this are popular targets.
Spoofing
Spoofing, where a computer assumes the identity of another, and masquerading, where a user pretends to be
another, usually with higher privileges, can be used to attack web systems to poison data, deny service or
damage systems.
Scanning
Scanning of web systems is usually part of network or application fingerprinting prior to an attack, but also
includes brute force and dictionary attacks on usernames, passwords and encryption keys.
Eavesdropping
Monitoring of data (on the network, or on users' screens) may be used to uncover passwords or other sensitive
data.
Scavenging
Examining 'found' data from accessible sources such as the network, search engines and waste. The actual target
information could be found, but more often scavenging is used as a way to select other threats for vulnerabilities
that are known to exist for the web system (e.g. operating system, firewall type, server software, application
software).
Spamming (flooding)
Overloading a system through excessive traffic can lead to denial of service for other users or system failure.
Out of band
Network attack techniques such as tunneling to access low level system functions can mean that a target such as a
router or server can be taken over. Once an attacker has control, this can be used to attack other assets required
for the continued operation of a web site.

16. Describe the term authentication. Explain authentication methods.

Ans : Authentication:
The process of verifying the identity of an individual, or the origin and integrity of a message, file or other data.
The two major roles for authentication, therefore, are as follows: (1) confirming that the user is who he or she
claims to be; and (2) confirming that a message is authentic and has not been altered or forged. The term
authentication should not be confused with the closely related term authorization, which means determining
what an authenticated user is allowed to do or see.
Authentication methods:
1. Verifying the integrity of a transmitted message, for example with a message authentication code or a
digital signature.
2. Verifying the identity of a user logging into a network. Passwords, digital certificates, smart cards and
biometrics can be used to prove the identity of the client to the network.
3. Passwords and digital certificates can also be used to identify the network to the client (mutual
authentication). The latter is important in wireless networks to ensure that the desired network, and not a
rogue access point, is being accessed.

17. Differentiate between virus and worms.

    Virus                                               | Worm
 1. A virus is a piece of code that attaches itself     | 1. A worm is a self-contained malicious program
    to a legitimate program or file                     |    that spreads automatically over the network
 2. A virus modifies the code of the files it infects   | 2. A worm does not modify other programs' code
 3. It cannot spread on its own; it spreads when the    | 3. It replicates and spreads itself with no human
    infected program or file is run or copied           |    action, by exploiting vulnerabilities
 4. The aim of a virus is to infect code or programs    | 4. The aim of a worm is to make a computer or
    stored on the computer system                       |    network unusable by consuming resources
 5. A virus can infect other files                      | 5. A worm does not infect other files but occupies
                                                        |    memory, disk and bandwidth by replicating
 6. A virus may need a trigger (user action or event)   | 6. A worm does not need any trigger
    for execution                                       |
 7. A virus is usually destructive in nature, carrying  | 7. A worm is often non-destructive to data, though
    a payload that damages programs or data             |    its replication alone can bring systems and
                                                        |    networks down
