
Chapter 1

Introduction to Computer
Security and Security Trends
Marks 14

Ganesh N. Jorvekar
Need for security
 Information is a strategic resource
 A significant portion of organizational budget
is spent on managing information
 Several security-related objectives:
• Confidentiality (secrecy) - protect the value of information
• Integrity - protect the accuracy of information
• Availability - ensure information is delivered when it is needed

2 Ganesh .N.Jorvekar April 22, 2024


Why we need security?
Good news: Your employees and partners can now access your critical business information.

Bad news: Your employees and partners can now access your critical business information.



Why we need security?
FBI:
– 40% of security loss is due to insider information leaks
– Loss due to insider information leaks has increased on average 49% per year for the last 5 years



Some Statistics
Financial loss reported due to attacks: ~ $500 million
Not everyone reports losses due to attacks

Type of attack      Percentage
Virus               85%
Denial of Service   40%
Intrusion           40%

Internet as source of attack: 74%



What is Security?
Security is the protection of assets. The three main aspects are:

• Prevention

• Detection

• Reaction



Some differences between traditional security and information security

• Information can be stolen - but you still have it

• Confidential information may be copied and sold - but the theft might not be detected

• The criminals may be on the other side of the world
Computer Security
What is Security?
“Deals with the prevention and detection of
unauthorised actions by users of a computer
system.”
“The protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the integrity,
availability, and confidentiality of information
system resources (includes hardware, software,
firmware, information/data, and
telecommunications).”
Security basics
• Data Confidentiality - protection of data from unauthorized disclosure (secrecy)
• Data Integrity - assurance that data received is exactly as sent by an authorized entity (trustworthiness)
• Availability - the resource is accessible and usable on demand by authorized users
• Authentication - assurance that the communicating entity is the one it claims to be
– covers both peer-entity and data-origin authentication
• Access Control - prevention of the unauthorized use of a resource
Confidentiality
 Preserving authorized restrictions on information
access and disclosure
 Protecting personal privacy and proprietary
information
 Loss of confidentiality is the unauthorized
disclosure of information.



Integrity
 Guarding against improper information modification or destruction
 Loss of integrity is the unauthorized modification or destruction of information.
[Figure: A sends data to B; an attacker on the path modifies the data before it reaches B]



Availability
 Ensuring timely and reliable access to and use of information
 Loss of availability is the disruption of access to or use of information
 Assures that systems work promptly and service is not denied to authorized users



Security basics (cont…)
[Figure: the CIA triad - Confidentiality, Integrity and Availability as the three corners of ideal information security]



Authentication
 Authentication is the process of verifying that a communicating entity is the one it claims to be.
 Authenticity is the property of being genuine, valid or trusted.
 Authentication helps to establish proof of identity.
 Authentication gives confidence in the validity of a transmission, a message, or its originator.
 The task of an authentication mechanism is to make sure that only valid users are admitted.



Authentication Method
Something you know
Authentication based on what the user remembers. Ex. username and password
Something you have
Authentication based on something the user needs to carry. Ex. access card, hardware token
Something you are
Authentication based on a human's unique physical characteristics. Ex. biometrics
Access Control
 Access is the ability of a subject to interact with an object.
 Access control is the ability to specify, control and limit access to the host system or application, which prevents unauthorized users from accessing or modifying data or resources.
 In short: prevention of the unauthorized use of a resource.



Non Repudiation
 Non-repudiation prevents either the sender or the receiver from denying a transmitted message.
 Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the message.
 Similarly, when a message is received, the sender can prove that the alleged receiver in fact received the message.



Authorization
 Authorization is the process of verifying that a known (already authenticated) person has the authority to perform a certain operation.
 Authorization cannot occur without authentication.
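The authentication-then-authorization sequence described on the Authentication Method, Access Control and Authorization slides, as an added example that is not part of the original slides. It implements the "something you know" factor with a salted PBKDF2 password hash, then consults an access-control list, and records every decision in an audit log of the kind an insider-monitoring review would read. The users, passwords, objects and ACL are constructed for the demo.

```python
"""Added example (not from the slides): 'something you know' authentication
followed by an authorization check, with an audit log of every decision.
Users, passwords and the permission table below are constructed for the demo."""
import hashlib
import hmac
import os
import time

# --- authentication: "something you know" -----------------------------------
# Passwords are never stored; we keep a random salt and a PBKDF2 hash.
def make_credential(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(cred: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    cred["salt"], cred["iterations"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, cred["digest"])

# --- authorization: who may do what -----------------------------------------
# Constructed access-control list: subject -> object -> allowed operations.
ACL = {
    "alice": {"payroll.db": {"read", "write"}, "hr.docs": {"read"}},
    "bob":   {"hr.docs": {"read"}},
}

USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob":   make_credential("hunter2"),
}

AUDIT_LOG = []  # one record per decision (time, user, object, op, verdict, why)

def request(user: str, password: str, obj: str, op: str) -> bool:
    """Authenticate, then authorize. Authorization cannot happen without authentication."""
    cred = USERS.get(user)
    # Unknown user and wrong password give the same answer: no account enumeration.
    if cred is None or not verify_password(cred, password):
        AUDIT_LOG.append((time.time(), user, obj, op, "DENY", "authentication failed"))
        return False
    if op in ACL.get(user, {}).get(obj, set()):
        AUDIT_LOG.append((time.time(), user, obj, op, "ALLOW", "ok"))
        return True
    AUDIT_LOG.append((time.time(), user, obj, op, "DENY", "not authorized"))
    return False

if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "payroll.db", "write"))  # True
    print(request("bob", "hunter2", "payroll.db", "read"))   # False: authenticated, not authorized
    print(request("bob", "wrong", "hr.docs", "read"))        # False: authentication failed
    print(request("mallory", "x", "hr.docs", "read"))        # False: unknown user
    for rec in AUDIT_LOG:
        print(rec[1:])
```

Note that the two denial reasons are kept apart only in the audit log, not in the answer returned to the caller: a client that can tell "no such user" from "wrong password" can enumerate accounts.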



Example of Security
Low
• Loss would have a limited adverse effect on organizational operations, assets or individuals
• Causes some degradation in mission capability
• Reduces the effectiveness of a function
• Minor damage to assets
• Minor functional loss
• Minor harm to individuals
Example of Security
Moderate
• Loss would have a serious adverse effect on organizational operations, assets or individuals
• Causes significant degradation in mission capability
• Significantly reduces the effectiveness of a function
• Significant damage to assets
• Significant functional loss
• Significant harm to individuals
Example of Security
High
• Loss would have a severe or catastrophic adverse effect on organizational operations, assets or individuals
• Causes severe degradation in mission capability
• The organization is not able to perform one or more of its primary functions
• Major damage to assets
• Major functional loss
• Major harm to individuals
Example of Security
Confidentiality
example
Integrity
example
Availability
example



Challenges for Security
• Not simple: the requirements (CIA) sound simple, but the mechanisms that meet them are not.
• When designing a security mechanism, consider the potential attacks against it.
• Security mechanisms are complex and often counter-intuitive.
• It is necessary to decide where to use them (physical / logical placement).
• They involve more than one protocol/algorithm, plus the problem of managing secret information (e.g. encryption keys).
Challenges for Security
• A battle of wits between attacker and admin/designer: the attacker needs to find only one weakness, the designer must close all of them.
• Human tendency: little investment in security until a failure occurs.
• Security needs regular, constant monitoring.
• It is essential to add security at design time rather than after the design is complete.
• Security is often an afterthought (it should be considered at design time).
• Tendency to see strong security as an obstacle to efficient, user-friendly operation.
Model for Security
Security means protecting assets, and assets are
 Hardware
 Software
 Data
 Communication facilities and networks
Following are possible vulnerabilities
 Data can be corrupted.
 Data can be leaked.
 Data can be unavailable.
Risk and Threat Analysis
• Risk
• Risk is the potential for loss or damage when a threat exploits a vulnerability in a system.
• An attack is carried out as a sequence of actions, e.g. exploiting weak points.



Risk and Threat Analysis
• Risk analysis is review of data gathered
and analysis of risk
• Risk assessment team determine asset
values, system criticality, likely threats,
and existence of vulnerabilities.
• Risk calculations
Risk = Assets X Threats X Vulnerabilities



Risk and Threat Analysis
Assets
• Those items that an organization wishes to protect.
• An asset can be any data, device or other component that supports information-related activities.
• Assets can be hardware, software, or confidential information.
• Valuing assets scopes and guides the security risk assessment.
Risk and Threat Analysis
Threats
• An undesired event that may result in loss, disclosure or damage to an organizational asset.
• A threat is the potential for a violation of security.
• A threat exists when there is a circumstance, capability, action or event that could breach security.
• Threats can be identified by the damage done to an asset, e.g.:
– Spoofing the identity of users
– Information disclosure
– Users gaining more privileges (elevation of privilege)
Risk and Threat Analysis
Vulnerability
• A vulnerability is a weakness in the information infrastructure of an organization.
• It can be exploited, accidentally or intentionally, to damage the asset.
• Vulnerabilities can be
– Programs with unnecessary privilege
– Accounts whose default password has not been changed
– Programs with known faults
– Weak access control
– Weak firewall rules
Threats to Security
• Viruses
• Worms
• Intruders
• Insiders
• Criminal organizations
• Terrorists
• Information warfare



Malicious Software



Backdoor and Trapdoors
• Secret entry point into a program
• Allows those who know of it to gain access, bypassing the usual security procedures
• Have been commonly used by developers (for testing and debugging)
• A threat when left in production programs, allowing them to be exploited by attackers
• Very hard to block at the O/S level
• Requires good software development and update practices
Logic Bomb
• One of oldest types of malicious software
• Code embedded in legitimate program
• Activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• When triggered typically damage system
– modify/delete files/disks
Trojan Horse
• Program with hidden side-effects
• Which is usually superficially attractive
– eg game, s/w upgrade etc
• When run performs some additional tasks
– allows attacker to indirectly gain access they do
not have directly
• Often used to propagate a virus/worm or
install a backdoor
• Or simply to destroy data
Zombie
• Program which secretly takes over another
networked computer
• Then uses it to indirectly launch attacks
• Often used to launch distributed denial of
service (DDoS) attacks
• Exploits known flaws in network systems



Viruses
• Piece of software that infects programs
– Modifying them to include a copy of the virus
– So it executes secretly when host program is run
• Specific to operating system and hardware
– Taking advantage of their details and weaknesses
• A typical virus goes through phases of:
– Dormant
– Propagation
– Triggering
– Execution
Virus Structure
• Components:
– Infection mechanism - enables replication
– Trigger - event that makes the payload activate
– Payload - what it does, the malicious activity
• Virus code may be prepended / appended / embedded in the host program
• When the infected program is invoked, the virus code executes first, then the original program code



Virus Classification
• Boot sector
• File infector
• Macro virus
• Stealth virus
• Polymorphic virus
• Metamorphic virus



Types of Viruses
Can classify on basis of how they attack
• Parasitic virus
-Attaches itself to executable files and replicates
• Memory-resident virus
-Lodges in the main memory and infects every
program that executes.
• Boot sector virus
-Infects a boot record and spreads when the
system is booted from the disk
…Types of Viruses
• Stealth
-Designed to hide itself from antivirus software
• Polymorphic virus
-A virus that mutates with every infection, making
detection very difficult
• Metamorphic virus
-Mutates with every infection, but rewrites itself
completely every time. Making it extremely
difficult to detect.
Macro Virus
• Became very common in mid-1990s since
– Platform independent
– Infect documents
– Easily spread
• Exploit macro capability of office apps
– Executable program embedded in office doc
– Often a form of Basic
• More recent releases include protection
• Recognized by many anti-virus programs
E-Mail Viruses
• More recent development
• e.g. Melissa
– Exploits MS Word macro in attached doc
– If attachment opened, macro activates
– Sends email to all on users address list
– And does local damage
• Much faster propagation



Virus Countermeasures
• Prevention - ideal solution but difficult
• Realistically need:
– Detection
– Identification
– Removal
• If detect but can’t identify or remove, must
discard and replace infected program



[Figure: three columns. Original code: "Add i to j; Print; Close; end". Infected code due to virus: the same program with a call to the virus job inserted before its own instructions. Virus code: "Delete all files; send copy to all users; return"]



Worm
• A worm is a program that can replicate itself
• It is malicious software which does not require a host program for its execution.
• A replicating program that propagates over the network without infecting programs (it does not attach itself to a program)
• A worm need not carry a destructive payload, but it is not harmless:
• A worm can harm a computer system by filling main memory with its replicated copies.
Worm
• Worm is able to send multiple copies of itself
to other computer on network
• A worm can harm a network and consume
network bandwidth.
• Has phases like a virus:
– Dormant, propagation, triggering, execution
– Propagation phase: searches for other systems,
connects to it, copies self to it and runs



Morris Worm
• One of the best known worms
• Released by Robert Morris in 1988
• Various attacks on UNIX systems
– Cracking the password file to use login/password pairs to log on to other systems
– Exploiting a bug in the finger daemon
– Exploiting a bug in sendmail
• If it succeeded it had remote shell access
– Sent a bootstrap program to copy the worm over
Some Worm Attacks
• Code Red
– July 2001 exploiting MS IIS bug
– probes random IP address, does DDoS attack
• Code Red II variant includes backdoor
• SQL Slammer
– early 2003, attacks MS SQL Server
• Mydoom
– mass-mailing e-mail worm that appeared in 2004
– installed remote access backdoor in infected systems
• Warezov family of worms
– scan for e-mail addresses, send in attachment
Virus vs Worm
Worm | Virus
A malicious program that spreads automatically | A piece of code that attaches itself to another program
Worm does not modify other programs' code | Virus modifies the code of its host program
It can replicate itself | Some viruses cannot replicate themselves
Worm need not carry a destructive payload (but still consumes resources) | Virus is typically destructive in nature
Aim of a worm is to make a computer or network unusable | Aim of a virus is to infect other programs stored on the computer system
Worm does not infect other files but occupies memory space by replication | Virus infects files
Worm does not need a trigger | Virus may need a trigger for execution



Intruders
• Hacking means the act of accessing a computer system or network without authorization (this includes authorized users who exceed their authorization).
• Intruders are extremely patient, since the process of gaining access requires persistence and dogged determination.
• If the first attack fails they try from a different angle (search for another possible vulnerability).
• If the second attack is blocked or fails, they try a third and so on, until they find a vulnerability or gain access.



Intruders
Levels
• At the low end are individuals who are not technically expert enough to develop new scripts or find new vulnerabilities.
• They use ready-made (downloaded) scripts for known vulnerabilities.
• At the next level are people who are capable of writing scripts to exploit known vulnerabilities.
• This group accounts for 8 to 12% of malicious internet activity.
• At the top end are the so-called elite hackers.
• Capable of writing scripts that exploit vulnerabilities.
• Also capable of discovering new vulnerabilities.
Intruders
• Often referred to as a hacker or cracker
• Three classes of intruders:
– Masquerader: An individual who is not authorized to
use the computer and who penetrates a system’s access
controls to exploit a legitimate user’s account
– Misfeasor: A legitimate user who accesses data,
programs, or resources for which such access is not
authorized, or who is authorized for such access but
misuses his or her privileges
– Clandestine user: An individual who seizes
supervisory control of the system and uses this control
to evade auditing and access controls or to suppress
audit collection



Insiders
• More dangerous than outside intruders
• Most difficult to detect and prevent
• Have access and knowledge to cause immediate
damage to an organization.
• Have knowledge of the security systems in place
and will be better able to avoid detection.
• Employees are not the only insiders but there are
other people who have access like contractors or
partners.



Insiders
For preventing insider attacks
• Enforce least privilege: allow access only to the resources an employee needs to do their job.
• Set up logging so you can see what users access and what commands they are entering.
• Protect sensitive resources with strong authentication.
• Upon termination, revoke the employee's computer and network access immediately.



Insiders | Intruders
Insiders are authorized users who try to access a system or network for which they are not authorized | Intruders are authorized or unauthorized users who try to access the system or network
Insiders are not hackers | Intruders are hackers or crackers
Insiders are legitimate users | Intruders are illegitimate users
Insiders are more dangerous | Intruders are less dangerous
Insiders have knowledge of the security system | Intruders have to study or gain knowledge about the security system
Insiders have easy access to the system | Intruders do not have access to the system
There is no specific mechanism to protect the system from insiders | Many security mechanisms are used to protect against intruders
Criminal organizations
• Organized groups of hackers now a threat
– Corporation / government / loosely affiliated gangs
– Typically young
– Often target credit cards on e-commerce server
• Criminal activities on the internet same as criminal
activities in physical world
– Fraud, extortion, theft, forgery
• Criminal hackers usually have specific targets
• Once penetrated act quickly and get out
• IDS / IPS help but less effective
• Sensitive data needs strong protection
Terrorists and Information Warfare
• Nations are dependent on computers and networks.
• Information warfare is conducted against information and information-processing equipment.
• It is a highly structured threat/attack.
• It requires a longer period of penetration, large financial backing, and a large organized group of attackers.
• Military forces are a key target.



Avenues of Attack
• The two most frequent types of attacks:
– viruses and insider abuse.
• 2 general reasons a particular computer system is
attacked:
– It is either specifically targeted by the attacker, not because
of the hardware or software the organization is running but
for some other reason, such as a political reason
– Or it is an opportunistic target, is conducted against a site
that has hardware or software that is vulnerable to a
specific exploit.
• Targeted attacks are more difficult and take more
time than attacks on a target of opportunity



The Steps in an Attack
• The steps an attacker takes are similar to the ones that a security consultant performing a penetration test would take.
– Gather as much information about the organization as possible.
– Determine what target systems are available and active:
1. Ping sweep: send an ICMP echo request to each candidate machine.
2. Port scan: identify the open ports, which indicate the services running on the target machine.
3. Determine the operating system (OS fingerprinting).
• An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, and then use them against the site.
• If the exploits do not work, other, less system-specific attacks may be attempted.
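The port-scan step of the sequence above, as an added example that is not part of the original slides: a TCP connect scan, which decides a port is open when the full three-way handshake completes. To run offline it starts its own listeners on 127.0.0.1 on OS-chosen ports and reserves one closed port; none of the port numbers are real services.

```python
"""Added example (not from the slides): the 'which ports are open' step of an
attack or penetration test, as a TCP connect scan. The listeners and the closed
port are created locally so the scan has something to find without touching
any real host."""
import socket
import threading

def start_listener() -> socket.socket:
    """Bind a TCP server on a free loopback port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # listener was closed
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def closed_port() -> int:
    """Reserve a free loopback port, then release it so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """A connect() succeeds (returns 0) only if a service accepts the handshake;
    a closed port answers RST and connect_ex returns ECONNREFUSED instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def connect_scan(host: str, ports) -> list:
    """Return, in order, the subset of `ports` that accept a TCP connection."""
    return [p for p in ports if is_open(host, p)]

def demo() -> tuple:
    """Two live services and one closed port; returns (ports found open, ports expected)."""
    a, b = start_listener(), start_listener()
    expected = sorted([a.getsockname()[1], b.getsockname()[1]])
    targets = sorted(expected + [closed_port()])
    found = connect_scan("127.0.0.1", targets)
    a.close()
    b.close()
    return found, expected

if __name__ == "__main__":
    found, expected = demo()
    print("open:", found, "expected:", expected)
```

Because a connect scan completes the handshake, every probe shows up in the target's connection logs; scanners such as nmap default to a half-open SYN scan for that reason, which needs raw-socket privileges.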



Passive Attacks
• Eavesdropping on transmissions
• Attacker aims to obtain information in transit
– Release of possibly sensitive/confidential message contents
– Traffic analysis, which monitors the frequency and length of messages to learn about the senders and the nature of the communication
• Does not modify the data.
• Difficult to detect, because nothing on the wire changes.
• Encryption prevents release of message contents; traffic analysis is only partly prevented, since message lengths, timing and addresses remain visible unless the traffic is padded or masked.


Passive Attacks Types
• Release of message contents
– A confidential message should be accessible only to authorized users; otherwise the message is released against our wishes.
• Traffic analysis
– Even when messages are encrypted, the attacker may look for patterns in the encrypted traffic (lengths, frequency, endpoints) for clues about the communication.
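The two passive attacks above, as an added example that is not part of the original slides: messages are encrypted with a one-time pad whose key is discarded, so release of contents is impossible, yet an eavesdropper who knows the protocol's vocabulary still recovers the message from its length alone; padding every message to a fixed block size removes that clue. The command vocabulary and the eavesdropper's knowledge of it are constructed for the demo.

```python
"""Added example (not from the slides): why encryption stops release of message
contents but not traffic analysis, and how padding blunts the latter. The cipher
is a one-time pad with a discarded key, so the ciphertext bytes carry no
information; the eavesdropper sees only lengths. The vocabulary is constructed."""
import os

# Constructed protocol vocabulary; the eavesdropper is assumed to know it.
COMMANDS = [b"ABORT", b"PROCEED", b"TRANSFER 1000000 TO ACCT 4242"]

def encrypt(msg: bytes) -> bytes:
    """XOR with a fresh random keystream that is never reused or kept."""
    key = os.urandom(len(msg))
    return bytes(m ^ k for m, k in zip(msg, key))

def pad(msg: bytes, block: int = 32) -> bytes:
    """Append 0x80 then zeros up to a multiple of `block` bytes; unambiguous to strip."""
    n = block - (len(msg) % block)
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad(padded: bytes) -> bytes:
    """Strip the padding (messages here are ASCII, so 0x80 cannot occur in them)."""
    return padded[: padded.rindex(b"\x80")]

def traffic_analysis(ciphertext: bytes, vocabulary) -> list:
    """Passive attacker: which known messages are consistent with the observed length?"""
    return [m for m in vocabulary if len(m) == len(ciphertext)]

def traffic_analysis_padded(ciphertext: bytes, vocabulary, block: int = 32) -> list:
    """Same attack against padded traffic: every candidate pads to the same length."""
    return [m for m in vocabulary if len(pad(m, block)) == len(ciphertext)]

if __name__ == "__main__":
    ct = encrypt(b"ABORT")
    print("unpadded, candidates:", traffic_analysis(ct, COMMANDS))          # [b'ABORT']
    ct = encrypt(pad(b"ABORT"))
    print("padded, candidates:", traffic_analysis_padded(ct, COMMANDS))     # all three
```

Padding hides lengths but not timing or the endpoints; hiding those needs cover traffic or an anonymising overlay, which is why the slide's "can be prevented using encryption" only covers the first of the two passive attacks.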



Active Attacks
• The attacker modifies the data stream or creates a false one; the contents of the original message may be changed.
• These attacks cannot be prevented easily.
• Types of active attack:
• Interruption (an asset is made unavailable)
• Modification (an asset is altered)
• Fabrication (a counterfeit object is inserted)



Active Attacks
• Masquerade
– pretending to be a different entity
• Replay
• Modification of messages
• Denial of service
• Easy to detect
– Detection may lead to deterrent
• Hard to prevent
– Focus on detection and recovery


Denial of Service Attack
• The attacker attempts to deny authorized users access to specific information or services.
• The aim of a DoS attack is to prevent access to the target system.
• A denial-of-service (DoS) attack aims at disrupting the authorized use of networks, systems, or applications.

68 Dheeraj Sadawarte / Ganesh .N.Jorvekar April 22, 2024
SYN Flooding Attack
• Used to deny service to the system.
• Takes advantage of the TCP three-way handshake: the server reserves state after the first step.
[Figure: TCP 3-way handshake - the client sends SYN, the server replies SYN+ACK, the client completes with ACK]

SYN Flooding Attack
• The attacker sends fake connection requests (SYNs with spoofed source addresses).
• Each of these requests is answered by the target system with a SYN+ACK, which then waits for the third part of the handshake.
• Since the requests are fake, the target waits for responses that will never come.
• The target system will drop these half-open connections after a specific time-out period.

SYN Flooding Attack
[Figure: the attacker sends SYNs with fake (spoofed) source IP addresses; the target reserves a connection for each, sends its SYN+ACK to the fake address, and waits for an ACK that never arrives]
SYN Flooding Attack
• If the attacker sends requests faster than the time-
out period eliminates them, the system will quickly
be filled with requests.
• The number of connections a system can support is
finite, when more requests come in than can be
processed, the system will soon be reserving all its
connections for fake requests.
• Any further requests are simply dropped
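The race between attack rate and time-out described on the SYN flooding slides, as an added example that is not part of the original slides: a simulated half-open connection table, followed by SYN cookies, the standard countermeasure, in which the server encodes the connection in its initial sequence number instead of reserving a slot. Backlog size, time-out, attack rate and addresses are constructed values; the cookie shown is a simplified form of the real scheme.

```python
"""Added example (not from the slides): a simulation of the half-open
connection table that a SYN flood fills, and SYN cookies as the usual
countermeasure. Backlog size, timeout, attack rate and addresses are constructed;
the cookie is simplified (real kernels also pack an MSS index into the ISN)."""
import hashlib
import hmac
import os

class SynBacklog:
    """Half-open connections the server keeps while waiting for the final ACK."""
    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> time the SYN arrived
        self.dropped = 0

    def expire(self, now: float) -> None:
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}

    def on_syn(self, src: tuple, now: float) -> bool:
        """True if a slot was reserved (SYN+ACK sent); False if the SYN had to be dropped."""
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[src] = now
        return True

def flood(backlog: SynBacklog, attacker_rate: float, duration: float, legit_at: float) -> bool:
    """Attacker sends `attacker_rate` spoofed SYNs per second (never ACKing) for
    `duration` seconds; one legitimate client sends a SYN at `legit_at`.
    Returns whether the legitimate SYN got a slot."""
    legit_ok = None
    step = 1.0 / attacker_rate
    t, n = 0.0, 0
    while t < duration:
        if legit_ok is None and t >= legit_at:
            legit_ok = backlog.on_syn(("203.0.113.7", 40000), t)
        backlog.on_syn(("198.51.100.%d" % (n % 254 + 1), 1024 + n), t)   # spoofed source
        n += 1
        t += step
    return bool(legit_ok)

# --- SYN cookies: answer every SYN without storing anything ----------------
SECRET = os.urandom(16)      # server-side key; real kernels rotate it

def syn_cookie(src: tuple, dst: tuple, counter: int) -> int:
    """Initial sequence number derived from the 4-tuple and a slowly changing
    counter; nothing is stored, so a flood costs the server no memory."""
    msg = repr((src, dst, counter)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def verify_ack(src: tuple, dst: tuple, ack_number: int, counter: int) -> bool:
    """The final ACK acknowledges ISN+1. Recompute the cookie for the current and
    the previous counter value (clock drift) and compare in constant time."""
    got = (ack_number & 0xFFFFFFFF).to_bytes(4, "big")
    for c in (counter, counter - 1):
        expected = ((syn_cookie(src, dst, c) + 1) & 0xFFFFFFFF).to_bytes(4, "big")
        if hmac.compare_digest(expected, got):
            return True
    return False

if __name__ == "__main__":
    fast = SynBacklog(capacity=128, timeout=30.0)
    print("100 SYN/s, legit client at t=5s served:", flood(fast, 100, 10, 5.0), "dropped:", fast.dropped)
    slow = SynBacklog(capacity=128, timeout=30.0)
    print("2 SYN/s, legit client at t=5s served:", flood(slow, 2, 10, 5.0), "dropped:", slow.dropped)
```

With 128 slots and a 30 s time-out, anything above about four spoofed SYNs per second keeps the table full, which is why the simulation at 100 SYN/s turns the legitimate client away while 2 SYN/s does not. A spoofed source never receives the SYN+ACK, so it can never produce a valid cookie ACK, and the server has nothing to expire.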

Ping of Death (POD) Attack
• In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) ping packet whose reassembled size exceeds the IPv4 maximum of 65,535 bytes (64 KB), which is only possible by splitting it into fragments.
• Certain systems were not able to handle a packet of this size: the reassembly buffer overflowed and the system would hang or crash.
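The missing bounds check behind the Ping of Death, as an added example that is not part of the original slides: a fragment reassembler that refuses any fragment whose end offset exceeds the IPv4 maximum. The fragment tuples, the oversized attack input and the 20-byte minimal header assumption are constructed for the demo.

```python
"""Added example (not from the slides): the bounds check a Ping of Death
exploits the absence of. An IPv4 datagram is at most 65,535 bytes, but the
13-bit fragment offset (units of 8 bytes) lets a final fragment claim bytes
past that limit; a reassembler that sizes its buffer from the maximum and
copies without checking the end offset overruns it. Fragments here are
(offset_in_8_byte_units, payload, more_fragments) tuples constructed for the demo."""
IP_MAX = 65535                  # maximum IPv4 datagram size including the header
IP_HEADER = 20                  # minimal IPv4 header (assumption: no options)
PAYLOAD_MAX = IP_MAX - IP_HEADER

class FragmentError(ValueError):
    pass

def reassemble(fragments) -> bytes:
    """Rebuild a datagram's payload from its fragments, in any order, refusing
    any fragment that would write beyond the IPv4 maximum."""
    buf = bytearray(PAYLOAD_MAX)
    total = None
    received = 0
    for offset_units, payload, more in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if end > PAYLOAD_MAX:               # the check a vulnerable stack lacked
            raise FragmentError(f"fragment covers bytes {start}..{end}, beyond {PAYLOAD_MAX}")
        if more and len(payload) % 8:       # only the last fragment may be unaligned
            raise FragmentError("non-final fragment length is not a multiple of 8")
        buf[start:end] = payload
        received += len(payload)
        if not more:
            total = end
    if total is None or received != total:  # assumes fragments do not overlap
        raise FragmentError("incomplete datagram")
    return bytes(buf[:total])

def ping_of_death_fragments() -> list:
    """Constructed attack input: a fragment at offset 8189 (8189 * 8 = 65,512 bytes)
    carrying 100 bytes, so the datagram would be 65,612 bytes plus the header."""
    return [(0, b"\x00" * 8, True), (8189, b"\x41" * 100, False)]

def is_rejected(fragments) -> bool:
    """True when the reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
        return False
    except FragmentError:
        return True

if __name__ == "__main__":
    print(reassemble([(0, b"a" * 8, True), (1, b"b" * 4, False)]))
    print("ping of death rejected:", is_rejected(ping_of_death_fragments()))
```

The same check also covers overlapping-fragment tricks only if overlap is detected separately; the `received != total` test here flags gaps, not overlaps, which a production reassembler must track as well.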

Distributed Denial of Service Attack
• A basic DoS attack is conducted from a single system.
• A DoS attack employing multiple attacking systems is known as a distributed denial of service (DDoS) attack.
• The goal of a DDoS attack is the same: to deny the use of or access to a specific service or system.
• A DDoS attack aims to overwhelm the target with traffic from many different systems.

Distributed Denial of Service Attack
• The attacker first builds a network of attack agents (zombies): systems are compromised and the DDoS software agent is installed on them.
• The agents sleep until they receive an attack command.
• When a zombie/agent receives the command from the attacker, it starts sending a specific type of traffic against the target.
Sniffing
• A sniffer is software or hardware used to observe traffic as it passes through a network on shared broadcast media.
• Used to view all traffic or to target a specific protocol, service, or string of characters such as logins.
• Some network sniffers are designed not just to observe all traffic but also to modify it.
• Network administrators use sniffers for monitoring traffic.
Sniffing
• Also used for network bandwidth analysis.
[Figure: an attacker's host on the shared segment observes the traffic passing through R]

Man_In_The_Middle Attack (MITM)
• A Man-in-the-Middle attack generally occurs when an attacker is able to place themselves between two communicating hosts in order to view and/or modify the traffic.
[Figure: Host 1 and Host 2 believe their communication is direct; each message is actually sent to the attacker, who relays it (possibly altered) to the destination host]
Man_In_The_Middle Attack (MITM)
 This is done by ensuring that all communication going to or from the target host is routed through the attacker's host.
 The attacker can observe all traffic before relaying it and can actually modify or block traffic.
 To the target host it appears that communication is occurring normally, since all expected replies are received.
 A MITM attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other.

Replay Attack
 A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
 The attacker captures a portion of a communication between two parties and retransmits it after some time.
 The best way to prevent replay attacks is with encryption, cryptographic authentication (message authentication codes) and freshness data such as timestamps, sequence numbers or nonces.
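The countermeasure for both the man-in-the-middle slides and the replay slide above, as an added example that is not part of the original slides: each message carries an HMAC over its sequence number, timestamp and body under a key the two hosts share. A relay that edits the body cannot recompute the tag, so the modification is detected; a captured message resent later fails the freshness window or the seen-sequence check. The shared key, clock values and messages are constructed for the demo.

```python
"""Added example (not from the slides), covering the MITM and replay slides:
authenticated messages with freshness data. The key, timestamps and message
bodies are constructed for the demo."""
import hashlib
import hmac
import json

KEY = b"shared-secret-known-only-to-host1-and-host2"   # constructed for the demo
MAX_AGE = 30.0                                           # seconds a message stays valid

def seal(seq: int, ts: float, body: str, key: bytes = KEY) -> dict:
    """Sender side: MAC covers every field, so none of them can be changed in transit."""
    payload = json.dumps({"seq": seq, "ts": ts, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen = set()      # sequence numbers already accepted
        self.log = []

    def accept(self, msg: dict, now: float) -> tuple:
        """Return (accepted, reason). Verify the MAC before trusting any field."""
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return self._log(False, "bad MAC: modified in transit or forged")
        fields = json.loads(msg["payload"])
        if abs(now - fields["ts"]) > MAX_AGE:
            return self._log(False, "stale: outside freshness window")
        if fields["seq"] in self.seen:
            return self._log(False, "replay: sequence number already used")
        self.seen.add(fields["seq"])
        return self._log(True, "ok: " + fields["body"])

    def _log(self, ok: bool, reason: str) -> tuple:
        self.log.append((ok, reason))
        return ok, reason

def mitm_modify(msg: dict, new_body: str) -> dict:
    """What a relaying attacker without the key can do: rewrite the body, keep the old tag."""
    fields = json.loads(msg["payload"])
    fields["body"] = new_body
    return {"payload": json.dumps(fields, sort_keys=True), "tag": msg["tag"]}

if __name__ == "__main__":
    host2 = Receiver()
    m = seal(1, 1000.0, "pay 10 to bob")
    print(host2.accept(m, 1001.0))                                  # accepted
    print(host2.accept(mitm_modify(m, "pay 10 to mallory"), 1001.0))  # bad MAC
    print(host2.accept(m, 1002.0))                                  # replay
    print(host2.accept(seal(2, 1000.0, "late"), 1100.0))            # stale
```

A shared-key MAC gives integrity and origin authentication between the two hosts, but not non-repudiation: either host could have produced the tag, so a receiver cannot prove to a third party who sent the message. That property needs a digital signature under a key only the sender holds.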

Malware
• The term malware is also known as malicious code.
• Malware refers to software that has been designed for some nefarious purpose.
• It may be designed to cause damage to a system, such as deleting all files.
• It may be designed to create a backdoor in the system in order to grant access to unauthorized users.
• Different types of malicious software exist, such as viruses, worms, Trojan horses and logic bombs.
• Malicious code runs under the user's authority.
• Malicious code can read, write, modify, append or even delete data or files without the user's permission.
Virus
• A virus attaches itself to a program and propagates copies of itself to other programs.
• The essential component of a virus is a set of instructions which, when executed, spreads itself to other, previously unaffected, programs or files.
• It performs two functions:
I. It copies itself into previously uninfected programs or files.
II. It executes whatever other instructions the virus author included.
Virus
• It may cause damage simply by replicating itself and taking up system resources: disk space, CPU time, or network connections.
• A virus is a program that can pass on malicious code to other, non-malicious programs by modifying them.
• The term 'virus' was coined because it acts like a biological virus.
• A virus can be either transient or resident.
– A transient virus has a life that depends on the life of its host;
– the virus runs when its attached program executes and terminates when its attached program ends.
– A resident virus locates itself in memory; it can then remain active or be activated as a stand-alone program, even after its attached program ends.
Virus types
• Two main classes
1. File infectors
– Which attach themselves to ordinary program files.
– These usually infect arbitrary .COM and/or .EXE files. though
some can infect any program for which execution is requested,
such as .SYS, .OVL, .PRG and .MNU files.
– File infectors can be either DIRECT ACTION or RESIDENT.
– A DIRECT ACTION Virus selects one or more other programs
to infect each time the program which contains it is executed.
– A RESIDENT virus hides itself somewhere in memory the first
time an infected program is executed, and thereafter infects
other programs when they are executed.
Virus types
2. SYSTEM or BOOT-RECORD INFECTORS
– These viruses infect executable code found in certain system areas on a disk which are not ordinary files.
– There are boot-sector viruses which infect only the DOS boot sector,
– and MBR viruses which infect the master boot record.
– E.g. Brain, Empire, Azusa, Michelangelo
Virus types
• Stealth Virus
– A stealth virus is one which hides the modification it has
made in the file or boot record
– By monitoring the system functions used by programs to
read files or physical blocks from storage media
– undetected by anti viral programs
• Polymorphic Virus
– A polymorphic virus is one which produces varied and
fully operational copies of itself, in an attempt to avoid
signature detection.



Virus types
• Fast and Slow Infectors
– A fast infector is a virus which, when it is active in
memory, infects not only programs which are executed,
but even those programs which are merely opened.
– A slow infector virus, when it is active in memory, infects
only those files as they are modified.
• Companion Virus
– A COMPANION virus is one which, instead of modifying
an existing file, creates new program which gets executed
instead of original program.



Virus types
• Armored Virus
– An armored virus uses special tricks to make tracing, disassembling and understanding its code more difficult.
• Macro Virus
Macro
• A macro allows a particular task that a user performs often to be repeated again and again.
• A set of automated instructions or tasks.
– Macro viruses consist of malicious macro (VBA) code that can create havoc on the computer on which it is executed.
– Spread quickly
– Macro viruses are not platform specific.
Phases of Virus
a typical virus goes through phases of:
 Dormant
 Propagation
 Triggering
 Execution



Categories of Viruses
1. Destructive Viruses
 Massive destruction, e.g. low-level format of the disk
 Partial destruction, e.g. erasure or modification of a portion of the disk
 Selective destruction, e.g. erasure or modification of specific files or file groups
 Random havoc - randomly changing data on disk or in RAM, changing keystroke values
2. Non-destructive viruses, intended to draw attention to the author or to harass the end user
 Annoyances
• Displaying a message, changing display colours, changing keystroke values
Triggers of the Virus Attacks
Attacks begin upon the occurrence of a certain event:
 On a certain date / time of year
 At a certain time of day
 When a certain job is run
 After cloning itself n times
 When a certain combination of keystrokes occurs
 When a computer is restarted
The virus code must put itself into a position to start itself either when the computer is turned on or when a specific program is run.
Protection against viruses
1. Education
2. Backup and recovery procedures
3. Isolate software libraries
4. Implement software library management procedures
5. Develop a virus alert procedure
Anti-Virus Software
• Anti-virus S/W continuously monitors the system.
• When it detects an infected file, or when it sees suspicious activity, it uses three methods to identify the virus:
1. The Signature Approach
2. The Sandbox Approach
3. The Heuristic Approach
Anti-Virus Software
1. The Signature Approach
 Just like a police trace.
 Every virus has a signature (which is mostly unique).
 This signature is added to a database.
 So when an antivirus performs a virus scan, each file is scanned for matches with the antivirus signatures.
 This is the reason why antivirus s/w must be updated.
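As an added example (not part of these slides and not the author's code), a minimal signature scanner in Python: the signature names, byte patterns and sample files are all constructed for the demo, and the scan shows why the database must be updated, since a variant with an unknown pattern is missed until its signature is added.

```python
# Added example, not from the slides: a minimal signature scanner.
# Patterns and file contents below are constructed for this demo only.
import os
import tempfile

# Signature database: name -> byte pattern that identifies the virus.
SIGNATURES = {
    "Demo.Worm.A": b"DEMO-SIG-ALPHA",
    "Demo.Macro.B": b"Sub AutoOpen()\r\n",
}


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def scan_file(path: str, signatures=SIGNATURES) -> list:
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def scan_directory(root: str, signatures=SIGNATURES) -> dict:
    """Map each file under root (relative path) to the signatures found in it; clean files are omitted."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = scan_file(path, signatures)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo() -> tuple:
    """Scan constructed samples before and after a signature database update."""
    samples = {
        "clean.exe": b"MZ" + b"\x00" * 64,
        "infected.exe": b"MZ" + b"\x00" * 16 + b"DEMO-SIG-ALPHA" + b"\x00" * 8,
        "report.doc": b"...Sub AutoOpen()\r\n...",
        "new_variant.exe": b"MZ" + b"DEMO-SIG-BETA",  # unknown until the DB is updated
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = scan_directory(root)
        updated = dict(SIGNATURES, **{"Demo.Worm.B": b"DEMO-SIG-BETA"})
        after = scan_directory(root, updated)
    return before, after
```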



Anti-Virus Software
2. The Sandbox Approach
 A sandbox is an advanced program that emulates an OS.
 A suspect executable file is run within the confines of the sandbox.
 Then the sandbox is examined to see what changes were made.
 These changes are used to determine which viruses infect the file.
Anti-Virus Software
3. The Heuristic Approach
 This analyses a program for seemingly malicious behavior.
 Heuristics are effective against undocumented viruses.
 The virus buster of the future might eliminate the need for continual monitoring for new viruses.



Removing Viruses
1. Removal of the virus code
Removing the viral code from the file; best-case scenario, no harm done.
2. Quarantine of the infected file
The buster tries to make the file inaccessible to programs without deleting it.
3. Deleting the infected file
The buster simply deletes the file if the code cannot be removed.
4. Physical removal of the infected file
If the file is in use by the OS, the user needs to manually delete it (if it is not a critical file) or manually replace it from a clean backup (if it is critical).
5. Seeking help
Users are directed to the company's web site.
Mechanism of Virus Attachment
 A printed copy of a virus does nothing and threatens no one.
 Even executable virus code sitting on a disk does nothing.
 To do malicious work and spread itself, a virus must be activated by being executed.
 For example, the setup program that you initiate on your computer.
Mechanism of Virus Attachment
 A more common means of virus activation is an attachment to an email message.
 The virus writer tries to convince the victim to open the attachment.
 Once the viral attachment is opened, the activated virus can do its work.
 Some modern email handlers automatically open attachments as soon as the receiver opens the body of the email.
 The virus can be executable code embedded in an executable attachment.
 It is safer to force users to open files on their own rather than automatically.
Appended Viruses
A virus attaches itself to a program.
Whenever the program runs, the virus is activated.
This kind of attachment is usually simple, easy and effective to program.
A virus inserts a copy of itself into the executable program file before the first executable instruction.
Then all the virus instructions execute first; after the last virus instruction, control flows naturally to the first program instruction.
Appended Viruses
• The virus writer does not need to know anything
about the program to which the virus will attach.

[Figure: Virus Code + Original Program = Virus Code followed by Original Program. Caption: Virus Appended to a program]



Viruses that surround a program
• An alternative to the attachment is a virus that runs the original program but has control before and after its execution.
• A virus writer might want to prevent the virus from being detected.
• The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk.
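Both the appended and the surrounding layouts change the bytes of the program file on disk, which is what an integrity baseline catches. As an added example (not from these slides and not the author's code), the Python below records a SHA-256 per file and reports files that were modified, removed or newly added; the file names and contents are constructed for the demo.

```python
# Added example, not from the slides: an integrity baseline that catches program
# files whose bytes changed on disk. All file names and contents are constructed.
import hashlib
import os
import tempfile

def file_sha256(path: str) -> str:
    """SHA-256 of a file; any bytes placed before or after the program change it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256."""
    return {os.path.relpath(os.path.join(d, n), root): file_sha256(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def check_integrity(root: str, baseline: dict) -> dict:
    """Return {relpath: 'modified' | 'missing' | 'new'} compared with the baseline."""
    current = build_baseline(root)
    findings = {}
    for rel, digest in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    findings.update({rel: "new" for rel in current if rel not in baseline})  # e.g. a companion file
    return findings

def _write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo() -> dict:
    """Baseline three dummy 'programs', then change two of them and add one file."""
    with tempfile.TemporaryDirectory() as root:
        original = {"ls.bin": b"\x7fELF" + b"\x00" * 32, "edit.bin": b"MZ" + b"\x00" * 32,
                    "calc.bin": b"MZ" + b"\x01" * 32}
        for name, data in original.items():
            _write(root, name, data)
        baseline = build_baseline(root)
        # Extra bytes before ls.bin (the appended layout) and around edit.bin
        # (the surrounding layout); calc.bin untouched; calc.com is a new file.
        _write(root, "ls.bin", b"EXTRA" + original["ls.bin"])
        _write(root, "edit.bin", b"PART-A" + original["edit.bin"] + b"PART-B")
        _write(root, "calc.com", b"MZ")
        return check_integrity(root, baseline)
```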



[Figure: Virus Surrounding a Program. Logically: Virus code Part (a), Original Program, Virus code Part (b). Physically: Virus code, Original Program.]

