

Ques. 1. What is an "information security breach" and what are its common causes?

Ans: Security Breach:- A breach of security is where a stated organizational policy or legal requirement regarding Information Security has been contravened. However, every incident which suggests that the Confidentiality, Integrity and Availability of the information have been inappropriately changed can be considered a Security Incident. Every Security Breach is always initiated via a Security Incident; only if confirmed does it become a Security Breach. The recent government guides define "security breaches" to include the loss or theft of devices (e.g., laptops or external drives) and storage media (e.g., disks or USB drives) that happen to contain personal data, even in the absence of any evidence that the data have been accessed. Breaches are also defined to include misdirected or undelivered faxes, emails, and parcels, or other errors involving responsible parties who have no interest in accessing or misusing the data.

Common causes of IT security breaches

Historically, the approach to enterprise security has been to make the fortress bigger and stronger – to install more products, and write more policies. Yet despite heightened security awareness and cutting-edge tools, 2006 was the worst year yet on record for corporate security breaches – continuing the year-on-year escalation of security risk. The problem is, attackers are as advanced as the defenders – and the attacks don't always come from the expected direction.

1. Inside job

The fact is that the biggest threat to an organization lies within its boundaries. In its 2006 survey, "Information Security Breaches," the DTI and PricewaterhouseCoopers found that 32% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners. Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly. So securing the enterprise isn't just about stopping external threats. It's just as important to contain the threat from hapless or hazardous employees.

One of the key internal threats to corporations is spyware, because it's all too often introduced without malicious intent, by employees that naively click through a couple of popup browser windows, or install an unapproved yet 'cool' application on the network. The situation isn't helped by the myths that surround spyware.

2. Myth busting

These are the six most common spyware myths: It's an isolated problem; Blocking at the gateway is good enough; Locking down the desktop is good enough; Drive-by downloads are a primary source of penetration; The problem comes from the outside in; No one wants spyware. But the truth of the matter is somewhat different. Let's look at the real situation that's masked by each myth.

• Most spyware comes in as the direct result of user behavior, whether that user is naive or ill intentioned.
• Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC doesn't make security sense. It's like locking the doors and windows of the house – with the burglar still in the basement – and not bothering to call the police. What's more, gateway defenses cannot detect threats already on desktop PCs.
• If "locking down" the desktop and restricting user installation were effective, there would be no need for antivirus software. Spyware is designed to get around acceptable use policies and exploits users' inquisitive nature.
• "Drive-by downloads" should never occur in a corporate environment, because they come from sites that users should not visit at work.
• Sure, spyware comes from outside – because someone opened the door and let it in. Not recognizing this results in a porous security infrastructure.
• True, no one actually wants spyware, but it comes as part of that cool application that users do want. So spyware gets installed anyway.

3. Spy trap

So what can companies do to minimize internal threats? First, make a Web filter a required part of the network security arsenal. This should prohibit users from visiting known spyware and 'drive-by download'

sites. Second, deploy an effective email filter that blocks spyware from entering the network via active HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as it's introduced. Finally, implement a solution that disallows running or installing programs that in turn install spyware.

Put simply, organizations need to remove the ability of employees to let the burglars in, in the first place. They need to implement tamperproof solutions that users cannot easily evade – no matter what the external inducements – to keep the burglar out of the basement.

SurfControl is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event.

Ques. 2. What are the different kinds of hackers?

Ans: Various kinds of hackers:- There are various types of computer hackers that all have different malicious intent. However, not all have intent to steal our data. The term hacker is a generic term to describe attackers. It's important to know these different types of hackers so we can properly defend our data. Below is a list of various types of hackers:

• White Hat: A white hat has the skills to break into computer systems and do damage. However, they use their skills to help organizations. For example, a white hat might work for an organization to test for security weaknesses and vulnerabilities in the network.
• Black Hat: A black hat, also known as a cracker, uses his skills to break into computer systems for unethical reasons, for example to steal user data like credit card numbers, bank information, username and password.
• Grey Hat: This type can be thought of as a white hat attacker who sometimes acts unethically. They could be employed as a legitimate network security administrator. But, during this person's duties, he may find an opportunity for gaining access to company data and stealing that data.
• Script Kiddy: A Script Kiddy is someone who lacks the skills of a typical hacker. They rely on downloading hacking programs or utilities, sometimes called scripts, to perform an attack.
• Hacktivist: This is a person with political motivations, such as someone defacing a website and leaving messages on the hacked site for the world to see.
• Computer Security Hacker: This is someone who knows the technical aspects of computer networking and security. This person could attack a network protected by a firewall or IPS by fragmenting packets.
• Academic Hacker: This type is typically an employee or student at an institution of higher education. They would use the institution's computing resources to write malicious programs.
• Hobby Hacker: This is someone that tends to focus more on home computing, such as modifying existing hardware or software, using software without a license, or unlocking an Apple iPhone.
• Phreaker: A phreaker is simply a hacker of telecommunications. An example of this is tricking the phone system into letting you make free long distance calls.

Ques. 3. Explain the following terms as threat consequences, and also list and describe the kinds of threat actions that cause each consequence:

Ans:- A threat consequence is a security violation that results from a threat action. The following subentries describe threat consequences.

a) Unauthorized Access

Unauthorized Access is when a person who does not have permission to connect to or use a system gains entry in a manner unintended by the system owner. The popular term for this is "hacking". It could happen in any number of ways, but usually access is gained via unpatched software or other known vulnerabilities.

b) (Unauthorized) Disclosure

A circumstance or event whereby an entity gains access to data for which the entity is not authorized (data confidentiality). The following threat actions can cause unauthorized disclosure:

• "Exposure" A threat action whereby sensitive data is directly released to an unauthorized entity. This includes:
  - "Deliberate Exposure" Intentional release of sensitive data to an unauthorized entity.
  - "Scavenging" Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
  - "Human error" Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data.
  - "Hardware/software error" System failure that results in an entity gaining unauthorized knowledge of sensitive data.
• "Interception" A threat action whereby an unauthorized entity directly accesses sensitive data travelling between authorized sources and destinations. This includes:
  - "Theft" Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data.
  - "Wiretapping (passive)" Monitoring and recording data that is flowing between two points in a communication system.
  - "Emanations analysis" Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.
• "Inference" A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications. This includes:
  - "Traffic analysis" Gaining knowledge of data by observing the characteristics of communications that carry the data.
  - "Signals analysis" Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data.
• "Intrusion" A threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's security protections. This includes:
  - "Trespass" Gaining unauthorized physical access to sensitive data by circumventing a system's protections.
  - "Penetration" Gaining unauthorized logical access to sensitive data by circumventing a system's protections.
  - "Reverse engineering" Acquiring sensitive data by disassembling and analyzing the design of a system component.
  - "Cryptanalysis" Transforming encrypted data into plain text without having prior knowledge of encryption parameters or processes.

c) Deception

A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. The following threat actions can cause deception:

• "Masquerade" A threat action whereby an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  - "Spoof" Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.
  - "Malicious logic" In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
• "Falsification" A threat action whereby false data deceives an authorized entity (active wiretapping).
  - "Substitution" Altering or replacing valid data with false data that serves to deceive an authorized entity.
  - "Insertion" Introducing false data that serves to deceive an authorized entity.
• "Repudiation" A threat action whereby an entity deceives another by falsely denying responsibility for an act.
  - "False denial of origin" Action whereby the originator of data denies responsibility for its generation.
  - "False denial of receipt" Action whereby the recipient of data denies receiving and possessing the data.

d) Disruption

A circumstance or event that interrupts or prevents the correct operation of system services and functions. (See: denial of service.) The following threat actions can cause disruption:

• "Incapacitation" A threat action that prevents or interrupts system operation by disabling a system component.
  - "Malicious logic" In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally introduced into a system to destroy system functions or resources.
  - "Physical destruction" Deliberate destruction of a system component to interrupt or prevent system operation.
  - "Human error" Action or inaction that unintentionally disables a system component.
  - "Hardware or software error" Error that causes failure of a system component and leads to disruption of system operation.
  - "Natural disaster" Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.
• "Corruption" A threat action that undesirably alters system operation by adversely modifying system functions or data.
  - "Tamper" In context of corruption, deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.
  - "Malicious logic" In context of corruption, any hardware, firmware, or software (e.g., a computer virus) intentionally introduced into a system to modify system functions or data.
  - "Human error" Human action or inaction that unintentionally results in the alteration of system functions or data.
  - "Hardware or software error" Error that results in the alteration of system functions or data.
  - "Natural disaster" Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data.
• "Obstruction" A threat action that interrupts delivery of system services by hindering system operations.

  - "Interference" Disruption of system operations by blocking communications or user data or control information.
  - "Overload" Hindrance of system operation by placing excess burden on the performance capabilities of a system component (flooding).

e) Usurpation

A circumstance or event that results in control of system services or functions by an unauthorized entity. The following threat actions can cause usurpation:

• "Misappropriation" A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.
  - "Theft of service" Unauthorized use of service by an entity.
  - "Theft of functionality" Unauthorized acquisition of actual hardware, software, or firmware of a system component.
  - "Theft of data" Unauthorized acquisition and use of data.
• "Misuse" A threat action that causes a system component to perform a function or service that is detrimental to system security.
  - "Tamper" In context of misuse, deliberate alteration of a system's logic, data, or control information to cause the system to perform unauthorized functions or services.
  - "Malicious logic" In context of misuse, any hardware, software, or firmware intentionally introduced into a system to perform or control execution of an unauthorized function or service.
  - "Violation of permissions" Action by an entity that exceeds the entity's system privileges by executing an unauthorized function.

f) Snooping

Snooping, in a security context, is unauthorized access to another person's or company's data. The practice is similar to eavesdropping but is not necessarily limited to gaining access to data during its transmission. Snooping can include casual observance of an email that appears on another's computer screen or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. Malicious users frequently use snooping techniques and equipment such as key loggers to monitor keystrokes, capture passwords and login information, and to intercept email and other private communications and data transmissions. Corporations sometimes snoop on employees legitimately to monitor their use of business computers and track Internet usage. Governments may snoop on individuals to collect information and avert crime and terrorism. Although snooping has a negative connotation in general, in computer technology snooping can refer to any program or utility that performs a monitoring function. For example, a snoop server is used to capture network traffic for analysis, and the snooping protocol monitors information on a computer bus to ensure efficient processing.

Ques. 4. List various passive and active attacks.

Ans: Passive Attacks:- Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are:

• Release of message contents (Figure 1.a): A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

• Traffic Analysis (Figure 1.b): Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
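The distinction the two passive attacks turn on, that encryption masks what is said but not who talks to whom, how often, or how much, is easier to see on data. The following is an added example written for these notes; it is not code from the original material. The hosts, the four messages, and the 16-byte padding block are constructed for the demonstration, and a one-time pad stands in for whatever cipher a real link would use.

```python
import secrets
from collections import Counter

# Constructed sample traffic: (source host, destination host, plaintext).
# A passive observer on the link never sees the plaintext column.
SAMPLE_MESSAGES = [
    ("10.0.0.5", "10.0.0.9", b"LAUNCH"),
    ("10.0.0.9", "10.0.0.5", b"OK"),
    ("10.0.0.5", "10.0.0.9", b"ABORT"),
    ("10.0.0.5", "10.0.0.9", b"LAUNCH"),
]

BLOCK = 16  # constructed padding block size; every padded message is a multiple of this


def one_time_pad_encrypt(plaintext):
    """Mask the contents with a fresh random key as long as the message.
    The observer learns nothing about the bytes, but the ciphertext is exactly
    as long as the plaintext, so the message length still leaks."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return ciphertext, key


def one_time_pad_decrypt(ciphertext, key):
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def pad_to_block(plaintext, block=BLOCK):
    """PKCS#7-style padding: append n bytes of value n so the length is a multiple
    of block. Applied before encryption, it makes a 2-byte reply and a 6-byte
    command the same size on the wire."""
    n = block - (len(plaintext) % block)
    return plaintext + bytes([n]) * n


def unpad(padded):
    return padded[:-padded[-1]]


def capture(messages, pad=False):
    """Simulate what crosses the wire: the observer records only the endpoints
    and the ciphertext length of each message."""
    observed = []
    for src, dst, msg in messages:
        body = pad_to_block(msg) if pad else msg
        ciphertext, _ = one_time_pad_encrypt(body)
        observed.append((src, dst, len(ciphertext)))
    return observed


def traffic_profile(observed):
    """Traffic analysis over the observer's records: which hosts talk, how often,
    and which message sizes occur. None of this requires the key."""
    flows = Counter((src, dst) for src, dst, _ in observed)
    lengths = Counter(size for _, _, size in observed)
    return {"flows": dict(flows), "lengths": sorted(lengths)}


if __name__ == "__main__":
    print("unpadded:", traffic_profile(capture(SAMPLE_MESSAGES)))
    print("padded:  ", traffic_profile(capture(SAMPLE_MESSAGES, pad=True)))
```

Without padding the observer sees three distinct sizes and can tell the short reply from the two different commands even though every byte is perfectly masked; with padding every message is 16 bytes. Padding removes only the length signal: the flow counts are identical in both runs, which is exactly the location, identity and frequency information the notes say an opponent can still observe.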

Active Attacks: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:

• Masquerade: A masquerade takes place when one entity pretends to be a different entity (Figure 2.a). A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
• Replay Attacks: An attack in which a service already authorized and completed is forged by another "duplicate request" in an attempt to repeat authorized commands (Figure 2.b).
• Modification of messages: It simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure 2.c). For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."
• Denial of service: The denial of service prevents or inhibits the normal use or management of communications facilities (Figure 2.d). This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.

Figure 2. Active Attacks

Ques. 5. What are the different security threats and what are their countermeasures?

Ans: The object of security is to protect valuable or sensitive information while making it readily available. Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by using various techniques, methods, and tools. System administrators need to understand the various aspects of security to develop measures and policies to protect assets and limit their vulnerabilities.

Goal + Method + Vulnerabilities = Attack. The following introduces basic security threats in different areas.

Human Threats: Malicious threats consist of inside attacks by malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization. The most dangerous attackers are usually insiders (or former insiders), because they know many of the codes and security measures that are already in place. Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Employees are the people most familiar with the organization's computers and applications, and they are most likely to know what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, and they can browse through the file system. The insider attack can affect all components of computer security. By browsing through a system, confidential information could be revealed. Trojan horses are a threat to both the integrity and confidentiality of information in the system. Insider attacks can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.

Non-malicious threats usually come from employees who are untrained in computers and are unaware of security threats and vulnerabilities. Users who open up Microsoft Word documents using Notepad, edit the documents, and then save them could cause serious damage to the information stored in the document.

Natural Disasters: Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and contingency plans in place. Other threats such as riots, wars, and terrorist attacks could be included here. Although they are human-caused threats, they are classified as disastrous.

The following table gives the various aspects discussed above.

Threats              | Motives/Goals        | Methods
---------------------|----------------------|--------------------------------
• Employees          | • Deny services      | • Social engineering
• Malicious          | • Steal information  | • Viruses, Trojan horses, worms
• Ignorant           | • Alter information  | • Packet replay
• Non-employees      | • Damage information | • Packet modification
• Outside attackers  | • Delete information | • IP spoofing
• Natural disasters  | • Make a joke        | • Mail bombing
• Floods             | • Show off           | • Various hacking tools
• Earthquakes        |                      | • Password cracking
• Hurricanes         |                      |
• Riots and wars     |                      |

Security Policies -> Vulnerabilities -> Assets (• Information and data • Productivity • Hardware • Personnel)

Motives, Goals, and Objectives of Malicious Attackers

Malicious attackers normally will have a specific goal, objective, or motive for an attack on a system. These goals could be to disrupt services and the continuity of business operations by using denial-of-service (DoS) attack tools. They might also want to steal information or even steal hardware such as laptop computers. Hackers can sell information that can be useful to competitors.

Various methods that attackers use:

• Deleting and altering information: Malicious attackers delete or alter information. Outside attackers might want to do this to prove that they can get in to the system or for the fun of it.
• Committing information theft and fraud: Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods.
• Disrupting normal business operations: Attackers may want to disrupt normal business operations.

Malicious attackers can gain access or deny services in numerous ways. Here are some of them:

• Viruses-Attackers can develop harmful code known as viruses. Using hacking techniques, they can break into systems and plant viruses. Viruses in general are a threat to any environment. They come in different forms and although not always malicious, they always take up time. Viruses can also be spread via e-mail and disks.

• Trojan horses-These are malicious programs or software code hidden inside what looks like a normal program. When a user runs the normal program, the hidden code runs as well. It can then start deleting files and causing other damage to the computer. Trojan horses are normally spread by e-mail attachments.
• Worms-These are programs that run independently and travel from computer to computer across network connections. Worms may have portions of themselves running on many different computers.
• Password cracking-This is a technique attackers use to surreptitiously gain system access through another user's account. This is possible because users often select weak passwords.
• Denial-of-service attacks-This attack exploits the need to have a service available. It is a growing trend on the Internet because Web sites in general are open doors ready for abuse. People can easily flood the Web server with communication in order to keep it busy. Therefore, companies connected to the Internet should prepare for DoS attacks. They also are difficult to trace and allow other types of attacks to be subdued.
• E-mail hacking-Electronic mail is one of the most popular features of the Internet. With access to Internet e-mail, someone can potentially correspond with any one of millions of people worldwide. Some of the threats associated with e-mail are:
  - Impersonation-The sender address on Internet e-mail cannot be trusted because the sender can create a false return address. The header can be modified to hide or change the sender, or to redirect the message.
  - Eavesdropping-E-mail headers and contents are transmitted in clear text if no encryption is used. As a result, the contents of a message can be read or altered in transit.
• Packet replay-This refers to the recording and retransmission of message packets in the network. Packet replay is a significant threat for programs that require authentication sequences, because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable, but can be prevented by using packet time stamping and packet sequence counting.
• Packet modification-This involves one system intercepting and modifying a packet destined for another system.
• Eavesdropping-This allows a cracker (hacker) to make a complete copy of network activity. As a result, a cracker can obtain sensitive information such as passwords, data, and procedures for performing functions. It is possible for a cracker to eavesdrop by wiretapping, using radio, or using auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets sent over the network. In most cases, it is difficult to detect eavesdropping.
• Social engineering-This is a common form of cracking. It can be used by outsiders and by people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information.
• Intrusion attacks-In these attacks, a hacker uses various hacking tools to gain access to systems. These can range from password-cracking tools to protocol hacking and manipulation tools. Intrusion detection tools often can help to detect changes and variants that take place within systems and networks.
• Network spoofing-In network spoofing, a system presents itself to the network as though it were a different system (computer A impersonates computer B by sending B's address instead of its own). The reason for doing this is that systems tend to operate within a group of other trusted systems. Trust is imparted in a one-to-one fashion; computer A trusts computer B (this does not imply that system B trusts system A). Implied with this trust is that the system administrator of the trusted system is performing the job properly and maintaining an appropriate level of security for the system. Network spoofing occurs in the following manner: if computer A trusts computer B and computer C spoofs (impersonates) computer B, then computer C can gain otherwise-denied access to computer A.
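The notes name two countermeasures for packet replay, time stamping and sequence counting, and separately describe packet modification and the masquerade, replay and modification-of-messages cases of Ques. 4. The receiver below, an added example written for these notes rather than code from the original material, applies both countermeasures and adds an HMAC-SHA256 tag over the sequence number, timestamp and payload so that an altered packet is rejected as well. The shared key, the 30-second freshness window and the sample packets (including the "John Smith"/"Fred Brown" alteration from Ques. 4) are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the two endpoints; a real deployment provisions it out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_CLOCK_SKEW = 30  # seconds; constructed window for how far a packet timestamp may drift


def make_packet(seq, timestamp, payload, key=SHARED_KEY):
    """Sender side: serialize sequence number, timestamp and payload, then tag them
    with HMAC-SHA256 so none of the three can be altered without detection."""
    body = json.dumps({"seq": seq, "ts": timestamp, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag first, then apply time stamping and sequence counting."""

    def __init__(self, key=SHARED_KEY, now=time.time):
        self.key = key
        self.now = now        # injectable clock so the demonstration is deterministic
        self.last_seq = 0     # highest sequence number accepted so far

    def accept(self, packet):
        """Return (True, payload) for a fresh, authentic packet, else (False, reason)."""
        expected = hmac.new(self.key, packet["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):
            return False, "modified"    # body changed in transit (packet modification)
        header = json.loads(packet["body"])
        if abs(self.now() - header["ts"]) > MAX_CLOCK_SKEW:
            return False, "stale"       # recorded earlier and retransmitted much later
        if header["seq"] <= self.last_seq:
            return False, "replayed"    # duplicate of a packet already accepted
        self.last_seq = header["seq"]
        return True, header["payload"]


def run_demo():
    """Run the scenarios from the notes against one receiver; returns the verdicts in order."""
    clock = [1_700_000_000.0]
    rx = Receiver(now=lambda: clock[0])
    verdicts = []
    first = make_packet(1, clock[0], "Allow John Smith to read confidential file accounts")
    verdicts.append(rx.accept(first))                   # genuine packet: accepted
    verdicts.append(rx.accept(first))                   # identical packet again: replayed
    tampered = dict(first, body=first["body"].replace(b"John Smith", b"Fred Brown"))
    verdicts.append(rx.accept(tampered))                # altered in transit: modified
    verdicts.append(rx.accept(make_packet(2, clock[0] + 1, "ok")))  # next in sequence: accepted
    clock[0] += 3600                                    # an hour passes at the receiver
    verdicts.append(rx.accept(make_packet(3, clock[0] - 3600, "late")))  # old timestamp: stale
    return verdicts


if __name__ == "__main__":
    for ok, detail in run_demo():
        print("accepted" if ok else "rejected", detail)
```

Two design points matter in practice. The strict `seq <= last_seq` test drops packets that merely arrive out of order along with genuine replays; a receiver that must tolerate reordering keeps a window of recently seen sequence numbers instead. The timestamp check is what makes the counter meaningful across restarts: without it, a packet recorded long ago would be accepted by any receiver whose counter has since been reset below that packet's sequence number.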