Computer Net Security
pg. 1
Chapter 1: Introduction and Security Threats
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. Data security technologies are:
Disk Encryption
Hardware based Mechanisms for Protecting Data
Backups
Data Masking
Data Erasure
"Network security" refers to any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network.
The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.
2. Threats to Security
2.1 Viruses: A computer virus is a piece of software that can “infect” other programs by modifying them.
• The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs.
• A computer virus carries in its instructional code the recipe for making perfect copies of itself.
• The typical virus becomes embedded in a program on a computer.
• Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program.
Trigger:
• The event or condition that determines when the payload is activated or delivered.
Payload:
• What the virus does, besides spreading.
• The payload may involve damage or may involve benign but noticeable activity.
During its lifetime, a typical virus goes through the following four phases:
Dormant phase:
• The virus is idle.
• The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
• Not all viruses have this stage.
Propagation phase:
• The virus places an identical copy of itself into other programs or into certain system areas on the disk.
• Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
Triggering phase:
• The virus is activated to perform the function for which it was intended.
• As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
Execution phase:
• The function is performed.
• The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
2.2 Worm: It is a program that can replicate itself and send copies from computer to computer across network connections.
• Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function.
• An e-mail virus has some of the characteristics of a worm because it propagates itself from system to system.
A worm actively seeks out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines.
2.3 Intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
2.4 Insiders:
• An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
• The threat may involve fraud or the theft of confidential or commercially valuable information.
• Insiders are more dangerous than outside intruders.
• They have the access and knowledge necessary to cause immediate damage to an organization.
• Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.
• Besides employees, insiders also include a number of other individuals who have physical access
INTRUDERS vs. INSIDERS
• Intruders are authorized or unauthorized users who are trying to access the system or network. Insiders are authorized users who try to access a system or network for which they are unauthorized.
• Intruders are hackers or crackers. Insiders are not hackers.
• Intruders are illegal users. Insiders are legal users.
• Intruders are less dangerous than insiders. Insiders are more dangerous than intruders.
• Intruders do not have access to the system. Insiders have easy access to the system because they are authorized users.
• Many security mechanisms are used to protect the system from intruders. There is no such mechanism to protect the system from insiders.
VIRUS vs. WORM
• A virus is a piece of code that attaches itself to a legitimate program. A worm is a malicious program that spreads automatically.
• A virus modifies the code. A worm does not modify the code.
• A virus does not replicate itself. A worm replicates itself.
• A virus is destructive in nature. A worm is non-destructive in nature.
• The aim of a virus is to infect the code or program stored on a computer system. The aim of a worm is to make the computer or network unusable.
• A virus can infect other files. A worm does not infect other files, but it occupies memory space through replication.
• A virus may need a trigger for execution. A worm does not need any trigger.
5. Avenue of Attack
There are two general reasons a particular computer system is attacked: either it is specifically targeted by the attacker, or it is an opportunistic target. In the first case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason. An example of this type of attack would be an individual in one country attacking a government system in another. The second type of attack, an attack against a target of opportunity, is conducted against a site that has software that is vulnerable to a specific exploit.
7. Security Basics
When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability.
Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By "access," we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy.
Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.
Availability means that assets are accessible to authorized parties at appropriate times. In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented.
Figure: Relationship between confidentiality, integrity, and availability.
Passive Attacks: Passive attacks are a kind of read-only attack where the attacker is usually interested in just gathering information without disrupting the computer system’s operations and services. A passive attack usually involves monitoring and analysis of data transmission to gain some
Without security measures and controls in place, our data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself.
Our networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place.
• Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by authorized users.
9.5 Spoofing
Spoofing is nothing more than making data look like it has come from a different source. This is possible in TCP/IP because of the friendly assumptions behind the protocols.
When the protocols were developed, it was assumed that individuals who had access to the network layer would be privileged users who could be trusted. When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. You are supposed to fill in the source with your own address, but there is nothing that stops you from filling in another system’s address. This is one of the several forms of spoofing.
1. Spoofing E-Mail
2. IP address Spoofing
3. Spoofing and Trusted Relationships
4. Spoofing and Sequence Numbers
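Because the source address is filled in by the sender, the standard defence against IP address spoofing is to check it at the network border: your own prefix can never legitimately arrive from outside, and nothing but your own prefix should leave. The following is an added example, not part of the text, of that ingress/egress check in Python; the prefix 203.0.113.0/24 and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed for this example: the public block this site is assumed to own.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never arrive from the Internet side of the border.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, unspecified, link-local
)]


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def check_source(direction, src):
    """Decide whether a packet's claimed source address is plausible.

    direction is "ingress" (arriving from the Internet) or "egress" (leaving
    our network). Returns "ok" or a "drop: ..." reason (BCP 38 style filtering).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if in_any(addr, OUR_PREFIXES):
            return "drop: our own prefix arriving from outside"
        if in_any(addr, BOGONS):
            return "drop: private or bogon source from outside"
        return "ok"
    if direction == "egress":
        if not in_any(addr, OUR_PREFIXES):
            return "drop: source is not one of our prefixes"
        return "ok"
    raise ValueError("direction must be 'ingress' or 'egress'")


# Constructed sample traffic as a border router would see it: (direction, source).
SAMPLE = [
    ("ingress", "203.0.113.9"),    # claims to be an inside host but arrives from outside
    ("ingress", "192.168.1.5"),    # private address arriving from the Internet
    ("ingress", "198.51.100.7"),   # ordinary remote host
    ("egress", "203.0.113.9"),     # one of our hosts talking out
    ("egress", "198.51.100.7"),    # inside host using someone else's address
]


def audit(packets=SAMPLE):
    """Return (direction, source, verdict) for each packet."""
    return [(d, s, check_source(d, s)) for d, s in packets]


if __name__ == "__main__":
    for row in audit():
        print(*row)
```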
House. The www.whitehouse.com URL takes you to a pornographic site. In this case, nobody is likely to take the pornographic site to be the official government site, and it was not intended to be taken that way. If, however, the attackers made their spoofed site appear similar to the official one, they could easily convince many viewers that they were at the official site.
attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to appear as real on-line banking websites. Emails received by users in most cases will look authentic, sent from sources known to the user (very often with the appropriate company logo and localized information); those emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information on-line. The request will be accompanied by a threat that the account may become disabled or suspended if the mentioned details are not verified by the user.
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly, but erroneously, used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability.
Malware includes computer viruses, computer worms, ransomware, trojan horses, keyloggers, most rootkits, spyware, dishonest adware, and other malicious software.
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs (code injection). If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed:
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.
A computer virus is a harmful software program written intentionally to enter a computer without the user's permission or knowledge. It has the ability to replicate itself, thus continuing to spread. Some viruses do little but replicate, while others can cause severe harm or adversely affect the programs and performance of the system. A virus should never be assumed harmless and left on a system.
There are different types of viruses, which can be classified according to their origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system, or the platform they attack. Let us have a look at a few of them.
However, this type of virus has minimal effect on the computer's performance.
Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The virus replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D. For protection, the only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. However, it is very easy to detect this type of virus, as the original program becomes useless.
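Since an overwrite virus preserves the file size, a check that compares only sizes against a baseline reports nothing; a content hash catches it. This added example (not from the text) keeps a baseline of size and SHA-256 for a set of constructed in-memory "files" and shows the size-only check missing a same-size overwrite that the hash check reports.

```python
import hashlib


def fingerprint(data):
    """Size and SHA-256 digest of a file's bytes."""
    return (len(data), hashlib.sha256(data).hexdigest())


def make_baseline(files):
    """files maps path -> bytes of a known-clean system. Returns path -> (size, digest)."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare(baseline, files):
    """Compare current files with the baseline; returns a list of (path, verdict).

    "modified, size unchanged" is the overwrite-virus pattern: content replaced,
    length preserved, so a size-only check would stay silent.
    """
    findings = []
    for path, (size, digest) in baseline.items():
        if path not in files:
            findings.append((path, "missing"))
            continue
        cur_size, cur_digest = fingerprint(files[path])
        if cur_digest == digest:
            continue
        verdict = "modified, size unchanged" if cur_size == size else "modified, size changed"
        findings.append((path, verdict))
    for path in files:
        if path not in baseline:
            findings.append((path, "new file"))
    return findings


def size_only_check(baseline, files):
    """The naive check: flag only files whose size changed."""
    return [p for p, (size, _) in baseline.items() if p in files and len(files[p]) != size]


# Constructed sample: two "programs" on a clean system.
CLEAN = {
    "bin/app.exe": b"MZ original application code ... end",
    "bin/util.exe": b"MZ small utility program",
}

# Simulate what the text describes: app.exe's content replaced by junk of the same length.
INFECTED = dict(CLEAN)
INFECTED["bin/app.exe"] = b"X" * len(CLEAN["bin/app.exe"])

if __name__ == "__main__":
    base = make_baseline(CLEAN)
    print("size-only check:", size_only_check(base, INFECTED))   # finds nothing
    print("hash-based check:", compare(base, INFECTED))
```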
Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to automate a series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. These viruses automatically infect the file that contains macros, and also infect the templates and documents that the file contains. It is referred to as a type of e-mail virus. These hide in documents that are shared via e-mail or networks. Examples: Relax, Melissa.A, Bablas, O97M/Y2K. The best protection technique is to avoid opening e-mails from unknown senders. Also, disabling macros can help to protect your useful data.
Directory Virus
Directory viruses (also called cluster viruses or file system viruses) infect the directory of your computer by changing the path that indicates the location of a file. When you execute a program file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly running the virus program, while the original file and program has previously been moved by the virus. Once infected, it becomes impossible to locate the original files. It is usually located in only one location of the disk, but infects the entire program in the directory. Examples: Dir-2 virus. For protection, all you can do is reinstall all the infected files from the backup after formatting the disk.
Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for antivirus software to find them using string or signature searches (because they are different in each encryption). The virus then goes on to create a large number of copies. Examples: Elkern, Marburg, Satan Bug and Tuareg. Install a high-end antivirus, as the normal ones are incapable of detecting this type of virus.
Companion Viruses
Companion viruses can be considered as a type of file infector virus, like resident or direct action types. They are known as companion viruses because once they get into the system they 'accompany' the other files that already exist. In other words, to carry out their infection routines, companion viruses can wait in memory until a program is run (resident virus), or act immediately by making copies of themselves (direct action virus).
Hideout: These generally use the same filename and create a different extension of it. For example, if there is a file "Me.exe", the virus creates another file named "Me.com" and hides in the new file. When the system calls the filename "Me", the ".com" file gets executed (as ".com" has higher priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069. For protection, install an antivirus scanner and also a firewall.
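The hideout described above leaves a visible trace: two programs with the same base name whose extensions resolve in a fixed order. This added example (not from the text) scans a directory listing for such pairs and reports which file would run when the bare name is typed; it generalizes the .com/.exe case to the DOS-style resolution order .COM, .EXE, .BAT, and the listing is constructed for the example.

```python
import os

# Order in which a bare command name is resolved on DOS/Windows-style shells:
# .COM before .EXE (as the text notes), .BAT after both.
RESOLUTION_ORDER = [".com", ".exe", ".bat"]


def find_companions(names):
    """Given file names from one directory, return suspicious (shadowing, shadowed) pairs.

    A pair means: typing the shadowed program's bare name runs the shadowing file
    instead, which is exactly the "Me.com" beside "Me.exe" hideout. Matching is
    case-insensitive because the file system is.
    """
    by_stem = {}
    for name in names:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in RESOLUTION_ORDER:
            by_stem.setdefault(stem.lower(), {})[ext] = name
    pairs = []
    for exts in by_stem.values():
        present = [e for e in RESOLUTION_ORDER if e in exts]
        # the first present extension wins for the bare name; every later one is shadowed
        for later in present[1:]:
            pairs.append((exts[present[0]], exts[later]))
    return pairs


def scan_directory(path):
    """Run the same check over a real directory listing."""
    return find_companions(os.listdir(path))


# Constructed directory listing: Me.com shadows Me.exe; Tool.EXE likewise
# shadows tool.bat (same stem, different case); the rest are benign.
SAMPLE_LISTING = ["Me.exe", "Me.com", "setup.exe", "readme.txt", "Tool.EXE", "tool.bat"]

if __name__ == "__main__":
    for shadowing, shadowed in find_companions(SAMPLE_LISTING):
        print(f"{shadowing} runs instead of {shadowed} when the bare name is typed")
```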
FAT Virus
The file allocation table (FAT) is the part of a disk used to store all the information about the location of files, available space, unusable space, etc. A FAT virus attacks the FAT section and may damage crucial information. It can be especially dangerous as it prevents access to certain sections of the disk where important files are stored. Damage caused can result in loss of information from individual files or even entire directories.
Examples: Link Virus. Before the virus attacks all the files on the computer, locate all the files that are actually needed on the hard drive, and then delete the ones that are not needed. They may be files created by viruses.
Multipartite Virus
These viruses spread in multiple possible ways. They may vary in their action depending upon the operating system installed and the presence of certain files. In the initial phase, these viruses tend to hide in the memory as the resident viruses do; then they infect the hard disk. Examples: Invader, Flip and Tequila. You need to clean the boot sector and also the disk to get rid of the virus, and then reload all the data into it. However, ensure that the data is clean.
Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if he/she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system. Logic bombs go undetected until launched; the results can be destructive, and your entire data can be deleted!