Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Subject Notes
Subject Name: Information Security
Subject Code: IT 801
Syllabus: System Security: Intruders, Intrusion Detection, Password management; Malicious Software:
Different type of malicious software, Viruses and related threats, Virus Countermeasures, Threats and
attacks on Information Security, DoS and DDos Attacks; Security controls required for Information
Security, Firewalls: Firewall design principles, Trusted Systems, Common criteria for information
technology security evaluation.
__________________________________________________________________________________________
Course Objective: The objective of this course is to familiarize the students with the fundamentals of
information security and the methods used in protecting both the information present in computer storage as
well as information traveling over computer networks.
____________________________________________________________________________________________
Course Outcome: Design operational and strategic information security strategies and policies.
Unit V:

Intruders

Intruders are attackers who attempt to breach the security of a network in order to gain unauthorized
access.

Intrusion Detection

• An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the
system or network administrator. In some cases, the IDS may also respond to anomalous or malicious
traffic, for example by blocking the user or source IP address from accessing the network.
• Intrusion detection systems can be network based (NIDS) or host based (HIDS).
• Some IDS detect by looking for specific signatures of known threats- similar to the way antivirus
software typically detects and protects against malware- while others detect by comparing traffic
patterns against a baseline and looking for anomalies.
• Some IDS simply monitor and alert, while others perform one or more actions in response to a
detected threat.
Types of IDS:

Network Intrusion Detection Systems

NIDS are placed at a strategic point or points within the network to monitor traffic to and from all devices on
the network. Ideally you would scan all inbound and outbound traffic; however, doing so might create a
bottleneck that would impair the overall speed of the network.

Host Intrusion Detection Systems

HIDS run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound
packets of that device only and alerts the user or administrator if suspicious activity is detected.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in



Signature Based

• A signature-based IDS will monitor packets on the network and compare them against a database of
signatures or attributes from known malicious threats.
• This is similar to the way most antivirus software detects malware. The issue is that there will be a lag
between a new threat being discovered in the wild and the signature for detecting that threat being
applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
Anomaly Based

• An anomaly-based IDS monitors network traffic and compares it against an established baseline.
• The baseline identifies what is “normal” for that network- what sort of bandwidth is generally used,
what protocols are used, which ports and devices generally connect to each other- and the IDS alerts
the administrator or user when traffic is detected that is anomalous, or significantly different, from the
baseline.
Passive IDS

A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert is generated
and sent to the administrator or user and it is up to them to act to block the activity or respond in some way.

Reactive IDS

• Reactive IDS will not only detect suspicious or malicious traffic and alert the administrator but will take
pre-defined proactive actions to respond to the threat.
• Typically this means blocking any further network traffic from the source IP address or user.
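To make the signature-versus-anomaly distinction concrete, here is an added Python example (not code from the notes) that runs both detection styles over a constructed connection log. The IP addresses, the signature pattern and the "mean plus three standard deviations" rate threshold are assumptions chosen for illustration; the third observed case shows the detection lag a signature engine suffers before a new signature exists.

```python
import statistics
from collections import Counter


def conn(src, proto, dport, payload=""):
    """One constructed connection record: source IP, protocol, destination port, payload excerpt."""
    return {"src": src, "proto": proto, "dport": dport, "payload": payload}


# Training window: traffic known to be normal, used only to build the anomaly baseline.
NORMAL = (
    [conn("10.0.0.5", "tcp", 443)] * 3
    + [conn("10.0.0.7", "udp", 53), conn("10.0.0.7", "tcp", 80)]
    + [conn("10.0.0.8", "tcp", 80)] * 4
    + [conn("10.0.0.6", "tcp", 443)] * 2 + [conn("10.0.0.6", "udp", 53)]
)

# Observation window: normal traffic plus the three cases the notes contrast.
OBSERVED = (
    [conn("10.0.0.5", "tcp", 443)] * 2
    # Known attack pattern on a normal service: only the signature engine sees it.
    + [conn("203.0.113.9", "tcp", 80, "GET /cgi-bin/../../etc/passwd")]
    # Unknown service and far more connections than usual: only the anomaly engine sees it.
    + [conn("10.0.0.9", "tcp", 6667)] * 6
    # Novel payload with no signature yet, on a normal service at a normal rate:
    # neither engine alerts, which is the signature lag the notes describe.
    + [conn("198.51.100.4", "tcp", 80, "GET /?q=NOT_YET_IN_SIGNATURE_DB")]
)

# Signature database (constructed): alert name -> pattern every instance of the attack contains.
SIGNATURES = {"SIG-001 directory traversal in HTTP path": "/../"}


def signature_alerts(connections, signatures=SIGNATURES):
    """Signature-based IDS: alert when a payload contains any known-bad pattern."""
    return [(c["src"], name) for c in connections
            for name, pattern in signatures.items() if pattern in c["payload"]]


def build_baseline(normal_connections):
    """Learn 'normal': the set of services in use and the usual per-host connection count."""
    services = {(c["proto"], c["dport"]) for c in normal_connections}
    counts = list(Counter(c["src"] for c in normal_connections).values())
    # Mean plus three standard deviations is a simple, common rate threshold.
    rate_limit = statistics.mean(counts) + 3 * statistics.pstdev(counts)
    return {"services": services, "rate_limit": rate_limit}


def anomaly_alerts(connections, baseline):
    """Anomaly-based IDS: alert on deviation from the baseline, not on known patterns."""
    alerts = {}  # dict used as an ordered set so repeated findings are reported once
    for c in connections:
        if (c["proto"], c["dport"]) not in baseline["services"]:
            alerts[(c["src"], f"unknown service {c['proto']}/{c['dport']}")] = True
    for src, n in Counter(c["src"] for c in connections).items():
        if n > baseline["rate_limit"]:
            alerts[(src, f"{n} connections exceeds baseline {baseline['rate_limit']:.1f}")] = True
    return list(alerts)


def run_ids(observed=OBSERVED, normal=NORMAL):
    """Run both engines over the observation window and return their alerts."""
    baseline = build_baseline(normal)
    return {"signature": signature_alerts(observed),
            "anomaly": anomaly_alerts(observed, baseline)}


if __name__ == "__main__":
    for engine, alerts in run_ids().items():
        print(engine, alerts)
```
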
Password management

Password management in network security is one of the most important aspects of overall cybersecurity
for any business. Passwords are among the longest established and most ubiquitous cybersecurity
measures available.
In order to prevent unauthorized access and breaches of information, password management involves
creating, storing, managing, and organizing passwords.
Password managers are software applications that allow users to store and manage their online
credentials. The stored passwords are kept in an encrypted database that is unlocked with a single master
password.
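The storage side of password management, as an added Python example that is not from the notes: passwords are never stored, only a salted PBKDF2 hash that is recomputed and compared in constant time at login. The iteration count, salt size and the record format are assumptions for illustration; the same key-derivation step is what a password manager performs on the master password to obtain the key for its encrypted database.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions for illustration; production code should
# follow current published recommendations and use a maintained password-hashing library.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per password means two users with the same password get
    different records, so precomputed (rainbow) tables are useless against the store.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Used when a username does not exist, so response time does not reveal valid usernames.
DUMMY_RECORD = hash_password("dummy-password-for-timing")


def register(store, username, password):
    """Store only the salted hash; the plaintext password is never written anywhere."""
    store[username] = hash_password(password)


def login(store, username, password):
    """Authenticate against the store; unknown users cost the same time as wrong passwords."""
    record = store.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])
    print(login(users, "alice", "correct horse battery staple"), login(users, "alice", "wrong"))
```
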
Malicious Software

Malicious software (malware) is any program that causes harm to a computer system or network. Malware
attacks a computer or network in the form of viruses, worms, trojans, spyware, adware or rootkits.




Figure 5.1: Malicious Software

Type of malicious software

Computer Virus
A computer virus is malicious software that self-replicates and attaches itself to other files or programs. It
executes secretly when the host program or file is activated. The different types of computer virus are
memory-resident virus, program file virus, boot sector virus, stealth virus, macro virus, and email virus.
Worms
A worm, like a computer virus, is a self-replicating program; unlike a virus, however, a worm executes
itself automatically. Worms spread over a network and are capable of launching a large-scale, destructive
attack within a short period.
Trojan Horses
Unlike a computer virus or a worm, a trojan horse is a non-replicating program that appears legitimate.
After gaining the user's trust, it secretly performs malicious and illicit activities when executed. Hackers
use trojan horses to steal a user's password information or to destroy data or programs on the hard disk.
Trojans are hard to detect.
Spyware/Adware
Spyware secretly records information about a user and forwards it to third parties. The information
gathered may cover files accessed on the computer, a user's online activities or even the user's keystrokes.
Adware, as the name implies, displays advertising banners while a program is running. Adware can also
work like spyware: it can be deployed to gather confidential information, that is, to spy on and collect
information from a victim's computer.
Rootkit
A rootkit is malicious software that alters the regular functionality of an OS on a computer in a stealthy
manner. The alteration lets the hacker take full control of the system and act as the system administrator
on the victim's system. Almost all rootkits are designed to hide their existence.




Viruses and related threats

A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a
copy of the virus program, which can then go on to infect other programs.
A virus can do anything that other programs do. The only difference is that it attaches itself to
another program and executes secretly when the host program is run. Once a virus is executing, it can
perform any function, such as erasing files and programs.

Malware in general can be classified in two ways:
• by infection method (how it spreads)
• by malware action (what it does once it runs)
Virus Countermeasures

The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first
place, or block the ability of a virus to modify any files containing executable code or macros.
This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral
attacks. The next best approach is to be able to do the following:

• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.

• Identification: Once detection has been achieved, identify the specific virus that has infected a program.

• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected
program and restore it to its original state. Remove the virus from all infected systems so that it cannot
spread further.

If detection succeeds but either identification or removal is not possible, then the alternative is to discard the
infected file and reload a clean backup version.
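The detection, identification and removal steps above, with the backup fallback, as an added Python model that is not from the notes. Programs, the "virus" markers and the hashes are all constructed byte strings (no real malware): an integrity database detects modification, a signature database identifies the virus, and a removal routine that only understands appender viruses is verified against the clean hash before its result is trusted.

```python
import hashlib

# Constructed model (not from the notes): a "program" is a byte string. An infected
# program here is the clean program with a virus body appended (an appender virus)
# or prepended (a prepender virus). No real malware is involved.
CLEAN_PROGRAMS = {
    "calc.bin": b"CALC-PROGRAM-CODE-v1",
    "edit.bin": b"EDITOR-PROGRAM-CODE-v3",
    "game.bin": b"GAME-PROGRAM-CODE-v2",
    "note.bin": b"NOTES-PROGRAM-CODE-v7",
}
# Integrity database recorded while the programs were known to be clean.
CLEAN_HASHES = {name: hashlib.sha256(code).hexdigest() for name, code in CLEAN_PROGRAMS.items()}
# Clean backup copies, the fallback when removal is not possible.
BACKUP = dict(CLEAN_PROGRAMS)

# Signature database: virus name -> byte pattern every copy of that virus contains.
SIGNATURES = {
    "DemoAppender.A": b"<<DEMO-VIRUS-A>>",
    "DemoPrepender.C": b"<<DEMO-VIRUS-C>>",
}

# Files as found on the (constructed) infected system.
FILES = {
    "calc.bin": CLEAN_PROGRAMS["calc.bin"] + b"<<DEMO-VIRUS-A>>" + b"appended virus body",
    "edit.bin": CLEAN_PROGRAMS["edit.bin"] + b"<<NEW-VIRUS>>" + b"no signature exists yet",
    "game.bin": CLEAN_PROGRAMS["game.bin"],
    "note.bin": b"<<DEMO-VIRUS-C>>" + b"prepended body" + CLEAN_PROGRAMS["note.bin"],
}


def detect(name, content):
    """Detection: the program no longer matches its known-clean hash."""
    return hashlib.sha256(content).hexdigest() != CLEAN_HASHES[name]


def identify(content):
    """Identification: which known virus signature the program contains, if any."""
    for virus, signature in SIGNATURES.items():
        if signature in content:
            return virus
    return None


def remove(content, virus):
    """Removal routine that only knows appender viruses: cut the file where the virus body starts."""
    return content[: content.index(SIGNATURES[virus])]


def disinfect(name, content):
    """Detect -> identify -> remove -> verify; otherwise discard and reload the clean backup."""
    if not detect(name, content):
        return "clean", content
    virus = identify(content)
    if virus is not None:
        restored = remove(content, virus)
        # Removal is only trusted if the result matches the known-clean hash.
        if hashlib.sha256(restored).hexdigest() == CLEAN_HASHES[name]:
            return f"removed {virus}", restored
    # Detected but not identified, or removal did not restore the original.
    return "restored from backup", BACKUP[name]


def scan_all(files=FILES):
    """Return the outcome for every file on the system."""
    return {name: disinfect(name, content)[0] for name, content in files.items()}


if __name__ == "__main__":
    for name, outcome in scan_all().items():
        print(name, "->", outcome)
```
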

Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code
fragments and could be identified and purged with relatively simple antivirus software packages. As the virus
arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and
sophisticated.

Threats and attacks on Information Security




Information security threats are many: software attacks, theft of intellectual property, identity theft,
theft of equipment or information, sabotage, and information extortion.
A threat is anything that can take advantage of a vulnerability to breach security and negatively alter,
erase, or harm the object or objects of interest.
Software attacks are attacks by viruses, worms, Trojan horses and so on. Many users believe that malware,
viruses, worms and bots are all the same thing. They are not: their only similarity is that they are all
malicious software, and each behaves differently.
Malware is a combination of two terms, malicious and software. Malware therefore means malicious
software: intrusive program code or anything else designed to perform malicious operations on a system.

Common Types of Cybersecurity Attacks

• Malware. The term “malware” encompasses various types of attacks including spyware, viruses, and
worms.
• Phishing.
• Man-in-the-Middle (MitM) Attacks.
• Denial-of-Service (DoS) Attack.
• SQL Injections.
• Zero-day Exploit.
• Password Attack.
• Cross-site Scripting.
DoS and DDos Attacks

A DoS attack is a denial-of-service attack in which a computer is used to flood a server with TCP and UDP
packets. A DDoS attack is one in which multiple systems target a single system with a DoS attack. The
targeted network is then bombarded with packets from multiple locations.

During this type of attack, the service is put out of action because the packets sent over the network
overload the server's capacity and make the server unavailable to other devices and users throughout the
network. DoS attacks are used to shut down individual machines and networks so that they cannot be used
by other users.
There are a number of different ways that DoS attacks can be carried out. These include the following:
• Buffer overflow attacks – This type of attack is the most common DoS attack experienced. Under this
attack, the attacker overloads a network address with traffic so that it is put out of use.
• Ping of Death or ICMP flood – An ICMP flood attack takes unconfigured or misconfigured network
devices and uses them to send spoofed packets to ping every computer within the target network.
This is also known as a ping of death (POD) attack.
• SYN flood – SYN flood attacks send requests to connect to a server but never complete the handshake.
The end result is that the network becomes inundated with connection requests that prevent anyone
from connecting to the network.


• Teardrop Attack – During a teardrop DoS attack, an attacker sends IP packet fragments to a
network. The network then attempts to reassemble these fragments into their original packets. The
process of reassembling these fragments exhausts the system and it ends up crashing, because the
fragment fields are crafted to confuse the system so that it cannot put them back together.
The ease with which DoS attacks can be coordinated has made them one of the most pervasive
cybersecurity threats that modern organizations have to face. DoS attacks are simple but effective and
can bring about devastating damage to the companies or individuals they are aimed at. With one attack,
an organization can be put out of action for days or even weeks.
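How a defender recognises the SYN flood described above, as an added Python example that is not from the notes: the server-side detector tracks each client's handshake and counts connections that were opened with a SYN but never completed with the final ACK. The packet trace, the addresses and the two thresholds are constructed assumptions; the second run shows why a per-source count alone misses a flood spread over many source addresses, which is the DDoS case.

```python
from collections import defaultdict


def syn_flood_report(packets, per_source_limit=10, backlog_limit=50):
    """Track half-open TCP connections from client-side packets seen at a server.

    packets: iterable of (src_ip, src_port, flags). A SYN opens a half-open
    entry for that (src_ip, src_port); the client's final handshake ACK (or a
    RST) closes it. Entries that never close are what exhaust a server's
    connection backlog. Timeouts are omitted for brevity.
    """
    half_open = defaultdict(set)
    completed = defaultdict(int)
    for src, sport, flags in packets:
        if flags == "SYN":
            half_open[src].add(sport)
        elif flags in ("ACK", "RST") and sport in half_open[src]:
            half_open[src].discard(sport)
            if flags == "ACK":
                completed[src] += 1
    suspects = {src: len(ports) for src, ports in half_open.items()
                if len(ports) > per_source_limit}
    backlog = sum(len(ports) for ports in half_open.values())
    return {
        "suspects": suspects,                 # sources with too many half-open connections
        "completed": dict(completed),         # sources that behaved like real clients
        "backlog": backlog,                   # total half-open connections right now
        "backlog_exhausted": backlog > backlog_limit,
    }


def constructed_trace(flood_syns=60, spoofed_sources=0):
    """Build a constructed packet trace: one honest client, one flooding source and,
    optionally, a flood spread over many source addresses (3 SYNs each)."""
    trace = []
    for port in range(40000, 40005):          # honest client completes every handshake
        trace.append(("10.0.0.5", port, "SYN"))
        trace.append(("10.0.0.5", port, "ACK"))
    for port in range(50000, 50000 + flood_syns):   # single source that never sends ACK
        trace.append(("203.0.113.7", port, "SYN"))
    for i in range(spoofed_sources):          # many sources, each under the per-source limit
        for port in range(1000, 1003):
            trace.append((f"198.51.100.{i % 250 + 1}", port, "SYN"))
    return trace


if __name__ == "__main__":
    print(syn_flood_report(constructed_trace()))
    # Distributed case: no single source is suspicious, yet the backlog is exhausted.
    print(syn_flood_report(constructed_trace(flood_syns=0, spoofed_sources=30)))
```
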
Security controls required for Information Security

There are three main types of IT security controls: technical, administrative, and physical. The primary
goal for implementing a security control can be preventative, detective, corrective, or compensatory, or
the control can act as a deterrent. Controls are also used to protect people, as is the case with social
engineering awareness training or policies.
Information security controls are measures taken to reduce information security risks such as information
systems breaches, data theft, and unauthorized changes to digital information or systems. These security
controls are intended to help protect the availability, confidentiality, and integrity of data and networks, and
are typically implemented after an information security risk assessment.
Types of information security controls include security policies, procedures, plans, devices and software
intended to strengthen cybersecurity. There are three categories of information security controls:
• Preventive security controls, designed to prevent cyber security incidents
• Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or successful
breach (“incident”) while it is in progress, and alerting cyber security personnel
• Corrective security controls, used after a cyber security incident to help minimize data loss and damage
to the system or network, and restore critical business systems and processes as quickly as possible
(“resilience”)
Security controls come in the form of:
• Access controls, including restrictions on physical access such as security guards at building entrances,
locks, and perimeter fences
• Procedural controls such as security awareness education, security framework compliance training,
and incident response plans and procedures
• Technical controls such as multi-factor user authentication at login, logical access controls, antivirus
software, and firewalls
• Compliance controls such as privacy laws and cyber security frameworks and standards.

Firewall design principles

• A firewall is hardware or software that protects a private computer or a network of computers: it
acts as a filter that prevents unauthorized users from accessing private computers and networks. It is a
vital component of network security and the first line of defense for a network. It filters network
packets and stops malware from entering the user's computer or network by blocking access and
preventing the user from being infected.
• A firewall is a hardware or software system that prevents unauthorized access to or from a network.
• It can be implemented in hardware, in software, or in a combination of both.
• Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks
connected to the Internet.
• All data entering or leaving the intranet pass through the firewall, which examines each packet and
blocks those that do not meet the specified security criteria.
• Generally, firewalls are configured to protect against unauthenticated interactive logins from the
outside world.
• This helps prevent hackers from logging into machines on your network. More sophisticated firewalls
block traffic from the outside to the inside, but permit users on the inside to communicate a little more
freely with the outside.
• Firewalls are essential since they provide a single block point, where security and auditing can be
imposed.
• Firewalls provide an important logging and auditing function; often, they provide summaries to the
administrator about what type/volume of traffic has been processed through it.
Firewall Policy
• A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and
address ranges, protocols, applications, and content types (e.g., active content) based on the
organization’s information security policies.
• Before a firewall policy is created, some form of risk analysis should be performed to develop a list of
the types of traffic needed by the organization and categorize how they must be secured—including
which types of traffic can traverse a firewall under what circumstances.
• This risk analysis should be based on an evaluation of threats; vulnerabilities; countermeasures in place
to mitigate vulnerabilities; and the impact if systems or data are compromised.
• Firewall policy should be documented in the system security plan and maintained and updated
frequently as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding
network applications change.
Access Control
An access control list can be used for many different purposes (such as filtering traffic on an interface, in a
distribute list to filter routing updates, in a dialer list to identify interesting traffic, or in Policy Based
Routing to make a routing decision, among others). I believe that your question relates to the function of
filtering traffic on an interface. An access control list is an implementation of a type of logic that can
selectively permit or deny certain packets to go through an interface.
Types of firewalls:
The National Institute of Standards and Technology (NIST) divides firewalls into three basic types:
• Packet filters
• Stateful inspection
• Proxies


These three categories, however, are not mutually exclusive, as most modern firewalls have a mix of
abilities that may place them in more than one of the three.

• One way to compare firewalls is to look at the Transmission Control Protocol/Internet Protocol (TCP/IP)
layers that each can examine.
• TCP/IP communications are composed of four layers; they work together to transfer data between
hosts.
• When data transfers across networks, it travels from the highest layer through intermediate layers to
the lowest layer; each layer adds more information.
• Then the lowest layer sends the accumulated data through the physical network; the data next moves
upward, through the layers, to its destination.
• Simply put, the data a layer produces are encapsulated in a larger container by the layer below it.
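The packet filter, access control list and stateful inspection ideas from the sections above, as an added Python model that is not from the notes or from any firewall product. The private address range, the rule set and the sample packets are constructed assumptions; the policy encodes the design goal stated earlier (block unauthenticated interactive logins from outside, let inside users reach outside services), and running the same packets through a stateless instance shows why a reply to an inside client's connection needs state to be admitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Assumed private network behind the firewall (constructed for the example).
INSIDE = ip_network("10.0.0.0/8")

# Policy as an ordered access control list: (action, direction, proto, dst_port).
# dst_port None matches any port. First matching rule wins; no match means deny.
RULES = [
    ("permit", "out", "tcp", 80),    # inside users may browse the web
    ("permit", "out", "tcp", 443),
    ("permit", "out", "udp", 53),    # and resolve names
    ("deny",   "in",  "tcp", 22),    # no interactive logins from the outside world
    ("permit", "in",  "tcp", 443),   # the public web server is reachable
]


class Firewall:
    def __init__(self, rules=RULES, stateful=True):
        self.rules = rules
        self.stateful = stateful
        self.connections = set()   # 5-tuples of flows a permit rule has admitted
        self.log = []              # audit trail: (verdict, packet)

    @staticmethod
    def direction(pkt):
        return "out" if ip_address(pkt.src) in INSIDE else "in"

    def filter(self, pkt):
        verdict = self._decide(pkt)
        self.log.append((verdict, pkt))
        return verdict

    def _decide(self, pkt):
        # Stateful inspection: a reply belonging to an admitted flow is allowed even
        # though no rule permits inbound traffic to a client's ephemeral port.
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if self.stateful and reverse in self.connections:
            return "permit (established)"
        # Packet filter: evaluate the ACL top down, implicit deny at the end.
        d = self.direction(pkt)
        for action, direction, proto, dport in self.rules:
            if direction == d and proto == pkt.proto and dport in (None, pkt.dport):
                if action == "permit":
                    self.connections.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return action
        return "deny (implicit)"


def demo(stateful=True):
    """Run the same constructed packets through a stateful or a stateless firewall."""
    fw = Firewall(stateful=stateful)
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000)
    return {
        "outbound https": fw.filter(request),
        "reply to it": fw.filter(reply),
        "inbound ssh": fw.filter(Packet("198.51.100.4", "10.0.0.20", "tcp", 4444, 22)),
        "inbound https": fw.filter(Packet("198.51.100.4", "10.0.0.20", "tcp", 4444, 443)),
        "inbound telnet": fw.filter(Packet("198.51.100.4", "10.0.0.20", "tcp", 4444, 23)),
        "outbound irc": fw.filter(Packet("10.0.0.5", "203.0.113.10", "tcp", 51001, 6667)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```
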
Firewall implementation
The firewall remains a vital component in any network security architecture, and today's organizations have
several types to choose from. It is essential that IT professionals identify the type of firewall that best suits
the organization's network security needs.
• Once selected, one of the key questions that shapes a protection strategy is "Where should the firewall
be placed?" There are three common firewall topologies: the bastion host, screened subnet and dual-
firewall architectures. Enterprise security depends on choosing the right firewall topology.
• The next decision to be made, after the topology is chosen, is where to place individual firewall systems
in it. At this point, there are several types to consider, such as bastion host, screened subnet and multi-
homed firewalls.
• Remember that firewall configurations change quickly and often, so it is difficult to keep on top of
routine firewall maintenance tasks. Firewall activity, therefore, must be continuously audited to help
keep the network secure from ever-evolving threats.

Characteristics of Firewall
Physical Barrier: A firewall does not allow any external traffic to enter a system or a network without its
permission. A firewall creates a choke point for all the external data trying to enter the system or
network and hence can easily block the access if needed.
Multi-Purpose: A firewall has many functions other than security. It configures domain names and
Internet Protocol (IP) addresses. It also acts as a network address translator. It can act as a meter for
internet usage.
Flexible Security Policies: Different local systems or networks need different security policies. A firewall
can be modified according to the requirements of the user by changing its security policies.
Security Platform: It provides a platform from which any alert about a security issue, or the fixing of such
issues, can be accessed. All the queries related to security can be kept under check from one place in a
system or network.


Access Handler: Determines which traffic needs to flow first according to priority, which can differ for a
particular network or system. Specific action requests may be initiated and allowed to flow through the
firewall.

Trusted Systems

Trusted systems in web application security come in many forms. Most vulnerabilities start on the web
application side, so as developers we need to follow certain principles, test our code and learn as much as
possible about the subject, as a foundation of web application security, in order to know how to prevent
the most significant threats.

Web application security is defined as the methods, principles and implementation used to prevent and
identify security threats. Security can be understood as an effective measure against threats. A threat is
considered a malicious danger that can exploit vulnerabilities against our resources. In web applications
this security weakness is the result of poor coding, mistakes in development and bad design techniques.
In order to code our applications in a hack-resilient way, consider the following:

• Have organizational management.
• Use testing tools.
• Follow methodologies for development.
• Use standards and policies.

Common criteria for information technology security evaluation.

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)
is an international standard for computer security certification. Common Criteria is a framework in which
computer system users can specify their security functional requirements (SFRs) and security assurance
requirements (SARs) using Protection Profiles (PPs). Technology vendors can then implement and/or make
claims about the security attributes of their products, and hire testing laboratories to evaluate their products
to determine if they meet these claims.

Security architecture is a unified security design that addresses the necessities and potential risks involved in a
certain scenario or environment. It also specifies when and where to apply security controls. The design
process is generally reproducible.
In security architecture, the design principles are reported clearly, and in-depth security control specifications
are generally documented in independent documents. System architecture can be considered a design that
includes a structure and addresses the connection between the components of that structure.
The key attributes of security architecture are as follows:

• Relationships and Dependencies: Signifies the relationship between the various components inside IT
architecture and the way in which they depend on each other.


• Benefits: The main advantage of security architecture is its standardization, which makes it affordable.
Security architecture is cost-effective due to the re-use of controls described in the architecture.
• Form: Security architecture is associated with IT architecture; however, it may take a variety of forms.
It generally includes a catalog of conventional controls in addition to relationship diagrams, principles,
and so on.
• Drivers: Security controls are determined based on four factors:
  • Risk management
  • Benchmarking and good practice
  • Financial
  • Legal and regulatory
