
Cyber Security

LONG TYPE Q & A

1. Discuss security architecture.

ANSWER-

Security architecture is a unified security design that addresses the necessities and potential
risks involved in a certain scenario or environment. It also specifies when and where to apply
security controls. The design process is generally reproducible.

In security architecture, the design principles are reported clearly, and in-depth security
control specifications are generally documented in independent documents. System
architecture can be considered a design that includes a structure and addresses the connection
between the components of that structure.

2. Mention the difference between symmetric and asymmetric encryption.

ANSWER-

| Symmetric Key Encryption | Asymmetric Key Encryption |
| --- | --- |
| It only requires a single key for both encryption and decryption. | It requires two keys, a public key and a private key, one to encrypt and the other one to decrypt. |
| The size of cipher text is the same or smaller than the original plain text. | The size of cipher text is the same or larger than the original plain text. |
| The encryption process is very fast. | The encryption process is slow. |
| It is used when a large amount of data is required to transfer. | It is used to transfer small amounts of data. |
| It only provides confidentiality. | It provides confidentiality, authenticity, and non-repudiation. |
| The length of key used is 128 or 256 bits. | The length of key used is 2048 bits or higher. |
| In symmetric key encryption, resource utilization is low as compared to asymmetric key encryption. | In asymmetric key encryption, resource utilization is high. |
| It is efficient as it is used for handling a large amount of data. | It is comparatively less efficient as it can handle only a small amount of data. |
| Security is less as only one key is used for both encryption and decryption purposes. | It is more secure as two keys are used here, one for encryption and the other for decryption. |

3. Write the steps to analyze the E-mail Application’s security vulnerabilities.

ANSWER-

1. Learn to Inspect Message Headers

Your email message headers are usually hidden by default, but you can Google ways to view
the original message headers for your specific email client. For example, if you're using the
Outlook 365 email client:

- Double-click on an email to open it in a new window.
- Go to the File menu and select Properties.
- In the Properties window, you'll see a field at the bottom that contains the email header
information.
- Once you can see the headers, look for the "Received From" field that tracks the route
the message travelled across the net via servers to reach you. If you get a suspicious
email, search for the sender's IP and do a reverse lookup to trace the message back to
where it originated. You can also check whether the message fails Sender Policy Framework
(SPF) and DomainKeys Identified Mail (DKIM) checks.
- Though most mail programs have email security indications, such as a red question mark
for unauthenticated emails in Gmail, knowing how to examine email headers is a
useful skill to have.

2. Avoid Clicking on Links or Downloading Attachments

As most of us know, email security's biggest weakness often boils down to human
error. This fact is continuously hammered into our brains by security experts and tech
gurus. However, getting too curious to know what an attachment is, or being too
absentminded to notice that we've accidentally clicked on a link, are not impossible
scenarios. Even the best of us can fall prey to phishing attacks — at least, the well-
crafted ones. This is why, in addition to having spam filters and antimalware installed,
we must be careful not to open any attachments or click on links from unknown
senders (or attackers pretending to be Gary from the accounts department).

3. Update Your DMARC Records With the Domain Registrar

DMARC, aside from running checks on the messages using the SPF and DKIM
standards, is the only method that informs a receiving server of the action it should
take in the event that a message fails these tests. If you're a domain owner, besides
configuring SPF and DKIM, consider setting up DMARC records with your domain
registrar. In case you're unsure about the process, they should be able to help you
with it.

Neither SPF nor DKIM can prevent attackers from forging the "From" address that
you see displayed in your inbox. However, DMARC verifies that the "From" matches
the return-path checked by SPF and the domain name in the DKIM signature.

4. Test Your SMTP Server

To do this, try sending test emails to see how it responds to genuine and spam
messages alike, by monitoring the SPF and DMARC records. If it's possible to tweak the
SMTP configuration, change the default settings and update them with more secure
alternatives (starting with changing default admin usernames and passwords).

5. Make Use of SMTP SSL/TLS Ports

SMTPS traditionally has used port 465 as a way to secure SMTP at the transport layer
by running it over a TLS connection. When we refer to an SMTP SSL port (or, more
accurately, SMTP TLS port), that's exactly what we mean — it's a way to have a
secure exchange of messages between the email client and the email server over
SSL/TLS channels.

TLS implementation can be done using two approaches – opportunistic TLS or forced
TLS. With opportunistic (explicit) TLS, we try to shift from the use of unencrypted
SMTP to a secure TLS encrypted channel utilizing the STARTTLS SMTP command.
If the attempt fails, the transmission resumes in plain text, meaning without the use of
any encryption. However, with forced (implicit) TLS, the email client and server are
either able to negotiate an encryption version they can both support, or the
transmission stops and the email communication doesn't progress. You can make
your choice depending on whether you want maximum deliverability or maximum
privacy.

The Internet Assigned Numbers Authority (IANA) had registered port 465 for
SMTPS, though it was never published as an official SMTP channel by the Internet
Engineering Task Force (IETF). A new service had been assigned to port 465 by the
end of 1998. While 465 functioned as a secure SMTP port, port 25 continues to be
used as the default port for SMTP relaying. ISPs and hosting providers have restricted
the use of port 25 for SMTP connections (to send mail across the net), and most
modern email clients don't use this port at all. Unless you're managing a mail server
(a message transfer agent or MTA), typically, you should see no traffic over this
port.

Port 587, along with TLS encryption, should be used as the default secure SMTP port
for message submission, as recommended by the IETF in RFC 6409, which
separates message submission (port 587) from message relay (port 25). Because many
legacy systems continue using port 465 for SMTPS, you may still be able to find
support for it from your ISP or hosting provider, but it is not recommended to use this
port. Lastly, if port 587 is blocked, port 2525, though not officially recognized, is a
commonly used alternative supported by most email service providers.
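As an added example (not part of the original notes), the header checks from steps 1 and 3 above in Python: walking the Received chain oldest-first, reading the receiving server's Authentication-Results verdicts for SPF, DKIM and DMARC, and parsing a DMARC TXT record for the policy the domain owner published. The message, host names, addresses and DMARC record are constructed samples.

```python
"""Added example: inspect a message's headers the way steps 1 and 3 describe.
The message and DMARC record below are constructed; nothing here is fetched."""
import email
import re
from email.policy import default

# Constructed sample message; hosts and addresses are made up. Note that the
# visible From domain differs from the Return-Path (envelope) domain.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
\tby inbox.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.sender-example.com (mail.sender-example.com [198.51.100.9])
\tby mx1.example.net with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: inbox.example.org;
\tspf=fail smtp.mailfrom=sender-example.com;
\tdkim=none;
\tdmarc=fail header.from=accounts-example.com
From: "Gary (Accounts)" <gary@accounts-example.com>
Return-Path: <bounce@sender-example.com>
Subject: Invoice attached
"""

# Constructed DMARC record, as it would be published at _dmarc.<domain>.
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@accounts-example.com; adkim=s"


def received_chain(raw):
    """Return (from_host, by_host) hops oldest-first, i.e. the path the message
    took. Each server prepends its Received header, so the list is reversed."""
    msg = email.message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", hdr, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))


def auth_results(raw):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    msg = email.message_from_string(raw, policy=default)
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(raw, dmarc_txt):
    """Combine the checks: does the displayed From domain align with the
    envelope sender, what did the receiver conclude, and what action does the
    domain owner's DMARC policy (the p= tag) request on failure?"""
    msg = email.message_from_string(raw, policy=default)
    from_domain = msg["From"].addresses[0].domain
    envelope_domain = str(msg["Return-Path"]).strip("<>").split("@")[1]
    results = auth_results(raw)
    policy = parse_dmarc(dmarc_txt).get("p", "none")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "aligned": from_domain == envelope_domain,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "requested_action": policy,
    }


if __name__ == "__main__":
    for frm, by in received_chain(RAW_MESSAGE):
        print(f"{frm} -> {by}")
    print(assess(RAW_MESSAGE, DMARC_TXT))
```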

4. What is a response code? List them.

ANSWER- An HTTP status code is a server response to a browser's request. When you visit
a website, your browser sends a request to the site's server, and the server then responds to
the browser's request with a three-digit code: the HTTP status code.

These status codes are the Internet equivalent of a conversation between your browser and the
server. They communicate whether things between the two are A-okay, touch-and-go, or
whether something is wrong. Understanding status codes and how to use them will help you
to diagnose site errors quickly to minimize downtime on your site. You can even use some of
these status codes to help search engines and people access your site; a 301 redirect, for
example, will tell bots and people that a page has moved somewhere else permanently.

The first digit of each three-digit status code begins with one of five numbers, 1 through 5;
you may see this expressed as 1xx or 5xx to indicate status codes in that range. Each of those
ranges encompasses a different class of server response.

Common HTTP status code classes:

1xxs – Informational responses: The server is thinking through the request.

2xxs – Success! The request was successfully completed and the server gave the browser the
expected response.

3xxs – Redirection: You got redirected somewhere else. The request was received, but
there's a redirect of some kind.

4xxs – Client errors: Page not found. The site or page couldn't be reached. (The request was
made, but the page isn't valid — this is an error on the website's side of the conversation and
often appears when a page doesn't exist on the site.)

5xxs – Server errors: Failure. A valid request was made by the client but the server failed to
complete the request.

The most important status codes for SEOs

It's important for every professional SEO and website owner to understand the status codes
that have the biggest impact on SEO.

Imagine you're working on a site that's showing a lot of 5xx errors; you'll want to know off
the top of your head that this is a server issue. 4xx errors affect visitor experience, so right
away you can start thinking about any changes you may have made to your URLs, or whether
you've deleted any pages. Once you understand the cause of the issue, you can look at
implementing a custom 404 page, or look into using the all-powerful 301 redirect to send
visitors to the right place.

It's worth learning — and committing to memory — the most impactful status codes every
SEO should know:

HTTP Status Code 200 - OK


This is your ideal status code for your normal, everyday, properly functioning page. Visitors,
bots, and link equity pass through linked pages like a dream. You don't need to do anything
and you can happily go about your day secure in the knowledge that everything is just as it
should be.

HTTP Status Code 301 - Permanent Redirect


A 301 redirect should be utilized any time one URL needs to be redirected to
another permanently. A 301 redirect means that visitors and bots that land on that page will
be passed to the new URL. In addition, link equity — the power transmitted by all those
hard-earned links to your content — is also passed to the new URL through a 301 redirect.
Despite talk from Google that all 3xx redirects are treated equally, tests have shown this is
not completely true. A 301 redirect remains the preferred method of choice for permanent
page redirects.

HTTP Status Code 302 - Temporary Redirect


A 302 redirect is similar to a 301 in that visitors and bots are passed to the new page, but link
equity may not be passed along. We do not recommend using 302 redirects for permanent
changes. Using 302s will cause search engine crawlers to treat the redirect as temporary,
meaning that it may not pass along the link equity that the magical 301 does.

HTTP Status Code 404 - Not Found


This means the file or page that the browser is requesting wasn't found by the server. 404s
don't indicate whether the missing page or resource is missing permanently or only
temporarily. You can see what this looks like on your site by typing in a URL that doesn't
exist. It's like hitting a brick wall. Just as you've experienced, your visitors will hit a page
that has a 404 error and either try again (if you're lucky) or wander away to another site that
has the information they're seeking.

Every site will have some pages that return 404 status codes. These pages don't always have
to be redirected; there are other options. One common misconception is that it's an SEO best
practice to simply 301 redirect pages that return a 404 status code to the homepage of the
given domain. This is actually a bad idea in the majority of cases, because it can confuse
users who may not realize that the webpage they were trying to access doesn't exist.

If the pages returning 404 codes are high-authority pages with lots of traffic or have an
obvious URL that visitors or links are intended to reach, you should employ 301 redirects to
the most relevant page possible. For example, if your page on sugar-free cupcakes no longer
exists, you may want to redirect this URL with a 301 to your sugar-free recipe category page.

Outside of these instances, it may be necessary for a URL to return a 404 on purpose — this
will keep such pages from getting indexed and repeatedly crawled by search engines. Give your
visitors the best experience possible with a custom 404 page, as suggested by the Google
Search Console guide. For example, e-commerce sites often produce 404 pages when
products go out of stock, so these sites are great candidates for creating a custom e-commerce
404 page.

HTTP Status Code 410 - Gone


A 410 is more permanent than a 404; it means that the page is gone. The page is no longer
available from the server and no forwarding address has been set up. Any links you have on
your site that are pointing to a 410 page are sending bots and visitors to a dead resource, so if
you see them, remove any references or links to them from your content.

HTTP Status Code 500 - Internal Server Error


Instead of the problem being with pages missing or not found, this status code indicates a
problem with the server. A 500 is a classic server error and will affect access to your site.
Human visitors and bots alike will be lost, and your link equity will go nowhere fast. Search
engines prefer sites that are well maintained, so you'll want to investigate these status codes
and get them fixed as soon as you encounter them.

HTTP Status Code 503 - Service Unavailable


Another variety of the 500, a 503 response means that the server is unavailable. Everyone
(human or otherwise) is asked to come back later. This could be due to temporarily
overloading the server or maintenance of the server. A 503 status code ensures that the search
engines know to come back soon because the page or site is only going to be down for a short
time.

5. Discuss matrix mining.

ANSWER- Cyber security is concerned with protecting computer and network systems from
corruption due to malicious software, including Trojan horses and viruses. Security of our
network systems is becoming imperative as massive amounts of sensitive information are
transmitted across the network. This research paper explores data mining applications for cyber
security. It discusses various cyber-terrorism attacks committed across the network, such
as malicious intrusion, credit card fraud, identity theft, and infrastructure attacks. Data mining
techniques such as classification, anomaly detection, link analysis and so on are being applied to
detect or prevent the aforementioned cyber-terrorism or attacks. Recommendations were made
and suggestions for further study were indicated.

6. With a diagram, explain handshake protocol action. Explain SSL protocol stack.

ANSWER- The Handshake Protocol is used to establish sessions. This protocol allows the
client and server to authenticate each other by sending a series of messages to each other.
The Handshake Protocol uses four phases to complete its cycle.
- Phase-1: In Phase-1 both Client and Server send hello packets to each other. In this IP
session, the cipher suite and protocol version are exchanged for security purposes.
- Phase-2: The Server sends its certificate and Server-key-exchange. The server ends Phase-2
by sending the Server-hello-done packet.
- Phase-3: In this phase, the Client replies to the server by sending its certificate and
Client-key-exchange.
- Phase-4: In Phase-4 the Change-cipher-spec exchange occurs, and after this the Handshake
Protocol ends.

** Explain SSL protocol stack.

Secure Socket Layer (SSL) provides security to the data that is transferred between a web
browser and a server. SSL encrypts the link between a web server and a browser, which
ensures that all data passed between them remains private and free from attack.
Secure Socket Layer Protocols:
 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol
 Alert protocol

SSL Protocol Stack:

SSL Record Protocol:


The SSL Record Protocol provides two services to an SSL connection:
- Confidentiality
- Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is
compressed, and then a MAC (Message Authentication Code), generated by algorithms such as
SHA (Secure Hash Algorithm) and MD5 (Message Digest), is appended. After that the data is
encrypted, and finally the SSL header is appended to the data.
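An added example (not from the original notes) of the record pipeline just described, fragment -> compress -> MAC -> encrypt -> header, with the receiver reversing it and refusing a tampered record, the condition the Alert protocol would report as bad_record_mac. HMAC-SHA256 stands in for the MD5/SHA MAC, and an HMAC-derived keystream stands in for the record cipher: it is a constructed placeholder, not a real cipher. The keys and sample data are constructed.

```python
"""Added example: a simplified SSL record layer. The keystream "cipher" is a
constructed stand-in so the block runs with only the standard library."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14      # the record layer fragments application data at 16 KiB
APPLICATION_DATA = 23       # content-type byte for application data
VERSION = (3, 0)            # SSL 3.0 major/minor version bytes in the header
MAC_LEN = 32                # HMAC-SHA256 output length

# Constructed keys; a real session derives these during the handshake.
MAC_KEY = b"constructed-mac-key-0123456789ab"
ENC_KEY = b"constructed-enc-key-0123456789ab"

# Constructed sample: repetitive text, so compression visibly shrinks it.
SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n" * 1000


def _keystream(key, length, seq):
    # Stand-in cipher: HMAC-SHA256(key, seq || counter) blocks XORed into the body.
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac(key, seq, compressed):
    # The MAC covers the record sequence number, so replayed or reordered records fail.
    return hmac.new(key, struct.pack(">Q", seq) + compressed, hashlib.sha256).digest()


def protect(data, mac_key=MAC_KEY, enc_key=ENC_KEY, seq=0):
    """Sender side: return the list of wire records for one application message."""
    records = []
    for start in range(0, len(data), MAX_FRAGMENT):
        fragment = data[start:start + MAX_FRAGMENT]          # 1. fragment
        compressed = zlib.compress(fragment)                  # 2. compress
        body = compressed + _mac(mac_key, seq, compressed)    # 3. append MAC
        encrypted = _xor(body, _keystream(enc_key, len(body), seq))  # 4. encrypt
        header = struct.pack(">BBBH", APPLICATION_DATA, VERSION[0], VERSION[1], len(encrypted))
        records.append(header + encrypted)                    # 5. prepend SSL header
        seq += 1
    return records


def unprotect(records, mac_key=MAC_KEY, enc_key=ENC_KEY, seq=0):
    """Receiver side: reverse the pipeline; raise on a bad header or bad MAC."""
    out = []
    for rec in records:
        ctype, major, minor, length = struct.unpack(">BBBH", rec[:5])
        encrypted = rec[5:]
        if (ctype, major, minor) != (APPLICATION_DATA, *VERSION) or len(encrypted) != length:
            raise ValueError("malformed record header")
        body = _xor(encrypted, _keystream(enc_key, len(encrypted), seq))
        compressed, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(mac, _mac(mac_key, seq, compressed)):
            raise ValueError("bad_record_mac")   # integrity check failed: drop, alert
        out.append(zlib.decompress(compressed))  # only decompress after the MAC checks
        seq += 1
    return b"".join(out)


def rejects_tampering(records):
    """Flip one byte of the first record body; True if unprotect refuses it."""
    rec = bytearray(records[0])
    rec[5] ^= 0x01
    try:
        unprotect([bytes(rec)] + records[1:])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    recs = protect(SAMPLE)
    print(len(SAMPLE), "bytes ->", len(recs), "records,", sum(map(len, recs)), "bytes on the wire")
    print("round trip ok:", unprotect(recs) == SAMPLE, "| tampering rejected:", rejects_tampering(recs))
```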

7. Discuss security policy database. With a neat diagram explain IP traffic processing.

ANSWER-
Database security defines the collective measures used to protect and secure a database or
database management software from unauthorized use and malicious cyber threats and
attacks. Database security is a layer of information security. It is generally concerned with
physical protection of data, encryption of data in storage and the data remanence problem.
Data security is generally defined as the confidentiality, availability and integrity of data. In
other terms, it is all of the practices and processes that are in place to ensure that data is not
used or accessed by unauthorized individuals or parties. Data security ensures that the
data is accurate and reliable and is accessible when those with authorized access require it.
An acceptable data security plan should focus on collecting only the required data,
keeping it safe and destroying data that is no longer needed. A plan
that places priority on these three components will help a business meet the legal
obligations of possessing sensitive information.
Database security processes are aimed at securing not just the data inside the database, but the
database management system and all the applications that access it, from intrusion, misuse of
information, and damage.
An Information Technology (IT) Security Policy identifies the rules and procedures for
individuals accessing and using an organization's IT assets and resources. An effective IT
Security Policy is a model of the organization's culture, in which rules and processes are
driven by its employees' approach to their data and work.
Therefore, an effective IT security policy is a unique document for each organization, cultivated
from its people's perspectives on risk tolerance, how they view and value their data, and the
resulting availability that they support for that information. For this reason, some companies
will find a boilerplate IT security policy inappropriate because of its lack of
consideration for how the organization's people generally use and share information between
themselves and with the public.

The goal of an IT security policy is the preservation of confidentiality, integrity, and
availability of the systems and data used by an organization's members. The IT Security Policy
is a living document that is continually updated to adapt to evolving business and IT
requirements. Institutions including the International Organization for Standardization (ISO)
and the U.S. National Institute of Standards and Technology (NIST) have published
standards and best practices for security policies.
An organization's security policy will play an essential role in its decisions and direction, but
it should not change its strategy or mission. Thus, it is essential to write a policy that is
drawn from the company's existing cultural and structural framework to provide continuity
of productivity and innovation, and not a generic policy that impedes the organization
and its people from meeting its mission and objectives.

** With a neat diagram explain IP traffic processing.

Both inbound and outbound traffic passes through the IPsec module when IPsec is enabled
in the system. The SPD controls how packets are processed.
For each outgoing packet, the packet fields chosen as the selector are matched against
outbound security policy entries. For a matching SP entry that calls for security processing,
the search for the corresponding SA or SA bundle in the SAD follows. A new SA or SA
bundle is created in the SAD if no matching entries are found. Finally the packets are
processed according to the security specification given by the SA.
For each incoming packet, the presence of either the AH or the ESP header implies that the
packet requires IPsec processing. The packet destination address and the SPI in the security
protocol header identify the SA entry in the SAD. A matching SA entry must have the same
source address selector as the source address of the packet. The packet is discarded if the SPI
does not map to an existing SA in the SAD. IPsec processing is performed on the packet
according to the specification given in the matching SA. For tunneled packets, the same
process continues for each IPsec header carried in the packet until encountering an upper
layer protocol, or until reaching an IP header with a destination address not of the local node.
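An added example (not from the original notes) that models the outbound and inbound processing just described: selectors matched against ordered SPD entries, a lookup of the SA by (destination address, SPI, protocol) in the SAD, creation of the SA pair when none exists, and the two inbound discard cases (unknown SPI, source not matching the SA's selector). The policy entries, addresses and SPI values are constructed, and the tunnel-mode loop over nested IPsec headers is left out.

```python
"""Added example: a simplified IPsec module with an SPD and a SAD. Real
implementations negotiate SAs with IKE; here the SA pair is created locally."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import itertools

AH, ESP = 51, 50                        # IP protocol numbers of the two IPsec headers
DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                          # upper-layer protocol (6 = TCP, 17 = UDP)
    ipsec_proto: Optional[int] = None   # AH or ESP when the packet carries an IPsec header
    spi: Optional[int] = None           # SPI from that header


@dataclass
class SPEntry:
    """One outbound security policy: selectors plus the action to take."""
    src: str                            # source address selector (CIDR)
    dst: str                            # destination address selector (CIDR)
    proto: Optional[int]                # None matches any upper-layer protocol
    action: str
    ipsec_proto: int = ESP              # header to apply when the action is PROTECT

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto))


@dataclass
class SA:
    """One unidirectional security association held in the SAD."""
    spi: int
    dst: str                            # destination address of the packets it protects
    peer_selector: str                  # addresses the other end may send from (CIDR)
    ipsec_proto: int


class IPsecModule:
    def __init__(self, spd):
        self.spd = spd                  # ordered list of SPEntry; first match wins
        self.sad = {}                   # (dst, spi, ipsec_proto) -> SA
        self._spi = itertools.count(0x1000)  # constructed SPI allocator

    def outbound(self, pkt):
        """Match the packet's selector fields against the SPD, then find the SA."""
        for sp in self.spd:
            if not sp.matches(pkt):
                continue
            if sp.action != PROTECT:
                return sp.action, None
            return PROTECT, self._find_or_create(sp, pkt)
        return DISCARD, None            # no policy entry at all: default deny

    def _find_or_create(self, sp, pkt):
        for sa in self.sad.values():
            if sa.dst == pkt.dst and sa.ipsec_proto == sp.ipsec_proto:
                return sa
        # No SA yet: create the outbound SA and the inbound SA of the pair.
        out = SA(next(self._spi), pkt.dst, sp.dst, sp.ipsec_proto)
        inb = SA(next(self._spi), pkt.src, sp.dst, sp.ipsec_proto)
        for sa in (out, inb):
            self.sad[(sa.dst, sa.spi, sa.ipsec_proto)] = sa
        return out

    def inbound(self, pkt):
        """AH/ESP present -> look up (dst, SPI) in the SAD and check the selector."""
        if pkt.ipsec_proto not in (AH, ESP):
            return BYPASS, None         # no IPsec header: nothing to process here
        sa = self.sad.get((pkt.dst, pkt.spi, pkt.ipsec_proto))
        if sa is None:
            return DISCARD, None        # SPI does not map to an existing SA
        if ip_address(pkt.src) not in ip_network(sa.peer_selector):
            return DISCARD, None        # source does not match the SA's selector
        return PROTECT, sa


# Constructed policy: protect LAN->branch traffic, bypass other LAN traffic, drop the rest.
SPD = [
    SPEntry("10.0.0.0/24", "10.1.0.0/24", None, PROTECT),
    SPEntry("10.0.0.0/24", "0.0.0.0/0", None, BYPASS),
    SPEntry("0.0.0.0/0", "0.0.0.0/0", None, DISCARD),
]

if __name__ == "__main__":
    mod = IPsecModule(SPD)
    print(mod.outbound(Packet("10.0.0.5", "10.1.0.7", 6)))
    print(mod.inbound(Packet("10.1.0.7", "10.0.0.5", 6, ESP, 0x1001)))
```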

8. Explain the different Threats to Information System? What do you mean by
Information Assurance?

ANSWER-

Information security threats can be many, such as software attacks, theft of intellectual
property, identity theft, theft of equipment or information, sabotage, and information
extortion.
A threat can be anything that can take advantage of a vulnerability to breach security and
negatively alter, erase, or harm an object or objects of interest.
Software attacks mean attacks by viruses, worms, Trojan horses, etc. Many users believe
that malware, viruses, worms and bots are all the same thing. But they are not the same; the
only similarity is that they are all malicious software, each behaving differently.
Malware is a combination of two terms: malicious and software. So malware basically
means malicious software, which can be intrusive program code or anything that is
designed to perform malicious operations on a system. Malware can be divided into two
categories:
1. Infection Methods
2. Malware Actions
Malware on the basis of infection method is as follows:

1. Virus – Viruses have the ability to replicate themselves by hooking themselves to programs
on the host computer, such as songs, videos etc., and then they travel all over the Internet.
The Creeper Virus was first detected on ARPANET. Examples include File Virus,
Macro Virus, Boot Sector Virus, Stealth Virus etc.
2. Worms – Worms are also self-replicating in nature, but they don't hook themselves to
a program on the host computer. The biggest difference between viruses and worms is that
worms are network-aware. They can easily travel from one computer to another if a
network is available, and on the target machine they will not do much harm; they will,
for example, consume hard disk space, thus slowing down the computer.
3. Trojan – The concept of a Trojan is completely different from viruses and worms.
The name Trojan is derived from the 'Trojan Horse' tale in Greek mythology, which
explains how the Greeks were able to enter the fortified city of Troy by hiding their
soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very
fond of horses and trusted the gift blindly. In the night, the soldiers emerged and
attacked the city from the inside.
Their purpose is to conceal themselves inside software that seems legitimate, and
when that software is executed they will do their task of either stealing information or
any other purpose for which they are designed.
They often provide a backdoor gateway for malicious programs or malevolent users to
enter your system and steal your valuable data without your knowledge and permission.
Examples include FTP Trojans, Proxy Trojans, Remote Access Trojans etc.

4. Bots – Bots can be seen as an advanced form of worms. They are automated processes that
are designed to interact over the internet without the need for human interaction. They can
be good or bad. A malicious bot can infect one host and, after infecting it, will create a
connection to a central server which provides commands to all infected hosts
attached to that network, called a Botnet.

**What is Information Assurance (IA)?
Information Assurance (IA) is the practice of managing information-related risks and the
steps involved to protect information systems such as computer and network systems.

The US Government's definition of information assurance is:

"measures that protect and defend information and information systems by ensuring their
availability, integrity, authentication, confidentiality, and non-repudiation. These measures
include providing for restoration of information systems by incorporating protection,
detection, and reaction capabilities."

The 5 pillars of Information Assurance

Information Assurance (IA) is essentially protecting information systems, and is often
associated with the following five pillars:

1. Integrity
2. Availability
3. Authentication
4. Confidentiality
5. Nonrepudiation

The five pillars of information assurance can be applied in various ways, depending on the
sensitivity of your organization's information or information systems. Currently, these five
pillars are at the heart of the US Government's ability to conduct safe and secure
operations in a global environment.

9. What do you mean by packet filtering in Firewall? Explain firewall and working of
Firewall? Explain the need to Back up?

ANSWER-

Packet filtering in Firewall-

A packet filtering firewall is a network security technique that regulates data flow to and
from a network. It is a security mechanism that allows packets to move across networks while
controlling their flow through the use of a set of rules, protocols, IP addresses, and ports.

A packet filtering firewall is a network security feature that regulates the flow of incoming
and outgoing network data. Each packet containing user data and control information is
examined and tested by the firewall using a set of pre-defined rules. If the packet passes the
test, the firewall allows it to proceed to its destination. Packets that fail the test are
dropped. Firewalls inspect packets by looking at rule sets, protocols, ports, and
destination addresses.

**Explain firewall and working of Firewall?

A firewall helps protect your network from attackers. A firewall shields your network
because it acts as a 24/7 filter, scanning the data that attempts to enter your network and
preventing anything that looks suspicious from getting through.

A simple way to explain how a firewall works is to think of it as a security guard with
intimate knowledge of millions of potential criminals. If the guard sees one, he or she keeps
the criminal out of the building. Similarly, a firewall's protection comes from monitoring and
regulating traffic that goes in and out of your network. This is accomplished using a few
different methods, including packet filtering, a proxy service, and stateful inspection.

Firewalls can be either hardware or software, and they form a wall between your network and
the internet or between segments of your network and the rest of your system. Not only do
firewalls keep malicious code out of your network, but some, because they can examine data
both as it comes in and goes out, can also prevent an attacker from using your system to
spread harmful code.

Hardware Firewalls

A hardware firewall is a system that works independently from the computer it is protecting
as it filters information coming from the internet into the system. If you have a broadband
internet router, it likely has its own firewall.

To protect your system, a hardware firewall checks the data coming in from the various parts
of the internet and verifies that it is safe. Hardware firewalls that use packet filtering examine
each data packet and check where it is coming from and where it is going. The data the
firewall collects about each packet is then compared to a permissions list to see if it fits the
profile of data that should be discarded. A hardware firewall can protect all the computers
attached to it, making it an easily scalable solution.

Software Firewalls

A software firewall is a program used by a computer to inspect data that goes in and out of
the device. It can be customized by the user to meet their needs. Like hardware firewalls,
software firewalls filter data by checking to see if it—or its behavior—fits the profile of
malicious code.

Software firewalls can monitor traffic trying to leave your computer as well, preventing it
from being used to attack other networks or devices. A software firewall has to be installed
on each computer in the network. Therefore, a software firewall can only protect one
computer at a time.

Firewalls use different methods to protect your network or computer. They include the
following:
Packet Filtering

Data is organized in packets. When a firewall executes packet filtering, it examines the
packets of data, comparing it against filters, which consist of information used to identify
malicious data. If a data packet meets the parameters of a threat as defined by a filter, then it
is discarded and your network is protected. Data packets that are deemed safe are allowed to
pass through.
Proxy Service

With a proxy service, the firewall acts as a go-between positioned between your computer
and anything that tries to connect to it. A proxy firewall is like a mirror of your computer and
detects malicious actors attempting to get through to your device.

Proxy firewalls are a secure solution because of the separation they provide between your
computer and the internet. Attackers often need to connect directly to your computer to attack
it. Because a proxy is between your computer and the internet, hackers cannot form a direct
connection to it, rendering their attack useless.

However, there are applications that proxies are not capable of supporting, and if one of these
is important to your business, this could pose an issue. For example, Spotify, Google Play,
and QWebView have all been known to have issues when interfacing with a proxy. Proxies
also tend to work slower than other types of firewalls, which could reduce throughput and
impact important business processes.
Stateful Inspection

A stateful inspection firewall inspects every data packet and compares it against a threat
database. During the inspection process, the firewall checks where the data is coming from,
the ports it uses, and the applications it is associated with. If the data packet checks out, it is
allowed to pass. Otherwise, it is discarded.

Stateful inspection can also collect information about the data packets that go through it and
use that to gain more insights into data that may pose potential threats in the future.
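An added example (not from the original notes) contrasting the packet filtering and stateful inspection methods described above: a stateless rule set matched in order with a default deny, and the same rules behind a stateful layer that records outbound connections so that only their replies are admitted, while an unsolicited packet with no matching state is dropped. The rules, addresses, ports and packets are constructed.

```python
"""Added example: stateless packet filtering versus stateful inspection.
Everything here is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    syn: bool = False           # TCP SYN without ACK: a new connection attempt
    direction: str = "in"       # "in" = from the internet, "out" = from the LAN


@dataclass
class Rule:
    """One filter rule: the fields a packet filter compares against."""
    action: str                 # "allow" or "deny"
    direction: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (pkt.direction == self.direction
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


def stateless_filter(rules, pkt):
    """Packet filtering: first matching rule decides; nothing matched means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember allowed outbound connections and let
    only their replies back in without needing an explicit inbound rule."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()      # (lan_ip, lan_port, remote_ip, remote_port, proto)

    def handle(self, pkt):
        """Return (verdict, reason) for one packet, updating the state table."""
        if pkt.direction == "out":
            verdict = stateless_filter(self.rules, pkt)
            if verdict == "allow":
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict, "rule"
        # Inbound: is this the reply half of a connection the LAN opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.table:
            return "allow", "established"
        if pkt.proto == TCP and not pkt.syn:
            return "deny", "no state"   # mid-connection packet we never saw start
        return stateless_filter(self.rules, pkt), "rule"


# Constructed rule set: LAN may go out anywhere; only HTTPS may come in, to one host.
RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", dst="10.0.0.10/32", proto=TCP, dport=443),
]

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    request = Packet("10.0.0.5", "203.0.113.20", TCP, 51000, 443, syn=True, direction="out")
    reply = Packet("203.0.113.20", "10.0.0.5", TCP, 443, 51000, direction="in")
    print("stateless reply verdict:", stateless_filter(RULES, reply))
    print("stateful request:", fw.handle(request), "reply:", fw.handle(reply))
```

The stateless filter denies the reply because no inbound rule names the client's ephemeral port, which is why stateless rule sets end up opening wide port ranges; the stateful layer allows it from the recorded connection instead.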

** Explain the need to Backup?

The purpose of the backup is to create a copy of data that can be recovered in the event of a
primary data failure. Primary data failures can be the result of hardware or software failure,
data corruption, or a human-caused event, such as a malicious attack (virus or malware), or
accidental deletion of data. Backup copies allow data to be restored from an earlier point in
time to help the business recover from an unplanned event.

Storing the copy of the data on separate medium is critical to protect against primary data loss
or corruption. This additional medium can be as simple as an external drive or USB stick, or
something more substantial, such as a disk storage system, cloud storage container, or tape
drive. The alternate medium can be in the same location as the primary data or at a remote
location. The possibility of weather-related events may justify having copies of data at remote
locations.

For best results, backup copies are made on a consistent, regular basis to minimize the
amount of data lost between backups. The more time passes between backup copies, the more
potential for data loss when recovering from a backup. Retaining multiple copies of data
provides the insurance and flexibility to restore to a point in time not affected by data
corruption or malicious attacks.
