Chapter 1
Introduction to Computer Security and Security Trends
Computer Security
• Computer security is designed to protect your computer and everything associated with it: the workstations and printers, cabling, disks and other storage media. Most importantly, computer security protects the information stored in your system.
1.Confidentiality:
• Here, the user of computer A sends a message to the user of computer B. Another user, C, gets access to this message, which is not desired and therefore defeats the purpose of confidentiality. This type of attack is also called interception.
2.Integrity:
• When the contents of a message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost.
• For example, here user C tampers with a message originally sent by user A, which is actually destined for user B. User C somehow manages to access it, change its contents and send the changed message to user B. User B has no way of knowing that the contents of the message were changed after user A sent it. User A also does not know about this change. This type of attack is called modification.
3.Availability/Authentication
• Authentication helps to establish proof of identities. The authentication process ensures that the origin of a message is correctly identified.
• For example, suppose that user C sends a message over the internet to user B. However, the trouble is that user C posed as user A when sending the message to user B. How would user B know that the message has come from user C, who is posing as user A? This concept is shown in the figure below. This type of attack is called fabrication.
Key Principles of Security
• Confidentiality
• Integrity
• Availability
• Authentication
• Non repudiation
• Access Control
Authentication
• It determines the identity of a user or other entity.
• Authentication methods are as follows:
1.Password Based Authentication (Something the user knows)
2.Device Based Authentication (Something the user has)
3.Biometric Authentication (Something about the user)
1.Password Based Authentication
(Something the user knows)
2.Device Based Authentication
(Something the user has)
• It requires the user to present some item such as a key, magnetic strip card, etc.
• Advantages:
1. It is difficult to copy
2. The user can't forget a password
• Disadvantages:
1. Easy target for theft
2. The user has to carry it every time
3.Biometric Authentication
(Something about the user)
• It identifies some physical characteristic of the user that can't be separated from their body, like voice, fingerprint, retina, etc.
• Advantages:
1. The user doesn't need to carry anything
2. The user doesn't need to remember passwords
• Disadvantages:
1. Complex implementation
2. High cost
• Availability:
– It ensures that the data, or the system itself, is available to the user when the user wants it.
• Non repudiation:
– It is a way to guarantee that the sender of a message can't later deny having sent the message, and that the receiver can't deny having received the message.
• Access Control:
– It gives an organization the ability to control, restrict, monitor and protect resource availability, integrity and confidentiality.
Network Security Model
Working of Network Security Model
1. Sender: it sends a message across the network in encrypted format.
2. Trusted 3rd party: it provides the encryption key to the sender.
3. Information Channel: the message is transferred through the information channel.
4. Opponent: it captures the secret message to obtain information, but this is useless because the message is in encrypted format and so is not readable by the opponent.
5. Trusted 3rd party: it provides the key to the receiver for decryption of the message.
6. Recipient: when the receiver receives the key, the original message is displayed or read by the receiver.
Threats to Security
1.Virus
2.Worms
3.Intruder
4.Insiders
5.Criminal Organizations
6.Terrorists
7.Information Warfare
What is a Virus?
A computer virus is a software program written with malicious intentions.
A computer virus is a harmful software program written intentionally to enter a computer without the user's permission or knowledge.
It has the ability to replicate itself, thus continuing to spread.
Phases(Life Cycle) of Virus
1) Dormant Phase
Here, the virus remains idle and gets activated based on a certain action or event (for example, a user pressing a key, or a certain date and time, etc.).
2) Propagation Phase
The virus starts propagating, that is, multiplying itself. A piece of code copies itself and each copy starts making more copies of itself, thus propagating.
3) Triggering Phase
A dormant virus moves into this phase when it gets activated, that is, the event it was
4) Execution Phase
Resident virus
This type of virus hides in the RAM and stays there even after the malicious code is executed.
Non-Resident virus
A non-resident computer virus is a computer virus that is not stored on the hard drive of the computer that is impacted. It hides in memory until DOS accesses the floppy disk, and whichever boot data is accessed, the virus infects it.
Overwrite Viruses
The virus replaces the file content. However, it does not
change the file size.
Stealth virus
A stealth virus is complex malware that hides itself after
infecting a computer.
Difference between Virus and Worm
2. A virus modifies the code; a worm does not modify the code.
6. A virus can infect other files; a worm does not infect other files but occupies memory space by replicating.
7. A virus may need a trigger for execution; a worm does not need any trigger.
Intruder
• An intruder is a person who enters territory that does not belong to that person.
• Intruders are said to be of three types, as below:
1. Masquerader:
2. Misfeasor:
3. Clandestine user:
1. Masquerader:
i. A user who does not have the authority to use a computer, but penetrates a system to access a legitimate user's account, is called a masquerader.
ii. It is generally an external user.
iii. It pretends to be someone it is not.
2. Misfeasor:
There are two possible cases for an internal user to be called a misfeasor:
i) A legitimate user who does not have access to some applications, data or resources accesses them.
ii) A legitimate user who has access to some applications, data or resources misuses these privileges.
3. Clandestine user:
i. An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls, or to suppress the audit collection.
ii. An internal or external user who tries to work using the privileges of a supervisor user, to avoid auditing information being captured and recorded, is called a clandestine user.
iii. It can be an insider or an outsider.
Insiders
• Insiders are authorized users who try to access a system or network for which they are unauthorized.
• Insiders are legal users.
• They have easy access to the system because they are authorized users.
Why are insiders more dangerous than intruders?
– They are more dangerous than intruders because they have knowledge of the security system.
– They have easy access to the system because they are authorized users.
– There is no security mechanism to protect the system from insiders.
– The insiders have the access and the necessary knowledge to cause immediate damage to an organization.
– So they can have all the access needed to carry out criminal activity, like fraud.
– They have knowledge of the security systems and will be better able to avoid detection.
Difference between Insider and Intruder
Risk and Threat Analysis:
• Assets
• Vulnerability
• Threats
• Countermeasures
Risks = Assets * Vulnerability * Threats
• Asset:
– Assets are nothing but all the H/W and S/W components, like the CPU, cables, RAM, etc.
• Vulnerability:
– It is a weakness in the system.
– It is a point where a system is susceptible to attack.
– Vulnerabilities can be exploited to cause harm or damage.
• Threat:
– It is a set of circumstances that has the potential to cause loss or harm.
– It is a possible danger to the system.
– The danger might be a person (a system cracker or a spy), a thing (a faulty piece of equipment), or an event (a fire or a flood) that might exploit a vulnerability of the system.
• Countermeasures:
– These are actions, devices, procedures or techniques for protecting your system.
Example: the threat is that the bridge may collapse, the vulnerability is a crack in the cement, and the control is repairing the cracks in the cement.
(Figure: a vulnerability, once exploited, becomes an attack.)
Attack
An attack is any attempt to destroy, expose, alter, disable, steal
or gain unauthorized access to or make unauthorized use of an
asset.
An attack occurs when an individual or a group of individuals
attempts to access, modify, or damage your systems or
environment.
Steps in Attacks
Step1: Reconnaissance/Planning/Investigation
Step2: Scanning
Step3: Gaining access
Step4: Maintaining access
Step5: Covering tracks
Step1: Reconnaissance/Planning/Investigation
In this step the attacker collects information about the organization that will help later in gaining unauthorized access to the computer system.
The attacker can use "Social Engineering" and "Dumpster Diving" to find sensitive information.
The attacker can also install viruses, worms or spyware to gain information.
Step2: Scanning
Once the attacker has sensitive information, the attacker starts scanning to find entry points such as backdoors or trapdoors, or to find vulnerabilities of the system.
Step3: Gaining access
Once the attacker gains access, he takes over the system by exploiting a vulnerability of the system, installing a "Trojan Horse" or an automated "Bot" that allows the attacker to send commands from the internet.
Step4: Maintaining access
3. Certain systems were not able to handle this size of packet, and the system would hang or crash.
DDOS (Distributed Denial of Service attack)
1. These types of attacks are difficult to prevent because the behavior of whole networks needs to be analyzed, not only the behavior of a small piece of code.
2. A denial of service attack employing multiple attacking systems is known as a distributed denial of service (DDOS) attack.
3. The goal of a DDOS attack is the same: to deny the use of or access to a specific service or system.
4. In a DDOS attack, the method used to deny service is simply to flood the target with traffic from many different systems.
5. A network of attack agents (sometimes called zombies) is created by the attacker, and upon receiving the attack command from the attacker, the attack agents commence sending a specific type of traffic against the target.
6. If the attack network is large enough, even ordinary web traffic can quickly overwhelm the largest of sites, such as the ones targeted in the 2000 attacks on eBay, CNN, Amazon, and Yahoo.
3.Backdoor/Trapdoor attack
i. These are methods used by software developers to make sure that they can gain access to an application even if something were to happen in the future to prevent the normal access methods.
ii. It allows gaining access without going through the usual security access procedures.
iii. These attacks are initiated by gaining access to the network and inserting a program that creates a backdoor for an attacker.
iv. NetBus and Back Orifice are common backdoors that allow an attacker to remotely access the system and perform various operations on it.
v. It is often known only to the programmer. A backdoor is a potential security risk.
4. Sniffing Attack
A sniffer is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media.
The device can be used to view all traffic, or it can target a specific protocol, service, or even a string of characters.
Objective of sniffing is to steal:
• Password
• Email text
• Files in transfer
5.Spoofing
• In the context of network security, a spoofing
attack is a situation in which one person or
program successfully masquerades as another
by falsifying data and thereby gaining an
illegitimate advantage.
• An attacker alters his identity so that someone thinks he is someone else.
Types of Spoofing
• IP Spoofing
• URL spoofing
• Referrer spoofing
• Caller ID spoofing
• E-mail Address Spoofing
IP Spoofing
Definition:
An attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies,
• thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice and injects his own packets, claiming to have the address of Alice.
URL Spoofing and Phishing
• Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page, such as a bank's site, is reproduced in "look and feel" on another server under the control of the attacker. The main intent is to fool users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords.
• This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browser's location bar, in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack code reports a password error, then redirects the user back to the legitimate site.
Referrer Spoofing
• Referrer spoofing (or ref-tar spoofing) is the sending of incorrect referrer information in an HTTP request, sometimes with the aim of gaining unauthorized access to a web site. It is also used to improve the privacy of an individual using a web browser to view World Wide Web sites, by replacing valid referrer data with incorrect data, though most users simply stop their web browser from sending referrer data, and may also modify other HTTP headers.
Caller ID Spoofing
• In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cell phones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless.
That's easy. You can use a spoof card. A caller ID spoofer and voice changer is a calling card you can use to make a call to anyone and hide or mask your caller ID.
E-mail Address Spoofing
• The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces (i.e. e-mail spam backscatter).
• E-mail spoofing is a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
• By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field (found in the e-mail headers), it actually comes from another source.
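As an added example, not part of the original slides, the following Python check parses a message's headers and flags the kind of From/Return-Path/Reply-To disagreement described above; the two sample messages are constructed for illustration and every address and domain in them is a placeholder.

```python
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real capture): the From field claims one
# domain while Return-Path and Reply-To point at two other domains.
SUSPICIOUS_MAIL = b"""Return-Path: <bounce@mailer.example.net>
From: Accounts Team <accounts@bank.example.com>
Reply-To: <support-desk@mail.example.org>
To: <alice@example.com>
Subject: Please confirm your details

Click the link to confirm.
"""

# Constructed sample where the visible sender and the bounce address agree.
LEGIT_MAIL = b"""Return-Path: <accounts@bank.example.com>
From: Accounts Team <accounts@bank.example.com>
To: <alice@example.com>
Subject: Monthly statement

Your statement is attached.
"""


def _domain(header_value):
    """Extracts the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_mismatches(raw):
    """Returns a list of indicators where Return-Path or Reply-To disagree
    with the From domain. A mismatch is a signal for review, not proof of
    spoofing: mailing lists and ticketing systems legitimately differ."""
    msg = BytesParser().parsebytes(raw)
    from_dom = _domain(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        value = msg[header]          # None when the header is absent
        if value is None:
            continue
        other_dom = _domain(value)
        if other_dom and other_dom != from_dom:
            findings.append(f"{header} domain {other_dom} != From domain {from_dom}")
    return findings
```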
6.Man in the middle attack.
1. A man in the middle attack occurs when attackers are able to place themselves
in the middle of two other hosts that are communicating in order to view or
modify the traffic.
2. This is done by making sure that all communication going to or from the target host is routed through the attacker's host.
3. Then the attacker is able to observe all traffic before transmitting it and can
actually modify or block traffic.
4. To the target host, communication is occurring normally, since all expected
replies are received.
5. Prevention:
– To prevent this attack both sender and receiver must authenticate each other.
7.TCP/IP hijacking Attack
It is also called active sniffing.
It is the process of taking control of an already existing session between a client and a server.
It involves the attacker gaining access to a host in the network and logically disconnecting it from the network.
8.Replay Attacks
These are network attacks in which the attacker captures the conversation between sender and receiver, takes the authentication information and replays it again later.
Example
An attacker might replay a series of commands and codes used in a financial transaction in order to cause the transaction to be conducted multiple times.
Prevention:-
1.Encryption
2.Timestamps
3.Cryptographic authentication
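The replay countermeasures listed here (timestamps and cryptographic authentication) and the modification and fabrication scenarios between users A, B and C from the key principles section can be shown together; this Python example is added here and is not from the original slides. It assumes a shared key already delivered to A and B by the trusted 3rd party of the network security model, and it uses an HMAC tag, a freshness window and a nonce cache at the receiver, all of which are choices made for this example.

```python
import hmac, hashlib, json

# Constructed shared secret for the example; in practice it is the key
# the trusted third party distributes to sender and receiver.
SHARED_KEY = b"example-shared-key-not-for-production"
WINDOW_SECONDS = 30   # how old a timestamp may be before it is rejected


def build_message(sender, recipient, body, nonce, now):
    """Sender side: attach timestamp, nonce and an HMAC tag over all fields."""
    fields = {"from": sender, "to": recipient, "body": body,
              "ts": now, "nonce": nonce}
    canonical = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


class Receiver:
    """Recipient side: verifies the tag, freshness and nonce uniqueness."""
    def __init__(self):
        self.seen_nonces = set()

    def verify(self, msg, now):
        """Returns 'ok' or the reason the message was rejected."""
        fields = {k: v for k, v in msg.items() if k != "tag"}
        canonical = json.dumps(fields, sort_keys=True).encode()
        expected = hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()
        # A bad tag means the message was modified in transit (integrity)
        # or never came from a key holder at all (authentication).
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "rejected: bad tag (modified or fabricated)"
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return "rejected: stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return "ok"


def run_scenarios():
    """Plays A->B delivery, C's modification, C's fabrication and a replay."""
    now = 1_700_000_000
    b = Receiver()
    original = build_message("A", "B", "transfer 100 to X", "n1", now)
    results = {"genuine": b.verify(original, now)}
    # Modification: C changes the body but cannot recompute the tag.
    results["modified"] = b.verify(dict(original, body="transfer 1000 to C"), now)
    # Fabrication: C forges a message claiming to be A, with a guessed tag.
    forged = dict(build_message("A", "B", "pay C", "n2", now), tag="00" * 32)
    results["fabricated"] = b.verify(forged, now)
    # Replay: C re-sends the genuine message a few seconds later.
    results["replayed"] = b.verify(original, now + 5)
    # A valid but old message is rejected by the timestamp window.
    results["stale"] = b.verify(build_message("A", "B", "hi", "n3", now - 100), now)
    return results
```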
Trojan Horse
Logic Bomb attack:
• Logic bombs are a type of malicious software that is
deliberately installed, generally by an authorized user.
• A logic bomb is a piece of code that sits dormant for a period of
time until some event invokes its malicious payload.
• An example of a logic bomb might be a program that is set to load and run automatically and that periodically checks an organization's payroll or personnel database for a specific employee.
• If the employee is not found, the malicious payload executes,
deleting vital corporate files.
• Logic bombs are difficult to detect because they are often
installed by authorized users & by administrators.
Time bomb attack:
• A time bomb refers to a computer program that has been
written so that it will stop functioning after a predetermined
date or time is reached.
• Time bombs are commonly used in beta (pre-release) software
when the manufacturer of the software does not want the beta
version being used after the final release date.
• Example of time bomb software would be Microsoft's
Windows Vista Beta 2, which was programmed to expire on
May 31, 2007.
• The time limits on time bomb software are not usually as
heavily enforced as they are on trial software, since time bomb
software does not usually implement secure clock functions.