
Student Handbook Security Analyst SSC/N0901

Security concerning IT and information is normally divided into three categories to facilitate the
management of information:

Confidentiality: prevention of unauthorized disclosure or use of information assets.
Integrity: prevention of unauthorized modification of information assets.
Availability: ensuring authorized access to information assets when required, for the duration required.

Threats to information assets


Risk is the potential for a threat to cause harm; the process of understanding and responding to factors
that may lead to a failure in the confidentiality, integrity or availability of an information system
constitutes risk management. The key concerns in information asset security are:

theft
fraud/ forgery
unauthorized information access
interception or modification of data and data management systems

The above concerns materialise in the event of a breach caused by exploitation of a vulnerability.

Vulnerabilities
Vulnerability - a weakness in an information system, system security procedures, internal controls,
or implementation that could be exploited or triggered by a threat source.
Threat agent or actor - the intent and method targeted at the intentional exploitation of the
vulnerability, or a situation and method that may accidentally trigger the vulnerability.
Threat vector - the path or means a threat actor uses to attack the target.
Threat targets - assets of value to the threat actor, such as a computer or phone, an online bank
account or an identity.


Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:
Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of Service (D.o.S.)
Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:

Non-target specific: non-target specific threat agents are computer viruses, worms, Trojans and
logic bombs.
Employees: staff, contractors, operational/ maintenance personnel or security guards who are
disgruntled with the company.
Organized crime and criminals: criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money.
Criminals will often make use of insiders to help them.
Corporations: corporations engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
Unintentional human error: accidents, carelessness etc.
Intentional human error: insider, outsider etc.
Natural: flood, fire, lightning, meteor, earthquakes etc.

Types of attacks
Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
so that the targeted areas become "infected". A virus is installed without the user's consent and
spreads in the form of executable code transferred from one host to another. Types of viruses
include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus
(file-infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
Worm
A worm is a category of malicious program that exploits operating system or service vulnerabilities
to spread itself. In design a worm is quite similar to a virus and is sometimes considered a sub-class
of it. Unlike a virus, however, a worm can reproduce and spread by itself, without attaching itself to
any existing program or executable. Based on their method of spread, worms are classified as email
worms, internet worms, network worms and multi-vector worms.
Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to their
similar strategy of operation. A Trojan is a type of malware that masquerades as a non-malicious,
even useful, application but actually does damage to the host computer after its installation.
Unlike a virus, a Trojan does not self-replicate; it relies on the end user to install it.

Types of Virus
Depending on the virus "residence", we can classify viruses in the following way:
Resident virus - a virus that embeds itself in the memory of the target host. In this way it becomes
activated every time the OS starts or executes a specific action.
Non-resident virus - when executed, this type of virus actively seeks targets for infection on local,
removable or network locations. After infecting them it exits, so it does not remain resident in
memory.
Boot sector virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened and
its macros are allowed to run; historically macro execution was automatic, which is why current
Office versions block macros from untrusted documents by default.
Another classification of viruses results from their characteristics:
File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The entry point of the file is
changed to the start of the virus code to ensure that it runs when the file is executed. Afterwards
control may or may not be passed on to the original program. Depending on the infection routine,
the host file may become corrupted and completely non-functional. More sophisticated viral forms
let the host program run normally while trying to hide their presence completely (see polymorphic
and metamorphic viruses).
Polymorphic virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Metamorphic virus - this virus is capable of rewriting its own code with each infection. The
rewriting process makes each infection look different, but the functionality of the code remains
the same. The metamorphic nature of this virus type can even make it possible to infect
executables for two or more different operating systems or different computer architectures.
Metamorphic viruses are among the most complex to build and very difficult to detect, because
there is no fixed byte sequence, not even a decryptor, for a signature to match.
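As an added illustration (not part of the handbook), the following Python script shows why a plain byte signature fails against a polymorphic virus and what antivirus engines do about it; it also makes concrete the difference from the metamorphic case described above. The virus body, the decoder stub marker and the signature names are all constructed for the demonstration; a real polymorphic engine emits a short machine-code decryption loop instead of the marker.

```python
import hashlib

# Constructed stand-in for a virus body: in a real sample this would be machine
# code; here it is just bytes the scanner has a signature for.
PAYLOAD = b"DEMO-VIRUS-BODY: find *.exe, append self, patch entry point, phone home"

# A byte signature is a short, distinctive slice of the body.
BODY_SIGS = {"Demo.Payload": PAYLOAD[:16]}

# The polymorphic engine's decoder stub: a fixed marker (constructed, stands in
# for the XOR loop a real engine emits) followed by the one-byte key.
STUB_MARKER = b"\x90XORDEC"
STUB_SIGS = {"Demo.Polymorphic.Stub": STUB_MARKER}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_generation(payload: bytes, key: int) -> bytes:
    """Emit one generation: decoder stub + key byte + XOR-encrypted body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte, otherwise the body stays in clear")
    return STUB_MARKER + bytes([key]) + xor_bytes(payload, key)


def signature_scan(sample: bytes, sigs: dict) -> list:
    """Plain signature matching: names of every signature found in the sample."""
    return sorted(name for name, sig in sigs.items() if sig in sample)


def emulate_decoder(sample: bytes) -> bytes:
    """If the sample starts with the known stub, run the decoder the way an AV
    emulator would and return the decrypted body; otherwise return the sample."""
    if sample.startswith(STUB_MARKER) and len(sample) > len(STUB_MARKER):
        key = sample[len(STUB_MARKER)]
        return xor_bytes(sample[len(STUB_MARKER) + 1:], key)
    return sample


def scan_with_emulation(sample: bytes, sigs: dict) -> list:
    """Scan the decrypted body instead of the on-disk bytes."""
    return signature_scan(emulate_decoder(sample), sigs)


def fingerprint(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()[:16]


if __name__ == "__main__":
    gen_a = make_generation(PAYLOAD, 0x5A)
    gen_b = make_generation(PAYLOAD, 0xC3)
    print("generations differ:", fingerprint(gen_a) != fingerprint(gen_b))   # True
    print("body signature on gen A:", signature_scan(gen_a, BODY_SIGS))       # []
    print("stub signature on gen A:", signature_scan(gen_a, STUB_SIGS))       # ['Demo.Polymorphic.Stub']
    print("after emulation on gen A:", scan_with_emulation(gen_a, BODY_SIGS)) # ['Demo.Payload']
```

Each generation is the same body XOR-encoded with a fresh key, so a signature taken from the body never matches on disk, while a signature on the fixed decoder stub, or a scan run after emulating the decoder, still catches it. A metamorphic virus is harder precisely because it rewrites the decoder too, leaving neither signature point.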
Stealth virus - memory resident virus that utilises various mechanisms to avoid detection. This
avoidance can be achieved for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
in order to provide it to the antivirus engine for scan while the infected version still remains
undetected. Furthermore, the stealth viruses are actively working to conceal any traces of their
activities and changes made to files.
Armored virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Multipartite virus - this attempts to attack both executable files and the master boot record of
the drive at the same time. This type may be tricky to remove: even when the executable files are
clean it can re-infect the system all over again from the boot sector if that was not cleaned as well.
Camouflage virus - this virus type is able to report itself as a harmless program to the antivirus
software. Where the virus has code similar to that of legitimate non-infected files, the antivirus
application is tricked into treating it as the legitimate program as well. This works only against
basic signature-based antivirus software. Nowadays antivirus solutions have become more
elaborate, and camouflage viruses are quite rare and not a serious threat owing to the ease of
their detection.
Companion virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there for
a variety of reasons, such as section alignment padding). In this way the length of the program
code is not changed and the virus can more easily avoid detection. In most cases the injection does
not impact the functionality of the host file at all. Cavity viruses are quite rare though.


us virus that takes over a system until money is paid as ransom which has been detected by cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family, say experts, is notorious for infecting computers of gamers. The malicious program is now targeting online consumers and businesses via email attachments which block access to a computer system until a sum of money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast Asian countries. It then occurred in Indian cities including Delhi and Mumbai. Two businessmen from Agra were targeted this year, from whom the extortionist demanded more than $10,000. In the last six months, two cases were reported in Agra, where the malware locked down its victims' most important files and kept them hostage in exchange for a ransom to unlock them.

Source: News Articles

Types of Worms
The most common categorization of worms relies on the method how they spread:
Email worms: spread through email messages, especially through those with attachments.
Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: having two or more various spread capabilities.

Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan War,
in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged
the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the
city gates, allowing their army to capture Troy. A computer Trojan horse works in a very similar way:
it is a type of malware that masquerades as a non-malicious, even useful, application but actually does
damage to the host computer after its installation.
Trojans do not self-replicate, which is their key difference from a virus, and usually require end user
intervention to install. In most scenarios the user is tricked into believing that the program being
installed is a legitimate one (this is very often connected with social engineering attacks on end users).
Another common method is for the Trojan to be spammed as an email attachment or a link in an email.
A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can
also be spread by means of drive-by downloads, or downloaded and dropped by other Trojans or by
legitimate programs that have been compromised.
The results of Trojan activity vary greatly, from low-impact ones that only change the wallpaper or
desktop icons, through Trojans that open backdoors on the computer and allow other threats to infect
the host or give an attacker remote access to the targeted system, to Trojans that cause serious damage
on the host by deleting files or destroying the data on the system in various ways (such as formatting
the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their presence on
the computer.
Trojan classification can be based on the function performed and the way they breach the system.
An important thing to keep in mind is that many Trojans have multiple payload functions, so any such
classification provides only a general overview and not a strict boundary. Some of the most common
Trojan types are:
Remote Access Trojan (RAT) aka Backdoor.Trojan - this type of Trojan opens a backdoor on the
targeted system to allow the attacker remote access to the system or even complete control over it.
This is the most widespread type of Trojan and often has various other functions as well. It may be
used as an entry point for a DoS attack or for letting worms or other Trojans onto the system. A
computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or
a "bot", and a network of such bots as a "botnet". Backdoor Trojans are generally created by malware
authors who are organized and aim to make money out of their efforts. These Trojans can be highly
sophisticated and can require more work to implement than some of the simpler malware seen on
the Internet.
Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can be used as attackers in a DDoS attack on a
particular target.
Trojan-Proxy -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Trojan-FTP - this Trojan is designed to open FTP ports on the targeted machine to allow a remote
attacker access to the host. Furthermore, the attacker can access network shares or connections
to further spread other threats.
Destructive Trojan - this is designed to destroy or delete data. It is much like a virus.
Security Software Disabler Trojan - this is designed to stop security programs such as antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This Trojan
functionality is often combined with a destructive Trojan that executes data deletion or corruption
only after the security software is disabled. Security Software Disablers are entry Trojans that
allow the next level of attack on the targeted system.
Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to collect confidential or
sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.


Data sending Trojans can be designed to look for specific information only, or can be more generic,
like keylogger Trojans. Nowadays more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen with an info stealer Trojan is
often sold on the black market. Info stealers gather information using several techniques; the most
common include logging keystrokes, taking screenshots and web cam images, and monitoring
internet activity, often for specific financial websites. The stolen information may be stored locally
so that it can be retrieved later, or sent to a remote location where it can be accessed by the
attacker. It is often encrypted before being posted to the malware author.
Keylogger Trojan - this is a type of data-sending Trojan that records every keystroke of the end
user. This kind of Trojan is used to steal sensitive information from the targeted host and send it
back to the attacker. For these Trojans the goal is to collect as much data as possible, without any
direct specification of what the data will be.
Trojan-PSW (Password Stealer) - this is a type of data-sending Trojan designed specifically to steal
passwords from the targeted system. In its execution routine, the Trojan will very often first drop
a keylogging component onto the infected machine.
Trojan-Banker - a Trojan designed specifically to steal online banking information to allow the
attacker further access to the bank account or credit card information.
Trojan-IM - a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
Trojan-Game Thief - a Trojan designed to steal online gaming account information.
Trojan-Mail Finder - a Trojan used to harvest any email addresses found on the infected computer.
The list is then forwarded to the remote attacker.
Trojan-Dropper -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Trojan-Downloader a Trojan that can download other malicious programs to the target
computer. Very often combined with the functionality of Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than the local
network. In order to successfully achieve its primary function, a downloader must run on a
computer that is inadequately protected and connected to a network.
Trojan-FakeAV
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


This type of Trojan can be either targeted to extort money for "non-existing" threat removal or
in other cases the installation of the program itself injects other malware to the host machine.
FakeAV applications can perform fake scans with variable results, but always detect at least one
is
constantly updated with new interfaces so that they mimic the legitimate anti-virus solutions and
appear very professional to the end users.
Trojan-Spy this Trojan has a similar functionality to the Info stealer or Trojan-PSW and its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/ services on the host or
stealing passwords.
Trojan-ArcBomb -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________


Trojan-Clicker or Trojan-AD clicker - a Trojan that continuously attempts to connect to specific
websites in order to boost the visit counters on those sites. More specific functionality of the
Trojan can include generating traffic to pay-per-click web advertising campaigns in order to
create or boost revenue.
Trojan-SMS - a Trojan used to send text messages from infected mobile devices to premium-rate
phone numbers.
Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Cryptolock Trojan (Trojan.Cryptolocker) - this is a newer variation of the ransomware Trojan that
emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or some part
of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files. While
Cryptolocker uses common Trojan spreading techniques like spam email and social engineering to
infect victims, the threat itself uses more sophisticated techniques, namely public-key cryptography
with strong RSA-2048 encryption: each file is encrypted with a symmetric key and that key is in turn
encrypted with the attacker's RSA public key, so the files cannot be recovered without the private
key that only the attacker holds.
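Because a file-encrypting Trojan cannot be undone after the fact, detection has to trigger on its behaviour while it runs. The following Python detector is an added example, not from the handbook or any product: it consumes file-system events of a constructed schema (the kind an EDR sensor or Windows minifilter reports) and flags a process that rewrites many distinct files with ciphertext-like, high-entropy content in a short window, with a lower bar when the same process also renames files to a new extension. The sample events, process names and the .locked extension are all constructed.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

HIGH_ENTROPY = 7.0   # bits per byte; text sits around 4-5, compressed or encrypted data near 8
WINDOW_S = 10.0      # how quickly the files must be rewritten to count as one burst
MIN_FILES = 5        # distinct files rewritten with ciphertext-like content in one burst


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a sensor would report it (constructed schema)."""
    ts: float           # seconds since start of capture
    pid: int
    proc: str
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # bytes written, for "write"
    new_path: str = ""  # destination name, for "rename"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events, window_s=WINDOW_S, min_files=MIN_FILES,
                      entropy_threshold=HIGH_ENTROPY):
    """Return sorted (pid, proc) pairs whose file activity looks like bulk encryption:
    many distinct files rewritten with high-entropy content inside one time window,
    with renames to a new extension lowering the bar (the classic '.locked' tell)."""
    hi_writes = defaultdict(list)   # (pid, proc) -> [(ts, path)] of high-entropy writes
    ext_renames = defaultdict(int)  # (pid, proc) -> renames that change the extension

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.proc)
        if ev.op == "write" and shannon_entropy(ev.data) >= entropy_threshold:
            hi_writes[key].append((ev.ts, ev.path))
        elif ev.op == "rename" and _ext(ev.path) != _ext(ev.new_path):
            ext_renames[key] += 1

    flagged = []
    for key, writes in hi_writes.items():
        # largest number of distinct files hit within any window_s-long span
        burst = 0
        for i, (t0, _) in enumerate(writes):
            files = {p for t, p in writes[i:] if t - t0 <= window_s}
            burst = max(burst, len(files))
        needed = min_files if ext_renames[key] == 0 else max(2, min_files // 2)
        if burst >= needed:
            flagged.append(key)
    return sorted(flagged)


def _pseudo_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample capture: a text editor, an archiver (high entropy but one
# file, no renames) and a process that rewrites eight documents with ciphertext
# and renames each to .locked.
SAMPLE_EVENTS = [
    FileEvent(0.0, 1001, "notepad.exe", "write", r"C:\Users\a\notes.txt",
              b"meeting at 10, bring the slides\n" * 40),
    FileEvent(1.0, 1002, "7z.exe", "write", r"C:\Backups\docs.7z", _pseudo_ciphertext("archive")),
]
for _i in range(8):
    _doc = rf"C:\Users\a\Documents\report{_i}.docx"
    SAMPLE_EVENTS.append(FileEvent(2.0 + 0.3 * _i, 4242, "svch0st.exe", "write",
                                   _doc, _pseudo_ciphertext(f"file{_i}")))
    SAMPLE_EVENTS.append(FileEvent(2.1 + 0.3 * _i, 4242, "svch0st.exe", "rename",
                                   _doc, new_path=_doc + ".locked"))

if __name__ == "__main__":
    print(detect_ransomware(SAMPLE_EVENTS))   # [(4242, 'svch0st.exe')]
```

The archiver shows why entropy alone is not enough: compressed output is as random-looking as ciphertext, so the rule counts distinct files per time window and treats the extension rename as corroboration. In production the same logic is usually complemented with canary files that no legitimate process should ever touch.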

, Pune, the TeslaCrypt Ransomware encryptor family exhibited a curious behaviour. In version 2.0 of the Trojan, notorious for infecting computer gamers, it displays an HTML page in the web browser which is an exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was detected in February 2015 and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. A few more examples of ransomware Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles


Other security threats

Malware refers to software viruses, spyware, adware, worms, Trojans, ransomware etc. They are
designed to cause damage to a targeted computer or cause a certain degree of operational
disruption.

Rootkits are malicious software designed to hide certain processes or programs from detection.
A rootkit usually acquires and maintains privileged system access while hiding its presence at the
same time. It acts as a conduit by providing the attacker with a backdoor to the system.

Spyware is software that monitors and collects information about a particular user, computer or
organisation without their knowledge. There are different types of spyware, namely system
monitors, Trojans (keyloggers, banker Trojans, infostealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookies that are distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.

Adware - in general terms, adware is software generating or displaying certain advertisements to
the user. This kind of adware is very common in freeware and shareware software and can analyz

Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV
software, also well known under the names "Rogue Security Software" or "Misleading Software".
This kind of software tricks the user into believing that the computer has been infected and offers
paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying others through webcams (very often
combined with capturing pictures), tracking online activities of others and listening to
conversation over the computer's microphone and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase both the
severity of the damage caused and the speed of spreading.


In 1983, this person was the first to offer the definition of 'Computer Virus'...

A. COHEN
B. NORTON
C. SMITH
D. McAfee

ANSWER

Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses
the environment and collects information in order to exploit existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.

Characteristics of network attacks:

Passive attacks: attacks whose only purpose is to learn or obtain information from the system;
system resources are not altered or disabled in any way (network sniffing, for example).
Active attacks: in this type of network attack the perpetrator accesses and either alters, disables
or destroys resources or data.
Outside attack: when the attack is performed from outside the organization by an unauthorized
entity it is said to be an outside attack.
Inside attack: if the attack is performed from within the company by an "insider" who already
has certain access to the network it is considered an inside attack.
Others, such as attacks targeted at end users (like phishing or social engineering): these are
not directly referred to as network attacks, but are important to know owing to their widespread
occurrence.


What types of attack are there?

Social engineering attack
Phishing attack
Social phishing
Spear phishing attack
Watering hole attack
Whaling
Vishing (voice phishing or VoIP phishing)
Network sniffing
Port scanning
Spoofing
DoS attack* & DDoS attack**
ICMP smurf denial of service
Buffer overflow attack
Man-in-the-middle attack
Botnet
SQL injection attack
Session hijacking attack
Cross-site scripting attack (XSS attack)
Bluetooth related attacks

*Denial of Service Attack
**Distributed Denial of Service Attack

Social engineering refers to psychological manipulation of people (employees of a company) into
performing actions that potentially lead to a leak of the company's proprietary or confidential
information, or otherwise cause damage to company resources, personnel or image. Social
engineers use various strategies to trick users into disclosing confidential information, data or
both. One very common technique is to pretend to be someone else: an IT professional, a member
of the management team, a co-worker, an insurance investigator or even a member of a
governmental authority. The mere fact that the caller claims to be one of these is meant to
convince the victim that the person has the right to know confidential or otherwise protected
information. The purpose of social engineering is the same as the purpose of hacking:
unauthorized access to confidential information, data theft, industrial espionage or environment/
service disruption.
Phishing attack - this type of attack uses social engineering techniques to steal confidential
information. The most common target of such an attack is the victim's banking account details and
credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead
them to malicious websites designed to look like real online banking websites. The emails received
by users will in most cases look authentic, as if sent from sources known to the user (very often
with the appropriate company logo and localised information). These emails contain a direct
request to verify some account information, credentials or credit card numbers by following the
provided link and confirming the information online. The request is accompanied by a threat that
the account may be disabled or suspended if the details are not verified by the user.
Social phishing - in recent years phishing techniques have evolved to include social media like
Facebook or Twitter. This type of phishing is often called social phishing. The purpose remains the
same: to obtain confidential information and gain access to personal files. The means of attack are
a bit different though, and include special links or posts on the social media sites that attract users
with their content and convince them to click. The link then redirects to a malicious website or
similar harmful content. The websites can mirror the legitimate Facebook pages so that an
unsuspecting user does not notice the difference. The website requires the user to log in with his
or her real credentials; at this point the attacker collects the credentials and gains access to the
compromised account and all the data on it. Another scenario involves fake apps: users are
encouraged to download and install apps that contain malware used to steal confidential
information.
Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link
posted by an attacker includes a picture or phrase that attracts the user to click on it. The user
clicks and is redirected to a mirror website that asks him or her to "like" the post before viewing
it. The user, not suspecting any harm, clicks the "like" button but does not realise that it has been
spoofed and is in reality an "accept" button granting a fake app access to the user's personal
information. At this point the data is collected and the account is compromised.
Spear phishing attack - this is a type of phishing attack targeted at specific individuals, groups of
individuals or companies. Spear phishing attacks are performed mostly for industrial espionage
and theft of sensitive information, while ordinary phishing attacks are directed at the wide public
with the intent of financial fraud. It has been estimated that in the last couple of years targeted
spear phishing attacks have become more widespread than ever before.

The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two factor authentication whenever available.
5. Confirm the authenticity of a website before entering login credentials by checking the
domain name shown in the address bar; a "security trust mark" image on the page proves
nothing, since an attacker can copy it.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data is encrypted in transit. HTTPS alone does not prove the site is
legitimate, since phishing sites commonly use valid certificates too, so check the domain as well.
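As an added example (not part of the handbook), the Python check below applies the points above to a raw message the way a mail gateway or a SOC triage script would: it compares the header From with the envelope sender (the forged "From" field that email spoofing relies on, described later under Spoofing), reads the receiving server's SPF/DKIM verdict, and flags links whose visible text names a different site than their href or that are not HTTPS. Both messages are constructed; bank.example and attacker.example are made-up domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed messages; bank.example and attacker.example are made-up domains.
PHISHING_EMAIL = """\
Return-Path: <bounce@mail-deliver.attacker.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-deliver.attacker.example; dkim=none
From: "Bank Security Team" <alerts@bank.example>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify your details:</p>
<p><a href="http://bank.example.login-verify.attacker.example/secure">https://www.bank.example/login</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
Return-Path: <notify@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Bank Statements" <notify@bank.example>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.bank.example/statements">https://www.bank.example/statements</a>.</p></body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(addr_header) -> str:
    addr = parseaddr(addr_header or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_site(a: str, b: str) -> bool:
    """True when one host equals the other or is a subdomain of it."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def analyze_email(raw: str) -> list:
    """Return the phishing indicators found in a raw RFC 5322 message, in fixed order."""
    msg = message_from_string(raw)
    findings = []

    # 1. Header From vs envelope sender (Return-Path): a forged From is the classic spoof.
    from_dom, env_dom = _domain_of(msg["From"]), _domain_of(msg["Return-Path"])
    if from_dom and env_dom and not _same_site(from_dom, env_dom):
        findings.append("SENDER_MISMATCH")

    # 2. The receiving MTA's SPF/DKIM/DMARC verdicts, if it recorded them.
    auth = msg.get("Authentication-Results", "")
    verdicts = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
    if any(v.lower() in ("fail", "softfail", "permerror") for _, v in verdicts):
        findings.append("AUTH_FAIL")

    # 3. Links whose visible text claims one site while the href goes elsewhere, or not HTTPS.
    if msg.get_content_type() == "text/html":
        body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
        ex = _LinkExtractor()
        ex.feed(body)
        for href, text in ex.links:
            href_host = urlparse(href).hostname or ""
            text_host = (urlparse(text).hostname or "") if "://" in text else ""
            if text_host and not _same_site(href_host, text_host):
                findings.append("LINK_TEXT_MISMATCH")
            if urlparse(href).scheme.lower() != "https":
                findings.append("LINK_NOT_HTTPS")

    # 4. Pressure language in the subject (a weak signal on its own).
    if re.search(r"\b(urgent|suspend\w*|verify|immediately)\b", msg.get("Subject", ""), re.I):
        findings.append("URGENCY")
    return findings


if __name__ == "__main__":
    print(analyze_email(PHISHING_EMAIL))  # ['SENDER_MISMATCH', 'AUTH_FAIL', 'LINK_TEXT_MISMATCH', 'LINK_NOT_HTTPS', 'URGENCY']
    print(analyze_email(LEGIT_EMAIL))     # []
```

The link check is the one a user can reproduce by hovering over the link before clicking: the text shows the bank's domain, the href points at a host under attacker.example that merely starts with the bank's name. The Authentication-Results header is only trustworthy when added by your own receiving server, so a gateway should strip any copy that arrives from outside before stamping its own.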

Watering hole attack - this is a more complex type of phishing attack. Instead of the usual way of
sending spoofed emails to end users in order to trick them into revealing confidential information,
attackers use a multi-staged approach to gain access to the targeted information. In the first step
the attacker profiles the potential victim, collecting information about his or her internet habits,
history of visited websites etc. In the next step the attacker uses that knowledge to inspect
specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found,
the attacker compromises the website with his own malicious code. The compromised website
then waits for the targeted victim to come back and infects them with exploits (often for zero-day
vulnerabilities) or malware. The analogy is a lion waiting at the watering hole for its prey.
Whaling - a type of phishing attack specifically targeted at senior executives or other high-profile
targets within a company.
Vishing (voice phishing or VoIP phishing) - the use of social engineering techniques over the
telephone system to obtain confidential information from users. This phishing attack is often
combined with caller ID spoofing, which masks the real source phone number and instead displays
a number familiar to the victim or known to belong to a real banking institution. Common vishing
practice includes pre-recorded automated instructions requesting users to provide bank account
or credit card information for verification over the phone.
Port scanning - an attack type where the attacker sends requests to a range of ports on a targeted
host in order to find out which ports are open, which allows them to exploit known vulnerabilities
in the services listening on those ports. Port scanning is used by malicious attackers to
compromise security as well as by IT professionals to verify network security.
Spoofing it is a technique used to masquerade a person, program or an address as another by
falsifying the data with purpose of unauthorized access.
A few of the common spoofing types include:
IP address spoofing: the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf attack).
ARP spoofing (ARP poisoning): the process of sending fake ARP messages on the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.
DNS spoofing (DNS cache poisoning): an attack where wrong data is inserted into a
DNS server's cache, causing the DNS server to divert traffic by returning wrong IP
addresses as results for client queries.
Email spoofing: the process of faking the email's sender ("From") field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during
phishing attacks.
Search engine poisoning: attackers take advantage of high profile news items or
popular events that may be of specific interest to a certain group of people to spread
malware and viruses. This is performed by various methods whose purpose is to
achieve the highest possible search ranking on known search portals for the malicious
sites and links introduced by the hackers. Search engine poisoning techniques are often
used to distribute rogue security products (scareware) to users searching for legitimate
security solutions to download.


Network sniffing (packet sniffing): the process of capturing the data packets travelling on the
network. Network sniffing can be used by IT professionals to analyse and monitor the traffic,
for example in order to find unexpected suspicious traffic, but also by perpetrators to collect
data sent in clear text, which is easily readable with network sniffers (protocol analysers).
The best countermeasure against sniffing is the use of encrypted communication between hosts.
Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack):
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds the server is no longer able to answer even legitimate requests;
this can be observed in a number of ways: slow response of the server, slow network
performance, unavailability of software or web pages, inability to access data, websites or other
resources. A Distributed Denial of Service attack (DDoS) occurs where multiple compromised or
infected systems (a botnet) flood a particular host with traffic simultaneously.
Fig: DoS (denial-of-service) attack
A few of the most common DoS attack types:
ICMP flood attack (Ping Flood): an attack that sends ICMP ping requests to the victim host
without waiting for the answers in order to overload it with ICMP traffic to the point where the
host cannot answer them any more, either because of network bandwidth congestion
with ICMP packets (both requests and replies) or because of high CPU utilization caused by
processing the ICMP requests. The easiest way to protect against the various types of ICMP
flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on
the router or to disable ICMP traffic at the firewall level.
Ping of Death (PoD): this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a PING larger than usual, which can
cause a buffer overflow on the system that leads to a system crash.
Smurf attack: this works in the same way as the Ping Flood attack with one major difference: the
source IP address of the attacker host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack will cause disruption both on the attacked host
(receiving a large number of ICMP requests) and on the spoofed victim host (receiving a large
number of ICMP replies).
Fig: ICMP Smurf Denial of Service
SYN flood attack: this attack exploits the way the TCP 3-way handshake works while a
TCP connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP
SYN-ACK packet confirming the connection can be made. As soon as this is received by the
first (local) host it replies again with a TCP ACK packet to the remote host. At this point the TCP
socket connection is established. During a SYN flood attack, the attacker host, or more
commonly several attacker hosts, send SYN packets to the victim host requesting a
connection; the victim host responds with SYN-ACK packets but the attacker hosts never
respond with ACK packets. As a result the victim host reserves space for all those
connections still awaiting a response from the remote attacker hosts, which never comes. This
leaves the server with dead open connections and in the end prevents legitimate hosts
from connecting to the server any more.
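As an added example (not code from the handbook), here is how a defender can spot both behaviours described above, port scanning and SYN flooding, in a connection log: one source reaching many distinct ports in a short window, and handshakes that stop after the SYN-ACK. The log format, the flag vocabulary, the thresholds and the traffic itself are constructed assumptions, and a real detector would also expire stale state by time.

```python
"""Added example: spotting port scans and SYN floods in a connection log (not handbook code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (assumed log vocabulary)


def parse_log(text):
    """Parse the constructed log format: '<ts> <src> <sport> <dst> <dport> <flags>' per line."""
    packets = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        packets.append(Packet(float(ts), src, int(sport), dst, int(dport), flags))
    return packets


def detect_port_scans(packets, min_ports=10, window=5.0):
    """Flag (src, dst) pairs whose SYNs reach at least min_ports distinct ports within window seconds."""
    syns = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.dst)].append((p.ts, p.dport))
    alerts = set()
    for pair, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {port for t, port in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.add(pair)
                break
    return alerts


def half_open_connections(packets):
    """Count, per destination host, handshakes stuck after SYN-ACK (no final ACK from the client)."""
    # One state entry per client-side 4-tuple, driven by the three handshake steps.
    state = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "S":
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
        elif p.flags == "SA":
            client = (p.dst, p.dport, p.src, p.sport)   # the reply travels the other way
            if state.get(client) == "syn":
                state[client] = "synack"
        elif p.flags == "A":
            client = (p.src, p.sport, p.dst, p.dport)
            if state.get(client) == "synack":
                state[client] = "established"
    counts = defaultdict(int)
    for (_, _, dst, _), s in state.items():
        if s == "synack":
            counts[dst] += 1
    return dict(counts)


def detect_syn_floods(packets, max_half_open=50):
    """Hosts holding at least max_half_open half-open connections in this log window."""
    return {dst: n for dst, n in half_open_connections(packets).items() if n >= max_half_open}


def build_sample_log():
    """Constructed traffic: one legitimate handshake, one port scan, one SYN flood."""
    lines = ["0.000 198.51.100.7 40000 192.0.2.10 443 S",
             "0.010 192.0.2.10 443 198.51.100.7 40000 SA",
             "0.020 198.51.100.7 40000 192.0.2.10 443 A"]
    for i, port in enumerate(range(20, 32)):          # 12 ports probed within 12 ms
        lines.append(f"1.{i:03d} 203.0.113.5 {50000 + i} 192.0.2.10 {port} S")
    for i in range(25):                                # 25 spoofed sources never send the ACK
        src = f"10.0.{i}.1"
        lines.append(f"2.{i:03d} {src} 1234 192.0.2.20 80 S")
        lines.append(f"2.{i:03d} 192.0.2.20 80 {src} 1234 SA")
    return "\n".join(lines)


if __name__ == "__main__":
    pkts = parse_log(build_sample_log())
    print("port scans:", detect_port_scans(pkts))                    # {('203.0.113.5', '192.0.2.10')}
    print("syn floods:", detect_syn_floods(pkts, max_half_open=20))  # {'192.0.2.20': 25}
```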
Buffer overflow attack: in this type of attack the victim host is provided with traffic/ data
that is outside the range of the processing specifications of the victim host, protocols or
applications, overflowing the buffer and overwriting the adjacent memory. One example is the
Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding
the normal value can cause a buffer overflow.
Botnet: a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many
requests as possible to the victim machine in order to overload it with incoming packets. Botnets
can also be used to send out spam, spread viruses and spyware, and to steal personal
and confidential information which is afterwards forwarded to the botmaster.
Man-in-the-middle attack
connections and communication between victim hosts. This form of attack includes interaction
between both victim parties of the communication and the attacker. This is achieved by the attacker
intercepting all parts of the communication, changing their content and sending them back as
legitimate replies. Neither party is aware of the attacker's presence and both believe the replies
they get are legitimate. For this attack to be successful, the perpetrator must successfully
impersonate at least one of the endpoints. This can be the case if there are no protocols in place
that would secure mutual authentication or encryption during the communication process.
Session hijacking attack: this attack targets the exploitation of a valid computer session in order
to gain unauthorized access to information on a computer system. The attack type is often
referred to as cookie hijacking because, during its progress, the attacker uses a stolen session cookie
to gain access and authenticate to the remote server by impersonating the legitimate user.
Cross-site scripting attack (XSS attack): the attacker exploits XSS vulnerabilities found in
web server applications in order to inject a client-side script into the web page that can either
point the user to a malicious website of the attacker or allow the attacker to steal the user's session
cookie.
SQL injection attack: the attacker uses existing vulnerabilities in the application to inject
code/ a string for execution that exceeds the allowed and expected input to the SQL database.
Bluetooth related attacks
Bluesnarfing: this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth
turned on and set to "discoverable" state may be prone to a bluesnarfing attack.
Bluejacking: this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth enabled devices.
Bluebugging: a hack attack on a Bluetooth enabled device. Bluebugging enables the
attacker to initiate phone calls on the victim's phone as well as read through the address
book and messages and eavesdrop on phone conversations.


Fig: Top Network Attacks as per McAfee Labs, 2015

A few recent cyberattacks (or network attacks) that shook some big businesses around the
globe:

Primera Blue Cross (March 2015)
The company, a health insurer based in Washington State, said up to 11
million customers could have been affected by a cyberattack last year.
Hackers gained access to its computers on May 5, and the breach was not
discovered until Jan. 29, Primera said. The breach could have exposed
members' names, dates of birth, Social Security numbers, mailing and
email addresses, phone numbers and bank account information. The
company is working with the F.B.I. and a cybersecurity firm to

Anthem (February 2015)
information of tens of millions of its customers and employees, including its
The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.

Sony Pictures (November 2014)
A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including, to the dismay of top executives, leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.

Staples (October 2014)
network and compromised the information of about 1.16 million credit
cards.


Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. The catalogue
is sponsored by the United States Department of Homeland Security (DHS), and threats are divided
into two categories: vulnerabilities and exposures.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker
with direct access to a system or network. For example, the vulnerability may allow an attacker to
pose as a super user or system administrator who has full access privileges. An exposure, on the other
hand, is defined as a mistake in software code or configuration that provides an attacker with indirect
access to a system or network. For example, an exposure may allow an attacker to secretly gather
customer information that could be sold.

identified. This is important because standard IDs allow security administrators to quickly access
technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA).
MITRE, a not-for-profit organization that operates research and development centres sponsored by
the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE
Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE
Numbering Authorities (CNAs).
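To show why a standard identifier matters across CVE-compatible sources, as an added example that is not from the handbook or from MITRE: findings from two constructed sources (a scanner report and a vendor advisory) are canonicalised and joined on their CVE ID. The ID syntax used is the real CVE-<year>-<sequence> form; the CVE-2099-... values and the source texts are placeholders, not real identifiers.

```python
"""Added example: correlating findings from several sources by their standard CVE ID."""
import re
from collections import defaultdict

# Standard CVE ID syntax: CVE-<year>-<sequence>, sequence at least four digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_id(text):
    """Canonical upper-case form of a CVE ID, or None if the text is not a well-formed ID."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None:
        return None
    year, seq = m.groups()
    if int(year) < 1999:          # the CVE list starts in 1999
        return None
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """All well-formed CVE IDs mentioned in free text, canonicalised, in first-seen order."""
    found = []
    for m in CVE_RE.finditer(text):
        cid = normalize_cve_id(m.group(0))
        if cid is not None and cid not in found:
            found.append(cid)
    return found


def correlate(sources):
    """sources: {source_name: text}. Returns {cve_id: sorted names of the sources mentioning it}."""
    index = defaultdict(set)
    for name, text in sources.items():
        for cid in extract_cve_ids(text):
            index[cid].add(name)
    return {cid: sorted(names) for cid, names in index.items()}


# Constructed inputs with placeholder IDs (CVE-2099-... are not real identifiers).
SCANNER_OUTPUT = """\
host 192.0.2.10 port 443: TLS library outdated (cve-2099-0001)
host 192.0.2.10 port 22: weak cipher suite enabled (CVE-2099-12345)
"""
VENDOR_ADVISORY = """\
Advisory: CVE-2099-0001 affects the bundled TLS library; upgrade to the fixed release.
Internal reference CVE-2099-123 is malformed (too few sequence digits) and is ignored.
"""

if __name__ == "__main__":
    merged = correlate({"scanner": SCANNER_OUTPUT, "advisory": VENDOR_ADVISORY})
    for cid, names in merged.items():
        print(cid, "->", ", ".join(names))   # CVE-2099-0001 -> advisory, scanner ...
```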


Summary
Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep track of who can access and who
has accessed data.
There are three categories of Information technology and information security:
o confidentiality
o integrity
o availability
Key concerns in information assets security are theft, fraud/ forgery, unauthorized information
access, interception or modification of data and data management systems.
Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
Microsoft has proposed a threat classification called STRIDE from the initials of threat
categories.
Types of attacks: virus, worms, Trojans and others.
Network attack is usually defined as an intrusion on the network infrastructure that will first
analyse the environment and collect information in order to exploit the existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
The recommendations to protect against Phishing and Spear Phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.


Practical activities:

Activity 1:

List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.

Activity 2:

Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.

Activity 3:

Access the CVE and list all the types of information that you can get from it. Present the same in
class and elaborate upon the various ways in which that information can be used.


Check your understanding:

1. State the categories of security in IT security and information.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Explain how a virus is different from a Trojan horse.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

3. State the reason why a Cavity virus is difficult to detect, unlike traditional viruses.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

4. State True or False:

a) Trojans do not self-replicate. _________________


b) .________________________

5. Explain what Riskware and Adware are.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

6. List few common network attacks.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________



UNIT II
Fundamentals of Information Security

This unit covers:

Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts data security
2.3 Types of controls


Performance Outcomes:
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures:
QA session and a descriptive write-up on understanding. Peer group, faculty group and industry experts.
KA6, KA7, KA8: Peer review with faculty with appropriate feedback.
KB1 to KB4: Going through the security standards over the internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Work Environment/ Lab Requirement (for both rows above):
PCs/ tablets/ laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP Web Inspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.


Lesson

Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.

No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.

Wireless networks, which by their nature give access to the radio medium, are more vulnerable than
wired networks and need to encrypt communications to deal with sniffing and to continuously check
the identity of the mobile nodes. The mobility factor adds more challenges to security, namely
monitoring and maintaining secure traffic transport for mobile nodes. This concerns both
homogeneous and heterogeneous mobility (inter-technology); the latter requires homogenization of the
security level of all networks visited by the mobile node.

and ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to
f router and terminal.

The difficulty of designing security solutions that could address these challenges is not only to ensure
robustness in the face of potential attacks or to ensure that security does not slow down
communications, but also to optimize the use of resources in terms of bandwidth, memory, battery,
etc. More importantly, in this open context the wireless network has to ensure anonymity and privacy,
while allowing traceability for legal reasons. Indeed, traceability is now increasingly necessary for
the fight against criminal organizations and terrorists, but also to minimize the plundering of
copyright. We are therefore facing a dilemma: providing a network that supports the free exchange of
information while controlling the content of the communication to avoid harmful content. Actually,
this concerns both wired and wireless networks. All these factors influence the selection and
implementation of security tools, which are guided by a prior risk assessment and security policy.

Finally, we are increasingly thinking about trust models in the design of secured systems, which should
offer a higher level of trust than classical security mechanisms; it seems that future networks should
implement both models: security and trust models.

In fact, if communication nodes are capable of building and maintaining a predefined trust level in
the network, then the communication system will be trustable all the time, thus allowing trusted
and secure service deployment. However, such trust models are very difficult to design and the trust
level is presently a rather biased concept, very similar to the human trust model. Note
that succeeding in building such trust models will allow infrastructure-based networks, but especially
infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to
deploy several applications. This will also have an impact on current business models, where the
economic model would have to change in order to include new players in the telecommunication
value chain, such as users offering their machines to build an infrastructure-less network. For
example, in the context of ad hoc networks, we could imagine that ad hoc users become distributors
of content or provide any other networked services, being a sort of service provider. In this case, an
appropriate charging and billing system needs to be designed.

A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.

Network security components often include:
Anti-virus and anti-spyware
Firewall to block unauthorized access to your network
Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day
or zero-hour attacks
Virtual Private Networks (VPNs) to provide secure remote access
Communication security

Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.

As a best practice, AppSec employs proactive and preventative methods to manage software
risk,
three distinct elements:

1) measurable reduction of risk in existing applications

2) prevention of introduction of new risks

3) compliance with software security mandates

A software vulnerability can be defined as a programmatic function that processes critical data
in an inse
cybercriminal as an entry point to steal sensitive, protected or confidential data.


The severity and frequency of cyber-attacks is increasing, which is making the practice of AppSec
important. AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate. Here are some of the reasons why (and see if these sound familiar):

in-house development teams,
commercial vendors,
outsourced solution providers, and
open source projects.

Software developers have an endless choice of programming languages to choose from: Java, .NET,
C++, PHP and more.

Applications can be deployed across myriad platforms: installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options, as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.

The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:
Begin with software security testing to find and assess potential vulnerabilities.
Follow remediation procedures to prioritize and fix them.
Train developers on secure coding practices.
Leverage ongoing threat intelligence to keep up-to-date.
Develop continuous methods to secure applications throughout the development life cycle.
Instantiate policies and procedures that instill good governance.

Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security conscious development teams
write bulletproof code and avoid common errors. For example, data input validation: the process of
ensuring that a program operates with clean, correct and useful data. Neglecting this important step,

to common attacks such as cross-site scripting and SQL injection.
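As an added example (not the handbook's code), the SQL injection and cross-site scripting attacks defined in the network attacks list and the input validation this paragraph calls for, shown as the vulnerable form beside its hardened form: a parameterized query instead of string concatenation, an allow-list check on the input, and output encoding with html.escape. The in-memory users table, the username allow-list and the probe string are constructed assumptions.

```python
"""Added example: SQL injection and XSS, vulnerable code beside its hardened form."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # assumption: the application's allow-list


def make_db():
    """Constructed in-memory users table; no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the typed string becomes part of the SQL statement, so a quote
    # in the input changes the structure of the query rather than the value compared.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Parameterized query: the driver binds the value as data; it is never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def is_valid_username(username):
    """Input validation: accept only what the application actually expects."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_vulnerable(name):
    # VULNERABLE: markup inside `name` is emitted straight into the page as HTML.
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name):
    # Output encoding: special characters become entities and render as plain text.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input a tester would use to check for injection
    print(find_user_vulnerable(conn, probe))   # ['alice', 'bob']: the whole table leaks
    print(find_user_safe(conn, probe))         # []: treated as one literal username
    print(is_valid_username(probe))            # False: rejected before it reaches the DB
    print(render_greeting_safe("<script>"))    # <p>Welcome, &lt;script&gt;!</p>
```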

When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.


Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and
integrity, the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of
any information that is transmitted, transferred or communicated.

There are five COMSEC security types:
Cryptosecurity: This encrypts data, rendering it unreadable until the data is decrypted.
Emission Security (EMSEC): This prevents the release or capture of emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized
interception.
Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.
Traffic-Flow Security: This hides messages and message characteristics flowing on a
network.
Transmission Security (TRANSEC): This protects transmissions from unauthorized access,
thereby preventing interruption and harm.


Fig: Critical Information Characteristics: Confidentiality, Integrity, Availability

Information States
Information has three basic states: at any given moment, information is being transmitted, stored or
processed. The three states exist irrespective of the media in which information resides.

Fig: Information States: Transmission, Processing, Storage
Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability. These attributes of information represent the
full spectrum of security concerns in an automated environment. They are applicable for any
organization irrespective of its philosophical outlook on sharing information.

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided
into those oriented to prevention and those focused on detection. The latter
aims to rapidly discover and correct for lapses that could not be (or at least were
not) prevented. The balance between prevention and detection depends on the
circumstances and the available security technologies.

Basic information security concepts:
Identification
Authentication
Authorization
Confidentiality
Integrity
Availability
Non-repudiation

Identification is the first step in the identify-authenticate-authorize sequence that is
performed countless times every day by humans and computers alike when access to
information or information processing resources is required. While the particulars of
identification systems differ depending on who or what is being identified, some intrinsic
properties of identification apply regardless of these particulars. Just three of these
properties are the scope, locality, and uniqueness of IDs.

refer to the familiar notation of email addresses. While many email accounts named Gaurav
may exist around the world, the email address Gaurav@company.com unambiguously refers
to exactly one such user in the company.com locality. Provided that the company in question
is a small one and that only one employee is named Gaurav, his colleagues may refer to
that particular person by using only his first name. That works because they are in the
same locality and only one Gaurav works there. However, if Gaurav were someone on the
other side of the world or even across town, to refer to Gaurav@company.com as simply
Gaurav would make no sense, because the user name Gaurav is not globally unique and refers
to different persons in different localities. This is one of the reasons why two user accounts
should never use the same name on the same system: not only would you not be
able to enforce access controls based on non-unique and ambiguous user names, but you would
also not be able to establish accountability for user actions.

Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to
be. The three methods of authentication are what you know, what you have and what you
are. Regardless of the particular authentication method used, the aim is to obtain
reasonable assurance that the identity declared at the identification stage belongs to the
party in communication. It is important to note that reasonable assurance may mean
different degrees of assurance, depending on the particular environment and application,
and therefore may require different approaches to authentication. Authentication
requirements of a national security critical system naturally differ from the authentication
requirements of a small company. As different authentication methods have different costs
and properties as well as different returns on investment, the choice of authentication
method for a particular system or organization should be made after these factors have
been carefully considered.
Authorization is the process of ensuring that a user has sufficient rights to perform the
requested operation, and preventing those without sufficient rights from doing the same.
After declaring identity at the identification stage and proving it at the authentication stage,
users are assigned a set of authorizations (also referred to as rights, privileges or
permissions) that define what they can do on the system. These authorizations are most

Confidentiality means that only authorized persons have access to receive or use information,
documents etc. Unauthorized access to confidential information may have devastating
consequences, not only in national security applications, but also in commerce and industry.
The main mechanisms for protecting confidentiality in information systems are cryptography
and access controls. Examples of threats to confidentiality are malware, intruders, social
engineering, insecure networks and poorly administered systems.
Integrity is concerned with the trustworthiness, origin, completeness and correctness of
information as well as the prevention of improper or unauthorized modification of
information. Integrity in the information security context refers not only to integrity of
information itself but also to the origin integrity i.e. integrity of the source of information.
Integrity protection mechanisms may be grouped into two broad types: preventive
mechanisms, such as access controls that prevent unauthorized modification of information,
and detective mechanisms, which are intended to detect unauthorized modifications when
preventive mechanisms have failed. Controls that protect integrity include principles of least
privilege, separation and rotation of duties.
Availability of information, although usually mentioned last, is not the least important pillar
of information security. Who needs confidentiality and integrity if the authorized users of
information cannot access and use it? Who needs sophisticated encryption and access
controls if the information being protected is not accessible to authorized users when they
need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as
important and as necessary a component of information security as confidentiality and
integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural
and manmade disasters obviously may also affect availability as well as confidentiality and
integrity of information though their frequency and severity greatly differ. Natural disasters
are infrequent but severe, whereas human errors are frequent but usually not as severe as
natural disasters. In both cases, business continuity and disaster recovery planning (which
at the very least includes regular and reliable backups) is intended to minimize losses.
Non-repudiation in the information security context refers to one of the properties of
cryptographic digital signatures that offers the possibility of proving whether a particular
message has been digitally signed by th


Non-repudiation is a somewhat controversial subject, partly because it is an important one
in this day and age of electronic commerce, and partly because it does not provide an absolute
guarantee. A digital signature owner who wishes to repudiate a transaction maliciously may
always claim that his or her digital signature key was stolen by someone who actually signed
the digital transaction in question, thus repudiating the transaction.

The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).
o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Sending: non-repudiation of sending provides proof of who sent the message.
o Origin: non-repudiation of origin is a combination of approval and sending.
o Submission: non-repudiation of submission provides proof that a delivery agent has
accepted the message for transmission.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized
the content of the received message.
o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it
provides proof that the recipient received and recognized the content of the message.


Fun-Facts about Top Data Center Security-GOOGLE


Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).

By functionality:

Preventive controls

Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.

Detective controls

Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs, and similar mechanisms.

Corrective controls

Corrective controls try to correct the situation after a security violation has occurred. Even
though a violation has occurred, the data may remain secure, so it makes sense to try to fix the
situation. Corrective controls vary widely, depending on the area being targeted, and they may be
technical or administrative in nature.

Deterrent controls

Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.

Recovery controls

Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.

Compensating controls

Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.


By plane of application:

Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.

Administrative controls
facilitate information security.

Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.

Access Control Models

Logical access control models are the abstract foundations upon which actual access control
mechanisms and systems are built. Access control is among the most important concepts in computer
security. Access control models define how computers enforce access of subjects (such as users, other
computers, applications and so on) to objects (such as computers, files, directories, applications,
servers and devices).

Three main access control models exist:

Discretionary Access Control model
Mandatory Access Control model
Role Based Access Control model
Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models.

In the DAC model, the owner (creator) of information (a file or directory) has the discretion to decide
about and set access control restrictions on the object in question. The advantage of DAC is its
flexibility. Users may decide who can access information and what they can do with it: read, write,
delete, rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC,
because users may make wrong decisions regarding access control restrictions or maliciously set
insecure or inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the
absolute majority of operating systems today, including Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security clearance
labels corresponding to data classification levels to decide in accordance with the security policy set
by the system administrator what access control restrictions to enforce. Additionally, per group and/or
per domain access control restrictions may be imposed, i.e. in addition to having the required
security clearance level, subjects (users or applications) must also belong to the appropriate group or
domain. For example, a file with a confidential label belonging only to the research group may not be
accessed by a user from the marketing group, even if that user has a security clearance level higher
than confidential (for example, secret or top secret). This concept is known as compartmentalization
or need to know.

Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)

In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
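The three models can be compared directly in code. The following added example, written for this section and not taken from Solaris or any other product, implements a minimal decision function for each model and replays the scenarios above: an owner-managed ACL (DAC), a clearance-versus-label check with compartments (MAC), and role assignment with revocation (RBAC). User names, group names and permission strings are constructed sample data.

```python
class DacObject:
    """Discretionary model: the object's owner decides who may do what."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "delete"}}  # owner starts with full rights

    def grant(self, actor, user, perms):
        # Only the owner may change the ACL; anyone else is refused.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())


# Mandatory model: a system-wide ordering of classification levels plus compartments.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(clearance, subject_groups, classification, object_groups):
    """Read is permitted only if the clearance dominates the label AND the subject
    belongs to every compartment the object is labelled with (need to know)."""
    if LEVELS[clearance] < LEVELS[classification]:
        return False
    return set(object_groups) <= set(subject_groups)


class Rbac:
    """Role-based model: permissions attach to roles, users are assigned roles."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def grant(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, perm):
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo():
    """Replays the handbook's scenarios with constructed names and groups."""
    results = {}

    # DAC: Ann owns a file and grants Joe read access; Joe cannot delegate rights himself.
    report = DacObject("ann")
    report.grant("ann", "joe", {"read"})
    results["dac_joe_read"] = report.allowed("joe", "read")
    results["dac_joe_write"] = report.allowed("joe", "write")
    try:
        report.grant("joe", "david", {"read"})
        results["dac_joe_can_delegate"] = True
    except PermissionError:
        results["dac_joe_can_delegate"] = False

    # MAC: a confidential file of the research group; a secret-cleared marketing user is denied.
    results["mac_marketing_secret"] = mac_read_allowed("secret", ["marketing"], "confidential", ["research"])
    results["mac_research_confidential"] = mac_read_allowed("confidential", ["research"], "confidential", ["research"])
    results["mac_research_public"] = mac_read_allowed("public", ["research"], "confidential", ["research"])

    # RBAC: marketing files readable by the marketing manager role; David leaves the department.
    rbac = Rbac()
    rbac.grant("marketing manager", "read:marketing-files")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing manager")
    rbac.revoke("david", "marketing manager")
    results["rbac_ann"] = rbac.allowed("ann", "read:marketing-files")
    results["rbac_david"] = rbac.allowed("david", "read:marketing-files")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The MAC check shows why a higher clearance alone is not enough: the marketing user with secret clearance is refused the confidential research file because the compartment test fails. In the RBAC part, revoking David's single role removes his access without touching the permissions of the files or of the other users.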

Centralized vs. Decentralized Access Control


Further distinction should be made between centralized and decentralized (distributed) access control
models. In environments with centralized access control, a single, central entity makes access control
decisions and manages the access control system whereas in distributed access control environments,
these decisions are made and enforced in a decentralized manner. Both approaches have their pros
and cons, and it is generally inappropriate to say that one is better than the other. The selection of a
particular access control approach should be made only after careful consideration of an
o s.

Security Vulnerability Management


Security vulnerability management is the current evolutionary step of vulnerability assessment
systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N.

best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability
management lifecycle.

A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying
networked systems and associated applications, auditing (scanning) the systems and applications for
vulnerabilities and remediating the vulnerabilities. Any IT infrastructure component may present
existing or new security concerns and weaknesses, i.e. vulnerabilities. These may be product/component
faults or inadequate configuration. Malicious code or unauthorized individuals may exploit
those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability
management is the process of identifying those vulnerabilities and reacting appropriately to mitigate
the risk.

Vulnerability assessment and management is an essential piece for managing overall IT risk
because:

Persistent threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.

Regulation
Many government and industry regulations mandate rigorous vulnerability management
practices.

Risk management
Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.

Properly planned and implemented threat and vulnerability management programs represent a key
hreat
mitigation that is proactive and business aligned, not just reactive and technology focused.

Vulnerability Assessment
This includes assessing the environment for known vulnerabilities, and assessing IT components against
the security configuration policies (by device role) that have been defined for the environment. This
is accomplished through scheduled vulnerability and configuration assessments of the environment.
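As an added example of a configuration assessment by device role (example code written for this section, not a scanner product's own), the Python below compares an sshd_config captured from a host against the policy defined for that host's role and reports every deviation, including options the policy requires but the host never sets. The role names, policy values and captured configuration are constructed; the option names are real sshd_config keywords.

```python
# Constructed security configuration policy keyed by device role. The keys are
# real sshd_config options; the required values are this example's assumed policy.
POLICIES = {
    "bastion": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "PermitEmptyPasswords": "no",
        "X11Forwarding": "no",
        "MaxAuthTries": "3",
    },
    "internal-server": {
        "PermitRootLogin": "no",
        "PermitEmptyPasswords": "no",
    },
}


def parse_config(text):
    """Parse 'Keyword value' lines in sshd_config style.  Lines starting with '#'
    and blank lines are ignored; keywords are case-insensitive; as in sshd, the
    first occurrence of a keyword wins.  Match blocks are not handled (simplified)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def assess(role, config_text, policies=POLICIES):
    """Return deviations from the role policy as (option, expected, actual) tuples.
    actual is None when the option is not set at all; that is still a finding,
    because the daemon default then applies rather than the policy value."""
    actual = parse_config(config_text)
    deviations = []
    for option, expected in policies[role].items():
        found = actual.get(option.lower())
        if found != expected:
            deviations.append((option, expected, found))
    return deviations


# Constructed sshd_config as captured from a host assigned the bastion role.
SAMPLE_BASTION_CONFIG = """\
# captured configuration (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
"""


if __name__ == "__main__":
    for option, expected, found in assess("bastion", SAMPLE_BASTION_CONFIG):
        print(f"{option}: expected {expected!r}, found {found!r}")
```

The same captured file assessed against the internal-server role yields fewer findings, which is the point of per-role policies: the baseline a host is measured against depends on the exposure its role implies.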

Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply with
database security best practices.
application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.

Risk assessment

Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This incorporates the basis
of the action to be agreed on between the relevant line of business and the security team.

Risk analysis

the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).

Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.

Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)

share data across separate network security databases and tools, and provide a baseline for

incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable,
accurate measurement while enabling users to see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores.

Common Weakness Enumeration (CWE)

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse
for discussing, finding and dealing with the causes of software security vulnerabilities as they are
found in code, design or system architecture. Each individual CWE represents a single vulnerability
type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability
they represent. For more details see: Common Weakness Enumeration.


Remediation Planning
Prioritization

Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.

Root Cause Analysis (RCA)

It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.
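To make the prioritization and root cause steps above concrete, here is an added example (not from the handbook) in which constructed scanner findings are ranked by CVSS score weighted by asset criticality, and then aggregated by the root cause the analyst attributed them to, so that the one process change removing the most risk shows up first. Asset names, scores, causes and criticality weights are all made-up sample data.

```python
from collections import defaultdict

# Constructed scanner output: asset, short description, CVSS base score and the
# root cause the analyst attributed the finding to.  Placeholder data, not real findings.
FINDINGS = [
    {"asset": "db-prod-01", "issue": "unpatched database engine", "cvss": 9.8, "cause": "no patch cycle"},
    {"asset": "db-prod-01", "issue": "verbose error pages", "cvss": 5.3, "cause": "unhardened build image"},
    {"asset": "web-prod-02", "issue": "reflected XSS in search", "cvss": 6.1, "cause": "no output-encoding library"},
    {"asset": "web-prod-02", "issue": "unpatched TLS library", "cvss": 7.5, "cause": "no patch cycle"},
    {"asset": "dev-vm-07", "issue": "unpatched database engine", "cvss": 9.8, "cause": "no patch cycle"},
    {"asset": "dev-vm-07", "issue": "verbose error pages", "cvss": 5.3, "cause": "unhardened build image"},
]

# Business criticality of each asset on a 0..1 scale (constructed; 0.5 assumed when unknown).
ASSET_CRITICALITY = {"db-prod-01": 1.0, "web-prod-02": 0.8, "dev-vm-07": 0.3}


def weighted_risk(finding, criticality=ASSET_CRITICALITY):
    """Technical severity scaled by how much the business depends on the asset."""
    return finding["cvss"] * criticality.get(finding["asset"], 0.5)


def prioritize(findings=FINDINGS, criticality=ASSET_CRITICALITY):
    """Remediation work list ordered by weighted risk, highest first."""
    return sorted(findings, key=lambda f: weighted_risk(f, criticality), reverse=True)


def by_root_cause(findings=FINDINGS, criticality=ASSET_CRITICALITY):
    """Aggregate weighted risk per root cause as (cause, finding_count, total_risk)
    tuples, largest total first: fixing the process at the top of this list
    removes the most risk with a single change."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for f in findings:
        totals[f["cause"]] += weighted_risk(f, criticality)
        counts[f["cause"]] += 1
    return sorted(((c, counts[c], round(totals[c], 2)) for c in totals),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for f in prioritize():
        print(f"{weighted_risk(f):5.2f}  {f['asset']:12} {f['issue']}")
    print()
    for cause, count, total in by_root_cause():
        print(f"{total:6.2f} across {count} findings: {cause}")
```

Note how the 9.8 finding on the development VM drops to the bottom of the list once asset criticality is applied, while the root cause view shows that the missing patch cycle accounts for most of the weighted risk across three different findings, which is what the RCA step is meant to surface.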

What makes a good RCA?

An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate
condition in which the system finds itself. For example, in an application crash one should be thinking:
why did it crash this way?

why" until one runs out


of room for questions, and then they are faced with the problem at the root of the situation.

Example: consider an application whose database was pilfered by hackers. The ultimate failure the
analyst is investigating is the exfiltration of consumer private data, but the SQL injection isn't what
caused the failure. Why did the SQL injection happen? Was the root of the problem that the developer
responsible simply didn't follow the corporate policy for building SQL queries? Or was the issue a
failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API, a free,
open source web application security control library that makes it easier for programmers to write
lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable piece of
open-source code that was incorporated into the corporate application without passing through the
full source code lifecycle process?

Your job when you're performing an RCA is to figure this out. Root cause analysis is super critical in
the software security world. A number of automated solutions are also available for various types of
RCA. For example, HP's web application security testing technology can link XSS issues to a single
line of code in the application's input handler.

Decision trees and algorithms may be used as tools for further detailed analysis. To learn more about
this, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678


Figure: Ranking of cyber security objectives in terms of business priority (bar chart; the category labels are not preserved in the extracted text).

65% of organizations had an average of 3 DDoS attacks in the past 12 months.
54 minutes of downtime during one DDoS attack.
Average cost per minute of downtime is $22,000.
Average annual cost of DDoS attacks is $3000,000.


Summary
Elements of information security include network security, application security and
communication security
Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
Critical information characteristics are Confidentiality, Integrity and Availability.
Information states include transmission, storage and processing.
Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused
the ultimate condition in which the system finds itself.


Practical activities:

Activity 1:

Investigate the various types of threats to network security, application security
and communication security and prepare a white paper on the same. Also, list the
various countermeasures or security devices that may be used to address them.
Present it in class.

Activity 2:

Collect information about various websites, and understand the various security services they
offer. Carry out a comparison of the various services or products offered and list their
features and benefits.

Activity 3:

Collect information about various categories of controls and state which various
controls are within each category? Discuss in groups the benefits and limitations of
examples of each type of control within a category.

Activity 4:

Collect information about various elements of a decision tree and an algorithm. Create
algorithms and decision trees for various situations in case of planning for security of
information assets.


Check your understanding:


1. Write a short note on your understanding of the following basic information security concepts.
Identification
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Authentication
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Authorization
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Confidentiality
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Integrity
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Availability
__________________________________________________________________________________

__________________________________________________________________________________


__________________________________________________________________________________

__________________________________________________________________________________
Non-repudiation
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Which are the three states of Information?


______________________________________

______________________________________

______________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

_________________________________________________________________________________
