CIT 315 PDF Note

CIT 315: INTERNET SECURITY

Unit 1
INTRODUCTION
➢ Internet
➢ Security in Computing
➢ Components of Security
➢ Taxonomies of Information Security
➢ Key Concepts in Information Security
➢ Internet Security
➢ Security Policy
➢ Ethics of Computer Security

WHAT IS SECURITY
Security means safety, as well as the measures taken to be safe or protected.
Often this word is used in compounds such as a security measure, security
check or security guard. The security department in a business is sometimes
just called security.
Security is freedom from, or resilience against, potential harm caused by
others. Beneficiaries (technically referents) of security may be of persons and
Security is defined as being free from danger, or feeling safe. An example of
security is when you are at home with the doors locked and you feel safe.
An organization or department whose task is protection or safety, esp. a
private police force hired to patrol or guard a building, park, or other area.
Security refers to all the measures that are taken to protect a place, or to
ensure that only people with permission enter it or leave it.

1.1: Internet
➢ Provides a wealth of information and services
✓ Communication: video calls, emails, instant messaging
✓ Transaction: shopping, financial services
✓ Entertainment: music, film
✓ Many others
➢ Communications and transactions are private and secure
✓ Credit card details
✓ Secret communication
➢ Serious security risks
✓ Fraud
✓ Cyber bullying
✓ Terrorism
✓ Identity theft
✓ Espionage

1.2: Security in computing

➢ Security means different things in finance, banking, portfolio management and computing.
➢ Security in computing means:
✓ the extent to which a computer system is protected from data
corruption, destruction, interception, loss, or unauthorized access.
(Business Dictionary)
✓ techniques for ensuring that data stored in a computer cannot be read
or compromised by any individuals without authorization. (Webopedia)
✓ the ability of a system to protect information and system resources with
respect to confidentiality and integrity. (Albion)

1.3: Components of security


➢ Security can be divided into separate components or areas for simplified
management
✓ Physical security: physical items, objects, or areas
✓ Personnel security
✓ Operations security: particular operation or series of activities
✓ Communications security: communications media, technology, and
content
✓ Network security: networking components, connections, and contents
✓ Information security: ensures CIA of information whether in storage,
processing, or transmission

1.4 Taxonomies of information security


➢ Two taxonomies: CIA and AAA
✓ Confidentiality: information is not accessed by unauthorized persons.
✓ Integrity: information is not altered by unauthorized persons.
✓ Availability:
data is obtainable regardless of how it is stored, accessed, or protected.
Or
data is available regardless of the malicious attack that might be perpetrated
on it.

✓ Authentication: person’s identity is established with proof.
✓ Authorization: access to certain (restricted) data or areas of a building.
✓ Auditing: tracking of data, computer usage, and network resources. It
means logging, accounting (non-repudiation) and monitoring.

1.5 Key Concepts in Security
Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or
object. (Authorized users and hackers).
Asset: The organizational resource that is being protected: software, hardware or people.
Attack: An intentional or unintentional act that can cause damage to or otherwise
compromise information and/or the systems that support it.
✓ Active or passive
✓ Intentional or unintentional
✓ Direct or indirect

Loss: A single instance of an information asset suffering damage or unintended or
unauthorized modification or disclosure. When an organization’s information is stolen, it has
suffered a loss.
Protection profile or security posture: The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements
(or fails to implement) to protect the asset.
Risk: The probability that something unwanted will happen.
Subjects and objects: A computer can be either the subject of an attack (an agent entity used
to conduct the attack) or the object of an attack (the target entity).
Threat: A category of objects, persons, or other entities that presents a danger to an asset.
Threats are always present: hackers, storms, fire, etc.
Threat agent: The specific instance or a component of a threat. For example, all hackers in the
world present a collective threat, while Kevin Mitnick is a specific threat agent. Likewise, a
lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe
storms.
Vulnerability: A weakness or fault in a system or protection mechanism that opens it to
attack or damage, e.g.
✓ flaw in a software package
✓ unprotected system port
✓ unlocked door
Some well-known vulnerabilities have been examined, documented, and published; others
remain latent (or undiscovered).
Exposure: A condition or state of being exposed. In information security, exposure exists when
a vulnerability known to an attacker is present.
Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can
successfully:
✓ prevent attacks
✓ reduce risk
✓ resolve vulnerabilities
✓ otherwise improve the security within an organization
Exploit: A technique used to compromise a system.
Or, an exploit can be a documented process to take advantage of a vulnerability or exposure,
usually in software, that is either inherent in the software or is created by the attacker.
✓ Threat agents may use systems and information assets illegally for their
personal gain.
✓ Exploits make use of existing software tools or custom-made software.

1.6 What Does Internet Security Mean?
➢ Internet security is a catch-all term for a very broad issue covering security for
transactions made over the Internet:
✓ Browser security
✓ the security of data entered through a Web form
✓ Overall authentication
✓ protection of data sent via Internet Protocol
➢ Internet security relies on specific resources and standards for protecting data
that gets sent or received through the Internet:
✓ encryption such as Pretty Good Privacy (PGP)
✓ firewalls, which block unwanted traffic
✓ anti-malware, anti-spyware and anti-virus programs that work from
specific networks
✓ devices to monitor Internet traffic for dangerous attachments.

1.7 Why is security required on the Internet?

➢ Internet security is generally becoming a top priority for both businesses and
governments.
➢ Good Internet security protects:
✓ financial details
✓ servers
✓ network hardware
➢ Insufficient Internet security can cause the collapse of:
✓ an e-commerce business
✓ any other operation where data gets routed over the Web.
1.8 Security policy
➢ It provides management direction and support for information security across
the organization.
➢ A document that states in writing how a company plans to protect information
assets.
➢ Considered to be a living document
✓ never finished
✓ continuously updated
➢ May contain
✓ acceptable use policy
✓ plans to educate its employees
✓ explanation of how security measurements will be carried out and
enforced.
✓ procedure for evaluating the effectiveness of the security policy
➢ Process of creating a security policy:
✓ Get management support: Time, money and other resources.
✓ Write policy: information security professional or other stakeholders
write, copy or adapt existing policy.
✓ Written policy increases the knowledge of:
▪ how our infrastructure is structured
▪ internal traffic flow

▪ point of contact for different IT infrastructures
▪ how to implement the policy
✓ Sections within a policy
i. Overview – Background information of issue addressed by the policy.
ii. Purpose – Why the policy is created.
iii. Scope – To what areas this policy covers.
iv. Targeted Audience – Tells to whom the policy is applicable.
v. Policy – A good description of the policy.
vi. Definitions – A brief introduction of the technical jargon used inside the
policy.
vii. Version – A version number to control the changes made to the document.
✓ Implement the Policy
▪ security experts implement the technical aspect of the policy
▪ user awareness and education
▪ all concerned employees should adhere to policy. E.g.
❖ sending email
❖ accessing VOIP
❖ browsing the Internet
❖ accessing confidential data in a system
✓ Monitor the policy
▪ solutions to monitor and report violators
▪ because people may be reluctant to report violators, use an automated reporter
▪ violators should be dealt with
✓ Review the policy
▪ organizational change
▪ security incidents
▪ the lifecycle of the security policy starts all over

1.9 Ethics of computer security


➢ Emergence:
concerns arose right away that computers would be used inappropriately to the detriment
of society
▪ replacing humans
▪ loss of jobs
➢ Purpose:
to exercise due diligence to prevent and detect criminal conduct and otherwise
promote an organizational culture that encourages ethical conduct and a
commitment to compliance with the law
➢ Requirement:
▪ Organizations should report unethical incidents without
delay
➢ Examples
▪ computers in the workplace
▪ computer crime
▪ privacy and anonymity
▪ intellectual property
▪ professional responsibility
▪ globalization
1.10 Security Threats and Levels
➢ Assignment: Discuss security threats and levels.

1.11 Security Plan (RFC 2196)


➢ Site Security Handbook (RFC 2196)
✓ a guide or framework for setting computer security policies and procedures
for sites that have systems on the Internet
✓ lists issues and factors for site policies
✓ makes a number of recommendations
✓ provides discussions of relevant security areas

1.12 Security Plan (RFC 2196)


➢ To have effective policies and procedures, a site must:
✓ make many decisions
✓ gain agreement
✓ communicate and implement these policies

Unit 2: CLASSES OF ATTACK


❑ Stealing Passwords
❑ Bugs
❑ Backdoors
❑ Logic Bombs
❑ Botnets and Zombies
❑ Denial-of-Service Attacks
❑ Authentication Failures
❑ Protocol Failures
❑ Information Leakage
❑ Exponential Attacks
❑ Social Engineering

2.1 Stealing passwords


➢ Password stealing is a process whereby hackers extract digital passwords using
techniques and tools that depend on:
✓ the strength of the password
✓ the security of the communication channel
✓ vulnerabilities of the client and host machines
➢ Compromised account can be used for cybercrime
✓ personal and organization damages
➢ Passwords should be built from an uneven (mixed) combination of characters
➢ USB password stealer: batch or autoexec scripts are saved on USB flash drive.
➢ Mass Theft: hackers run programs that enter stolen username and password
details on tens of thousands of sites until one hits.
➢ Wi-Fi Traffic Monitoring Attacks: hacker uses a simple application available
from the internet for free to watch all traffic on a public Wi-Fi network.

➢ Phishing Attacks Type 1: Tab Nabbing –
✓ Hackers often send fake web links (cloned website) via emails for
victims to update their profiles.
✓ Hackers extract username and password through cloned site.

➢ Phishing Attacks Type 2: Key Logger Attacks –
✓ An email attachment containing malicious JavaScript is injected into
your browser.
✓ Every detail you type, including usernames and passwords, is
recorded and sent to the hacker.
✓ Example from 2006: fake e-greeting cards.
➢ Brute Force Attacks –
✓ Guessing or entering different passwords over and over until it’s
cracked.
✓ “123456” is still the most common password on the planet.
✓ The tools can easily be downloaded for free.
➢ Dictionary Attack –
✓ Common words which can be obtained from dictionary.
✓ Hackers simply run script that tries each of the dictionary words
as password.
➢ Examples of password stealing software
✓ SpyAgent
✓ Realtime-spy
✓ Wifi-hacker

2.2 BUGS
➢ A bug is an error or defect in software or hardware that causes a program to
malfunction.
➢ Causes
✓ oversight during programming
✓ error in the programming language
✓ mistake in the language translator (compiler or interpreter)
✓ conflicts in software when applications try to run in tandem
➢ Prevention
✓ a well-designed program developed using a well-controlled
process.
✓ search for and correct bugs during the development phase using
debugging tools and techniques.
✓ a patch or update is released to fix a bug after deployment.
➢ Danger
✓ gain unauthorized access to IT resources
✓ disrupt the smooth usage of IT product

2.3 Backdoor
➢ Backdoors are used in computer programs to bypass normal authentication
and other security mechanisms.
➢ used by developers as a legitimate way of accessing an application

➢ Hackers would use existing backdoors to make changes to IT resources, OR
➢ create a completely new application that would act as a backdoor:
✓ example Back Orifice, which enables a user to control a Windows
computer from a remote location.
✓ application is installed via remote access Trojan or RAT.
✓ some worms install backdoors on computers so that remote
spammers can send junk e-mail or attempt privilege escalation.
➢ Prevention: Unfortunately, there isn’t much that can be done about
backdoors beyond:
✓ patching the infected system
✓ keeping on top of updates
✓ network administrators informing the manufacturer of the device
or application
✓ encrypting access to the backdoor
➢ Backdoors attacks are less common nowadays because of prevention
mechanism and awareness.

➢ In general terms, a backdoor attack is a type of breach where hackers install
malware that can bypass a network's normal security requirements and
authentication by deceit and careful hiding.

➢ What is the difference between a backdoor and a Trojan?
A Trojan is a type of malware that masquerades as a legitimate program to trick the
recipient into running it. A backdoor is a specific type of Trojan that aims to infect
a system without the knowledge of the user.

2.4 LOGIC BOMBs


➢ Logic bombs are unwanted code that has, in some way, been inserted into
software
➢ It is meant to initiate malicious functions when specific criteria are met
➢ They do not occur frequently, but have grave consequences
➢ Often detected before they are set off
➢ It is intended to activate viruses, worms, or Trojans at a specific time, date, or
under other parameters.
Causative Agent
✓ Trojans set off on a certain date are also referred to as time bombs.
✓ It ticks away until the conditions are met.
✓ It could be contained within a virus or loaded separately.
Prevention
❑ Once detected, notify your superior immediately
❑ Check your organization’s policies before taking actions like:
✓ Placing network disaster recovery processes on stand-by
✓ Notifying the software vendor
✓ Closely managing usage of the software: withdrawing it from service until
the threat is mitigated.

2.5 Botnets and Zombies
➢ Malware is distributed on the Internet by a group of compromised computers,
known as a botnet, and controlled by a master computer (where the attacker
resides).
➢ Each compromised computer in the botnet is a zombie.
➢ Zombies are unaware of the malware installed on them.
➢ Installation is automated by distribution of the malware from one zombie to
another.
➢ A zombie could hold a virus, a logic bomb, DDoS code, login IDs, credit card numbers, etc.
➢ Botnet controller community features:
✓ constant and continuous struggle over most bots
✓ highest overall bandwidth
✓ most "high-quality" infected machines, like university, corporate, and even
government machines.

How it works
➢ A botnet operator sends out malware, infecting ordinary users' computers,
whose payload is a malicious application called the bot.
➢ The bot on the infected PC logs into a particular command and control server.
➢ A spammer purchases the services from botnet operator.
➢ The spammer provides the spam messages to the operator
➢ Operator instructs the compromised machines via the control panel on the
web server, to send spam messages.

2.6 Denial-of-Service Attacks


➢ Denial-of-service attack (DoS) is a type of attack on a network that is designed
to:
✓ bring the network to its knees by flooding it with useless traffic
✓ user is deprived of the services: e-mail, database, file servers, web sites
➢ But a DoS attack does not usually result in the theft of information or other
security loss
➢ It can cost a great deal of time and money
➢ The attack can destroy programs and files
➢ In a DDoS, large numbers of compromised systems (a botnet) attack a single target

Common DoS Attacks


1. Buffer Overflow Attacks
➢ The DoS attack simply sends more traffic to a network address than the data buffer
the programmer anticipated can hold
➢ The attacker may:
✓ be aware that the target system has a weakness
✓ simply try the attack in case it might work
2. Synchronization (SYN) Attack
➢ Only a small buffer space exists to handle the usually rapid "hand-shaking" that
establishes a client-server (TCP) session

➢ The session-establishing packets include a SYN field that identifies the
sequence in the message exchange.
➢ An attacker can send a number of connection requests very rapidly and then
fail to respond to the reply.
➢ Some operating systems allow network administrator to tune the size of the
buffer and the timeout period.
3. Teardrop Attack
➢ Exploits the way the Internet Protocol (IP) requires large data to be divided into
fragments
➢ The fragment packets are assembled using offset to the beginning of the first
packet
➢ In the teardrop attack, the attacker's IP puts a confusing offset value in the
second or later fragment
➢ If the receiving operating system does not have a plan for this situation then it
crashes
4. Smurf Attack
➢ Perpetrator sends IP ping (or "echo my message back to me") request to a
receiving site
➢ The ping packet specifies that it be broadcast to some hosts within the
receiving site's local network
➢ The packet also indicates that the request is from another site (Sending a
packet with someone else's return address in it is called spoofing the return
address)
➢ lots of ping replies will flood back to the innocent, spoofed host
➢ The spoofed host will no longer be able to receive or distinguish real traffic
5. Viruses
➢ Computer viruses, which replicate across a network in various ways, can be
viewed as DoS attacks
➢ The victim is not usually specifically targeted but simply a host unlucky enough
to get the virus
➢ Depending on the particular virus, the DoS can range from hardly noticeable
all the way through disastrous
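The teardrop item (3) above turns on what the receiver does with a fragment whose offset lands inside data it has already accepted. As an added example that is not from the course notes, a small Python reassembler, a constructed model that uses byte offsets rather than IP's 8-byte fragment units, which rejects overlapping, missing or out-of-range fragments instead of crashing:

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # IP total-length limit, used here as the reassembly bound


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte position of this payload in the original datagram
    payload: bytes
    more_fragments: bool  # MF flag: False only on the final fragment


class ReassemblyError(ValueError):
    """Raised instead of letting a malformed fragment set corrupt the buffer."""


def reassemble(fragments):
    """Rebuild a datagram from its fragments, validating every offset.

    A naive implementation computes a fragment's usable length from
    (its end - the previous fragment's end); a teardrop-style second
    fragment whose offset lies inside the first makes that negative and
    corrupts the buffer. Here the overlap is detected and rejected."""
    if not fragments:
        raise ReassemblyError("no fragments")
    ordered = sorted(fragments, key=lambda f: f.offset)  # arrival order is irrelevant
    buf = bytearray()
    expected = 0  # offset at which the next fragment must begin
    for index, frag in enumerate(ordered):
        is_last = index == len(ordered) - 1
        if frag.offset < 0 or not frag.payload:
            raise ReassemblyError("bad offset or empty fragment")
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM:
            raise ReassemblyError("fragment extends past maximum datagram size")
        if frag.offset < expected:
            raise ReassemblyError("overlapping fragment (teardrop pattern)")
        if frag.offset > expected:
            raise ReassemblyError("missing fragment before offset %d" % frag.offset)
        if frag.more_fragments == is_last:
            raise ReassemblyError("more-fragments flag inconsistent with position")
        buf += frag.payload
        expected = end
    return bytes(buf)


def classify(fragments):
    """'ok' when the set reassembles cleanly, otherwise the rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except ReassemblyError as exc:
        return str(exc)


# Constructed fragment sets (not taken from any real capture).
GOOD = [Fragment(0, b"A" * 8, True), Fragment(8, b"B" * 8, True), Fragment(16, b"C" * 4, False)]
TEARDROP = [Fragment(0, b"A" * 8, True), Fragment(4, b"B" * 4, False)]  # 2nd offset inside 1st
```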

Characteristics of DoS
i. unusually slow network performance (opening files or accessing websites)
ii. unavailability of a particular website
iii. inability to access any website
iv. dramatic increase in the amount of spam you receive in your account

What to do in case of a DoS Attack

Unfortunately, there are no effective ways to prevent being the victim of a DoS
or DDoS attack, but efforts to reduce the risk include:
i. Install and maintain anti-virus software
ii. Install a firewall, and configure it to restrict traffic coming into and leaving your
computer
iii. Follow good security practices for distributing your email address. Applying
email filters may help you manage unwanted traffic

2.7 Authentication Failures
➢ Failed-authentication packets are sent to the wireless client (mobile unit) with
a reason code of "previous authentication failure".
➢ While sending the packets, the source Media Access Control (MAC) address is spoofed
to that of the wireless access point with which the client is associated. This makes
the client think that the authentication failure was sent by the original wireless
access point, and as per the 802.11 standard the client removes itself from the
wireless local area network (WLAN).
➢ A slight variation of the above attack is to send invalid authentication request
frames to the access point by spoofing the MAC address of an associated
client.
➢ In this case the access point receives the invalid authentication requests, thinks
that those requests came from the associated client and aborts its wireless
service to that client.

What can the WLAN Administrator do?


➢ The best bet would be to monitor the WLAN and particularly the associations
pattern in the WLAN. If there are too many authentication failures, then it is
better to analyze and find out the reason for the same.
➢ WiFi Manager when deployed, does this automatically and keeps the
administrator warned of potential problems.
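The monitoring advice above in working form, as an added example that is not part of the course notes: the management-frame log below is a constructed assumption, and the detector flags any (frame type, source, destination) pair whose frame rate reaches a threshold inside a sliding window, which is how a burst of spoofed deauthentication or failed-authentication frames shows up to a WLAN monitor.

```python
from collections import defaultdict

# Constructed 802.11 management-frame log (an assumption, not a real capture):
# "<seconds> <frame type> <source MAC> <destination MAC>".
# AP 00:11:22:33:44:01 serves two clients. aa:bb:cc:dd:ee:01 is normal;
# aa:bb:cc:dd:ee:02 is under attack: frames carrying the AP's own MAC as source
# arrive far faster than a real AP would ever send them.
SAMPLE_LOG = """\
0.0 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:01
0.5 auth_req aa:bb:cc:dd:ee:01 00:11:22:33:44:01
12.0 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
12.2 auth_req aa:bb:cc:dd:ee:02 00:11:22:33:44:01
12.4 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
12.6 auth_req aa:bb:cc:dd:ee:02 00:11:22:33:44:01
12.8 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
13.0 auth_req aa:bb:cc:dd:ee:02 00:11:22:33:44:01
13.2 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
13.4 auth_req aa:bb:cc:dd:ee:02 00:11:22:33:44:01
13.6 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
13.8 auth_req aa:bb:cc:dd:ee:02 00:11:22:33:44:01
14.0 deauth 00:11:22:33:44:01 aa:bb:cc:dd:ee:02
"""


def parse_frame(line):
    """Split one log line into (time, frame_type, src, dst)."""
    t, kind, src, dst = line.split()
    return float(t), kind, src, dst


def peak_rate(times, window):
    """Largest number of events that fall inside any `window`-second span."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_floods(log_text, window=5.0, threshold=5):
    """Return {(frame_type, src, dst): peak_count} for every pair that reaches
    `threshold` frames within any `window` seconds.

    Counting per (type, src, dst) pair is deliberate: the attacker spoofs the
    AP's MAC, so the source looks legitimate and only the rate gives it away."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            t, kind, src, dst = parse_frame(line)
            events[(kind, src, dst)].append(t)
    flagged = {}
    for key, times in events.items():
        peak = peak_rate(times, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

The normal client's single deauth frame is not reported; the attacked client's deauth and auth-request bursts both are, which is the "too many authentication failures" signal the notes say is worth analyzing.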

2.8 Protocol Failures


➢ The Internet is an assemblage of many protocols developed to support
the needs of billions of users and services.
➢ These protocols are not error-proof in their designs and implementations.
➢ Errors in a protocol can be used to attack devices on the Internet.
➢ A protocol failure occurs when the protocol fails to meet the goals for which it is intended.
➢ The adversary gains advantage not by breaking an underlying primitive (e.g.
encryption) directly, but by manipulating the protocol or mechanism itself.

The attacker studies the loopholes and takes advantage of them to:

i. Cause the protocol to crash, thereby denying legitimate access to services and
information that the protocol is meant to provide.
ii. Participate covertly in a protocol initiated by one party with another and
influence it, e.g. by altering messages so as to be able to steal information.
iii. Initiate one or more protocol executions (possibly simultaneously) and
combine (interleave) messages from one with another
Example
The most elementary of errors, that is complete lack of any authentication capability, was
discovered in SSL 1.0 just 10 minutes into the first public presentation on the design.
That error was fixed in SSL 2.0, but this time the designers made no effort to obtain public
review prior to release, and further design errors were identified. It wasn’t until the design of
SSL 3.0 that an experienced designer of cryptographic protocols was engaged to evaluate the
design – but for only 10 days.

2.9 Information Leakage
➢ Information leakage is an application weakness where an application reveals
sensitive data like:
✓ technical details of the web application
✓ environment variables
✓ user-specific data
➢ Sensitive data may be used by an attacker to exploit:
✓ Target web application
✓ Hosting network
✓ Web application users
➢ Leakage of sensitive data should be limited or prevented whenever possible
➢ Information leakage in a web application mostly results from one or more of
the following conditions:
1. A failure to scrub out HTML/Script comments containing sensitive information.
<TBODY>
<TR>
<!--If the image files fail to load, check/restart 192.168.0.110 -->
<TD bgColor="#ffffff" colSpan="5" height="17" width="587"> </TD>
</TR>

2. Improper application or server configurations.


Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression
'username = ''' and password = 'g''. at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling ( Int32 hr) at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult( tagDBPARAMS
dbParams, Object& executeResult) at

3. Differences in page responses for valid versus invalid data.


The password recovery flow performs the following steps:
1. Ask user for username/email
- If username/email is valid continue to steps 2 & 3
- If username/email is invalid error with following message: "The username/email you
submitted was invalid!"
2. Message the user that a mail has been sent to their account
3. Send user a link allowing them to change their password
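As an added example that is not part of the course notes, the three conditions above in Python: a password-recovery handler that answers differently for valid and invalid identifiers (condition 3) beside one that answers uniformly and also keeps database error text out of the response (condition 2), plus a scrubber for HTML comments carrying internal addresses (condition 1). The user store and the message strings are constructed assumptions.

```python
import logging
import re

log = logging.getLogger("recovery")

# Constructed user store standing in for the application's database (an assumption).
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

UNIFORM_MESSAGE = "If that account exists, a password-reset link has been sent to it."


def leaky_recovery(identifier, send_mail, lookup=KNOWN_USERS.__contains__):
    """Condition 3 as the notes describe it: the reply itself says whether the
    identifier is valid, so the endpoint doubles as an account-enumeration oracle."""
    if not lookup(identifier):
        return 404, "The username/email you submitted was invalid!"
    send_mail(identifier)
    return 200, "A mail has been sent to your account."


def uniform_recovery(identifier, send_mail, lookup=KNOWN_USERS.__contains__):
    """Same status code and text whether or not the account exists; the only
    difference (whether mail actually goes out) is not visible to the requester."""
    try:
        exists = lookup(identifier)
    except Exception as exc:  # condition 2: keep driver/SQL text out of the response
        log.error("account lookup failed: %r", exc)  # detail stays server-side
        return 200, UNIFORM_MESSAGE
    if exists:
        send_mail(identifier)
    return 200, UNIFORM_MESSAGE


def responses_distinguish(handler, valid, invalid):
    """True when status + body alone let a client tell a valid identifier from an invalid one."""
    return handler(valid, lambda _: None) != handler(invalid, lambda _: None)


HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_leaky_comments(markup):
    """Condition 1: report HTML comments that carry an internal address."""
    return [c for c in HTML_COMMENT.findall(markup) if IPV4.search(c)]


def strip_html_comments(markup):
    """Scrub all HTML comments before the page leaves the server."""
    return HTML_COMMENT.sub("", markup)
```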

2.10 Exponential Attacks


➢ Exponential attacks involve the act of recruiting vulnerable hosts on the Internet
to perpetrate attacks at a very fast rate.
➢ Different attack types belong to exponential attacks but notable among them are
worms and cross site scripting (XSS) attacks.
Example I
Slammer is a worm that was envisaged to cripple the Internet in early 2000 but it did not quite
succeed, because it happened to pick on an occasionally used interface that is not essential
to the core operation of the Internet.

➢ Read more about slammer in course material
Example II
✓ Cross-site scripting (XSS) is perhaps the most well-known Web application
vulnerability. It occurs when a Web page displays user input (via
JavaScript or VBScript) that isn’t properly validated.
✓ A hacker can take advantage of the absence of input filtering and cause a
Web page to execute malicious code on the computer of any user who views
the page.
If a window pops up that reads XSS, as shown below, when the script
<script>alert('XSS')</script> is entered into an input field, then the application is vulnerable.
➢ So when a single XSS payload can traverse multiple domains and attack many different
sites instead of just one, an exponential XSS attack may be initiated.
➢ You can consult XSS Attacks: Cross Site Scripting Exploits and Defense By Seth
Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

2.11 Social Engineering Attacks

(In the context of information security) the use of deception to manipulate individuals into
divulging confidential or personal information that may be used for fraudulent purposes
"people with an online account should watch for phishing attacks and other forms of social
engineering"

➢ Social engineering is a term that encompasses a broad spectrum of malicious
activity.

What are examples of social engineering?

Examples of social engineering range from phishing attacks where victims are
tricked into providing confidential information, vishing attacks where an urgent
and official sounding voice mail convinces victims to act quickly or suffer severe
consequences, or physical tailgating attacks that rely on trust to gain

Other types of social engineering

• Baiting. Enticing victims into inadvertently compromising their security, for example
by offering free giveaways or distributing infected devices.
• Honey trap
• Pretexting
• Scareware
• Vishing/voice phishing

What is the most common method of social engineering?


Phishing:
The most common form of social engineering attack is phishing. Phishing attacks exploit
human error to harvest credentials or spread malware, usually via infected email
attachments or links to malicious websites.

Unit 3
ACTIVE ATTACKS
❑ Computer Virus, Worms and Trojan Horse
❑ Firewalls
❑ What can firewall do?
❑ Demilitarized zone and proxy
❑ Implementing policies
❑ Reasonable domain name services to filter

3.1: Computer virus

What is a computer virus simple definition?


Definition: A computer virus is a malicious software program loaded onto a user's computer
without the user's knowledge that performs malicious actions. It can self-replicate,
inserting itself onto other programs or files, infecting them in the process. Not all computer
viruses are destructive though.

How can virus harm your computer?


Some computer viruses are programmed to harm your computer by damaging programs,
deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a
network with traffic, making it impossible to perform any internet activity.

Many instances of malware fit into multiple categories: for instance, Stuxnet is a worm,
a virus and a rootkit.

A Trojan horse is not a virus. It is a destructive program that looks like a genuine application.
Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
Computer worm
A computer worm is a type of malware that, once it infects a machine, can automatically
copy and extend itself to connected devices.

• You can avoid being infected by a worm using common anti-malware advice. Use
antivirus software, keep your computer up to date, and never open links or files
which you don't completely trust.

Viruses vs. Worms and Trojans

A virus cannot execute or reproduce unless the app it has infected is running. This
dependence on a host application makes viruses different from trojans, which require
users to download them, and worms, which do not use applications to execute. Worms
are stand-alone malicious programs that can self-replicate and propagate independently.

What is Malware?

Malware is malicious software that enables unauthorized access to networks for
purposes of theft, sabotage, or espionage. There are many types of malware, and
many cyberattacks use a combination of several types to achieve their goals.

Malware is usually introduced into a network through phishing, malicious attachments,
or malicious downloads, but it may gain access through social engineering or flash
drives as well.

How a computer worm works

Like any malware, a computer worm requires a human being to initiate the infection. The
primary vectors of infection are email and websites. A worm can be embedded in a
compromised email attachment or link within the message and often comes as part of a
phishing scheme , where the infected file is masquerading as something legitimate, like a
document or spreadsheet. Less commonly, worms can be installed if you visit a
compromised website and click a link that activates the worm.

After the worm has been installed on your computer, it goes to work making copies of itself.
Some are programmed to automatically infect any computer on the same local network.
Worms might also be able to infect any device that connects to that computer
automatically.

How you can avoid getting infected with a worm

Once infected, you can try to remove it in the same way as any malware with antivirus or
anti-malware software. Likewise, you can avoid getting infected to begin with in the same
way: by taking common-sense precautions to avoid malware.

• Keep your computer up to date by manually updating Windows or letting it install
automatic updates. This can have a substantial impact on limiting your security
vulnerabilities.
• Use some kind of antivirus or anti-malware software. You can use the virus and
threat protection built into Windows or employ more comprehensive third-party
antivirus apps.
• Be careful when you click links and open attachments. The same advice always
applies when it comes to malware: never click or open anything you do not trust,
whether it's in an email or on a website.

How to Prevent Computer Worms


1. Install good Anti-virus Software
2. Don’t Download Suspicious Email Attachments
3. Never Download Software from Unreliable Websites
4. Keep All Software Updated
5. Never Open Suspicious Email Attachments
6. Regularly Backup your Important Files

7. Regularly Scan your Computer
8. Use a Firewall
9. Use SSL Certificate
10. Avoid Unsolicited Email

The use of a Firewall

If your computer's ports are open, then a malicious script can be sent by an attacker to gain
unauthorized access. The Windows firewall can act as a simple defence by closing all ports.

Tips
• In Windows operating system, this can be found by navigating to:
o First, Choose Start→ Control Panel→ System and Security→ Windows
Firewall.
o Then, click the Turn Windows Firewall On or off link in the left pane of
the window.
o Select the Turn on Windows Firewall radio button for one or both of the
network locations.
o And Click OK.
• You can also use a web application firewall to protect your software application from
cyber threats.

The use of SSL Certificate

Secure Sockets Layer (SSL) is a global standard web security protocol which creates a secure
connection between a website and a browser. SSL ensures that all data passed between a web
server and browser remains encrypted and secure. This encryption prevents
hackers from stealing sensitive information such as credit card details, names and addresses.

If a site is secured by SSL, then a padlock is displayed or the address bar shows the URL
as HTTPS instead of HTTP.

How does a computer worm spread in a network?

Worms can be transmitted via software vulnerabilities, or they could arrive as attachments in
spam emails or instant messages (IMs). Once opened, these files could provide a link to a
malicious website or automatically download the computer worm.

Does a worm spread through a network?

Worms are more infectious than traditional viruses. They not only infect the local computer,
but also all servers and clients on the network reachable from the local computer. Worms can
easily spread through shared folders, e-mails, malicious web pages, and servers with a large
number of vulnerabilities in the network.

How to Remove Computer Worms

To remove a computer worm, install antivirus software and run a scan for computer viruses
and worms. Once viruses and worms are detected, they will be deleted by the antivirus, and
your computer will be completely safe to use.

Finally, use antivirus software and keep it updated in order to protect against computer
worms. We have discussed the important tips on how to prevent computer worms.

What do you mean by Trojan?

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data,
and gain backdoor access to your system.

A Trojan horse is not a virus. It is a destructive program that looks like a genuine application.
Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.

How to protect yourself against Computer Viruses and Worms

It’s recommended that you install anti-malware software on all of your devices – including
PCs, laptops, Macs and smartphones – and that your anti-malware solution receives regular
updates, in order to protect against the latest threats. A good anti-malware product – such as
Kaspersky Anti-Virus – will detect and prevent virus and worm infections on your PC, while
Kaspersky Internet Security for Android is an excellent choice for protecting Android
smartphones.

3.2: Firewalls

➢ A firewall is a security tool designed to monitor incoming and outgoing network
traffic based on security rules and protect your system. Its main purpose is to
create a barrier between the internal and external networks in order to protect
against cyber threats.
➢ A device that selectively discriminates against information flowing into or out of the
organization
✓ A computing device
✓ Specially configured computer
➢ Combines with routers to define the organisation’s network perimeter.
➢ Serves as the front-line defense between the organisation and outside networks.
➢ Can act singly or form a group of firewalls called a firewall subnet.
➢ Comes in three versions:
✓ Operating system
✓ Software
✓ Basic input/output system (BIOS) firmware

3.2: Types of Firewalls

➢ Packet filtering
➢ Application gateways
➢ Circuit gateways
➢ MAC layer firewalls
➢ Hybrids
➢ Distributed Firewall

3.2.1 Packet Filters

➢ Simply called a filtering firewall, it examines the header information of data
packets that come into or go out of a network.
➢ A packet-filtering firewall installed on a TCP/IP-based network typically
functions at the IP level.
➢ It determines whether to drop a packet (deny) or forward it to the next network
connection (allow) based on the rules programmed into the firewall.
➢ Filters packets based on header information such as destination address, source
address, packet type, and other key information.
➢ It can be classified as:
✓ Static filtering
✓ Dynamic filtering
✓ Stateful inspection
✓ Dynamic stateful

A packet filtering firewall makes its decisions on the following header fields:

➢ IP source and destination address
➢ Direction (inbound or outbound)
➢ Protocol
➢ Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source

1. Static filtering:
➢ Requires that the filtering rules be developed and installed with the firewall.
➢ The rules are created and sequenced either by a person directly editing the rule
set or using a programmable interface.
➢ Changes to the rules require human intervention.
➢ It allows entire sets of one type of packet to enter in response to authorized
requests.
➢ This type of filtering is common in network routers and gateways.

2. Dynamic filtering:
➢ Reacts to emergent events or factors and updates or creates rules to deal with
that event.
➢ It allows only a particular packet with a particular source, destination, and port
address to pass through.
➢ This reaction could be
✓ Positive (allow)
OR
✓ Negative (deny), e.g. because a particular type of malformed packet was
detected.
➢ It is an intermediate form between traditional static packet filters and
application proxies.

3. Stateful (Inspection firewalls):

➢ Keeps track of each network connection between internal and external systems
using a state table.
➢ A state table tracks the state and context of each packet in the conversation by
recording which station sent what packet and when.
➢ Unlike simple packet-filtering firewalls that only allow or deny certain packets
based on their address, it can expedite incoming packets that are responses to
internal requests.
➢ It refers to its ACL to determine whether to allow the packet to pass if
information about the packet is not available in the state table.
Advantage of stateful firewalls:
➢ Can track connectionless packet traffic, such as UDP and remote procedure
call (RPC) traffic
Disadvantage of stateful firewalls:
➢ The additional processing required to manage and verify packets against the
state table can be exploited to mount a DoS or DDoS attack
4. Dynamic stateful:
➢ Keeps a dynamic state table to make changes (within predefined limits) to the
filtering rules based on events as they happen.
➢ The state table contains the familiar information: source IP address and
port.
➢ It also holds additional information on the protocol, total time in seconds, and
time remaining in seconds.
➢ Many state table implementations allow entries in the state table to time out.
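As an added example (not code from the course notes), the following Python sketch models the stateful and dynamic stateful behaviour described above: a state table keyed by the connection 5-tuple, expedited replies, ACL fallback with default deny, and idle-entry timeouts. The internal network, the ACL entries and the packets are constructed for the demonstration.

```python
"""Added example (not from the course notes): a toy stateful packet filter.
A state table keyed by the 5-tuple records which station sent what and when;
replies to tracked requests are expedited without consulting the ACL, unknown
inbound packets fall back to the ACL (default deny), and idle entries time out
(the dynamic stateful variant). Network, ACL and packets are constructed."""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed
STATE_TIMEOUT = 60  # seconds an entry may stay idle before it expires

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    def __init__(self, acl, now=0):
        self.acl = set(acl)  # (proto, dst_port) outside hosts may initiate to
        self.state = {}      # (proto, src, sport, dst, dport) -> last seen
        self.now = now

    def tick(self, seconds):
        self.now += seconds  # advance the clock; expiry runs on next packet

    def _expire(self):
        self.state = {k: t for k, t in self.state.items()
                      if self.now - t <= STATE_TIMEOUT}

    def process(self, p):
        """Return 'allow' or 'deny' for p and update the state table."""
        self._expire()
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if rev in self.state or key in self.state:
            # Reply or follow-up in a tracked conversation: expedite it.
            self.state[rev if rev in self.state else key] = self.now
            return "allow"
        if (ipaddress.ip_address(p.src_ip) in INTERNAL_NET
                or (p.proto, p.dst_port) in self.acl):
            # New internal request, or inbound service the ACL permits:
            # open a state entry so its replies will be expedited.
            self.state[key] = self.now
            return "allow"
        return "deny"  # nothing matched: default deny

def demo():
    """Constructed DNS exchange plus inbound probes; returns the decisions."""
    fw = StatefulFilter(acl={("tcp", 443)})
    query = Packet("udp", "10.0.0.5", 40000, "203.0.113.9", 53)
    reply = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 40000)
    stray = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 40001)
    web = Packet("tcp", "198.51.100.7", 5555, "10.0.0.80", 443)
    ssh = Packet("tcp", "198.51.100.7", 5556, "10.0.0.80", 22)
    decisions = [fw.process(x) for x in (query, reply, stray, web, ssh)]
    fw.tick(STATE_TIMEOUT + 1)           # every entry is now idle too long
    decisions.append(fw.process(reply))  # late reply: its state has expired
    return decisions

if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'allow', 'deny', 'deny']
```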

3.2.2 Application-Level Filtering

➢ An application-level firewall is also known as an application gateway firewall,
application firewall or proxy firewall.
➢ It works at the application layer.
➢ It is frequently installed on a dedicated computer, separate from the filtering
router.
➢ It is commonly used in conjunction with a filtering router.
➢ The application firewall is also known as a proxy server since it runs special
software that acts as a proxy for a service request.
➢ This technique is still widely used to implement electronic commerce
functions.
➢ Most users of application firewall have upgraded to take advantage of the DMZ
approach.
Disadvantages
➢ They are designed for one or a few specific protocols and cannot easily be
reconfigured to protect against attacks on other protocols.
➢ That is, since application firewalls work at the application layer they are
typically restricted to a single application (e.g., FTP, Telnet, HTTP or SMTP).

3.2.3 Circuit-Level Gateways

➢ The circuit gateway firewall operates at the transport layer.
➢ These firewalls prevent direct connections between one network and another.
➢ They accomplish this by creating tunnels connecting specific processes or
systems on each side of the firewall.
➢ Only authorized traffic, such as a specific type of TCP connection for authorized
users, utilizes the tunnels.
➢ They are a firewall component often included in the category of application
firewalls, but are in fact a separate type of firewall.

3.2.4 Media Access Control Layer Firewall

It is not as well known or widely referenced as the other firewall approaches.
It is designed to operate at the media access control sublayer of the data link layer (Layer 2)
of the OSI network model.
This enables these firewalls to consider the specific host computer’s identity, using its MAC
or NIC address, in their filtering decisions.
It links the addresses of specific host computers to ACL entries that identify the specific types
of packets that can be sent to each host, and blocks all other traffic.

3.2.5 Hybrid Firewalls

It combines the elements of other types of firewalls - that is, the elements of packet filtering
and proxy services, or of packet filtering and circuit gateways.
A hybrid firewall system may actually consist of two separate firewall devices; each is a
separate firewall system, but they are connected so that they work in tandem.
An added advantage to the hybrid firewall approach is that it enables an organization to make
a security improvement without completely replacing its existing firewalls.

3.2.6 Distributed Firewalls

➢ Each individual host enforces the security policy; however, the policy itself is
set by a central management node.
➢ The administrator creates security rules and ships them out to every host
within its management domain.
Advantages
➢ Lack of a central point of failure
➢ The ability to protect machines that aren't inside a topologically isolated space
e.g. telecommuters' machines.

3.3: What Firewalls Cannot Do

➢ Employee misconduct or carelessness cannot be controlled by firewalls, e.g.
password issues, management issues and errors from other endpoint devices.
➢ Also, a firewall cannot prevent attacks on the network resulting from social
engineering or dumpster diving (garbology).
➢ Firewalls are useless against attacks from the inside, e.g. a legitimate user who
has turned to the dark side.
➢ Each firewall acts at one layer of the protocol stack, which means that it is not
looking at anything at higher layers.
➢ Another firewall problem is that of transitive trust. You have it whether you like
it or not. If A trusts B through its firewall, and B trusts C, then A trusts C,
whether it wants to or not (and whether it knows it or not).
➢ A firewall cannot prevent individual users with modems from dialing into or
out of the network, bypassing the firewall altogether.
➢ A firewall may have errors, or not work as expected. The best administration can
do nothing to counter a firewall that does not operate as advertised.

3.4 Demilitarized Zone (DMZ) and Proxy Servers

In addition to using firewalls, organization resources and perimeter networks can be protected
by using other security devices and configurations such as a demilitarized zone and proxy
servers.

3.4.1 Demilitarized Zone

➢ The Demilitarized Zone (DMZ) is frequently referred to as a buffer against outside
attacks.
➢ The DMZ is a no-man’s-land between the inside and outside networks.
➢ It is also where some organizations place Web servers, without allowing Web
requests to enter the interior networks.

3.4.2 Proxy Servers

➢ A proxy server is an alternative to firewall subnets or DMZs.
➢ It performs actions on behalf of another system.
➢ It gives requestors the response they need without allowing them to gain direct
access to the internal and more sensitive server.
➢ The proxy server may be hardened and become a bastion host placed in the
public area of the network, or it might be placed within the firewall subnet or
the DMZ for added protection.
➢ For more frequently accessed web pages, proxy servers can cache or
temporarily store the page, and thus are sometimes called cache servers.

3.5 Implementing policies (Default allow, Default deny) on proxy

➢ Once the firewall architecture and technology have been selected, the
organization must provide for the initial configuration and ongoing
management of the firewall(s).
➢ Good policy and practice dictate that each firewall device must have its own
set of configuration rules.
➢ Whitelist (default deny) - configures the firewall to allow only the traffic specified
in a list accessible to the firewall, and block all other traffic.
➢ Blacklist (default allow) - configures the firewall to stop all traffic contained in a
list accessible to the firewall (e.g. known bad IP addresses), and allow all other
traffic.
➢ Configuration of firewall policies can be complex and difficult
➢ When security rules conflict with the performance of business, security often
loses
➢ Organizations are much more willing to live with potential risk than certain
failure
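The whitelist (default deny) and blacklist (default allow) policies above, as an added example that is not from the course notes: a first-match rule evaluator with an explicit default policy, plus a check for rules that an earlier rule shadows, which is one reason firewall configuration is complex. All networks, ports and rules are constructed.

```python
"""Added example (not from the course notes): a first-match firewall rule set
with an explicit default policy, and a check for rules that can never fire
because an earlier rule already covers them. All networks, ports and rules
are constructed for the demonstration."""
import ipaddress

class Rule:
    def __init__(self, action, src, dst, ports):
        self.action = action                  # "allow" or "deny"
        self.src = ipaddress.ip_network(src)  # source CIDR
        self.dst = ipaddress.ip_network(dst)  # destination CIDR
        self.ports = ports                    # (low, high), inclusive

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True if every packet `other` matches is also matched by self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])

def decide(rules, default, src_ip, dst_ip, port):
    """First matching rule wins; `default` applies when none matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default

def shadowed_rules(rules):
    """Indices of rules that some earlier rule completely covers."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]

# Whitelist / default deny: only the listed services are reachable.
WHITELIST = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", (443, 443)),  # public web
    Rule("allow", "10.0.0.0/8", "192.0.2.20/32", (22, 22)),   # internal admin
]
# Blacklist / default allow: everything passes except known bad sources.
BLACKLIST = [
    Rule("deny", "198.51.100.0/24", "0.0.0.0/0", (0, 65535)),
]
# A broad rule placed first makes the more specific deny below it dead.
MISORDERED = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", (1, 1024)),
    Rule("deny", "198.51.100.0/24", "192.0.2.10/32", (22, 22)),
]

def demo():
    same = ("203.0.113.5", "192.0.2.20", 22)   # outsider to admin SSH
    return {
        "whitelist": decide(WHITELIST, "deny", *same),
        "blacklist": decide(BLACKLIST, "allow", *same),
        "dead_rules": shadowed_rules(MISORDERED),
    }

if __name__ == "__main__":
    print(demo())  # {'whitelist': 'deny', 'blacklist': 'allow', 'dead_rules': [1]}
```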

Unit 4
SECURITY CONTROLS
❑ Intrusion Detection and Prevention Systems
❑ Honeypots and Honeynet
❑ Padded Cell Systems
❑ Trap-and-Trace Systems
❑ Scanning and Analysis Tools
➢ Port Scanners
➢ Firewall Analysis Tools
➢ Detecting Operating System
❑ Biometric Access Controls
➢ Signature Recognition
➢ Voice Recognition
➢ Problem with Biometric
➢ Measuring Biometric Effectiveness

4.1: Intrusion Detection and Prevention Systems

➢ Protects organisation resources from possible attacks.
➢ Detects unauthorized activity within the inner network or on individual machines
➢ The prevention component enables IDPSs to create a new filtering rule that severs
communications or other activity, as configured by the administrator
➢ Host-based, Network-based or Hybrid

Host-based IDPSs
➢ Protects by monitoring the status of various files stored on those machines.
➢ Learns the configuration of the system and assigns priorities to various files depending
on their value
➢ Alerts the administrator of suspicious activity.
➢ Uses a catalog of common attack signatures
➢ Uses a database of file attributes
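An added example, not from the course notes, of the file-attribute database a host-based IDPS keeps: a baseline of size, permission bits and SHA-256 per file, a rescan, and alerts prioritised by an assumed per-file value table. The directory contents are constructed in a temporary folder.

```python
"""Added example (not from the course notes): the file-attribute database a
host-based IDPS keeps. A baseline snapshot records size, permission bits and
SHA-256 per file; a later scan reports files modified, added or removed, with
the alert priority taken from an assumed per-file value table."""
import hashlib
import tempfile
from pathlib import Path

def file_attributes(path):
    st = path.stat()
    return {"size": st.st_size,
            "mode": st.st_mode & 0o777,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def baseline(root):
    """Walk `root` and return {relative posix path: attributes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_attributes(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old, new, priorities=None, default_priority="low"):
    """Return (priority, change, path) alerts for every difference."""
    priorities = priorities or {}
    alerts = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            change = "removed"
        elif rel not in old:
            change = "added"
        elif old[rel] != new[rel]:
            change = "modified"   # size, mode or hash differs
        else:
            continue
        alerts.append((priorities.get(rel, default_priority), change, rel))
    return alerts

def demo():
    """Constructed scenario in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "notes.txt").write_text("hello\n")
        before = baseline(root)
        # Simulated changes: a watched file is edited, a new file appears.
        (root / "etc" / "passwd").write_text("root:x:0:0\nextra:x:0:0\n")
        (root / "dropped.bin").write_bytes(b"\x00" * 16)
        after = baseline(root)
        return compare(before, after, priorities={"etc/passwd": "high"})

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```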

Network-based IDPSs
➢ Looks at patterns of network traffic and attempts to detect unusual activity based on
previous baselines.
➢ Uses a catalog of common attack signatures
➢ Uses a database of normal network activities
Examples of network attack detection
✓ IP spoofing
✓ High volumes of traffic going to outside addresses (data theft)
✓ Floods of traffic coming into the network (DDoS).

4.2: Honeypots and honeynet

➢ Honeypots are decoy systems designed to lure potential attackers away from critical
systems.
➢ A honeynet is a collection of honeypots within a sub network.
➢ Otherwise known as:
✓ padded cell systems
✓ in industry: decoys, lures, and fly-traps
➢ Contains pseudo-services that emulate well-known services.
➢ It is configured in ways that make it look vulnerable to attacks.
➢ Lures potential attackers into committing an attack, thereby revealing
themselves.

Purpose of Honeypot
➢ Divert an attacker from critical systems.
➢ Collect information about the attacker’s activity.
➢ Encourage the attacker to stay on the system long enough for administrators to:
✓ Document the event
✓ Perhaps respond
Honeypots are instrumented with:
✓ sensitive monitors
✓ event loggers

4.3: Padded Cell Systems

➢ A padded cell is a honeypot that has been protected so that it cannot be
easily compromised, in other words, a hardened honeypot.
➢ It operates in tandem with a traditional IDPS
➢ Like honeypots, padded cells are well-instrumented
➢ It is important to seek guidance from legal counsel before deciding to use one,
because a back hack or counterstrike can lead to a lawsuit.

Advantages of Honeypots and Padded Cells

➢ Attackers can be diverted to targets that they cannot damage.
➢ Administrators have time to decide how to respond to an attacker.
➢ Attacker’s actions can be easily and more extensively monitored, and the records
can be used to refine threat models and improve system protections.
➢ Honeypots may be effective at catching insiders who are snooping around a
network.

Disadvantages of Honeypots and Padded Cells

➢ The legal implications of using such devices are not well understood.
➢ Honeypots and padded cells have not yet been shown to be generally useful
security technologies.
➢ An expert attacker, once diverted into a decoy system, may become angry and
launch a more aggressive attack against an organization’s systems.
➢ Administrators and security managers need a high level of expertise to use these
systems.

4.4: Trap-and-Trace Systems

➢ It is a combination of techniques to detect an intrusion and then trace it back to
its source.
➢ The trap usually consists of a honeypot or padded cell and an alarm.
➢ The trace feature is an extension to the honeypot or padded cell approach.
➢ The trace (similar to caller ID) is a process by which the organization attempts to
identify an entity discovered in unauthorized activity:
✓ An internal intruder can be turned over to internal authorities.
✓ Tracing an external intruder leads to numerous legal issues.

4.5: Scanning and Analysis Tools

➢ Part of defense-in-depth
➢ Scanning and analysis tools can find vulnerabilities in
✓ systems
✓ holes in security components
✓ unsecured aspects of the network

4.5.1 Port Scanners

➢ Port scanning utilities are tools used by both attackers and defenders to
✓ identify active computers in a network
✓ recognize the ports open on a computer (65,536 port numbers are in use for
TCP and for UDP)
✓ get the services active on computers
✓ know the functions and roles the computer is fulfilling
✓ other useful information
➢ These tools can scan for:
✓ specific types of computers
✓ protocols
✓ resources
✓ or scans can be generic.

➢ nbtstat is used to identify a Windows computer in a typical network.
➢ Nmap runs on both Unix and Windows systems.

4.5.2 Firewall Analysis Tools

➢ Firewall administration is an important step in security administration
➢ Firewall analysis tools allow the administrator to:
✓ know the location of firewalls
✓ automate the remote discovery of firewall rules
✓ assist the user in analyzing the rules to determine exactly what they allow
and what they reject
➢ Examples of such tools:
✓ Nmap
✓ Firewalk
✓ HPING


4.5.3 Detecting Operating System

➢ Detecting a target computer’s operating system is very valuable to an attacker
➢ Once the OS is known, its vulnerabilities can be determined
➢ Xprobe uses the Internet Control Message Protocol (ICMP) to determine the remote
OS
➢ XProbe sends many different ICMP queries to the target host
➢ XProbe matches the responses from the target host with known responses.
➢ Most OSs have a unique way of responding to ICMP requests.
Remedy:
➢ Restrict the use of ICMP through the organization’s firewalls.

4.6: Biometric Access Controls

➢ It is based on the use of some measurable human characteristics or traits to
authenticate a user’s identity.
➢ It relies on the same traits we use to identify friends, family etc.
➢ It will have a significant impact in the future as the technical and ethical issues
with it are resolved.
Biometric authentication technologies
➢ Fingerprint
➢ Palm print
➢ Hand geometry
➢ Retinal print
➢ Iris pattern
➢ Voice recognition
➢ Facial recognition (photographic ID card, digital camera)

Only three human characteristics are usually considered truly unique.

➢ Fingerprints
➢ Retina of the eye (blood vessel pattern)
➢ Iris of the eye (random pattern of features found in the iris, including freckles,
pits, striations, vasculature, coronas, and crypts)

4.6.1. Signature Recognition

➢ Signature recognition is a biometric access control measure.
➢ It has become commonplace, for example in retail stores.
➢ The user signs a digital pad with a special stylus that captures the signature.
➢ The signature is either saved or compared with a signature in a database for
validation.
➢ Signatures change due to age, fatigue and the speed with which the signature is
written.

4.6.2. Voice Recognition

➢ A voiceprint of the user reciting a phrase is captured and stored.
➢ The authentication process requires the user to speak this same phrase for
comparison against the stored value.

4.6.3. Problems with Biometrics
➢ Some human characteristics can change over time, due to:
✓ normal development
✓ injury
✓ illness
Remedy:
System designers must create fallback or failsafe authentication mechanisms.

4.6.4 Measuring Biometric Effectiveness

Three basic criteria:
➢ False reject rate: which is the percentage of supplicants who are in fact
authorized users but are denied access
➢ False accept rate: which is the percentage of supplicants who are unauthorized
users but are granted access
➢ Crossover error rate: which is the level at which the number of false rejections
equals the false acceptances.
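The three criteria above worked through on constructed matcher scores, as an added example that is not from the course notes. Every observed score is tried as the acceptance threshold to locate the crossover point; the 0..100 score scale and the score lists are assumptions.

```python
"""Added example (not from the course notes): computing the three criteria from
constructed matcher scores (0..100). Genuine scores come from authorized users,
impostor scores from unauthorized supplicants; a supplicant is accepted when
the score reaches the threshold."""

def false_reject_rate(genuine, threshold):
    """Fraction of authorized users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)

def false_accept_rate(impostor, threshold):
    """Fraction of unauthorized supplicants whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)

def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return (threshold, CER),
    the operating point where FRR and FAR are closest to equal."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

# Constructed scores; a real evaluation would use thousands of each.
GENUINE = [92, 88, 75, 95, 81, 68, 90, 84, 77, 86]
IMPOSTOR = [35, 52, 41, 70, 29, 63, 48, 38, 74, 45]

def demo():
    """(FRR, FAR) at a strict and a lax threshold, plus the crossover point.
    Raising the threshold lowers FAR but raises FRR, and vice versa."""
    strict, lax = 80, 60
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    return {
        "strict": (false_reject_rate(GENUINE, strict),
                   false_accept_rate(IMPOSTOR, strict)),
        "lax": (false_reject_rate(GENUINE, lax),
                false_accept_rate(IMPOSTOR, lax)),
        "crossover": (t, cer),
    }

if __name__ == "__main__":
    print(demo())
```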
