
UNIVERSITY OF ELDORET

SCHOOL OF SCIENCE

COMP 425 : NETWORK SECURITY AND CRYPTOGRAPHY

Course Content

LECTURE
1 Key concepts in Information Security. Threats and vulnerabilities in
Computer Networks, Authentication applications,
2 Electronic Mail security, IP security,
3 Web security, Other Web security issues:- Intruders and viruses, firewalls,
Digital cash, secret sharing Schemes,
4 Cat 1
5 Conventional Encryption:- Classical Systems, DES, 3DES, AES,
Symmetric Ciphers (RC4, RC5).
6 Zero-Knowledge Techniques, FolkLore.
7 Public Key cryptography:- Introduction to Number Theory, Key
Management, Message Authentication and Hash Functions.
8 Hash and MAC Algorithms, Digital Signatures, Passwords and Password
Management
9 Penetration testing
10 Trends in Network security.
11 Presentations
12 CAT II


Assessment
Continuous Assessment Tests (CATs): 30%
End of Semester Written Examinations: 70%

Learning Materials

Cryptography and Network Security – by Atul Kahate – TMH.


Data Communications and Networking – by Behrouz A. Forouzan – McGraw-Hill.
Cyber Security Operations Handbook – by J.W. Rittinghouse and William M. Hancock – Elsevier.

LECTURE 1
Key concepts in Information Security

Information security is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Security attack – Any action that compromises the security of information owned by an organization.
Security mechanism – A means used to detect, prevent or recover from a security attack.
Security service – A processing or communication service that enhances the security of data processing
systems and information transfers. A security service is intended to counter security attacks and makes use
of one or more security mechanisms to provide the service.
Confidentiality - limiting information access and disclosure to authorized users -- "the right people" --
and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Integrity - Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Availability - This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be functioning
correctly.
Non-repudiation - It implies that one party of a transaction cannot deny having received a transaction
nor can the other party deny having sent a transaction.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the
loss of the asset).
Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
A threat is anything (manmade or act of nature) that has the potential to cause harm. The likelihood that
a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to
inflict harm, it has an impact.
Cryptography - The art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to its
original form.
Information Infrastructure comprises communications networks, computers, databases, management,
applications, and consumer electronics and can exist at the global, national, or local level.
The network and infrastructure equipment that provides connectivity between enclaves can be logically
grouped into three areas:
 Public/commercial networks and network technologies
 Dedicated network services
 Government-owned and government-operated networks and services
Organizational and government information systems and their corresponding networks offer attractive
targets to hackers. They must be able to withstand the ever-growing quantity of threats from hackers of all
types in order to limit damage and recover rapidly when such attacks do occur.

Network Vulnerabilities
Passive: Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting
weakly encrypted traffic, and capturing authentication information (e.g., passwords). Passive intercept of
network operations can give adversaries indications and warnings of impending actions. Passive attacks
can result in the disclosure of information or data files to an attacker without the consent or knowledge of
the user. Examples include the disclosure of personal information such as credit card numbers and
medical files.
Active: Active attacks include attempts to circumvent or break protection features, introduce malicious
code, or steal or modify information. These include attacks mounted against a network backbone,
exploitation of information in transit, electronic penetrations into an enclave, or attacks on an authorized
remote user when attempting to connect to an enclave. Active attacks can result in the disclosure or
dissemination of data files, denial of service, or modification of data.

Close-in: Close-in attacks are where an unauthorized individual is in physical close proximity to
networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.
Close proximity is achieved through surreptitious entry, open access, or both.
Insider: Insider attacks can be malicious or non-malicious. Malicious insiders have the intent to
eavesdrop, steal or damage information, use information in a fraudulent manner, or deny access to other
authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or
intentionally circumventing security for non-malicious reasons, such as to "get the job done."
 Distribution: Distribution attacks focus on the malicious modification of hardware or software at the
factory or during distribution. These attacks can introduce malicious code into a product, such as a back
door, to gain unauthorized access to information or a system function at a later date.

Network vulnerabilities come in many forms but the most common types are:
1. Malware, short for malicious software, such as Trojans, viruses, and worms that are installed on a
user’s machine or a host server.
2. Social engineering attacks that fool users into giving up personal information such as a username or
password.
3. Outdated or unpatched software that exposes the systems running the application and potentially the
entire network.
4. Misconfigured firewalls / operating systems that still have default or overly permissive policies enabled.
5. Gaps in your application security: when applications are not kept up-to-date, tested and patched, the
doors are open to code injection, cross-site scripting, insecure direct object references, and much
more.

TYPES OF CYBER SECURITY THREATS


There are numerous threats that can affect hardware, software, and the information you store. Some of the
major ones include the following:
 Viruses are designed in such a way that can be easily transmitted from one computer or system to
another. Often sent as email attachments, viruses corrupt and co-opt data, interfere with your security
settings, generate spam, and may even delete content.
 Computer worms are similar, but they spread on their own without needing a host file: a worm
copies itself from one computer to the next, for example by mailing itself to all of a user's contacts and
then to all of those contacts' contacts, or by exploiting a vulnerable network service directly.
 Trojans – malicious programs that masquerade as, or hide inside, a legitimate program. Often,
people voluntarily let trojans into their systems, for instance as attachments to email messages from a person
or an advertiser they trust. As soon as the accompanying attachment is opened, the malware inside runs
with the user's privileges.
 Bogus security software (scareware) that tricks users into believing that their system has been
infected with a virus. The "security software" the threat actor then provides to fix the problem is itself the
malware.
 The adware tracks your browsing habits and causes particular advertisements to pop up.
 Spyware is an intrusion that may steal sensitive data such as passwords and credit card numbers from
your internal systems.
 Denial of service (DoS) attack: occurs when attackers deluge a website or server with more traffic or
requests than it can handle, making it impossible for legitimate users to access its content. A distributed
denial of service (DDoS) attack is more forceful since it is launched from many compromised machines (a
botnet) simultaneously. Because there is no single source to block, a DDoS attack is harder to defend against.
 Phishing attacks are social engineering infiltrations whose goal is to wrongfully obtain sensitive
data such as passwords and credit card numbers. Via emails or links that appear to come from trusted
companies and financial institutions, the attacker lures the victim into entering credentials on a fake site or
into downloading and installing malware.
 SQL injections are attacks in which untrusted input is placed directly into a database query, so that
the input is interpreted as SQL code rather than as data. As a result, data can be stolen, changed, or destroyed.

 Man-in-the-middle attacks involve a third party intercepting and exploiting communications
between two entities that should remain private. Not only does eavesdropping occur but also
information can be changed or misrepresented by the intruder, causing inaccuracy and even security
breaches.
This is an attack that allows adversaries to spy on or alter the communication between devices in
your network. A man-in-the-middle attack could lead to the installation of viruses, worms, or
ransomware. Cybercriminals can carry out a man-in-the-middle attack through:
 IP spoofing
 DNS spoofing
 HTTPS spoofing
 SSL hijacking
 Wi-Fi hacking (e.g., a rogue access point)
 Rootkits are tools that conceal an attacker's presence and preserve privileged access on a compromised
system; they can lead to the installation of further malware and the stealing of passwords and other data.
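The SQL injection item above, as an added example that is not code from the lecture notes: a login check built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table. The user names, passwords, table layout and payloads are invented for the example, and passwords are stored in clear here only to keep the focus on the query.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Return the role if the user/password pair matches, else None.

    The query text is assembled by string concatenation, so characters in the
    input (quotes, comment markers) become part of the SQL itself.
    """
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the SQL text, so input can never alter the query structure."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, search):
    """A second injection shape: a search box whose input reaches a LIKE
    clause; a UNION payload turns it into a dump of every credential."""
    query = "SELECT username FROM users WHERE username LIKE '%" + search + "%'"
    return [r[0] for r in conn.execute(query).fetchall()]


# Payloads a tester would try first (constructed for this example).
BYPASS_USERNAME = "alice' --"   # the -- comments out the password check
UNION_SEARCH = "x' UNION SELECT username || ':' || password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USERNAME, "wrong"))   # admin: password never checked
    print(login_safe(db, BYPASS_USERNAME, "wrong"))         # None: payload treated as a literal name
    print(sorted(dump_vulnerable(db, UNION_SEARCH)))        # every username:password pair
```

The fix is not escaping quotes by hand but keeping code and data separate: with placeholders the database receives the query structure and the values on different channels, which is why the same payload is harmless in `login_safe`.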

Superuser accounts
Superuser accounts can turn into network vulnerabilities. These accounts have unlimited privileges over
data and devices and are often used for administrative purposes by IT team leaders.
The user can create, modify, and delete files, install software, or copy information. If a cybercriminal
gets hold of such an account, the damage to your network and your business could be catastrophic.

Causes of Vulnerabilities
 Design and development errors: There can be flaws in the design of hardware and software. These
bugs can put your business-critical data at risk of exposure.
 Poor system configuration: This is another cause of vulnerability. If the system is poorly configured,
then it can introduce loopholes through which attackers can enter into the system & steal the
information.
 Human errors: Human factors like improper disposal of documents, leaving documents
unattended, coding errors, insider threats, entering passwords on phishing sites, etc. can lead to
security breaches.
 Connectivity: If the system is connected to an unsecured network (open connections) then it comes
within the reach of attackers.
 Complexity: Security vulnerability rises in proportion to the complexity of a system. The more
features a system has, the larger its attack surface and the more chances of the system being attacked.
 Passwords: Passwords are used to prevent unauthorized access. They should be strong enough that
no one can guess them, should not be shared with anyone at any cost, and should be changed periodically
or whenever compromise is suspected. In spite of these instructions, at times people reveal their
passwords to others, write them down where others can read them, and choose easy passwords that can be guessed.
 User input: Input that is not validated before use can be turned into an attack on the receiving
system; SQL injection and buffer overflows are the classic examples.
 Management: Security is hard and expensive to manage. Sometimes organizations lag behind in
proper risk management and hence vulnerabilities are introduced into the system.
 Lack of training for staff: This leads to human errors and other vulnerabilities.
 Communication: Channels like mobile networks, the Internet and the telephone open up opportunities
for interception and theft.

Note
The threats are too great, too fast, and too powerful, and the day you are hacked will arrive much sooner
rather than later. Basic security is NOT ENOUGH.

Throw out any notion you might have that you will be able to completely eliminate risks. Shift those
security goals around minimizing and managing risks - keeping the impact of incidents low and the
efforts to resolve incidents as efficient as possible.
The tools you implement to make those goals possible are what make it all work, including:
 Complete managed security including all your endpoints
 Encrypt EVERYTHING – in transit and at rest
 Secure EVERYTHING – with two-factor authentication
 Trust no one and no account (Zero trust!)
 Patch, patch, and keep patching
 Leverage third party specialists for audits and monitoring
 Stay on top of patch management, revisit and validate alerting infrastructure at every point of
egress/ingress,
 Use defense in depth (layered security measures), and
 Teach users to protect their accounts and report suspicious events.

INTRUDERS
One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker.
Three classes of intruders are as follows:
Masquerader – an individual who is not authorized to use the computer and who penetrates a
system’s access controls to exploit a legitimate user’s account.
Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is not
authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user – an individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user
can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many
people who simply wish to explore the Internet and see what is out there. At the serious end are individuals
who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the
system. Benign intruders might be tolerable, although they do consume resources and may slow
performance for legitimate users.

Intrusion techniques
The objective of the intruders is to gain access to a system or to increase the range of privileges
accessible on a system. Generally, this requires the intruders to acquire information that should be
protected. In most cases, the information is in the form of a user password.
Typically, a system must maintain a file that associates a password with each authorized user. If such a
file is stored with no protection, then it is an easy matter to gain access to it. The password file can be
protected in one of two ways (in practice both are used together):
One-way function – the system stores only a one-way transformation (a salted hash) of the user's
password, never the password itself. The transformation is not reversible: to check a login, the system
applies the same function to the offered password and compares the fixed-length output with the stored
value, so an attacker who obtains the file must still guess each password.
Access control – access to the password file is limited to one or a very few accounts.

The following techniques are used for learning passwords.


 Try default passwords used with standard accounts that are shipped with the system.
 Many administrators do not bother to change these defaults.
 Exhaustively try all short passwords.
 Try words in the system’s online dictionary or a list of likely passwords.

 Collect information about users such as their full names, the name of their spouse and
children, pictures in their office and books in their office that are related to hobbies.
 Try user’s phone number, social security numbers and room numbers.
 Try all legitimate license plate numbers.
 Use a Trojan horse to bypass restriction on access.
 Tap the line between a remote user and the host system.
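The one-way protection described above and two of the guessing techniques in the list (dictionary words, exhaustive search of short passwords), as an added example that is not from the lecture notes: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, verified in constant time, and then attacked. The user names, passwords, word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 100_000   # assumed work factor; real deployments tune this upward


def hash_password(password, salt=None, iterations=ITERATIONS):
    """One-way transformation: the password itself is never stored, only a
    salted PBKDF2-HMAC-SHA256 digest that cannot be reversed to the password.
    A fresh random salt per user means equal passwords get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and parameters and compare in
    constant time so the comparison leaks nothing through timing."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed password file (a real one, like /etc/shadow, is readable only by root).
WORDLIST = ["password", "123456", "letmein", "qwerty", "eldoret2024"]
PASSWORD_FILE = {
    "alice": hash_password("correct-horse-battery-staple"),   # not in the word list
    "bob":   hash_password("letmein"),                        # dictionary word
    "carol": hash_password("eldoret2024"),                    # local-knowledge guess
}


def dictionary_attack(password_file, wordlist):
    """'Try words in a dictionary or a list of likely passwords'. Every candidate
    must be hashed separately per user because each salt differs, and each hash
    costs ITERATIONS HMAC evaluations: that is the cost the defence imposes."""
    cracked = {}
    for user, stored in password_file.items():
        for word in wordlist:
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked


def brute_force_short(stored, alphabet=string.digits, max_len=3):
    """'Exhaustively try all short passwords'. Only feasible here because the
    search space is tiny (1,110 candidates for digits up to length 3)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if verify_password(guess, stored):
                return guess
    return None


if __name__ == "__main__":
    print(dictionary_attack(PASSWORD_FILE, WORDLIST))   # {'bob': 'letmein', 'carol': 'eldoret2024'}
    print(brute_force_short(hash_password("37"), max_len=2))   # 37
```

Note what the one-way function does and does not buy: alice's passphrase survives because it is not in the list, while bob's and carol's fall to a five-word dictionary regardless of the hash, and a three-digit PIN falls to exhaustive search. Hashing with a salt and a high iteration count only makes every guess expensive; it cannot rescue a guessable password, which is why access control on the file is applied as well.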
Two principal countermeasures:
Detection – concerned with learning of an attack, either before or after its success.
Prevention – a challenging security goal and an uphill battle at all times.

INTRUSION DETECTION:
Inevitably, the best intrusion prevention system will fail. A system's second line of defense is intrusion
detection, and this has been the focus of much research in recent years.
This interest is motivated by a number of considerations, including the following:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system
before any damage is done or any data are compromised.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used
to strengthen the intrusion prevention facility.
4. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a
legitimate user in ways that can be quantified.

Approaches to intrusion detection:


1. Statistical anomaly detection: Involves the collection of data relating to the behavior of
legitimate users over a period of time. Then statistical tests are applied to observed behavior to
determine with a high level of confidence whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent of
user, for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to detect
changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a
given behavior is that of an intruder.
a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
b. Penetration identification: An expert system approach that searches for suspicious behavior.
In terms of the types of attackers listed earlier, statistical anomaly detection is effective against
masqueraders. On the other hand, such techniques may be unable to deal with misfeasors. For such
attacks, rule-based approaches may be able to recognize events and sequences that, in context, reveal
penetration. In practice, a system may exhibit a combination of both approaches to be effective against a
broad range of attacks.
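The approaches above, as an added example not taken from the notes: a user-independent threshold check, a profile-based check on each user's usual login hours, and a rule-based penetration signature (a run of failures followed by a success for the same account from the same address), all run over a constructed sshd-style log. The log lines, user profiles and thresholds are invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd-style log (not a real capture). One burst of failures from an
# outside address ends in a success for alice at an hour she never logs in.
SAMPLE_LOG = """\
2024-03-04T09:02:11 Accepted password for alice from 10.0.0.5
2024-03-04T09:15:40 Accepted password for bob from 10.0.0.7
2024-03-04T10:20:00 Failed password for bob from 10.0.0.7
2024-03-04T10:20:09 Accepted password for bob from 10.0.0.7
2024-03-04T23:47:03 Failed password for alice from 198.51.100.9
2024-03-04T23:47:05 Failed password for alice from 198.51.100.9
2024-03-04T23:47:08 Failed password for alice from 198.51.100.9
2024-03-04T23:47:11 Failed password for alice from 198.51.100.9
2024-03-04T23:47:14 Failed password for alice from 198.51.100.9
2024-03-04T23:48:10 Accepted password for alice from 198.51.100.9
"""

# Profile-based: hours (0-23) at which each user has historically logged in (constructed).
PROFILES = {"alice": {8, 9, 10, 17}, "bob": {9, 10, 14, 15}}

LINE_RE = re.compile(r"^(\S+) (Accepted|Failed) password for (\S+) from (\S+)$")


def parse_log(text):
    """Turn log lines into events sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "ok": outcome == "Accepted",
                       "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["time"])


def threshold_alerts(events, max_failures=5):
    """Threshold detection: a fixed, user-independent limit on an event count,
    here failed logins per source address."""
    failures = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in failures.items() if n >= max_failures)


def profile_alerts(events, profiles):
    """Profile-based anomaly detection: a successful login at an hour outside the
    account's historical pattern. Catches a masquerader using a valid password."""
    return [(e["user"], e["time"].isoformat())
            for e in events
            if e["ok"] and e["user"] in profiles
            and e["time"].hour not in profiles[e["user"]]]


def rule_alerts(events, min_failures=3):
    """Rule-based penetration identification: at least min_failures consecutive
    failures for one (user, address) immediately followed by a success."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            if streak[key] >= min_failures:
                alerts.append(key)
            streak[key] = 0
        else:
            streak[key] += 1
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(threshold_alerts(ev))          # ['198.51.100.9']
    print(profile_alerts(ev, PROFILES))  # [('alice', '2024-03-04T23:48:10')]
    print(rule_alerts(ev))               # [('alice', '198.51.100.9')]
```

Bob's single typo at 10:20 trips none of the three checks, while the 23:47 burst trips all of them for different reasons: the threshold sees only a count, the profile sees alice active at an hour she never is (the masquerader case), and the rule sees the sequence failures-then-success that a password guesser leaves behind. A misfeasor logging in normally and then reading files he should not would pass all three, which is the gap the text notes.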

Defend the enclave boundary


In order to defend enclave boundaries, an organization must deploy firewalls and intrusion detection
systems to resist active network attacks.
Security staff must ensure that physical and logical enclaves are adequately protected. The following
steps defend the enclave boundary:
 Enable dynamic throttling of services in response to changing threats.
 Ensure systems and networks in protected enclaves maintain acceptable levels of availability and are
adequately defended against denial-of-service intrusions.
 Ensure data exchanged between enclaves or via remote access is protected.

 Provide boundary defenses for systems within the enclave that cannot defend themselves due to
technical or configuration problems.
 Provide a risk-managed means of selectively allowing information to flow across the enclave
boundary.
 Provide protection against the undermining of systems and data within the protected enclave by
external entities.
 Provide strong authentication, and thereby authenticated access control, of users sending or receiving
information from outside their enclave.

Incident handling process planning


A primary objective of the entire security planning process is preventing security incidents from
occurring. Incident Handling Process Planning (IHPP) can help achieve this objective. The IHPP can be
accomplished in a five-step process:
 Identify measures to help prevent incidents from occurring, such as use of antivirus software,
firewalls, instituting patch and upgrade policies, and so on.
 Define measures that will detect an incident when it occurs, such as Intrusion Detection Systems
(IDS), firewalls, router table, and antivirus software.
 Establish procedures to report and communicate the occurrence of an incident. These procedures
should notify all affected parties when an incident is detected, including parties internal and external
to the affected organization.
 Define processes used to respond to a detected incident. In order to minimize damage, isolate the
problem, resolve it, and restore the affected system(s) to normal operation.
 Develop procedures for conducting a postmortem. During this postmortem, identify and implement
lessons learned regarding the incident in order to prevent future occurrences.

In order to achieve information protection and accountability, it is necessary that:


 All evidence is accounted for at all times (i.e., use of evidentiary procedures).
 The passage of evidence from one party to the next is fully documented.
 The passage of evidence from one location to the next is fully documented.
 All critical information is duplicated and preserved both onsite and offsite in a secure location.

Detection tools
It is important to supplement system and network logs with additional tools that watch for signs that an
incident has occurred or has been attempted.
These include tools that monitor and inspect system resource use, network traffic, network connections,
user accounts, file access, virus scanners, tools that verify file and data integrity, vulnerability scanners,
and tools to process log files.
Examples of detection tools include tools that:
• Report system events, such as password cracking, or the execution of unauthorized programs
• Report network events, such as access during nonbusiness hours, or the use of Internet Relay Chat
(IRC), a common means of communication used by intruders
• Report user-related events, such as repeated login attempts, or unauthorized attempts to access
restricted information
• Verify data, file, and software integrity, including unexpected changes to the protections of files or
improperly set access control lists on system tools
• Examine systems in detail on a periodic basis to check log file consistency or known vulnerabilities

Detection techniques
Incident detection is based on three simple steps:
1. Observe and monitor information systems for signs of unusual activity.

2. Investigate anything that appears to be unusual.
3. If something is found that cannot be explained by authorized activity, immediately initiate
predetermined incident response procedures.

Recommended detection practices


When looking for signs of an incident, administrators should ensure that the software used to examine
systems has not been compromised.
Additional steps in the detection process include:-
• looking for any unexpected modifications that have been made to system directories or files,
• inspecting logs,
• reviewing alert notifications from monitoring mechanisms,
• inspecting triggers that occur for unexpected behavior,
• investigating unauthorized hardware attached to the network,
• looking for signs of unauthorized access to physical resources, and
• reviewing reports submitted by users or external contacts about suspicious system behavior.
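The integrity-verification tool in the detection-tools list and the first detection step above (unexpected modifications to system directories or files, including changed protections), as an added example that is not from the lecture notes: a baseline of content hashes and permission bits is taken over a directory tree, then compared after the kinds of change an intruder leaves behind. The directory layout, file contents and changes are constructed in a temporary directory for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Content hash plus permission bits: a loosened ACL on a system tool is as
    much a sign of compromise as a changed binary."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(os.stat(path).st_mode)}


def build_baseline(root):
    """Map every regular file under root (hidden files included) to its record."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify every difference between a stored baseline and a fresh scan."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            if baseline[name]["sha256"] != current[name]["sha256"]:
                report["modified"].append(name)
            if baseline[name]["mode"] != current[name]["mode"]:
                report["mode_changed"].append(name)
    return report


def demo():
    """Build a constructed tree, take a baseline, then simulate an intrusion:
    a replaced tool, an extra root account, a world-writable sudoers, a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        files = {
            "bin/ls": b"original ls binary",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "etc/sudoers": b"root ALL=(ALL) ALL\n",
        }
        for name, data in files.items():
            p = root / name
            p.write_bytes(data)
            os.chmod(p, 0o644)
        baseline = build_baseline(root)

        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "etc" / "passwd").write_bytes(files["etc/passwd"] + b"eve:x:0:0::/tmp:/bin/sh\n")
        os.chmod(root / "etc" / "sudoers", 0o666)
        (root / "bin" / ".hidden_backdoor").write_bytes(b"listener")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

The check is only as trustworthy as the checker: the baseline must be stored where the intruder cannot rewrite it (read-only or offline media), and the comparison should run from a known-good copy of the tool, which is the point of the warning above about compromised examination software.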
Containment
Containment consists of immediate, short-term, tactical actions designed to remove access to
compromised systems. Containment can help to limit the extent of damage that occurs and prevent
additional damage from occurring. The specific steps to be followed in a containment process often
depend on the type of incident (intrusion, virus, theft, etc.) and whether the incident is ongoing (e.g., an
intrusion) or is over (e.g., a theft of equipment).
Considerations in planning for containment include:
• Defining an acceptable level of risk to business processes and the systems and networks that support
them, and to what extent these processes, systems, and networks must remain operational, even
during a major security incident
• Methods for performing a rapid assessment of the situation as it currently exists (scope, impact,
damage, etc.)
• Determining whether to quickly inform users an incident has occurred, or is occurring, that could
affect their ability to continue work
• Identifying the extent to which containment actions might destroy or mask information required to
assess the cause of the incident later
• If the incident is ongoing, identifying the extent to which containment actions might alert the
perpetrator (e.g., an intruder, thief, or other individual with malicious intent)
• Identifying when to involve senior management in containment decisions, especially when
containment includes shutting systems down or disconnecting them from a network
• Identifying who has the authority to make decisions in situations not covered by existing containment
policy.
Containment strategies include temporarily shutting down a system, disconnecting it from a network,
disabling system services, changing passwords, disabling accounts, changing physical access
mechanisms, and so on.
Specific strategies should be developed for serious incidents, such as:
• Denial of service due to e-mail spamming (sending a large volume of electronic messages to a
targeted recipient) or flooding (filling a channel with garbage, thereby denying others the ability to
communicate across it)
 Programmed threats, such as new viruses not yet detected and eliminated by antivirus software, or
malicious applets, such as those using ActiveX or Java
• Scanning, probing, or mapping attempts made by intruders for the purpose of conducting system
hacking attempts
• Major password compromises (e.g., an intruder with a password sniffer tool), requiring the changing
of all user or account passwords at a specific site or at a specific organizational level

Eradication
Removal of the root cause of a security incident often requires a great deal of analysis, followed by
specific corrective actions, such as the improvement of detection mechanisms, changes in reporting
procedures, installation of enhanced protection mechanisms (such as firewalls), implementation of more
sophisticated physical access controls, development of methods that improve user community awareness
and provide training on what to do when an incident occurs, or making specific changes to security policy
and procedures to prevent reoccurrence of an incident.
Recovery
Restoring a compromised information system to normal operation should be accomplished when the root
cause of the incident has been corrected. This prevents the same or a similar type of incident from
occurring and helps to ensure that a recurring incident will be detected in a more timely fashion.
The determination to return a system to normal operation prior to fully resolving the root problem should
require the involvement of senior management.
System restoration steps may include the following:
• Using the latest trusted backup to restore user data: Users should review all restored data files to
ensure that they have not been affected by the incident.
• Enabling system and application services: Only those services actually required by the users of the
system should be enabled initially.
• Reconnecting the restored system to its LAN: Validate the system by executing a known series of
tests, where prior test results are available for comparison.
• Being alert for problem recurrence: A recurrence of a viral or intrusion attack is a real possibility.
Once a system has been compromised, especially by an intruder, the system will likely become a
target for future attacks.
COMP 425 : INFORMATION SYSTEMS SECURITY
CAT 1
a) Explain the following:- IP spoofing, DNS spoofing , HTTPS spoofing , SSL hijacking, Wi-
Fi hacking. [6 MKS]
b) Explain three hacking tools, which are useful in securing networks. [6 MKS]
c) Explain how SQL injection works in a network. [6 MKS]
d) Name six penetration testing tools and one disadvantage of each. [6 MKS]
e) Which options do you have in executing a Denial of Service Attack? [6 Mks]
