Visit for more Learning Resources

Chapter 1 (22M)

Introduction to computer
security and security trends
 Computer Security
• Computer security is designed to protect your computer and
everything associated with it the workstations and printers,
cabling, and disks and other storage media. Most importantly,
computer security protects the information stored in your
system.

• Computer security deals with prevention and detention of

unauthorized actions of user at computer system.

• It involves security majors such as a Data encryption,

passwords, antivirus, firewalls etc.
 Need /Model / CIA model of Security

• The need of computer security has been

threefold: confidentiality, integrity, and
availability—the “CIA” of security.
1. Confidentiality:
2.Integrity:
3.Availability/Authentication
 1. Confidentiality:
•The principle of confidentiality specifies that only sender and intended recipients
should be able to access the contents of a message.
•Confidentiality gets compromised if an unauthorized person is able to access the
contents of a message .
•Example of compromising the Confidentiality of a message is shown in fig.

•Here, the user of a computer A send a message to user of computer B. another user C
gets access to this message, which is not desired and therefore, defeats the purpose of
Confidentiality. This type of attack is also called as interception.
2.Integrity:
• when the contents of the message are changed after the sender sends it, but before it
reaches the intended recipient, we say that the integrity of the message is lost.
• For example,

• here user C tampers with a message originally sent by user A, which is actually
destined for user B. user C somehow manages to access it, change its contents and
send the changed message to user B. user B has no way of knowing that the contents
of the message were changed after user A had sent it. User A also does not know
about this change. This type of attack is called as modification.
 3.Availability/Authentication
• Authentication helps to establish proof of identities. The Authentication process
ensures that the origin of a message is correctly identified.
• For example,

• suppose that user C sends a message over the internet to user B. however, the
trouble is that user C had posed as user A when he sent a message to user B.
how would user B know that the message has come from user C, who posing
as user A? This concept is shown in fig. below. This type of attack is called
as fabrication
 Key Principles of Security

• Confidentiality
• Integrity
• Availability
• Authentication
• Non repudiation
• Access Control
 Authentication
• It determines the identity of user or other entity.
• Authentication methods are as follows:
1.Password Based Authentication(Something user knows)
2.Devise Based Authentication (Something user has)
3.Biometric Authentication(Something about user)
1.Password Based Authentication
(Something user knows)

• It requires user to know something like User ID ,Passwords etc.

• For an example to log onto a computer or network, you enter a user account name and the
password assigned to that account. This password is checked against a database that contains all
authorized users and their passwords. 
• Advantages:
1. Easy to implement
2. Requires no special equipment
• Disadvantages:
1. Easy to forget
2. Easily copied
3. It is vulnerable to a password “cracker”
2. Devise Based Authentication
(Something user has)

• It requires the user to pass some items such as a key ,map strip, card etc.
• Advantages:
1. It is difficult to copy
2. User can’t forget a password

• Disadvantages:
1. Easy target for theft
2. User has to carry it every time
3.Biometric Authentication
(Something about user)

• It identifies some physical characteristics of user that can’t be separated from their
body like voice ,fingerprint ,retina etc.
• Advantages:
1. User don’t need to carry anything
2. User don’t need to remember passwords
• Disadvantages:
1. Complex implementation
2. High Cost
• Availability:
– It ensures that data or system itself is available for user when user wants it.

• Non repudiation:
– It is a way to guarantee that the sender of a message can’t later deny having
sent the message and that the receiver can’t deny having received the
message
• Access Control:
– It gives organization the ability to control ,restrict , monitor and protect
resource availability ,integrity ,confidentiality
Network Security Model
Working of Network Security Model
1. Sender: it sends a message in a network in encrypted format.
2. Trusted 3rd party: It provides encryption key to sender .
3. Information Channel: Message is transferred through the information channel.
4. Opponent: It hacks the secret message to capture information but it is useless because message
is in encrypted format so it is not readable for opponent.
5. Trusted 3rd party: It provides a key to receiver for decryption of message.
6. Recipient : when receiver receives a key then original message is display or read by receiver.
 Threats to Security
1.Virus
2.Worms
3.Intruder
4.Insiders
5.Criminal Organizations
6.Terrorists
7.Information Warfare
 What is a Virus?
Computer virus is a software program written with
malicious intentions.
Computer virus is a harmful software program written
intentionally to enter a computer without the user's
permission or knowledge.
It has the ability to replicate itself, thus continuing to
spread.
 Phases(Life Cycle) of Virus
1) Dormant Phase

Here, the virus remains idle and gets activated based on a certain action or

event(for example, a user pressing a key or on a certain date and time etc)

2)Propagation Phase

The virus starts propagating, that is multiplying itself. A piece of code copies

itself and each copy starts copying more copies of self, thus propagating.
 Phases(Life Cycle) of Virus

3)Triggering Phase

A Dormant virus moves into this phase when it gets activated, that is, the event it was

waiting for gets initialised.

4)Execution Phase

The function of virus is performed. It can be destructive(deleting files on disk) or

harmless(popping messages on screen).

 Types of Computer Viruses
Parasitic viruses
Memory Resident virus
Non-Resident virus
Boot Sector virus
Overwriting virus
Stealth virus
Macro virus
Polymorphic virus
Email viruses
Metamorphic virus
 Parasitic viruses
A parasitic virus attaches itself to a file in order to
propagate.

. COM and EXE files are easiest to infect, as they are

simply loaded directly into memory and execution always
starts at the first instruction.
 Memory Resident Virus
These viruses fix themselves in the computer memory and
get activated whenever the OS runs and infects all the files
that are then opened.

This type of virus hides in the RAM and stays there even
after the malicious code is executed.
Non-Resident virus
A Non-Resident Computer Virus is a computer virus that is
not stored on the hard drive of the computer that is impacted.

Rather, the virus is housed in an executable file that infects a

computer each time it is accessed and run.
 Boot Sector Virus

This type of virus affects the boot sector of a hard disk. .

It hides in the memory until DOS accesses the floppy disk,
and whichever boot data is accessed, the virus infects it.
 Overwrite Viruses
The virus replaces the file content. However, it does not
change the file size.
 Stealth virus
A stealth virus is complex malware that hides itself after
infecting a computer.

Stealth viruses hide in files, partitions and boot sectors .

It uses various mechanisms to avoid detection by

antivirus software.
 Macro Virus
Macro viruses infect files that are created using certain
applications or programs that contain macros, like .doc,
.xls, .pps, .mdb, etc.
These are not executable viruses.
These hide in documents that are shared via e-mail or
networks.

Examples: Relax, Melissa.A, Bablas,

O97M/Y2K
 Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a
different way (using different algorithms and encryption keys)
every time they infect a system.

This makes it impossible for antivirus software to find them.

 Companion Viruses
This is the virus which creates a new program instead of
modifying an existing file.
These generally use the same filename and create a different
extension of it.
For example: If there is a file "Me.exe", the virus creates
another file named "Me.com" and hides in the new file. When
the system calls the filename "Me", the ".com" file gets
executed (as ".com" has higher priority than ".exe"), thus
infecting the system.
 Email viruses
An e-mail virus is computer code sent to you as an e-mail note
attachment which, if activated, will cause some unexpected and
usually harmful effect, such as destroying certain files on your
hard disk and causing the attachment to be re mailed to
everyone in your address book.
 Metamorphic virus
This type of virus keeps rewriting itself every time.

It may change their behavior as well as appearance.

 Computer Anti-Virus
Antivirus software is a computer program that detects,
prevents, and takes action to disarm or remove malicious
software programs, such as viruses and worms.
There are certain types of anti-viruses.
 Worms
• Definition
– Piece of code that automatically reproduces itself over the network.
It doesn’t need the user intervention to propagate (autonomous).
• Infection
– Via buffer overflow, file sharing, configuration errors and other
vulnerabilities.
 Sr. Virus Worm
No
1. A virus is a piece of code that A worm is a malicious program that spread
attaches itself to legitimate program. automatically.

2. Virus modifies the code. Worm does not modify the code.

3. It does not replicate itself. It replicate itself.

4. Virus is a destructive in nature. Worm is non destructive in nature.

5. Aim of virus is to infect the code or Aim of worm is to make computer or

program stored on computer system. network unusable.

6. Virus can infect other files. Worm does not infect other files but it
occupies memory space by replication.

7. Virus may need a trigger for Worm does not need any trigger.
execution.
Intruder
• An intruder is a person that enters territory that does not belong to that
person .
• Intruders are said to be of three types, as below:
1. Masquerader:
2. Misfeasor:
3. Clandestine user:
1. Masquerader:
i. A user who does not have the authority to use a computer, but penetrates
into a system to access a legitimate user‘s account is called a masquerader.
ii. It is generally an external user.
iii. It pretend to be someone which is not.
2. Misfeasor:
There are two possible cases for an internal user to be called as a misfeasor:
i) A legitimate user, who does not have access to some
applications, data or resources, accesses them.
ii) A legitimate user, who has access to some applications,
data or resources, misuses these privileges.
• 3.Clandestine user:
1. An individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls to suppress the audit
collection.
2. An internal or external user who tries to work using the privileges of a
supervisor user to avoid auditing information being captured and
recorded is called as a clandestine user.
3. It can be insider or outsider.
Insiders
• Insiders are authorized users who try to access system or
network for which he is unauthorized.
• Insiders are legal users.
• They have easy access to the system because they are authorized
users.
Why insiders are more dangerous than intruder?
– More dangerous than Intruders as they have knowledge about the security
system.
– They have easy access to the system because they are authorized users.
– There is no security mechanism to protect system from Insiders. Insiders are
more dangerous than intruders because:
– The insiders have the access and necessary knowledge to cause immediate
damage to an organization..
– So they can have all the access to carry out criminal activity like fraud.
– They have knowledge of the security systems and will be better able to avoid
detection
Difference between Insider and Intruder
Risk and Threat Analysis:
• Assets:
• Vulnerability :
• Threats:
• Counter measures:
Risks = Assets * Vulnerability * Threats
• Asset:
– Assets are nothing but all H/W and S/W components like ,CPU,
cables, RAM etc..

• Vulnerability:
– It s weakness in the system
– It is a point where a system is susceptible to attack
– Vulnerabilities cab be exploited to cause a harm or damage
• Threat :
– It is a set of circumstances that has potential to cause loss or
harm.
– is a possible danger to the system
– The danger might be a person (a system cracker or a spy), a
thing (a faulty piece of equipment), or an event (a fire or a
flood) that might exploit a vulnerability of the system
• Countermeasures:
– These are actions,device,procedures or
techniques for protecting your system.
Threat: Bridge may collapse, vulnerability-crack in cement
controls -repairs the cracks in cement

Vulnerabilit
y exploited
Attack
 An attack is any attempt to destroy, expose, alter, disable, steal
or gain unauthorized access to or make unauthorized use of an
asset.
 An attack occurs when an individual or a group of individuals
attempts to access, modify, or damage your systems or
environment.
Steps in Attacks 1
Step1: Reconnaissance/Planning/Investigation
Step2: Scanning
Step3: Gaining access
Step4: Maintaining access
Step5: Covering tracks
Step1: Reconnaissance/Planning/Investigation

In this attacker will need to collect more information about
organization that will helf later to gain unauthorized access to
computer system.

Attacker can use “Software Engineering” and “Dumpster
Diving” to find sensitive information

Attackker can also install virus,worms,spywares softwares to
gain informations.
Step2: Scanning
 Once an attacker gets a sensitive information attacker
starts scanning to find entry points such as
backdoors,trapdoors or finding vulnerabilities of syatem.
Step3: Gaining access
 Once attacker gains access he take over a system
that exploit a vulnerabilities of system by installing
“Trojan Horse” or automatic “Bot” that allow an attacker
to send a command from internet.
Step4: Maintaining access

 Once an attacker gains full access to

system they will reconfigure a system .
 They also install software patches to close
previous security vulnerabilities just to
keep hackers out.
Step5: Covering tracks
 Attacker must stay hidden to maintain
control and gather more intelligence to
maximize the damage.
Steps in Attacks 2
Step1: Interception:
Step2: Fabrication:
Step3: Modification:
Step4: Interruption:
Step1: Interception:
 It is related concept of confidentiality.
 Here an unauthorized party has gained access to a
resource, it can be person, program, or computer based
system. i.e. copying of data or programs, listening to
network traffic.
Step2: Fabrication

 concept of authorization, It involves the

creation of illegal objects on a computer
system. i.e. attacker adds fake records to
data base.
Step3: Modification

Its under Integrity, Here attacker may modify

the values in the database.
Step4: Interruption

 It‘s related to availability, Here Resources

become unavailable, Lost or unusable, i.e.
denial of service, problem causing to a
hardware device, erasing program, data,or
operating system components.

For more detail contact us

 Security Attacks
1. Active & passive attacks
2. Denial of service attack
3. Backdoors & trapdoors
4. Sniffing
5. Spoofing
6. Man-in Middle attack
7. TCP/IP Hacking
8. Replay attack
9. Encryption attack.
10. Malware- Virus, Worms
 1. Active Attacks
1. In active attacks, the contents of the original message are modified
in some way.
2. The active attacks can not be prevented easily.
3. These types of attacks are subdivided into four categories :
a. Masquerade
b. Replay
c. Modification of Message
d. Denial of service
 2. Passive Attacks
1. Passive attacks are those, where attacker aims to obtain information
that is in transit.
2. In passive attack, attacker does not involve any modifications to the
contents of an original message.
3. They are hard to detect.
4. There are two types of passive attacks:
a. Release of Message contents
b. Traffic Analysis
 3.Denial Of Service Attack.
1. Denial of service (DOS) attack scan exploits a known vulnerability in a specific application or operating system, or
they may attack features (or weaknesses) in specific protocols or services.
2. In this form of attack, the attacker is attempting to deny authorized users access either to specific information or to
the computer system or network itself.
3. The purpose of such an attack can be simply to prevent access to the target system, or the attack can be used in
conjunction with other actions in order to gain unauthorized access to a computer or network.
4. Examples:
a. SYN Flood
1. Types:
a. POD (ping-of-death)
b. DDOS (Distributed Denial of Service attack)
 4.SYN flooding Attack
1.SYN flooding is an example of a DOS attack that takes advantage of the way TCP/IP networks were designed to
function, and it can be used to illustrate the basic principles of any DOS attack.
2.SYN flooding utilizes the TCP three-way handshake that is used to establish a connection between two systems.
3.In a SYN flooding attack, the attacker sends fake communication requests to the targeted system.
4.Each of these requests will be answered by the target system, which then waits for the third part of the handshake.
5. Since the requests are fake the target will wait for responses that will never come, as shown in Figure .
6. The target system will drop these connections after a specific time-out period, but if the attacker
sends requests faster than the time-out period eliminates them, the system will quickly be filled with
requests.
7. The number of connections a system can support is finite, so when more requests come in than can be
processed, the system will soon be reserving all its connections for fake requests.
8. At this point, any further requests are simply dropped (ignored), and legitimate users who want to
connect to the target system will not be able to.
9. Use of the system has thus been denied to them.
 POD (ping-of-death)
1. In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) ―ping ‖ packet equal to, or
exceeding 64KB (which is to say, greater than 64 * 1024 = 65,536 bytes).
2. This type of packet should not occur naturally (there is no reason for a ping packet to be larger than 64KB).

3. Certain systems were not able to handle this size of packet, and the system would hang or crash.
 DDOS (Distributed Denial of Service attack)

1. These types of attacks are difficult to prevent because the behavior of whole networks needs to be analyzed,
not only the behavior of small piece of code.
2. A denial of service attack employing multiple attacking systems is known as a distributed denial of service
(DDOS) attack.
3. The goal of a DDOS attack is the same: to deny the use of or access to a specific service or system.
4. In a DDOS attack, the method used to deny service is simply to flood the target with traffic from many
different systems.
5. A network of attack agents (sometimes called zombies) is created by the attacker, and upon
receiving the attack command from the attacker, the attack agents commence sending a specific
type of traffic against the target.

6. If the attack network is large enough, even ordinary web traffic can quickly overwhelm the largest
of sites, such as the ones targeted in 2000. ed attacks on eBay, CNN, Amazon, and Yahoo.
 3.Backdoor/Trapdoor attack
i. These are the methods used by software developers to make sure that they can
gain access to an application even if something were to happen in future to
prevent normal access methods.
ii. It allows to gain access without going through the usual security access
procedures.
iii. These attacks are initiated by gaining access to network and inserting a program
that creates a backdoor for an attacker.
iv. NetBus and Back Orifice are common backdoors that allows attacker to remotely
access the system and perform various operations on it.
v. It is often only known by the programmer. A backdoor is a potential security
risk.
 4. Sniffing Attack
sniffers is a software or hardware device that is used to observe traffic as it passes
through a network on shared broadcast media.
The device can be used to views all traffic or it can target a specific protocol,
service, or even string of characters.
Objective of sniffing is to steal:
• Password
• Email text
• Files in transfer
 5.Spoofing
• In the context of network security, a spoofing
attack is a situation in which one person or
program successfully masquerades as another
by falsifying data and thereby gaining an
illegitimate advantage.
• An attacker alters his identity so that some one
thinks he is some one else
 Types of Spoofing
• IP Spoofing
• URL spoofing
• Referrer spoofing
• Caller ID spoofing
• E-mail Address Spoofing
 IP Spoofing
Definition:
Attacker spoofs the address of another machine and inserts itself
between the attacked machine and the spoofed machine to
intercept replies

Attacker intercepts packets From Address: 10.10.20.30

as they go to 10.10.20.30 To Address: 10.10.5.5

Replies sent back

to 10.10.20.30
Attacker John
10.10.50.50 10.10.5.5

• thus gaining access to all messages in both directions without the trouble of
any cryptanalytic effort. The attacker must monitor the packets sent from
Alice to Bob and then guess the sequence number of the packets. Then the
attacker knocks out Alice and injects his own packets, claiming to have the
address of Alice.
 URL Spoofing and Phishing
• Another kind of spoofing is "webpage spoofing," also known as phishing.
In this attack, a legitimate web page such as a bank's site is reproduced in
"look and feel" on another server under control of the attacker. The main
intent is to fool the users into thinking that they are connected to a trusted
site, for instance to harvest user names and passwords.

• This attack is often performed with the aid of URL spoofing, which
exploits web browser bugs in order to display incorrect URLs in the
browsers location bar; in order to direct the user away from the legitimate
site and to the fake one. Once the user puts in their password, the attack-
code reports a password error, then redirects the user back to the legitimate
site.
 Referrer Spoofing
• Referrer spoofing or ref tar spoofing is the sending of incorrect
referrer information in an HTTP request, sometimes with the
aim of gaining unauthorized access to a web site. It is also
used to improve the privacy of an individual using a web
browser to view World Wide Web sites, by replacing valid
referrer data with incorrect data, though most users simply
suppress their web browser from sending referrer data, and
may also modify other HTTP headers.
 Caller ID Spoofing
• In public telephone networks, it has for a long
while been possible to find out who is calling
you by looking at the Caller ID information
that is transmitted with the call. There are
technologies that transmit this information on
landlines, on cell phones and also with VoIP.
Unfortunately, there are now technologies
(especially associated with VoIP) that allow
callers to lie about their identity, and present
false names and numbers, which could of
course be used as a tool to defraud or harass.
Because there are services and gateways that
interconnect VoIP with other public phone
networks, these false Caller IDs can be
transmitted to any phone on the planet, which
makes the whole Caller ID information now
next to useless
That’s easy. You can use a spoof card. A Caller ID Spoofer and Voice Changer
is a calling card you can use to make a call to anyone and hide or mask your
caller ID.
http://www.spoofcard.com/?
utm_source=pj&utm_medium=Affiliate&source=p
 E-mail Address Spoofing
• The sender information shown in e-mails (the "From" field) can be spoofed
easily. This technique is commonly used by spammers to hide the origin of
their e-mails and leads to problems such as misdirected bounces (i.e. e-
mail spam backscatter).
• E-mail spoofing is a term used to describe (usually fraudulent) e-mail
activity in which the sender address and other parts of the e-mail header
are altered to appear as though the e-mail originated from a different
source.
• By changing certain properties of the e-mail, such as the From, Return-
Path and Reply-To fields (which can be found in the message header), ill-
intentioned users can make the e-mail appear to be from someone other
than the actual sender. The result is that, although the e-mail appears to
come from the address indicated in the From field (found in the e-mail
headers), it actually comes from another source.
 6.Man in the middle attack.

1. A man in the middle attack occurs when attackers are able to place themselves
in the middle of two other hosts that are communicating in order to view or
modify the traffic.
2. This is done by making sure that all communication going to or from the target
host is routed through the attacker‘s host.
3. Then the attacker is able to observe all traffic before transmitting it and can
actually modify or block traffic.
4. To the target host, communication is occurring normally, since all expected
replies are received.
5. Prevention:
– To prevent this attack both sender and receiver must authenticate each other.
7.TCP/IP hijacking Attack

It is called as active sniffing.
 It is the process of taking control of an already existing session
between client and a server.
 It involve attacker gaining access to a host in the network and
logically disconnecting it from the network.
8.Replay Attacks
 This are the network attacks in which attacker captures
the conversation between sender and receiver and takes
the authenticated information and reply it again later.
Example
An attacker might replay a series of
commands and codes used in financial
transcation order to cause the transaction
to be conducted multiple times.
Prevention:-
1.Encryption
2.Timestamps
3.Cryptography authentication
Trojan Horse
Logic Bomb attack:
• Logic bombs are a type of malicious software that is
deliberately installed, generally by an authorized user.
• A logic bomb is a piece of code that sits dormant for a period of
time until some event invokes its malicious payload.
• An example of a logic bomb might be a program that is set to
load & run automatically and that periodically checks an
organization‘s payroll or personal database for a specific
employee.
• If the employee is not found, the malicious payload executes,
deleting vital corporate files.
• Logic bombs are difficult to detect because they are often
installed by authorized users & by administrators.
Time bomb attack:
• A time bomb refers to a computer program that has been
written so that it will stop functioning after a predetermined
date or time is reached.
• Time bombs are commonly used in beta (pre-release) software
when the manufacturer of the software does not want the beta
version being used after the final release date.
• Example of time bomb software would be Microsoft's
Windows Vista Beta 2, which was programmed to expire on
May 31, 2007.
• The time limits on time bomb software are not usually as
heavily enforced as they are on trial software, since time bomb
software does not usually implement secure clock functions.