Chapter-1 : Computer Security – Gscheme -- 2014

Chapter-1 INTRODUCTION TO COMPUTER SECURITY AND SECURITY TRENDS
Syllabus --- 22 Marks ---- 10 Hours

Objectives:
To understand the CIA model.
To identify risks and threats.
To understand security attacks.

Contents:
1.1. Definition of Computer Security, Need for security, Security basics: Confidentiality, Integrity, Availability, Accountability, Non-repudiation. Examples of Security, Challenges for security, Model for Security.
1.2. Risk and Threat Analysis: Assets, Vulnerability, Threats, Risks, Countermeasures.
1.3. Threats to Security: Viruses and Worms, Intruders, Insiders, Criminal organizations, Terrorists, Information warfare, Avenues of attack, Steps in an attack.
1.4. Security attacks: Active and Passive attacks, Denial of service, Backdoors and trapdoors, Sniffing, Spoofing, Man in the middle, Replay, TCP/IP Hacking, Encryption attacks.
1.5. Malware: Viruses, Logic bombs.

Q. What does computer security mean?
Ans. Computer security is the branch of information security that applies to computers and networks. Its objective is to protect information and property from theft, corruption, or natural disaster, while keeping that information and property accessible and productive for its intended users.
The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from disclosure, tampering or collapse caused by unauthorized activities, untrustworthy individuals, or unplanned events.
The strategies and methods of computer security often differ from those of most other computer technologies because of their somewhat elusive objective: preventing unwanted computer behavior rather than enabling wanted computer behavior.

Q. What is Data Security?
Ans. Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.
Thus data security helps to ensure privacy and protects personal data.
Data security technologies include:
Disk encryption
Hardware-based mechanisms for protecting data
Backups
Data masking
Data erasure

Prepared By : Prof.Manoj S. Kavedia ---- 9324258878 – 9860174297 --- Computer Security 1

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are subtle differences between them, lying primarily in the approach to the subject, the methodologies used, and the areas of concentration.
Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business.
Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensic science, to name a few; this work is carried out by information security consultants.

Q. What is Network Security?
Ans. In the field of networking, the specialist area of network security consists of the provisions made in the underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent, continuous monitoring and measurement of their effectiveness (or lack of it), taken together.
Network security concepts
Network security starts with authenticating the user, commonly with a username and a password. Since this requires just one thing besides the user name, i.e. the password, which is something you 'know', this is termed one-factor authentication. With two-factor authentication something you 'have' is also used (e.g. a security token or 'dongle', an ATM card, or your mobile phone), and with three-factor authentication something you 'are' is also used (e.g. a fingerprint or retinal scan).
Once authenticated, a firewall enforces access policies such as which services the network users are allowed to access.
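As an added example (not part of the original notes), the following Python models the firewall's job just described: a first-match rule list is consulted for every connection and a default decision applies when no rule matches. The networks, hosts and services are constructed for illustration, and the weakened variant shows what a default-allow stance leaks.

```python
"""Added example: a first-match packet-filter policy engine.

Not code from the original notes. Addresses, networks and services are
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the connection comes from
    dst: str               # CIDR of the server being reached
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
           dport: int, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.comment
    return default, "no rule matched: policy default"


# Constructed policy: users on the LAN may reach the web and mail servers
# in the DMZ, only the admin jump host may SSH in, everything else is dropped.
LAN = "10.0.0.0/8"
DMZ = "192.168.100.0/24"
ADMIN_JUMPHOST = "10.0.5.10/32"
POLICY: List[Rule] = [
    Rule("allow", LAN, DMZ, "tcp", 443, "users -> intranet web"),
    Rule("allow", LAN, DMZ, "tcp", 25, "users -> mail relay"),
    Rule("allow", ADMIN_JUMPHOST, DMZ, "tcp", 22, "admins -> ssh"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "explicit catch-all"),
]


def weak_policy() -> List[Rule]:
    """The same list with the catch-all removed. Evaluated with default="allow"
    it exposes every service nobody thought to list, e.g. a database port."""
    return POLICY[:-1]


if __name__ == "__main__":
    # Constructed connection attempts: (source, destination, proto, port)
    attempts = [
        ("10.0.1.7", "192.168.100.20", "tcp", 443),
        ("10.0.1.7", "192.168.100.20", "tcp", 22),
        ("10.0.5.10", "192.168.100.20", "tcp", 22),
        ("203.0.113.5", "192.168.100.20", "tcp", 443),
        ("10.0.1.7", "192.168.100.20", "tcp", 3306),
    ]
    for a in attempts:
        print(a, "strict:", decide(POLICY, *a)[0],
              "weak/default-allow:", decide(weak_policy(), *a, default="allow")[0])
```

With the explicit catch-all and a deny default, only the listed services are reachable; the weakened list run with a default of allow lets a database port through that nobody intended to expose. Note that the engine looks only at addresses, protocol and port: it says nothing about what the permitted connection carries, which is the limitation discussed below.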
Though effective at preventing unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. Anti-virus software or an intrusion prevention system (IPS) helps detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network and its traffic for unexpected (i.e. suspicious) content or behavior and other anomalies to protect resources, e.g. from denial of service attacks or an employee accessing files at strange times. Individual events occurring on the network may be logged for audit purposes and for later high-level analysis.
Communication between two hosts using a network can be encrypted to maintain privacy.
Honeypots, essentially decoy network-accessible resources, can be deployed in a network as surveillance and early-warning tools. Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis can be used to further tighten the security of the actual network being protected by the honeypot.

Q. What does "Secure" mean?
Ans. How do we protect our most valuable assets? One option is to place them in a safe place, like a bank. We seldom hear of a bank robbery these days, even though it was once a fairly lucrative undertaking. In the past, communications and transportation were primitive enough that it might have been hours before the legal authorities were informed of a robbery and days before they could actually arrive at the scene of the crime, by which time the robbers were long gone. To control the situation, a single guard for the night was only marginally effective. Should you have wanted to commit a robbery, you might have needed only a little common sense and perhaps several days to analyze the situation; you certainly did not require much sophisticated training.
Indeed, you usually learned on the job, assisting other robbers in a form of apprenticeship. On balance, all these factors tipped very much in favor of the criminal, so bank robbery was, for a time, considered to be a profitable business. Protecting assets was difficult and not always effective.
Today, however, asset protection is easier, with many factors working against the potential criminal. Very sophisticated alarm and camera systems silently protect secure places like banks whether people are around or not. The techniques of criminal investigation have become so effective that a person can be identified by genetic material (DNA), fingerprints, retinal patterns, voice, a composite sketch, ballistics evidence, or other hard-to-mask characteristics. The assets are stored in a safer form. For instance, many bank branches now contain less cash than some large retail stores because much of a bank's business is conducted with checks, electronic transfers, credit cards, or debit cards. Sites that must store large amounts of cash or currency are protected with many levels of security: several layers of physical systems, complex locks, multiple-party systems requiring the agreement of several people to allow access, and other schemes. Significant improvements in transportation and communication mean that police can be at the scene of a crime in minutes; dispatchers can alert other officers in seconds about the suspects to watch for. From the criminal's point of view, the risk and required sophistication are so high that there are usually easier ways than bank robbery to make money.

Q. Describe the terms Interception, Interruption, Modification and Fabrication related to threats
Ans. An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system.
Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. Although a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.
In an interruption, an asset of the system becomes lost, unavailable, or unusable. Examples are malicious destruction of a hardware device, erasure of a program or data file, or malfunction of an operating system file manager so that it cannot find a particular disk file.
If an unauthorized party not only accesses but tampers with an asset, the threat is a modification. For example, someone might change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically. It is even possible to modify hardware. Some cases of modification can be detected with simple measures, but other, more subtle, changes may be almost impossible to detect.
Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system. The intruder may insert spurious transactions into a network communication system or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.
These four classes of threats, interception, interruption, modification, and fabrication, describe the kinds of problems we might encounter.

Q. Describe the terms Confidentiality, Integrity, Availability related to Security
Ans. Security Goals
We use the term "security" in many ways in our daily lives. A "security system" protects our house, warning the neighbors or the police if an unauthorized intruder tries to get in. "Financial security" involves a set of investments that are adequately funded; we hope the investments will grow in value over time so that we have enough money to survive later in life. And we speak of children's "physical security," hoping they are safe from potential harm. Just as each of these terms has a very specific meaning in the context of its use, so too does the phrase "computer security." When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability.
Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By "access," we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy.
Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.
Availability means that assets are accessible to authorized parties at appropriate times. In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented. For this reason, availability is sometimes known by its opposite, denial of service.
Security in computing addresses these three goals. One of the challenges in building a secure system is finding the right balance among the goals, which often conflict. For example, it is easy to preserve a particular object's confidentiality in a secure system simply by preventing everyone from reading that object. However, this system is not secure, because it does not meet the requirement of availability for proper access. That is, there must be a balance between confidentiality and availability.

Confidentiality
You may find the notion of confidentiality to be straightforward: only authorized people or systems can access protected data. However, as we see in later chapters, ensuring confidentiality can be difficult. For example, who determines which people or systems are authorized to access the current system? By "accessing" data, do we mean that an authorized party can access a single bit? The whole collection? Pieces of data out of context? Can someone who is authorized disclose those data to other parties? Confidentiality is the security property we understand best because its meaning is narrower than the other two. We also understand confidentiality well because we can relate computing examples to those of preserving confidentiality in the real world.

Integrity
Integrity means different things in different contexts. When we survey the way some people use the term, we find several different meanings. For example, if we say that we have preserved the integrity of an item, we may mean that the item is
precise
accurate
unmodified
modified only in acceptable ways
modified only by authorized people
modified only by authorized processes
consistent
internally consistent
meaningful and usable
Integrity can also mean two or more of these properties. Welke and Mayfield recognize three particular aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction. Integrity can be enforced in much the same way as confidentiality: by rigorous control of who or what can access which resources in what ways. Some forms of integrity are well represented in the real world, and those precise representations can be implemented in a computerized environment. But not all interpretations of integrity are well reflected by computer implementations.

Availability
Availability applies both to data and to services (that is, to information and to information processing), and it is similarly complex. As with the notion of confidentiality, different people expect availability to mean different things. For example, an object or service is thought to be available if
It is present in a usable form.
It has capacity enough to meet the service's needs.
It is making clear progress, and, if in wait mode, it has a bounded waiting time.
The service is completed in an acceptable period of time.
We can construct an overall description of availability by combining these goals. We say a data item, service, or system is available if
There is a timely response to our request.
Resources are allocated fairly so that some requesters are not favored over others.
The service or system involved follows a philosophy of fault tolerance, whereby hardware or software faults lead to graceful cessation of service or to workarounds rather than to crashes and abrupt loss of information.
The service or system can be used easily and in the way it was intended to be used.
Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.
Because of the increased use of networks, two additional security goals have been added to the original three of the CIA triad:
1. Authentication: ensuring that an individual is who they claim to be. The need for this in an online transaction is obvious.
2. Non-repudiation: the ability to verify that a message has been sent and received and that the sender can be identified and verified. The requirement for this capability in online transactions should also be readily apparent.
Q. Write a short note on Non-repudiation
Ans. Non-repudiation refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract. The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".
Regarding digital security, the cryptographic meaning and application of non-repudiation shifts to mean:
A service that provides proof of the integrity and origin of data.
An authentication that can be asserted to be genuine with high assurance.
Proof of data integrity is typically the easiest of these requirements to accomplish. A cryptographic hash, such as SHA-2, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low. A hash on its own, however, does not protect data in transit: an attacker who can alter the data, for example through a man-in-the-middle attack or phishing, can simply recompute the hash over the altered data. For this reason, data integrity is best asserted when the recipient already possesses the necessary verification information (the expected hash, obtained over a trusted path), or when the hash is bound to a secret key (a message authentication code) or to the sender's private key (a digital signature).
The most common method of asserting the digital origin of data is through digital certificates, a form of public key infrastructure, to which digital signatures belong. Note that the public key scheme is not used for encryption in this form; confidentiality is not achieved by signing a message with a private key, since anyone can obtain the public key and recover the signed content. Verifying the digital origin means that the certified/signed data can be, with reasonable certainty, trusted to be from somebody who possesses the private key corresponding to the signing certificate. If the key is not properly safeguarded by the original owner, digital forgery can become a major concern.
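As an added example (not part of the original notes), the following Python shows the three integrity situations described above: a bare hash sent alongside the data, which an on-path attacker simply recomputes; a keyed hash (HMAC) that the attacker cannot recompute without the key; and a hash the recipient already holds from a trusted path. The message, the shared key and the tampering are constructed for illustration.

```python
"""Added example: why a bare hash gives no integrity in transit, and two fixes.

Not code from the original notes. Key, message and attacker are constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Scheme 1: message and its plain hash travel together (weak) ----------
def send_with_hash(msg: bytes) -> Tuple[bytes, str]:
    return msg, sha256_hex(msg)


def verify_with_hash(msg: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(msg), digest)


# --- Scheme 2: message and an HMAC under a key only the two parties hold ---
def send_with_mac(key: bytes, msg: bytes) -> Tuple[bytes, str]:
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_with_mac(key: bytes, msg: bytes, tag: str) -> bool:
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# --- Scheme 3: the receiver already holds the expected hash ---------------
def verify_against_known_hash(msg: bytes, known_digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(msg), known_digest)


def man_in_the_middle(msg: bytes, tamper: Callable[[bytes], bytes]) -> Tuple[bytes, str]:
    """An attacker on the path rewrites the message. Holding no key, the best
    it can do is attach a fresh plain hash of the new content."""
    new_msg = tamper(msg)
    return new_msg, sha256_hex(new_msg)


def demo() -> Dict[str, bool]:
    key = b"shared-secret-assumed-exchanged-out-of-band"   # constructed
    original = b"PAY 100.00 TO ACCOUNT 1234"                # constructed

    def tamper(m: bytes) -> bytes:
        return m.replace(b"1234", b"9999")

    # 1. Bare hash: the attacker recomputes it, so the receiver sees a valid pair.
    msg, digest = man_in_the_middle(send_with_hash(original)[0], tamper)
    hash_only_detected = not verify_with_hash(msg, digest)

    # 2. HMAC: the message is rewritten but no valid tag can be produced.
    msg, tag = send_with_mac(key, original)
    msg, tag = man_in_the_middle(msg, tamper)      # attacker's plain hash replaces the tag
    mac_detected = not verify_with_mac(key, msg, tag)

    # 3. Expected hash obtained over a trusted path before the data arrives.
    expected = sha256_hex(original)
    msg, _ = man_in_the_middle(original, tamper)
    out_of_band_detected = not verify_against_known_hash(msg, expected)

    return {
        "hash_only_detected": hash_only_detected,          # False: tampering passes
        "mac_detected": mac_detected,                      # True
        "out_of_band_hash_detected": out_of_band_detected, # True
    }


if __name__ == "__main__":
    for name, detected in demo().items():
        print(f"{name}: {'tampering detected' if detected else 'tampering NOT detected'}")
```

The HMAC case gives integrity and origin only among the holders of the shared key, and because the receiver could have produced the same tag it does not give non-repudiation; for that, origin must be bound to a private key that only the sender holds, i.e. a digital signature as described above, which this example does not implement.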
Non-repudiation can be obtained through the use of:
Digital signatures -- function as a unique identifier for an individual, much like a written signature.
Confirmation services -- the message transfer agent can create digital receipts to indicate that messages were sent and/or received.
Timestamps -- timestamps contain the date and time a document was composed and prove that a document existed at a certain time.

Q. Write a short note on Authentication
Q. State the need for Security
Q. Describe Examples of Security and Challenges
Q. Describe the Operational Model of Security
Ans. For many years, the focus of security was on prevention. If we could prevent somebody from gaining access to our computer systems and networks, then we assumed that we had obtained security. Protection was thus equated with prevention. While the basic premise of this is true, it fails to acknowledge the realities of the networked environment our systems are part of. No matter how well we seem to do in prevention technology, somebody always seems to find a way around our safeguards. When this happens, our system is left unprotected. What is needed is multiple prevention techniques and also technology to alert us when prevention has failed and to provide ways to address the problem. This results in a modification to our original security equation with the addition of two new elements, detection and response. Our security equation thus becomes:
Protection = Prevention + (Detection + Response)
Prevention: Access Control, Firewall, Encryption
Detection: Audit Logs, Intrusion Detection System, Honeypots
Response: Backups, Incident Response Team, Computer Forensics
This is known as the operational model of computer security. Every security technique and technology falls into at least one of the three elements of the equation. Examples of the types of technology and techniques that represent each are depicted in the figure, summarized above.

Q. Write a short note on Security Principles
Ans.
There are three ways an organization can choose to address the protection of its networks:
1) Ignore security issues,
2) Provide host security, and
3) Approach security at a network level.
The last two, host and network security, have prevention as well as detection and response components.
If an organization decides to ignore security, it has chosen to utilize the minimal amount of security that is provided with its workstations, servers, and devices. No additional security measures will be implemented. Each "out of the box" system has certain security settings that can be configured, and they should be. To actually protect an entire network, however, requires work in addition to the few protection mechanisms that come with systems by default.
Host security
Host security takes a granular view of security by focusing on protecting each computer and device individually instead of addressing protection of the network as a whole. When host security is used, each computer is relied upon to protect itself. If an organization decides to implement only host security and does not include network security, there is a high probability of introducing or overlooking vulnerabilities. Most environments are filled with different operating systems (Windows, UNIX, Linux, Macintosh), different versions of those operating systems, and different types of installed applications. Each operating system has security configurations that differ from other systems, and different versions of the same operating system may in fact have variations between them. Ensuring that every computer is "locked down" to the same degree as every other system in the environment can be overwhelming and often results in an unsuccessful and frustrating effort.
Least Privilege
One of the most fundamental approaches to security is least privilege.
This concept is applicable to many physical environments as well as to network and host security. Least privilege means that a subject (which may be a user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions. Limiting a subject's privileges limits the amount of harm that can be caused, thus limiting an organization's exposure to damage. Users may have access to the files on their workstations and a select set of files on a file server, but no access to critical data that is held within the database. This rule helps an organization protect its most sensitive resources and helps ensure that whoever is interacting with these resources has a valid reason to do so.
Different operating systems and applications have different ways of implementing rights, permissions, and privileges. Before they are actually configured, an overall plan should be devised and standardized methods developed to ensure that a solid security baseline is actually implemented. For example, a company may want all of the Accounting employees, but no one else, to be able to access employee payroll and profit margin spreadsheets held on a server. The easiest way to implement this is to create an Accounting group, put all Accounting employees in this group, and assign rights to the group instead of to each individual person. As another example, there may be a requirement to implement a hierarchy of administrators that perform different functions and require specific types of rights. Two people may be tasked with performing backups of individual workstations and servers; thus they do not need administrative permissions with full access to all resources. Three people may be in charge of setting up new user accounts and password management, which means they do not need full, or perhaps any, access to the company's routers and switches. Once these lines are delineated, indicating which subjects require which rights and permissions, it is much easier to configure settings to provide the least privileges for different subjects.
The concept of least privilege applies to more network security issues than just providing users with specific rights and permissions. When trust relationships are created, they should not be implemented in such a way that everyone trusts each other simply because it is easier. One domain should trust another for very specific reasons, and the implementers should have a full understanding of what the trust relationship allows between the two domains. If one domain trusts another, do all of the users automatically become trusted, and can they thus easily access any and all resources in the other domain? Is this a good idea? Is there a more secure way of providing the same functionality? If a trust relationship is implemented only so that users in one group can access a plotter or printer that is available in one domain, it might make sense to simply purchase another plotter so that other, more valuable or sensitive, resources are not accessible by the entire group.
Another issue that falls under the least privilege concept is the security context in which an application runs. All applications, scripts and batch files run in the security context of a specific user on an operating system. They execute with that user's permissions, as if they were the user.
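As an added example (not part of the original notes), the following Python models the least privilege rules just described: rights are granted to groups, a subject's effective rights are the union over its groups, anything not granted is denied, and a program does its work inside the security context of one subject. The users, groups and resources are constructed from the Accounting, backup-operator and account-administrator scenarios above.

```python
"""Added example: deny-by-default rights through group membership, and a
program running in a subject's security context.

Not code from the original notes. Users, groups and resources are constructed.
"""
from typing import Dict, Iterable, List, Set

READ, WRITE, BACKUP, ADMIN = "read", "write", "backup", "admin"

# Group membership (constructed from the scenarios in the notes).
GROUPS: Dict[str, Set[str]] = {
    "Accounting": {"alice", "bob"},
    "BackupOperators": {"carol", "dan"},          # the two backup people
    "AccountAdmins": {"erin", "frank", "gus"},    # the three account/password people
    "NetworkAdmins": {"hana"},
}

# Per-resource ACL: group -> rights. A group not listed has no rights at all.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "srv/payroll.xlsx": {"Accounting": {READ, WRITE}, "BackupOperators": {BACKUP}},
    "srv/profit-margins.xlsx": {"Accounting": {READ, WRITE}, "BackupOperators": {BACKUP}},
    "directory/user-accounts": {"AccountAdmins": {READ, WRITE}, "BackupOperators": {BACKUP}},
    "net/core-router-config": {"NetworkAdmins": {READ, WRITE, ADMIN}},
}


def groups_of(user: str) -> Set[str]:
    return {g for g, members in GROUPS.items() if user in members}


def effective_rights(user: str, resource: str) -> Set[str]:
    """Union of the rights of every group the user belongs to. An unknown
    resource, or a user in no listed group, yields the empty set: deny."""
    rights: Set[str] = set()
    for group in groups_of(user):
        rights |= ACL.get(resource, {}).get(group, set())
    return rights


def is_allowed(user: str, resource: str, right: str) -> bool:
    return right in effective_rights(user, resource)


class SecurityContext:
    """The identity a program runs as. Every operation the program attempts
    is checked against that identity, not against what the program wants."""

    def __init__(self, user: str) -> None:
        self.user = user

    def require(self, resource: str, right: str) -> None:
        if not is_allowed(self.user, resource, right):
            raise PermissionError(f"{self.user}: {right} on {resource} denied")


def backup_job(ctx: SecurityContext, resources: Iterable[str]) -> List[str]:
    """Copies each resource it is entitled to back up; stops at the first denial."""
    copied: List[str] = []
    for resource in resources:
        ctx.require(resource, BACKUP)
        copied.append(resource)
    return copied


def attempt(ctx: SecurityContext, resource: str, right: str) -> bool:
    """True if the operation would be permitted in this context."""
    try:
        ctx.require(resource, right)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    carol = SecurityContext("carol")
    print("backup job copied:", backup_job(carol, ["srv/payroll.xlsx", "directory/user-accounts"]))
    print("backup operator may edit payroll:", attempt(carol, "srv/payroll.xlsx", WRITE))
    print("account admin may read router config:",
          attempt(SecurityContext("erin"), "net/core-router-config", READ))
```

Running the backup job as `carol` lets it copy every file it is meant to copy and nothing more; had the job been run in an administrator's context, a compromise of the job would carry that context's full rights, which is the elevation the text warns about.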
The application may be Microsoft Word running in the context of a regular user, or it may be a diagnostic program that needs access to more sensitive system files and so must run under an administrative user account, or it may be a program that performs backups and so should operate within the security context of a backup operator. The crux of this issue is that programs should execute only in the security context that is needed for that program to perform its duties successfully. In many environments, people do not really understand how to make programs run under different security contexts, or it just seems easier to have them all run under the administrator account. If attackers can compromise a program or service running under the administrative account, they have effectively elevated their access level and have much more control over the system and many more possibilities to cause damage.
Layered Security
A bank does not protect the money that it stores only by using a vault. It has one or more security guards as a first defense to watch for suspicious activities and to secure the facility when the bank is closed. It may have monitoring systems that watch various activities that take place in the bank, whether involving customers or employees. The vault is usually located in the center of the facility, and thus there are layers of rooms or walls before arriving at the vault. There is access control, which ensures that the people entering the vault have been given authorization beforehand, and alarm systems, including manual switches, are connected directly to the police station in case a determined bank robber successfully penetrates any one of these layers of protection. Networks should utilize the same type of layered security architecture. There is no 100 percent secure system, and there is nothing that is foolproof, so a single specific protection mechanism should never be solely relied upon.
Every piece of software and every device can be compromised in some way, and every encryption algorithm can be broken, given enough time and resources. The goal of security is to make the effort of actually accomplishing a compromise more costly in time and effort than it is worth to a potential attacker.
As an example, consider the steps an intruder might have to take to access critical data held within a company's back-end database. The intruder will first need to penetrate the firewall and use packets and methods that will not be identified and detected by the intrusion detection system (more on these devices can be found in Chapter 8). The attacker will then have to circumvent an internal router performing packet filtering and possibly penetrate another firewall that is used to separate one internal network from another. From here, the intruder must break the access controls that are on the database, which means having to do a dictionary or brute-force attack to be able to authenticate to the database software. Once the intruder has gotten this far, the data still needs to be located within the database. This may in turn be complicated by the use of access control lists outlining who can actually view or modify the data. That is a lot of work.
This example illustrates the different layers of security many environments employ. It is important to implement several different layers because if intruders succeed at one layer, you want to be able to stop them at the next. The redundancy of different protection layers ensures that there is no single point of failure pertaining to security. If a network used only a firewall to protect its assets, an attacker successfully able to penetrate this device would find the rest of the network open and vulnerable. It is important that every environment have multiple layers of security.
These layers may employ a variety of methods such as routers, firewalls, network segments, IDSs, encryption, authentication software, physical security, and traffic control. The layers need to work together in a coordinated manner so that one does not impede another's functionality and introduce a security hole. Security at each layer can be very complex, and putting different layers together can increase the complexity exponentially. Although having layers of protection in place is very important, it is also important to understand how these different layers interact, either by working together or, in some cases, by working against each other.
One case of how different security methods can work against each other is exemplified when firewalls encounter encrypted network traffic. An organization may utilize encryption so that an outside customer communicating with a specific web server is assured that the sensitive data being exchanged is protected. If this data is encrypted within Secure Sockets Layer (SSL) and then sent through a firewall, the firewall will not be able to read the payload of the individual packets. This may enable the customer, or an outside attacker, to send malicious code or instructions through the SSL connection undetected. There are other mechanisms that can be introduced in these situations, such as designing web pages to accept information only in certain formats and having the web server parse the submitted data for malicious content. The important piece is to understand the level of protection that each layer provides and how each level of protection can be affected by things that take place in other layers.
The layers are usually depicted starting at the top with more general types of protection, and progressing downward through each layer, with increasing granularity at each layer as you get closer to the actual resource, as you can see in Figure 2-2.
This is because the top-layer protection mechanism is responsible for looking at an enormous amount of traffic, and it would be overwhelming and cause too much performance degradation if every aspect of each packet were inspected there. Instead, each layer digs deeper into the packet and looks for specific items. Layers that are closer to the resource handle only a fraction of the traffic that the top-layer mechanism does, so looking deeper and at more granular aspects of the traffic does not cause much of a performance hit.

Q.List and describe the security goals
Ans. A "security system" protects our house, warning the neighbors or the police if an unauthorized intruder tries to get in. "Financial security" involves a set of investments that are adequately funded; we hope the investments will grow in value over time so that we have enough money to survive later in life. And we speak of children's "physical security," hoping they are safe from potential harm. Just as each of these terms has a very specific meaning in the context of its use, so too does the phrase "computer security." When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability.

Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By "access," we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy.

Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.
Availability means that assets are accessible to authorized parties at appropriate times. In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented. For this reason, availability is sometimes known by its opposite, denial of service.

Security in computing addresses these three goals. One of the challenges in building a secure system is finding the right balance among the goals, which often conflict. For example, it is easy to preserve a particular object's confidentiality simply by preventing everyone from reading that object. However, such a system is not secure, because it does not meet the requirement of availability for proper access. There must be a balance between confidentiality and availability.

Q.Describe Assets, Vulnerability, Threat, Risk, Countermeasures
Ans. A security risk analysis is a procedure for estimating the risk to computer-related assets and the loss that would result from manifested threats. The procedure first determines an asset's level of vulnerability by identifying and evaluating the effect of in-place countermeasures. An asset's level of vulnerability to the threat population is determined solely by the countermeasures (controls or safeguards) that are in place at the time the risk analysis is done. Next, detailed information about the asset is used to determine the significance of the asset's vulnerabilities: how the asset is (or will be) used, data sensitivity levels, mission criticality, interconnectivity, and so on. Finally, the negative impact (expected loss) to the asset is estimated by examining various combinations of threats and vulnerability areas.

Risk Analysis Terminology
Asset - Anything with value and in need of protection.
Threat - An action or potential action with the propensity to cause damage.
Vulnerability - A condition of weakness. If there were no vulnerabilities, there would be no concern about threat activity.
Countermeasure - Any device or action with the ability to reduce vulnerability.
Expected Loss - The anticipated negative impact to assets due to threat manifestation.
Impact - Losses as a result of threat activity are normally expressed in one or more impact areas. Four areas are commonly used: Destruction, Denial of Service, Disclosure, and Modification.

Detailed Description

System
A system is a cluster of software modules and/or hardware components together with sets of operational and business procedures. Systems are the target of the threat analysis process. Each system is characterized by its specific goals, functionality, architecture, configuration and users.
System's Maximal Risk is a calculated value expressing the maximal financial damage that the identified threats may cause to the system's assets, with no mitigation credited. It reflects the potential risk of all threats to the system's assets and is displayed as a $ value as well as a percentage of the total value of the system's assets.
System's Minimal Risk is a calculated value expressing the financial damage that all threats may still cause to the system's assets after full implementation of all mitigation plans. It is displayed as a $ value as well as a percentage of the total value of the system's assets. This is also known as Residual Risk: "the risk left over after all proposed countermeasures, safeguards and mitigation strategies have been implemented."
System's Current Risk is a calculated value expressing the financial damage that may be caused to the system's assets given the current implementation level of the mitigation plans. It is displayed as a $ value as well as a percentage of the total value of the system's assets.
System's Total Value of Assets is the calculated total value of all the system's assets.
System's Countermeasures Implementation Cost is the calculated cost of implementing all countermeasures in all mitigation plans.
System's Current Investment in Implementation is the cost of the countermeasures already applied to the system.

Asset
An asset is information, a capability, an advantage, a feature, or a financial or technical resource that may be damaged, lost or disrupted. Assets may be digital (software sources), physical (a server machine) or commercial (the corporate brand). Damage to an asset may affect the normal function of the system as well as that of individuals and/or organizations involved with the system.
Asset's Fixed Value is the estimated one-time expense (in $) associated with the loss of the asset, for example the financial loss caused by the company's e-commerce operation being blocked for 7 days.
Asset's Fixed Value Period is the number of years over which the asset's fixed value lasts (for economic and accounting purposes).
Asset's Recurring Value is the estimated recurring value (in $) of the losses that may be caused when the asset is damaged, for example the recurring expense due to the non-availability of a software service.
Asset's Weighted Value is the calculated financial value of the loss when the asset is totally damaged, destroyed or stolen. The value is displayed in annual $ and expresses the weighted average of the asset's fixed and recurring values.
Asset's Relative Value is the calculated percentage of the specific asset's value out of the total value of all system assets.
Asset's Maximal Risk is the calculated maximal risk (as a percentage of the asset's value) that threatens the asset. The calculation is based on the parameters of all threats that might damage the asset.
Asset's Minimal Risk is the calculated risk that threatens the asset after all mitigation plans are implemented. It reflects the lowest value of risk that can actually be achieved after full implementation of all mitigation plans for the threats that threaten the asset.
Asset's Current Risk is the calculated risk that threatens the asset given the current implementation level of the mitigation plans.

Vulnerability
A vulnerability is a weakness, limitation or defect in one or more of the system's elements that can be exploited to disrupt the normal function of the system. Vulnerabilities may be in specific modules of the system, in its layout, in its users and operators, and/or in its associated regulations and operational and business procedures.

Threat
A threat is a specific scenario or sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system's assets.
Threat's Probability is the likelihood that the threat scenario will materialize. PTA defines the threat's probability as the "expected number of threat incidents per year"; in some documentation this is termed the "Annual Rate of Occurrence" (ARO).
Threat's Damage Level to Asset is the damage caused by one incident of a specific threat to a specific asset, expressed as a percentage of the asset's value; a level of 100% means the damage to the asset is maximal.
Threat's Damage is the total damage (as a percentage of the total value of all assets) that the specific threat may cause to the system. The calculation is based on the damage caused to each of the threatened assets.
Threat's Maximal Risk is a calculated value expressing the maximal potential financial damage to system assets due to the specific threat. It is displayed as a $ value as well as a percentage of the total value of the system's assets. In some documentation the threat's risk is termed the "Annual Loss Expectancy" (ALE), which is the damage from a single incident multiplied by the ARO.
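The arithmetic behind these definitions, carried through on constructed numbers as an added worked example (not part of the original notes). It computes an asset's weighted value, a threat's maximal risk (the ALE just defined), and, using the Threat's Mitigation Plan, Threat's Current Mitigation and Countermeasure cost terms defined in this section, the current and minimal risk and the cost-effectiveness figure in percent of overall mitigation per $1,000. Two points the notes leave open are stated as assumptions in the code: the weighted value and weighted cost are taken as the fixed amount amortised over its period plus the recurring amount, and countermeasures in one plan are assumed to act independently, so their residual risk fractions multiply. All assets, threats, countermeasures and dollar figures are invented for the illustration.

```python
"""Risk-analysis arithmetic from the terminology above.

Added worked example, not part of the original notes. Assets, threats,
countermeasures and all dollar figures are constructed. Where the notes do
not pin down a formula, the choice made here is marked as an assumption.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    fixed_value: float         # one-time $ loss if the asset is lost
    fixed_period_years: float  # Asset's Fixed Value Period
    recurring_value: float     # $ per year lost while the asset is unavailable

    def weighted_value(self) -> float:
        """Asset's Weighted Value in annual $.
        Assumption: fixed value amortised over its period, plus recurring value."""
        return self.fixed_value / self.fixed_period_years + self.recurring_value


@dataclass
class Countermeasure:
    name: str
    fixed_cost: float
    fixed_period_years: float
    recurring_cost: float
    mitigation: float          # fraction of a threat's risk this control removes
    implemented: bool = False

    def weighted_cost(self) -> float:
        """Countermeasure's Weighted Cost in annual $ (same amortisation assumption)."""
        return self.fixed_cost / self.fixed_period_years + self.recurring_cost


@dataclass
class Threat:
    name: str
    aro: float            # Threat's Probability: expected incidents per year
    damage_levels: dict   # asset name -> Threat's Damage Level (fraction of value)
    plan: list            # Threat's Mitigation Plan: Countermeasure objects

    def maximal_risk(self, assets) -> float:
        """ALE: ARO x damage from one incident, summed over threatened assets."""
        single_incident = sum(self.damage_levels.get(a.name, 0.0) * a.weighted_value()
                              for a in assets)
        return self.aro * single_incident

    @staticmethod
    def _combined(controls) -> float:
        """Assumption: controls act independently, so residual fractions multiply."""
        residual = 1.0
        for c in controls:
            residual *= 1.0 - c.mitigation
        return 1.0 - residual

    def maximal_mitigation(self) -> float:
        return self._combined(self.plan)

    def current_mitigation(self) -> float:
        return self._combined([c for c in self.plan if c.implemented])

    def minimal_risk(self, assets) -> float:
        return self.maximal_risk(assets) * (1.0 - self.maximal_mitigation())

    def current_risk(self, assets) -> float:
        return self.maximal_risk(assets) * (1.0 - self.current_mitigation())


def system_risk(assets, threats, which="current") -> float:
    """System's Maximal / Current / Minimal Risk: the per-threat figures summed."""
    return sum(getattr(t, which + "_risk")(assets) for t in threats)


def cost_effectiveness(cm, assets, threats) -> float:
    """Percent of the system's maximal risk removed per $1,000 of weighted cost.
    Assumption: the countermeasure's overall mitigation is measured by switching
    it on with every other control left in its present state."""
    total = system_risk(assets, threats, "maximal")
    before = system_risk(assets, threats, "current")
    saved_state = cm.implemented
    cm.implemented = True
    after = system_risk(assets, threats, "current")
    cm.implemented = saved_state
    overall_mitigation_pct = 100.0 * (before - after) / total
    return overall_mitigation_pct / (cm.weighted_cost() / 1000.0)


def build_example():
    """Constructed sample system; the numbers are illustrative only."""
    assets = [Asset("web store", 700_000, 7, 50_000),    # weighted value 150,000/yr
              Asset("customer db", 200_000, 2, 0)]       # weighted value 100,000/yr
    scrubbing = Countermeasure("DDoS scrubbing", 20_000, 4, 5_000, 0.8)
    encryption = Countermeasure("DB encryption", 10_000, 5, 3_000, 0.5, implemented=True)
    mfa = Countermeasure("DBA MFA", 6_000, 3, 1_000, 0.6)
    threats = [Threat("DDoS on store", 2.0, {"web store": 0.10}, [scrubbing]),
               Threat("Customer DB breach", 0.5, {"customer db": 0.6, "web store": 0.2},
                      [encryption, mfa])]
    return assets, threats, {"scrubbing": scrubbing, "encryption": encryption, "mfa": mfa}


if __name__ == "__main__":
    assets, threats, cms = build_example()
    for which in ("maximal", "current", "minimal"):
        print(f"system {which} risk: ${system_risk(assets, threats, which):,.0f}/yr")
    for cm in cms.values():
        print(f"{cm.name}: {cost_effectiveness(cm, assets, threats):.1f}% per $1,000")
```

With the constructed figures the system's maximal, current and minimal risk come out at $75,000, $52,500 and $15,000 per year; the MFA control removes 18% of the overall risk for $3,000 a year (6.0% per $1,000), while DDoS scrubbing removes 32% for $10,000 a year (3.2% per $1,000), so the cheaper control is the more cost-effective one even though it mitigates less in absolute terms.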
Threat's Minimal Risk is a calculated value expressing the potential financial damage to system assets after all countermeasures relevant to the specific threat are implemented. It is displayed as a $ value as well as a percentage of the total value of the system's assets.
Threat's Current Risk is a calculated value expressing the potential financial damage to system assets given the current implementation level of the threat's mitigation plan. It is displayed as a $ value as well as a percentage of the total value of the system's assets.
Threat's Recommended Countermeasures is the set of all possible countermeasures that mitigate the threat's vulnerabilities and reduce the threat's risk.
Threat's Mitigation Plan is the subset of recommended countermeasures judged most effective for mitigating a specific threat. The analyst uses his or her expertise to decide which of the recommended countermeasures are most effective when applied together and so belong in the plan. A threat mitigation plan is considered implemented only when all of its countermeasures are implemented.
Threat's Maximal Mitigation is the maximal mitigation level (as a percentage of the specific threat's risk) that can be achieved by applying all countermeasures in the threat's mitigation plan.
Threat's Current Mitigation is the portion of that mitigation (as a percentage of the specific threat's risk) provided by the countermeasures that are currently implemented.

Countermeasure
A countermeasure is a procedure, action or means of mitigating a specific vulnerability. One countermeasure may mitigate several different vulnerabilities. In some standards documentation countermeasures are termed "controls" or "safeguards".
Countermeasure's Fixed Cost is the estimated one-time expense (in $) of implementing a countermeasure.
For example: purchase of equipment, enhancement of the software, etc.
Countermeasure's Fixed Cost Period is the number of years over which the fixed expense lasts (for economic and accounting purposes).
Countermeasure's Recurring Cost is the estimated recurring cost (in $) of operating a countermeasure, for example an administrator's salary or insurance payments.
Countermeasure's Weighted Cost is the calculated weighted average of the countermeasure's fixed and recurring implementation costs, displayed in annual $.
Countermeasure's Overall Mitigation is the calculated degree of mitigation provided by a specific countermeasure to the overall system risk, displayed as a percentage of the overall risk.
Countermeasure's Cost-Effectiveness is the degree of mitigation provided by a specific countermeasure to the overall system risk relative to the countermeasure's implementation cost. The value is displayed in "percent of overall mitigation per $1,000".

Q.Explain what active and passive attacks are
Ans. The main aim of a security system is to detect and prevent security attacks. Security attacks are classified as passive attacks and active attacks.

Passive Attacks: A passive attack is a read-only attack in which the attacker is interested only in gathering information, without disrupting the computer system's operation or services. A passive attack usually involves monitoring and analysis of data transmissions to extract meaningful information from them. One form is release of message contents: reading emails, sensitive files and other material containing confidential information. Another form is traffic analysis, in which the raw traffic is studied to deduce patterns from it even when the contents themselves cannot be read.
For example, by studying a victim's data traffic rate an attacker can deduce the peak time for data transfer, when disrupting operations will cause the most harm. Since passive attacks are silent in nature and show no immediate, visible signs of attack, they are very difficult to detect; the defence against them is prevention, chiefly encryption, rather than detection.

Active Attacks: An active attack involves alteration of data or disruption of the normal working of a system. Active attacks frequently involve masquerading, in which the attacker assumes someone else's identity either to gain extra privileges or to shift blame when the attack is detected; IP address spoofing is one widely used masquerading technique. Denial of Service (DoS) attacks are active attacks that disrupt the services and operations of a specific target to such an extent that the target starts refusing genuine requests for service. This is commonly done by sending a large number of messages and overloading the victim. One famous example is the "ping of death" (PoD), in which a system is sent an ICMP echo request fragmented so that the reassembled packet exceeds the 65,535-byte maximum IP packet size; vulnerable older implementations crashed or hung on reassembly and had to be rebooted manually to restore normal operation. Modification of messages involves altering data packets so that the original meaning changes; for example, "transfer Rs. 1000 from account A to account B" can be changed to "transfer Rs. 1000 from account A to account C". Active attacks can usually be detected immediately, but preventing them requires sophisticated methods and controls.

Classification of security and attacks (figure: classification of attacks)

Q.What are the characteristics of computer intrusion?
Ans. Any part of a computing system can be the target of a crime. When we refer to a computing system, we mean a collection of hardware, software, storage media, data, and people that an organization uses to perform computing tasks.
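The message-modification attack described in the active-attacks answer above (a transfer from A to B rewritten to A to C), set against passive sniffing of the same message, as an added Python example that is not part of the original notes. The sender appends an HMAC-SHA256 tag under a shared key and includes a sequence number; the receiver recomputes the tag. A passive attacker who only copies the message leaves the receiver nothing to detect (and can read the plaintext, since a MAC gives integrity, not confidentiality), an active attacker who changes the payee but cannot forge the tag is detected, and a resent old message is caught by the sequence check. The key, account names and amounts are constructed for the illustration.

```python
"""Passive versus active attacks on a message.

Added example, not from the original notes. A passive attacker only copies
the traffic, so the receiver sees exactly what was sent and has nothing to
detect. An active attacker changes the message (here the payee of a transfer),
which a keyed MAC exposes. Key, accounts and amounts are constructed.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumed pre-shared by client and bank


def _encode(msg: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, seq: int, payload: dict) -> bytes:
    """Sender: body with sequence number, then '.' and the HMAC-SHA256 tag (hex)."""
    body = _encode({"seq": seq, **payload})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_message(key: bytes, wire: bytes, last_seq: int) -> tuple:
    """Receiver. Returns (status, payload_or_None):
    'ok'        tag matches and the sequence number advanced
    'tampered'  tag does not match: modification or masquerade without the key
    'replayed'  valid tag but a sequence number already seen
    """
    body, _, tag = wire.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return "tampered", None
    msg = json.loads(body)
    if msg["seq"] <= last_seq:
        return "replayed", None
    return "ok", msg


# --- attacker models ---------------------------------------------------------
def passive_attacker(wire: bytes) -> tuple:
    """Sniffing: keep a copy, forward the traffic untouched."""
    return bytes(wire), wire


def active_attacker(wire: bytes, new_payee: str) -> bytes:
    """Modification: rewrite the payee but keep the original tag (no key)."""
    body, _, tag = wire.rpartition(b".")
    msg = json.loads(body)
    msg["to"] = new_payee
    return _encode(msg) + b"." + tag


def demo() -> dict:
    """Run both attackers against one transfer and report what the receiver sees."""
    transfer = {"from": "A", "to": "B", "amount": 1000, "currency": "INR"}
    wire = make_message(SHARED_KEY, seq=1, payload=transfer)
    copy, forwarded = passive_attacker(wire)
    return {
        # passive: receiver accepts, nothing to detect
        "passive": verify_message(SHARED_KEY, forwarded, last_seq=0)[0],
        # ...but the sniffer's copy is fully readable: MAC is not confidentiality
        "passive_copy_amount": json.loads(copy.rpartition(b".")[0])["amount"],
        # active: payee changed to C, tag no longer matches
        "active": verify_message(SHARED_KEY, active_attacker(wire, "C"), last_seq=0)[0],
        # the genuine message resent after it was already processed
        "replay": verify_message(SHARED_KEY, wire, last_seq=1)[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The receiver's verdict depends only on the tag and sequence number, which is why the passive case returns "ok": detecting a sniffer is not possible at the receiver, and the only defence against that attack is to encrypt the body so the copy is useless.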
Sometimes we assume that parts of a computing system are not valuable to an outsider, but often we are mistaken. For instance, we tend to think that the most valuable property in a bank is the cash, gold, or silver in the vault. But in fact the customer information in the bank's computer may be far more valuable. Stored on paper, recorded on a storage medium, resident in memory, or transmitted over telephone lines or satellite links, this information can be used in myriad ways to make money illicitly. A competing bank can use this information to steal clients or even to disrupt service and discredit the bank. An unscrupulous individual could move money from one account to another without the owner's permission. A group of con artists could contact large depositors and convince them to invest in fraudulent schemes. The variety of targets and attacks makes computer security very difficult.

Any system is most vulnerable at its weakest point. A robber intent on stealing something from your house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access. Similarly, a sophisticated perimeter physical security system does not compensate for unguarded access by means of a simple telephone line and a modem. We can codify this idea as one of the principles of computer security.

Principle of Easiest Penetration: An intruder must be expected to use any available means of penetration. The penetration will not necessarily be by the most obvious means, nor by the one against which the most solid defense has been installed, and it certainly does not have to be the way we want the attacker to behave.

This principle implies that computer security specialists must consider all possible means of penetration. Moreover, the penetration analysis must be done repeatedly, and especially whenever the system and its security change. People sometimes underestimate the determination or creativity of attackers. Remember that computer security is a game with rules only for the defending team: the attackers can (and will) use any means they can. Perhaps the hardest thing for people outside the security community to do is to think like the attacker. One group of creative security researchers investigated a wireless security system and reported a vulnerability to the system's chief designer, who replied "that would work, but no attacker would try it". Don't believe that for a minute: no attack is out of bounds. Strengthening one aspect of a system may simply make another means of penetration more appealing to intruders. For this reason, let us look at the various ways by which a system can be breached.

Q.Describe the terms Threat, Vulnerability, Attack and Control as related to computer security
Ans. Vulnerabilities, Threats, Attacks, and Controls
A computer-based system has three separate but valuable components: hardware, software, and data. Each of these assets offers value to different members of the community affected by the system. To analyze security, we can brainstorm about the ways in which the system or its information can experience some kind of loss or harm. For example, we can identify data whose format or contents should be protected in some way. We want our security system to make sure that no data are disclosed to unauthorized parties. Neither do we want the data to be modified in illegitimate ways. At the same time, we must ensure that legitimate users have access to the data. In this way, we can identify weaknesses in the system. A vulnerability is a weakness in the security system, for example in procedures, design, or implementation, that might be exploited to cause loss or harm.
For instance, a particular system may be vulnerable to unauthorized data manipulation because it does not verify a user's identity before allowing data access.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. To see the difference between a threat and a vulnerability, consider the illustration in Figure. Here, a wall is holding water back. The water to the left of the wall is a threat to the man on the right of the wall: the water could rise, overflowing onto the man, or it could stay beneath the height of the wall but cause the wall to collapse. So the threat of harm is the potential for the man to get wet, get hurt, or be drowned. For now, the wall is intact, so the threat to the man is unrealized. However, we can see a small crack in the wall, a vulnerability that threatens the man's security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.

There are many threats to a computer system, including human-initiated and computer-initiated ones. We have all experienced the results of inadvertent human errors, hardware design flaws, and software failures. But natural disasters are threats, too; they can bring a system down when the computer room is flooded or the data center collapses in an earthquake, for example.

A human who exploits a vulnerability perpetrates an attack on the system. An attack can also be launched by another system, as when one system sends an overwhelming set of messages to another, virtually shutting down the second system's ability to function. Unfortunately, we have seen this type of attack frequently, as denial-of-service attacks flood servers with more messages than they can handle.

How do we address these problems? We use a control as a protective measure.
That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability. In the Figure, the man is placing his finger in the hole, controlling the threat of water leaks until he finds a more permanent solution to the problem. In general, we can describe the relationship among threats, controls, and vulnerabilities in this way: a threat is blocked by control of a vulnerability.

Q.Write a short note on computer criminals
Ans. For the purposes of studying computer security, we say computer crime is any crime involving a computer or aided by the use of one. Although this definition is admittedly broad, it allows us to consider ways to protect ourselves, our businesses, and our communities against those who use computers maliciously. To be sure, some computer criminals are mean and sinister types. But many more wear business suits, have university degrees, and appear to be pillars of their communities. Some are high school or university students. Others are middle-aged business executives. Some are mentally deranged, overtly hostile, or extremely committed to a cause, and they attack computers as a symbol. Others are ordinary people tempted by personal profit, revenge, challenge, advancement, or job security. No single profile captures the characteristics of a "typical" computer criminal, and many who fit the profile are not criminals at all.

Amateurs
Amateurs have committed most of the computer crimes reported to date. Most embezzlers are not career criminals but rather normal people who observe a weakness in a security system that allows them to access cash or other valuables. In the same sense, most computer criminals are ordinary computer professionals or users who, while doing their jobs, discover they have access to something valuable. When no one objects, the amateur may start using the computer at work to write letters, maintain soccer league team standings, or do accounting.
This apparently innocent time-stealing may expand until the employee is pursuing a business in accounting, stock portfolio management, or desktop publishing on the side, using the employer's computing facilities. Alternatively, amateurs may become disgruntled over some negative work situation (such as a reprimand or denial of promotion) and vow to "get even" with management by wreaking havoc on a computing installation.

Crackers or Malicious Hackers
System crackers, often high school or university students, attempt to access computing facilities for which they have not been authorized. Cracking a computer's defenses is seen as the ultimate victimless crime. The perception is that nobody is hurt or even endangered by a little stolen machine time. Crackers enjoy the simple challenge of trying to log in, just to see whether it can be done. Most crackers can do their harm without confronting anybody, not even making a sound. In the absence of explicit warnings not to trespass in a system, crackers infer that access is permitted. An underground network of hackers helps pass along secrets of success; as with a jigsaw puzzle, a few isolated pieces joined together may produce a large effect. Others attack for curiosity, personal gain, or self-satisfaction. And still others enjoy causing chaos, loss, or harm. There is no common profile or motivation for these attackers.

The security community distinguishes between a "hacker," someone who (non-maliciously) programs, manages, or uses computing systems, and a "cracker," someone who attempts to access computing systems for malicious purposes. Crackers are the "evildoers." Outside the security community, however, "hacker" has come to be used for both benign and malicious users.

Career Criminals
By contrast, the career computer criminal understands the targets of computer crime.
Criminals seldom change fields from arson, murder, or auto theft to computing; more often, criminals begin as computer professionals who engage in computer crime, finding the prospects and payoff good. There is some evidence that organized crime and international groups are engaging in computer crime. Recently, electronic spies and information brokers have begun to recognize that trading in companies' or individuals' secrets can be lucrative.

Terrorists
The link between computers and terrorism is quite evident. We see terrorists using computers in three ways:
targets of attack: denial-of-service attacks and web site defacements are popular with any political organization because they attract attention to the cause and bring undesired negative attention to the target of the attack.
propaganda vehicles: web sites, web logs, and e-mail lists are effective, fast, and inexpensive ways to get a message to many people.
methods of attack: launching offensive attacks requires the use of computers.
We cannot accurately measure the amount of computer-based terrorism because our definitions and measurement tools are rather weak. Still, there is evidence that all three of these activities are increasing.

Threat to Security
Q.What are viruses and worms?
Ans. Viruses and Worms
While your organization may be exposed to viruses and worms as a result of employees not following certain practices or procedures, generally you will not have to worry about your employees writing or releasing viruses and worms. It is important to draw a distinction between the writers of malware and those who release it. Debates over the ethics of writing viruses permeate the industry, but in many jurisdictions simply writing them is not in itself a criminal act. Like a baseball bat, it is not the bat that is evil; it is the inappropriate use of the bat (such as to smash a car's window) that falls into the category of criminal activity. (Some may argue that this is not a very good analogy, since a baseball bat has a useful purpose, to play ball, while viruses have no useful purpose. In general this is true, but in some limited environments, such as specialized computer science courses, the study and creation of viruses can be considered a useful learning experience.)

By far, viruses and worms will be the most common problem that an organization faces, since literally thousands of them have been created. Fortunately, antivirus software and procedures can eliminate the largest portion of this threat. Viruses and worms are also generally non-discriminating threats that are released on the Internet in a general fashion and aren't targeted at a specific organization. They are also typically highly visible once released, so they aren't the best tool to use in highly structured attacks where secrecy is vital. This is not to say that the technology used in virus and worm propagation won't be used by highly organized criminal groups, but its usefulness for what these groups normally want to accomplish is limited. The same cannot be said for terrorist organizations, which generally want to create a large impact and have it be highly visible.

Q.Explain the term Intruder
Ans. The act of deliberately accessing computer systems and networks without authorization is generally referred to as hacking. The term also applies to the act of exceeding one's authority in a system. This includes authorized users who attempt to gain access to files or obtain permissions that they have not been granted. While the act of breaking into computer systems and networks has been glorified in the media and movies, the physical act does not live up to the Hollywood hype. Intruders are, if nothing else, extremely patient, since the process of gaining access to a system takes persistence and dogged determination.
The first attack may fail, so the intruders will need to try another angle and search for another possible vulnerability that may not have been patched. This second attempt may also be blocked, so a third will be tried, and so on until either a new target is selected or the attackers eventually find a hole left unpatched. Generally, attacks by an individual or even a small group of attackers fall into the unstructured threat category. Attacks at this level are generally conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.

Intruders, or those who are attempting to conduct an intrusion, come in many different varieties and have varying degrees of sophistication. At the low end technically are what are generally referred to as script kiddies: individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software, but who have just enough understanding of computer systems to download and run scripts that others have developed. These individuals are generally not as interested in attacking specific targets as in finding any organization that may not have patched a newly discovered vulnerability for which the script kiddie has located an exploit script. It is hard to estimate how many of the individuals performing activities such as probing networks or scanning individual systems are part of this group, but it is undoubtedly the fastest growing group, and at least 85 to 90 percent of the "unfriendly" activity occurring on the Internet is probably carried out by these individuals.

At the next level are those people who are capable of writing scripts to exploit known vulnerabilities. These individuals are much more technically competent than script kiddies, and they account for an estimated 8 to 12 percent of malicious Internet activity. At the top end of this spectrum are the highly technical individuals often referred to as elite hackers, who not only have the ability to write scripts that exploit vulnerabilities but are also capable of discovering new vulnerabilities. This group is the smallest of the lot, responsible for at most 1 to 2 percent of intrusive activity.

Q.Describe who are Insiders in terms of computer security
Ans. It is generally acknowledged by security professionals that insiders are more dangerous in many respects than outside intruders. The reason is simple: insiders have the access and knowledge necessary to cause immediate damage to an organization. Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world. Insiders may already have all the access they need to perpetrate criminal activity such as fraud. In addition to this access, insiders also frequently have knowledge of the security systems in place and so are better able to avoid detection. Employees are not the only insiders that organizations need to be concerned with. There are often a number of other individuals who have physical access to facilities. Custodial crews frequently have unescorted access throughout the facility, often when nobody else is around. Other individuals, such as contractors or partners, may have not only physical access to the organization's facilities but also access to its computer systems and networks.
Q.Write short note on Criminal Organizations
Ans. As businesses became increasingly reliant upon computers and networks, and as the amount of financial transactions conducted via the Internet increased, it was inevitable that criminal organizations would eventually turn to the electronic world as a new target to exploit. Criminal activity on the Internet at its most basic is no different than criminal activity in the physical world. Fraud, extortion, theft, embezzlement, and forgery all take place in the electronic environment.

One difference between criminal groups and the “average” hacker is the level of organization that criminal elements may employ in their attack. Criminal groups may have more money to spend on accomplishing the criminal activity and are willing to spend extra time accomplishing the task, provided the level of reward at the conclusion is great enough. With the tremendous amount of money that is exchanged via the Internet on a daily basis, the level of reward for a successful attack is high enough to interest criminal elements. Attacks by criminal organizations can fall into the structured threat category, which is characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.

Q.Write short note on Terrorists and Information Warfare
Ans. As nations have increasingly become dependent on computer systems and networks, the possibility that these essential elements of society might become a target for organizations or nations determined to adversely affect another nation became a reality. Many nations today have developed to some extent the capability to conduct information warfare.
There are several definitions of information warfare, but a simple one is that it is warfare conducted against the information and information processing equipment used by an adversary. In practice, this is a much more complicated subject, since information may not only be the target of an adversary; it may also be used as a weapon. Whatever definition you use, information warfare falls into the highly structured threat category. This type of threat is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers. The threat may not only include attempts to subvert insiders but might also consist of attempts to plant individuals inside a potential target in advance of a planned attack.

An interesting aspect of information warfare is the list of possible targets available. We have grown accustomed to the idea that, during war, military forces will target opposing military forces but will generally attempt to destroy as little civilian infrastructure as possible. In information warfare, military forces are certainly still a key target, but much has been written about other targets, such as the various infrastructures that a nation relies on for its daily existence. Water, electricity, oil and gas refineries and distribution, banking and finance, and telecommunications all fall into the category of critical infrastructures for a nation. Critical infrastructures are those whose loss would have severe repercussions on the nation. With countries relying so heavily on these infrastructures, it is inevitable that they would be viewed as valid targets during conflict. Given how dependent these infrastructures are on computer systems and networks, it is also inevitable that these same computer systems and networks may be targeted for a cyber attack in an information war.
Another interesting aspect of information warfare is the potential list of attackers. As mentioned, several countries are currently capable of conducting this type of warfare. Nations, however, are not the only ones that can conduct information, or cyber, warfare. Terrorist organizations can also accomplish this. Such groups fall into the category of highly structured threats, since they too are willing to conduct long-term operations, have in some cases tremendous financial support, and often have a large following. Reports out of Afghanistan related stories of soldiers and intelligence officers finding laptop computers formerly owned by members of Al Qaeda that contained information about various critical infrastructures in the United States. This showed that terrorist organizations were not only considering targeting such infrastructures, but were doing so at an unexpected level of sophistication.

Q.What are Avenues of Attack
Ans. There are two general reasons a particular computer system is attacked:
1. either it is specifically targeted by the attacker, or
2. it is an opportunistic target.

In the first case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason. An example of this type of attack would be an individual in one country attacking a government system in another. Alternatively, the attacker may be targeting the organization as part of a hacktivist attack. An example, in this case, might be an attacker who defaces the web site of a company that sells fur coats because the attacker feels using animals this way is unethical. Perpetrating some sort of electronic fraud is another reason a specific system might be targeted. Whatever the reason, an attack of this nature is decided upon before the hardware and software of the organization are known.

The second type of attack, an attack against a target of opportunity, is conducted against a site that has hardware or software that is vulnerable to a specific exploit. The attackers, in this case, are not targeting the organization; they have instead learned of a vulnerability and are simply looking for an organization with this vulnerability that they can exploit. This is not to say that an attacker might not be targeting a given sector and looking for a target of opportunity in that sector, however. For example, an attacker may desire to obtain credit card or other personal information and may search for any exploitable company with credit card information in order to carry out the attack. Targeted attacks are more difficult and take more time than attacks on a target of opportunity. The latter simply relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system as they should have.

Q.Describe the steps in an Attack
Ans. The steps an attacker takes in attempting to penetrate a targeted network are similar to the ones that a security consultant performing a penetration test would take. The attacker will need to gather as much information about the organization as possible. There are numerous ways to do this, including:
1. studying the organization’s own web site,
2. looking for postings on newsgroups, or
3. consulting resources such as the Securities and Exchange Commission’s (SEC’s) EDGAR web site (www.sec.gov/edgar.shtml).

A number of different financial reports are available through the EDGAR web site that can provide information about an organization that is useful for an attack, particularly a social engineering attack.
The type of information that the attacker wants includes IP addresses, phone numbers, names of individuals, and what networks the organization maintains. Typically, the first step in the technical part of an attack is to determine what target systems are available and active. This is usually done with a ping sweep, which simply sends a “ping” (an ICMP echo request) to the target machine. If the machine responds, it is reachable. The next step is often to perform a port scan. This will help identify which ports are open, thus giving an indication of which services may be running on the target machine. Determining the operating system that is running on the target machine, as well as specific application programs, follows along with determining the services that are available. Various techniques can be used to send specifically formatted packets to the ports on a target system to view the response. Often this response provides clues as to which operating system and specific application is running on the target system. Once this is done, the attacker would have a list of possible target machines, the operating system running on them, and some specific applications or services to target.

Up until this point, the attacker has simply been gathering the information needed to take the next step: an actual attack on the target. Knowing the operating system and services on the target helps the attacker decide which tools to use in the attack. Numerous web sites provide information on the vulnerabilities of specific application programs and operating systems. This information is valuable to administrators, since they need to know what problems exist and how to patch them. In addition to information about specific vulnerabilities, some sites may also provide tools that can be used to exploit the vulnerabilities.
An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, and then use them against a site. If the administrator for the targeted system has not installed the correct patch, the attack may be successful; if the patch has been installed, the attacker will move on to the next possible vulnerability. If the administrator has installed all of the appropriate patches so that all known vulnerabilities have been addressed, the attacker may have to resort to a brute force attack, which involves guessing a userid and password combination. Unfortunately, this type of attack, which could be easily prevented, sometimes proves successful.

In summary, it is the general process of:
1. gathering as much information about the target as possible (using both electronic and non-electronic means),
2. gathering information about possible exploits based on the information about the system, and
3. then systematically attempting to use each exploit.
If the exploits don’t work, other, less system-specific attacks may be attempted.

Types of Attacks

Q.List different types of attacks
Ans. Different types of attacks are:
A. DOS – Denial of Service
B. POD – Ping of Death
C. DDOS – Distributed Denial of Service

Q.Describe the three way Handshake protocol
Ans. The first system sends a SYN packet to the system it wishes to communicate with. The second system will respond with a SYN/ACK if it is able to accept the request. When the initial system receives the SYN/ACK from the second system, it responds with an ACK packet, and communication can then proceed. This process is shown in Figure.

Q.Describe Denial of Service attack
Ans. Denial of service (DOS) attacks can exploit a known vulnerability in a specific application or operating system, or they may attack features (or weaknesses) in specific protocols or services.
In this form of attack, the attacker is attempting to deny authorized users access either to specific information or to the computer system or network itself. The purpose of such an attack can be to simply prevent access to the target system, or the attack can be used in conjunction with other actions in order to gain unauthorized access to a computer or network. For example, a SYN flooding attack may be used to temporarily prevent service to a system in order to take advantage of a trusted relationship that exists between that system and another.

SYN flooding is an example of a DOS attack that takes advantage of the way TCP/IP networks were designed to function, and it can be used to illustrate the basic principles of any DOS attack. SYN flooding utilizes the TCP three-way handshake that is used to establish a connection between two systems. In a SYN flooding attack, the attacker sends fake communication requests to the targeted system. Each of these requests will be answered by the target system, which then waits for the third part of the handshake. Since the requests are fake (a nonexistent IP address is used in the requests, so the target system is responding to a system that doesn’t exist), the target will wait for responses that will never come, as shown in Figure. The target system will drop these connections after a specific time-out period, but if the attacker sends requests faster than the time-out period eliminates them, the system will quickly be filled with requests. The number of connections a system can support is finite, so when more requests come in than can be processed, the system will soon be reserving all its connections for fake requests. At this point, any further requests are simply dropped (ignored), and legitimate users who want to connect to the target system will not be able to.
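The handshake and SYN-flood mechanics described above, as an added simulation that is not part of the original notes: it models a listening socket whose half-open table (the SYN backlog) has a finite size and a time-out, feeds it a stream of SYNs from constructed, non-existent addresses that never send the final ACK, and then checks whether one legitimate client can still complete its handshake. The backlog size, time-out, rates and all addresses are assumptions chosen for illustration (RFC 5737 documentation ranges); no network traffic is generated, everything is in-memory.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class HalfOpen:
    """A SYN-RECEIVED entry: the server sent SYN/ACK and is waiting for the client's ACK."""
    client_isn: int
    server_isn: int
    created_ms: int


class SimulatedListener:
    """A listening TCP socket with a finite half-open table (the SYN backlog) and a
    time-out after which an unanswered SYN/ACK is forgotten. Simulation only."""

    def __init__(self, backlog: int, syn_timeout_ms: int) -> None:
        self.backlog = backlog
        self.syn_timeout_ms = syn_timeout_ms
        self.half_open: Dict[str, HalfOpen] = {}
        self.established: Set[str] = set()
        self.dropped_syns = 0

    def _expire(self, now_ms: int) -> None:
        # The kernel's time-out: forget half-open entries older than syn_timeout_ms.
        stale = [k for k, e in self.half_open.items()
                 if now_ms - e.created_ms >= self.syn_timeout_ms]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, client: str, client_isn: int, now_ms: int) -> Optional[Tuple[int, int]]:
        """Handshake steps 1 and 2. Returns (seq, ack) of the SYN/ACK, or None if the backlog is full."""
        self._expire(now_ms)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1          # what a legitimate client experiences during a flood
            return None
        server_isn = random.getrandbits(32)
        self.half_open[client] = HalfOpen(client_isn, server_isn, now_ms)
        # SYN/ACK carries the server's own ISN and acknowledges client ISN + 1
        return server_isn, (client_isn + 1) & 0xFFFFFFFF

    def on_ack(self, client: str, ack: int, now_ms: int) -> bool:
        """Handshake step 3: the ACK must carry server ISN + 1, otherwise it is ignored."""
        self._expire(now_ms)
        entry = self.half_open.get(client)
        if entry is None or ack != (entry.server_isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


LEGIT = "192.0.2.10:51000"   # constructed address of the one legitimate client


def legit_client_succeeds(backlog: int, syn_timeout_ms: int, bogus_per_sec: int,
                          legit_at_ms: int, rtt_ms: int = 10) -> bool:
    """Run a flood of SYNs from spoofed addresses that never complete the handshake,
    then report whether a legitimate client arriving at legit_at_ms gets connected."""
    listener = SimulatedListener(backlog, syn_timeout_ms)
    end_ms = legit_at_ms + rtt_ms
    events = [(i * 1000 // bogus_per_sec, "bogus", i)
              for i in range(bogus_per_sec * end_ms // 1000 + 1)]
    events.append((legit_at_ms, "legit_syn", -1))
    events.append((end_ms, "legit_ack", -1))
    events.sort(key=lambda e: (e[0], e[1]))   # attacker SYNs sharing a timestamp are handled first
    server_isn = 0
    for t, kind, i in events:
        if kind == "bogus":
            # constructed spoofed source: nobody is there to answer the SYN/ACK
            listener.on_syn(f"203.0.113.{i % 250}:{40000 + i}", random.getrandbits(32), t)
        elif kind == "legit_syn":
            reply = listener.on_syn(LEGIT, 4242, t)
            if reply is None:
                return False                 # backlog full: service denied
            server_isn = reply[0]
        else:
            return listener.on_ack(LEGIT, (server_isn + 1) & 0xFFFFFFFF, t)
    return False
```

With a backlog of 128 and a 30-second time-out, ten bogus SYNs per second fill the table after 12.8 seconds and a client arriving at 20 seconds is refused. Shortening the time-out to 5 seconds (the TCP time-out adjustment the notes recommend as a DOS mitigation) keeps only about 50 stale entries and lets that client through, but raising the flood to 100 SYNs per second fills the table again, which is why a shorter time-out alone is only a partial defence.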
Use of the system has thus been denied to them.

Q.Describe the Ping of Death type of attack
Ans. Another simple DOS attack is the famous ping-of-death (POD), and it illustrates the other type of attack: one targeted at a specific application or operating system, as opposed to SYN flooding, which targets a protocol. In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) “ping” packet equal to, or exceeding, 64KB (which is to say, greater than 64 * 1024 = 65,536 bytes). This type of packet should not occur naturally (there is no reason for a ping packet to be larger than 64KB). Certain systems were not able to handle this size of packet, and the system would hang or crash.

Q.What is Distributed Denial of Service attack (DDOS)
Ans. DOS attacks are conducted using a single attacking system. A denial of service attack employing multiple attacking systems is known as a distributed denial of service (DDOS) attack. The goal of a DDOS attack is the same: to deny the use of or access to a specific service or system. DDOS attacks were made famous in 2000 with the highly publicized attacks on eBay, CNN, Amazon, and Yahoo.

In a DDOS attack, the method used to deny service is simply to overwhelm the target with traffic from many different systems. A network of attack agents (sometimes called zombies) is created by the attacker, and upon receiving the attack command from the attacker, the attack agents commence sending a specific type of traffic against the target. If the attack network is large enough, even ordinary web traffic can quickly overwhelm the largest of sites, such as the ones targeted in 2000. Creating a DDOS network is not a simple task. The attack agents are not willing agents; they are systems that have been compromised and on which the DDOS attack software has been installed.
In order to compromise these agents, the attacker has to have gained unauthorized access to the system or tricked authorized users into running a program that installed the attack software. The creation of the attack network may in fact be a multistep process in which the attacker first compromises a few systems that are then used as handlers or masters, and which in turn compromise other systems. Once the network has been created, the agents wait for an attack message that will include data on the specific target before launching the attack. One important aspect of a DDOS attack that should be mentioned is that with just a few messages to the agents, the attacker can have a flood of messages sent against the targeted system. Figure illustrates a DDOS network with agents and handlers.

Q.How can you stop or mitigate the effects of a DOS or DDOS attack?
Ans. One important precaution is to ensure that you have applied the latest patches and upgrades to your systems and the applications running on them. Once a vulnerability is discovered, it does not take long before multiple exploits are written to take advantage of it. Generally you will have a small window of opportunity in which to patch your system between the time a vulnerability is discovered and the time exploits become widely available. Another approach involves changing the timeout option for TCP connections so that attacks such as the SYN flooding attack, described previously, are harder to perform, because unused connections are dropped more quickly.

For DDOS attacks, much has been written about distributing your own workload across several systems so that any attack against your system would have to target several hosts in order to be completely successful. While this is true, if large enough DDOS networks are created (with tens of thousands of zombies, for example) any network, no matter how much the load is distributed, can be successfully attacked.
This approach also involves an additional cost to your organization in order to establish this distributed environment. Addressing the problem in this manner is actually an attempt to mitigate the effect of the attack, as opposed to preventing or stopping an attack. In order to prevent a DDOS attack, you have to either be able to intercept or block the attack messages or keep the DDOS network from being established in the first place. Tools have been developed that will scan your systems, searching for sleeping zombies waiting for an attack signal. The problem with this type of prevention approach, however, is that it is not something you can do to prevent an attack on your network; it is something you can do to keep your network from being used to attack other networks or systems. You have to rely on the rest of the community to test their own systems in order to prevent attacks on yours. A final option you should consider that will address several forms of DOS and DDOS attacks is to block ICMP packets at your border, since many attacks rely on ICMP. Careful consideration should be given to this approach, because it will also prevent the use of some possibly useful troubleshooting tools.

Q.Write short note on BackDoor and Trap Doors
Ans. Backdoors were originally (and sometimes still are) nothing more than methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods. An example would be a hard-coded password that could be used to gain access to the program in the event that administrators forgot their own system password. The obvious problem with this sort of backdoor (also sometimes referred to as a trapdoor) is that, since it is hard-coded, it cannot be removed.
Should an attacker learn of the backdoor, all systems running that software would be vulnerable to attack. The term backdoor is also, and more commonly, used to refer to programs that attackers install after gaining unauthorized access to a system to ensure that they can continue to have unrestricted access to the system, even if their initial access method is discovered and blocked. Backdoors can also be installed by authorized individuals inadvertently, should they run software that contains a Trojan horse. Common backdoors include NetBus and Back Orifice. Both of these, if running on your system, will allow an attacker remote access to your system: access that allows them to perform any function on your system. A variation on the backdoor is the rootkit; rootkits are established not to gain root access but rather to ensure continued root access. Rootkits are generally installed at a lower level, closer to the actual kernel level of the operating system.

Q.Write short note on Sniffing
Ans. The group of protocols that make up the TCP/IP suite was designed to work in a friendly environment where everybody who connected to the network used the protocols as they were designed. The abuse of this friendly assumption is illustrated by network-traffic sniffing programs, sometimes referred to as sniffers. A network sniffer is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media. The device can be used to view all traffic, or it can target a specific protocol, service, or even string of characters (for example, looking for logins). Normally the network device that connects a computer to a network is designed to ignore all traffic that is not destined for that computer.
Network sniffers ignore this friendly agreement and observe all traffic on the network, whether destined for that computer or others, as shown in Figure. A network card that is listening to all network traffic and not just its own is said to be in “promiscuous mode.” Some network sniffers are designed not just to observe all traffic but to modify traffic as well. Network sniffers can be used by network administrators for monitoring network performance. They can be used to perform traffic analysis, for example, in order to determine what type of traffic is most commonly carried on the network and to determine which segments are most active. They can also be used for network bandwidth analysis and to troubleshoot certain problems (such as duplicate MAC addresses).

Q.What is Spoofing? List the types of Spoofing
Ans. Spoofing is nothing more than making data look like it has come from a different source. This is possible in TCP/IP because of the friendly assumptions behind the protocols. When the protocols were developed, it was assumed that individuals who had access to the network layer would be privileged users who could be trusted. When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. You are supposed to fill in the source with your own address, but there is nothing that stops you from filling in another system’s address. This is one of the several forms of spoofing:
1. Spoofing E-Mail
2. IP address Spoofing
3. Spoofing and Trusted Relationships
4. Spoofing and Sequence Numbers

Q.Describe what is Email Spoofing
Ans. E-mail spoofing is where you send a message with a From address different from your own. This can be easily accomplished, and there are several different ways to do it and programs that can assist you in doing so.
A very simple method often used to demonstrate how simple it is to spoof an e-mail address is to telnet to port 25 (the port associated with e-mail) on a system. From there, you can fill in any address for the From and To sections of the message, whether or not the addresses are yours and whether they actually exist or not. There are some simple ways to determine that an e-mail message was probably not sent by the source it claims to have been sent from, but most users do not question their e-mail and will accept where it appears to have come from.

A variation on e-mail spoofing, though it is not technically spoofing, is for the attacker to acquire a URL close to the one they want to spoof, so that e-mail sent from their system appears to have come from the official site unless you read the address carefully. For example, if attackers wanted to spoof XYZ Corporation, which owned XYZ.com, the attackers might gain access to the URL XYZ.Corp.com. An individual receiving a message from the spoofed corporation site would not normally suspect it to be a spoof but would take it to be official. This same method can be, and has been, used to spoof web sites. The most famous example of this is probably www.whitehouse.com. The www.whitehouse.gov site is the official site for the White House. The www.whitehouse.com URL takes you to a pornographic site. In this case, nobody is likely to take the pornographic site to be the official government site, and it was not intended to be taken that way. If, however, the attackers made their spoofed site appear similar to the official one, they could easily convince many viewers that they were at the official site.

Q.Describe what is IP address Spoofing
Ans.
The way the IP protocol is designed to work is to have the originators of any IP packet include their own IP address in the “From” portion of the packet. While this is the intent, there is nothing that prevents a system from inserting a different address in the “From” portion of the packet. This is known as IP address spoofing. An IP address may be spoofed for several reasons. In a specific DOS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In the smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the From address forged so that it appears that another system (the target system) has made the echo request. The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let a user know if a remote system is reachable and is responding. In the smurf attack, the request is sent to all systems on the network, so all will respond with an echo reply to the target system, as shown in Figure. The attacker has sent one packet and has been able to generate as many as 254 responses aimed at the target. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives.

Q.Explain how a trusted relationship can be spoofed
Ans. Spoofing can also take advantage of a trusted relationship between two systems. If two systems are configured to accept the authentication accomplished by each other, an individual logged on to one system might not be forced to go through an authentication process again to access the other system.
An attacker can take advantage of this arrangement by sending a packet to one system that appears to have come from a trusted system. Since the trusted relationship is in place, the targeted system may perform the requested task without authentication. Since a reply will often be sent once a packet is received, the system that is being impersonated could interfere with the attack, since it would receive an acknowledgement for a request it never made. The attacker will often initially launch a DOS attack (such as a SYN flooding attack) to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trusted relationship. Once the attack is completed, the DOS attack on the spoofed system would be terminated, and possibly, apart from having a temporarily non-responsive system, the administrators for the systems may never notice that the attack occurred. Figure illustrates a spoofing attack that includes a SYN flooding attack. Because of this type of attack, administrators are encouraged to strictly limit any trusted relationships between hosts. Firewalls should also be configured to discard any packets from outside of the firewall that have From addresses indicating they originated from inside the network (a situation that should not occur normally and that indicates spoofing is being attempted).

Q.Describe the sequence-number spoofing technique
Ans. How complicated the spoofing is depends heavily on several factors, including whether the traffic is encrypted and where the attacker is located in relation to the target. Spoofing attacks from inside a network, for example, are much easier to perform than attacks from outside of the network, because the inside attacker can observe the traffic to and from the target and can do a better job of formulating the necessary packets.
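The firewall rule given at the end of the trusted-relationship answer above, together with the directed-broadcast abuse in the smurf attack described before it, as an added example that is not part of the original notes: a small border-filter model that drops packets arriving from outside with an inside source address, and packets from outside addressed to an internal broadcast address. The internal address block, interface names and sample packets are constructed for illustration (RFC 5737 documentation ranges); the egress rule (an inside host sending with a foreign source) goes slightly beyond the text and is there to show the matching outbound check.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed example: the organisation's own address block behind the border firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class Packet(NamedTuple):
    iface: str     # "ext": arrived from the Internet side; "int": arrived from the inside
    src: str
    dst: str
    proto: str     # "icmp", "tcp" or "udp", used only for the log line


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def border_verdict(pkt: Packet) -> Tuple[str, str]:
    """Decide what the border firewall does with one packet: ("drop" | "accept", reason)."""
    if pkt.iface == "ext" and is_internal(pkt.src):
        # The rule from the text: a packet arriving from outside cannot carry an inside source.
        return "drop", "external packet with internal source address (spoofing attempt)"
    if pkt.iface == "ext" and is_directed_broadcast(pkt.dst):
        # Smurf defence: nobody outside has a legitimate reason to address the whole subnet.
        return "drop", "directed broadcast from outside (smurf amplification)"
    if pkt.iface == "int" and not is_internal(pkt.src):
        # Egress counterpart (beyond the text): keep inside hosts from spoofing other networks.
        return "drop", "internal host sending with a foreign source address"
    return "accept", "ok"


def filter_log(pkts: List[Packet]) -> List[str]:
    """One log line per packet, the kind of record a monitoring rule would alert on."""
    lines = []
    for p in pkts:
        verdict, why = border_verdict(p)
        lines.append(f"{verdict.upper()} {p.iface} {p.proto} {p.src} -> {p.dst}: {why}")
    return lines


# Constructed sample traffic, one packet of each kind discussed.
SAMPLE_PACKETS = [
    Packet("ext", "198.51.100.7", "192.0.2.20", "tcp"),    # ordinary inbound connection
    Packet("ext", "192.0.2.10", "192.0.2.20", "tcp"),      # outside packet claiming an inside source
    Packet("ext", "198.51.100.7", "192.0.2.255", "icmp"),  # echo request to the internal broadcast
    Packet("int", "192.0.2.20", "198.51.100.7", "tcp"),    # ordinary outbound connection
    Packet("int", "203.0.113.5", "198.51.100.7", "tcp"),   # inside host using a foreign source
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_PACKETS):
        print(line)
```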
Formulating the packets is more complicated for external attackers because there is a sequence number associated with TCP packets. A sequence number is a 32-bit number established by the host that is incremented for each packet sent. Packets are not guaranteed to be received in order, and the sequence number can be used to help reorder packets as they are received and to refer to packets that may have been lost in transmission. In the TCP three-way handshake, two sets of sequence numbers are created, as shown in Figure. The first system chooses a sequence number to send with the original SYN packet that it sends. The system receiving this SYN packet acknowledges with a SYN/ACK. It sends back the first sequence number plus one (that is, it increments the sequence number sent to it by one). It then also creates its own sequence number and sends that along with it. The original system receives the SYN/ACK with the new sequence number. It increments the sequence number by one and uses it in the ACK packet it responds with.

The difference in the difficulty of attempting a spoofing attack from inside a network and from outside involves determining the sequence number. If the attacker is inside the network and can observe the traffic the target host responds with, the attacker can easily see the sequence number the system creates and can respond with the correct sequence number. If the attacker is external to the network, the sequence number the target system generates will not be observed, making it hard for the attacker to provide the final ACK with the correct sequence number. What the attacker has to do is guess what the sequence number might be. Predicting sequence numbers is possible, because sequence numbers are somewhat predictable. Sequence numbers for each session are not started from the same number, so that different packets from different concurrent connections will not have the same sequence numbers.
Instead, the sequence number for each new connection is incremented by some large number to keep them from being the same. The sequence number may also be incremented by some large number every second (or some other time period). What an external attacker has to do is determine what the values used for these increments are. The attacker can do this by attempting connections at various time intervals in order to observe how the sequence numbers are incremented. Once the pattern is determined, the attacker can attempt a legitimate connection to determine the current value, and then immediately attempt the spoofed connection. The spoofed connection sequence number should be the legitimate connection incremented by the determined value or values.

Q.Explain Man-in-the-middle attack
Ans. A man-in-the-middle attack, as the name implies, generally occurs when attackers are able to place themselves in the middle of two other hosts that are communicating. Ideally, this is done by ensuring that all communication going to or from the target host is routed through the attacker’s host (which may be accomplished if the attacker can compromise the router for the target host). The attacker can then observe all traffic before relaying it and can actually modify or block traffic. To the target host, it appears that communication is occurring normally, since all expected replies are received. Figure illustrates this type of attack. The amount of information that can be obtained in a man-in-the-middle attack will obviously be limited if the communication is encrypted. Even in this case, however, sensitive information may still be obtained, since knowing what communication is being conducted, and between which individuals, may in fact provide information that is valuable in certain circumstances.

Q.Describe replay and TCP/IP hijacking attack
Ans.
Replay Attacks
A replay attack is exactly what it sounds like: it is an attack where the attacker captures a portion of a communication between two parties and retransmits it at a later time. For example, an attacker might replay a series of commands and codes used in a financial transaction in order to cause the transaction to be conducted multiple times. Generally replay attacks are associated with attempts to circumvent authentication mechanisms, such as the capturing and reuse of a certificate or ticket. The best way to prevent replay attacks is with encryption, cryptographic authentication, and time stamps. If a portion of the certificate or ticket includes a date/time stamp or an expiration date/time, and this portion is also encrypted as part of the ticket or certificate, replaying it at a later time will prove useless, since it will be rejected as having expired.

TCP/IP Hijacking
TCP/IP hijacking and session hijacking are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker of hijacking over attempting to penetrate a computer system or network is that the attacker doesn’t have to circumvent any authentication mechanisms, since the user has already authenticated and established the session. Once the user has completed the authentication sequence, the attacker can then usurp the session and carry on as if the attacker, and not the user, had authenticated with the system. In order to prevent the user from noticing anything unusual, the attacker may decide to attack the user’s system and perform a denial of service attack on it, taking it down so that the user, and the system, will not notice the extra traffic that is taking place. Hijack attacks generally are used against web and telnet sessions.
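The replay-attack countermeasure described above (a ticket carrying an issue time, an expiry and a one-time value, bound together so they cannot be edited), as an added example that is not part of the original notes. It uses an HMAC to authenticate the ticket fields rather than encrypting them, and the secret, user names and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret shared by the ticket issuer and the verifier; not a real key.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"


def _tag(secret: bytes, body: bytes) -> bytes:
    """Authentication tag over the whole ticket body (user, times and nonce together)."""
    return hmac.new(secret, body, hashlib.sha256).digest()


def issue_ticket(secret: bytes, user: str, issued_at: int, ttl_seconds: int) -> str:
    """Issue a ticket carrying an issue time, an expiry and a one-time nonce, all covered by the tag."""
    body = json.dumps(
        {"user": user, "iat": issued_at, "exp": issued_at + ttl_seconds,
         "nonce": secrets.token_hex(16)},
        sort_keys=True,
    ).encode()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(_tag(secret, body)).decode())


def verify_ticket(secret: bytes, ticket: str, now: int, seen_nonces: set) -> tuple:
    """Return (accepted, reason). A captured ticket fails on tampering, on expiry, or on replay."""
    try:
        body_b64, tag_b64 = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        fields = json.loads(body)
    except (ValueError, TypeError):
        return False, "malformed"
    # 1. Integrity first: any edit to the user, the times or the nonce invalidates the tag.
    if not hmac.compare_digest(tag, _tag(secret, body)):
        return False, "bad_signature"
    # 2. Lifetime: a ticket replayed after its expiry is rejected as stale.
    if now >= fields["exp"] or now < fields["iat"]:
        return False, "expired"
    # 3. One-time use: the same nonce seen twice inside the lifetime is a replay.
    #    (A real service prunes seen_nonces once their tickets have expired.)
    if fields["nonce"] in seen_nonces:
        return False, "replayed"
    seen_nonces.add(fields["nonce"])
    return True, "ok"


def tamper_user(ticket: str, new_user: str) -> str:
    """Model an edited copy of a captured ticket: user field changed, old tag kept."""
    body_b64, tag_b64 = ticket.split(".", 1)
    fields = json.loads(base64.urlsafe_b64decode(body_b64))
    fields["user"] = new_user
    body = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag_b64


def replay_demo() -> list:
    """Walk one captured ticket through the four outcomes; returns the reasons in order."""
    seen = set()
    ticket = issue_ticket(SHARED_SECRET, "alice", issued_at=1000, ttl_seconds=60)
    return [
        verify_ticket(SHARED_SECRET, ticket, now=1010, seen_nonces=seen)[1],   # first use
        verify_ticket(SHARED_SECRET, ticket, now=1020, seen_nonces=seen)[1],   # replayed
        verify_ticket(SHARED_SECRET, ticket, now=1100, seen_nonces=set())[1],  # replayed late
        verify_ticket(SHARED_SECRET, tamper_user(ticket, "admin"), now=1010,
                      seen_nonces=set())[1],                                   # edited copy
    ]


if __name__ == "__main__":
    print(replay_demo())  # ['ok', 'replayed', 'expired', 'bad_signature']
```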
The previous discussion on sequence numbers as they applied to spoofing also applies to session hijacking, since the hijacker will need to provide the correct sequence number to continue the appropriated sessions.

Q. What is an attack on encryption?
Ans.
Attacks on Encryption
Cryptography is the art of “secret writing,” and encryption is the process of transforming plaintext into an unreadable format known as ciphertext using a specific technique or algorithm. Most encryption techniques use some form of key in the encryption process. The key is used in a mathematical process to scramble the original message to arrive at the unreadable ciphertext. Another key (sometimes the same one and sometimes a different one) is used to decrypt or unscramble the ciphertext to re-create the original plaintext. The length of the key often directly relates to the strength of the encryption. Cryptanalysis is the process of attempting to break a cryptographic system—it is an attack on the specific method used to encrypt the plaintext.

Weak Keys
Certain encryption algorithms may have specific keys that yield poor, or easily decrypted, ciphertext. Imagine an encryption algorithm that consisted solely of a single XOR function (an exclusive OR function where two bits are compared and a 1 is returned if either of the original bits, but not both, is a 1), where the key was repeatedly used to XOR with the plaintext. A key where all bits are 0’s, for example, would result in ciphertext that is the same as the original plaintext. This would obviously be a weak key for this encryption algorithm. In fact, any key with long strings of 0’s would yield portions of the ciphertext that were the same as the plaintext. In this simple example, there would be many keys that could be considered weak.
Encryption algorithms used in computer systems and networks are much more complicated than a simple, single XOR function, but some algorithms have still been found to have weak keys that make cryptanalysis easier.

Exhaustive Search of Key Space
Even if the specific algorithm used to encrypt a message is complicated and has not been shown to have weak keys, the key length will still play a significant role in how easy it is to attack the method of encryption. Generally speaking, the longer a key is, the harder it will be to attack. Thus, a 40-bit encryption scheme will be easier to attack using a brute-force technique (which tests all possible keys, one by one) than a 256-bit method will be. This is easily demonstrated by imagining a scheme that employed a 2-bit key. Even if the resulting ciphertext were completely unreadable, performing a brute-force attack until one key is found that can decrypt the ciphertext would not take long, since there are only four possible keys. Every bit that is added to the length of a key doubles the number of keys that have to be tested in a brute-force attack on the encryption. It is easy to understand why a scheme utilizing a 40-bit key would be much easier to attack than a scheme that utilized a 256-bit key.

Indirect Attacks
One of the most common ways of attacking an encryption system is to find weaknesses in mechanisms surrounding the cryptography. Examples include poor random number generators, unprotected key exchanges, keys stored on hard drives without sufficient protection, and other general programmatic errors, such as buffer overflows. In attacks that target these types of weaknesses, it is not the cryptographic algorithm itself that is being attacked, but rather the implementation of that algorithm in the real world.
Password Guessing
The most common form of authentication is the userid and password combination. While it is not inherently a poor mechanism for authentication, the userid and password combination can be attacked in several ways. All too often, these attacks will yield favorable results for the attacker not as a result of a weakness in the scheme but usually due to the user not following good password procedures.

Poor Password Choices
The least technical of the various password-attack techniques consists of the attacker simply attempting to guess the password of an authorized user of the system or network. It is surprising how often this simple method works, and the reason it does is because people are notorious for picking poor passwords. The problem the users face is that they need to select a password that they can remember. In order to do this, many select simple things, such as their birthday, their mother’s maiden name, the name of their spouse or one of their children, or even simply their userid itself. All it takes is for the attacker to obtain a valid userid (often a simple matter, because organizations tend to use an individual’s name in some combination—first letter of their first name combined with their last name, for example) and a little bit of information about the user before guessing can begin. Organizations sometimes make it even easier for attackers to obtain this sort of information by posting the names of their “management team” and other individuals, sometimes with short biographies, on their web sites.

Even if the person doesn’t use some personal detail as their password, the attacker may still get lucky, since many people pick a common word for their password. Attackers can obtain lists of common passwords—there are a number of them on the Internet. Words such as “password” and “secret” have often been used as passwords. Names of favorite sports teams also often find their way onto lists of commonly used passwords.
Dictionary Attack
Another method of determining passwords is to use a password-cracking program. There are a number of both commercial and public-domain password cracking programs available. The programs use a variety of methods to crack passwords, including using variations on the userid. These programs often also use a dictionary of words—the words can be used by themselves, or two or more smaller ones may be combined to form a single possible password. The programs often permit the attacker to create various rules that tell the program how to combine words to form new possible passwords.

Users commonly substitute certain numbers for specific letters. If the user wanted to use the word secret for a password, for example, the letter e may be replaced with the number 3, yielding s3cr3t. This password will not be found in the dictionary, so a pure dictionary attack will not crack it. At the same time, the password is still easy for the user to remember. If a rule were created that tried all words in the dictionary and then tried the same words substituting the number 3 for the letter e, the password would be cracked. Rules can also be defined so that the cracking program will substitute special characters for other characters, or combine words together. The ability of the attacker to crack passwords is directly related to the method the user employed to create the password in the first place, as well as the dictionary and rules used.

Brute-Force Attack
If the user has selected a password that will not be found in a dictionary, even if various numbers or special characters are substituted for other letters, the only way the password can be cracked is to attempt a brute-force attack. This entails the password cracking program attempting all possible password combinations.
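A password-acceptance check built from the dictionary, substitution-rule and brute-force discussion above, as an added example that is not part of the original notes: it rejects a candidate that a dictionary run with substitution and word-joining rules would recover (the s3cr3t case), and otherwise estimates the search space a brute-force run would face. The word list, the substitution table and the 40-bit threshold are constructed for the demonstration.

```python
import math
import string

# Constructed mini word list standing in for the dictionaries cracking programs ship with.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "admin", "sunshine"}

# Substitutions that cracking rules try (the notes' e -> 3 among them); the check undoes them.
LEET_TO_LETTER = {"3": "e", "@": "a", "4": "a", "1": "i", "!": "i", "0": "o",
                  "$": "s", "5": "s", "7": "t"}


def undo_substitutions(text: str) -> str:
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in text)


def candidate_bases(password: str) -> set:
    """Dictionary-word forms that a rule-based run could have turned into this password."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)  # 'secret1', 'secret!'
    return {lowered, stripped, undo_substitutions(lowered), undo_substitutions(stripped)}


def is_dictionary_based(password: str, words: set = DICTIONARY) -> bool:
    """True if a word, a word with substitutions, or two words joined together yields the password."""
    for base in candidate_bases(password):
        if base in words:
            return True
        for i in range(1, len(base)):  # two smaller words combined, as the notes describe
            if base[:i] in words and base[i:] in words:
                return True
    return False


def keyspace_bits(password: str) -> float:
    """log2 of the space a brute-force run must cover: (character-set size) ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(charset) if charset else 0.0


def assess(password: str, min_bits: float = 40.0) -> tuple:
    """Reject what dictionary-plus-rules finds, then what brute force finds quickly."""
    if is_dictionary_based(password):
        return False, "dictionary"
    if keyspace_bits(password) < min_bits:
        return False, "small_keyspace"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("secret", "s3cr3t", "P@ssw0rd!", "letmeindragon", "abcdefg", "Wq7#zRt2pLm"):
        print(candidate, assess(candidate))
```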
The length of the password and the size of the set of possible characters in the password will greatly affect the time a brute-force attack will take. A few years ago, this method of attack was very unreliable, since it took considerable time to generate all possible combinations. With the increase in computer speed, however, the time it takes to generate password combinations makes it much more feasible to launch brute-force attacks against certain computer systems and networks.

A brute-force attack on a password can take place at two levels. It can be an attack on a system where the attacker is attempting to guess the password at a login prompt, or it can be an attack against the list of passwords contained in a password file. The first attack can be made more difficult by locking the account after a few failed login attempts. The second attack can be thwarted by securely maintaining your password file so that others may not obtain a copy of it.

Birthday Attack
The birthday attack is a special type of brute-force attack. It gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that there will be two individuals with the same birthday is greater than 50 percent. Mathematically, we can use the equation 1.2 × √k (that is, 1.2 × k^(1/2), with k equalling the size of the set of possible values), and in the birthday paradox k would be equal to 365 (the number of possible birthdays). This same phenomenon applies to passwords, with k just being quite a bit larger.

Malwares – Virus and Worms
Introduction
A computer virus is a computer program that can replicate itself and spread from one computer to another.
The term "virus" is also commonly, but erroneously, used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability. Malware includes computer viruses, computer worms, ransomware, trojan horses, keyloggers, most rootkits, spyware, dishonest adware, malicious BHOs and other malicious software. The majority of active malware threats are usually trojans or worms rather than viruses. Malware such as trojan horses and worms is sometimes confused with viruses, which are technically different: a worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a trojan horse is a program that appears harmless but hides malicious functions. Worms and trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

Classification
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs (code injection). If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.

A computer virus is a harmful software program written intentionally to enter a computer without the user's permission or knowledge. It has the ability to replicate itself, thus continuing to spread. Some viruses do little but replicate, while others can cause severe harm or adversely affect the programs and performance of the system. A virus should never be assumed harmless and left on a system. There are different types of viruses, which can be classified according to their origin, techniques, types of files they infect, where they hide, the kind of damage they cause, or the type of operating system or platform they attack. Let us have a look at a few of them.

Memory Resident Virus
These viruses fix themselves in the computer memory and get activated whenever the OS runs, and infect all the files that are then opened. This type of virus hides in the RAM and stays there even after the malicious code is executed.
It gets control over the system memory and allocates memory blocks through which it runs its own code, and executes the code when any function is executed. It can corrupt files and programs that are opened, closed, copied, renamed, etc.
Examples: Randex, CMJ, Meve, and MrKlunky.
Protection: install an antivirus program.

Direct Action Viruses
The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that are specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted. A FindFirst/FindNext technique is used, in which the code selects a few files as its victims. It also infects external devices like pen drives or hard disks by copying itself onto them. The viruses keep changing their location into new files whenever the code is executed, but are generally found in the hard disk's root directory. It can corrupt files. Basically, it is a file-infector virus.
Examples: Vienna virus.
Protection: install an antivirus scanner. However, this type of virus has minimal effect on the computer's performance.

Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The virus replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D
Protection: the only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. However, it is very easy to detect this type of virus, as the original program becomes useless.

Boot Sector Virus
This type of virus affects the boot sector of a hard disk. This is a crucial part of the disk, in which information about the disk itself is stored along with a program that makes it possible to boot (start) the computer from the disk. This type of virus is also called Master Boot Sector Virus or Master Boot Record Virus. It hides in the memory until DOS accesses the floppy disk, and whichever boot data is accessed, the virus infects it.
Examples: Polyboot.B, AntiEXE.
Protection: the best way of avoiding boot sector viruses is to ensure that floppy disks are write-protected. Also, never start your computer with an unknown floppy disk in the disk drive.

Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. These viruses automatically infect the file that contains macros, and also infect the templates and documents that the file contains. It is referred to as a type of e-mail virus. These hide in documents that are shared via e-mail or networks.
Examples: Relax, Melissa.A, Bablas, O97M/Y2K
Protection: the best protection technique is to avoid opening e-mails from unknown senders. Also, disabling macros can help to protect your useful data.

Directory Virus
Directory viruses (also called Cluster Virus/File System Virus) infect the directory of your computer by changing the path that indicates the location of a file.
When you execute a program file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly running the virus program, while the original file and program have previously been moved by the virus. Once infected, it becomes impossible to locate the original files. It is usually located in only one location of the disk, but infects all the programs in the directory.
Examples: Dir-2 virus.
Protection: all you can do is reinstall all the infected files from the backup after formatting the disk.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for antivirus software to find them using string or signature searches (because they are different in each encryption). The virus then goes on to create a large number of copies.
Examples: Elkern, Marburg, Satan Bug and Tuareg.
Protection: install a high-end antivirus, as the normal ones are incapable of detecting this type of virus.

Companion Viruses
Companion viruses can be considered as a type of file infector virus, like resident or direct action types. They are known as companion viruses because once they get into the system they 'accompany' the other files that already exist. In other words, to carry out their infection routines, companion viruses can wait in memory until a program is run (resident virus), or act immediately by making copies of themselves (direct action virus).
Hideout: These generally use the same filename and create a different extension of it. For example: if there is a file "Me.exe", the virus creates another file named "Me.com" and hides in the new file. When the system calls the filename "Me", the ".com" file gets executed (as ".com" has higher priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069.
Protection: install an antivirus scanner and also a firewall.

FAT Virus
The file allocation table (FAT) is the part of a disk used to store all the information about the location of files, available space, unusable space, etc. A FAT virus attacks the FAT section and may damage crucial information. It can be especially dangerous as it prevents access to certain sections of the disk where important files are stored. Damage caused can result in loss of information from individual files or even entire directories.
Examples: Link Virus.
Protection: before the virus attacks all the files on the computer, locate all the files that are actually needed on the hard drive, and then delete the ones that are not needed. They may be files created by viruses.

Multipartite Virus
These viruses spread in multiple possible ways. It may vary in its action depending upon the operating system installed and the presence of certain files. In the initial phase, these viruses tend to hide in the memory as the resident viruses do; then they infect the hard disk.
Examples: Invader, Flip and Tequila.
Protection: you need to clean the boot sector and also the disk to get rid of the virus, and then reload all the data in it. However, ensure that the data is clean.

Web Scripting Virus
Many web pages include complex code in order to create interesting and interactive content. This code is often exploited to bring about certain undesirable actions. The main sources of web scripting viruses are the web browsers or infected web pages.
Examples: JS.Fortnight is a virus that spreads through malicious e-mails.
Protection: install the Microsoft tool application that is a default feature in Windows 2000, Windows 7 and Vista. Scan the computer with this application.

Worms
A worm is a program very similar to a virus; it has the ability to self-replicate and can lead to negative effects on your system. But they can be detected and eliminated by antivirus software.
These generally spread through e-mails and networks. They do not infect files or damage them, but they replicate so fast that the entire network may collapse.
Examples: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.
Protection: install an updated version of antivirus.

Trojans
Another unsavory breed of malicious code is Trojans or Trojan horses, which, unlike viruses, do not reproduce by infecting other files, nor do they self-replicate like worms. In fact, a Trojan is a program which disguises itself as a useful program or application. Beware of the fact that these programs copy files onto your computer (when their carrier program is executed) that can damage your data, and even delete it. The attacker can also program the trojans in such a manner that the information in your computer is accessible to them.

Logic Bombs
They are not considered viruses because they do not replicate. They are not even programs in their own right, but rather camouflaged segments of other programs. They are only executed when a certain predefined condition is met. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched; the results can be destructive, and your entire data can be deleted!

Malicious Code
The term malicious code refers to software that has been designed for some nefarious purpose. Such software may be designed to cause damage to a system, such as by deleting all files, or it may be designed to create a backdoor in the system in order to grant access to unauthorized individuals. Generally the installation of malicious code is done so that it is not obvious to the authorized users. There are several different types of malicious software, such as viruses, Trojan horses, logic bombs, and worms, and they differ in the ways they are installed and their purposes.
VIRUS (Vital Information Resources Under Siege)
Viruses
The best-known type of malicious code is the virus. Much has been written about viruses as a result of several high-profile security events that involved them. A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code. When the other executable code is run, the virus also executes and has the opportunity to infect other files and perform any other nefarious actions it was designed to do. The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus. The first viruses were of two types—boot sector or program viruses.

Boot Sector Virus
A boot sector virus infects the boot sector portion of either a floppy disk or a hard drive (just a few years ago, not all computers had hard drives, and many booted from a floppy). When a computer is first turned on, a small portion of the operating system is initially loaded from hardware. This small operating system then attempts to load the rest of the operating system from a specific location (sector) on either the floppy or the hard drive. A boot sector virus infects this portion of the drive. An example of this type of virus was the Stoned virus, which moved the true Master Boot Record (MBR) from the first to the seventh sector of the first cylinder, and replaced the original MBR with itself. When the system was then turned on, the virus was first executed, which had a one in seven chance of displaying a message stating the computer was “stoned”; otherwise it would not announce itself and would instead attempt to infect other boot sectors. This virus was rather tame in comparison to other viruses of its time, which often were designed to delete the entire hard drive after a period of time in which they would attempt to spread.
Program Virus
A second type of virus is the program virus, which attaches itself to executable files—typically files ending in .exe or .com on Windows-based systems. The virus is attached in such a way that it is executed before the program. Most program viruses also hide a nefarious purpose, such as deleting the hard drive, which is triggered by a specific event, such as a date or after a certain number of other files were infected. Like other types of viruses, program viruses are often not detected until after they execute their malicious payload. One method that has been used to detect this sort of virus before it has an opportunity to damage a system is to calculate checksums for commonly used programs or utilities. Should the checksum for an executable ever change, it is quite likely that this is due to a virus infection.

Macro Virus
In the late 90s, another type of virus appeared that now accounts for the majority of viruses. As systems became more powerful, as well as the operating systems that managed them, the boot sector virus, which once accounted for most reported infections, became less common. Systems no longer commonly booted from floppies, which were the main method for boot sector viruses to spread. Instead, the proliferation of software that included macro-programming languages resulted in a new breed of virus: the macro virus. The Concept virus was the first known example of this new breed. It appeared to be created to demonstrate the possibility of attaching a virus to a document file, something that had been thought to be impossible before the introduction of software that included powerful macro language capabilities. By this time, however, Microsoft Word documents could include segments of code written in a derivative of Visual Basic.
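The checksum-based detection mentioned in the Program Virus section above, as an added example that is not part of the original notes: a baseline of digests is taken over a directory of programs, and a later comparison reports any executable whose digest changed, went missing, or appeared from nowhere. SHA-256 is used in place of a simple checksum, and the "programs" are constructed files in a temporary directory; a real baseline must be kept somewhere the virus cannot rewrite (read-only or offline media).

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path) to its digest; taken once on a known-clean system."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare_with_baseline(baseline: dict, root: str) -> dict:
    """Recompute digests and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: two 'programs', then one gets code appended and a new file appears."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for installed utilities (not real executables).
        for name, body in {"ls": b"\x7fELF constructed ls body", "cat": b"\x7fELF constructed cat body"}.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        baseline = build_baseline(root)

        # A program virus attaches itself to an executable: model that as appended bytes.
        with open(os.path.join(root, "ls"), "ab") as handle:
            handle.write(b"<<constructed appended code>>")
        # An unexpected file dropped into the directory is also worth reporting.
        with open(os.path.join(root, "dropper"), "wb") as handle:
            handle.write(b"<<constructed new file>>")

        return compare_with_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())  # {'modified': ['ls'], 'missing': [], 'new': ['dropper']}
```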
Further development of other applications that allowed macro capability, and enhanced versions of the original macro language, had the side effect of allowing the proliferation of viruses that took advantage of this capability. This type of virus is so common today that it is considered a security best practice to advise users to never open a document attached to an e-mail if it seems at all suspicious. Many organizations now routinely have their mail servers eliminate any attachments containing Visual Basic macros.

Polymorphic virus
A polymorphic virus is a virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program. In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.

Encryption is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed this function reads the payload and decrypts it before executing it in turn. Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code while all function the same. Polymorphic infections are difficult for virus detection programs to cleanse because one polymorphic virus could have hundreds or thousands of variants.
Developers that design the detection programs have to write extra lines of code in order to make the programs better at detecting the virus infections. Even the best antivirus programs have trouble with detecting and cleansing polymorphic infections, although antivirus programs with heuristics do have a better time at detecting these types of viruses. The first known polymorphic virus was developed in 1990, in the early days of the Internet, illustrating the fact that virus creators have always been ahead of the curve when it comes to developing malicious code. These viruses operate with the assistance of an encryption engine which changes with each virus replication; this keeps the encrypted virus functional, while still hiding the virus from the computer it infects and allowing the virus to slip through security systems which are designed to prevent malicious code from entering or exiting a network.

Metamorphic and polymorphic Malware (Malicious Software)
Metamorphic and polymorphic malware are two categories of malicious software programs (malware) that have the ability to change their code as they propagate. Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus software programs to recognize that different iterations are the same malicious program. In spite of the permanent changes to code, each iteration of metamorphic malware functions the same way. The longer the malware stays in a computer, the more iterations it produces and the more sophisticated the iterations are, making it increasingly hard for antivirus applications to detect, quarantine and disinfect.

Polymorphic malware also makes changes to code to avoid detection.
It has two parts, but one part remains the same with each iteration, which makes the malware a little easier to identify. For example, a polymorphic virus might have a virus decryption routine (VDR) and an encrypted virus body (EVB). When an infected application launches, the VDR decrypts the encrypted virus body back to its original form so the virus can perform its intended function. Once executed, the virus is re-encrypted and added to another vulnerable host application. Because the virus body itself is not altered, it provides a kind of complex signature that can be detected by sophisticated antivirus programs. In another example, a new key might be randomly generated with each copy to change the appearance of the encrypted virus body, but the virus decryption routine would remain constant. In either scenario, it is the static part of the code that makes it possible for an anti-virus program to identify the presence of malware.

Metamorphic malware is considered more difficult to write than polymorphic malware. The author may use multiple transformation techniques, including register renaming, code permutation, code expansion, code shrinking and garbage code insertion. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis, emulation and access to virtualization technologies are required for detection.

Stealth Virus
A stealth virus is a computer virus that actively hides itself from antivirus software, either by masking the size of the file it hides in or by temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected copy that it has stored on the hard drive. More generally, a stealth virus is a hidden computer virus that attacks operating system processes and averts typical anti-virus or anti-malware scans.
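The two detection ideas in the paragraphs above, matching the static decryption routine and generic decryption scanning (recover the body, then match it), can be shown side by side on a toy model. The following Python is an added example for these notes, not code from the original text; STUB, BODY and the one-byte XOR "encryption" are constructed fixtures standing in for the VDR and EVB layout, not real code of any virus, and the variants are generated only so the three scanner strategies have something to be measured against.

```python
# Constructed fixture: a constant "decryption routine" stub (VDR), a one-byte key,
# then the body XORed with that key (EVB).  None of these bytes are executable code.
STUB = b"\x8b\xf6\x31\xc0"          # stands in for the unchanging decryptor
BODY = b"TOY-VIRUS-BODY:payload"    # stands in for the plaintext virus body


def make_variant(key: int) -> bytes:
    """Build one test variant: same stub, a new key, body XORed with that key."""
    encrypted = bytes(b ^ key for b in BODY)
    return STUB + bytes([key]) + encrypted


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Classic static signature matching: is the byte pattern present as-is?"""
    return signature in sample


def generic_decryption_scan(sample: bytes, body_signature: bytes) -> bool:
    """Model of generic decryption scanning: recognise the constant stub, 'emulate' it
    (apply the XOR with the key that follows it) and signature-match the recovered body."""
    idx = sample.find(STUB)
    if idx < 0:
        return False
    key = sample[idx + len(STUB)]
    recovered = bytes(b ^ key for b in sample[idx + len(STUB) + 1:])
    return body_signature in recovered


def evaluate(variants) -> dict:
    """Count how many variants each detection strategy catches."""
    body_sig = b"VIRUS-BODY"
    return {
        # A signature taken from the plaintext body never matches the encrypted copies.
        "body_signature": sum(signature_scan(v, body_sig) for v in variants),
        # The static VDR is the same in every copy, so its signature catches all of them.
        "stub_signature": sum(signature_scan(v, STUB) for v in variants),
        # Emulating the decryptor exposes the unchanged body in every copy.
        "generic_decryption": sum(generic_decryption_scan(v, body_sig) for v in variants),
    }


def sample_variants(n: int) -> list:
    """Distinct non-zero keys, so every variant's encrypted body looks different."""
    return [make_variant(k) for k in range(1, n + 1)]


if __name__ == "__main__":
    print(evaluate(sample_variants(50)))
```

The result illustrates why the text calls the static part of the code the weak point: a plaintext-body signature scores zero, while the stub signature and generic decryption both catch every variant. A metamorphic sample that rewrote the stub as well would defeat the second strategy, which is why the notes list emulation and heuristics as the next step.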
Stealth viruses hide in files, partitions and boot sectors and are adept at deliberately avoiding detection. Stealth virus eradication requires advanced anti-virus software or a clean system reboot. In order to avoid detection, stealth viruses also self-modify in the following ways:
Code Modification: The stealth virus changes the code and virus signature of each infected file.
Encryption: The stealth virus encrypts data via simple encryption and uses a different encryption key for each infected file.
Brain, the first stealth virus, spread internationally during the mid-1980s.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and redirects any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort the results of system status checks. Thus the system should be started from a trusted, clean, bootable diskette before any virus-checking is attempted.

Fast and Slow Infectors
A fast infector infects any file that is accessed, not just those that are run. A slow infector only infects files as they are being created or modified. The terms fast and slow, when dealing with viruses, pertain to how often and under what circumstances they spread the infection. Typically, a virus will load itself into memory when an infected program is run. It sits there and waits for other programs to be run and infects them at that time.

Fast: A fast infector infects programs not just when they are run, but also when they are simply accessed. The purpose of this type of infection is to ride on the back of anti-virus software to infect files as they are being checked.
By its nature, anti-virus software (a scanner, in particular) opens each file on a disk being checked in order to determine whether a virus is present. A fast infector that has not been found in memory before the scanning starts will spread itself quickly throughout the disk.

Slow: A slow infector does just the opposite. A slow infector will only infect files when they are created or modified. Its purpose is to attempt to defeat integrity checking software by piggybacking on top of the process which legitimately changes a file. Because the user knows the file is being changed, they will be less likely to suspect that the changes also represent an infection. By its nature (and because executable code is not usually changed) a slow infector does not spread rapidly, and if the integrity checker has a scanning component it will likely be caught. Also, an integrity checker that is run on a computer booted from a known-clean floppy disk will be able to defeat a slow infector.

What are "fast" and "slow" infectors? (Computer virus)
A typical file infector (such as Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed. A FAST infector is a virus that, when it is active in memory, infects not only programs which are executed, but even those that are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected. Examples are the Dark Avenger and Frodo viruses. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan.
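The integrity checker that slow infectors try to defeat is simple to build: record a hash of every executable while the system is known clean, then compare later. The following Python is an added example for these notes, not code from the original text or from any product; the directory layout, file names and the "infection" it simulates are all constructed in a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".exe", ".com", ".dll", ".sys")) -> dict:
    """Record hash and size of every executable-type file under root (assumed suffix list)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines: modified, added and removed files."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, then simulate what a file infector leaves
    behind (an executable that grew, a new companion .com) plus a harmless doc edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 200)
        (root / "bin" / "viewer.exe").write_bytes(b"MZ" + b"\x01" * 300)
        (root / "readme.txt").write_text("documentation, not checked")
        baseline = build_baseline(root)
        # A real baseline belongs on write-protected media; here it is only round-tripped.
        stored = json.loads(json.dumps(baseline))

        # Simulated changes (constructed): executable grows, a new .com appears,
        # and a documentation file is edited legitimately.
        with (root / "bin" / "editor.exe").open("ab") as f:
            f.write(b"<appended bytes standing in for a virus body>")
        (root / "bin" / "editor.com").write_bytes(b"constructed companion file")
        (root / "readme.txt").write_text("edited docs")

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points from the text follow directly from the code. A slow infector only wins if the user dismisses the "modified" entry for a file they edited themselves, so every flagged executable still needs a reason. And a stealth virus active in memory can lie to the hashing step about file contents and sizes, which is why the notes insist the check be run after booting from known-clean media.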
If the virus scanner fails to notice that such a virus is present in memory, the virus can piggy-back on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software.

The term "SLOW infector" is sometimes used to refer to a virus that only infects files as they are modified or created. The purpose is to fool people who use integrity checkers into thinking that modifications reported by their integrity checker are due solely to legitimate reasons. An example is the Darth Vader virus.

Companion Virus
A companion virus is a type of computer virus that exploits a feature of DOS that enables software with the same name, but different extensions, to operate with different priorities. For example, you may have program.exe on your computer, and the virus may create a file called program.com. When the user runs "program", the virus in program.com runs before program.exe is executed. In many cases, the real program will then run, so users believe that the system is operating normally and are not aware that a virus was run on the system.

More specifically, a companion virus is a virus whose infected code is stored not in the host program but in a separate "companion" file. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus will run first and then pass control to the original program, so the user does not see anything suspicious.
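Both companion tricks just described (a same-named file with another executable extension, and a renamed original next to a replacement) leave traces in the file system that can be audited, as does the DLL search-order variant the notes describe next. The following Python is an added example for these notes, not code from the original text or from any scanner; the extension set, the "MZ" header test and the sample application and system directories are constructed assumptions, and the check is deliberately order-independent so it does not depend on which extension a particular shell runs first.

```python
import tempfile
from pathlib import Path

# Extensions a command shell may run when the user types a bare program name (assumption).
EXEC_SUFFIXES = {".com", ".exe", ".bat"}
KNOWN_BINARY = EXEC_SUFFIXES | {".dll"}
MZ_HEADER = b"MZ"  # DOS/Windows executable file header


def find_companion_pairs(directory: Path) -> list:
    """Heuristic 1: the same basename present with two or more executable extensions."""
    by_stem = {}
    for p in directory.iterdir():
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            by_stem.setdefault(p.stem.lower(), []).append(p.name)
    return sorted(sorted(names) for names in by_stem.values() if len(names) > 1)


def find_renamed_executables(directory: Path) -> list:
    """Heuristic 2: a file with a non-executable extension that still carries an MZ header
    (the NOTEPAD.EXE -> NOTEPAD.EXD rename described in the notes)."""
    hits = []
    for p in directory.iterdir():
        if p.is_file() and p.suffix.lower() not in KNOWN_BINARY:
            with p.open("rb") as f:
                if f.read(2) == MZ_HEADER:
                    hits.append(p.name)
    return sorted(hits)


def find_dll_shadowing(app_dir: Path, system_dir: Path) -> list:
    """Heuristic 3: a DLL in the application directory with the same name as one in the
    system directory, which the loader's search order may prefer."""
    system_dlls = {p.name.lower() for p in system_dir.iterdir() if p.suffix.lower() == ".dll"}
    return sorted(p.name for p in app_dir.iterdir()
                  if p.suffix.lower() == ".dll" and p.name.lower() in system_dlls)


def audit(app_dir: Path, system_dir: Path) -> dict:
    """Run all three heuristics over one application directory."""
    return {
        "companion_pairs": find_companion_pairs(app_dir),
        "renamed_executables": find_renamed_executables(app_dir),
        "dll_shadowing": find_dll_shadowing(app_dir, system_dir),
    }


def demo() -> dict:
    """Constructed sample tree modelling the three situations in the notes."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        system = Path(tmp) / "system"
        app.mkdir()
        system.mkdir()
        (app / "PROGRAM.EXE").write_bytes(MZ_HEADER + b"\x00" * 64)   # legitimate program
        (app / "PROGRAM.COM").write_bytes(b"constructed companion")   # same stem, other extension
        (app / "NOTEPAD.EXD").write_bytes(MZ_HEADER + b"\x00" * 64)   # renamed original
        (app / "NOTEPAD.EXE").write_bytes(MZ_HEADER + b"\x00" * 8)    # replacement
        (app / "VERSION.DLL").write_bytes(MZ_HEADER + b"\x00" * 8)    # shadows the system copy
        (app / "README.TXT").write_text("docs")
        (system / "VERSION.DLL").write_bytes(MZ_HEADER + b"\x00" * 64)
        (system / "KERNEL.DLL").write_bytes(MZ_HEADER + b"\x00" * 64)
        return audit(app, system)


if __name__ == "__main__":
    for finding, items in demo().items():
        print(finding, items)
```

Each finding is a lead, not a verdict: legitimate installers do ship a .bat wrapper next to an .exe, and some applications bundle their own copy of a system DLL on purpose, so the output is meant to be compared against what the software vendor actually installed.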
Companion viruses replicate by exploiting the precedence hierarchy according to which the operating system executes program files based on their filename extensions. For example, under MS-DOS, files with the extension .BAT (batch files) are executed before those with the extension .COM, which in turn are executed before those with the extension .EXE. Companion viruses can create standalone files containing their viral code but with a higher-precedence file extension, or rename the "targeted" file with a lower-precedence filename extension, so that the file containing the viral code is executed before control is transferred to the original program file (or the payload is activated).

Another example of a companion virus on today's Windows platforms is one that exploits the search order of DLL libraries. For example, if the malware copied itself as a DLL to an application's directory, it would take precedence over the DLL with the same name in the system directory, or in one of the directories specified by the PATH environment variable.

Armored Virus
Placing "armor" around a virus makes it difficult and time consuming for computer experts to take the virus apart, understand how it works, and then design methods for defeating it. New forms of armor are constantly being developed by virus creators. An ARMORED virus is one that uses special tricks to make tracing, disassembling and understanding of its code more difficult. A good example is the Whale virus.

Miscellaneous Jargon and Abbreviations
BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).
CMOS = Complementary Metal Oxide Semiconductor: a memory area used in AT and higher class PCs for storage of system information. CMOS is battery-backed RAM, originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.
DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.
MBR = Master Boot Record.

An armored virus can also be described as a type of virus designed to thwart analysts' attempts to examine its code, using various methods to make tracing, disassembling and reverse engineering more difficult. An armored virus may also protect itself from antivirus programs, making it harder to trace: it attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.

Macro Virus
In computing terminology, a macro virus is a virus written in a macro language: that is, a language built into a software application such as a word processor. Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents so that the programs run automatically when the document is opened, this provides a distinct mechanism by which viruses can be spread. This is why it may be dangerous to open unexpected attachments in e-mails. Modern antivirus software detects macro viruses as well as other types. A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless.
A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example, in March 1999, was the Melissa virus.

Trojan Horse
A commonly quoted description reads: "A Trojan Horse is an email virus usually released by an email attachment. If opened, it will scour your hard drive for any personal and financial information such as your social security, account, and PIN numbers. Once it has collected your info, it is sent to a thief's database." This description is inaccurate. There are Trojan Horses and there are viruses, but there is no such thing as a Trojan Horse virus. In fact, the very definition of each precludes any chance of there being such a thing. A Trojan does not replicate. Viruses do. That fact alone means there can never be a "Trojan Horse virus".

"A Trojan Horse is an email virus usually released by an email attachment." Not so. A Trojan may be sent as an attachment in email, but it is certainly not an email virus. (In fact there are few true email viruses, but that is a whole other topic.) So it may or may not arrive in email, and it is equally likely to have been downloaded from a website or to have resulted from a P2P file transfer. In other words, the vector has nothing to do with whether something is or is not a Trojan.

What is a Trojan?
A Trojan is a program that appears to be legitimate but in fact does something malicious. Quite often, that something malicious involves gaining remote, surreptitious access to a user's system. Unlike viruses, a Trojan does not replicate (i.e., infect other files), nor does it make copies of itself as worms do. There are several different types of Trojans. Some of these include: remote access Trojans (RATs), backdoor Trojans (backdoors), IRC Trojans (IRCbots) and keylogging Trojans. Many Trojans encompass multiple types.
For example, a Trojan may install both a keylogger and a backdoor. IRC Trojans are often combined with backdoors and RATs to create collections of infected computers known as botnets. But one thing you probably will not find a Trojan doing is scouring your hard drive for personal details, as the Visa description alleges. Contextually, that would be a bit of a trick for a Trojan. Instead, this is where the keylogging functionality most often comes into play: capturing the user's keystrokes as they type and sending the logs to the attackers. Some of these keyloggers can be pretty sophisticated, targeting only certain websites (for example) and capturing any keystrokes involved with that particular session.

But why is it important to know the difference between a virus, a worm and a Trojan? Because a virus infects legitimate files; thus, if antivirus software detects a virus, that file should be cleaned. Conversely, if antivirus software detects a worm or a Trojan, there is no legitimate file involved and the action should be to delete the file.

The seven main types of Trojan horses are:
Remote Access Trojans
Data Sending Trojans
Destructive Trojans
Proxy Trojans
FTP Trojans
Security software disabler Trojans
Denial-of-service attack (DoS) Trojans

A Trojan horse, or Trojan, is a non-self-replicating type of malware which gains privileged access to the operating system while appearing to perform a desirable function, but instead drops a malicious payload, often including a backdoor allowing unauthorized access to the target's computer. These backdoors tend to be invisible to average users, but may cause the computer to run slowly. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information or harm their host computer systems. Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers. The term is derived from the Trojan Horse story in Greek mythology, because Trojan horses employ a form of "social engineering," presenting themselves as harmless, useful gifts in order to persuade victims to install them on their computers.

The Difference Between a Computer Virus, Worm and Trojan Horse
Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three. One common mistake that people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not exactly the same thing. Knowing the differences can help you better protect your computer from their often damaging effects.

What Is a Virus?
A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. Like a human virus, a computer virus can range in severity: some may cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. Because a virus is spread by human action, people will unknowingly continue the spread of a computer virus by sharing infected files or sending e-mails with viruses as attachments.

What Is a Worm?
A worm is similar to a virus by design and is considered to be a sub-class of virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

What Is a Trojan Horse?
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary.
Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

What Are Blended Threats?
Added into the mix, we also have what is called a blended threat. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and spread an attack. Characteristics of blended threats are that they cause harm to the infected system or network, they propagate using multiple methods, the attack can come from multiple points, and they exploit vulnerabilities. To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it would not just launch a DoS attack; it would also, for example, install a backdoor and maybe even damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. So, while a worm may travel and spread through e-mail, a single blended threat could use multiple routes including e-mail, IRC and file-sharing networks. Lastly, rather than a specific attack on predetermined .exe files, a blended threat could perform multiple malicious acts, like modifying your .exe files, HTML files and registry keys at the same time; basically, it can cause damage within several areas of your network at one time.
Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats also require no human intervention to propagate.

Tips to Combat Viruses, Worms and Trojan Horses on Your Computer
Keep the Operating System Updated
The first step in protecting your computer from any malicious threat is to ensure that your operating system (OS) is up to date. This is essential if you are running a Microsoft Windows OS. Secondly, you need to have anti-virus software installed on your system, and you should download updates frequently to ensure your software has the latest fixes for new viruses, worms and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet, and you also need to run full disk scans periodically. This will help prevent malicious programs from even reaching your computer.

Use a Firewall
You should also install a firewall. A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore worms embedded in outgoing e-mails and see this as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms.
The downside to software firewalls is that they will only protect the computer they are installed on, not a network. It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it will add some extra security and protection for your computer or network.

What is a Worm? (Computer virus)
A computer WORM is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections). Note that unlike viruses, worms do not need to attach themselves to a host program. There are two types of worms: host computer worms and network worms. Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Host computer worms where the original terminates itself after launching a copy on another host (so there is only one copy of the worm running somewhere on the network at any given moment) are sometimes called "rabbits." Network worms consist of multiple parts (called "segments"), each running on a different machine (and possibly performing different actions) and using the network for several communication purposes. Propagating a segment from one machine to another is only one of those purposes. Network worms that have one main segment which coordinates the work of the other segments are sometimes called "octopuses." The infamous Internet Worm (perhaps covered best in "The Internet Worm Program: An Analysis," Eugene H. Spafford, Purdue Technical Report CSD-TR-823) was a host computer worm, while the Xerox PARC worms were network worms (a good starting point for these is "The Worm Programs--Early Experience with a Distributed Computation," Communications of the ACM, 25, no. 3, March 1982, pp. 172-180).

Avoiding Virus Infection
Always being cautious about executing programs or opening documents given to you is a good security practice. "If you don't know where it came from or where it has been, don't open or run it" should be the basic guideline for all computer users. Another security best practice for protecting against virus infection is to install and run an antivirus program. Since these programs are designed to protect against known viruses, it is also important to maintain an up-to-date listing of virus signatures for your antivirus software. Antivirus software vendors provide this, and administrators should stay on top of the latest updates to the list of known viruses.

Two advances in virus writing have made it more difficult for antivirus software to detect viruses: the introduction of stealth virus techniques and polymorphic viruses. A stealth virus employs techniques to help evade detection by antivirus software that uses checksums or other techniques. Polymorphic viruses also attempt to evade detection, but they do so by changing the virus itself (the virus "evolves"). Because the virus changes, signatures for that virus may no longer be valid, and the virus may escape detection by antivirus software.

Virus Hoaxes
Viruses have caused so much damage in the last few years that many Internet users have become extremely cautious any time a rumor of a new virus is heard. Many users will not connect to the Internet when they hear about a virus outbreak, just to be sure they do not get infected themselves. This has given rise to virus hoaxes, in which word is spread about a new virus and the extreme danger it poses. A hoax may warn users not to read certain files or connect to the Internet. A good example of a virus hoax was the Good Times virus warning, which has been copied repeatedly and can still be seen in various forms today.
It caused widespread panic as users read about this extremely dangerous virus, which could supposedly cause the processor to overheat (from being put into an "nth complexity infinite binary loop") and be destroyed. Many folks saw through this hoax, but many less experienced users did not, and they passed the warning along to all of their friends. Hoaxes can actually be even more destructive than just wasting time and bandwidth. Some hoaxes warning of a dangerous virus have included instructions to delete certain files if found on the user's system. Unfortunately for those who follow the advice, the files may actually be part of the operating system, and deleting them could keep the system from booting properly. This suggests another good piece of security advice: make sure of the authenticity and accuracy of any virus report before following somebody's advice. Antivirus software vendors are a good source of factual data for this sort of threat as well.

Trojan Horses
A Trojan horse, or simply Trojan, is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but that hides some other functionality. The analogy to the famous story of antiquity is very accurate. In the original case, the object appeared to be a large wooden horse, and in fact it was. At the same time, it hid something much more sinister and dangerous to the occupants of the city. As long as the horse was left outside the city walls, it could cause no damage to the inhabitants. It had to be taken in by the inhabitants, and only once it was inside was the hidden purpose activated. A computer Trojan works in much the same way. Unlike a virus, which reproduces by attaching itself to other files or programs, a Trojan is a standalone program that must be copied and installed by the user; it must be "brought inside" the system by an authorized user.
The challenge for the attacker is enticing the user to copy and run the program. This generally means that the program must be disguised as something that the user would want to run, such as a special utility or game. Once it has been copied and is "inside" the system, the Trojan will perform its hidden purpose, with the user often still unaware of its true nature. A good example of a Trojan is Back Orifice (BO), originally created in 1999 and now in several versions. BO can be attached to a number of types of programs. Once it is, and once an infected file is run, BO will create a way for unauthorized individuals to take over the system remotely, as if they were sitting at the console. BO is designed to work with Windows-based systems. The single best method to prevent the introduction of a Trojan to your system is never to run software if you are unsure of its origin, security and integrity. A virus-checking program may also be useful in detecting and preventing the installation of known Trojans.

Logic Bombs
Logic bombs, unlike viruses and Trojans, are a type of malicious software that is deliberately installed, generally by an authorized user. A logic bomb is a piece of code that sits dormant for a period of time until some event invokes its malicious payload. An example of a logic bomb might be a program that is set to automatically load and run, and that periodically checks an organization's payroll or personnel database for a specific employee. If the employee is not found, the malicious payload executes, deleting vital corporate files. If the trigger is some event, such as not finding a specific name in the personnel file, the code is referred to as a logic bomb. If the event is a specific date or time, the program will often be referred to as a time bomb. In one famous example of a time bomb, a disgruntled employee left a time bomb in place just prior to being fired from his job. Two weeks later, thousands of client records were deleted.
Police were eventually able to track the malicious code to the disgruntled ex-employee, who was prosecuted for his actions. He had hoped that the two weeks that had passed since his dismissal would cause investigators to assume he could not have been the individual who caused the deletion of the records. Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, have been installed by administrators who are also often responsible for security. This demonstrates the need for a separation of duties and a periodic review of all programs and services that are running. It also illustrates the need to maintain an active backup program, so that if your organization loses critical files to this sort of malicious code, you only lose the transactions since the most recent backup and do not permanently lose the data.

Worms
Originally it was easy to distinguish between a worm and a virus. Recently, with the introduction of new breeds of sophisticated malicious code, the distinction has blurred. Worms are pieces of code that attempt to penetrate networks and computer systems. Once a penetration occurs, the worm will create a new copy of itself on the penetrated system. Reproduction of a worm thus does not rely on the attachment of the code to another piece of code or to a file, which is the definition of a virus. The blurring of the distinction between viruses and worms has come about because of the attachment of malicious code to e-mail. Viruses were generally thought of as a system-based problem, and worms were network-based. If the malicious code is sent throughout a network, it may subsequently be called a worm. The important distinction, however, is whether the code has to attach itself to something else (a virus) or can "survive" on its own (a worm).
The Morris Worm

The most famous example of a worm was the Morris worm in 1988. Also sometimes referred to as the Internet worm, because of its effect on the early Internet, the worm was able to insert itself into so many systems connected to the Internet that it has been repeatedly credited with “bringing the Internet to its knees” for several days. It was this worm that provided the impetus for the creation of what was once the Computer Emergency Response Team Coordination Center, though it is now simply the CERT Coordination Center (CERT/CC), located at Carnegie Mellon University.

The Morris worm was created by a graduate student named Robert Morris. It utilized several known vulnerabilities to gain access to a new system, and it also relied on password guessing to obtain access to accounts. Once a system had been penetrated, a small bootstrap program was inserted into the new system and executed. This program then downloaded the rest of the worm to the new system. The worm had some stealth characteristics to make it harder to determine what it was doing, and it suffered from one major miscalculation. The worm would not be loaded if a copy of it was already found on the new system, but it was designed to periodically ignore this check, reportedly to ensure that the worm could not be easily eliminated. The problem with this plan was that interconnected systems were constantly being reinfected. Eventually the systems were running so many copies of the worm that the system response time ground to a stop. It took a concerted effort by many individuals before the worm was eliminated. While the Morris worm carried no malicious payload, it is entirely possible for worms to do so.

Protection Against Worms

How you protect a system against worms depends on the type of worm. Those attached to and propagated through e-mail can be avoided by following the same guidelines about not opening files and not running attachments unless you are absolutely sure of their origin and integrity. Protecting against the Morris type of Internet worm involves securing systems and networks against penetration in the same way you would protect your systems against human attackers. Install patches, eliminate unused and unnecessary services, enforce good password security, and utilize firewalls and intrusion detection systems.

War-Dialing and War-Driving

War-dialing is the term used to describe an attacker’s attempt to discover unprotected modem connections to computer systems and networks. The term’s origin is the 1983 movie War Games, in which the star has his machine systematically call a sequence of phone numbers in an attempt to find a computer connected to a modem. In the case of the movie, the intent was to find a machine with games the attacker could play, though obviously an attacker could have other purposes once access is obtained.

War-dialing is surprisingly successful, mostly because of rogue modems. These are unauthorized modems attached to computers on a network by authorized users. Generally the reason for attaching the modem is not malicious—the individual may simply want to be able to go home and then connect to the organization’s network in order to continue working. The problem is that if a user can connect, so can an attacker. If the authorized user has not implemented any security protection, this means of access could be totally open. This is often the case. Most organizations have a strict policy against connecting unauthorized modems, but it is hard to enforce this kind of policy.

Recently, new technology has been developed to address this common backdoor into corporate networks. Telephone firewalls have been created, which block any unauthorized modem connections into an organization. These devices make it impossible for an unauthorized modem connection to be established and can also enforce strict access policies on any authorized modems.

Another avenue of attack on computer systems and networks has seen a tremendous increase over the last few years because of the increase in the use of wireless networks. Wireless networks have some obvious advantages—they free employees from the cable connection to a port on their wall, allowing them to wander throughout the building with their machine and still be connected. An employee could, for example, leave their desk with their laptop and move to a conference room where they could then make a presentation, all without ever having to disconnect their machine from the wall or find a connection in the conference room.

The problem with wireless networks is that it is hard to limit access to them. Since there is no physical connection, the distance that a user can go and still remain connected is a function of the wireless network itself and where the various components of the network are placed. In order to ensure access throughout a facility, stations are often placed at numerous locations, some of which may actually provide access to areas outside of the organization in order to ensure that the farthest offices in the organization can be reached. Frequently access extends into adjacent offices or into the parking lot or street. Attackers can locate these access areas that fall outside of the organization and attempt to gain unauthorized access.

The term war-driving has been used to refer to the activity where attackers wander throughout an area (often in a car) with a computer with wireless capability, searching for wireless networks they can access. There are security measures that can limit an attacker’s ability to succeed at this activity, but, just as in war-dialing, the individuals who set up the wireless networks don’t always activate these security mechanisms.
Social Engineering

Social engineering relies on lies and misrepresentation, which an attacker uses to trick an authorized user into providing information or access the attacker would not normally be entitled to. The attacker might, for example, contact a system administrator pretending to be an authorized user in order to have a password reset. Another common ploy is to pose as a representative from a vendor needing temporary access in order to perform some emergency maintenance. Social engineering also applies to physical access. Simple techniques include impersonating pizza or flower delivery personnel in order to gain physical access to a facility.

Attackers know that, due to poor security practices, if they can gain physical access to an office, the chances are good that, given a little unsupervised time, a userid and password pair might be found on a notepad or sticky note. Unsupervised access may not even be required, depending on how poor the security practices of the organization are. One of the authors of this book was once considering opening an account at a bank near his home. As he sat down at the desk across from the bank employee taking his information, the author noticed one of the infamous little yellow notes attached to the computer monitor the employee was using. The note read “password for July is ‘julyjuly’”. It probably isn’t too hard to guess what August’s password might be. Unfortunately, this is all too often the state of security practices in most organizations. With that in mind, it is easy to see how social engineering might work and might provide all the information needed to gain unauthorized access to a system or network.

Security Basics

Access Controls

Q. What is Access Control? List the different types of it.

Ans. The term access control has been used to describe a variety of protection schemes. It is sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access is the ability of a subject (such as an individual or a process running on a computer system) to interact with an object (such as a file or hardware device). Authentication, on the other hand, deals with verifying the identity of a subject.

To help understand the difference, consider the example of an individual attempting to log in to a computer system or network. Authentication is the process used to verify to the computer system or network that the individual is who they claim to be. The most common method to do this is through the use of a userid and password. Once the individual has verified their identity, access controls regulate what the individual can actually do on the system. Just because a person is granted entry to the system, that does not mean that they should have access to all data the system contains.

To further illustrate, consider another example. When you go to your bank to make a withdrawal, the teller at the window will verify that you are indeed who you claim to be. This is usually done by asking you to provide some form of identification with your picture on it, such as your driver’s license. You may also have to provide information such as your bank account number. Once the teller verifies your identity, you will have proved that you are a valid (authorized) customer of this bank. This does not, however, mean that you have the ability to view all information that the bank protects—such as your neighbor’s balance. The teller will control what information, and funds, you may have access to and will grant you access only to that which you are authorized. In this example, your identification and bank account number serve as your method of authentication and the teller serves as the access control mechanism.
In computer systems and networks, there are several ways that access controls can be implemented. An access control matrix provides the simplest framework for illustrating the process. An example of an access control matrix is provided in Table 1-1. In this matrix, the system is keeping track of two processes, two files, and one hardware device. Process 1 can read both File 1 and File 2 but can write only to File 1. Process 1 cannot access Process 2, but Process 2 can execute Process 1. Both processes have the ability to write to the printer.

While simple to understand, the access control matrix is seldom used in computer systems because it is extremely costly in terms of storage space and processing. Imagine the size of an access control matrix for a large network with hundreds of users and thousands of files.

The actual mechanics of how access controls are implemented in a system varies, though access control lists (ACLs) are common. An ACL is nothing more than a list that contains the subjects that have access rights to a particular object. The list will identify not only the subject but the specific access that that subject has for the object. Typical types of access include read, write, and execute, as indicated in our example access control matrix.

No matter what specific mechanism is used to implement access controls in a computer system or network, the controls should be based on a specific model of access. Several different models are discussed in security literature, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

Discretionary Access Control

Both discretionary access control and mandatory access control are terms originally used by the military to describe two different approaches to controlling what access an individual had on a system.
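The Table 1-1 matrix described above, encoded and reduced to the per-object ACLs that discretionary systems actually store, as an added example (not code from these notes). The object owners and the owner-only grant rule are assumptions, since Table 1-1 records only access rights.

```python
"""Table 1-1 access control matrix reduced to per-object ACLs (added example)."""

# Constructed from the prose description of Table 1-1: Process 1 reads
# File 1 and File 2, writes File 1 and cannot access Process 2; Process 2
# executes Process 1; both processes write to the printer.  Cells the text
# does not mention are left empty (deny by default).
MATRIX = {
    "Process 1": {"File 1": {"read", "write"}, "File 2": {"read"},
                  "Process 2": set(), "Printer": {"write"}},
    "Process 2": {"File 1": set(), "File 2": set(),
                  "Process 1": {"execute"}, "Printer": {"write"}},
}

# Assumed owners: Table 1-1 has no owner column, but discretionary control needs one.
OWNERS = {"File 1": "Process 1", "File 2": "Process 1"}


def to_acls(matrix):
    """Object-major view: for each object, the subjects holding rights to it.

    Empty cells are dropped, which is why ACLs need far less storage than
    the full subjects x objects matrix the notes call impractical.
    """
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def check(acls, subject, obj, right):
    """Reference-monitor check: no entry means no access."""
    return right in acls.get(obj, {}).get(subject, set())


def grant(acls, owners, granter, subject, obj, right):
    """Discretionary grant: only the object's owner may extend its ACL.

    This is the Orange Book's "capable of passing that permission on":
    the decision belongs to the owner, not to the operating system.
    """
    if owners.get(obj) != granter:
        raise PermissionError(f"{granter} does not own {obj}")
    acls.setdefault(obj, {}).setdefault(subject, set()).add(right)


def storage_cells(matrix):
    """(cells in the full matrix, non-empty ACL entries) for the storage comparison."""
    objects = {obj for row in matrix.values() for obj in row}
    entries = sum(1 for row in matrix.values() for rights in row.values() if rights)
    return len(matrix) * len(objects), entries


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    print(check(acls, "Process 1", "File 1", "write"))       # True
    print(check(acls, "Process 1", "Process 2", "execute"))  # False
    grant(acls, OWNERS, "Process 1", "Process 2", "File 2", "read")
    print(check(acls, "Process 2", "File 2", "read"))         # True
    print(storage_cells(MATRIX))                              # (10, 5)
```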
As defined by the “Orange Book,” a Department of Defense document that at one time was the standard for describing what constituted a trusted computing system, discretionary access controls are “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.” While this may appear to many to be typical “government-speak” and confusing, the principle is really rather simple. In systems that employ discretionary access controls, the owner of an object can decide which other subjects may have access to the object and what specific access they may have. One common method to accomplish this is the permission bits used in UNIX-based systems. The owner of a file can specify what permissions (read/write/execute) members in the same group may have and also what permissions all others may have. Access control lists are another common mechanism used to implement discretionary access control.

Mandatory Access Control

A less frequently employed system for restricting access is mandatory access control. This system, generally used only in environments where different levels of security classifications exist, is much more restrictive of what a user is allowed to do. Again referring to the Orange Book, we can find a definition for mandatory access controls, which is “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.” In this case, the owner or subject can’t determine whether access is to be granted to another subject; it is the job of the operating system to decide.
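The Orange Book definition just quoted, as an added example (not code from these notes) of what the operating system enforces: labels on objects, clearances on subjects, and a reference monitor that refuses reading up, writing down and any subject-initiated relabeling. The Unclassified level and the need-to-know compartments are assumptions added to complete the lattice; Secret and Top Secret are the classifications the notes use.

```python
"""Multilevel (mandatory) access control with labels and clearances (added example)."""
from dataclasses import dataclass

# Secret and Top Secret are the classifications the notes use; Unclassified
# is an assumed bottom level.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # assumed need-to-know categories

    def dominates(self, other):
        """Lattice order: at least as high a level and every category of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    name: str
    label: Label


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label  # assigned by the system, never changed by the subject


# Sentinel for the operating system itself, the only party allowed to relabel.
SYSTEM = Subject("operating system", Label("Top Secret"))


class ReferenceMonitor:
    """The OS-side mechanism: every read, information flow or relabel is decided here."""

    def can_read(self, subj, obj):
        # No read up: a Secret clearance never opens a Top Secret file.
        return subj.clearance.dominates(obj.label)

    def can_flow(self, src, dst):
        # No write down: data may only move to an equal or higher label, so a
        # cut from a Top Secret window cannot be pasted into a Secret one.
        return dst.label.dominates(src.label)

    def can_send(self, obj, recipient):
        # Sending a Top Secret file to a Secret-cleared user is also a write down.
        return recipient.clearance.dominates(obj.label)

    def relabel(self, actor, obj, new_label):
        # Subjects cannot change classifications, whatever their clearance.
        if actor is not SYSTEM:
            raise PermissionError(f"{actor.name} may not relabel {obj.name}")
        obj.label = new_label


if __name__ == "__main__":
    rm = ReferenceMonitor()
    plan = Obj("plan.doc", Label("Top Secret"))
    memo = Obj("memo window", Label("Secret"))
    alice = Subject("alice", Label("Top Secret"))
    bob = Subject("bob", Label("Secret"))
    print(rm.can_read(bob, plan))     # False: read up
    print(rm.can_read(alice, memo))   # True: reading down is allowed
    print(rm.can_flow(plan, memo))    # False: paste Top Secret into a Secret window
    print(rm.can_send(plan, bob))     # False: write down
    try:
        rm.relabel(alice, plan, Label("Secret"))
    except PermissionError as err:
        print(err)
```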
In MAC, the security mechanism controls access to all objects and individual subjects cannot change that access. The key here is the label attached to every subject and object. The label will identify the level of classification for that object and the level that the subject is entitled to. Think of military security classifications such as Secret and Top Secret. A file that has been identified as Top Secret (has a label indicating that it is Top Secret) may be viewed only by individuals with a Top Secret clearance. It is up to the access control mechanism to ensure that an individual with only a Secret clearance never gains access to a file labeled as Top Secret. Similarly, a user cleared for Top Secret access will not be allowed by the access control mechanism to change the classification of a file labeled as Top Secret to Secret or to send that Top Secret file to a user cleared only for Secret information. The complexity of such a mechanism can be further understood when you consider today’s windowing environment. The access control mechanism will not allow a user to cut a portion of a Top Secret document and paste it into a window containing a document with only a Secret label. It is this separation of differing levels of classified information that results in this sort of mechanism being referred to as multilevel security.

A final comment should be made: just because a subject has the appropriate level of clearance to view a document, that does not mean that they will be allowed to do so. The concept of “need to know,” which is a discretionary access control concept, also exists in mandatory access control mechanisms.

Role-Based Access Control

Access control lists can be cumbersome and can take time to administer properly. Another access control mechanism that has been attracting increased attention is role-based access control (RBAC). In this scheme, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, that user is assigned a set of roles that the user may perform. The roles are in turn assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform—not of a security classification associated with individual objects.

Q. Write a short note on Authentication.

Ans. Access controls define what actions a user can perform or what objects a user can have access to. These controls assume that the identity of the user has been verified. It is the job of authentication mechanisms to ensure that only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claim to be. There are three general methods used in authentication. In order to verify your identity, you can provide:

• Something you know
• Something you have
• Something about you (something that you are)

The most common authentication mechanism is to provide something that only you, the valid user, should know. The most frequently used example of this is the common userid (or username) and password. In theory, since you are not supposed to share your password with anybody else, only you should know your password, and thus by providing it you are proving to the system that you are who you claim to be. In theory, this should be a fairly decent method to provide authentication. Unfortunately, for a variety of reasons, such as the fact that people have a tendency to choose very poor and easily guessed passwords, this technique to provide authentication is not as reliable as it should be. Other authentication mechanisms are consequently always being developed and deployed.

Another method to provide authentication involves the use of something that only valid users should have in their possession. A physical-world example of this would be a simple lock and key. Only those individuals with the correct key will be able to open the lock and thus gain admittance to your house, car, office, or whatever the lock was protecting. A similar method can be used to authenticate users for a computer system or network (though the key may be electronic and may reside on a smart card or similar device). The problem with this technology is that people will lose their keys (or cards), which means they can’t log in to the system and somebody else who finds the key may then be able to access the system, even though they are not authorized.

To address this problem, a combination of the something-you-know/something-you-have methods is often used so that the individual with the key may also be required to provide a password or passcode. The key is useless unless you know this code. An example of this is the ATM card most of us carry. The card is associated with a personal identification number (PIN), which only you should know. Knowing the PIN without having the card is useless, just as having the card without knowing the PIN will also not provide you access to your account.

The third general method to provide authentication involves something that is unique about you. We are used to this concept in our physical world, where people’s fingerprints, or a sample of their DNA, can be used to identify them. This same concept can be used to provide authentication in the computer world. The field of authentication that uses something about you or something that you are is known as biometrics.
A number of different mechanisms can be used to accomplish this type of authentication, such as a voice print, a retinal scan, or hand geometry. All of these methods obviously require some additional hardware in order to operate. While these three approaches to authentication appear to be easy to understand and in most cases easy to implement, authentication is not to be taken lightly, since it is such an important component of security. Potential attackers are constantly searching for ways to get past the system’s authentication mechanism, and there have been some fairly ingenious methods employed to do so. Consequently, security professionals are constantly devising new methods, building on these three basic approaches, to provide authentication mechanisms for computer systems and networks.

Q. Describe methods of Defense.

Ans. Security is the process of ensuring the confidentiality, integrity, authenticity, non-repudiation, and availability of electronic communications and transactions. To ensure the security of an e-business and e-commerce it is necessary to implement security policies and technologies that enable trusted electronic transactions and communications. The methods for ensuring security in systems include:

Authentication:

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten. For this reason, Internet business and many other transactions require a more stringent authentication process. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a PKI is considered likely to become the standard way to perform authentication on the Internet. Logically, authentication precedes authorization (although they may often seem to be combined).

Authorization:

Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines for the system which users are allowed access to the system and what privileges of use they have (such as access to which file directories, hours of access, amount of allocated storage space, and so forth). Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify what resources the user can be given during this session. Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access. Logically, authorization is preceded by authentication.

Cryptography:

Mathematical methods and techniques are used to ensure the confidentiality, integrity and non-repudiation of communications and transactions. Cryptography will be discussed in detail in the next chapter.

Risk Analysis:

In order for an effective security strategy to be implemented, assets must be identified, probable risks determined, and an approximate value placed on organizational assets. Value in an intangible electronic medium can sometimes be difficult to determine. However, the enterprise must assess the value of issues like reputation, customer confidence, financial fraud, disclosure of proprietary information, and trade secrets. After a detailed risk analysis is conducted, cost-effective e-business and e-commerce enabling policies, processes, and procedures can be developed to minimize the risk of unauthorized access and disclosure of organizational assets. Costs associated with minimizing risks should never exceed the cost of replacing the asset.

Security Policy:

It is essential that easy-to-understand and enforceable security policies be documented and disseminated to all e-business and e-commerce constituencies, including employees, customers, partners, and suppliers. Security policies should clearly define the proper use of network resources and e-business assets. Roles and responsibilities need to be defined for policy creation, revision, and implementation. Security technologies are designed to implement, monitor, and verify organizational security policies. Processes and procedures need to be established for the implementation and maintenance of authentication, authorization, accounting, and cryptography standards in support of the e-business and e-commerce. In order for a secure e-business and e-commerce initiative to be effective, it is critical that an organization establish simple and effective ground rules for the proper use of network resources and assets.

Audit and Assessment:

The purpose of a security assessment is to determine the effectiveness of the current security infrastructure by identifying the extent of network-level vulnerabilities and the organization’s ability to monitor, detect, and respond to network-driven attacks.

Legal Framework:

To fight against cyber crime, cyber laws have been adopted by the various countries of the world. In 1996, the United Nations Commission on International Trade Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Commerce. Its intent is to harmonize and unify international trade law to remove unnecessary legal obstacles. The Model Law is prepared to serve as a model to countries for the evaluation and modernization of certain aspects of their laws and practices in the field of commercial relationships involving the use of computerized or other modern communication techniques, and for the establishment of relevant legislation where none presently exists. The Model Law enables or facilitates the use of electronic commerce and provides equal treatment to users of paper-based documentation and to users of computer-based information. Depending on the situation in each enacting State, the Model Law could be implemented in various ways, either as a single statute or in several pieces of legislation.

In addition to the information technology acts of the respective countries, international rules and regulations have strengthened the fight against cyber crimes. The International Corporation for Assigned Names and Numbers (ICANN) has adopted the Uniform Domain Name Dispute Resolution Policy to resolve domain name disputes. The World Intellectual Property Organization (WIPO) has prepared new copyright treaties, viz. the Copyright Treaty and the Performances and Phonograms Treaty, to fight against violations of intellectual property and licensing.

Controls:

The above-mentioned methods of defense, like authentication, authorization and cryptography, are implemented using various hardware and software controls. Different hardware controls like smart cards, firewalls, intrusion detection systems, locks or cables limiting access, devices to verify users’ identities, etc. are used. Software controls that aid in a secure computing environment are: internal program controls, which are themselves parts of the program and enforce security restrictions; operating system and network system controls, which are the limitations enforced by operating systems or networks; independent control programs, which are application programs that verify passwords, detect intrusions, scan for viruses, etc.; and quality standards that are enforced in the software development life cycle to prevent software faults from becoming exploitable vulnerabilities.

Q. What is Kerberos and CHAP? Describe.

Ans.

Kerberos

Developed as part of MIT’s Project Athena, Kerberos is a network authentication protocol designed for a client/server environment. Taking its name from the three-headed dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently insecure environment. Kerberos uses strong encryption so that a client can prove its identity to a server and the server can in turn authenticate itself to the client. The basis for authentication in a Kerberos environment is something known as a ticket. Tickets are granted by the authentication server, which is an entity trusted by both the client and the server the client wishes to access. The client can then present this ticket to the server to provide proof of identity. Since the entire session can be encrypted, this will eliminate the inherently insecure transmission of items such as a password that can be intercepted on the network. Since the tickets are time-stamped, attempting to reuse them will not be successful.

To illustrate how the Kerberos authentication service works, think about the common driver’s license. You have received a license that you can present to other entities to prove you are who you claim to be. Because these other entities trust the state the license was issued in, they will accept your license as proof of your identity. The state the license was issued in is analogous to the Kerberos authentication service. It is the trusted entity both sides rely on to provide valid identifications. This analogy is not perfect, because we all probably have heard of individuals who obtained a phony driver’s license, but it serves to illustrate the basic idea behind Kerberos.

CHAP

CHAP, the Challenge Handshake Authentication Protocol, is used to provide authentication across a point-to-point link using the Point-to-Point Protocol (PPP). In this protocol, authentication after the link has been established is not mandatory. CHAP is designed to provide authentication periodically through the use of a challenge/response system sometimes described as a three-way handshake, as illustrated in the figure. The initial challenge (a randomly generated number) is sent to the client. The client uses a one-way hashing function to calculate what the response should be and then sends this back. The server compares the response with what it calculated the response should be. If it matches, communication continues. If the two values don’t match, then the connection is terminated. This mechanism relies on a shared secret between the two entities so that the correct values can be calculated.

Certificates

Certificates are a method to establish the authenticity of specific objects such as an individual’s public key (more on this specific subject in Chapter 10) or downloaded software. A digital certificate is generally seen as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. The digital certificate can also contain a key that can be used to encrypt further communication.

Tokens

A token is a hardware device that can be used in a challenge/response authentication process. In this way, it functions as both a something-you-have and something-you-know authentication mechanism.
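The CHAP handshake described above, as an added example (not code from these notes): the authenticator's random challenge, the peer's one-way-hash response, the compare-then-continue-or-terminate decision, and the periodic re-challenge. The response formula (MD5 over the identifier byte, the shared secret and the challenge) is the one RFC 1994 specifies; the packet classes, peer names and in-memory link are constructed for the example.

```python
"""CHAP three-way handshake over a shared secret (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# CHAP packet codes from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


@dataclass
class Packet:
    code: int
    identifier: int      # ties a response to the challenge it answers
    value: bytes = b""   # challenge value or response hash
    name: str = ""       # peer name, sent in the clear


def chap_response(identifier, secret, challenge):
    """MD5(identifier || secret || challenge), the RFC 1994 response value.

    Both sides compute this; the secret itself never crosses the link.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges, verifies responses, accepts or terminates."""

    def __init__(self, secrets):
        self.secrets = secrets   # peer name -> shared secret (CHAP needs it in clear)
        self.pending = {}        # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)   # fresh and unpredictable, so an old answer is useless
        self.pending[ident] = value
        return Packet(CHALLENGE, ident, value, "authenticator")

    def verify(self, resp):
        value = self.pending.pop(resp.identifier, None)   # one answer per challenge
        secret = self.secrets.get(resp.name)
        if resp.code != RESPONSE or value is None or secret is None:
            return Packet(FAILURE, resp.identifier)
        expected = chap_response(resp.identifier, secret, value)
        ok = hmac.compare_digest(expected, resp.value)    # constant-time compare
        return Packet(SUCCESS if ok else FAILURE, resp.identifier)


class Peer:
    """Client side: answers each challenge with the hash of its own secret."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, chal):
        digest = chap_response(chal.identifier, self.secret, chal.value)
        return Packet(RESPONSE, chal.identifier, digest, self.name)


def run_session(auth, peer, rounds=3):
    """Periodic re-authentication: the link stays up only while every round succeeds."""
    for _ in range(rounds):
        reply = auth.verify(peer.respond(auth.challenge()))
        if reply.code != SUCCESS:
            return False   # values differ: terminate the connection
    return True


if __name__ == "__main__":
    auth = Authenticator({"branch-router": b"shared-secret"})   # constructed secret
    print(run_session(auth, Peer("branch-router", b"shared-secret")))  # True
    print(run_session(auth, Peer("branch-router", b"guess")))          # False
```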
There have been several variations on this type of device, but they all work on the same basic principles. The device has an LCD screen and may or may not have a numeric keypad. Devices without a keypad will display a password (often just a sequence of numbers) that changes at a constant interval, usually about every 60 seconds. When an individual attempts to log in to a system, they enter their own user identification number and then the number that is showing on the LCD. The system knows which device they have and is synchronized with it so that it will know the number that should have been displayed. Since this number is constantly changing, a potential attacker who is able to see the sequence will not be able to use it later, since the code will have changed.

Devices with a keypad work in a similar fashion (and may also be designed to function as a simple calculator). The individual who wants to log in to the system will first type their personal identification number into the calculator. They will then attempt to log in. The system will then provide a challenge; the user must enter that challenge into the calculator and press a special function key. The calculator will then determine the correct response and display it. The user provides the response to the system they are attempting to log in to, and the system verifies that this is the correct response. Since each user has a different PIN, two individuals receiving the same challenge will have different responses. The device can also use the date or time as a variable for the response calculation so that the same challenge at different times will yield different responses, even for the same individual.

Multifactor

Multifactor is a term used to describe the use of more than one authentication mechanism at the same time.
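The keypad-less time-synchronized token described above, combined with a PIN as a second factor in the sense of the multifactor definition, as an added example (not code from these notes). The 60-second interval comes from the text; deriving the displayed number with HMAC over the interval counter (the RFC 6238 TOTP construction), the one-interval drift window and the once-only acceptance of each code are assumptions about how the device and server stay synchronized.

```python
"""Time-synchronized token code plus PIN as two factors (added example)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the interval the notes give
DIGITS = 6          # assumed display width
PBKDF2_ROUNDS = 100_000


def token_code(seed, now, step=STEP_SECONDS, digits=DIGITS):
    """The number on the LCD at time `now`: a function of the seed and the interval only.

    HMAC-SHA1 over the interval counter with dynamic truncation is the RFC 6238
    (TOTP) construction, assumed here as the synchronization method.
    """
    counter = int(now) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


def _hash_pin(pin, salt):
    """PINs are stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class TokenServer:
    """Knows each user's device seed and PIN hash; a login needs both factors."""

    def __init__(self):
        self.users = {}          # user -> (seed, pin_hash, salt)
        self.last_counter = {}   # user -> last interval whose code was accepted

    def enroll(self, user, seed, pin, salt):
        self.users[user] = (seed, _hash_pin(pin, salt), salt)

    def authenticate(self, user, pin, code, now):
        if user not in self.users:
            return False
        seed, pin_hash, salt = self.users[user]
        # Factor 1, something you know: the PIN (compared in constant time).
        if not hmac.compare_digest(_hash_pin(pin, salt), pin_hash):
            return False
        # Factor 2, something you have: the code the device shows now,
        # allowing one interval of clock drift either way.
        counter = int(now) // STEP_SECONDS
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(token_code(seed, c * STEP_SECONDS), code):
                # Each interval's code is accepted once, so a code seen over a
                # shoulder cannot be reused even within the same minute.
                if self.last_counter.get(user, -1) >= c:
                    return False
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    server = TokenServer()
    seed, salt = b"\x01" * 20, b"constructed-salt"   # constructed values
    server.enroll("alice", seed, "1234", salt)
    now = 1_700_000_040
    shown = token_code(seed, now)
    print(server.authenticate("alice", "1234", shown, now))   # True
    print(server.authenticate("alice", "1234", shown, now))   # False: replay
    print(server.authenticate("alice", "0000", shown, now))   # False: wrong PIN
```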
An example of this is the hardware token, which requires both a personal identification number or password and the device itself to determine the correct response in order to authenticate to the system. This means that both the something-you-have and the something-you-know mechanisms are used as factors in verifying the authenticity of the user. Biometrics are also often used in conjunction with a personal identification number so that they too can be part of a multifactor authentication scheme, in this case something you are as well as something you know. The purpose of multifactor authentication is to increase the level of security, since more than one mechanism would have to be spoofed for an unauthorized individual to gain access to a computer system or network. The most common example of multifactor security is the ATM card most of us carry: the card is something you have and the PIN is something you know.

Mutual Authentication
Mutual authentication is a term used to describe a process in which each side of an electronic communication verifies the authenticity of the other. We are used to the idea of having to authenticate ourselves to our Internet service provider (ISP) before we access the Internet, generally through the use of a user identification/password pair, but how do we actually know that we are really communicating with our ISP and not some other system that has somehow inserted itself into our communication (a man-in-the-middle attack)? Mutual authentication provides a mechanism for each side of a client/server relationship to verify the authenticity of the other, addressing this issue.

Board Question Paper Solution
Sample Paper - I
a. List and describe the basic components of computer security.
Ans. Refer Q.No.
b. Describe the denial of service attack with the help of a diagram.
Ans. Refer Q.No.
c. What are viruses and worms?
Describe the virus spreading mechanism.
Ans. Refer Q.No.
d. Describe threat, vulnerability and attack as characteristics of Computer
Ans. Refer Q.No.

Sample Paper - II
a. Describe criminal organizations, terrorists and information warfare.
Ans. Refer Q.No.
b. What is an attack? Describe DOS, DDOS and POD.
Ans. Refer Q.No.
c. Describe stealth virus, polymorphic virus, macro virus and boot sector virus.
Ans. Refer Q.No.
d. Describe in detail the different layers of security.
Ans. Refer Q.No.
e. What is a threat? Describe interruption, modification and fabrication as related to threats.
Ans. Refer Q.No.

Winter 2008
a. Describe the following terms: (i) Overwriting viruses (ii) Stealth viruses
Ans. Refer Q.No.
b. Describe the different phases of viruses.
Ans. Refer Q.No.
c. What is computer security? Describe any three functions of computer security.
Ans. Refer Q.No.
d. With a neat sketch diagram, explain the following: (i) SYN flood attack (ii) Bucket-brigade attack
Ans. Refer Q.No.

Summer 2009
a. Describe the term authentication. Explain authenticity.
Ans. Refer Q.No.
b. Describe the terms virus and worm with examples.
Ans. Refer Q.No.

Winter 2009
a. Compare intruders and insiders.
Ans. Refer Q.No.
b. Explain the denial of service attack.
Ans. Refer Q.No.
c. Explain the different methods of authentication.
Ans. Refer Q.No.
d. What are the different ways of spoofing? Explain.
Ans. Refer Q.No.

Summer 2010
a. List and describe the basic components of computer security.
Ans. Refer Q.No.
b. Define the terms data security, information security, network security and computer security.
Ans. Refer Q.No.
c. What are viruses and worms? Describe the worm spreading mechanism.
Ans. Refer Q.No.
d. Describe sniffing and spoofing.
Ans. Refer Q.No.
e. Describe Trojan horse, rabbit, bacterium and scavenging.
Ans. Refer Q.No.

Question Bank
Chapter-1
Q1. Describe the basic components of computer security.
Q2. Differentiate between viruses and worms.
Q3. Describe the term virus.
Q4. Describe the term worm.
Q5. Describe the term Trojan horse.
Q6. Describe the term logic bomb.
Q7. Discuss why insiders are considered such a threat to an organization.
Q8. What are threats? Describe all types of threats.
Q9. Describe the importance of security.
Q10. What are the main types of PC viruses?
Q11. Describe the term polymorphic virus.
Q12. List the different types of attacks.
Q13. Describe the two categories of viruses.
Q14. List the triggers of a virus attack.
Q15. Describe the steps for protection against viruses.
Q16. Draw the structure of a worm.
Q17. Describe two examples of worms.
Q18. What is meant by attacks? List the types of attack.
Q19. What is meant by a backdoor attack?
Q20. What is meant by a trapdoor attack?
Q21. Explain the operational model of computer security.
Q22. Explain why criminal organizations fall into the structured threat category.
Q23. What is information warfare? Why are many nations conducting information warfare?
Q24. What are the different possible ways of attack?
Q25. Explain the backdoor and trapdoor attacks.
Q26. What are the different ways of spoofing?
Q27. Describe the term denial of service (DOS) attack.
Q28. Describe the term sniffing.
Q29. Describe the term spoofing attack.
Q30. Draw and describe the man-in-the-middle attack.
Q31. What is TCP/IP hijacking?
Q32. What is the CIA of security?
Q33. What are the layers of security?
Q34. Explain the different models of access control.
Q35. Explain the different methods of authentication.
Q36. Describe the basic components of computer security.
Q37. Differentiate between viruses and worms.
Q38. What are threats? Describe all types of threats.
Q39. What are the main types of PC viruses?
Q40. Describe the two categories of viruses.
Q41. List the triggers of a virus attack.
Q42. Describe the steps for protection against viruses.
Q43. Describe the term TCP/IP hijacking.
Q44. Describe the term boot sector virus.
Q45. Describe the layers of computer security.
Q46. Describe the two methods used in mandatory access control.
Q47. Describe two access control techniques.
Q48. Describe the term memory resident virus.
Q49. Describe the term TCP/IP hijacking.
Q50. Describe the term encryption attacks.
Q51. Describe the term malware.
Q52. List the types of malicious code.
Q53. List the characteristics of a virus.
Q54. Describe the term boot sector virus.
Q55. Describe the term memory resident virus.
Q56. Describe the details of security basics.
Q57. Describe the layers of computer security.
Q58. Describe two access control techniques.
Q59. What are the two concepts in discretionary access control?
Q60. Describe the two methods used in mandatory access control.
Q61. Describe the three primary rules for role based access control.
Q62. What is authentication? List two examples.
Q63. Write a short note on: DOS, sniffing, viruses, man-in-the-middle attack.