BITS Pilani Presentation
Jagdish Prasad
BITS Pilani, Pilani Campus, WILP
Agenda

• Course description
• Objective
• Content
• Text books
• Structure & schedule
• Lecture plan
• Understanding cyber space environment and security
• Introduction
• Attacks on web

BITS Pilani, Pilani Campus


Course objectives

No.  Objective
CO1  To learn techniques for assessing network attacks and vulnerabilities, and
     for systematically reducing vulnerabilities and mitigating risks.
CO2  To acquire knowledge about cybercrime tools and applications.
CO3  To provide in-depth knowledge of computer, information, organizational
     and human security in order to recover the evidence needed to identify
     various computer crimes.
CO4  To gain a fundamental understanding of digital forensics and to learn
     theoretical and practical forensic computing.

Course content

• Introduction
• The web attacks
• Operating system security
• Network attacks
• Strategic defense
• Management and incidents
• Introduction to cyber crime
• Cyber offenses
• Tools and methods used in cyber crime
• Cyber laws and ethics: The legal perspective
• Understanding computer forensics

Text books

Text books
T1 Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies,
Security in Computing, 5th edition, Pearson Education, 2015

T2 Nina Godbole, Sunit Belapure, Cyber Security, Wiley India, New Delhi

Reference books
R1 Michael T. Simpson, Ethical Hacking & Network Defense, Cengage
Learning
R2 Bernard Menezes, Cryptography, Network Security and Cyber Laws,
Cengage Learning, 2010 edition
R3 Alfred Basta, Nadine Basta, Mary Brown, Ravindrakumar, Cyber Security
and Cyber Laws, Cengage Learning

Course structure & schedule

• 16 on-line lectures (2 hours each) + self study

• Assessment strategy
• Quizzes: 3 quizzes, after the 4th, 8th and 12th lectures
• Lab assignments (TBD)
• Mid-Semester Test (closed book): Topics 1-8
• Comprehensive Examination (open book): Full course

• Schedule
• Semester start (first lecture): 08-Aug-2020
• Last lecture: 25-Nov-2020
• Mid Sem Test: 09-11-Oct-2020
• Mid Sem Test Makeup: 16-18-Oct-2020
• Comprehensive Exam: 27-29-Nov-2020
• Comprehensive Exam Makeup: 11-13-Dec-2020

Lecture plan
Lecture #   Topic covered                                                    Date
L01         Understanding the cyber space environment and security           08-Aug
L02         The attacks on web                                               16-Aug
L03         Security in operating systems                                    29-Aug
L04         The attacks in networks                                          30-Aug
L05-L06     Strategic defence                                                05-Sep, 12-Sep
L07         Management & incidents                                           19-Sep
L08         Risk analysis                                                    26-Sep
L09         Introduction to cyber crime                                      27-Sep
L10         Cyber offenses                                                   03-Oct
L11-L12     Tools and methods used in cyber crime                            04-Oct, 24-Oct
L13         Cyber laws and ethics: the legal perspective                     31-Oct
L14         Understanding computer forensics                                 07-Nov
L15         Network forensics                                                08-Nov
L16         OSI 7 layer model for computer forensics and social networking   25-Nov
Buffer      If required

Introduction

Computer security

• Computer security is the protection of the items or ASSETS of a
computer or computer system
• The ASSETS have a value to an individual
• Assets are of the following types:
• Hardware: computers, devices (disk drives, memory cards,
printers etc), networks
• Software: operating system, utilities, commercial applications
(MS-Office, Oracle apps, SAP etc), individual applications
• Data: documents, photos, emails, projects, corporate data etc
• The computer systems (hardware, software, data) have
a value and deserve security protection

Asset value

• Has an owner or user perspective
• May be monetary or non-monetary
• Is personal, time dependent & often imprecise

Vulnerability – Threat – Control paradigm
• ‘Vulnerability’ is a weakness in the system that might be
exploited to cause loss or harm
• ‘Threat’ is a set of circumstances that has the potential to
cause loss or harm to the system
• A person who exploits the vulnerability perpetrates an
‘Attack’
• ‘Control’ is an action, device, procedure or technique
that removes or reduces the vulnerability

Vulnerability – Threat – Control example

• Vulnerability: Crack in the wall
• Threat: Rising water level
• Attack: Someone pumping more water
• Control: Fill the gap, strengthen the wall

Security triad - CIA
• Confidentiality: Ability of a system
to ensure that an asset is viewed by
only authorized parties
• Integrity: Ability of a system to
ensure that an asset is modified by
only authorized parties
• Availability: Ability of a system to
ensure that an asset can be used by
authorized parties

Two additional properties:
• Authentication: Ability of a system to validate the identity of a sender
• Non-repudiation or Accountability: Ability of a system to confirm
that a sender cannot convincingly deny having sent something

Confidentiality
• Only an authorized person, program or
process can access protected data
• Failures of data confidentiality:
• An unauthorized person accesses a data item
• An unauthorized program or process accesses a data item
• A person authorized to access certain data accesses
other data which he is not authorized to access
• An unauthorized person learns an approximate data
value
• An unauthorized person learns of the existence of a data
value
• Terminology:
• Subject: a person, program or process -> who
• Object: data item -> what
• Access mode: kind of access (read, write, execute) ->
how
• Policy: authorization -> who + what + how = yes/no
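The "who + what + how = yes/no" rule above, written out as an added example (this is not the slides' own code; the policy, the user names and the file names are constructed): a default-deny policy table plus a monitor that records every decision in an audit log, so that the failure cases listed above (an unknown subject, or an authorized subject reaching for an object it was never granted) come out as explicit, logged denials rather than silent access.

```go
package main

import "fmt"

// Access modes: the "how" in the slide's subject/object/access-mode terminology.
const (
	Read    = "read"
	Write   = "write"
	Execute = "execute"
)

// Policy records, for each subject ("who") and object ("what"), the set of
// access modes ("how") it is authorized for. Anything not recorded is denied.
type Policy map[string]map[string]map[string]bool

// Grant authorizes subject to use the listed modes on object.
func (p Policy) Grant(subject, object string, modes ...string) {
	if p[subject] == nil {
		p[subject] = map[string]map[string]bool{}
	}
	if p[subject][object] == nil {
		p[subject][object] = map[string]bool{}
	}
	for _, m := range modes {
		p[subject][object][m] = true
	}
}

// Decide answers the slide's "who + what + how = yes/no" question.
// Reading a missing map level yields false, so unknown subjects, objects
// and modes are all denied by default.
func (p Policy) Decide(subject, object, mode string) bool {
	return p[subject][object][mode]
}

// Monitor wraps the policy with an audit log, so every decision (allowed or
// denied) leaves a trace that can be reviewed later.
type Monitor struct {
	Policy Policy
	Log    []string
}

// Mediate is the single choke point through which every access request passes.
func (m *Monitor) Mediate(subject, object, mode string) bool {
	ok := m.Policy.Decide(subject, object, mode)
	verdict := "DENY"
	if ok {
		verdict = "ALLOW"
	}
	m.Log = append(m.Log, fmt.Sprintf("%s %s %s %s", verdict, subject, object, mode))
	return ok
}

// SamplePolicy is a constructed example: alice owns the payroll file,
// bob may only read it (and a report), and nobody else is mentioned at all.
func SamplePolicy() Policy {
	p := Policy{}
	p.Grant("alice", "payroll.xlsx", Read, Write)
	p.Grant("bob", "payroll.xlsx", Read)
	p.Grant("bob", "report.pdf", Read)
	return p
}

func main() {
	m := &Monitor{Policy: SamplePolicy()}
	m.Mediate("alice", "payroll.xlsx", Write) // allowed
	m.Mediate("bob", "payroll.xlsx", Write)   // denied: bob may only read
	m.Mediate("bob", "secrets.txt", Read)     // denied: object never granted to bob
	m.Mediate("carol", "payroll.xlsx", Read)  // denied: unknown subject
	for _, line := range m.Log {
		fmt.Println(line)
	}
}
```

The point of routing everything through `Mediate` is that there is exactly one place where the yes/no decision is taken and recorded; the same default-deny rule is what later slides call coverage in a security kernel.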

Integrity

Integrity means:
• Precise
• Accurate
• Unmodified
• Modified only in acceptable ways
• Modified only by authorized people
• Modified only by authorized processes
• Consistent
• Meaningful and usable

Integrity requires:
• Actions are authorized
• Resources are separated & protected
• Errors are detected & corrected

Integrity enforcement: who or what can access which
resources in what ways

Availability

• An object or service is available if:
• it is present in usable form
• it has enough capacity to meet the service needs
• it is making clear progress, i.e. it has bounded waiting
time
• it is completed in an acceptable period of time
• Applies to both services and data
• Timely response to requests
• Resources are allocated fairly so that some requests
don’t get preferred treatment
• Concurrency is controlled
• Services or systems are fault tolerant
• Services or systems are easily usable

Acts of harm

Interception: Confidentiality lost

Interruption: Availability lost

Modification: Integrity lost

Fabrication: Integrity lost

Computer security … refined

• Computer security seeks to prevent unauthorized
viewing (confidentiality) or modification (integrity) of data
while preserving access (availability)
• Access control is fundamental to security
• Threats are potential causes of harm
• Threats can be caused by human or non-human sources
• Human threats can be malicious or non-malicious
• Malicious threats can be directed (targeted) or random attacks

Computer security … refined

• Threats are caused both by human
and other sources
• Threats can be malicious or not
• Threats can be random or targeted
• Advanced persistent threat (APT) attacks
come from organized, well-financed,
patient and often government- or
quasi-government-affiliated groups

Type of attackers

• Individual
• Hackers
• Terrorist
• Criminal for hire
• Loosely connected group
• Organized crime member
• computer crime is lucrative

Security threats
• Virus: A computer virus is a malicious program which is loaded onto the
user’s computer without the user’s knowledge. It replicates itself and infects
the files and programs on the user’s PC.
• Worm: A computer worm is a software program that can copy itself
from one computer to another without human interaction. The potential
risk here is that it will use up your computer’s hard disk space, because a
worm can replicate in great volume and with great speed.
• Phishing: Disguised as a trustworthy person or business, phishers
attempt to steal sensitive financial or personal information through
fraudulent email or instant messages. Phishing is unfortunately very
easy to execute. You are misled into thinking it’s a legitimate mail
and you may enter your personal information.

Security threats…
• Botnet: A botnet is a group of computers connected to the internet
that have been compromised by a hacker using a computer virus. An
individual compromised computer is called a ‘zombie computer’. The result of this
threat is that the victim’s computer, the bot, will be used for
malicious activities and for larger scale attacks like DDoS.
• Rootkit: A rootkit is a computer program designed to provide
continued privileged access to a computer while actively hiding its
presence. Once a rootkit has been installed, the controller of the rootkit
will be able to remotely execute files and change system configurations
on the host machine.
• Key Loggers: Keyloggers can track the real-time activity of a user on
his computer. A keylogger keeps a record of all the keystrokes made on the user’s
keyboard. Keyloggers are also a very powerful threat for stealing people’s
login credentials such as username and password.
• Apart from these, there are others like spyware, wabbits, scareware,
bluesnarfing and many more

Security approach

• The negative consequence of an actualized threat is harm
• Risk management involves choosing which threats to
control and what resources to devote to protection
• The risk that remains uncovered by controls is called
residual risk
• Spending on security is based on the impact and likelihood
of potential harm

Method – opportunity – motive

• Method: Skill, knowledge, tools and other things (scripts,
model programs etc) needed to perpetrate the attack
• Opportunity: Time and access to execute an attack
• Motive: Reason for the attack (money, fame, self-esteem,
politics, terror etc)

• Method, opportunity and motive are all essential for an
attack – deny any one of these and the attack will fail
• Vulnerabilities are weaknesses in the system that allow
harm to occur

Security controls

• Prevent it by blocking the attack or closing the vulnerability
• Deter it by making the attack harder but not impossible
• Deflect it by making another target more attractive
• Mitigate it by making the impact of the attack less severe
• Detect it as it happens or sometime after the fact
• Recover from its effects

• Security professionals balance the cost and
effectiveness of controls with the likelihood and severity
of harm

Security controls…

Physical
• Walls, fences, locks
• Human guards
• Sprinklers and fire extinguishers

Procedural or administrative
• Advice to people on how to act
• Laws and regulations
• Policies, procedures and guidelines
• Copyright and patents
• Contracts and agreements

Technical
• Passwords, programs or operating system access controls
• Network protocols, network traffic flow regulators
• Firewalls and intrusion detection systems
• Encryption

Security control dimensions

Web browser
• A browser connects a user to more than the one address shown in
the address bar
• Browser software can be malicious or could be corrupted
• Browsers support add-ins/extensions, which can leave a user
vulnerable to intrusions
• Browsers run with the same privileges as the user and hence can
access any data on the user’s computer
• Browser data transfer to/from the user’s computer is invisible to the
user, i.e. it occurs without the user’s knowledge and explicit permission
• Browsers connect a user to outside network(s), but few users
can monitor the actual actions, tasks and data performed /
transmitted

Browser vulnerabilities

Browser attack vectors

• Use the operating system to impede the browser’s correct and
secure working
• Tackle the browser or one of its components/add-ons/plug-ins
to alter the browser’s working
• Intercept or modify communication to or from the browser

Browser attack types

• Man in the browser: Trojan horse that intercepts data
passing through the browser (SilentBanker)
• Keystroke logger: Hardware and software versions
• Page in the middle: user redirected to an authentic looking
but malicious page, like a fake ‘login’ page
• Program download substitution: A malicious program
is installed using a download button
• User in the middle: Puts a human action between two
automated processes – CAPTCHA can be defeated by
using techniques such as pixel count, histogram analysis and
colour fill segmentation

How to avoid browser attacks?

• Strong identification and authentication
• Shared secret: mother’s maiden name, 3-digit verification number
on credit card etc
• One Time Password (OTP)
• Out of band communication: mail PIN separately
• Continuous communication: session id

Web attacks targeting users

• False or misleading content
• Defaced website
• Fake website
• Fake or malicious code
• Malicious web content
• Web bug
• Clickjacking: tricking a user into clicking by disguising
what the link pertains to
• Drive by download: downloading and installing code
other than what a user expects

Protecting web sites against attacks

• Integrity checksums
• Signed code or data
• Access control separation: separate operating system
level privileges to install programs
• Manage and monitor site code
• User vigilance

Thank You

BITS Pilani, Pilani Campus

SSZG681: Cyber Security

Lecture No: 02
Email Attacks & Operating System Security

Agenda
• The attack in web: Email attacks
• Fake email spam
• Phishing
• Protecting against email attacks
• Operating system security
• Operating system overview
• Architecture & functions
• Memory management functions
• Design goals & principles
• Layered & Kernelized design
• Correctness and completeness
• Secure design principles
• Trusted systems

Email attacks
• A substantial number of emails sent every day are fake and can be malicious.
• Typical email attacks are:
• Identity theft
• Phishing:
• Vishing: phishing using voice communication technology
• Smishing: phishing using text messaging on mobile platforms
• Whaling: phishing targeting high profile persons
• Spear phishing: phishing impersonating a trusted person
• Pharming: impersonation of an authorized website
• Virus:
• Spyware: collects information about the user’s computer activities – keyloggers,
activity trackers, data capture etc
• Scareware: persuades the user to take a specific action based on fear
• Adware: pop-up advertising message spam

Email attacks – Spear phishing

Fake emails

• Illegitimate emails are generated and sent by fraudsters for monetary or
informational purposes
• These are done with varying degrees of sophistication – some may be very
poor (bad spelling, wrong English etc) but some can be very polished
• Examples:
• Your bank account is de-activated
• Your Facebook account is de-activated
• These ask you to click on a button to activate or perform the required action. The
click performs an action as desired by the fraudster
• Motivation: Very inexpensive and easy to send. Even if 0.1% of receivers fall
prey to a mail sent to 100,000, a fraudster will get 100 victims.

Fake emails : example

Fake email messages as spam

• Spam in the form of fictitious, misleading offers to buy designer goods at
throw away prices, get rich schemes etc is old now
• Fake messages have started using more realistic sounding subjects:
• Fake ‘non-delivery’ messages (“Your message X could not be delivered”)
• False social networking messages, especially attempts to obtain login details
• Current event messages (“Want more details on event X”)
• Shipping messages (“X was unable to deliver a package to your address as shown
in this link”)
• Originally, emails only had static content and they would persuade a user to
go to a website for action; however, now the action links are embedded in the
mail itself – as buttons or links

Spam volume

• M86 Security Lab estimates 86% of mails are spam
• Google estimates 50-75 spam messages per user per day
• Top countries originating spam are China (22.93%), USA
(19.05%), and South Korea (12.80%)
• As per Symantec’s analysis of spam mails: 69.7% sexual/dating
content, 17.7% pharmaceuticals, 6.2% jobs

Spam volume – Fake Apple id spams

10-Mar-2019 to 31-Mar-2019

Why spam

• Spammers make enough money to make the work worthwhile
• Advertising
• Pump and dump
• Publicity
• Malicious payload
• Link to malicious web sites
• Price is right – rent target addresses, pay to compose, and
send message

How to stop spam
• Create inbox filters – identify and block
• Report spam mails – mark these as fraudulent
• Don’t reply or use the unsubscribe option
• Unsubscribe from promotional mails (only when you are sure)
• Create a disposable email id for promotional and similar requirements
• Never reveal your email address on social media or your own website – use a
‘contact me’ form
• Writing the address as ‘a at b dot com’ rather than a@b.com evades
crawlers working for spammers
• Tag unreliable IP and email addresses
• Limit a sender’s email volume for a certain time period
• Take legal action against persistent criminals – Microsoft did it for Waledac
• Postage – a small fee for each mail from the sender (international community to
agree) – aspirational

Don’t invite spam

Fake email header data

• The original email protocols like SMTP were defined assuming
trustworthy participants, so no authentication was added
• Headers in email are easy to fake, e.g. ‘From:’, making an email appear to
come from a known safe source
• The email header format is standardized but not the content
• Headers like ‘From:’ are up to the sender to define
• Check the header information if in doubt. Use the feature provided
by the email provider, like ‘view source’ for an email in Outlook.
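As an added illustration of the header check recommended above (example code, not from the slides; both raw messages and every host name and address in them are constructed), the following Go program compares the easily forged From: header with two parts of the header the sender controls less: the Return-Path, where bounces go, and the earliest Received: line, which names the relay that first injected the message. A mismatch is not proof of forgery, since mailing-list and bulk-mail services legitimately send on behalf of other domains, but it is exactly the inconsistency a ‘view source’ check is meant to surface.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// SuspiciousMail is a constructed sample: the From: header claims a bank,
// but the bounce address and the originating relay belong to a bulk mailer.
const SuspiciousMail = `Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.org with ESMTP; Mon, 10 Aug 2020 09:00:00 +0000
Received: from promo.mailer.example.net ([192.0.2.55]) by mx.example.net with SMTP; Mon, 10 Aug 2020 08:59:50 +0000
From: "Customer Care" <support@yourbank.example.com>
To: user@example.org
Subject: Your bank account is de-activated
Date: Mon, 10 Aug 2020 08:59:40 +0000

Click the button below to reactivate your account.
`

// LegitimateMail is a constructed sample whose headers agree with each other.
const LegitimateMail = `Return-Path: <support@yourbank.example.com>
Received: from smtp.yourbank.example.com (smtp.yourbank.example.com [192.0.2.20]) by inbox.example.org with ESMTP; Mon, 10 Aug 2020 09:00:00 +0000
From: "Customer Care" <support@yourbank.example.com>
To: user@example.org
Subject: Your statement is ready
Date: Mon, 10 Aug 2020 08:59:40 +0000

Your August statement is available in online banking.
`

// receivedFrom pulls the sending host out of a "Received: from <host> ..." line.
var receivedFrom = regexp.MustCompile(`(?i)^from\s+([^\s(\[]+)`)

// domainOf returns the lower-cased domain of an address header such as
// `"Customer Care" <support@yourbank.example.com>`.
func domainOf(header string) (string, error) {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// underDomain reports whether host is domain itself or a host inside it.
func underDomain(host, domain string) bool {
	host = strings.ToLower(host)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// CheckHeaders returns one finding per inconsistency between the From: domain
// and the Return-Path / originating relay; an empty result means no mismatch.
func CheckHeaders(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	fromDomain, err := domainOf(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []string
	if rp := msg.Header.Get("Return-Path"); rp != "" {
		if d, err := domainOf(rp); err == nil && d != fromDomain {
			findings = append(findings, fmt.Sprintf("Return-Path domain %q differs from From: domain %q", d, fromDomain))
		}
	}
	// Each hop prepends its own Received: line, so the last one is the origin.
	if received := msg.Header["Received"]; len(received) > 0 {
		origin := received[len(received)-1]
		if m := receivedFrom.FindStringSubmatch(origin); m != nil && !underDomain(m[1], fromDomain) {
			findings = append(findings, fmt.Sprintf("originating relay %q is not under From: domain %q", m[1], fromDomain))
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"suspicious": SuspiciousMail, "legitimate": LegitimateMail} {
		findings, err := CheckHeaders(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Note that the Received: trace is only as trustworthy as the hop that wrote it: a sender can add fake Received: lines below the genuine ones, which is why the comparison against the Return-Path is kept as a second, independent signal.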

Email header data

Email attack types
• Phishing: An email message tries to trick the user into disclosing private data or
taking another unsafe action. 94% receive phishing mail every day
• Phishing emails claim to be from trusted sources like a known person, reputed
companies, popular websites etc
• Use of social engineering to personalize the message
• Business Email Compromise (BEC): A special form of phishing in which the
attacker tricks the victim into transferring funds into the attacker’s account.
Often, the email will appear to be from an executive within the organization or
from a legitimate vendor or business partner. A survey found that 73 percent
of BEC attack victims suffered financial losses.
• Internal Threat: A malicious activity that spreads from one infected user to
others within the organization. As per a survey, 71 percent were hit by an
internal threat, with almost half (47 percent) hit via infected email
attachments, while 40 percent said they spread through infected URLs.

Phishing techniques used by attackers

• Embedding a link in an email that redirects your employee to an insecure
website that requests sensitive information
• Installing a Trojan via a malicious email attachment or ad, which will allow
the intruder to exploit loopholes and obtain sensitive information
• Spoofing the sender address in an email to appear as a reputable source
and request sensitive information
• Attempting to obtain company information over the phone by
impersonating a known company vendor or IT department

Phishing email example

https://photo-print.fr/

Protecting against email attacks
• Educate your employees and conduct training sessions with mock phishing
scenarios. Share updates on the latest attack vectors/threats
• Deploy a spam filter that detects viruses, blank senders, etc.
• Keep all systems current with the latest security patches and updates.
• Install an antivirus solution, schedule signature updates, and monitor the
antivirus status on all equipment.
• Develop a security policy that includes but isn't limited to password expiration
and complexity.
• Deploy a web filter to block malicious websites.
• Encrypt all sensitive company information.
• Require encryption for employees that are telecommuting.
• Use tools or machine learning to identify and stop spoofed emails
• Analyse potential threats and isolate them

Email encryption
• Encryption ensures confidentiality
• PGP (Pretty Good Privacy) – performs the following steps
• Create a random session key for a symmetric algorithm
• Encrypt the message using the session key (message confidentiality)
• Encrypt the session key using the recipient’s public key
• Generate a message digest or hash; sign the hash by encrypting it with the sender’s
private key (message authenticity and integrity)
• Attach the encrypted session key to the encrypted message and hash
• Transmit the message to the recipient
• S/MIME (Secure Multi-purpose Internet Mail Extensions)
• Similar to PGP and is used by commercial email packages like Microsoft Outlook
• The major difference is the method of KEY exchange
• PGP uses a ring (web) of trust while S/MIME uses a hierarchy of validated certificates
• S/MIME uses DES, AES, RC2 for encryption
• S/MIME handles all data types like text, binary, audio, video etc in the mail body as well
as attachments
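The PGP steps listed above, carried out end to end as an added example (this is illustrative Go code written for this page, not PGP or S/MIME itself; the concrete algorithms, AES-256-GCM for the message, RSA-OAEP for wrapping the session key and SHA-256 with RSA-PSS for the signature, are assumptions made here, and the key pairs are generated on the spot rather than exchanged through a web of trust or a certificate hierarchy):

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Party holds one correspondent's RSA key pair. Seal needs only the
// recipient's public half; Open needs only the sender's public half.
type Party struct {
	Priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// NewParty generates a fresh 2048-bit RSA key pair (constructed for the demo).
func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Priv: k, Pub: &k.PublicKey}
}

// Envelope is what is transmitted: the encrypted message, the session key
// encrypted for the recipient, and the signed hash of the message.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// Seal performs the slide's steps with concrete algorithms: AES-256-GCM for the
// message, RSA-OAEP to wrap the session key, SHA-256 + RSA-PSS for the signature.
func Seal(plain []byte, sender, recipient *Party) (*Envelope, error) {
	// 1. Create a random session key for the symmetric algorithm.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	// 2. Encrypt the message using the session key (confidentiality).
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plain, nil)
	// 3. Encrypt the session key using the recipient's public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.Pub, key, nil)
	if err != nil {
		return nil, err
	}
	// 4. Hash the message and sign the hash with the sender's private key
	//    (authenticity and integrity).
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// 5. Attach the encrypted session key and the signature to the ciphertext.
	return &Envelope{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped, Signature: sig}, nil
}

// Open reverses the steps: unwrap the session key with the recipient's private
// key, decrypt, then verify the signature against the sender's public key.
func Open(env *Envelope, recipient, sender *Party) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(sender.Pub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return plain, nil
}

// newGCM builds the AES-GCM cipher used for the message body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Usage: `env, _ := Seal(msg, alice, bob)` on the sending side and `plain, err := Open(env, bob, alice)` on the receiving side. `Open` fails both when the ciphertext has been altered (GCM's authentication tag) and when the signature was made with a key other than the claimed sender's, which is what the slide's "authenticity and integrity" step buys. What the code cannot decide is whether `alice.Pub` really belongs to Alice; that binding is precisely the key-exchange question on which PGP (web of trust) and S/MIME (certificate hierarchy) differ.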

Operating System

Security in operating system

• The OS is the controller of all system resources,
which makes it the primary target of attack
• The OS is crucial in implementing
separation and access control
• The OS is initialized at boot time, then
initiates tasks in a sequence from disk,
like device drivers, process controllers,
memory management etc.
• External anti-virus utilities are
initiated last
• Any control of the OS at an early stage of
loading will provide control of the whole
computer

Operating system functions

Operating system architecture
• Hardware layer: Hardware consists
of all peripheral devices (RAM/ HDD/
CPU etc).
• Kernel: It is the core component of the
operating system, interacts directly
with hardware, and provides low level
services to upper layer components.
• Shell: An interface to the kernel, hiding the
complexity of the kernel's functions from
users. The shell takes commands
from the user and executes the kernel's
functions.
• Utilities: Utility programs that
provide the user with most of the
functionalities of an operating
system.

Operating system structure
Functions involving security
• Enforced sharing
• Inter-process communication and
synchronization
• Protection of critical operating
system data
• Guaranteed fair service
• Interface to hardware
• User authentication
• Memory protection
• File I/O device access control
• Allocation and access control to
general objects

Fundamental functions are provided
by the OS kernel

Operating system modules

Operating system loading sequence

Process control block (PCB)
• Process ID: Unique identification for each process
in the operating system.
• Process State: The current state of the process, i.e.
ready, running, waiting etc.
• Process privileges: Allow/disallow access to which
system resources.
• Pointer: A pointer to the parent process.
• Program Counter: A pointer to the address of the next
instruction to be executed for this process.
• CPU registers: The various CPU registers whose contents
must be stored when the process leaves the running state and
restored for it to resume execution.
• CPU Scheduling Information: Process priority and
other scheduling information required to schedule the
process.
• Memory management information: Information on the page
table, memory limits, segment table, depending on the
memory management used by the operating system.
• Accounting information: Amount of CPU used for
process execution, time limits, execution ID etc.
• IO status information: I/O devices allocated to the process.

Operating system layers
• Some tasks related to protection
functions are performed outside
the security kernel.
• Ex: User authentication may
require accessing a password
file, challenging the user to
supply a password, verifying the
correctness of the password etc.
• Disadvantage of performing all
these operations inside the
security kernel is that some of
the operations (such as
formatting the user terminal
interaction and searching for the
user in a table of known users)
do not warrant high security.

Authentication function spanning
layers in operating system
• A single logical function is
implemented in several
different modules
• In this design, trustworthiness
and access rights are the basis
of the layering.
• A single function may be
performed by a set of
modules operating in different
layers
• The modules of each layer
perform operations of a
certain degree of sensitivity.

Operating system tools to implement
security
• Access control and audit log
• Virtualization: presenting a user with the appearance of the resource he/she is
entitled to use
• Virtual machines for each user
• Hypervisor (Virtual machine monitor): software implementing the virtual machine
• Sandbox: an environment from which a process can have only a limited,
controlled impact on outside resources
• Honeypot: a system to lure an attacker into an environment that can be both
controlled and monitored
• Separation and sharing: keep one user’s objects separate from other
users’ objects
• Physical separation
• Temporal separation
• Logical separation
• Cryptographic separation

Hardware protection of memory

• Fence: method to confine users to one side of a boundary
• Fixed fence

Fence register

• Contains end of operating system memory boundary

Base/Bound registers
• Base and bound registers surround a program, data area
or domain
• Base register: defines the starting address for a program
• Bound register: defines the upper address limit for a
program

Tagged architecture
• Base and bound registers either
allow or disallow a program to
make changes to an entire data
block
• Tagged architecture allows each
word in memory to be tagged for
access rights

Memory Terminology
• Page: A fixed-length contiguous block of virtual memory residing on disk.
• Frame: A fixed-length contiguous block located in RAM, whose size is
identical to that of a page.
• Physical memory: The computer’s random access memory (RAM), typically
contained in DIMM cards attached to the computer’s motherboard.
• Virtual memory: Virtual memory is a portion of an HDD or SSD that is
reserved to emulate RAM. The MMU serves up virtual memory from disk to
the CPU to reduce the workload on physical memory.
• Virtual address: The CPU generates a virtual address for each active process.
The MMU maps the virtual address to a physical location in RAM and passes
the address to the bus. A virtual address space is the range of virtual
addresses under CPU control.
• Physical address: The physical address is a location in RAM. The physical
address space is the set of all physical addresses corresponding to the CPU’s
virtual addresses. A physical address space is the range of physical addresses
under MMU control.

Virtual memory: Paging
Paging specifies storage locations to the CPU as additional
memory, called virtual memory. The CPU cannot directly access
storage disk, so the MMU emulates memory by mapping pages to
frames that are in RAM.

• A page table stores the definition of each page.
• The MMU uses page tables to translate virtual addresses to
physical ones.
• Each table entry indicates where a page is located: in RAM or on
disk as virtual memory.
• A memory cache called the Translation Lookaside Buffer (TLB)
stores recent translations of virtual to physical addresses for rapid
retrieval.
• Different frame sizes are available for data sets with larger or
smaller pages and matching-sized frames.
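As an added example of the page-table lookup described above (constructed code written for this page, not from the slides; the 4 KiB page size, the four-entry page table and the R/W/X rights bits are assumptions), the following Go program simulates an MMU: each access is checked for presence and rights before the frame number is combined with the page offset, and a small TLB caches completed translations. The rights bits on each entry also show how the tagging idea from the earlier slide applies at page granularity, which is what lets the hardware refuse a write to a code page or an execute on a data page.

```go
package main

import "fmt"

// PageSize is the fixed page/frame size assumed here (4 KiB, a constructed choice).
const PageSize = 4096

// Access rights carried by each page-table entry.
const (
	R = 1 << iota // read
	W             // write
	X             // execute
)

// PTE is one page-table entry: where the page is and what may be done with it.
type PTE struct {
	Present bool   // true: resident in a RAM frame; false: on disk or unmapped
	Frame   uint64 // frame number, meaningful only when Present
	Rights  int    // bitmask of R, W, X
}

// Fault is returned when a translation cannot be completed.
type Fault struct {
	Kind  string // "page", "protection" or "bounds"
	VAddr uint64
}

func (f *Fault) Error() string { return fmt.Sprintf("%s fault at 0x%x", f.Kind, f.VAddr) }

// Kind reports the fault kind of err, or "" if err is not a Fault.
func Kind(err error) string {
	if f, ok := err.(*Fault); ok {
		return f.Kind
	}
	return ""
}

// MMU translates virtual addresses through a page table, caching completed
// translations in a small TLB.
type MMU struct {
	PageTable []PTE
	tlb       map[uint64]PTE // page number -> cached entry
	TLBHits   int
	Walks     int // page-table walks (TLB misses that reached the table)
}

func NewMMU(pt []PTE) *MMU {
	return &MMU{PageTable: pt, tlb: map[uint64]PTE{}}
}

// Translate maps vaddr to a physical address for an access of kind R, W or X.
// Presence and rights are enforced on every access, TLB hit or not.
func (m *MMU) Translate(vaddr uint64, access int) (uint64, error) {
	page, offset := vaddr/PageSize, vaddr%PageSize
	pte, hit := m.tlb[page]
	if hit {
		m.TLBHits++
	} else {
		if page >= uint64(len(m.PageTable)) {
			return 0, &Fault{"bounds", vaddr}
		}
		m.Walks++
		pte = m.PageTable[page]
		if !pte.Present {
			// Not resident: the OS would now load the page from disk (a page fault).
			return 0, &Fault{"page", vaddr}
		}
		m.tlb[page] = pte
	}
	if pte.Rights&access != access {
		return 0, &Fault{"protection", vaddr}
	}
	return pte.Frame*PageSize + offset, nil
}

// SamplePageTable is a constructed four-page address space: code, data, a
// page swapped out to disk, and a stack page.
func SamplePageTable() []PTE {
	return []PTE{
		{Present: true, Frame: 7, Rights: R | X}, // page 0: code, not writable
		{Present: true, Frame: 3, Rights: R | W}, // page 1: data, not executable
		{Present: false},                         // page 2: on disk
		{Present: true, Frame: 9, Rights: R | W}, // page 3: stack
	}
}

func main() {
	m := NewMMU(SamplePageTable())
	probes := []struct {
		vaddr  uint64
		access int
	}{{0x10, X}, {0x1010, W}, {0x1010, X}, {0x10, W}, {0x2000, R}, {0x5000, R}, {0x20, R}}
	for _, p := range probes {
		if paddr, err := m.Translate(p.vaddr, p.access); err != nil {
			fmt.Printf("0x%04x -> %v\n", p.vaddr, err)
		} else {
			fmt.Printf("0x%04x -> physical 0x%04x\n", p.vaddr, paddr)
		}
	}
	fmt.Printf("TLB hits: %d, page-table walks: %d\n", m.TLBHits, m.Walks)
}
```

Two details matter for security: the rights check runs after the TLB lookup as well as after a table walk, so a cached translation never bypasses protection, and an absent page is never cached, so the OS gets to decide on every access to it.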
Virtual memory: Segmentation

Segmentation is a virtual process that creates address
spaces of various sizes in a computer system, called
segments. Each segment is a different virtual address space
that directly corresponds to process objects.

• Each segment stores the process’s primary function, data
structures, and utilities.
• The CPU keeps a segment map table for every process and
memory block, along with segment id and memory locations.
• The CPU generates virtual addresses for running processes.
• Segmentation translates the CPU-generated virtual addresses
into physical addresses that refer to a unique physical memory
location.
• The translation is not strictly one-to-one: different virtual
addresses can map to the same physical address.
Virtual memory: Paging + Segmentation
• Modern computers use a hybrid function
called segmented paging.
• Main memory is divided into variably-
sized segments, which are then divided
into smaller fixed-size pages on disk.
• Each segment contains a page table, and
there are multiple page tables per
process.
• Each of the tables contains information
on every segment page, while the
segment table has information about
every segment.
• Segment tables are mapped to page
tables, and page tables are mapped to
individual pages within a segment.
• Advantages are: less memory usage,
more flexibility on page sizes, simplified
memory allocation, and an additional
level of data access security over paging.

Operating System Security

Operating System Security

• Operating systems contain old as well as new pieces of code
• During the boot process the operating system creates many open points where
other pieces of functionality attach
• Attackers find out which interfaces remain unoccupied and latch their
code onto those interfaces
• The more complex an operating system becomes, the more chances there are of
finding a vulnerability
• A house with more windows has a higher risk of being burgled than one
without windows
• A simple, modular, loosely coupled design presents fewer opportunities for
an attacker

Security Design Goals
• Designed for high level of protection
• Modular structure for easier control and support
• Kernel level implementation for maximum effectiveness
• Information abstraction from users
• Consistent security policy with appropriate protection
• Easy to understand, build, test and execute

Layered Design

There are 4 layers of a computer system
• Hardware
• Kernel: monolithic and micro kernel
• Operating system
• User
• Quasi-system programs like database managers and UI interfaces –
these require separate security consideration
• Each layer has sub-layers

Layered Trust

• A secure operating system consists of a series of concentric circles with the most
important functions at the innermost circle
• Trustworthiness and access rights of a process depend on its proximity to the
centre
• Each layer properly encapsulates the functionality of the layers below it
• This hierarchical structure identifies the most critical parts, which can be analysed
intensely for correctness and security – so the number of problem areas
becomes small
• Isolation limits the impact of problems to the hierarchical level at or above the
level of the problem, so harmful effects are contained

BITS Pilani, Pilani Campus


Operating System Kernel

• The part of an operating system which performs the lowest-level (nucleus or core) functions
• Implements operations such as inter-process communication, synchronization, message passing and interrupt handling
• Security functions are part of the security kernel (part of the overall kernel)
• Provides the security interface between hardware, operating system and other parts of the computer
• Focus of all security enforcement


Security Kernel Design Considerations

• Coverage: Every access to a protected object must pass through the security kernel, so the security kernel can ensure that every access is checked.
• Separation: Isolating security mechanisms both from the rest of the operating system and from the user space makes it easier to protect those mechanisms from penetration by the operating system or the users.
• Unity: All security functions are performed by a single set of code, so it is easier to trace the cause of any problems that arise with these functions.
• Modifiability: Changes to the security mechanisms are easier to make and easier to test. And because of unity, the effects of changes are localized, so interfaces are easier to understand and control.
• Compactness: Because it performs only security functions, the security kernel is likely to be relatively small.
• Verifiability: Being relatively small, the security kernel can be analyzed rigorously. Formal methods can be used to ensure that all security situations (such as states and state changes) are covered by the design.


Components of Security Module

• Reference monitor
• Authentication processing
• Identification
• Auditing
• Setting enforcement parameters



Reference Monitor

• The part of the security kernel that controls access to objects
• Enforces that a subject can only access those objects which the security policy allows for that subject
• Controls access to devices, files, memory, inter-process communication and other objects
• A brick wall around the operating system or trusted software that mediates access by subjects to objects
• Tamperproof: impossible to weaken or disable
• Unbypassable: always invoked when access to any object is required
• Analyzable: small enough to be subjected to analysis and testing, the completeness of which can be ensured

Correctness and Completeness

• Correctness means that the design clearly defines which object will be protected in what way, and which subject will have access and at what level
• Completeness means that security functionality is included in all places where it is necessary
• Security is never an add-on; it is part of the initial philosophy, requirements, design, and implementation


Design Principles for Secure Systems

• Least privilege: Each user and each program should operate using the fewest privileges possible. This minimizes accidental or wilful damage.
• Economy of mechanism: The design of the protection system should be small, simple, and straightforward. Such a protection system can be carefully analyzed, exhaustively tested, perhaps verified, and relied on.
• Open design: The mechanism should be public, depending on the secrecy of relatively few key items, such as a password table. Public scrutiny of an open design will provide independent confirmation of the design's security.
• Complete mediation: Every access attempt must be checked, both direct access attempts (requests) and attempts to circumvent the access check.
• Permission based: The default condition should be denial of access.
• Separation of privilege: Access to objects should depend on more than one condition, such as user authentication plus a cryptographic key.
• Least common mechanism: Systems employing physical or logical separation reduce the risk from sharing.
• Ease of use: An easy-to-use protection mechanism is unlikely to be avoided.
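
The reference monitor properties (tamperproof, unbypassable, analyzable) and the principles above (complete mediation, permission-based default deny, least privilege) in working form, as an added example that is not part of the course material; the subjects, the object name and the policy are constructed:

```python
"""Added example: a tiny reference monitor.

Every access to a protected object is routed through one check (complete
mediation), the policy is permission based (no entry means deny), and every
decision is written to an audit log. Subjects, object and policy are
constructed for this example; nothing here is the course's own code."""


class ReferenceMonitor:
    """Single mediation point: policy lookup plus audit of every decision."""

    def __init__(self):
        # (subject, object) -> set of permitted operations; absence = deny
        self._policy = {}
        self.audit_log = []          # (subject, object, operation, allowed)

    def grant(self, subject, obj, *operations):
        self._policy.setdefault((subject, obj), set()).update(operations)

    def check(self, subject, obj, operation):
        """Default deny: only an explicit grant for this triple allows access."""
        allowed = operation in self._policy.get((subject, obj), set())
        self.audit_log.append((subject, obj, operation, allowed))
        return allowed


class MediatedStore:
    """Objects are reachable only through methods that consult the monitor,
    so no caller can read or write a value without a logged decision."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._objects = {}

    def read(self, subject, obj):
        if not self._monitor.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects.get(obj)

    def write(self, subject, obj, value):
        if not self._monitor.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._objects[obj] = value


def run_demo():
    """Constructed scenario: alice owns /payroll, bob may only read it,
    carol has no grant at all. Returns the outcomes and the audit trail."""
    monitor = ReferenceMonitor()
    store = MediatedStore(monitor)
    monitor.grant("alice", "/payroll", "read", "write")   # least privilege: each gets only what it needs
    monitor.grant("bob", "/payroll", "read")

    outcomes = {}
    attempts = [
        ("alice", "write", "Q3 figures"),
        ("bob", "read", None),
        ("bob", "write", "tampered"),     # not granted -> denied
        ("carol", "read", None),          # no entry at all -> denied by default
    ]
    for subject, operation, value in attempts:
        try:
            if operation == "write":
                store.write(subject, "/payroll", value)
                outcomes[f"{subject}:{operation}"] = "allowed"
            else:
                outcomes[f"{subject}:{operation}"] = store.read(subject, "/payroll")
        except PermissionError:
            outcomes[f"{subject}:{operation}"] = "denied"
    return outcomes, list(monitor.audit_log)


if __name__ == "__main__":
    results, log = run_demo()
    for key, value in results.items():
        print(f"{key:12s} -> {value}")
    print("audit entries:", len(log), "denied:", sum(1 for e in log if not e[3]))
```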


Trusted Systems

• A trusted system is one which has shown a degree of trust/security that it will perform certain activities faithfully
• Features of trusted systems:
  • A defined policy that details what security qualities it enforces
  • Measures and mechanisms by which it enforces that security policy adequately
  • Scrutiny or evaluation to ensure that the measures and mechanisms have been selected and implemented properly
• The US Department of Defense published the Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book, in the late 70s. This did not reach the required acceptance level.
• In 2003 the Common Criteria for Information Technology Security Evaluation were agreed.


Trusted System Guidelines

• Orange Book
  • Developed in the late 1970s by the US Department of Defense for secure computing
  • Defines a two-part rating scale for trusted systems with six ratings: C1 (lowest), C2, B1, B2, B3, A1 (highest)
  • It tied features to assurance at each level
  • Strict rules limited the commercial applicability of this book
• Common Criteria
  • Separation between features and assurances
  • Seven assurance levels, EAL1 (lowest) through EAL7 (highest)
  • At higher levels practices are more stringent and rigorous
  • Allows open-ended protection profiles for future products like firewalls and intrusion detection devices


Trusted Systems Characteristics

• Functional correctness: The program does what it is supposed to, and it works correctly.
• Enforcement of integrity: Even if presented with erroneous commands or commands from unauthorized users, the program maintains the correctness of the data with which it has contact.
• Limited privilege: The program is allowed to access secure data, but the access is minimized and neither the access rights nor the data are passed along to other untrusted programs or back to an untrusted caller.
• Appropriate confidence level: The program has been examined and rated at a degree of trust appropriate for the kind of data and environment in which it is to be used.


Trusted System Functions

• Trusted computing base (TCB): the parts of a trusted operating system responsible for correct enforcement of security policies
• TCB constituents:
  • Hardware: processors, memory, registers, clock and I/O devices
  • Security-critical processes
  • Primitive files: security access control database, authentication and identification data
  • Protected memory
  • Inter-process communication


TCB & Non-TCB Sections

• The TCB maintains the secrecy and integrity of each domain
  • Process activation
  • Execution domain switching
  • Memory protection
  • I/O separation
• TCB code runs in a protected state that protects it from interference and compromise by any non-TCB code


TCB Monitored Functions

• Process activation: In a multiprogramming environment, activation and deactivation of processes occur frequently. Changing from one process to another requires a complete change of registers, relocation maps, file access lists, process status information, and other pointers, much of which is security-sensitive information.
• Execution domain switching: Processes running in one domain often invoke processes in other domains to obtain more or less sensitive data or services.
• Memory protection: Because each domain includes code and data stored in memory, the TCB must monitor memory references to ensure secrecy and integrity for each domain.
• I/O operation: In some systems, software is involved with each character transferred in an I/O operation. This software connects a user program in the outermost domain to an I/O device in the innermost (hardware) domain. Thus, I/O operations can cross all domains.


TCB Implementation

• A security kernel is built just above the hardware
• The security kernel monitors all hardware access and performs all protection functions
• Secure startup is done to ensure no malicious code can block or interfere with security enforcement


Trusted Path

• A user is validated through an authentication mechanism
• A trusted path is an unforgeable connection by which the user can be confident of communicating directly with the operating system, not with any fraudulent intermediate application.
• A trusted path precludes interference between a user and the security enforcement mechanism of the operating system
• All security-critical operations, like changing a password, require a trusted path between the user and the operating system


Object Reuse

• Different user programs share computer resources
• Normally a new user writes data first and then reads
• A malicious user may claim a resource and try to read first, in which case he/she will get access to the previous user's data
• This attack is called ‘object reuse’
• Object sanitization ensures that no leakage of data happens if a subject uses an object released by another subject
• Operating systems ‘clear’ the object before allocating it to others
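
The read-before-write case on this slide, as an added example that is not part of the course material: a constructed block pool with and without object sanitization on release, where a second subject reads the block it is handed before writing to it.

```python
"""Added example: object reuse on a constructed block pool.

A pool hands fixed-size buffers to subjects. If a released buffer is not
sanitized, the next subject to receive it can read before writing and see the
previous owner's data. With sanitization on release, nothing is left to read.
Subjects, block sizes and the secret are constructed for this example."""


class BlockPool:
    def __init__(self, block_count, block_size, sanitize_on_release):
        self._blocks = [bytearray(block_size) for _ in range(block_count)]
        self._free = list(range(block_count))   # free list, LIFO reuse
        self._owner = {}                         # block index -> current subject
        self.sanitize_on_release = sanitize_on_release

    def allocate(self, subject):
        """Hand out the most recently freed block (typical reuse order)."""
        index = self._free.pop()
        self._owner[index] = subject
        return index

    def write(self, subject, index, data):
        self._check_owner(subject, index)
        block = self._blocks[index]
        n = min(len(data), len(block))
        block[:n] = data[:n]

    def read(self, subject, index):
        self._check_owner(subject, index)
        return bytes(self._blocks[index])

    def release(self, subject, index):
        self._check_owner(subject, index)
        if self.sanitize_on_release:
            # object sanitization: overwrite before the block can be reallocated
            self._blocks[index][:] = bytes(len(self._blocks[index]))
        del self._owner[index]
        self._free.append(index)

    def _check_owner(self, subject, index):
        """Only the current owner may touch a block. Access control is not the
        gap here: the leak happens through a legitimately allocated block."""
        if self._owner.get(index) != subject:
            raise PermissionError(f"{subject} does not own block {index}")


def residual_data_after_reuse(sanitize_on_release):
    """subject-A writes a secret and releases its block; subject-B then
    allocates and reads *before* writing. Returns what subject-B sees."""
    pool = BlockPool(block_count=4, block_size=16,
                     sanitize_on_release=sanitize_on_release)
    first = pool.allocate("subject-A")
    pool.write("subject-A", first, b"secret:pin=4242")
    pool.release("subject-A", first)
    second = pool.allocate("subject-B")       # the same block comes back
    return pool.read("subject-B", second)


if __name__ == "__main__":
    print("without sanitization:", residual_data_after_reuse(False))
    print("with sanitization:   ", residual_data_after_reuse(True))
```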


Audit

• Trusted systems maintain an audit log of all security-related changes, like installation of new programs or modification of the operating system
• The audit log is protected against tampering, modification and deletion by unauthorized users
• Audit logging is active throughout system operation
• If the audit medium fills to capacity, the system shuts down


BITS Pilani
Pilani Campus

SSZG681: Cyber Security

Lecture No: 03
OS Hardening, Encryption & Rootkits

Agenda
• Hardening OS
• Encryption Technologies
• Rootkit
  • Rootkit & Types
  • How rootkit evades detection
  • Sony XCP rootkit
  • TDSS rootkit
  • Other rootkits
  • Defense against rootkits


Hardening OS



What is Hardening of OS?

• Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.

• OS hardening refers to adding extra security measures to the operating system in order to strengthen it against the risk of cyberattack.


OS Hardening Actions

• Disable unnecessary features: Remove unnecessary programs
  • If a Linux server runs a graphical interface by default but you will only be accessing the system through an SSH client, you should disable (or, better, uninstall completely) the graphical interface.
  • If a Windows workstation has Skype installed by default but the users will not actually be running Skype, disable or uninstall the program.
• Use of service packs: Keep up to date and install the latest version. No one thing ensures protection, especially from zero-day attacks, but this is an easy rule to follow.
• Patches and patch management: Planning, testing, implementing and auditing patch management should be part of the regular security regimen. Make sure the OS is patched regularly, as well as the individual programs on the client's computer.


OS Hardening Actions

• Group policies: Define what groups can or cannot access and maintain these rules. Sometimes it is simply user error that leads to a successful cyber attack. Establish or update user policies and ensure all users are aware of and comply with these procedures. For example, everyone should be using strong passwords, securing their credentials and changing them regularly.

• Security templates: A group of policies which can be loaded in one procedure; commonly used in corporate environments.

• Configuration baseline: Baselining is the process of measuring changes in networking, hardware, software etc. To create a baseline, select something to measure and measure it consistently for a period of time.


OS Hardening Actions

• Data and workload isolation
  • Isolate data and workloads from one another as much as possible. Isolation can be achieved by hosting different databases or applications inside different virtual machines or containers, or by restricting network access between different workloads. That way, if an attacker is able to gain control of one workload, he won't necessarily be able to access others as well.
• Hardening frameworks
  • Some operating systems provide frameworks that are designed for the specific purpose of adding extra access control and anti-buffer-overflow features to the system and the applications it hosts. AppArmor and SELinux are examples of this type of software on Linux. In general, installing or enabling these tools is a good system hardening practice.
• Antivirus: Install and configure anti-virus software to detect and remediate malware


Mac Hardening Actions

• Create a standard (non-admin) account for everyday operations
• Disable automatic login
• Uninstall standalone Flash players
• Use a password manager to cope with phishing attacks
• Run a two-way firewall
• Enable full disk encryption
• Disable Spotlight suggestions
• Audit your security and privacy settings
• Check for software updates
• Don’t leave the computer unattended and unlocked
• Use VPN software
• Avoid illegal file sharing
• Have a backup solution


Encryption Technologies



What is data encryption?

• The conversion of data from a readable format into an encoded format that can only be read or processed after it has been decrypted

• Example:
Plain Text: Lets meet for coffee at 4:00pm at Barista
Encrypted Text:
fUfDPzlyJu5LOnkBAf4vxSpQgQZltcz7LWwEtrughon5kSQIkQlZtfxtSTstutq6gVX4SmlC3
A6RDAhhL2FfhfoeimC7sDv9G1Z7pCNzFLp0lgAWWA9ACm8r44RZOBiO5skw9cBZjZVfg
mQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7GmNIvp5jEkGPCGcla4Fgdp
/xuyewPk6NDlBewftLtHJVf



How does encryption work?

• The conversion of data from a readable format into an encoded format involves the use of an encryption key and an algorithm


Why do we need encryption?

• Authentication: To ensure that the participants in a network transaction are legitimately what they claim to be. An SSL certificate can ensure that you are talking to the right website.
• Privacy: To guarantee confidentiality of messages or data from everyone except the legitimate recipient or data owner. Encryption prevents cybercriminals, hackers, ISPs etc. from accessing and reading personal data.
• Regulatory compliance: Many industries and governments have rules in place that require organizations that work with users’ personal information to keep that data encrypted. A sampling of regulatory and compliance standards that enforce encryption includes HIPAA, PCI-DSS, and the GDPR.
• Security: Encryption helps protect information from data breaches, whether the data is at rest or in transit. For example:
  • If a corporate-owned device is misplaced or stolen, the data stored on it will most likely be secure if the hard drive is properly encrypted.
  • Encryption protects data against malicious activities like man-in-the-middle attacks, and lets parties communicate without the fear of data leaks.

Types of encryption

• Symmetric: The sender and the receiver share the same key. The recipient needs to have the key before the message can be decrypted. This method works best for closed systems, which have less risk of a third-party intrusion.
  • It is faster than asymmetric encryption. However, both parties need to make sure the key is stored securely and available only to them.
• Asymmetric: Uses two keys for the encryption process, a public and a private key, which are mathematically linked. The user employs one key for encryption and the other for decryption. The public key is freely available to anyone, whereas the private key remains with the owner only.
• Hashing: Generates a unique signature of fixed length for a data set or message. Each specific message has its unique hash, making minor changes to the information easily trackable. Hashed data cannot be deciphered or reversed back into its original form. That’s why hashing is used only as a method of verifying data.
  • It’s an effective way of showing that no one has tampered with the information.


Encryption algorithms

• AES: The Advanced Encryption Standard is the trusted standard algorithm used across the world. It uses keys of 128, 192 and 256 bits for encryption. AES is widely considered invulnerable to all attacks except for brute force.
• Triple DES: Triple DES was created in response to hackers who figured out how to breach DES. TripleDES applies the DES algorithm three times to every data block and is commonly used to encrypt UNIX passwords and ATM PINs.
• RSA: RSA is an asymmetric public-key encryption algorithm that works off the factorization of the product of two large prime numbers. Only a user with knowledge of these two numbers can decode the message successfully. RSA creates a massive bunch of gibberish that frustrates hackers, causing them to expend a lot of time and energy to crack into systems. Digital signatures use RSA, but the algorithm slows down when it encrypts large volumes of data.
• Blowfish: This symmetric tool breaks messages into 64-bit blocks and encrypts them individually. Blowfish is fast, flexible, and unbreakable. Blowfish is used for e-commerce platforms, securing payments, and password management tools.
• Twofish: It’s a symmetric encryption that works on 128-bit data blocks. It is suited to both software and hardware environments and is considered one of the fastest of its type. Many of today’s file and folder encryption software solutions use this method.

General Scheme of DES

• 16 iterations (rounds): each round contains
  • Substitution (confusion)
  • Transpositions (diffusion)
• Avalanche effect: A small change in either plaintext or key must result in a significant change in ciphertext

Strength of DES:
• Use of a 56-bit key: 2^56 or 7.2×10^16 keys, hence a brute-force attack will be difficult. High-speed computing at 10^13 encryptions per second would require about 1 hour to break
• Nature of the DES algorithm: DES uses 8 substitution tables (S-boxes) in its iterations. These are secret and may have some weakness, though so far no one has claimed to break these tables
• Timing attack: the key principle is that an encryption algorithm takes different amounts of time for different inputs. By providing varying inputs and measuring the time difference one can try guessing the key.

Iteration Block



AES Outline

• Encrypts and decrypts using 128-bit data blocks
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256-bit key
• The pre-round and last round are different in structure
• The remaining rounds have the same structure (steps)


Structure of a round

• Encrypts and decrypts using 128-bit data blocks
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256-bit key
• The pre-round has only the AddRoundKey step
• The last round doesn’t have the MixColumns step
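
The round structure described on the AES slides, written out as an added example that is not part of the course material: FIPS-197 block encryption for 128, 192 and 256-bit keys (pre-round AddRoundKey, Nr-1 full rounds, last round without MixColumns), with the S-box derived rather than typed in, plus a small helper that measures the avalanche effect the DES slide mentions.

```python
"""Added example: AES block encryption, round by round, after FIPS-197.
Pre-round = AddRoundKey only; Nr-1 full rounds of SubBytes, ShiftRows,
MixColumns and AddRoundKey; last round without MixColumns. The S-box is
derived rather than typed in. Nothing here is the course's own code."""

def _xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    """GF(2^8) multiplication by repeated _xtime (used by MixColumns)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = _xtime(a), b >> 1
    return result

def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                  # 0x03 generates the multiplicative group
        exp[i], log[x] = x, i
        x ^= _xtime(x)                    # x *= 3
    sbox = [0x63]                         # inverse of 0 is defined as 0
    for a in range(1, 256):
        inv = exp[(255 - log[a]) % 255]
        acc = rot = inv
        for _ in range(4):                # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            acc ^= rot
        sbox.append(acc ^ 0x63)
    return sbox

SBOX = _build_sbox()
# State layout: 16 bytes indexed r + 4*c (column-major), as in FIPS-197.

def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    return out

def _add_round_key(s, round_key):
    return [a ^ b for a, b in zip(s, round_key)]

def _expand_key(key):
    """FIPS-197 key schedule: returns Nr+1 round keys of 16 bytes each."""
    nk, rcon = len(key) // 4, 0x01
    nr = nk + 6
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # RotWord, SubWord
            temp[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                        # extra SubWord, AES-256 only
            temp = [SBOX[b] for b in temp]
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block under a 16, 24 or 32-byte key (Nr = 10/12/14)."""
    if len(key) not in (16, 24, 32) or len(block) != 16:
        raise ValueError("key must be 16/24/32 bytes and block exactly 16 bytes")
    round_keys = _expand_key(key)
    nr = len(round_keys) - 1
    state = _add_round_key(list(block), round_keys[0])               # pre-round
    for rnd in range(1, nr):                                         # Nr-1 full rounds
        state = _mix_columns(_shift_rows(_sub_bytes(state)))
        state = _add_round_key(state, round_keys[rnd])
    state = _add_round_key(_shift_rows(_sub_bytes(state)), round_keys[nr])  # no MixColumns
    return bytes(state)

def avalanche_bits(key, block, bit_index):
    """Ciphertext bits that change when plaintext bit bit_index is flipped."""
    flipped = bytearray(block)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    a = int.from_bytes(aes_encrypt_block(key, block), "big")
    b = int.from_bytes(aes_encrypt_block(key, bytes(flipped)), "big")
    return bin(a ^ b).count("1")
```

With the FIPS-197 Appendix C.1 values, aes_encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")) returns the published ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a.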


ROOTKIT



Rootkit

• A piece of code that sits between the operating system and the hardware
• A rootkit can circumvent, disable or alter the working of the operating system
• In Unix/Linux/Windows, Root/Admin is the most privileged subject; getting Root/Admin access is the ultimate goal of a hacker
• Rootkit: a piece of code which attains Root privileges
• The term rootkit is a combination of two words: root + kit. "Root" refers to the administrator account with full privileges and unrestricted access. "Kit" refers to the programs that allow a threat actor to obtain unauthorized root/admin access to the computer.
• The rootkit enables the threat actor to perform all these actions surreptitiously, without the user's consent or knowledge.


Rootkit Types

• Hardware or firmware rootkit: This type of malware could infect your computer’s hard drive or its system BIOS, the software that is installed on a small memory chip in your computer’s motherboard. It can even infect your router. Hackers can use these rootkits to intercept data written on the disk.
• Bootloader rootkit: The bootloader loads your computer’s operating system when you turn the machine on. A bootloader rootkit attacks this system, replacing your computer’s legitimate bootloader with a hacked one.
• Memory rootkit: This type of rootkit hides in your computer’s RAM, or Random Access Memory. These rootkits will carry out harmful activities in the background. They only live in your computer’s RAM and will disappear once you reboot your system, though sometimes further work is required to get rid of them.
• Application rootkit: Application rootkits replace standard files in your computer with rootkit files. These rootkits might infect programs such as Word, Paint, or Notepad. Every time you run these programs, you will give hackers access to your computer.
• Kernel mode rootkits: These rootkits target the core of your computer’s operating system. Cybercriminals can use these to change how your operating system functions.


Use of Rootkits: Malicious

• Stealth capabilities: Modern rootkits add stealth capabilities to malicious software payloads (such as keyloggers and viruses) to make them undetectable.
• Backdoor access: Rootkits permit unauthorized access through backdoor malware.
  • Subverts the login mechanism and creates a secret login access for the attacker.
  • Bypasses authentication and authorization mechanisms to provide admin privileges to the attacker.
• DDoS attacks: Rootkits allow the compromised computer to be used as a bot for distributed-denial-of-service attacks.
  • The attack would now be traced to the compromised computer and not to the attacker's system.
  • These bots (zombies) can be used as part of bot networks to launch DDoS attacks and other malicious activities such as click fraud and spam email distribution.


How rootkit evades detection

• Rootkits intercept the operating system’s calls and then alter the results of the call if required. This allows the rootkit to evade detection by antivirus tools or operating system tools.


How rootkit evades detection…

Normal OS call execution
Rootkit controlled OS call execution


Rootkit operates unchecked

• Rootkits are difficult to detect and eradicate.
• 7% of malicious code is rootkits
• Rootkits interfere with normal OS functions to remain hidden
• The normal trick is to intercept the file directory enumeration call to conceal the rootkit’s presence
• A rootkit revealer is a program that directly interfaces with the disk or file system, enumerates files and compares this with the OS function results


Use of Rootkits: Good Cause

• In a honeypot to detect attacks
• To enhance emulation software
• To enhance security software: it enables the software to secure itself from malicious actions
• Digital rights management enforcement
• Device anti-theft protection: BIOS-based rootkit software enables monitoring, disabling and wiping of data on mobile devices when they get lost or stolen


Example: Phone Rootkit

• A mobile phone operating system is simple and less secure
• Researchers at Rutgers University planted a rootkit on phones
  • Test 1: operate the microphone of the phone without the user’s knowledge. This allowed them to eavesdrop on the user’s conversation
  • Test 2: obtain the location of the phone through its GPS system via a text message, hence tracking the whereabouts of a user
  • Test 3: turn on power-hungry functions of a phone like the Bluetooth radio and GPS receiver, thus draining the battery faster and putting it out of use for emergencies
• All attacks were undetectable


Rootkit Examples

• Stuxnet
• Sony BMG Copy Protection
• Lion
• NTRootkit



Sony XCP rootkit

• In 2005 Mark Russinovich detected a rootkit on his machine
• The rootkit was installed when a Sony music CD was inserted to be played on the computer
• Sony used an auto-install program to install the rootkit when a CD was inserted in the CD drive for the first time.
• This would allow the Sony music player to play the CD songs but would prevent any other program from reading the CD
• This was basically a copy protection mechanism (XCP, eXtended Copy Protection)
• The rootkit hid the display of any program starting with $sys$ from any source, malicious or not
• It created a vulnerability in user systems: they were open to attack by virus writers who could name their virus $sys$viru-1 and so on
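
The revealer technique from the "Rootkit operates unchecked" slide applied to the $sys$ naming rule on this slide, as an added example that is not part of the course material: a cross-view comparison between what a hooked directory API returns and what a direct listing returns. The directory, its file names and the simulated hook are constructed; a real revealer parses on-disk structures itself, which an unhooked call stands in for here.

```python
"""Added example: cross-view detection of directory entries a rootkit hides.

The "hooked" API below is simulated by filtering names starting with "$sys$",
the rule the slides describe for XCP; the "direct" view is an unhooked call.
Anything visible in the direct view but missing from the API view is hidden.
Directory contents and file names are constructed for this example."""

import os
import tempfile

HIDDEN_PREFIX = "$sys$"          # prefix the slides say XCP concealed


def hooked_listdir(path):
    """Stand-in for an OS directory call whose results a rootkit filters."""
    return [name for name in os.listdir(path) if not name.startswith(HIDDEN_PREFIX)]


def direct_listdir(path):
    """Stand-in for the revealer's own read of on-disk directory structures
    (here simply an unhooked listing of the same directory)."""
    return [entry.name for entry in os.scandir(path)]


def find_hidden_entries(path):
    """Cross-view diff: entries the direct read sees but the API does not."""
    return sorted(set(direct_listdir(path)) - set(hooked_listdir(path)))


def make_sample_directory():
    """Constructed directory: two ordinary files plus one '$sys$' file."""
    directory = tempfile.mkdtemp(prefix="crossview-")
    for name in ("notes.txt", "report.doc", "$sys$sample.dat"):
        with open(os.path.join(directory, name), "w", encoding="utf-8") as handle:
            handle.write("constructed sample content\n")
    return directory


if __name__ == "__main__":
    sample = make_sample_directory()
    print("API view:   ", sorted(hooked_listdir(sample)))
    print("direct view:", sorted(direct_listdir(sample)))
    print("hidden:     ", find_hidden_entries(sample))
```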


Sony XCP rootkit…

• Sony released an uninstaller which was not thought through properly
• The shortsighted solution opened further security holes rather than fixing the issue
• The uninstaller was presented through a web page to be downloaded and run
• The uninstaller didn’t check what code was being executed on the machine, and the uninstaller remained on the machine even after XCP was uninstalled
• The exact count of this rootkit’s victims is not known, but it was upwards of 500000


TDSS rootkit

• A family of rootkits, TDL-1 to TDL-4, based on the Alureon rootkit
• TDL-1 originated in 2008 with the basic objective of collecting and extracting personal data
• TDL-1 hides itself using:
  • Filter code installed in the stack of drivers associated with access to each disk drive. The filters drop all files with ‘tdl’ as name prefix
  • TDL-1 could install as many files on as many disk drives anywhere
• The Windows registry was loaded with entries to cause these malicious drivers to reload on every system startup
• TDL-1 hides these registry entries by modifying the system function NTEnumerateKey used to list data items in the registry
• In early 2009 TDL-2 was released. Functionality was the same except that the code was scrambled, encrypted and padded with nonsense data
• Later in 2009, TDL-3 was released. It implemented its own file system, thus becoming completely independent of the Windows file system (FAT and NTFS)


TDSS rootkit…

• TDL-3 also introduced a command and control structure with which the rootkit communicates to receive work assignments and return collected data
  • TDL-3 used encrypted communication streams, effectively preventing security analysts from tracking its growth
  • In 2009, more than 3 million computers were infected by TDL-3 (more than half in the US)
• TDL-4 appeared in autumn 2010 and circumvented Microsoft security techniques
  • Microsoft implemented a cryptographic technique by which part of each of its drivers is protected with a digital signature
  • That helps it verify the source integrity of kernel code each time it is loaded
  • TDL-4 changed a system configuration value, LoadIntegrityCheckPolicy, to allow the unsigned rootkit to be loaded
• TDL-4 also infects the Master Boot Record (MBR) and replaces the kernel debugger (kdcomm.dll) to always return safe values


Other rootkits

• Not all rootkits are malicious
• As the security in-charge of very sensitive information (medical records of high-profile patients, intellectual property etc.) one may want this information to be available internally but restricted from going out.
  • Rootkits can control this.
• Products like eBlaster or Spector are rootkits which allow parents to monitor email, messaging, web searches etc. on their kids’ computers
• Law enforcement agencies use rootkits on suspect machines to gather evidence
• Security tools like anti-virus or intrusion detection tools also sometimes act in a stealthy and hard-to-detect manner, like rootkits


Defense Against Rootkits: Preventive

• Don’t ignore OS or standard application updates: Keep the operating system, antivirus software, and other applications updated
• Watch out for phishing emails: Never click on any links in a phishing email or a suspicious-looking email from known sources (friends, companies etc.)
• Be careful of drive-by downloads: Drive-by downloads happen automatically when you visit a website and it installs malware on your computer. Always keep the most up-to-date protections in place for your computer system.
• Don’t download files sent by people you don’t know: Be careful when opening attachments sent by unknown people.
• Regularly run anti-virus and occasionally run anti-rootkit tools on sensitive machines.
• Use behaviour-based detection (analyse system behaviour) to discover suspicious patterns of API calls or CPU usage, which may indicate a rootkit.
• Closely examine network logs from packet analysers, firewalls, or other network tools to identify rootkits communicating with a remote control centre

Defense Against Rootkits: Scanners

• Scanners are programs designed to parse a system in order to weed out active rootkits.
• Scanners can help detect and remove application-layer rootkits
• Scanners are ineffective against rootkits operating at the kernel, boot or firmware level.
• No individual scanner can guarantee that a system is completely clean, hence use multiple scanners and rootkit removers.
• To fully secure a system from rootkits operating at the boot, firmware or hypervisor level, the only remedy is to back up data, then wipe the device and perform a clean install.


BITS Pilani
Pilani Campus

SSZG681: Cyber Security

Lecture No: 04
Attacks in Network

Agenda
• Network Transmission Overview
• Network Flooding
• Malicious Code
• Resource Exhaustion
• Distributed Denial-of-Service
• Scripted Denial-of-Service Attacks
• Bots
• Botnets
• Autonomous Mobile Agents


Network Transmission Media

• Wire/Cable
  Strengths: widely used; inexpensive
  Weaknesses: susceptible to wiretapping; susceptible to radiation
• Optical Fiber
  Strengths: immune to radiation; difficult to wiretap
  Weaknesses: potential exposure of radiation at join points
• Microwave
  Strengths: strong signal; not impacted by weather
  Weaknesses: can be intercepted along the path of transmission; requires line of sight for transmission; signal must be repeated approx. every 50 km
• Wireless (Radio, WiFi)
  Strengths: widely available; built as part of computers
  Weaknesses: suitable for short range only; can be intercepted around the transmitter
• Satellite
  Strengths: strong signal; faster signal speed
  Weaknesses: signal travels a larger distance; signal exposed in WAN


OSI & TCP/IP Models of Networking

Network Topology Types

Network Transmission: Example 1

Network Transmission: Example 2


Addressing and Routing

• MAC (Media Access Control) address: unique identifier of a Network Interface Card (NIC) that connects a computer to a network
• Routers direct traffic on a path that leads to the destination
• Port: a number associated with an application program that serves or monitors for a network service


MAC Address Format

• A 12-digit hexadecimal number (6-byte binary number), represented in colon-hexadecimal notation.
• The first 6 digits (e.g. 00:40:96) of a MAC address identify the manufacturer and are called the OUI (Organizationally Unique Identifier).
• The IEEE Registration Authority Committee assigns these MAC prefixes to its registered vendors.

CC:46:D6 - Cisco
3C:5A:B4 - Google, Inc.
3C:D9:2B - Hewlett Packard
00:9A:CD - HUAWEI TECHNOLOGIES CO.,LTD


Message Routers

• Network routers form a loose confederation of mutually trusting components
• Each router tells neighbouring routers which addresses (prefixes) it has a path to
• From these announcements the routers build a map of the network and pick the best path for each message from one user to another
• Nothing in the basic routing protocols verifies that an announcement is true


Example: Message Routers

• A is not directly connected to T. The shortest path is A-B-N-P-Q-T; A can also reach T via A-B-C-M-N-P-Q-T
• Any corruption of the routing tables misdirects traffic: if T falsely announces that it is 1 hop away from the 10.0.0.0 subnet, all requests for that subnet flow to T instead of to A (route hijacking)
• Routers implicitly trust each other's announcements
Source Routing
• Normally Internet traffic travels by the best available route: each router chooses the next hop
• Strict source routing: the sender specifies the exact route the message must take to the receiver
• Loose source routing: the sender specifies certain intermediate points the route must pass through
• Source routing is usually used for testing and troubleshooting a specific path
• It can be misused to force traffic onto a chosen route (to flood that route, or to bypass filters that only look at the destination address), which is why most hosts and routers now drop source-routed packets


Threats to Network Communication

• Interception: unauthorized viewing
• Modification: unauthorized change
• Fabrication: unauthorized creation
• Interruption: preventing authorized access


Interception

• Wiretapping: passively copying traffic from the medium (cable, fiber splice, microwave path, radio)
• Properties of networks that make interception easy:
• Anonymity: the attacker need not be identifiable
• Many points of attack: every node and link on the path
• Sharing: many users share the same medium and equipment
• System complexity
• Unknown perimeter: a network's boundary is rarely well defined
• Unknown path: the sender does not control which route a message takes


Modification and Fabrication

• Cause data corruption
• Can occur naturally because of minor failures of the transmission media
• Can also be induced for malicious purposes
• Forms of modification/fabrication:
• Sequencing: reordering messages or parts of a message
• Substitution: replacing one piece of data with another
• Insertion: adding data to a message
• Replay: re-sending a legitimately captured message
• Physical replay


Interruption

• Loss of service
• Causes of interruption:
• Routing: traffic misdirected or black-holed
• Excessive demand: flooding
• Component failure
• Network design incorporates redundancy to counter hardware failure


Port Scanning
• A port scan maps the topology and the hardware and software components of a network segment
• Port scanning tools: Nmap, Zenmap (the Nmap GUI), Netcat, Unicornscan
• Data a port scan yields:
• how many hosts there are and what their IP addresses are
• what their physical (MAC) addresses are (only when scanning from the same LAN segment)
• what brand each is and what operating system and version each runs
• what ports respond to service requests
• what service applications respond, and what program and version they are running
• how long responses took
• Network and vulnerability scanners can be used positively for management and administration and negatively for attack planning


Port Scanning: Nmap Examples
• nmap -v scanme.nmap.org
Scans all reserved TCP ports on the machine scanme.nmap.org in verbose mode
• nmap -sS -O scanme.nmap.org/24
Launches a stealth SYN scan against each machine that is up out of the 256 IPs on the class C sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up (-sS and -O need raw-socket privileges).
• nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Launches host discovery and a TCP scan with service/version detection (-sV) at the first half of each of the 256 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564.
• nmap -v -iR 100000 -Pn -p 80
Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80), skipping host discovery (-Pn).
• nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.
• Only scan hosts you own or are authorised to test; scanme.nmap.org is the one public host the Nmap project permits

Network Flooding
• Flooding occurs when demand far exceeds the available capacity of a link, host or service
• It can be caused by malicious or natural events (a sudden surge of legitimate interest can flood a site just as an attack can)
• "Flooding" is also a routing technique in which a node forwards each packet on every outgoing link
• The packet then reaches its destination by every available route, at the cost of packet duplication
• Hop counts and selective flooding limit the delay and the duplication
• As an attack, flooding means sending so much traffic at a service that it cannot serve genuine requests
• A SYN flood, for example, floods a server with incomplete connection requests
• Under that load the server or host is unable to process genuine requests at the same time


Network Flooding…
• Volume-based attacks generate far more demand than the available system capacity
• The attacker can present requests more quickly than the system can handle them
• Requests queue up and ultimately choke the system by overloading or flooding it
• Application-layer attacks overwhelm the capacity of a service rather than of the network
• Targets for flooding: databases, networks, operating systems, print servers, routers etc.
• Blocked access
• interfere with network routing and prevent access requests from reaching the system
• change or delete access control records, or disable access entirely
• Access failure
• software failure due to a malfunction
• hardware failure due to a faulty device or component
• a disabled communication link between two points


Example: Estonian Web Failure
• In 2007 Estonia decided to move a statue, the 'Bronze Soldier', which commemorated the Soviet role in WW2
• Russia objected; there were large-scale public protests in Moscow around the Estonian embassy and in Estonia by ethnic Russians
• Estonia is one of the most computerized countries in the world
• Immediately after the protests, Estonian government and public organization websites were flooded with traffic of 100-200 Mbps, a very high volume for 2007
• The attacks started on 27 April and continued for several days
• They surged again on 8-9 May, when Russia celebrates victory over Germany, and once more around the middle of May
• Security experts found that the attacks largely came from outside Estonia
• Pinpointing the source was not possible because of the complex re-routing of the traffic through botnets, but suspicion fell on Russia


Few More Examples

• In January 2013 the New York Times, Washington Post and Wall Street Journal disclosed that their networks had been penetrated by hackers allegedly working for Chinese interests
• In August 2013 the Syrian Electronic Army hijacked the New York Times' DNS records at its domain registrar, making the website unreachable for about 20 hours
• In June 2014 the Syrian Electronic Army redirected Reuters readers to a message saying the site had been hacked


How does Flooding Work?

Flooding exploits weaknesses in network protocols and in the systems behind them:

• Insufficient resources: memory, connection tables, processes, table capacity
• Insufficient capacity: incoming bandwidth, devices, computing power, software
• Any of these, on any device along the path, is enough; the attacker only has to find the weakest one


Malicious Flooding
• Basic denial-of-service tactics aim to degrade or stop performance by flooding the network
• Packets do not arrive, or if they arrive, performance is severely degraded
• Such attacks misuse the permissiveness of the TCP/IP protocol suite, which was designed for a trusting environment
• ICMP messages and utilities
• Ping (Echo Request/Reply), Destination Unreachable, Source Quench (now deprecated)
• can all be misused for network flooding


Ex1: Ping Flood

• Ping is a network utility used to test a network connection: a "pulse" (ICMP Echo Request) is sent out and the "echo" (ICMP Echo Reply) tells the operator about the path and the target
• If the connection is working, the source machine receives a reply from the targeted machine
• A ping flood sends Echo Requests faster than the target can answer them, consuming its bandwidth and CPU with replies

Variations of the (Windows) ping command that can be used to execute such an attack:
• ping -n count: specify the number of requests sent
• ping -l size: specify the amount of data sent with each packet
• ping -t: keep pinging until stopped (Ctrl-C)
On Linux the equivalents are -c and -s, continuous pinging is the default, and -f (root only) sends as fast as replies arrive.


Ex2: Ping of Death

• A Ping of Death is an attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target to freeze or crash.
• While ping packets are normally very small, an IPv4 ping can be constructed to exceed the maximum packet size of 65,535 bytes. Some TCP/IP implementations were never designed to handle a packet larger than this maximum, making them vulnerable to anything above that size.
• Such a packet cannot travel whole: it is fragmented into pieces, each below the maximum size. When the target reassembles the pieces, the total exceeds the limit and overflows the reassembly buffer, causing the machine to freeze, crash or reboot.
• Mainstream operating systems were patched in the late 1990s; the lesson is that a receiver must validate the reassembled length, not just each fragment.
Ex3: Smurf

• The attacker builds a spoofed ICMP Echo Request whose source address is set to the real IP address of the targeted victim.
• The packet is sent to the IP broadcast address of a network, whose router delivers it to every host on that network, multiplying one request by the number of hosts.
• Each host replies to the spoofed source address with an ICMP Echo Reply.
• The victim receives a deluge of Echo Replies and is overwhelmed, denying service to legitimate traffic.
• Defence: routers drop packets addressed to a directed broadcast address (the default since RFC 2644) and networks filter packets with spoofed source addresses at their edge (BCP 38).
Ex4: Echo-Chargen

• CHARGEN (Character Generator) is a network service developed to simplify testing, troubleshooting and evaluating networks and applications.
• CHARGEN can be accessed over both TCP and UDP (port 19). Whatever it receives, it answers with a stream of arbitrary characters.
• The classic Echo-Chargen attack uses spoofing to connect the Echo service (port 7) of one host to the Chargen service (port 19) of another: each service answers the other, and the two hosts exchange traffic endlessly.
• The most common modern form uses CHARGEN as an amplifier for UDP-based attacks with IP spoofing.
• The attack is simple: the attacker's botnet sends tens of thousands of CHARGEN requests to one or more publicly accessible systems offering the CHARGEN service.
• The requests use UDP, and the bots put the target's IP address as the sender, so the CHARGEN replies, which are much larger than the requests, go to the target instead of the attacker, resulting in tens of thousands of amplified replies hitting the target.
• Chargen and Echo have no legitimate use on a modern network: disable them and block UDP ports 7 and 19 at the perimeter.


Ex5: SYN Flood
A TCP connection is set up by a three-way handshake:
1. First, the client sends a SYN packet to the server to initiate the connection.
2. The server responds to that initial packet with a SYN/ACK packet, acknowledging the request and storing a half-open connection entry (in the "backlog") while it waits.
3. Finally, the client returns an ACK packet to acknowledge the server's SYN/ACK. After this sequence the TCP connection is open and able to send and receive data.
An attacker exploits the fact that after an initial SYN has been received, the server responds with a SYN/ACK (retransmitting it several times if no answer comes) and keeps the half-open entry while waiting for the final step of the handshake.
1. The attacker sends a high volume of SYN packets to the targeted server, usually with spoofed source addresses.
2. The server responds to each connection request and allocates a half-open entry for the expected reply.
3. While the server waits for the final ACK packets, which never arrive, the attacker keeps sending SYN packets. Each new SYN makes the server hold a new half-open entry for a certain length of time, and once the backlog is full the server can no longer accept connections from legitimate clients.
Defences: shorter half-open timeouts, a larger backlog, and above all SYN cookies, which encode the connection state in the server's initial sequence number so that nothing is stored until the client's ACK arrives.
Ex6: Resource Exhaustion

• A computer context-switches between the many processes it runs; under excessive load the switching overhead itself can starve every process of CPU time
• Any finite resource can be exhausted: memory, buffers, process and connection tables, file descriptors, disk space filled by log files
• When a resource runs out, a process loses its state (an unsaved buffer, an unwritten log entry) and legitimate users are denied the resource


Ex7: Traffic Re-direction

• An attacker who controls a router, or can inject routing updates, can make it announce that it has the best path to all IP addresses
• The other routers believe the announcement and all traffic is redirected to this router, which is flooded (or can inspect or black-hole what it receives)
• Route hijacks on the Internet are BGP announcements that nobody verified


Ex8: IP Fragmentation: Tear Drop

• Misuse of a feature intended to help network communication: a datagram larger than a link's MTU is fragmented and reassembled at the receiver
• Each fragment carries its offset (position) within the original datagram and its length
• An attacker sends fragments whose offsets and lengths overlap, so the pieces cannot be consistent
• A reassembler that trusts the offsets computes an impossible (negative) length and crashes, or reassembles corrupt data
• The receiver should reject overlapping fragments and any datagram whose reassembled size would exceed 65,535 bytes
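Ping of Death (Ex2) and Teardrop (Ex8) are both failures of the same piece of code, the IP fragment reassembler, so one example covers both. The following is an added example, not code from any operating system: a reassembler that applies the checks a hardened stack performs, rejecting a fragment that would push the datagram past 65,535 bytes and a fragment that overlaps one already received, instead of trusting the offsets. The fragment lists are constructed samples, and the offsets are in 8-byte units as in the IP header.

```python
MAX_IP_DATAGRAM = 65535          # the IPv4 total-length field is 16 bits
IPV4_HEADER = 20
MAX_PAYLOAD = MAX_IP_DATAGRAM - IPV4_HEADER   # 65,515 bytes of reassembled data


class FragmentError(ValueError):
    """Raised when a fragment cannot belong to a well-formed datagram."""


class Reassembler:
    """Reassemb​les the fragments of one datagram (same source, destination,
    identification and protocol).  A fragment is (offset_units, more_flag,
    payload); as in the IP header the offset counts 8-byte units."""

    def __init__(self):
        self.parts = []      # (start, end, payload)
        self.total = None    # known once the last fragment (MF = 0) arrives

    def add(self, offset_units: int, more: bool, payload: bytes):
        start = offset_units * 8
        end = start + len(payload)
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment must be a multiple of 8 bytes")
        if end > MAX_PAYLOAD:
            # Ping of Death: every piece is legal on its own, the sum is not
            raise FragmentError(f"fragment ends at byte {end}, beyond the 65,535-byte datagram limit")
        if self.total is not None and end > self.total:
            raise FragmentError("fragment extends past the final fragment")
        for s, e, _ in self.parts:
            if start < e and s < end:
                # Teardrop: a reassembler that trusts the offsets computes a
                # negative copy length here and crashes; we refuse instead
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if not more:
            if self.total is not None:
                raise FragmentError("two fragments claim to be the last one")
            self.total = end
        self.parts.append((start, end, payload))
        return self.complete()

    def complete(self):
        """Return the datagram once every byte up to `total` is present, else None."""
        if self.total is None:
            return None
        pos = 0
        for s, e, _ in sorted(self.parts):
            if s != pos:
                return None          # a hole still to be filled
            pos = e
        if pos != self.total:
            return None
        return b"".join(p for _, _, p in sorted(self.parts))


def fragment(payload: bytes, mtu: int = 1500):
    """Split a payload the way a router would for the given MTU."""
    chunk = (mtu - IPV4_HEADER) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append((off // 8, off + chunk < len(payload), piece))
    return frags


def reassemble(frags):
    """Feed fragments in the given order; report success or the reason for rejection."""
    r = Reassembler()
    result = None
    try:
        for f in frags:
            result = r.add(*f)
    except FragmentError as err:
        return ("rejected", str(err))
    return ("ok", result) if result is not None else ("incomplete", None)


# Constructed samples
NORMAL = fragment(bytes(range(256)) * 10)                       # a 2,560-byte ping in 2 fragments
TEARDROP = [(0, True, b"A" * 24), (2, True, b"B" * 16), (4, False, b"C" * 8)]   # 2nd overlaps the 1st
PING_OF_DEATH = [(0, True, b"\x00" * 1480), (8189, False, b"\x00" * 100)]    # last piece ends at 65,612

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        status, detail = reassemble(frags)
        print(f"{name:14s} {status:10s} {detail if status == 'rejected' else ''}")
```

Note that the oversize check happens before any overlap check and before the reassembly buffer is touched: the vulnerable stacks of the 1990s allocated or copied first and compared afterwards.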


How does DNS Work?
• DNS resolves a hostname into an IP address, e.g. www.xyz.com into 192.152.68.1
• Four kinds of server take part in the conversion:
• DNS Recursor (recursive resolver): like a librarian who is asked to go and find a particular book somewhere in the library. It receives queries from client machines through applications such as web browsers and makes the further requests on the client's behalf.
• Root Nameserver: the first step in translating host names into IP addresses. It can be thought of as the index of a library that points to the different racks of books; it refers the resolver to more specific locations.
• TLD Nameserver: a Top Level Domain server is like a specific rack of books in the library. It is the next step in the search for an IP address and holds the delegations for the last part of a hostname (for xyz.com the TLD is "com").
• Authoritative Nameserver: this final nameserver can be thought of as a dictionary on the rack, in which a specific name can be looked up for its definition. It is the last stop in the query; if it holds the requested record, it returns the IP address for the hostname to the recursor that made the initial request.


How does DNS Work?
1. A user types 'xyz.com' into a web browser. The query is received by a DNS recursive resolver.
2. The resolver queries a DNS root nameserver (.).
3. The root server responds to the resolver with the address of a TLD DNS server (such as .com or .net), which stores the delegations for its domains. The search for xyz.com is pointed toward the .com TLD.
4. The resolver then makes a request to the .com TLD server.
5. The TLD server responds with the IP address of the domain's authoritative nameserver (for xyz.com).
6. The recursive resolver sends a query to the domain's nameserver.
7. The IP address for xyz.com is returned to the resolver from the nameserver.
8. The DNS resolver responds to the web browser with the IP address of the domain requested initially, and caches the answer for its TTL.
Once the DNS lookup has returned the IP address for xyz.com, the browser is able to request the web page:
9. The browser makes an HTTP request to the IP address.
10. The server at that IP returns the web page to be rendered in the browser.


DNS Attacks
• The most common name server software is BIND (Berkeley Internet Name Domain); historically it has had flaws such as buffer overflows through which an attacker could take over the server and re-route traffic
• Root server attacks
• There are 13 root server identities (a to m), spread across the world; they delegate to the top-level domains (.com, .uk, .in, .org, .edu etc.)
• A 2002 attack flooded the root servers, causing major Internet disruption; a possible contributing cause was mis-configured firewalls
• A similar attack in 2007 caused outages of up to 6 hours on some servers; the attack originated largely from the APAC region
• Root servers now use 'anycast', which spreads each of the 13 addresses over many physical servers, so that flooding one site no longer takes out the service
Ex1: DNS Spoofing

• Mis-routing by changing the IP address a name resolves to
• A DNS server translates Internet names into IP addresses
• A 'man in the middle' can intercept the communication between a user and the DNS server and substitute an address, resulting in denial of service or in the attacker becoming the intermediary for all the user's traffic
• Attackers also try to insert inaccurate entries into a DNS server's cache, known as DNS (cache) poisoning


Ex2: Session Hijack

• The attacker lets the communication start between the two parties and then takes over, i.e. takes control once authentication is complete
• Unencrypted sessions are highly exposed to this risk
• It takes advantage of the TCP/IP design: the attacker injects packets carrying the victim's source IP address and the correct TCP sequence numbers, so the server believes they come from the authenticated client


Ex3: DNS Cache Poisoning

• Send a forged response to a DNS resolver claiming a changed address for a website
• A resolver that cannot answer from its cache asks the root, TLD and authoritative servers in turn. Each query carries only a 16-bit transaction ID, and a response is accepted if the ID (and the destination port) match
• A rogue response that arrives before the real one with a matching ID is cached and served to every later client (the Kaminsky attack of 2008 showed this could be done in seconds when the query source port was fixed)
• Mitigations: randomize the transaction ID and the source port of every query, and only accept data for the zone the queried server is responsible for (the "bailiwick" check)
• DNSSEC (RFC 4033-4035, 2005) adds digital signatures to DNS records; the root zone was signed in 2010
• A validating resolver can then detect fake responses, whatever their ID
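The resolution walk-through above and the poisoning attack are two sides of the same resolver logic, so one example serves both. The following is an added example written for this lecture, not code from BIND or any real resolver: a tiny iterative resolver walking constructed root, TLD and authoritative data (RFC 5737 documentation addresses, not real servers), and the validation it applies to a reply before caching it. `poisoning_accepted` shows which of the three checks an off-path attacker must defeat. The zone data, addresses and the attacker's forged values are all assumptions.

```python
import secrets

# Constructed name-server data using RFC 5737 documentation addresses; the
# three tiers mirror the root / TLD / authoritative servers of the lecture.
ROOT_IP, COM_IP, XYZ_IP = "192.0.2.1", "192.0.2.2", "192.0.2.3"
SERVERS = {
    ROOT_IP: {"zone": "", "delegations": {"com": COM_IP}},
    COM_IP:  {"zone": "com", "delegations": {"xyz.com": XYZ_IP}},
    XYZ_IP:  {"zone": "xyz.com", "records": {"www.xyz.com": "198.51.100.10"}},
}


def within(name: str, zone: str) -> bool:
    """True if `name` lies inside `zone` ('' is the root, which contains everything)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def ask(server_ip: str, qname: str, txid: int, sport: int) -> dict:
    """The 'network': an honest server's reply, echoing the client's ID and port."""
    srv = SERVERS[server_ip]
    reply = {"txid": txid, "qname": qname, "src": server_ip, "dport": sport,
             "answer": None, "referral": None}
    if qname in srv.get("records", {}):
        reply["answer"] = srv["records"][qname]
    else:
        for zone, ns_ip in srv.get("delegations", {}).items():
            if within(qname, zone):
                reply["referral"] = (zone, ns_ip)
    return reply


class Resolver:
    def __init__(self):
        self.cache = {}

    def new_query(self, server_ip: str, qname: str) -> dict:
        # 16-bit transaction ID plus a random source port: about 2^32 combinations
        # an off-path attacker must guess; with a fixed port it was only 2^16
        return {"txid": secrets.randbelow(1 << 16), "sport": 1024 + secrets.randbelow(64512),
                "server": server_ip, "qname": qname}

    def accept(self, query: dict, reply: dict) -> bool:
        """Checks a resolver must apply before trusting a UDP reply."""
        if reply["txid"] != query["txid"] or reply["dport"] != query["sport"]:
            return False
        if reply["src"] != query["server"] or reply["qname"] != query["qname"]:
            return False
        if reply["referral"] and not within(reply["referral"][0], SERVERS[query["server"]]["zone"]):
            return False   # bailiwick: a .com server may not speak for .org names
        return True

    def resolve(self, qname: str):
        """Iterative lookup: root -> TLD -> authoritative (steps 2-7 of the walk-through)."""
        if qname in self.cache:
            return self.cache[qname]
        server = ROOT_IP
        for _ in range(8):                       # bound the referral chain
            q = self.new_query(server, qname)
            reply = ask(server, qname, q["txid"], q["sport"])
            if not self.accept(q, reply):
                raise RuntimeError("reply failed validation")
            if reply["answer"]:
                self.cache[qname] = reply["answer"]
                return reply["answer"]
            if not reply["referral"]:
                return None                      # no such name
            server = reply["referral"][1]
        return None


def forged_reply(query: dict, txid_ok: bool, port_ok: bool, bailiwick_ok: bool) -> dict:
    """An off-path attacker racing the real answer.  It knows the question and the
    server being asked (both easy to cause) and may or may not know the rest."""
    reply = {"txid": query["txid"] if txid_ok else query["txid"] ^ 1,
             "dport": query["sport"] if port_ok else query["sport"] ^ 1,
             "src": query["server"], "qname": query["qname"],
             "answer": "203.0.113.66", "referral": None}      # assumed attacker address
    if not bailiwick_ok:
        # a delegation for a zone this server is not responsible for
        reply["answer"], reply["referral"] = None, ("org", "203.0.113.66")
    return reply


def poisoning_accepted(txid_ok: bool, port_ok: bool, bailiwick_ok: bool) -> bool:
    r = Resolver()
    q = r.new_query(XYZ_IP, "www.xyz.com")
    return r.accept(q, forged_reply(q, txid_ok, port_ok, bailiwick_ok))


if __name__ == "__main__":
    print(Resolver().resolve("www.xyz.com"))                 # 198.51.100.10
    print(poisoning_accepted(True, True, True))              # attacker knows everything: accepted
    print(poisoning_accepted(True, False, True))             # port randomization alone stops it
```

With all three checks an off-path attacker needs the ID and the port, roughly one chance in four billion per forged packet; the checks do not help against an on-path attacker who can see the query, which is what DNSSEC signatures are for.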


Exploiting Known Vulnerabilities

• Attackers often begin with known vulnerabilities for which the user has not installed the available patches
• Zero-day exploit: exploitation of a vulnerability for which a patch is not yet available
• Tools seen in such attacks: R-U-Dead-Yet (a slow HTTP POST denial-of-service tool), Evilgrade (exploits insecure software update mechanisms) and Zeus (a banking trojan and botnet kit); vulnerability scanners such as Nessus or OpenVAS are what both attackers and defenders use to find unpatched flaws


Denial of Service

• An attempt to disrupt the availability of computer systems
• Users are denied access to authorized services or data
• Disruption of the service through:
• breaking a communication link
• flooding a server
• An attack on confidentiality or integrity is binary in nature: the secret is disclosed or it is not, the data is altered or it is not
• An attack on availability is nuanced: the service may be reduced to an insufficient or unacceptable level rather than stopped


Distributed Denial of Service (DDoS)

• DDoS attacks change the balance between attacker and victim by marshalling many machines on the attacker's side
• Statistics (Arbor Networks):
• more than 350,000 DDoS attacks in 2009, one attack every 90 seconds
• SYN floods accounted for over half of these attacks
• 20,000 attacks exceeded 1 Gbps
• 4,000 of the 1+ Gbps attacks lasted 8 hours or more
• 3,500 attacks were over 4 Gbps and 2,000 over 10 Gbps
• in 2014, 33% of attacks were over 20 Gbps
• Large attacks deliver 6-8 million requests per second, which hardly any website is designed to serve


DDoS Approach

• The attacker conscripts many machines through a Trojan horse
• The Trojan remains silent and does no visible harm to the infected machine
• Each compromised machine is called a zombie (bot)
• On command, the zombies start the attack, using any of the flooding methods above

DDoS Approach…

• Tool-based scripted attacks
• A toolkit installs and controls the zombies
• Zombies/bots are normally unpatched machines; the attacker finds them by scanning for vulnerabilities
• A botnet (network of bots) is used for massive DDoS attacks


Botnet Command and Control


Rent-a-Bot

• Bot master: the person who controls the bots
• The bot master uses the bots to:
• carry out attacks on victims
• rent the bots to others for their attacks (revenue generation)
• build a network of compromised hosts to launch attacks (for self or for rent)
• Opt-in bot: volunteers who knowingly run the attack software to add their machine to a cause they support


Physical Disconnect

• A broken cable, appliance or connector results in denial of service
• Any machine along the transmission route can fail
• Component failure: circuit board, storage device, monitoring device
• The consequences of a hardware failure range from loss of connectivity to data or software corruption


Defense against DDoS Attacks

• Develop a DDoS response plan
• Secure the network infrastructure
• Install patches for vulnerabilities
• Adjust the number of active servers
• Use load balancers
• Blacklist rogue IPs (of limited value when sources are spoofed or spread across thousands of bots)
• Practise basic security hygiene (strong passwords, no unnecessary services) so that your own hosts do not become bots
• Build a strong network architecture with redundancy
• Leverage the cloud; enrol with a scrubbing service such as Akamai or Cloudflare, which absorbs the flood and forwards only clean traffic
• Understand and listen for the warning signs


Mobile Agents

Mobile Agent
• A mobile agent is a process that can transport its state from one environment to another, with its data intact, and is capable of performing appropriately in the new environment
• Just as a user directs an Internet browser to "visit" a website (the browser merely downloads a copy of the site, or one version of it in the case of a dynamic site), a mobile agent accomplishes a move through data duplication: a copy of the agent is created at the new host and the original stops
• A mobile agent is a specific form of mobile code; mobile agents are active in that they can choose to migrate between computers at any time during their execution


Properties of Mobile Agent
• Adaptive learning: mobile agents can learn from experience and adapt themselves to the environment. They can monitor traffic in large networks and learn about the trouble spots; based on that experience an agent can choose better routes to reach the next host.
• Autonomy: mobile agents can take some decisions on their own. For example, they are free to choose the next host and when to migrate to it. These decisions are transparent to the user and are taken in the user's interest.
• Mobility: mobile agents have the ability to move from one host to another in the network.

Advantages of Mobile Agent
• Reduction in network load
• Overcoming network latency
• Protocol encapsulation
• Asynchronous and autonomous execution
• Fault tolerance

Disadvantages of Mobile Agent
• Security risk in using mobile agents
• A malicious mobile agent can damage a host
• A virus can be disguised as a mobile agent and distributed in the network, damaging the hosts that execute the agent
• A malicious host can tamper with the functioning of a mobile agent it executes (it sees the agent's code, data and keys), which is the hard problem of mobile-agent security


SSZG681: Cyber Security

Lecture No: 05
Strategic Defense
Agenda
• Network Security Strategies
• Network & Browser Encryption
• The Onion Router (Tor)
• IP Security Protocol Suite
• Virtual Private Networks
• Network Architecture
• Firewalls
• What is a firewall
• Design of firewall
• Types of firewall
• Comparison of firewall types
• Firewall configuration
• Network address translation
• Data Loss Prevention
Network Encryption

• Encryption protects only what is encrypted: once the data is decrypted at the sender's or receiver's end it is exposed to every threat there
• Encryption algorithm design is work for professionals; use standard algorithms
• Encryption is no more secure than its key management: once a key is revealed, the encryption is of no use
• Encryption is not a cure for all ailments: a flawed system design with superb encryption is still a flawed system
• Encryption types:
• Link encryption: between adjacent nodes, on each hop of the path
• End-to-end encryption: application to application


Link Encryption
• Data is encrypted just before it is put on the physical network
• Encryption occurs at layer 1 or 2 of the OSI model
• Link encryption covers the communication from one node to the next on the path to the destination
• The message is plaintext inside every host
• Data is encrypted while it travels on a link; when it reaches a router or another intermediate device it is decrypted so that the device can read the headers and decide where to send it next, then re-encrypted for the next link
• Useful when all hosts are reasonably secure but the communication lines are not
End to End Encryption
• Encryption is applied between the two communicating users (applications)
• It is performed at the highest network layers (application/presentation)
• Data confidentiality is maintained even if a lower layer fails or the communication passes through insecure nodes
• Only the communicating users can read the messages. In principle this prevents potential eavesdroppers, including telecoms, ISPs and other intermediaries, from reading them; the headers (addresses) remain visible, so who talks to whom is not hidden


Link v/s End-to-End Encryption


Browser Encryption
• Browsers can encrypt data during transmission
• The browser negotiates with the server an algorithm for encryption
• SSH (Secure Shell):
• Provides authentication and encryption for shell access and OS commands
• Replaces telnet, rlogin, rsh for remote access
• Protects against spoofing and data modification during transmission
• Uses symmetric algorithms (AES, ChaCha20; DES is obsolete) for encryption and public keys, passwords or Kerberos for authentication
• SSL/TLS (Secure Sockets Layer/Transport Layer Security):
• SSL had versions 1.0, 2.0 and 3.0; its successor TLS 1.0 is effectively SSL 3.1. All SSL versions and TLS 1.0/1.1 are now deprecated; TLS 1.2 and 1.3 are current
• Sits between the transport layer (TCP) and the application: to the application it looks like an ordinary transport service, to the network it is application data
• Provides server authentication, optionally client authentication, and an encrypted communication channel between client and server


Cipher Suite

• A cipher suite is the negotiated set of algorithms for key exchange, authentication, session encryption and hashing (integrity), for example:
• Diffie-Hellman (key exchange)
• RSA (authentication, and key exchange in older TLS)
• AES (session encryption)
• DES and RC4 (session encryption; both broken and no longer permitted)
• SHA-2 (hashing)
• ….
• The client sends the list of cipher suite identifiers it supports
• The server picks one from that list (so the server's preference order matters) and tells the client which it chose


SSL (HTTPS) Session

• The client requests an SSL/TLS session and sends the cipher suites it supports
• The server replies with its certificate (containing its public key) and the chosen cipher suite
• With RSA key exchange (TLS 1.2 and earlier) the client sends a random pre-master secret encrypted with the server's public key; with (EC)DHE, mandatory in TLS 1.3, both sides exchange Diffie-Hellman values instead
• Both server and client derive the same symmetric session keys from that secret and begin encrypted communication
• Details of the session can be viewed in the browser (the padlock)
• Certificates are signed by Certificate Authorities (CAs) whose root certificates the browser trusts
• SSL/TLS protects data from the client's browser to the server's decryption point
• A keystroke logger or a man-in-the-browser can still read the plaintext before it is encrypted
• LocalSSL provides protection in the local environment


The Onion Router (Tor)

• With link and end-to-end encryption the data is encrypted but the client and server addresses remain exposed
• Onion routing prevents any single eavesdropper from learning the source, the destination and the content of data in transit together
• Protection is achieved by relaying the communication through a chain of computers before delivery to the receiver, each hop removing (or, on the way back, adding) one layer of encryption
• Example: A needs to send a packet to B and routes it through X, Y and Z:
• A encrypts the packet with B's public key and prepends a header "from Z to B"
• A encrypts the result with Z's public key and prepends a header "from Y to Z"
• A encrypts the result with Y's public key and prepends a header "from X to Y"
• A encrypts the result with X's public key and prepends a header "from A to X"
• On receipt, each intermediate node can strip only its own layer, so it learns the previous and next nodes for the packet and not the whole path
• The real Tor protocol negotiates a symmetric key with each relay when the circuit is built and uses those keys for the layers; public keys are used only for that negotiation
• Used for covert mail, private browsing, the dark web etc.
• Browsers: Tor Browser, Orfox, Epic, Comodo IceDragon
The Onion Router (Tor)

• The client, which holds all three keys (key 1, key 2 and key 3), encrypts the message (the GET request) three times, wrapping it in three layers like an onion that must be peeled one layer at a time
• The triple-encrypted message is sent to the first relay, Node 1 (the entry or guard node)
• Node 1 knows only the client's address, the address of Node 2 and key 1. It removes the outer layer with key 1, finds the result still encrypted, and passes it to Node 2
• Node 2 has key 2 and knows only the addresses of the entry and exit nodes. It removes its layer with key 2, finds the result still encrypted, and passes it to the exit node
• Node 3 (the exit node) peels off the last layer, finds a GET request for youtube.com and passes it to the destination server. The exit node sees the request in plaintext unless the client used HTTPS inside Tor
• The server processes the request and serves the desired web page as the response. The response passes through the same nodes in reverse, and each node adds one layer of encryption with its own key
• The client receives a triple-encrypted response, which it alone can decrypt since it has all three keys
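The layering in both Tor slides above is easiest to understand by building the onion and peeling it. The following is an added example for this lecture, not Tor's code: the client wraps a request in one layer per relay, each relay strips exactly its own layer and learns only the next hop, the exit hands the plaintext to the server, and the reply is re-wrapped on the way back. It assumes the per-relay symmetric keys are already established (Tor negotiates them when the circuit is built) and, to stay stdlib-only, uses an HMAC-SHA256 counter-mode keystream in place of Tor's AES-CTR; it also omits the integrity digest Tor's cells carry. Relay names, keys, the request and the toy server are constructed.

```python
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher built from HMAC-SHA256 in counter mode (a stdlib stand-in
    for the AES-CTR Tor uses); symmetric, so it both seals and opens."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])


def build_onion(path, keys, destination, payload):
    """Wrap `payload` in one layer per relay, innermost first, so that each
    relay can read only its own next-hop instruction."""
    hops = list(path) + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        layer = json.dumps({"next": hops[i + 1], "inner": blob.hex()}).encode()
        blob = seal(keys[path[i]], layer)
    return blob


def relay(name, key, blob, seen):
    """What one relay does: strip its layer, note what it learned, forward the rest."""
    layer = json.loads(unseal(key, blob))
    seen.append((name, layer["next"]))          # a relay learns only its successor
    return layer["next"], bytes.fromhex(layer["inner"])


def circuit(path, keys, destination, request, server):
    """Send `request` through the circuit and bring the reply back.  Returns the
    plaintext the exit node handed to the server, the decrypted reply, and what
    each relay observed."""
    seen = []
    blob = build_onion(path, keys, destination, request)
    nxt = path[0]
    for name in path:
        nxt, blob = relay(name, keys[name], blob, seen)
    assert nxt == destination               # the exit node forwards the plaintext
    reply = server(blob)
    for name in reversed(path):             # exit adds its layer first, entry last ...
        reply = seal(keys[name], reply)
    for name in path:                       # ... and the client peels them entry first
        reply = unseal(keys[name], reply)
    return blob, reply, seen


def tamper_check() -> bool:
    """A relay holding the wrong key cannot open the layer, nor see the next hop."""
    blob = build_onion(["X"], {"X": os.urandom(32)}, "d", b"payload")
    try:
        relay("X", os.urandom(32), blob, [])
    except ValueError:                      # JSONDecodeError / UnicodeDecodeError
        return True
    return False


def demo():
    path = ["X", "Y", "Z"]                                   # entry, middle, exit
    keys = {n: os.urandom(32) for n in path}                # assumed per-relay keys
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    server = lambda req: b"HTTP/1.1 200 OK\r\n\r\nhello " + req.split(b"\r\n")[0]
    return circuit(path, keys, "example.test", request, server)


if __name__ == "__main__":
    req, reply, seen = demo()
    print(reply)
    for name, nxt in seen:
        print(f"{name} learned only: forward to {nxt}")
```

The `seen` list is the whole point: X knows it talked to the client and to Y, Z knows it talked to Y and to example.test, and nobody except the client has both facts. What this toy does not show is why the exit is the dangerous hop: it sees the plaintext request, so anything sensitive must also be protected end to end with HTTPS.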


IP Security Protocol (IPsec)
• IPsec is implemented at OSI layer 3 (the network layer), below TCP and UDP, so it protects any application without changing it
• It implements encryption, integrity and authentication
• Allows the two communicating parties to agree on a mutually supported set of protocols
• Security Association (SA): the set of security parameters for one secured, one-way channel
• An SA includes:
• Encryption algorithm, key and mode
• Encryption parameters such as the initialization vector
• Authentication (integrity) protocol and key
• Life span of the SA
• Address of the opposite end of the association
• Sensitivity level of the protected data (used for classified information)
• A host (network server or firewall) may have multiple SAs in operation at any given point in time: at least two per peer, one in each direction
Headers and Data

• IPsec has two fundamental data structures:
• Authentication Header (AH): integrity and origin authentication of the packet, without confidentiality
• Encapsulating Security Payload (ESP): replaces the TCP header and data portion of the packet with an encrypted (and optionally authenticated) payload
• Both carry a sequence number that is incremented by 1 for each packet transmitted, so that the receiver can detect replayed packets
• The ESP payload contains descriptors (SPI, padding, next-header field) that tell the recipient how to interpret the encrypted content


Communication Setup Between Sender & Receiver


Key Management

• Managed through the Internet Security Association and Key Management Protocol (ISAKMP) framework
• A distinct key for each security association
• Key exchange between sender and receiver is implemented by the Internet Key Exchange protocol (IKE, now IKEv2)
• IKE uses the Diffie-Hellman scheme to generate a mutually shared secret, from which the encryption and integrity keys are derived
• IPsec enforces both confidentiality (through symmetric encryption) and peer authentication (through pre-shared keys or digital signatures made with the peer's private key)
• A keyed hash (HMAC) on each packet protects against modification (integrity)


Modes of Operation

• Transport mode: the normal host-to-host mode; the original IP header stays in the clear and only the payload (TCP/UDP header and data) is protected
• Tunnel mode: the whole original packet, including its header, is encrypted and wrapped in a new IP packet addressed to a gateway such as a firewall or VPN concentrator, which removes the IPsec protection and forwards the inner packet; the real recipient's address is concealed from observers on the path


Virtual Private Networks (VPNs)
• A VPN simulates the security of a dedicated, protected communication line on a shared network
• Encrypting the link between two secure sites (typically IPsec in tunnel mode, or TLS) provides a VPN between two distant sites
• Firewalls or VPN gateways at each site establish the VPN connections
• Can also be used for communication between an office and home or mobile users


Network Architecture
• Network architecture can be designed to protect a set of computers from outside network access
• Something similar to the limited direct-inward-dialing feature of a hospital telephone system
• Protected subnets are created for this implementation
• Protected subnets can separate departments, projects, clients, areas, or any sub-group requiring controlled access to data or communication
• (Figures: in the first, all hosts are visible to the outside network; in the second, only host A is visible to the outside network)


Firewalls


What is a Firewall?
• Firewalls are network security devices which protect a subnet (mainly
internal) from harm by another subnet (mainly external)
• Can also be used to separate the sensitive segments of a network, e.g. R&D
• A firewall filters traffic between a protected (inside) network and a less
trustworthy (outside) network
• Firewalls run on dedicated systems for performance and security reasons
• A firewall is a traffic cop that permits or blocks data flow between two parts of a
network architecture
• A firewall system typically doesn’t have compilers, linkers, loaders, text editors,
debuggers, programming libraries or other tools which an attacker can take
advantage of
• Cisco runs its own OS on its firewalls
• Firewalls enforce pre-determined rules (security policies) to govern traffic
flow
• Two policies commonly used – default permit and default deny
How Does Firewall Work?
• Security Policy: Set of rules that define what traffic can or cannot pass
through the firewall
• Firewalls enforce pre-determined rules (security policies) to govern traffic
flow

• Rule 1: Allow traffic from any outside host to 192.168.1 subnet on port 25 (mail transfer)
• Rule 2: Allow traffic from any outside host to 192.168.1 subnet on port 69 (file transfer)
• Rule 3: Allow traffic from 192.168.1 subnet to any outside host on port 80 (web pages)
• Rule 4: Allow traffic from any outside host to 192.168.1.18 on port 80 (web server)
• Rule 5 & Rule 6: Deny all other traffic (inbound or outbound)
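As an added example (not from the slides), the rule set above modelled in Python: rules 1 to 4 are checked in order and anything unmatched falls through to rules 5 and 6, the default-deny policy. The 203.0.113.x outside addresses and the internal hosts other than 192.168.1.18 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# The slide's protected subnet and the one host allowed to receive web traffic.
INSIDE = ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.18"


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP/UDP port


@dataclass(frozen=True)
class Rule:
    name: str
    src_side: str                   # "inside" or "outside" the protected subnet
    dst_side: str
    dport: int
    dst_host: Optional[str] = None  # restrict the destination to a single host


def side(addr: str) -> str:
    """Classify an address as belonging to the protected subnet or not."""
    return "inside" if ip_address(addr) in INSIDE else "outside"


# Rules 1-4 from the slide, in the order the firewall evaluates them.
RULES = [
    Rule("Rule 1", "outside", "inside", 25),              # mail transfer
    Rule("Rule 2", "outside", "inside", 69),              # file transfer (port 69, TFTP)
    Rule("Rule 3", "inside", "outside", 80),              # outbound web pages
    Rule("Rule 4", "outside", "inside", 80, WEB_SERVER),  # inbound web, one host only
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if side(pkt.src) != rule.src_side or side(pkt.dst) != rule.dst_side:
        return False
    if rule.dst_host is not None and pkt.dst != rule.dst_host:
        return False
    return pkt.dport == rule.dport


def decide(pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name). The first matching allow rule wins; otherwise
    the default policy applies. Rules 5 and 6 on the slide are 'default deny';
    passing default="permit" shows the weaker 'default permit' stance."""
    for rule in RULES:
        if matches(rule, pkt):
            return ("allow", rule.name)
    return (default, "Rule 5/6: default " + default)


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is a documentation range.
    samples = [
        Packet("203.0.113.5", "192.168.1.40", 25),   # inbound mail: allowed (Rule 1)
        Packet("203.0.113.5", "192.168.1.40", 80),   # web to a non-server host: denied
        Packet("203.0.113.5", "192.168.1.18", 80),   # web to the web server: allowed (Rule 4)
        Packet("192.168.1.40", "203.0.113.5", 80),   # outbound browsing: allowed (Rule 3)
        Packet("192.168.1.40", "203.0.113.5", 22),   # outbound SSH: no rule, denied
    ]
    for p in samples:
        print(p, "->", decide(p))
```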



Firewall Trust

• A firewall is a reference monitor: positioned to monitor all traffic, not
accessible to outside attacks, and implementing only access control
• The firewall is positioned as the single physical point of connection between
protected and uncontrolled networks. This placement ensures the firewall is
always invoked
• Typically implemented on a separate, dedicated computer with a stripped-down
operating system running minimal utilities, making it tamper-proof. Even the
firewall's traffic audit logs need to be transported to another machine for
reading
• Firewalls are simple and small with bare minimum functionality



Firewall Generation

• First Generation: Packet filtering gateways or screening routers
• Second Generation: Stateful inspection firewalls
• Third Generation:
• Application Proxy Firewall
• Circuit level gateways
• Guard Firewall
• Personal firewall
• Network Address Translation (NAT) Firewall
• Next Generation Firewall (NGFW)



Packet Filtering Firewall
1. Incoming packets from network
192.168.21.0 are blocked.
2. Incoming packets destined for
internal TELNET server (port 23) are
blocked.
3. Incoming packets destined for host
192.168.21.3 are blocked.
4. All well-known services to the
network 192.168.21.0 are allowed.
• Simplest form of firewalls
• Controls access based on packet address (source or destination) or specific transport
protocol type (HTTP, Telnet)
• Doesn’t inspect data inside the packet and treats each packet in isolation. It has no
ability to judge whether a packet is part of an existing stream of traffic.
• Can detect outside traffic with a forged source header
• Uses separate interface cards for inside and outside
• Cannot implement complex rules
Stateful Inspection Firewall
• Stateful inspection firewalls judge traffic based on information from
multiple packets
• Stateful firewalls (performing Stateful Packet Inspection) are able to
determine the connection state of a packet, which makes them more efficient
• They keep track of the state of network connections travelling across them,
such as TCP streams
• Filtering decisions are based not only on the defined rules but also on the
packet’s history in the state table
• If someone is trying to scan ports in a short time, the firewall will block
that host
• Ex: the first attempt (port 1) from 10.1.3.1 will be allowed but the access
time recorded, port 2 allowed, port 3 allowed, but at port 4 the abnormal
behavior is noticed and the attempt is disallowed
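The port-scan scenario on this slide as a small state table in Python, added here as an example and not part of the course material. The threshold of three distinct ports and the ten-second window are constructed values; 10.1.3.1 is the slide's scanning host.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Sequence, Set, Tuple


class StatefulFilter:
    """Per-source state table: remembers recent (time, destination port) pairs
    and blocks a host that touches too many distinct ports inside the window."""

    def __init__(self, max_ports: int = 3, window_s: float = 10.0) -> None:
        self.max_ports = max_ports   # distinct ports tolerated within the window
        self.window_s = window_s     # sliding window length in seconds
        self.state: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def inspect(self, src: str, dport: int, now: float) -> str:
        """Return "allowed" or "blocked" for one connection attempt."""
        if src in self.blocked:
            return "blocked"                 # once flagged, the host stays blocked
        history = self.state[src]
        # Drop entries older than the window so only recent history counts.
        while history and now - history[0][0] > self.window_s:
            history.popleft()
        history.append((now, dport))         # record access time and port, as on the slide
        distinct_ports = {port for _, port in history}
        if len(distinct_ports) > self.max_ports:
            self.blocked.add(src)
            return "blocked"
        return "allowed"


def scan_sequence(fw: StatefulFilter, src: str, ports: Sequence[int],
                  start: float, step: float) -> List[str]:
    """Feed one host's connection attempts, spaced `step` seconds apart,
    and return the verdict for each port."""
    return [fw.inspect(src, p, start + i * step) for i, p in enumerate(ports)]


if __name__ == "__main__":
    # The slide's scenario: ports 1, 2, 3 from 10.1.3.1 pass; port 4 is disallowed.
    print(scan_sequence(StatefulFilter(), "10.1.3.1", [1, 2, 3, 4, 5], 0.0, 0.5))
    # Repeated connections to the same port are not a scan and stay allowed.
    print(scan_sequence(StatefulFilter(), "10.1.3.2", [80, 80, 80, 80], 0.0, 0.5))
    # Attempts spread wider than the window are not correlated: the window and
    # threshold must be tuned together, or slow probing slips through.
    print(scan_sequence(StatefulFilter(), "10.1.3.3", [1, 2, 3, 4], 0.0, 20.0))
```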



Application Proxy Firewall
• An application proxy firewall simulates the behavior of a protected
application on the inside network, allowing in only safe data
• The application proxy intrudes in the middle of the protocol between sender
and receiver, similar to a man in the middle
• The proxy interprets the protocol stream as an application would and takes
control action based on things visible inside the protocol
• The proxy acts as an intermediary between two end systems. It can filter
traffic at the application level.
• The client must send a request to the firewall, where it is then evaluated
against a set of security rules and then permitted or blocked.
• Proxy firewalls monitor traffic for layer 7 protocols (HTTP, FTP etc) and
use both stateful and deep packet inspection to detect malicious traffic.
Circuit Level Gateway

• This firewall allows one network to be an extension of another network
and functions as a virtual gateway between the two networks
• The firewall verifies the circuit at the time of creation, after which data
transfer is normal
• VPNs are implemented through circuit level gateways



Guard Firewall

• A guard is a proxy type firewall
• A guard implements a programmable set of conditions, even if the
programmed conditions become very sophisticated
• Great firewall of China (Golden Shield Program) is a guard
firewall. It filters content based on government restrictions/ rules.
• Initiated, developed, and operated by the Ministry of Public Security (MPS)
• Blocks politically inconvenient incoming data from foreign countries
• Web sites belonging to "outlawed" or suppressed groups, such as pro-
democracy activists



Personal Firewall

• A personal firewall is a program that runs on a single host to monitor
and control traffic to that host
• It works in conjunction with support from operating system
• Ex: SaaS Endpoint Protection (McAfee), F-Secure Internet Security,
Microsoft Windows Firewall, Zone Alarm, Checkpoint
• Personal firewalls:
• List of safe/unsafe sites
• Policy to download code/files
• Unrestricted data sharing
• Management access from corporate but not from outside
• Combine action with anti-virus software



Network Address Translation (NAT)
• Allow multiple devices with independent
network addresses to connect to the internet
using a single IP address, keeping individual IP
addresses hidden.
• Hence, attackers scanning a network for IP
addresses can't capture specific details,
providing greater security against attacks.
• NAT firewalls are similar to proxy firewalls in
that they act as an intermediary between a
group of computers and outside traffic.

• Every packet between two hosts contains source address & port and destination
address & port
• A NAT firewall conceals real internal addresses from outsiders, who don’t know the
real addresses and cannot access them directly
• The firewall replaces the source address with its own address and keeps entries of the
original source address & port and destination address & port in a mapping table.
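The mapping table described above, written out as an added Python example (not code from the slides). The firewall rewrites the internal source address and port to its own public address and a fresh port, and lets an inbound packet through only when it matches an entry created by an earlier outbound one. All addresses (198.51.100.1 public side, 192.168.1.x clients, 203.0.113.x servers) are constructed.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


class NatFirewall:
    """NAT mapping table: internal (address, port) pairs are replaced by the
    firewall's public address and a fresh port; only replies that match an
    existing entry are translated back and admitted."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Flow, int] = {}   # internal flow -> public source port
        self.in_table: Dict[int, Flow] = {}    # public source port -> internal flow

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate a packet leaving the protected network."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_table:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[flow] = public_port  # remember the original addresses and ports
            self.in_table[public_port] = flow
        # The source address and port become the firewall's own.
        return (self.public_ip, self.out_table[flow], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Translate a packet arriving from outside; None means it is dropped."""
        if dst_ip != self.public_ip:
            return None                            # internal addresses are never reachable directly
        flow = self.in_table.get(dst_port)
        if flow is None:
            return None                            # unsolicited: no mapping exists
        in_ip, in_port, mapped_dst_ip, mapped_dst_port = flow
        if (src_ip, src_port) != (mapped_dst_ip, mapped_dst_port):
            return None                            # reply from a host the client never contacted
        return (src_ip, src_port, in_ip, in_port)  # restore the internal destination


if __name__ == "__main__":
    nat = NatFirewall("198.51.100.1")
    print(nat.outbound("192.168.1.10", 51000, "203.0.113.7", 443))  # rewritten source
    print(nat.inbound("203.0.113.7", 443, "198.51.100.1", 40000))   # reply translated back
    print(nat.inbound("203.0.113.9", 443, "198.51.100.1", 40000))   # None: wrong peer
```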



Next Generation Firewalls (NGFW)
• Combines traditional firewall technology with additional
functionality, such as encrypted traffic inspection, intrusion
prevention systems, anti-virus etc.
• Has deep packet inspection (DPI) capability. While basic firewalls
only look at packet headers, deep packet inspection examines the
data within the packet itself, enabling users to more effectively
identify, categorize, or stop packets carrying malicious traffic
• TCP handshake checks
• Surface level packet inspection
• May also include other technologies as well, such as intrusion
prevention systems (IPSs) that work to automatically stop attacks
against network



Next Generation Firewalls (NGFW)
• According to Gartner, a next-generation firewall must include:
• Standard firewall capabilities like stateful inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats
• Examples: FortiGate (Fortinet), Cisco ASA, Cisco Meraki MX, Sophos XG,
SonicWall TZ, CheckPoint, Palo Alto, Juniper etc



Threat Focused NGFW
• These firewalls include all the capabilities of a traditional NGFW
and also provide advanced threat detection and remediation. With
a threat-focused NGFW you can:
• Know which assets are most at risk with complete context awareness
• Quickly react to attacks with intelligent security automation that sets policies
and hardens your defenses dynamically
• Better detect evasive or suspicious activity with network and endpoint event
correlation
• Greatly decrease the time from detection to clean-up with retrospective
security that continuously monitors for suspicious activity and behaviour
even after initial inspection
• Ease administration and reduce complexity with unified policies that protect
across the entire attack continuum



NGFW Features
• Breach prevention and advanced security
• Prevention to stop attacks before they get inside
• A best-of-breed next-generation IPS built-in to spot stealthy threats and stop them fast
• URL filtering to enforce policies on hundreds of millions of URLs
• Built-in sandboxing and advanced malware protection that continuously analyzes file behavior
to quickly detect and eliminate threats
• A world-class threat intelligence organization that provides the firewall with the latest
intelligence to stop emerging threats
• Comprehensive network visibility
• Threat activity across users, hosts, networks, and devices
• Where and when a threat originated, where else it has been across your extended
network, and what it is doing now
• Active applications and websites
• Communications between virtual machines, file transfers, and more



NGFW Features
• Flexible management and deployment options
• Management for every use case--choose from an on-box manager or centralized
management across all appliances
• Deploy on-premises or in the cloud via a virtual firewall
• Customize with features that meet your needs--simply turn on subscriptions to get
advanced capabilities
• Choose from a wide range of throughput speeds
• Fastest time to detection
• Detect threats in seconds
• Detect the presence of a successful breach within hours or minutes
• Prioritize alerts so you can take swift and precise action to eliminate threats
• Make your life easier by deploying consistent policy that's easy to maintain, with
automatic enforcement across all the different facets of your organization



NGFW Features
• Automation and product integrations
• Seamlessly integrates with other tools from the same vendor
• Automatically shares threat information, event data, policy, and contextual
information with email, web, endpoint, and network security tools
• Automates security tasks like impact assessment, policy management and tuning,
and user identification



Comparison of Firewalls



DMZ (De-Militarized Zone)
• A DMZ Network (De-Militarized Zone)
functions as a subnetwork containing
an organization's exposed, outward-
facing services.
• The goal of a DMZ is to add an extra
layer of security to an organization's
local area network. A protected and
monitored network node that faces
outside the internal network can
access what is exposed in the DMZ,
while the rest of the organization's
network is safe behind a firewall.
• A DMZ gives extra protection in
detecting and mitigating security
breaches before they reach the
internal network, where valuable
assets are stored.



Objective of DMZ

• A DMZ network protects the hosts most vulnerable to attack. These hosts
usually run services that extend to users outside of the local area
network, like email, web servers, and DNS servers.
• Because of the increased potential for attack, they are placed into the
monitored subnetwork to help protect the rest of the network if they
become compromised.
• Hosts in the DMZ have tightly controlled access permissions to other
services within the internal network, because the data passed through the
DMZ is not as secure.
• All services accessible to users communicating from an external network
should be placed in the DMZ. The most common services are: web server,
mail server, FTP server etc.



Single Firewall DMZ

• Requires a single firewall and a minimum of 3 network interfaces.
• The DMZ is placed inside this firewall.
• The tiers of operation are as follows:
• The external network device makes the connection from the ISP
• The internal network is connected by the second device
• Connections within the DMZ are handled by the third network device.



Dual Firewall DMZ

• A more secure approach is to use two firewalls to create a DMZ.
• The first firewall (referred to as the “frontend” firewall) is
configured to only allow traffic destined for the DMZ.
• The second firewall (referred to as the “backend” firewall) is only
responsible for the traffic that travels from the DMZ to the internal
network.
• An effective way of further increasing protection is to use firewalls
built by separate vendors, because they are less likely to have the
same security vulnerabilities.
• While more effective, this scheme can be more costly to
implement across a large network.



Firewall Limitations

• A firewall can protect an environment only if it controls the entire
perimeter
• Firewalls do not protect data outside perimeter
• Firewalls are most visible part of an installation to outsiders and hence most
attractive target for attack
• Firewalls must be configured correctly and the configuration must be updated
as the internal and external environment changes
• Firewalls are targets for intruders, check firewall logs periodically for evidence
of attempted or successful intrusions
• Firewalls exercise only limited control over the content inside packet and
hence may not be able to stop malicious code or inaccurate data completely



Data Loss Prevention (DLP)
• Set of technologies designed to detect and possibly prevent attempts to send
data where it is not allowed to go
• Classified documents, proprietary information, personal information etc, in light
of the WikiLeaks / Edward Snowden scandals
• Two implementations of DLP:
• Agent based: Installed as a rootkit to monitor user behavior like network
connections, file access, applications run etc
• Application based: Software agents to monitor email, file transfer etc
• DLP looks for indicators:
• Keywords: set of identified words in the data
• Traffic patterns: bulk file transfer, file sharing, connection to outside email etc
• Encoding/encryption: block outgoing files that it can’t decode/decrypt



Leading Enterprise Firewall Products

• Fortinet Fortigate
• Cisco ASA NGFW
• pfSense
• Sophos UTM
• WatchGuard Firebox
• Meraki MX Firewalls
• Juniper SRX
• Palo Alto Network VM-Series




SSZG681: Cyber Security


Lecture No: 06
Strategic Defenses
Agenda
• Intrusion Evasion Techniques
• Intrusion Detection Systems (IDS)
• Overview and types of IDS
• Methods used by IDS
• IDS benefits
• IDS strengths and limitations
• IDS products
• Intrusion Prevention Systems (IPS)
• Overview and working of IPS
• Methods used by IPS
• Preventive actions by IPS
• IPS products
• IDS v/s IPS
• Firewall v/s IDS v/s IPS
Intrusion Evasion Techniques
• Fragmentation: Sending fragmented packets allows an attacker to stay under the
radar, bypassing the detection system's ability to detect the attack signature.
• Avoiding defaults: A port utilized by a protocol does not always provide an
indication to the protocol that’s being transported. If an attacker had
reconfigured it to use a different port, the IDS may not be able to detect the
presence of a trojan.
• Coordinated, low-bandwidth attacks: coordinating a scan among numerous
attackers, or even allocating various ports or hosts to different attackers. This
makes it difficult for the IDS to correlate the captured packets and deduce that a
network scan is in progress.
• Address spoofing/proxying: attackers can obscure the source of the attack by
using poorly secured or incorrectly configured proxy servers to bounce an attack.
If the source is spoofed and bounced by a server, it makes it very difficult to
detect.
• Pattern change evasion: IDS rely on pattern matching to detect attacks. By
making slight adjustments to the attack architecture, detection can be avoided.
Intrusion Detection System
(IDS)



What is an IDS?

• An Intrusion Detection System (IDS) is a system that monitors network
traffic for suspicious activity and issues alerts when such activity is
discovered
• An IDS is like a smoke detector that raises an alarm if specific events
occur
• The IDS response may be:
• Manual: raise an alarm for someone to take action
• Automated: go into protection mode to isolate the intruder (IPS)



How does IDS Work?
• Raw inputs from sensors
• Data storage of raw inputs
• Analysis of events
• Intrusion identification
• Countermeasure plan
• Response to events



What are IDS Functions?
• Monitor the operation of routers, firewalls, key management servers and files
that are needed by other security controls aimed at detecting, preventing or
recovering from cyberattacks
• Help administrators to tune, organize and understand relevant operating
system audit trails and other logs that are often otherwise difficult to track or
parse
• Assess integrity of critical system files for vulnerabilities and misconfiguration
• Provide a user-friendly interface so non-expert staff members can assist with
managing system security
• Build and maintain an extensive attack signature database against which
information from the system can be matched
• Recognize and report when data files have been altered



What are IDS Functions?...
• Manage audit trails and highlight user violations of policy or normal activity
• Correct system configuration errors
• Install and operate traps to record information about intruders
• Generate an alarm and notify when security has been breached
• React to intruders by blocking them or blocking the server



Goals for IDS

An IDS should be simple, fast and accurate

• Filter on packet headers
• Filter on packet contents
• Filter in real time (on-line) mode
• Maintain connection state
• Use complex, multipacket signatures
• Use a minimal number of signatures with maximum effect
• Hide its presence
• Use an optimal sliding-time window size to match signatures



IDS Types
• Host based: Runs on a single host to protect that particular host
• Network based: A separate device attached to a network to
monitor traffic through that network



Host Based IDS (HIDS)
• Examines events on a computer in a network rather than the traffic that
passes around the system.
• Mainly operates by looking at data in admin files including log and config files
on the computer that it protects.
• A HIDS will back up the config files so the system can restore settings, should a
malevolent virus loosen the security of the system by changing the setup of
the computer.
• Another key element that it guards is root access on Unix-like platforms or
registry alterations on Windows systems. A HIDS won’t be able to block
these changes, but it would be able to raise an alert if any such access occurs.
• HIDS must be installed on each host it is expected to monitor for effective
monitoring of overall network.
• This ensures that config changes on any of the host are not overlooked.
• A distributed HIDS system needs to include a centralized control module.



Network Based IDS (NIDS)
• NIDS examines the traffic on the network. A typical NIDS includes a packet
sniffer in order to gather network traffic for analysis.
• The analysis engine of a NIDS is rule-based which supports addition, deletion
and modification of rules.
• With many NIDS, the provider of the system, or the user community make
rules available which can be imported into system for implementation.
• There is no need to dump all of the traffic into files or run the whole lot
through a dashboard because it wouldn’t be able to analyze all of that data.
• Rules that drive analysis in a NIDS also create selective data capture. For
example, if there is a rule for a type of worrisome HTTP traffic, NIDS should
only pick up and store HTTP packets that display those characteristics.
• Typically, a NIDS is installed on a dedicated piece of hardware. A NIDS
requires a sensor module to pick up traffic, so it should be possible to load it
onto a LAN analyzer, or may choose to allocate a computer to run the task.



Front-End IDS

• Placed at the entry point of a network
• Monitors traffic coming to the network
• Can analyze the traffic and initiate action against
suspicious traffic
• Visible to outside world and is exposed to attack
• Can not monitor internal traffic



Internal IDS

• Monitors activity within the network
• Can spot suspicious activities from within the network
• If an attacker sends a normal packet to a compromised
machine and asks it to launch DOS attack, this
implementation will be able to spot it
• Well protected from outside attack
• Can learn the typical behavior of internal users and spot
any sudden change in their behavior



NIDS v/s HIDS
• A NIDS gives a lot more
monitoring power than a HIDS
as it can intercept attacks as
they happen, whereas a HIDS
only notices anything wrong
once a file or a setting on a
device has already changed
• NIDS is usually installed on a
stand-alone piece of equipment
and doesn’t drag down the
server processors
• The activity of HIDS is not as
aggressive as that of NIDS and
can be fulfilled by a lightweight
daemon on the computer with
very small load on host CPU
• Neither NIDS nor HIDS generate
extra network traffic



IDS Methods
• Signature based:
• Monitors all the packets traversing the network
• Compares traffic against a database of signatures or attributes of known
malicious threats
• Works similarly to antivirus software
• Anomaly based:
• Monitors network traffic and compares it against an established baseline
• Determines what is considered normal for the network with respect to
bandwidth, protocols, ports and other devices
• Also known as heuristic based IDS



Signature Based IDS
• Monitors for known patterns of malicious behavior
• Port scan, e.g. the same sender trying to communicate with multiple ports at the
same time
• Abnormal packet sizes, e.g. an ICMP packet size of 65535 will crash the
protocol stack
• Use statistical analysis to identify malicious behavior
• Works well with ping, echo-chargen type of DDOS attacks
• Attacker may change signature of attack
• Conversion to upper/lowercase
• Conversion to symbols/ASCII character set
• Induction of spurious packet in between
• Change of signature
• Attacks with new signatures can’t be detected
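An added Python example (not from the slides) of the defensive answer to the first two signature changes listed above: canonicalize the payload (decode percent-encoded ASCII, fold case) before matching, and match over the reassembled stream rather than one segment at a time. The two signature strings and the request lines are constructed test data, not a real rule set.

```python
from typing import Iterable, List
from urllib.parse import unquote

# Constructed signature list: substrings that should never appear in requests
# reaching the protected web server.
SIGNATURES = ["/etc/passwd", "cmd.exe"]


def canonicalize(payload: str) -> str:
    """Undo the disguises the slide lists before matching: percent encoding of
    ASCII characters (including double encoding) and upper/lowercase changes."""
    decoded = unquote(payload)
    while decoded != unquote(decoded):   # keep decoding until the text is stable
        decoded = unquote(decoded)
    return decoded.lower()


def naive_match(payload: str) -> List[str]:
    """Literal matching: what a signature engine without normalization sees."""
    return [sig for sig in SIGNATURES if sig in payload]


def canonical_match(payload: str) -> List[str]:
    """The same signatures applied after canonicalization."""
    canon = canonicalize(payload)
    return [sig for sig in SIGNATURES if sig in canon]


def stream_match(segments: Iterable[str]) -> List[str]:
    """Match over the reassembled stream so a signature split across several
    packets is still visible to the engine."""
    return canonical_match("".join(segments))


if __name__ == "__main__":
    disguised = "GET /%45TC/PASS%57D HTTP/1.0"          # constructed request line
    print(naive_match(disguised))                        # []
    print(canonical_match(disguised))                    # ['/etc/passwd']
    print(stream_match(["GET /etc/pa", "sswd HTTP/1.0"]))  # ['/etc/passwd']
```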
Anomaly Based IDS
• Monitors abnormal behavior:
• One user normally performs email reading, word processing and file backup activities
• If suddenly he starts executing administrator functions then it’s suspicious – someone
else might be using his account
• Monitors the system ‘dirtiness’ factor and raises alarm when it crosses a
threshold.
• Activities classified as good/benign, suspicious, unknown
• Evaluates the combined impact of a set of events
• Ana tries to connect to Amit’s machine, Amit’s machine denies access (unusual)
• Ana tries to connect to Abhay’s machine, gets an open port and connects (more
unusual)
• Ana obtains listing of folder from Abhay’s machine (suspicious)
• Ana copies files from Abhay’s machine (attack – raise alarm)
• Inference engine makes the decision to categorize actions and raise alarm
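The two scenarios on this slide (a user leaving their usual activity profile, and Ana's escalating sequence against Amit's and Abhay's machines) as an added Python example, not code from the course. The per-event weights and the score bands are constructed; the inference engine simply accumulates a per-user "dirtiness" score and classifies it.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed weights: how much one event of each kind adds to a user's score.
EVENT_WEIGHTS: Dict[str, int] = {
    "connect_denied": 1,      # remote machine refused the connection: unusual
    "connect_open_port": 2,   # found an open port and connected: more unusual
    "list_directory": 3,      # listing a folder on another machine: suspicious
    "copy_files": 4,          # copying files off another machine: attack
    "admin_function": 4,      # administrator action from a non-admin account
}


def classify(score: int) -> str:
    """Constructed score bands for the cumulative per-user score."""
    if score == 0:
        return "benign"
    if score <= 3:
        return "unusual"
    if score <= 7:
        return "suspicious"
    return "alarm"


class AnomalyEngine:
    """Inference engine that weighs events against each user's baseline and
    raises the alarm when the cumulative score crosses the top band."""

    def __init__(self, baselines: Dict[str, Set[str]]) -> None:
        self.baselines = baselines                   # user -> activities normal for them
        self.scores: Dict[str, int] = defaultdict(int)

    def observe(self, user: str, activity: str) -> Tuple[str, int]:
        """Weigh one event, add it to the user's running score, classify the result."""
        if activity in self.baselines.get(user, set()):
            weight = 0                               # fits the established baseline
        else:
            weight = EVENT_WEIGHTS.get(activity, 2)  # unknown activity: treated as unusual
        self.scores[user] += weight
        return classify(self.scores[user]), self.scores[user]


# Ana normally reads email, edits documents and runs backups (as on the slide).
ANA_BASELINE = {"ana": {"email", "word_processing", "file_backup"}}


def ana_scan_scenario() -> List[str]:
    """The slide's sequence: denied by Amit's machine, open port on Abhay's,
    folder listing, then files copied."""
    engine = AnomalyEngine(ANA_BASELINE)
    events = ["connect_denied", "connect_open_port", "list_directory", "copy_files"]
    return [engine.observe("ana", act)[0] for act in events]


def baseline_drift_scenario() -> List[str]:
    """Normal work followed by sudden administrator functions."""
    engine = AnomalyEngine(ANA_BASELINE)
    events = ["email", "word_processing", "admin_function", "admin_function"]
    return [engine.observe("ana", act)[0] for act in events]


if __name__ == "__main__":
    print(ana_scan_scenario())        # ['unusual', 'unusual', 'suspicious', 'alarm']
    print(baseline_drift_scenario())  # ['benign', 'benign', 'suspicious', 'alarm']
```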



Inference Engine Types

• State based
• Monitors the system going through an overall state change
• Identify when a system has veered into unsafe state
• Model based
• List of known bad activities
• Each activity has a degree of bad
• Action when an activity of certain bad degree occurs
• Overall cumulative activities cross a certain degree of bad
• Misuse intrusion detection
• Compare real activity with a known representation of normality
• Ex: the password file being accessed by utilities other than login, change
password, create user etc



Stateful Protocol Analysis: SYN Flood
Attack



Other IDS Technologies…
• Protocol-based Intrusion Detection System (PIDS): comprises a system or
agent that resides at the front end of a server, controlling and interpreting the
protocol between a user/device and the server. It tries to secure the web
server by regularly monitoring the HTTPS protocol stream and accepting the
related HTTP protocol.
• Application Protocol-based Intrusion Detection System (APIDS): a system or
agent that resides within a group of servers. It identifies intrusions by
monitoring and interpreting the communication on application specific
protocols. For example, this would monitor the SQL protocol explicit to the
middleware as it transacts with the database in the web server.
• Hybrid Intrusion Detection System: a combination of two or more approaches
to intrusion detection. In this, host agent or system data is combined with
network information to develop a complete view of the network system. A
hybrid intrusion detection system is more effective in comparison to the other
intrusion detection systems. Prelude is an example of a hybrid IDS
Other IDS Technologies…

• Code modification checkers: compares the active version of source code with
saved version (Tripwire)
• Vulnerability scanners: checks and report known vulnerabilities and flaws in a
network (ISS Scanner, Nessus)



Accurate Situation Assessment
• Accuracy is an important factor for an IDS, else administrators will have a
trust deficit
• False Positive: Alarm raised when no real attack happened
• False Negative: No alarm raised when a real attack happened

• Sensitivity: both False Positives and False Negatives should be minimized



Stealth Mode

• The IDS runs in stealth mode to avoid attack (DDOS etc)
• The IDS has two network interfaces:
• A. For the network being monitored: used only for inputs; this interface
is not published, it is a wiretap
• B. For alerts: a separate control network interface is configured



IDS Strengths and Limitations

• Strengths:
• Can detect ever growing number of attacks
• New signatures can be configured
• Have become cheaper and easy to operate
• Can operate in stealth mode to avoid attackers

• Limitations:
• Requires strong defense else attacker can render an IDS ineffective
• Attackers tend to gain insight into IDS working over a period of time
• Poor sensitivity could limit accuracy
• Someone needs to monitor IDS reports for actions



Benefits of IDS
• Ability to identify security incidents and help analyze the quantity and types of
attacks
• Help organizations to change their security systems or implement more
effective controls
• Identify bugs or problems with their network device configurations
• Use IDS data to assess future risks
• Help the enterprise attain required regulatory compliances by providing
greater visibility across their networks
• Use IDS logs as part of the documentation to show regulators that they are
meeting certain compliance requirements.
• Improve response to security incidents
• Inspect data within the network packets and identify the operating system
services being used



Popular IDS Products
• SolarWinds Security Event Manager: Combines both HIDS and NIDS functionality to give full
Security Information and Event Management (SIEM) system
• Snort: Provided by Cisco Systems and free to use, a leading network-based intrusion detection
system
• OSSEC: Excellent host-based intrusion detection system that is free to use
• Suricata: Network-based intrusion detection system that operates at the application layer for
greater visibility
• Bro: Network monitor and network-based intrusion prevention system
• Sagan: Log analysis tool that can integrate reports generated on snort data, so it is a HIDS with a bit
of NIDS
• Security Onion: Network monitoring and security tool made up from elements pulled in from other
free tools
• AIDE: Advanced Intrusion Detection Environment is a HIDS for Unix, Linux, and MacOS
• OpenWIPS-NG: Wireless NIDS and intrusion prevention system from makers of Aircrack-NG
• Samhain: HIDS for Unix, Linux, and Mac OS
• Fail2Ban: Lightweight HIDS for Unix, Linux, and Mac OS



IDS Products Comparison



Snort



Intrusion Prevention System (IPS)



What is an IPS?

• An IPS is a network security application that monitors network or system
activities for malicious activity
• The IPS identifies malicious activity, collects information about this
activity, reports it and attempts to block or stop it
• An Intrusion Prevention System is also known as an Intrusion Detection
and Prevention System
• An IPS is an IDS with in-built protective response capability



How Does an IPS Work?

• An IPS performs real-time packet inspection, deeply inspecting every
packet that travels across the network. If any malicious or suspicious
packets are detected, the IPS will carry out one of the following actions:
• Terminate the TCP session that has been exploited and block the offending
source IP address or user account from accessing any application, target
hosts or other network resources unethically.
• Reprogram or reconfigure the firewall to prevent a similar attack occurring
in the future.
• Remove or replace any malicious content that remains on the network
following an attack. This is done by repackaging payloads, removing header
information and removing any infected attachments from file or email
servers.



How Does IPS Work?...
• Signal an alert to other protection components
• Cut-off user access
• Reject traffic from identified sources
• Block all users to access a particular resource
• Call a human
• High numbers of generated alarms may escape human attention
• Happened with Target in Nov/Dec 2013 where Russian hacker stole 40Mn credit card
details



IPS Types
• Network-based intrusion prevention system (NIPS): Monitors the
entire network for suspicious traffic by analyzing protocol activity.
• Wireless intrusion prevention system (WIPS): Monitors a
wireless network for suspicious traffic by analyzing wireless
networking protocols.
• Network behavior analysis (NBA): Examines network traffic to
identify threats that generate unusual traffic flows, such as
distributed denial of service attacks, specific forms of malware
and policy violations.
• Host-based intrusion prevention system (HIPS): An installed software
package which monitors a single host for suspicious activity by
scanning events that occur within that host.



IPS Detection Methods
• Signature-based: inspects packets in the network and compares them with pre-built
and predefined attack patterns known as signatures.
• Statistical anomaly-based: monitors network traffic and compares it against an
established baseline. The baseline identifies what is normal for that network
and what protocols are used. However, it may raise a false alarm if the
baselines are not intelligently configured.
• Stateful protocol analysis: recognizes divergence of protocols stated by
comparing observed events with pre-built profiles of generally accepted
definitions of not harmful activity.
• Policy-based: requires administrators to configure security policies according
to organizational security policies and the network infrastructure. When an
activity occurs that violates a security policy, an alert is triggered and sent to
the system administrators.

BITS Pilani, Pilani Campus
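The detection methods above, as an added example in Python (not from the lecture or from any IPS product): a toy in-line inspector applies constructed signatures, a statistical byte-count baseline learned per destination port, and an allowed-port policy to constructed flow records. All addresses, payloads, patterns and thresholds are constructed for illustration.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src: str       # source address (constructed)
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow
    payload: str   # application-layer content, as text


# Signature-based: pre-built attack patterns compared against packet content.
# Both patterns are constructed for this example, not taken from any product.
SIGNATURES = [
    ("sqli-union-select", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]

# Policy-based: an administrator-configured rule, here the only services the
# organization exposes; any other destination port violates policy.
ALLOWED_DPORTS = {80, 443}


def signature_hits(flow: Flow) -> List[str]:
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES if pat.search(flow.payload)]


class ByteBaseline:
    """Statistical anomaly-based: learn mean and standard deviation of bytes per
    flow for each destination port from traffic assumed clean; a flow more than
    k standard deviations from that mean is anomalous."""

    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.samples: Dict[int, List[int]] = {}

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.samples.setdefault(f.dport, []).append(f.nbytes)

    def is_anomalous(self, flow: Flow) -> bool:
        s = self.samples.get(flow.dport, [])
        if len(s) < 2:
            # No usable baseline for this port: the situation in which a poorly
            # configured baseline produces false alarms. Flagging it makes the
            # gap visible instead of silently passing the traffic.
            return True
        mu, sd = statistics.mean(s), statistics.pstdev(s)
        if sd == 0:
            return flow.nbytes != mu
        return abs(flow.nbytes - mu) / sd > self.k


@dataclass
class Verdict:
    action: str          # "drop", "alert" or "pass"
    reasons: List[str]


def inspect_flow(flow: Flow, baseline: ByteBaseline) -> Verdict:
    """In-line decision. Signature and policy violations are dropped outright;
    a statistical anomaly on its own only raises an alert for a human to
    review, since the baseline method is the one most prone to false alarms."""
    reasons = [f"signature:{name}" for name in signature_hits(flow)]
    if flow.dport not in ALLOWED_DPORTS:
        reasons.append(f"policy:port-{flow.dport}-not-allowed")
    if reasons:
        return Verdict("drop", reasons)
    if baseline.is_anomalous(flow):
        return Verdict("alert", [f"anomaly:{flow.nbytes}-bytes-to-port-{flow.dport}"])
    return Verdict("pass", [])


def build_baseline() -> ByteBaseline:
    """Train on constructed flows assumed to represent normal traffic."""
    clean = [Flow("10.0.0.5", 443, b, "TLS application data")
             for b in (1200, 1300, 1250, 1100, 1350, 1280, 1220, 1190)]
    clean += [Flow("10.0.0.6", 80, b, "GET /index.html HTTP/1.1")
              for b in (500, 520, 480, 510, 530, 490)]
    baseline = ByteBaseline(k=3.0)
    baseline.learn(clean)
    return baseline


def run_demo() -> List[str]:
    """Inspect four constructed flows and return the action taken for each."""
    baseline = build_baseline()
    flows = [
        Flow("198.51.100.7", 443, 1260, "TLS application data"),                # normal
        Flow("198.51.100.8", 80, 9_000_000, "GET /index.html HTTP/1.1"),         # volume anomaly
        Flow("198.51.100.9", 80, 505, "GET /?id=1 UNION SELECT pw FROM users"),  # signature
        Flow("198.51.100.10", 23, 64, "login: admin"),                           # policy violation
    ]
    actions = []
    for f in flows:
        verdict = inspect_flow(f, baseline)
        print(f"{f.src} -> port {f.dport}: {verdict.action} {verdict.reasons}")
        actions.append(verdict.action)
    return actions


if __name__ == "__main__":
    run_demo()
```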


Adaptive Behavior

IPS can be configured to initiate the following actions:

• Continue to monitor the network
• Block the attack by re-directing attack traffic to a monitoring host,
discarding the traffic or terminating the session
• Re-configure the network by bringing other hosts on-line
(increase capacity) or adjusting load balancers
• Adjust performance to slow the attack, i.e. drop some of the
incoming traffic
• Deny access to particular network hosts or services
• Shut down the whole network


Counter Attack

• The final option against an attack is counterattack
• A counterattack must be taken only after careful thought and caution
• Reasons for caution:
• The apparent attacker may not be the real attacker; taking action against the wrong
party could make matters worse
• A counterattack may lead to a real-time info-war battle
• Legality may shift: taking offensive action may expose one to legal jeopardy
• Provoking the attacker may lead to escalation
• Example: Wikileaks battle in Dec, 2006


Popular IPS Products

• McAfee NSP
• Trend Micro TippingPoint
• HillStone NIPS
• Darktrace Enterprise Immune System
• NSFocus NGIPS
• H3C SecBlade IPS
• Huawei NIP
• Entrust IoTrust Identity and Data Security
• Cisco FirePower NGIPS



Popular IPS Products…
McAfee
  Use cases: NSP is deployed across all market segments in the data center, cloud, or hybrid enterprise environments
  Metrics: Aggregate performance 40 Gbps; maximum number of connections ranges from 40,000 on the 100 Mbps appliance up to 32 million on the 40 Gbps appliance
  Intelligence: Bot analysis, endpoint-enhanced application control, analysis of flow data, self-learning DoS profiles and an analytics feature to report potentially malicious hosts
Trend Micro
  Use cases: Large and very large enterprises
  Metrics: 40 Gbps inspection throughput in a 1U form factor; can be stacked to deliver 120 Gbps in a 3U form factor. Network traffic inspection throughputs 250 Mbps to 120 Gbps
  Intelligence: TippingPoint solutions provide real-time threat prevention for vulnerabilities through Digital Vaccine threat intelligence
Hillstone
  Use cases: Government, finance, education, ISP and enterprise customers
  Metrics: Can identify more than 3,000 applications, including mobile and cloud applications. IPS throughput up to 14 Gbps
  Intelligence: Advanced threat detection engine and abnormal behavior detection engine
Darktrace
  Use cases: Large enterprise sites across all verticals
  Metrics: The Darktrace vSensor extracts only relevant metadata, sending 1% of network traffic onto the master appliance
  Intelligence: Machine learning
NSFocus
  Use cases: Fortune 500 companies, mobile providers, global financial institutions, SMEs and service providers
  Metrics: Up to 20 Gbps of application-layer data processing capacity
  Intelligence: Virtual sandboxing appliance is capable of detecting, analyzing and mitigating known, zero-day, and advanced persistent threats
H3C
  Use cases: All market sizes
  Metrics: Millisecond response to threats
  Intelligence: Defense and traffic pattern self-learning capabilities
Huawei
  Use cases: Large- and medium-size enterprises, as well as carrier-grade enterprises
  Metrics: NIP can identify more than 1,200 network applications
  Intelligence: Protocol anomaly detection, traffic anomaly detection, and heuristic detection
Entrust
  Use cases: Energy, utility, chemical, automotive, telecom and manufacturing
  Metrics: More than 10 million identity and payment credentials daily
  Intelligence: Data filtering, aggregation and integration with edge analytics
Cisco
  Use cases: From remote offices to large data centers
  Metrics: Appliances range from 50 Mbps to 60 Gbps of inspected IDPS throughput
  Intelligence: URL-based security intelligence, AMP Threat Grid integration, security research team


IDS v/s IPS
• IPS are placed in-line and are able to actively prevent or block intrusions
that are detected.
• IPS can take such actions as sending an alarm, dropping detected malicious
packets, resetting a connection or blocking traffic from the offending IP address.
• IPS also can correct cyclic redundancy check (CRC) errors, defragment packet
streams, mitigate TCP sequencing issues and clean up unwanted transport and
network layer options.


Firewalls v/s IDS v/s IPS
• The firewall is the first line of perimeter defense. Best practice recommends that
the firewall be explicitly configured to DENY all incoming traffic, and that you then
open up holes only where necessary, e.g. port 80 to host websites or port 21 to
host an FTP file server.
• Each of these holes may be necessary from one standpoint, but each also
represents a possible vector for malicious traffic to enter the network rather than
being blocked by the firewall.
• That is where an IDS comes in: the IDS monitors inbound and outbound traffic
and identifies suspicious or malicious traffic which may have somehow bypassed
the firewall, or which may be originating from inside the network.
• An IPS is essentially a firewall which combines network-level and
application-level filtering with a reactive IDS to proactively protect the network.



SSZG681: Cyber Security


Lecture No: 07
Management and Incidents
Agenda
• Event, Incident and Incident Management
• Incident Management phases
• Preparation phase
• Security response plan
• Security committee
• Business Continuity Plan
• Detection phase
• Containment, Mitigation and Recovery phase
• Post-review
• Communication phase
• Computer Emergency Response Team (CERT)



Security Incident Management: Key
Definitions
• Cyber Security Event: A cyber security change
that may have an impact on organisational operations (including
mission, capabilities, or reputation).
• Cyber Security Incident: A single or a series of unwanted or
unexpected cyber security events that are likely to compromise
organisational operations.
• Cyber Security Incident Management: Processes for preparing,
for detecting, reporting, assessing, responding to, dealing with
and learning from cyber security incidents.



Basic Principles
• There is no simple one-size-fits-all solution
• Top management’s commitment is paramount: active
involvement with budget
• Involve every member of the organization
• Keep an off-line copy of documents required during an incident
• Don’t link backups to rest of the system
• Importance of logging and of keeping security logs for a certain
period (up to 6 months)
• Keep the cyber security response plan and related information/
documents regularly updated
• Ensure compliance with all legal aspects while managing a cyber
security incident
• Document every step of a cyber security incident

Security Incident Management Phases
1. Preparation phase: Plan how to handle a security incident
• Create a cyber security incident response plan and keep it up to date
• Content of a cyber security incident response plan
• Assigning responsibilities and creating a cyber security incident response
team
• Call upon external experts
• Equip your organisation to address a cyber security incident
• Prepare your communication strategy
• Cyber insurance
2. Detection phase: Identify potential security incidents
• Categories of incidents
• Methods to detect incidents



Security Incident Management Phases
3. Containment, Mitigation & Recovery phase: Handling an actual
security incident
• Convene your cyber security incident response team
• Situational awareness
• Containing a cyber security incident
• Eradication and clean-up
• Recovery
4. Prepare for Future: Follow-up, closure and learnings for future
• Evaluation of lessons learned and future actions: organise a post-incident
review
• Incident tracking and reporting
5. Communication: During and post security incident
• Tools
• Incident specific communication plan
Preparation Phase



Preparation Phase
• Plan how to handle a security incident
• Create a cyber security incident response plan and keep it up to date
• Content of a cyber security incident response plan
• Assigning responsibilities and creating a cyber security incident response
team
• Call upon external experts
• Equip your organisation to address a cyber security incident
• Prepare your communication strategy
• Cyber insurance



Security Response Plan

• A security plan is an official record of current security practices
plus a blueprint for an orderly plan to improve those practices
• The security plan identifies and organizes the security activities of
critical computer assets
• Create a formal document for the cyber security incident response
plan and keep it up to date
• Review the cyber security response plan at regular intervals and
incorporate changes as required
• Define a number of standard operating procedures for common
incidents that are likely to occur in the organization


Security Response Plan: Key Elements
• What to protect
• What is a security incident
• Who has the ultimate responsibility in case of a security incident
• Potential incident categories
• Composition and roles of the incident response team
• How to address technical protection and end-point protection
• Identify vital assets and potential threats
• When will external experts be involved
• Internal and external communication in case of a security incident


Contents of Security Plan

1. Security Policy: Goals for security and the willingness of people to
work to achieve those goals
2. Current State Assessment: Assessment of the current security status
3. Security Requirements: Recommendations to meet the security
goals
4. Recommended Controls: Mapping controls to the vulnerabilities
identified in the policy and requirements
5. Accountability: Who is responsible for each security activity
6. Timetable: When the different security activities are to be done
7. Plan Maintenance: Specifying a process for periodic updating of the
security plan


1: Security Policy

• Documentation of an organization’s security needs and priorities
• High level statement of purpose and intent
• What are the most precious assets for an organization to protect:
• Pharmaceutical: research on new drugs, marketing strategy
• Hospital: Confidentiality of its patients
• TV Studio: Archives of previous broadcasts
• On-line Merchant: Availability of on-line presence
• Trade-off between level of security and cost, inconvenience, time
factors


1: Security Policy…

• The policy document must answer:
• Who should be allowed access?
• To what systems and organizational resources should the access be
allowed?
• What type of access should each user be allowed for each resource?
• The policy document should also specify:
• The organization’s goals on security: protection against data leakage, data loss,
loss of data integrity, loss of business due to system failure etc. Which has the
higher priority: serving customers or securing data?
• Where the responsibility for security lies: should it be with the security
team, each employee or the respective managers?
• The organization’s commitment to security: where does security fit into the
organization structure (a team in some department or an executive level
position), and who provides security support to employees?

2: Current Status Assessment

• What are the current vulnerabilities? Perform a risk analysis
• A systematic analysis of systems, the IT environment and where things
could go wrong
• Listing of current assets, controls in place to protect the assets and
security threats to the assets
• Limits of responsibility for security
• Who is responsible: joint ventures may have one organization providing
security support
• Boundaries of responsibility: who provides security for routers, leased
lines, internal systems, cloud data storage etc?
• Vulnerabilities to the system
• Due to use of the system in an unanticipated manner
• Due to new scenarios or requirements

3: Security Requirements
• Identify assets and potential threats
• Identify businesses and resources that need to be protected
• Determine ’Vital’ assets and resources
• Assign business priority for recovery
• Document how these business systems work: Network schema, equipment
and services inventory, account and access list etc
• Document internal and external security demands
• Document functional and performance requirements for desired
level of security
• Determine compliance to regulatory or commercial standards
• Confidentiality, integrity and availability needs
• Strength and quality level of security required



3: Requirement, Constraints & Controls

Requirement Characteristics
• Correctness
• Consistency
• Completeness
• Realism
• Need
• Verifiability
• Traceability



4: Recommended Controls

• Mechanisms to implement the security requirements
• Vulnerability mapping and methods to address the vulnerabilities
• How the system will be designed and developed to implement the
requirements


5: Accountability
Following questions need to be answered:
• Who is responsible for implementing controls when a new vulnerability is
discovered?
• Who is the internal contact point for cyber security incidents? And how can he
be contacted?
• What are the different incident response tasks? And who is responsible for
doing what?
• Who is managing the incident from business/technical side? This should be
someone within the company with decision-making authority, who will follow
the incident from the beginning until the end.
• Who will liaise with senior management?
• Who can engage the external incident response partner?
• Who can file a complaint with law enforcement/inform the regulatory bodies?
• Who is entitled to communicate with the press and external parties?



5: Accountability…

A smaller organization will need, at a minimum, an Incident Response Manager and ICT Technical Staff

5: Accountability…
• Specific responsibilities
• Users may be responsible for their own personal computers and devices
• Project leaders may be responsible for project data and assets
• Managers may be responsible to ensure that people they supervise
implement security measures
• DBAs may be responsible for access to and integrity of their databases
• Information officers may be responsible for creation, use, retention and
proper disposal of data
• HR may be responsible for screening employees and training them in
security measures
• Document the contact (phone, backup phone, email, residential
address etc) details of security response team members and keep
it in secure place



6: Timetable

• Timeline of how and when the elements of the plan will be
executed
• Major milestone dates
• Expensive and complicated security measures should be
implemented in a gradual manner
• Order of control implementation and a proper training plan for the
same
• Extensible plan to ensure inclusion of new conditions and changes
• Plan should be reviewed periodically


7: Plan Maintenance

• The security plan must be revisited periodically to adapt it to changing
conditions
• Review the security situation periodically to evaluate whether the
system is as secure as it is intended to be
• Changes in users, data, equipment, and new exposures need to be
addressed
• Current means of control may become obsolete or ineffective
• The inventory of assets and list of controls need to be scrutinized and
updated
• The security plan should define the timeline for these periodic reviews


Composition of Security Committee

• A security committee should be constituted representing all
stakeholders (interested parties)
• Representation from different aspects of computer systems like
operating systems, networks, applications etc
• Committee size depends on the size and complexity of the security
requirements of the organization
• Optimum size is between 5 and 9 members
• Sub-committees can be formed to address a particular section of
the security plan (if required)


Commitment to Security Plan
• Plan must be accepted by organization leadership
• Commitment across all organization layers is required for
implementation and execution of security functions
• Three groups of people are MUST for success:
• Management, Operations and Users/Customers
• Planning team must be sensitive to needs of each group affected by plan
• Groups affected by security recommendations must understand what the
plan means for the way they will use the system and perform business
activities
• Management must be committed to use and enforce the security measures
• Training and publicity is critical to understand security objectives
• Users to use the controls properly and effectively



Commitment to Security Plan…

• Security plan must articulate the potential losses v/s cost incurred
in implementing security measures
• Security plan must present technical issues in a language which
can be understood and appreciated by non-technical people
• Security plan should avoid technical jargon and should use
business terminology
• Security plan should describe vulnerabilities and risks in terms of
financial terms for management attention



Business Continuity Planning
• For a business: ‘No computers - means no customers - means no
sales - means no profit’
• For government, educational and non-profit agencies: ‘No computers means no
effective services to customers, hence adverse future impact’
• 80 percent of the organizations affected by security disasters close
down in 18-24 months
• Business Continuity Plan (BCP) documents how business will
function during or after a computer security incident
• Normal security plan covers computer security during normal operations
protecting against vulnerabilities
• BCP deals with situations having:
• Catastrophic situations: all or major part of computing capacity is unavailable
• Long duration: outage is expected to last so long that business will suffer
Business Continuity Planning…
• BCP guides response to a crisis that threatens the business
existence
• Fire destroys the complete network of the company
• Seemingly permanent failure of software renders the computing system
unusable
• Abrupt failure of a supplier of electricity, network, telecom, or other critical
service component
• Natural disasters prevent support staff from reaching the operation centre
• The strategy for coping with such critical situations is advance planning
and preparation. The BCP steps are:
• Assess the business impact of the crisis
• Develop a strategy to control the impact
• Develop and implement a plan for the strategy


Business Continuity Plan Steps

1. Assess business impact
2. Develop strategy
3. Develop plan


1: Assess Business Impact

• What are the essential assets – things if lost will prevent doing
business
• Network, customer reservation system, traffic controllers etc
• What could disrupt availability of these assets – what are the
vulnerabilities
• A network could be unavailable due to failure, loss of power or corruption
• What is the minimum set of assets or activities required to keep
business operational to some degree
• Prepare manual system for such activities



2: Develop Strategy

• Plan to safeguard critical assets
• Create backups, redundant hardware and manual processes as
alternatives
• Plan for operations at reduced capacity
• Plan for service from another center (in the case of call centers)
• Identify which functions to preserve: half of A and half of B, or all of A
• Define a timeframe for restoration of the business to normal
• Define a strategy with multiple steps depending on how much and how
long the business will be disabled
• BCP forces a company to set base priorities
• The strategy must result in the selection of the best alternatives


3: Develop Plan
• The plan specifies who is in charge when an incident occurs, what to do and
who does it
• Defines and justifies advance arrangements: redundant site, backup hardware,
stockpiling supplies etc
• Advance training of people to respond to a crisis
• Documented action procedures
• Person in charge
• Declares the start and end of the emergency
• Decides on the actions best suited to the situation at a given moment
• The focus of the plan is
• To concentrate on critical assets and serious vulnerabilities so that business
disruption does not last long
• To keep the business going while someone else addresses the crisis
• The BCP focuses on business needs


Detection Phase



How to identify Incidents?

• Identify warning signs: Normal operations throw exceptions which
could be precursors to a larger failure
• A pop-up for security patch application
• A software upgrade
• A network capacity utilization threshold breach warning
• An important configuration file missing
• Monitor and manage the warnings to avoid a bigger catastrophe
• Develop incident handling capability to identify and respond to
such incidents


How to identify Incidents?
• Categories of incidents
– Define cyber security incident and related terms
– Identify possible categories of cyber security incidents
• Methods to detect incidents
– Employees are best positioned to detect an incident
– Create awareness in employees about cyber security incidents and
create a mechanism to report such incidents
– Technology and end point protection
– Detection tools like IDS and IPS
– Network and system logs
– Anti-virus tools

Containment, Mitigation &
Recovery Phase



Security Incident Management Phase
• Handling an actual security incident
• Convene your cyber security incident response team
• Situational awareness
• Containing a cyber security incident
• Eradication and clean-up
• Recovery



Convene Security Response Team

• When an actual incident is detected, inform the security response
manager
• The security response manager must convene a meeting of the cyber
security incident response team
• The team must evaluate the risks fast in order to take the right
measures.
• The cyber security incident manager and his team will report to
the CEO, who will have to validate their decisions.


Situational Awareness

• Collect all available information on the activities around the
incident’s timeframe.
• Preserve the integrity of the information and its indexation.
• Verify whether any data have been lost/stolen.
• Create full disk images, take (remote) memory dumps of a
suspicious machine and protect these with write-blockers.
• Central storage of security information (images, logs, firewall logs
etc) enables faster analysis and query resolution during the
investigation process.


Containing an Incident
• Recover quickly or gather evidence:
• Disconnect the systems immediately, recover fast and limit damage
• Take the time to collect evidence against the cybercriminal who
compromised the system
• Find a balanced approach
– What could happen if the incident were not contained?
– Is the attack or breach doing immediate severe damage?
– Is there (potential) damage and/or theft of assets?
– Is it necessary to preserve evidence? And if so, what sources of evidence
should the organisation acquire? Where will the evidence be stored? How
long should evidence be retained?
– Is it necessary to avoid alerting the hacker?
– Do you need to ensure service availability or is it OK to take the system
offline? (for example, services provided to external parties)

Investigation: Gathering evidence
• To gather evidence, forensic investigation must be performed
before you eradicate the incident
• Call on external experts if required, specifically in the areas of digital
forensics and legal matters. Some types of attack (e.g. DDoS) also require
specialized technical knowledge
• In order to be admissible in court, evidence should be collected
according to procedures that meet all applicable laws and
regulations.
• Avoid compromising the evidence:
• Don’t immediately shut down servers
• Don’t immediately cut off the servers from the internet
• Don’t restore from backup if you are not sure the backup is uninfected
• Don’t re-install on the same server without a forensic copy

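The integrity-preservation step from the Situational Awareness slide and the "forensic copy" advice above, as an added example in Python (not from the lecture or any forensic tool): acquired artefacts are indexed in a manifest with their SHA-256 digests, and re-verified later so that any edit or loss after acquisition is caught. File names, contents, the case id and the collector name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image of any size fits in memory


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256; the digest is what the manifest records."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> Dict:
    """Index every acquired artefact: size, SHA-256, who collected it and when.
    This manifest is the 'indexation' the slide asks to preserve."""
    items = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return {
        "case_id": case_id,
        "collector": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir: str, manifest: Dict) -> Dict[str, str]:
    """Re-hash every artefact listed in the manifest and report, per file,
    'ok', 'modified' (digest differs) or 'missing'."""
    result = {}
    for name, meta in manifest["items"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo() -> Dict[str, str]:
    """Constructed evidence set: acquire and index it, then simulate what the
    slides warn against (an artefact edited in place, another lost) and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for a disk image, a memory dump and a firewall log.
        with open(os.path.join(d, "disk.img"), "wb") as f:
            f.write(os.urandom(4096))
        with open(os.path.join(d, "memory.dmp"), "wb") as f:
            f.write(os.urandom(2048))
        with open(os.path.join(d, "firewall.log"), "w") as f:
            f.write("2024-01-01T00:00:00Z DENY 198.51.100.7 -> 10.0.0.5:23 (constructed)\n")

        # Placeholder case id and collector; a real manifest would also record the
        # imaging tool and write-blocker used.
        manifest = build_manifest(d, "analyst-1 (placeholder)", "CASE-0000 (placeholder)")
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        # Immediately after acquisition every artefact verifies.
        assert all(v == "ok" for v in verify_manifest(d, manifest).values())

        # Later, someone appends to the log in place and the memory dump is lost.
        with open(os.path.join(d, "firewall.log"), "a") as f:
            f.write("2024-01-01T00:05:00Z (edited after acquisition)\n")
        os.remove(os.path.join(d, "memory.dmp"))

        with open(manifest_path) as f:
            stored = json.load(f)
        return verify_manifest(d, stored)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```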
Eradication and Cleanup
• Eradication must be started after investigation is complete and root
cause of incident is known
• Eradication exercise must be fast, synchronized and thorough for all
infected artifacts
• Potential list of actions:
• Running a virus or spyware scanner to remove the offending files and services
• Deleting malware and updating signatures
• Disabling or changing password of breached user accounts
• Identifying and mitigating all vulnerabilities that were exploited
• Identifying security gaps and fixing them
• Informing employees about the threat and giving them instructions on what to
avoid in the future
• Informing external stakeholders such as the media and your customers
• Informing top management about eradication and clean-up results
Eradication and Cleanup…
• A few action examples:
• Individual files can be detected, quarantined or deleted from systems by the
anti-virus solution. This solution should be open to accept specific virus
definitions provided by you
• Phishing e-mails can be blocked on the mail gateway by blocking based on
the sender, the mail relay or parts of the content
• IP and domain-based indicators can be blocked based on network traffic, by
adding them to access lists, firewall policies or proxy policies. Therefore, it is
important to have the necessary capability to implement these changes in an
ad-hoc manner



Recovery
• Recovery refers to restoring of the system(s) in order to return to
normal operation and (if applicable) remediate vulnerabilities to
prevent similar incidents.
• There are multiple ways to restore following a cyber security
incident with different impact on recovery time, cost limitations or
data loss.
• Recovery depends on the time and financial means at your disposal
• It also depends on the damage the incident may have caused to the
infrastructure
• For example, it is possible that you don’t have an uninfected backup. In that
case the system must be reinstalled from scratch
• Before the system is put back online, it should be validated for
both security and business functions.

Recovery…
• Recovery means returning to normal operation and (if applicable) remediating
vulnerabilities to prevent similar incidents. The options below have a different
impact on recovery time, cost limitations or data loss:

Clean the malicious artefacts and replace the compromised versions
  Recovery time: Fast
  Cost: Cost-effective
  Data loss: …
  Remarks: … artefacts behind

Restore from a backup
  Recovery time: Medium
  Cost: Cost-effective
  Data loss: …
  Remarks: This is only possible if you have a … it is hard to determine the
  timestamp of the initial incident, or the incident … time, with no backup
  from the period …

Rebuild the system(s) or environment from zero
  Recovery time: Slow, not …
  Cost: Very costly
  Data loss: Chances of data loss
  Remarks: This is, however, the only way to be …

Statistics show that very often incidents are only revealed after … Therefore,
it is important to check your backup for viruses, rootkits and backdoors before …
Communication Phase



Communication
• Communication strategy
• Communicate TO WHOM
• WHICH INFORMATION to Communicate
• WHO will communicate
• WHEN to communicate
• Communication types
• Compliance related: Regulatory authorities & affected customers
• Incident handling and resolution progress: Internal teams and third party
response teams.
• Reputation damage limiting: Customers, partners, media and internal staff
• Communication stakeholders
• Internal stakeholders: Top management, impacted managers, employees
• External stakeholders: media, customers, suppliers, other partners, etc.
• Official stakeholders: Privacy Commission, Industry Regulator, CERT, Police
When to Communicate
• Timing is important:
– Some stakeholders will need information as soon as possible, because they
can help in containing the cyber security incident (e.g. organisation’s top
management, employees)
– Other stakeholders have to be contacted within a certain legally imposed
timeframe (e.g. Privacy Commission, affected customers)
– Others may contact you and in such a case you should have your answers
ready (e.g. media)
• In order not to alert the attacker, it may be necessary to insert a
no-communication period from the moment the incident is detected
until the moment a full picture of the incident and an action plan
are ready.
• An alerted attacker may retreat and remove all his/her traces


Reporting to Authorities
• Reporting to the authorities is a very specific and important step, for
several reasons:
• In some cases, reporting data leakage or other security incidents is legally
mandatory
• Certain authorities can help you. The cyber security incident you are faced
with may not be an isolated incident. Authorities may have information that
can help you contain your incident faster.
• In case you want to file a complaint against the criminal behind the cyber
security incident, you need to contact the law enforcement authorities.
• Reporting to the authorities is a necessary step, allowing the stocktaking
and measuring of cybercrime in the country.
• Increased knowledge and understanding of the phenomenon and its
prevalence will help to improve the overall security landscape, e.g. through
the shaping of preventive measures and countermeasures.



Reporting to CERT
• Cyber security incidents should be reported to the central Cyber Emergency
Response Team (CERT).
• CERT documents ‘Indicators Of Compromise’ (IOCs) observed on a network or
an operating system that indicate that there has been an intrusion.
• CERT can determine whether the incident is isolated or not
• CERT will be able to provide some information and advice related to the
incident that can help the victim to take effective countermeasures
• The information shared with CERT may help to prevent attacks on other
computer systems.
• Information reported to CERT includes:
• Your contact details, type of incident, date of incident
• Is the incident ongoing?
• How did you notice this incident, and what is the impact of the incident?
• Have you already taken actions or measures? If so, which ones?
• Do you have logs or other useful data?
• Who have you already informed?

Notifying Individuals whose Personal
Data were Compromised
• The notification to the persons involved needs to be clear and
easy to understand.
• The following needs to be communicated as a minimum:
• Name of the party responsible for data processing
• Contact information for further information
• Short description of the incident during which the data breach occurred;
• Probable date of the incident
• Type and nature of personal data involved
• Possible consequences of the breach for the persons involved
• Circumstances in which the data breach occurred
• Measures taken by the data processor to prevent the data breach
• Measures which the person responsible recommends the involved persons
to take to limit possible damages

Post-Incident Review Phase

Lessons Learned and Future Actions

• Is any security control action to be taken?
– The incident happened because patches were not applied
– Access was breached because of a poor password
– So, action is required to ensure controls (patches to be applied within a set
period, educate users on stronger passwords)
• What can be done to avoid control failures?
• Did the incident response plan work?
• Did everyone know who to inform?
• Did the team have the resources required to deal with the incident?
• Was the response quick?
• What should be done differently next time?

Post Incident Review
• Objective: All cyber security incidents should be formally reviewed after the
incident resolution to verify if security mechanisms or mitigating controls need to
be put in place or adapted to prevent similar incidents in the future
• Why: Cyber security incidents can indicate important shortcomings in your
security strategy or practice. Every important incident needs to be analysed to
evaluate if lessons for future improvement can be learned.
• Checklist of questions that can help to evaluate:
• Were the cyber security incident management plan and procedures followed? Were
they adequate? Should the plan be adapted on certain points?
• Was information available in time? If no, would it have been possible to have it sooner
and how?
• Were there any steps or actions you have taken that might have inhibited the
recovery?
• Could your information sharing with other organisations be improved?

Post Incident Review…
• What corrective actions could prevent similar incidents in the future?
• Are there precursors or indicators that should be monitored to detect similar incidents
more easily in the future?
• What additional tools or resources are needed to detect, analyse, mitigate future cyber
security incidents?
• Did the cyber security response team have the right organisational authority to
respond to the incident? Should you recruit more people, or place a consulting firm,
lawyer, etc. on retainer in case of a future cyber security incident?

Incident Tracking and Reporting
• Objective:
• TRACKING: All cyber security incidents and their resolution must be documented.
• REPORTING: All cyber security incidents and their resolution must be reported to top
management and, if this function exists within your organisation, to the Information
Security Officer.
• Why:
• TRACKING: Similar incidents might happen again and might require the same handling
procedures, or a small incident might turn out to be a part of a bigger incident that you
discover later.
• REPORTING: Top management and/or the people within your organisation that analyse
your organisation’s risks (e.g. Operational Risk Committee or equivalent) need to be
aware of cyber security incidents.
• A report based on post-review conclusions must be written for all cyber security
incidents and kept together with other cyber security incident reports.
• All major security incidents should be reported immediately to top management.
• At least once a year all cyber security incidents must be reported and explained to
top management and the people that analyse the organisation’s risks.
Computer Emergency Response Team (CERT)

Incident Response Teams

• Organizations maintain a team of people trained and authorized to
handle security incidents
• Called ‘Computer Emergency Response Team’ (CERT) or
‘Computer Security Incident Response Team’ (CSIRT)
• These have dedicated staff and flexible on-call specialists

CSIRT Types

• Full organizational response team to cover all incidents
• Coordination centers to coordinate incident response activity
across organizations
• National CSIRT to coordinate within the country and with national
CSIRTs of other countries
• Sector CSIRTs to assist in investigating incidents specific to a
particular business sector
• Vendor CSIRTs to coordinate with the manufacturer of a piece of
equipment or a product
• Outsourced CSIRTs hired to perform incident response on a contract
basis for other companies

CSIRT Types…

• CSIRTs operate within organizations, nationally, internationally, by
vendor or by sector
• Security Operations Centers (SOCs) perform day-to-day monitoring
of networks and are the first to notice an unusual situation
• Information Sharing and Analysis Centers (ISACs) share threat and
incident data across CSIRTs

CSIRT Activities

• Reporting
• Detection
• Triage
• Response
• Post-mortem
• Education
• Study current data to predict future attack trends (preventive
measure)

CSIRT Team Skills

• Collect, analyze and preserve digital forensic evidence
• Analyze data to infer trends
• Analyze the source, impact and structure of malicious code
• Help manage installations and networks by developing defenses
such as signatures
• Perform penetration testing and vulnerability analysis
• Understand current technologies used in attacks

Information Sharing

• Incident affecting one site may affect another site and analysis
from one place may help another place
• No standards for automated information sharing between CSIRTs
• Sharing is also hindered due to fear of competition, regulations
and negative publicity

BITS Pilani, Pilani Campus

SSZG681: Cyber Security
Lecture No: 08
Risk Analysis
Agenda

• What is a Security Assessment?
• Risk Analysis: Definitions and Nomenclature
• Risk Analysis: Methodology and Objectives
• Risk Analysis: Deliverables and Work Plan
• Risk Analysis: Tools and Usage
• Risk Analysis: Dealing with Risk

Content Courtesy (First 5 Topics): Mr Sanjay Goel, University at Albany, SUNY

Security Assessment

Security Assessment Outline

• What is security assessment?
• What are the non-intrusive types?
• How do you choose between these types?
• What are the intrusive types?
• What are the types of risk reduction?
• What is effective security?
• What are the limitations to security assessment?

Security Assessment Overview
• Definition
– Security assessment identifies existing IT vulnerabilities and recommends
countermeasures for mitigating potential risks
• Goal
– Make the infrastructure more secure
– Identify risks and reduce them
• Consequences of Failure
– Loss of services
– Financial loss
– Loss of reputation
– Legal consequences

Security Assessment Type

• Non-Intrusive
– Security Audit
– Risk Assessment
– Risk Analysis
• Intrusive
– Vulnerability Scan
– Penetration Testing / Ethical Hacking
• The goal of each type is to identify vulnerabilities and improve security
– The types differ in their rules of engagement and in the purpose of the specific
engagement (what is allowed, legal liability, purpose of analysis, etc.)

Security Assessment: Non-Intrusive Types
1. Security Audit

• Security Audit: Independent review and examination of system
records & activities to determine the adequacy of system controls,
ensure compliance with security policy & operational procedures,
detect breaches in security, and recommend changes in these
processes.
• Features
– Formal Process
– Paper Oriented: Review of policies for compliance and best practices
– Review System Configurations: Questionnaire, or console based
– Automated Scanning
– Checklists

Security Assessment: Non-Intrusive Types
2. Risk Assessment
• Risk Assessment (Vulnerability Assessment):
– determination of state of risk associated with a system based upon
thorough analysis.
– includes recommendations to support subsequent security
controls/decisions.
– takes into account business as well as legal constraints.
• Involves more testing than a traditional paper audit
• Primarily required to identify weaknesses in the information
system
• Steps
– Identify security holes in the infrastructure
– Look at, but do not intrude into, the systems
– Focus on best practices (company policy is secondary)

Security Assessment: Non-Intrusive Types
3. Risk Analysis
• Risk Analysis is the identification or study of:
– an organization’s assets
– threats to these assets
– system’s vulnerability to the threats
• Risk Analysis is done in order to determine exposure and potential
loss
• Computationally intensive and requires data on
– probabilities of attack
– valuation of assets
– efficacy of the controls
• More cumbersome than an audit or assessment and usually requires
an analytically trained person

Security Assessment
Audit v/s Assessment v/s Analysis

• Objective
– Audit: Measure against a Standard
– Assessment: Baseline
– Analysis: Determine Exposure and Potential Loss
• Method
– Audit: Audit Program/Checklist
– Assessment: Various (including use of tools)
– Analysis: Various (including use of tools)
• Deliverables
– Audit: Audit Report
– Assessment: Gaps and Recommendations
– Analysis: Identification of Assets, Threats & Vulnerabilities
• Performed by
– Audit: Auditors
– Assessment: Internal or External
– Analysis: Internal or External
• Value
– Audit: Compliance Focused
– Assessment: Improvement
– Analysis: Preparation for Assessment

Security Assessment: Intrusive Types
1. Vulnerability Scan
• Definition: Scan the network using automated tools to identify
security holes in the network
• Usually a highly automated, fast and cheap process
• Limitations
– False findings
– System disruptions (due to improperly run tools)
• Differences in regular scans can often identify new vulnerabilities

Security Assessment: Intrusive Types
2. Penetration Testing
• Definition: Penetration Testing (Ethical Hacking) is a simulated
attack on computer networks to identify weaknesses in the
network.
• Steps
– Find a vulnerability
– Exploit the vulnerability to get deeper access
– Explore the potential damage that the hacker can cause
• Example
– Scan web server: Exploit buffer overflow to get an account
– Scan database (from web server)
– Find weakness in database: Retrieve password
– Use password to compromise firewall

Security Assessment: Risk Reduction
There are three strategies for risk reduction:
• Avoid the risk: by changing requirements for security or other
system characteristics
• Transfer the risk: by allocating the risk to other systems, people,
organizations or assets, or by buying insurance
• Assume the risk: by accepting it, controlling it with available
resources

Security Assessment: Effective Security
• Effective security relies on several factors
– Security Assessments
– Policies & Procedures
– Education (IT team, users & managers)
– Configuration Standards/Guidelines
• OS Hardening
• Network Design
• Firewall Configuration
• Router Configuration
• Web Server Configuration
– Security Coding Practices

Security Assessment: Limitations
• Often locates previously known issues
– Provides false sense of security
• Just the first step
– Needs due diligence in applying the recommendation of the
assessment
• Becomes obsolete rapidly
– Needs to be repeated periodically

Risk Analysis: Definitions and Nomenclature

Risk Analysis: Outline
• What is risk analysis?
• What terms are needed in risk analysis?
• What are assets?
• What are vulnerabilities?
• What are threats?
• What types of risk exist?
– Security Risk
– Physical Asset Risks
– Mission Risks
– Security Risks

Risk Analysis: Concept Map

• Threats exploit system vulnerabilities which expose system assets.
• Security controls protect against threats by meeting security requirements
established on the basis of asset values.

Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000

Risk Analysis: Basic Definitions
• Assets: Something that the agency values and has to protect. Assets include
all information and supporting items that an agency requires to conduct
business.
• Vulnerability: A weak characteristic of an information asset or group of
assets which can be exploited by a threat. A consequence of weaknesses in
controls.
• Threat: Potential cause of an unwanted event that may result in harm to the
agency and its assets. A threat is a manifestation of vulnerability.
• Security Risk: The probability that a specific threat will successfully exploit
a vulnerability causing a loss.
• Security Controls: Implementations to reduce overall risk and vulnerability.

Risk Analysis: Assets
• Assets: Something that the agency values and has to
protect. Assets include all information and supporting
items that an agency requires to conduct business.
• Data
– Breach of confidentiality
– Loss of data integrity
– Denial of service
– Management failure
– Corruption of Applications
– Disclosure of Data
• Organization
– Loss of trust
– Embarrassment
• Personnel
– Injury and death
– Sickness
– Loss of morale

Risk Analysis: Assets…
• Infrastructure
– Electrical grid failure
– Loss of power
– Chemical leaks
– Facilities & equipment
– Communications
• Legal
– Use or acceptance of unlicensed software
– Disclosure of Client Secrets
• Operational
– Interruption of services
– Loss/Delay in Orders
– Delay in Shipments

Risk Analysis: Vulnerabilities
• Vulnerabilities are flaws within an asset, such as an operating
system, router, network, or application, which allow the asset
to be exploited by a threat.
• Examples
– Software design flaws
– Software implementation errors
– System misconfiguration (e.g. misconfigured firewalls)
– Inadequate security policies
– Poor system management
– Lack of physical protections
– Lack of employee training (e.g. passwords on post-it notes in drawers
or under keyboards)

Risk Analysis: Threats
• Threats are potential causes of events which have a negative
impact.
• Threats exploit vulnerabilities causing impact to assets
• Examples
– Denial of Service (DOS) Attacks
– Spoofing and Masquerading
– Malicious Code
– Human Error
– Insider Attacks
– Intrusion

Risk Analysis: Source of Threats

Source, with examples of reasons:
• External Hackers with Malicious Intent
– Espionage
– Intent to cause damage
– Terrorism
• External Hackers Seeking Thrill
– Popularity
• Insiders with Malicious Intent
– Anger at company
– Competition with co-worker(s)
• Accidental Deletion of Files and Data
– User errors
• Environmental Damage
– Floods
– Earthquakes
– Fires
• Equipment and Hardware Failure
– Hard disk crashes

Risk Analysis: Security Risk
• Risk is the probability that a specific threat will successfully
exploit a vulnerability causing a loss.
• The risks of an organization are evaluated by three distinguishing
characteristics:
– loss associated with an event, e.g., disclosure of confidential data, lost
time, and lost revenues
– likelihood that the event will occur, i.e. probability of event occurrence
– degree to which the risk outcome can be influenced, i.e. controls that will
influence the event
• Various forms of threats exist
• Different stakeholders have different perceptions of risk
• Several sources of threats exist simultaneously

Risk Analysis: Risk Exposure

• Risk Exposure = Probability of Risk * Risk Impact
• Example:
• The likelihood (Probability of Risk) of a virus attack is 0.30 and the cost of
cleanup (Risk Impact) after a virus attack is 10000, so the Risk Exposure is
3000
• The cost of an antivirus is 500, which reduces the likelihood to 0.05; the
revised Risk Exposure is 1000 (500 + 0.05*10000)
• Thus the investment in antivirus is worth it

Risk Analysis: Risk Leverage

• Cost associated with risk occurrence = Risk Impact
• Cost associated with risk control = Risk Reduction
• Risk Leverage is the amount of benefit per unit spent

Risk Leverage = (Risk Exposure before Reduction – Risk Exposure after Reduction) / Cost of Risk Reduction

Example: Risk Leverage = (3000 – 1000) / 500 = 4:1
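The exposure and leverage arithmetic of these two slides, carried through for several candidate controls so they can be ranked, as an added example that is not part of the lecture material: it uses the slide's virus figures (likelihood 0.30, impact 10000, antivirus costing 500 and cutting the likelihood to 0.05), adds two constructed controls for comparison, and keeps the slide's convention of counting the control's own cost inside the revised exposure.

```python
"""Risk Exposure and Risk Leverage as defined on the slides:

    Risk Exposure = Probability of Risk * Risk Impact
    Risk Leverage = (Exposure before reduction - Exposure after reduction)
                    / Cost of Risk Reduction

The slide counts the control's own cost inside the revised exposure
(antivirus: 500 + 0.05 * 10000 = 1000), and this code keeps that convention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood that the threat exploits the vulnerability
    impact: float       # loss if it does, in the same unit as control costs

    def exposure(self) -> float:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in [0, 1]")
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    residual_probability: float  # likelihood remaining once the control is in place


def revised_exposure(risk: Risk, control: Control) -> float:
    """Exposure after the control, computed the way the slide does:
    the control's cost plus the residual probability times the impact."""
    residual = Risk(risk.name, control.residual_probability, risk.impact)
    return control.cost + residual.exposure()


def risk_leverage(risk: Risk, control: Control) -> float:
    """Benefit per unit spent on the control.

    A zero-cost control has no denominator: report +inf when it still lowers
    exposure (so it sorts first) and 0.0 when it changes nothing, instead of
    raising ZeroDivisionError in the middle of a ranking run."""
    reduction = risk.exposure() - revised_exposure(risk, control)
    if control.cost == 0:
        return float("inf") if reduction > 0 else 0.0
    return reduction / control.cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Return (control name, leverage, worth_it) tuples, best leverage first.

    A control is worth it when it lowers exposure at all (leverage > 0).
    A control whose cost exceeds the exposure it removes comes out negative,
    which is the 'not worth it' case the slide's reasoning implies."""
    ranked = []
    for control in controls:
        leverage = risk_leverage(risk, control)
        ranked.append((control.name, leverage, leverage > 0))
    return sorted(ranked, key=lambda entry: entry[1], reverse=True)


# Constructed sample: the slide's virus scenario, plus two controls made up
# for this example so the ranking has something to compare.
VIRUS = Risk("virus attack", probability=0.30, impact=10000)
CONTROLS = [
    Control("antivirus", cost=500, residual_probability=0.05),  # slide's figures
    Control("user awareness training", cost=300, residual_probability=0.20),
    Control("gold-plated endpoint suite", cost=4000, residual_probability=0.01),
]

if __name__ == "__main__":
    print(f"exposure before any control: {VIRUS.exposure():.0f}")
    for name, leverage, worth_it in rank_controls(VIRUS, CONTROLS):
        verdict = "worth it" if worth_it else "not worth it"
        print(f"{name:28s} leverage {leverage:7.2f}  {verdict}")
```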

Risk Analysis: Risk Types
• Physical Asset Risks: Relating to physical and tangible items that
have an associated financial value
• Mission Risks: Relating to functions, jobs or tasks that need to be
performed
• Security Risks: Integrates with both asset and mission risks

Risk Analysis: Methodology

Risk Analysis: Methodology Outline
• What are the key steps in risk analysis?
• When should risk analysis be performed?
• How to determine breadth and depth?
• How to determine a baseline?
• How to determine the scope?
– Strategic Context
– Organizational Context
– Risk Management Context
• What criteria should be used for risk evaluation?
• What standards should be considered?

Risk Analysis: Methodology Steps

1. Define objectives
2. Define deliverables
3. Establish a work plan
4. Determine tools to assist with the process

Risk Assessment: Define Periodicity
• Periodically
– Often event-driven
– Typically year-over-year comparison
– Generally labor-intensive
– Most organizations start with periodic assessments

• Continuously
– Part of the normal workflow
– Provides “real-time” risk view
– Often supported by technology and analysis tools
– Integrated with other IT/business processes

Risk Analysis: Define Objectives
• Breadth
– Organizational
– People
– Processes
– Technology
– Physical
• Depth of Analysis
– Comprehensive vs. Sampling
– Key Components vs. Individual Elements

Risk Analysis: Define Baseline
• Baseline
– Where is the organization today?
– What controls are in place?
• Evaluation of security control effectiveness
– Where should the security of the organization be?
– Where are the gaps?
– What are opportunities for improvement?
• Establish awareness of threats & vulnerabilities
• Lay the foundation for development of a security improvement plan

Risk Analysis: Define Scope
• Defining the scope will set the framework for the risks to be
managed and will provide guidance for future decisions. This
avoids unnecessary work and improves the quality of risk
analysis.
• Components
– Establish strategic context
– Establish organizational context
– Establish risk management context
– Develop risk evaluation criteria

Risk Analysis: Define Standards
• ISO 17799
– Information technology (Code of practice for information security
management)
– Starting point for developing policies

• ISO 13335
– Information technology (Guidelines for the management of IT Security -
Part 1: Concepts and models for IT Security)
– Assists with developing baseline security.

• NIST SP 800-xx
– Different standards for various applications

• Center for Internet Security
– Configuration Standards (benchmarks)
Risk Analysis: Define Strategic Context
• This is based on the environment in which the agency operates.
• The agency should understand:
– Strengths, weaknesses, opportunities, & threats
– Internal and external stakeholders (objectives and perceptions)
– Financial, operational, competitive, political, social, client, cultural and
legal aspects of agency’s functions.
• Risk analysis should be related to agency’s mission or strategic
objectives
• Cross-organizational issues should be taken into consideration
when applicable

Source: Information Security Guidelines for NSW Government Agencies Part 1 Information Security Risk Management

Risk Analysis: Define Organizational Context
• Organizational Context requires
– Understanding of agency
– How it is organized
– Capabilities, goals, objectives, and strategies
– Knowledge of assets and values

• This assists in:
– Defining criteria to determine risk acceptability
– Forming the basis of controls and risk treatment options

Source: Information Security Guidelines for NSW Government Agencies Part 1 Information Security Risk Management

Risk Analysis: Define Risk Management Context
• Define review project and establish goals and objectives
– Will review cover whole organization or just a single project, individual
assets or groups of assets?

• Define timeframe and location of review
– What is the budgeted time for the review?
– Where will the review take place? (one site or a group of sites)

Source: Information Security Guidelines for NSW Government Agencies Part 1 Information Security Risk Management

Risk Analysis: Define Risk Management Context…
• Identify resources required to conduct review
– Use to identify sources of risk, common vulnerabilities, threat types and
areas of impact
– Is assessment done internally or through an outside consultant?
– How many people will be involved?
– Who are the best people to involve?
– What tools are going to be used?
• Define extent of risk analysis
– What are the functions of the parts of organization participating in
managing risk?
– What is the relationship between the risk assessment and other
projects within other parts of the agency?

Source: Information Security Guidelines for NSW Government Agencies Part 1 Information Security Risk Management

Risk Analysis: Define Risk Evaluation Criteria
• Qualitative or Quantitative methods
• Level of acceptable risk should be considered
• Baseline
– a collection of policies, standards, processes and technologies that
establish a defined security level.
• Risk criteria are influenced by:
– Agency’s internal policy, goals and objectives
– Expectations of stakeholders and customers
– Legal requirements

Risk Analysis: Deliverables and Work Plan

Risk Analysis: Deliverables and Work Plan Outline
• Who is the intended audience for risk analysis?
• Who should take part in risk analysis?
• How is a work plan created?
– Planning
– Preparation
– Threat Assessment
– Risk Assessment
– Recommendations

Risk Analysis: Target Audiences
• Executives
– Upward communication
– Brief and concise
• Operational
– What needs to be done for implementation of controls
• Internal Employees
– Awareness
– Training
• External Parties

Risk Analysis: Work Plan Team Composition
• Business
– Security Officer: planning, budgeting and management of security staff
– Security Manager: policy negotiation, data classification, risk assessment, role
analysis

• Technical
– Security Operations: vulnerability assessment, patch management, intrusion
detection, scanning, forensics, response management, security technology
research
– Security Architect: technology implementation, implementation options
– Security Administrator: user administration, server security configuration,
desktop security
– Resource Owner: own any residual risk after controls are implemented
– Resource Custodian: implements/monitors controls

• Communications
– Security Communications: marketing, awareness
Source: CSCIC & Meta Group, Inc.

Risk Analysis: Work Plan Creation
1. Planning Stage
– Aim and scope
– Identification of security baselines
– Schedule and methodology
– Acknowledgement of responsibility
2. Preparation
– Asset and value listings
3. Threat Assessment
– Threats, sources, and impact
4. Risk Assessment
– Evaluation of existing controls
– Vulnerabilities and exploit probability
– Analysis of risk
5. Recommendations
– Addition of new controls
– Modification of existing controls
– Removal of obsolete/inadequate controls

Risk Analysis: Tools and Usage

Risk Analysis: Tools and Usage Outline
• What are asset inventory tools?
• What are software usage tools?
• What are vulnerability assessment tools?
• What are configuration validation tools?
• What are penetration testing tools?
• What are password auditing tools?
• What are documentation tools?

Risk Analysis: Tool Types
• Tools can speed up the security assessment and help in
automation of the risk analysis process.
• Several categories of tools exist:
– Asset Inventory
– Software Usage
– Vulnerability Assessment
– Configuration Validation
– Penetration Testing
– Password Auditing
– Documentation

Risk Analysis: Assets & Tools Inventory
• Inventory process includes physical inventory and automated tools
• Physical inventory of IT assets that are not attached to the network
– e.g. in storage closets or locally attached and that are thus not discoverable.
• Auto-discovery tools collect physical data on an enterprise's IT assets and
record history of changes made to the asset from the last scan
– e.g. memory, processor, and software version
• Inventory tools can either:
– install an agent on the hardware device, which lets the inventory run even if the
device is not attached to the network,
– or be agentless, which can send information only when it is attached to the network.
• In environments with a mobile set of assets that are sporadically connected (e.g.
once a month), agentless technology requires alternative ways to capture the
inventory
– e.g. an e-mail that kicks off the scan.
• The assets that need to be discovered include
– PDAs, PCs, networking equipment, and servers.

Risk Analysis: Assets & Tools Inventory
• Asset Tracker for Networks: Inventory software tool intended to audit software and hardware
components installed on computers over a network. It collects network inventory information,
provides detailed comprehensive reports and allows export of asset details to external storage,
such as a SQL database or web site. http://www.alchemy-lab.com/products/atn/
• Peregrine Asset Center: Autodiscovery/inventory tool which maintains “an evolving snapshot of
IT infrastructure” and provides: what hardware and software is available, asset connection to
other assets, location of assets, access to assets, as well as financial and contractual
information on assets. http://www.peregrine.com/products/assetcenter.asp
• Unicenter Access Management: Computer Associates International asset management tool. It
features: “automated discovery, hardware inventory, network inventory, software inventory,
configuration management, software usage monitoring, license management and extensive
cross-platform reporting.” http://www3.ca.com/Solutions/Product.asp?ID=194

Risk Analysis: Assets & Tools Inventory
• Tally Systems: offers three tools which can be used for IT asset inventory. These are: TS Census
Asset Inventory, WebCensus and PowerCensus. These products provide unparalleled IT asset
inventory and tracking, hosted PC inventory and reporting, and enhanced inventory for Microsoft
SMS respectively. http://www.tallysystems.com/products/itassettracking.html
• Isogon: offers multiple tools. SoftAudit gathers software inventory and usage data from your
z/OS, OS/390, or UNIX server. Asset Insight offers PC, PDA, & network device auto-discovery
software & captures data. Vista manages and organizes details from contracts, contract
addenda/attachments, and maintenance agreements. http://www.isogon.com/SAM%20Solutions.htm

Risk Analysis: Software Usage
• Tools monitor the use of software applications in an organization
• Several uses of such tools
– Track usage patterns and report on trends to assist with server load
balancing and license negotiation, to prevent costly over-buying or risk-
laden under-buying.
– Monitor and control the use of unauthorized applications (for
example, video games and screen savers).
– Important for vendors auditing their customers, especially for monitoring
clients on subscription-based pricing

• Software Audit Tool (GASP): Designed to help detect and identify pirated software through
tracking licenses. It is a suite of tools used by the Business Software Alliance and is freely
available at: http://global.bsa.org/uk/antipiracy/tools/gasp.phtml

Risk Analysis: Vulnerability Assessment Tools
• Vulnerability Assessment helps determine vulnerabilities in
computer networks at any specific moment in time.
• Deliverables:
– List of exploits and threats to which systems and networks are
vulnerable. (Ranked according to risk levels)
– Specific information about exploits and threats listed. (name of exploit or
threat, how the threat/exploit works)
– Recommendations for mitigating risk from these threats and exploits.
• Tools used can be:
– Commercial or open source (decide based on staff skills)
– Host-based or network-based

Risk Analysis: Vulnerability Assessment Tools

• Host-based Tools
– Pros
• Can provide rich security information, such as by checking user access logs.
• Can give a quick look at what weaknesses hackers and worms can exploit.
– Cons
• Costs can add up when deploying agents across many desktops and servers.
• Requires careful planning to avoid conflict with security systems.
• Network-Based Tools
– Pros
• Once deployed, have limited impact on network traffic.
• Available as software, appliances and managed services.
– Cons
• Deployment can be time-consuming.
• Generates considerable network traffic.

Risk Analysis: Vulnerability Assessment Tools
• Cerberus Internet Scanner: Windows web server vulnerability tester designed to help administrators
locate and fix security holes in their computer systems. http://www.cerberus-infosec.co.uk/cis.shtml
• Cgichk: A web vulnerability scanner which searches for interesting directories and files on a site.
Looks for interesting and hidden directories such as logs, scripts, restricted code, etc.
http://sourceforge.net/projects/cgichk/
• Nessus: Server and client software vulnerability assessment tool which provides remote and local
security checking. http://www.nessus.org/download.html
• SAINT (Security Administrator's Integrated Network Tool): A security assessment tool. It scans
through a firewall, with updated security checks from CERT & CIAC bulletins. Also features 4 levels
of severity (red, yellow, brown, & green) through an HTML interface. Based on the SATAN model.
http://www.saintcorporation.com/products/saint_engine.html
• SARA (Security Auditor's Research Assistant): Third generation UNIX-based security analysis tool.
It contains: SANS/ISTS certification, CVE standards support, an enterprise search module,
standalone or daemon mode, user extension support, and is based on the SATAN model.
http://www.www-arc.com/sara/
• Nikto: A web server scanner which performs comprehensive tests against web servers for multiple
items, including over 2200 potentially dangerous files/CGIs, versions on over 140 servers, and
problems on over 210 servers. http://www.cirt.net/code/nikto.shtml

Risk Analysis: Configuration Validation Tools
• Configuration Validation
– is the process in which the current configuration of a specific system,
software, or hardware tool is tested against configuration guidelines.
• Human error is shown to be the 2nd largest reason for network downtime.
• Using configuration validation tools will help correct for human error

Risk Analysis: Configuration Validation Tools

• Depending on focus, especially with network and OS
configurations, configuration validation can utilize the same tools
as vulnerability assessment & penetration testing
• However, there are more specialized tools for validating specific
software applications and hardware.

BITS Pilani, Pilani Campus


Risk Analysis: Configuration Validation Tools
Microsoft Baseline Security Analyzer – Method of identifying common security misconfigurations among Microsoft Windows NT 4.0, 2000, XP, 2003, IIS, SQL Server, Exchange Server, Media Player, Data Access Components (MDAC), Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server & Office. http://www.microsoft.com/technet/security/tools/mbsahome.mspx
CISCO Router and Security Device Manager – This offers advanced configuration support for LAN and WAN interfaces, NAT, Stateful Firewall Policy, Inline Intrusion Prevention and IPSec virtual private network (VPN) features. It also provides a 1-click router lockdown and the ability to check and recommend changes to router configuration based on ICSA Labs and Cisco TAC recommendations. http://www.cisco.com/en/US/products/sw/secursw/ps5318/
Linux Configuration and Diagnostic Tools – This site provides a listing of various Linux configuration tools for system and network configuration, X configuration, library and kernel dependency management, and general diagnostics. http://www.comptechdoc.org/os/linux/usersguide/linux_ugdiag.html



Risk Analysis: Penetration Testing Tools
• Penetration Testing is the evaluation of a system for weaknesses through attempting to exploit vulnerabilities.
• Can be done in-house or by a neutral 3rd party
• "Black-box" (no knowledge) or "White-box" (complete knowledge)
• Steps
  – Define scope (External: servers, infrastructure, underlying software; Internal: network access points; Application: proprietary applications and/or systems; Wireless/Remote Access; Telephone/Voice Technologies; Social Engineering)
  – Find correct tools (freeware or commercial software)
  – Properly configure tools to the specific system
  – Gather information/data to narrow focus ("white-box")
  – Scan using proper tools
• Penetration Testing tools can include:
  – Network exploration (ping, port scanning, OS fingerprinting)
  – Password cracking
  – IDS, Firewall, Router, Trusted System, DOS, Containment Measures Testing
  – Application Testing and Code Review



Risk Analysis: Penetration Testing Tools
Whois – Domain name lookup to find administrative, technical, and billing contacts. It also provides name servers for the domain. http://www.allwhois.com
Nmap – Utility for network exploration or security auditing. Can scan large networks or single hosts. It uses raw IP packets to determine hosts available on the network, services those hosts are running, OS and OS version they are running, type of packet filters/firewalls being used, etc. http://www.insecure.org/nmap/nmap_download.html
MingSweeper – Network Reconnaissance Tool. Supports various TCP port & filter scans, UDP scans, OS detection (NMAP and ICMP style), banner grabbing etc. http://www.hoobie.net/mingsweeper/
Cheops – Network mapping tool with graphical user interface (GUI). http://www.marko.net/cheops/
QueSO – Remote OS detector. Sends obscure TCP packets to determine the remote OS. http://www.antiserver.it/Unix/scanner/Unix-Scanner/



Risk Analysis: Password Auditing Tools
• Used for testing passwords for weaknesses which lead to vulnerable systems
• Reasons for password weakness
  – Poor encryption
  – Social engineering (e.g. password is spouse's, pet's or child's name)
  – Passwords less than 8 characters
  – Passwords do not contain special characters and numbers in addition to lower and uppercase letters.
  – Passwords from any dictionary
• Software tools might perform these tasks:
  – Extracting hashed passwords / encrypted passwords
  – Dictionary attack (cracks passwords by trying entries in a pre-installed dictionary)
  – Brute force attack (cracks passwords by trying all possible combinations of characters)
• Deliverables
  – Recommendations for future password policies

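A policy check that applies the weakness criteria listed above to a candidate password, written here as an added example (it is not from the course material). The word list and the personal names are constructed; a real audit would load a full dictionary and the names gathered per user.

```python
import math
import string

# Constructed stand-in for a cracking dictionary; a real audit loads a full wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}


def weakness_reasons(password, personal_names=(), dictionary=COMMON_WORDS):
    """Return the policy failures for a candidate password, following the
    slide's criteria: shorter than 8 characters, missing character classes,
    dictionary words, and names tied to the user (spouse, pet, child)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        reasons.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    # Strip trailing digits/symbols so "Password1!" is still caught as a dictionary word.
    core = lowered.rstrip(string.digits + string.punctuation)
    if core in dictionary or lowered in dictionary:
        reasons.append("dictionary word")
    for name in personal_names:
        if name.lower() in lowered:
            reasons.append("contains personal name: " + name)
    return reasons


def brute_force_bits(password):
    """Approximate size (in bits) of the keyspace a brute-force tool must
    search: alphabet size raised to the length. It shows why the 8-character,
    four-class rule matters; it says nothing about dictionary words."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("rex1", "Password1!", "Tr0ub4dor&3x"):
        print(candidate, weakness_reasons(candidate, personal_names=("Rex",)),
              round(brute_force_bits(candidate), 1))
```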


Risk Analysis: Password Auditing Tools
John the Ripper (all platforms) – Detects weak UNIX passwords. "Uses highly optimized modules to decrypt different ciphertext formats and architectures." Can be modified to crack LM hashes in Windows. http://www.openwall.com/john/
Brutus (Windows) – Remote password cracker. http://www.hoobie.net/brutus/
Magic Key (Macintosh) – Audits the AppleTalk users file for weak passwords using brute force methods. http://freaky.staticusers.net/security/auditing/MK3.2.3a.sit
L0phtcrack (Windows & UNIX) – Assesses, recovers, and remediates Windows and Unix account passwords from multiple domains and systems. http://www.atstake.com/products/lc/
SAMInside (Windows) – Extracts information about users from SAM files and performs a brute force attack on Windows NT/2000/XP. Breaks the defense of Syskey. http://www.topshareware.com/SAMInside-download-5188.htm
GetPass! (Cisco Router IOS) – Cracks weakly encrypted Cisco IOS type 7 passwords once the encrypted password file is obtained. http://www.networkingfiles.com/Network/downloads/bosongetpassdownload.htm
wwwhack (Windows) – Brute force utility that will try to crack web authentication. Can use a word file or try all possible combinations, and by trial-and-error, will attempt to find a correct username/password combination. http://www.securityfocus.com/tools/1785



Risk Analysis: Documentation Tools
• Documentation contains data from the risk analysis
• These documents should contain deliverables from other parts of the process (asset inventory, vulnerability assessment etc.).
  – These can be provided automatically from specialized software or through compiled reports.
• Documentation is critical for legal cases, where it can be used as evidence to justify the expense on controls.
• Documentation might include:
  – Focus of analysis
  – Current system vulnerabilities
  – Cost benefit analysis
  – Recommended controls



Risk Analysis: Dealing With Risks


Dealing With Risks: Dealing with Natural Disasters
• Flood
  – Redundant assets like servers, data storage etc.
  – Mechanisms to save machines from water, like plastic waterproof bags to cover computing machines
  – Store backup at a safe and separate location
• Fire
  – Plan to shut down the system in an orderly manner
  – Windowless fire-resistant facility, especially for critical assets like servers, data backup etc.
  – Regular fire drills to assess readiness
• Other natural disasters: Storms, Earthquakes, Volcanoes etc.
  – Develop contingency plans so that people know how to react
  – Take insurance cover for physical assets
  – Preserve sensitive data by maintaining a physical/digital copy at a separate location
Dealing With Risks: Dealing with Power Loss
• Uninterruptible power supply (UPS)
• Surge suppressors



Dealing With Risks: Human Vandals
• Disgruntled employee, Saboteur, Bored operator, People seeking excitement, Unwitting bumblers
• Physical security
  – Unauthorized access and use
  – Intercept access, access by authorization only
  – Theft: portable reports or PDAs
  – Prevent access & portability of assets, Detect at exit



Dealing With Risks: Preventing Access
• Physical guards: record of each person entering/exiting the facility
• Lock control: Mechanical or digital. Piggy-backing is a challenge
• Magnetic strip cards, RFID cards, smart cards with electronic chips



Dealing With Risks: Preventing Portability
• Pad connected with fixed cables
• Large lockable cabinets for computing devices
• Movement activated alarms



Dealing With Risks: Detecting Theft
• Marking with special labels which can be detected at exit: libraries use it
• Security tags like the ones used by retail stores
• GPS enabled tags to show location of asset
• Radio enabled tags



Dealing With Risks: Interception of Sensitive Information
• Shredding
• Overwriting magnetic data: data can be reconstructed
• Degaussing: uses a powerful magnetic force to realign magnetic particles
• Protecting against emanation: radio signals emitted by devices (screens, disk drives, printers) can be read and data reconstructed.
• Tempest: US govt program to certify a device as emission free



Dealing With Risks: Contingency Planning - Backup
• Backup: enables recovery from loss or failure of computing devices
• Complete or incremental
• All assets or selected assets
• Revolving backup
• Completeness of backups
• Restorability of backups
• Cost of backup
• Individuals often fail to back up their data
• Off-site backup: The purpose of backup is to protect against disaster, thus a disaster should not destroy the backup.



Dealing With Risks: Contingency Planning - Backup
• Network storage: Provided by private players, Good for critical data
• Cloud backup: Google Docs, Amazon S3, Dropbox, Apple etc.
  – Cloud provider may go out of business
  – Data privacy/secrecy issues
• Cold or Shell site: A facility with power and cooling available where computing machines can be installed to immediately start limited or full operations. Normally operations can start within a week.
• Hot site: Facility with installed and ready to run computing systems. To start operations, the team needs to load software and data only.
  – Self owned hot site
  – Third party owned hot site (shared)



Security Assessment: Summary
• Security Assessment is critical to build a measured defense against intrusions
• Risk Analysis involves:
  – Asset Valuation
  – Vulnerability Analysis
  – Threat Identification
  – Evaluation and Recommendation of Controls
• Several levels of risk analysis can be performed:
  – Audit (checklists and rules)
  – Non-Intrusive Vulnerability Assessment
  – Penetration Testing



SSZG681: Cyber Security
Lecture No: 09
Introduction to Cyber Crime
Agenda
• Cyber crime definition
• Cyber crime and information security
• Classification of cyber crime
• Cyber crime and Indian ITA 2000
• Global perspective on cyber crime



Introduction
§ The internet is growing rapidly.
§ It has given rise to new opportunities in every field one can think of - be it entertainment, business, sports or education.
§ The Internet also has its own disadvantages.
§ Cyber crime is an illegal activity committed on the internet.

Cyber Crime: What is it?
§ Crime committed using a computer and the internet to steal data or information.
§ Illegal activities: Actions carried out
§ Malicious programs: Software tools
• Any illegal act where a special knowledge of computer technology is essential for its perpetration, investigation or prosecution.
• Any traditional crime that has acquired a new dimension or order of magnitude through the aid of a computer, and abuses that have come into being because of computers.
• Any financial fraud that takes place using a computer.
• Any threats to the computer itself, such as theft of hardware or software, sabotage and demands for ransom.

Cyber Crime: Definition
• "Cybercrime (computer crime) is any illegal behavior, directed by means of electronic operations, that targets the security of computer systems and the data processed by them".
• Cybercrime is also called computer-related crime, computer crime, E-crime, Internet crime, High-tech crime etc.

Cyber Crime: Alternate Definition
• A crime committed using a computer and the internet to steal a person's identity (identity theft) or sell contraband or stalk victims or disrupt operations with malevolent programs.
• Any illegal activity through the Internet or on the computer.
• All criminal activities carried out using the medium of computers, the Internet, cyberspace and the www.

Cyber Crime Attack Types
• Techno-crime: Active attack
  – Techno Crime is the term used by law enforcement agencies to denote criminal activity which uses (computer) technology, not as a tool to commit the crime, but as the subject of the crime itself. Techno Crime is usually pre-meditated and results in the deletion, corruption, alteration, theft or copying of data on an organization's systems.
  – Techno Criminals will usually probe their target system for weaknesses and will almost always leave an electronic 'calling card' to ensure that their pseudonym identity is known.
• Techno-vandalism: Passive attack
  – Techno Vandalism is a term used to describe a hacker or cracker who breaks into a computer system with the sole intent of defacing and/or destroying its contents.
  – Techno Vandals deploy 'sniffers' on the Internet to locate insecure targets and then execute a range of commands using a variety of protocols towards a range of ports. The best weapon against such attacks is a firewall to hide and disguise your presence on the Internet.

Impact of Cyber Crime in India
[Figure: word cloud] Direct impact on business with financial loss; 60% increase in Cyber Crimes in last 5 months of Covid.

Challenges for Securing Data
• Cyber crimes occupy an important space in information security due to their impact
• Unwillingness of organizations to segregate the cost of computer security incidents in their accounting
• Difficulty in attaching a quantifiable monetary value to corporate data
• Financial losses may not be detected by the victimized organization in the case of insider attacks, e.g. someone leaking customer data

Who are Cyber Criminals?
• Those who conduct acts such as:
  – Credit card fraud
  – Cyber stalking
  – Child pornography
  – Defaming someone online
  – Gaining unauthorized access to computer systems
  – Ignoring copyrights
  – Software licensing and trademark violation
  – Overriding encryption to make illegal copies
  – Software piracy
  – Stealing another's identity to perform criminal acts
  – etc.

Categories of Cyber Criminals
• Hungry for recognition
• Not interested in recognition
• The Insiders

Hungry for Recognition
• Hobby hackers: A person who enjoys exploring the limits of what is possible, in a spirit of playful cleverness. May modify hardware/software
• Ethical hackers: Person with no financial or other motives, helps improve security
• Political hackers: Supports objectives of individuals, groups or nations for causes such as anti-globalization, transnational conflicts, global warming etc.
• Terrorist organizations
  – Cyber terrorism
  – Internet attacks as part of terrorist activity
  – Large scale disruption of computer networks and personal computers attached to the internet via viruses

Not Interested in Recognition
• Psychological perverts
  – Express sexual desires, deviate from normal behavior
• Financially motivated hackers
  – Make money from cyber attacks
  – Bots-for-hire: fraud through phishing, information theft, spam and extortion
• State-sponsored hacking
  – Hacktivists
  – Extremely professional groups working for governments
  – Have the ability to worm into the networks of the media, major corporations, defense departments etc.

The Insiders
• Disgruntled current or former employees seeking revenge
• Competing companies using employees to gain economic advantage through damage and/or theft
• Internally competing employees

Motives for Cyber Crime
• Money
• Gain power
• Publicity
• Revenge
• Sense of adventure
• Thrill to access forbidden information
• Destructive mindset
• Sell security services

Classification of Cyber Crimes
• Against an individual
• Against property
• Against organization
• Against society
• Crimes emanating from Usenet newsgroup

Cyber Crimes: Against an Individual
• Electronic mail spoofing and other online frauds
• Phishing, spear phishing
• Spamming
• Cyber defamation
• Cyber stalking and harassment
• Computer sabotage
• Pornographic offenses
• Password sniffing

Cyber Crimes: Against Property
• Credit card frauds
• Intellectual property (IP) crimes
• Internet time theft

Cyber Crimes: Against Organization
• Unauthorized accessing of computer
• Password sniffing
• Denial-of-service attacks
• Virus attack/dissemination of viruses
• E-Mail bombing/mail bombs
• Salami attack/Salami technique
• Logic bomb
• Trojan horse
• Data diddling
• Industrial spying or industrial espionage
• Computer network intrusions
• Software piracy

Cyber Crimes: Against Society
• Forgery
• Cyber terrorism
• Web jacking

Cyber Crimes: Emanating from Usenet Newsgroup
• Usenet groups may carry very offensive, harmful, inaccurate material
• Postings that have been mislabeled or are deceptive in another way
• These should be taken in with a considered view

E-Mail Spoofing
• E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.
• It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say.
• Thus, someone could send spoofed e-mail that appears to be from you with a message that you didn't write.
• Example: senders who might prefer to disguise the source of the e-mail include a sender reporting mistreatment by a spouse to a welfare agency.
• Most spoofed e-mails fall into the "nuisance" category and require little action other than deletion; the more malicious varieties can cause serious problems and security risks.
• Spoofed e-mail may purport to be from someone in a position of authority, asking for sensitive data, such as passwords, credit card numbers, or other personal information - any of which can be used for a variety of criminal purposes.
• Bank of America, eBay, and Wells Fargo are among the companies who were spoofed in mass spam mailings.
• One type of e-mail spoofing, self-sending spam, involves messages that appear to be both to and from the recipient.

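Header checks a receiving mail system or analyst can run to flag the spoofing described above, including the self-sending case, as an added example (not from the course material). The two messages, their addresses and the 192.0.2.10 host are constructed; the Authentication-Results header is the receiving MTA's own SPF verdict, which only exists if that MTA recorded one.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims a bank, but the envelope sender
# (Return-Path) and the originating host belong elsewhere, and the receiving
# MTA recorded an SPF failure for the envelope domain.
SPOOFED_MESSAGE = """\
Return-Path: <bulk@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: "Bank Security" <security@bank.example.com>
To: alice@example.org
Subject: Verify your account

Please confirm your password at the link below.
"""

# Constructed sample of the slide's "self-sending spam": To and From are the recipient.
SELF_SENT_SPAM = """\
Return-Path: <alice@example.org>
From: alice@example.org
To: alice@example.org
Subject: Great offer

You appear to have sent this to yourself.
"""


def domain_of(address):
    """Lowercase domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw):
    """Return header-level indicators that a message may be spoofed. No single
    indicator proves forgery; together they justify quarantining the message
    or warning the recipient."""
    msg = message_from_string(raw)
    indicators = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    # Visible From and envelope sender belong to different domains.
    if from_dom and rp_dom and from_dom != rp_dom:
        indicators.append("from/return-path domain mismatch")
    # Self-sending spam: the message claims to be both to and from the recipient.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if from_addr and from_addr == to_addr:
        indicators.append("self-addressed message")
    # SPF verdict the receiving MTA recorded, if any.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        indicators.append("spf failure")
    # Received headers are prepended per hop, so the last one is the origin;
    # flag it when the From domain appears nowhere in that hop.
    received = msg.get_all("Received") or []
    if received and from_dom and from_dom not in received[-1].lower():
        indicators.append("originating host outside From domain")
    return indicators


if __name__ == "__main__":
    print(spoofing_indicators(SPOOFED_MESSAGE))
    print(spoofing_indicators(SELF_SENT_SPAM))
```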
Spamming
• Spam is abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately. People creating spam are called spammers.
• Spamming may be:
  – E-Mail spam
  – Instant messaging spam
  – Usenet group spam
  – Web search engine spam
  – Blog or wiki spam
  – Online classified ads spam
  – Mobile phone messaging spam
  – Internet forum spam
  – Junk fax spam
  – Social networking spam
• Spamming is difficult to control because:
  – spammers have no operating costs beyond the management of their mailing lists
  – it is difficult to hold senders accountable for their mass mailings

Search Engine Spamming
• Alteration or creation of a document with the intent to deceive an electronic catalog or a filing system
• Some web authors use "subversive techniques" to ensure that their site appears more frequently or ranks higher in returned search results.
• Remedy: Permanently exclude from the search index

Web Publishing Techniques to Avoid
• Repeating keywords
• Use of keywords that do not relate to the content on the site
• Use of fast meta refresh, i.e. change to the new page in a few seconds
• Redirection
• IP cloaking, i.e. including related links, information, and terms
• Use of colored text on the same color background
• Tiny text usage
• Duplication of pages with different URLs
• Hidden links

Cyber Defamation
• An act of defaming, insulting, offending or otherwise causing harm through false statements pertaining to an individual in cyberspace.
• Example: Someone publishes defamatory matter about someone on a website or sends an e-mail containing defamatory information to all friends of that person.

What Amounts to Defamation?
• If an imputation to a deceased person would harm the reputation of that person, and is intended to be hurtful to the feelings of his family or other near relatives
• An imputation is made concerning a company or an association or collection of people as such.
• An imputation in the form of an alternative or expressed ironically
• An imputation that directly or indirectly, in the estimation of others, lowers the moral or intellectual character of that person, or lowers the character of that person in respect of his caste or of his calling, or lowers the credit of that person.

Types of Defamation
• Libel: written defamation
• Slander: oral defamation
• The plaintiff must show that the defamatory statements were unlawful and would indeed injure the person's or organization's reputation.
  – Even if this is not proved, the person who made the allegations may still be held responsible for defamation.

Cyber Defamation Case Examples
• First case of cyber defamation in India (14-Dec-2009)
  – An employee of a corporate defamed its reputation. He was sending derogatory and defamatory emails against the company and its managing director.
  – A Delhi Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails.
  – The court passed an important ex-parte injunction.
• In another case, the accused posted obscene, defamatory and annoying messages about a divorcee woman and sent emails to the victim.
  – The offender was traced and was held guilty of offences under sections 469 and 509 IPC and 67 of the IT Act, 2000.
• Other defamation cases:
  – A malicious customer review by a competitor could destroy a small business.
  – A false accusation of adultery on a social networking site could destroy a marriage.
  – An allegation that someone is a "crook" could be read by a potential employer or business partner.

Internet Time Theft
• An unauthorized person uses the Internet hours paid for by another person
• Comes under hacking
• The person gets access to someone else's ISP user ID and password, either by hacking or by gaining access to it by illegal means
• Uses the internet without the other person's knowledge
• This theft can be identified when Internet time is recharged often, despite infrequent usage.
• This comes under "identity theft"

Salami Attack / Salami Technique
• Salami attacks are used for committing financial crimes.
• Attackers make alterations so insignificant that in a single case they would go completely unnoticed.
• Example: a bank employee inserts a program into the bank's server that deducts a small amount from the account of every customer every month.
  – The unauthorized debit goes unnoticed by the customers, but the employee will make a sizable amount every month.
• Examples:
  – Small "shavings" for big gains!
  – The petrol pump fraud: delivering a few millilitres less fuel than the amount shown

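A reconciliation check an internal auditor could run to catch the bank example above, added here as an example (not from the course material). The ledger, account numbers and threshold are constructed; amounts are integer paise so the totals are exact.

```python
from collections import defaultdict

# Constructed monthly ledger of (source_account, destination_account, amount_in_paise).
# Six customer accounts each lose a few paise to account 9999, mixed in with
# ordinary transfers that no rule should flag.
LEDGER = [
    ("1001", "9999", 7), ("1002", "9999", 4), ("1003", "9999", 9),
    ("1004", "9999", 2), ("1005", "9999", 6), ("1006", "9999", 8),
    ("1001", "1002", 25000), ("1003", "1004", 1999), ("1005", "9999", 12000),
]


def salami_suspects(ledger, max_amount=10, min_sources=5):
    """Return {destination: (distinct_sources, total)} for destinations that
    collect amounts of at most max_amount from at least min_sources distinct
    accounts. Each debit is individually too small to notice; only the
    aggregate view across accounts exposes the pattern."""
    sources = defaultdict(set)
    totals = defaultdict(int)
    for src, dst, amount in ledger:
        if 0 < amount <= max_amount:
            sources[dst].add(src)
            totals[dst] += amount
    return {
        dst: (len(srcs), totals[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    print(salami_suspects(LEDGER))  # one suspect: account 9999
```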
Data Diddling
• Data diddling involves changing data input to a computer.
• Information is changed from the way it should be entered by a person typing in the data.
  – data changed by a virus
  – programmer changes database or application to change data
• Example: a person entering accounting data may change it to show that their account, or that of a friend or family member, is paid in full. By changing or failing to enter the information, they are able to steal from the company.
• To deal with this type of crime, a company must implement policies and internal controls.
• Performing regular audits, using software with built-in features to combat such problems, and supervising employees.
• Example: Electricity boards in India have been victims of data diddling programs inserted when private parties computerized their systems.

Forgery
• The act of forging something, especially the unlawful act of counterfeiting a document or object for the purposes of fraud or deception.
• Something that has been forged, especially a document that has been copied or remade to look like the original.
• Counterfeit currency notes, postage, revenue stamps, marksheets etc. can be forged using sophisticated computers, printers and scanners.
• Stamp Paper Scam: a racket that flourished on loopholes in the system
  – Abdul Karim Telgi, the mastermind of the multi-crore counterfeiting, printed fake stamp papers worth thousands of crores of rupees using printing machines purchased illegally with the help of some conniving officials of the Central Govt.'s Security Printing Press (India Security Press) located in Nasik.
  – These fake stamp papers penetrated more than 12 states through a widespread network of vendors who sold the counterfeits without any fear and earned hefty commissions.
  – Amount swindled: Rs. 172 crores

Hacking
• An act committed toward breaking into a computer and/or network is hacking.
• Purpose
  – Greed
  – Power
  – Publicity
  – Revenge
  – Adventure
  – Desire to access forbidden information
  – Destructive mindset

History of Hacking
• Hacking is any technical effort to manipulate the normal behavior of network connections and connected systems.
• A hacker is any person engaged in hacking.
• The term "hacking" historically referred to constructive, clever technical work that was not necessarily related to computer systems.
• M.I.T. engineers in the 1950s and 1960s first popularized the term and concept of hacking.
• The so-called "hacks" perpetrated by these hackers were intended to be harmless technical experiments and fun learning activities.
• Later, outside of M.I.T., others began applying the term to less honorable pursuits; for example, several hackers in the U.S. experimented with methods to modify telephones for making free long-distance calls over the phone network illegally.
• As computer networking and the Internet exploded in popularity, data networks became by far the most common target of hackers and hacking.

Hacking V/S Cracking
• Malicious attacks on computer networks are officially known as cracking
• Hacking truly applies only to activities having good intentions
• Most non-technical people fail to make this distinction
• Outside of academia, it's extremely common to see the term "hack" misused and applied to cracks as well

Types of Hackers
• Black Hats: Criminal Hackers.
  – Possess a desire for destruction
  – Hack for personal monetary gains: stealing credit card information, transferring money from various bank accounts to their own account, extorting money from corporate giants by threatening.
• White Hats: Ethical Hackers.
  – Network Security Specialist.
• Grey Hats: Deal in both of the above (jack of all trades, master of none).

Case Study 1: NASA Site Hacked thru SQL Injection (2009)
• Two NASA sites recently were hacked by an individual wanting to demonstrate that the sites are susceptible to SQL injection.
• The websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were accessed by a researcher, who posted to his blog screen shots taken during the hack.
• A researcher, using the alias "c0de.breaker," used SQL injection to hijack the sites.
• SQL injection is an attack process where a hacker adds additional SQL code commands to a page request and the web server then tries to execute those commands within the backend database.
• The NASA hack yielded the credentials of some 25 administrator accounts.
• The researcher also gained access to a web portal used for managing and editing those websites.
• In this particular case, the researcher found the vulnerabilities, made NASA aware of them, then published findings after the websites had been fixed.
• An attacker, however, could have tried to use that web server as an entry point into other systems NASA might control, or edit the content of the sites and use them for drive-by downloads.

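The defect the case study describes, shown beside its fix, as an added example that is not from the course material or the affected sites: a lookup that pastes request input into SQL text next to the same lookup with a bound parameter. The in-memory sqlite table of admin accounts and its rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's administrator table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: request input is concatenated into the SQL text, so the
    database parses whatever the input contains as part of the query. A
    textbook tautology such as x' OR 'a'='a returns every row."""
    sql = "SELECT username FROM admins WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The fix: the query text is fixed and the input travels separately as a
    bound parameter, so it is only ever compared as a string value and the
    same tautology matches nothing."""
    sql = "SELECT username FROM admins WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```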
Case Study 2: Nadia Suleman's Site Hacked (2009)
[Figure: screenshot of the defaced homepage]

Case Study 2: Nadia Suleman's Site Hacked (2009) – The Story
• LOS ANGELES, CA: Octuplet mom Nadya Suleman launched a website to solicit donations, but it was immediately hacked by a group of vigilante mothers!
• The website originally featured photos of all eight octuplets, a "thank you" note from Suleman, images of children's toys and a large donation button for viewers to send money through. Suleman also provided an address where people can send baby use items.
• The site was hacked and brought down within hours. The original homepage was left up but defaced, as seen in the screenshot.
• The site was tagged by famous hacker group MOD (Mothers of Disappointment). The group has a history of attacking personal sites they disapprove of, including Britney Spears when she hung her sons to dry on a clothesline after a bath.
• Reporters received a short note from an anonymous e-mail address:
  – MOD will not tolerate the selfish acts of bad parenting, we will remain true to our mission despite any setbacks viva la maternity (call your mother, she misses you)
• The site was restored with extra security measures to guard against future attacks.

How do Pedophiles Operate?
• Pedophiles use a false identity to trap children/teenagers.
• Pedophiles contact children/teens in various chat rooms which are used by children/teens to interact with other children/teens.
• Befriend the child/teen and extract personal information from the child/teen by winning his confidence.
• Get the e-mail address of the child/teen and start making contacts on the victim's e-mail address as well.
• Start sending pornographic images/text to the victim, including child pornographic images, in order to help the child/teen shed his/her inhibitions so that a feeling is created in the mind of the victim that what is being fed to him/her is normal and that everybody does it.
• Extract personal information from the child/teen.
• At the end of it, the pedophile sets up a meeting with the child/teen out of the house and then drags him/her into the net to further sexually assault him/her or to use him/her as a sex object.

Software Piracy
• Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original.
• End-user copying
• Hard disk loading with illicit means
• Counterfeiting
• Illegal downloads from the internet

Pirated Software Has a Lot to Lose
• Getting untested software that may have been copied thousands of times
• Potentially may contain hardware-infecting viruses
• No technical support in case of software failure
• No warranty protection
• No legal right to use the product

Computer Sabotage
• Computer sabotage involves deliberate attacks intended to disable computers or networks for the purpose of disrupting commerce, education and recreation for personal gain, committing espionage or facilitating criminal conspiracies.
  – Through viruses, worms, logic bombs
• Chernobyl virus
  – The Chernobyl virus is a computer virus with a potentially devastating payload that destroys all computer data when an infected file is executed
• Y2K virus
  – The Y2K bug, also called the Year 2000 bug or Millennium Bug, is a problem in the coding of computerized systems that was projected to create havoc in computers and computer networks around the world at the beginning of the year 2000

E-Mail Bombing / Mail Bombs

• An email bomb is a form of net abuse consisting of sending a huge
volume of emails to an address in an attempt to overflow the
mailbox or overwhelm the server where the email address is
hosted, in a denial-of-service attack.
• The attacker configures a computer to repeatedly send emails to a specified
person’s email address.
• It overwhelms the recipient’s personal account and potentially can
shut down the entire system.

Network Intrusion

• An intrusion into a computer network from anywhere in the world
to steal data, plant viruses, create backdoors, insert Trojan horses
or change passwords and user names.
• An intrusion detection system (IDS) inspects all inbound and
outbound network activity and identifies suspicious patterns that
may indicate a network or system attack from someone attempting
to break into or compromise a system.
• Use of strong passwords, well-configured firewalls and a dedicated
IDS safeguards against network intrusion.

Password Sniffing

• Password sniffers are programs that monitor and record the
authentication details (name and password) of network users as
they log in, jeopardizing security at a site.
• Once authentication details are found out (using sniffers), one can
impersonate an authorized user and access restricted
systems/information.

Credit Card Frauds

• Credit card fraud is a term for theft and fraud committed using or
involving a payment card, such as a credit card or debit card, as a
fraudulent source of funds in a transaction.
• The purpose may be to obtain goods without paying or to obtain
unauthorized funds from an account.
• Credit card fraud is also an adjunct to identity theft.

Identity Theft

• Identity theft is a fraud involving another person’s identity for an
illicit purpose.
• The criminal uses someone else’s identity for his/her own illegal
purposes.
• Phishing and identity theft are related offenses
• Examples:
– Fraudulently obtaining credit
– Stealing money from victim’s bank account
– Using victim’s credit card number
– Establishing accounts with utility companies
– Renting an apartment
– Filing bankruptcy using the victim’s name

Identity Theft: Real Cases

• Dr. Gerald Barnes
Gerald Barnbaum lost his pharmacist license after committing Medicaid fraud.
He stole the identity of Dr. Gerald Barnes and practiced medicine under his
name. A type 1 diabetic died under his care. “Dr. Barnes” even worked as a staff
physician for a center that gave exams to FBI agents. He was imprisoned for this.
• Andrea Harris-Frazier
Margot Somerville lost her wallet on a trolley. Andrea Harris-Frazier had
defrauded several banks - using Somerville’s identity - out of tens of thousands
of dollars. Two years later she was arrested.
• Abraham Abdallah
A busboy named Abraham Abdallah got into the bank accounts of Steven
Spielberg and other famous people after tricking his victims via computer,
getting sufficient data to fake being their financial advisors - then calling their
banks…and you know the rest.

Cyber Crime: Legal Perspective

• Cybercrime poses a mammoth challenge
• Computer crime: Criminal Justice Resource Manual (1979)
– Any illegal act for which knowledge of computer technology is essential for a
successful prosecution.
• International legal aspects of computer crimes were studied in 1983
– Encompasses any illegal act for which the knowledge of computer
technology is essential for its perpetration

Cyber Crime: Legal Perspective…

• The network context of cyber crime makes it one of the most
globalized offenses of the present and most modernized threats of
the future.
• Solution:
– Divide information systems into segments bordered by state boundaries. Not
possible and unrealistic because of globalization
– Incorporate the legal systems into an integrated entity obliterating these
state boundaries.

Cyber Crime: Indian Perspective

• India has the fourth highest number of internet users in the world.
• 350+ million internet users in India
• 37% - in cyber cafes
• 57% are between 18 and 35 years
• Information Technology (IT) Act, 2000, specifies the acts which are
punishable. The primary objective of this Act is to create an
enabling environment for commercial use of IT

Cyber Crime: Indian Perspective…

• 217 cases were registered under the IT Act during the year 2007 as
compared to 142 cases during the previous year (2006),
• thereby reporting an increase of 52.8% in 2007 over 2006.
• 22.3% of cases (49 out of 217 cases) were reported from Maharashtra,
followed by Karnataka (40), Kerala (38) and Andhra Pradesh and
Rajasthan (16 each).

Incidence of Cyber Crime in Cities (2006 v/s 2007)
• 17 out of 35 mega cities did not report any case of cyber crime (i.e.,
neither under the IT Act nor under IPC sections) during the year
2007.
• 17 mega cities reported 118 cases under the IT Act and 7
mega cities reported 180 cases under various sections of the IPC.
• There was an increase of 32.6% (from 89 cases in 2006 to 118
cases in 2007) in cases under the IT Act as compared to the previous year
(2006).
• An increase of 26.8% (from 142 cases in 2006 to 180 cases in 2007)
in cases registered under various sections of the IPC.
• Bengaluru (40), Pune (14) and Delhi (10) cities reported a high
incidence of cases (64 out of 118 cases) registered under the IT Act,
accounting for more than half of the cases (54.2%) reported under
the Act.
BITS Pilani
Pilani Campus

SSZG681: Cyber Offenses
Lecture No: 10
How Criminals Plan the Attacks
Agenda
• Overview of cyber attacks
• Cyber attack life cycle
• Tools to gather target information
• Overview of social engineering
• Role of cyber cafe in cybercrime
• Understand cyber stalking
• Learn about botnet
Cyber Crime Overview - Recap

Terminology
• Hacker: A person with strong interest in computers who enjoys
learning and experimenting with them
• Hackers are usually very talented, smart people who understand computers better
than the others.
• Brute Force Hacking: A technique used to find passwords or
encryption keys. It involves trying every possible combination of
letters, numbers, etc., until the code is broken.
• Cracker: A person who breaks into computers. He is a computer
criminal.
• Acts include vandalism, theft and snooping in unauthorized areas.

Terminology…
• Cracking: An act of breaking into computers.
• Cracking is a popular, growing subject on the internet.
• Many sites are devoted to supplying crackers with tools that allow them to crack
computers (like guessing passwords)
• Cracker Tools: Programs that break into computers i.e. password
crackers, trojans, viruses, war dialers, worms etc.
• Phreaking: Art of breaking into phone or other communication
systems.
• War Dialer: Program that automatically dials phone numbers
looking for computers on the other end. It catalogs numbers so
that the hackers can call back and try to break in.

Vulnerabilities Exploited by Hackers
• Inadequate border protection
• Remote Access Servers (RASs) with weak access controls
• Applications with known exploits
• Mis-configured or default configured systems
• Software vulnerabilities
• Out of date patching

Commonly exploited vulnerabilities:
• Minimally protected phone systems
• Weak email credentials and phishing
• Poorly protected customer info
• Source code
• Website vulnerabilities
• OSINT gathering
• Distributed Denial of Service

Hacker Types…
• White Hat: White hats are ethical hackers.
• They use their knowledge and skill to thwart the black hats
and secure the integrity of computer systems or networks.
• They use hacking to identify vulnerabilities and inform the
owners of systems so that the vulnerabilities can be
plugged.
• If a black hat decides to target you, it’s a great thing to
have a white hat around.
• Black Hat: These are the bad guys. A black hat
is a cracker and uses hacking with malicious
intent.
• Black hats may also share information about the “break in”
with other black hat crackers so they can exploit the same
vulnerabilities before the victim becomes aware and takes
appropriate measures.

Hacker Types…
• Gray Hat – A gray hat is a bit of both a white
hat and a black hat.
• Their main objective is not to do damage to a system
or network, but to expose flaws in system security.
• The black hat part of the mix is that they may very well
use illegal means to gain access to the targeted system
or network, but not for the purpose of damaging or
destroying data:
• They want to expose the security weaknesses of a
particular system and then notify the “victim” of their
success.
• Often this is done with the intent of then selling their
services to help correct the security failure so black
hats cannot gain entry and/or access for more
devious and harmful purposes.

Categories of Cyber Crime
• Based on target of the crime
– Crimes targeted at individuals
– Crimes targeted at property
– Crimes targeted at organizations
• Based on whether the crime occurs as a single event or as a
series of events
– Single event cybercrime: hacking or fraud
– Series of events: cyber stalking

Cyber Attack Types

• Active attack
– Used to alter system
– Affects the availability, integrity and authenticity of data
• Passive attack
– Attempts to gain information about the target
– Leads to breaches of confidentiality
• Inside attack
– Attack originating and/or attempted within the security perimeter of an
organization
– Gains access to more resources than expected.
• Outside attack
– Is attempted by a source outside the security perimeter
– May be an insider or an outsider who is indirectly associated with the
organization
– Attempted through the internet or a remote access connection
Cyber Crime Life Cycle

Cyber Crime Planning
Cyber crime has 8 major phases:
• Reconnaissance: Get to know the target
• Weaponization: Things that need to get into the network
• Delivery: Attack starts
• Exploitation: Exploit the network and get better idea of network
• Installation: Ensure continued access to network
• Command & control: Take commanding position on the network
• Action on Objective: Achieve objectives
• Close and Cover the Tracks: Remove foot prints

Reconnaissance
• Identify a vulnerable target and explore the best ways to exploit
it. The initial target can be anyone in an organization. The
attacker requires a single point of entrance to get started.
• The questions the attacker needs answered at this stage are:
• Who are the important people in the company? This can be answered by
looking at the company web site or LinkedIn.
• Who do they do business with? For this they may be able to use social
engineering, by making a few “sales calls” to the company. The other way is
good old-fashioned dumpster diving.
• What public data is available about the company? Hackers collect IP
address information and run scans to determine what hardware and
software they are using. They check the ICANN web registry database.
• An attacker attempts to gather information in two manners:
Passive & Active
Passive Information Gathering
• Involves gathering information about the target without his/her
knowledge
• Google or Yahoo search: to locate information about employees
• Surfing online community group: Facebook to gain information
about an individual
• Organization website: for personnel directory or information
about key employees; used in social engineering attack to reach
the target
• Blogs, newsgroups, press releases, job postings etc.
• Network sniffing: information on Internet Protocol address
ranges, hidden servers or networks or services on the system

Passive Information Gathering Tools
• Google Earth
• Internet Archive
• Linkedin, Facebook
• People Search
• Domain Name Confirmation
• WHOIS
• Nslookup
• Dnsstuff
• Traceroute
• VisualRoute Trace
• eMailTrackerPro
• HTTrack

Example nslookup output for ndtv.com:
nslookup
> ndtv.com
Non-authoritative answer:
Name: ndtv.com
Address: 72.247.54.47

WHOIS record for that address:
Hostname: 72-247-54-47.deploy.static.akamaitechnologies.com
Address type: IPv4
ASN: AS9498 BHARTI Airtel Ltd.
Organization: Akamai Technologies, Inc. (akamai.com)
Route: 72.247.54.0/23

Active Information Gathering
• Involves probing the network to discover individual hosts to
confirm the information gathered in the passive attack phase
• Can provide confirmation to an attacker about security
measures in place

• Arphound: Listens to network traffic and reports IP/MAC mismatches & IP conflicts
• Arping: Discovers and probes computers on a network
• Bugtraq: Mailing list about security related issues
• Dig: Queries the domain name service database
• DNStracer: Finds where a DNS server gets its information from and follows the chain of servers
• Dsniff: Password sniffing and network analysis tool
• Filesnarf: Sniffs files from an NFS file system
• FindSMB: Information about machines and subnets
• Hmap: Fingerprinting of web servers
• Hping: TCP/IP packet analyzer
• Hunt: Exploits vulnerabilities in TCP/IP
• Netcat: Reads and writes network connections using TCP & UDP
• Nmap: Network explorer – security and port scanner
• TCPdump: Command line packet analyzer
• TCPreplay: Edits and replays previously captured packets

How Reconnaissance Works?
• WHOIS Lookups: Used for gathering domain names, IP
addresses, and web system information.
• NMAP Port Scanning: A network discovery tool that can be used
to identify open ports and vulnerabilities to exploit in your
network.
• Web Page Analysis & Email Address Search: Using search
engines and queries, attackers can gather information available
about your organization and its email communications online.
• Social Media Research: Learning about your organization and its
employees through Facebook, Linkedin, Twitter, and more can
prove valuable for attackers looking to craft targeted phishing
attacks.

Weaponization
• Coupling a remote access Trojan with a computer operating
system or software application exploit into a deliverable payload.
Increasingly, data files such as Microsoft Office documents or
Adobe PDF files have been used as a weapon platform
• Three step process:
• Step 1: Create believable Spear Phishing e-mails. These would look like e-
mails that they could potentially receive from a known vendor or other
business contact.
• Step 2: Create Watering Holes, or fake web pages. These web pages will
look identical to a vendor’s web page or even a bank’s web page. But the
sole purpose is to capture your user name and password, or to offer you a
free download of a document or something else of interest.
• Step 3: Collect the tools that attacker plans to use once he gains access to
the network so that he can successfully exploit any vulnerabilities found.

Delivery
• Implant of malware by remote or physical access to a targeted
computer.
• Transmission of the payload to the target. The three commonly
used delivery vectors for weaponized payloads:
• Email messages with attachments containing malware
• Websites containing malware that attack from a remote location
• USB and other removable media containing malware
• Phishing e-mails are sent, Watering Hole web pages are posted to
the Internet.
• If the Phishing e-mail contains a weaponized attachment, then the
attacker waits for someone to open the attachment and for the
malware to call home
• Attacker waits for all the data they need to start rolling in.
Exploitation
• Triggering of the attacker’s code. The payload exploits an
application or operating system vulnerability.
• It can exploit the user by persuading him to open an executable
attachment, or leverage a feature of the operating system that
auto-executes code
• If a user name and password arrive, the attacker tries them against
web-based e-mail systems or VPN connections of the company
network.
• If malware-loaded attachments were sent, then the attacker
remotely accesses the infected computers.
• The attacker explores the network and gains a better idea of the
traffic flow on the network, what systems are connected to the
network and how they can be exploited.
Exploitation…
• Examples:
• The attacker’s malware seeks and locates a known or previously unknown
software application or operating system vulnerability on a targeted
network
• An attacker persuades a user to open a malware executable attachment
• The interception of computer wireless transmissions to monitor, modify,
interrupt, or deny normal system or user operations or functions

Installation
• Creation of access point on a victimized computer that allows the
attacker unauthorized entry and exit on a victimized computer and
network.
• Attacker will install a persistent backdoor, create Admin accounts
on the network, disable firewall rules and perhaps even activate
remote desktop access on servers and other systems on the
network.
• Example
• Installing a remote access Trojan or backdoor on the victimized system and
network, allowing the attackers to affect all users of the system
• The physical emplacement of internal or external hardware devices that
allow an attacker unauthorized access to a computer system or network
• An attacker leverages a feature of a computer operating system that auto-
executes malicious functions
Command & Control
• Now attacker has access to the network, administrator accounts,
and all the needed tools are in place.
• This is unfettered access to the entire network.
• Attacker can look at anything, impersonate any user on the
network, and even send e-mails from the CEO to all employees.
• Attacker is in control and can even lock you out of your network
• Examples:
• An outbound beacon from the infected computer to the attacker, which is
sort of a “phone home” function, that initiates a command and control
dialogue between the attacker and the targeted computer
• A connection that provides an attacker with “hands-on-the-keyboard”
access to a targeted computer
• The initiation of applications on a targeted computer that are not a normal
user command or operating systems function
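The outbound beacon described above is also what a defender can look for: a bot polling its controller connects at near-constant intervals, while a person's browsing does not. The following is an added example, not part of the lecture material; the log format, hosts and thresholds are constructed for illustration.

```python
"""Beacon ("phone home") detection over outbound connection records.

Added example, not from the lecture slides. Log format, addresses and
thresholds are constructed. Outbound connections are grouped by
(source, destination, port); the gaps between successive connections of
each group are measured, and a group whose gaps are both frequent and
highly regular (low coefficient of variation) is reported as a possible
command-and-control beacon.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.5 -> 203.0.113.10:443 every ~60 s (beacon-like); the same host
# also browses 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10 443
2024-03-01T09:00:07 10.0.0.5 198.51.100.20 443
2024-03-01T09:01:01 10.0.0.5 203.0.113.10 443
2024-03-01T09:01:59 10.0.0.5 203.0.113.10 443
2024-03-01T09:02:48 10.0.0.5 198.51.100.20 443
2024-03-01T09:03:00 10.0.0.5 203.0.113.10 443
2024-03-01T09:04:02 10.0.0.5 203.0.113.10 443
2024-03-01T09:04:10 10.0.0.5 198.51.100.20 443
2024-03-01T09:05:00 10.0.0.5 203.0.113.10 443
2024-03-01T09:05:58 10.0.0.5 203.0.113.10 443
2024-03-01T09:06:59 10.0.0.5 203.0.113.10 443
2024-03-01T09:15:31 10.0.0.5 198.51.100.20 443
2024-03-01T09:16:02 10.0.0.5 198.51.100.20 443
"""


def parse_connections(text):
    """Parse the constructed log into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return {(src, dst, dport): (count, mean_gap_s, cv)} for flows that
    repeat at near-constant intervals.

    cv is the coefficient of variation of the inter-connection gaps
    (standard deviation / mean); 0 means perfectly periodic.  The
    thresholds are illustrative and would be tuned per environment.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)

    suspects = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue            # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue            # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects[key] = (len(stamps), round(avg, 1), round(cv, 3))
    return suspects


if __name__ == "__main__":
    for (src, dst, dport), (n, avg, cv) in find_beacons(parse_connections(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{dport}  {n} connections, "
              f"mean gap {avg}s, cv {cv}")
```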
Action on Objectives
• Now attacker has the control and will work to achieve attack
objectives.
• Stealing information on employees, customers, product designs, etc.
• Disrupt the operations of the company
• If you take online orders, attacker can shut down your order-taking system or
delete orders from the system.
• Create orders and have them shipped to your customers.
• Common Actions
• Data exfiltration—copying and removing files from computers or servers
• Data corruption—altering or erasing data from computers or servers
• Attacks to destroy—launching harmful applications or queries
• Redirecting browser queries
• Cover the tracks – delete access logs and temporary files so that there is
no trail of the attack.
Ways to Launch Attack Vectors
• Attack by email attachments
• Attack by Deception: Social Engineering/Hoaxes
• Hackers
• Heedless Guests (attack by webpage)
• Attack of the Worms
• Malicious Macros
• Foist ware/ Sneak ware
• Viruses

Zero-Day Attack
• A zero-day (or zero-hour or day zero) attack or threat is an
attack that exploits a previously unknown vulnerability in a
computer application or operating system, one that developers
have not had time to address and patch.
• Software vulnerabilities may be discovered by hackers, by
security companies or researchers, by the software vendors
themselves, or by users.
• If discovered by hackers, an exploit will be kept secret for as long
as possible and will circulate only through the ranks of hackers,
until software or security companies become aware of it or of
the attacks targeting it.

Scan for Information
• Scanning and scrutinizing gathered information is a key step
to examine and identify vulnerabilities
• The objectives are:
• Port scanning
• Network scanning
• Vulnerability scanning

Port Scan
• A port scan consists of sending a message to each port, one at a
time. The kind of response received indicates whether the port is
used and can therefore be probed for weakness.
• The result of a scan on a port is usually generalized into one of
the following categories:
• Open or accepted
• Closed or not listening
• Filtered or blocked.

Types of Port Scans
• Vanilla: the scanner attempts to connect to all 65,535 ports
• Strobe: a more focused scan looking only for known services to
exploit
• Fragmented packets: the scanner sends packet fragments that get
through simple packet filters in a firewall
• UDP: the scanner looks for open UDP ports
• Sweep: the scanner connects to the same port on more than one
machine
• FTP bounce: the scanner goes through an FTP server in order to
disguise the source of the scan
• Stealth scan: the scanner blocks the scanned computer from
recording the port scan activities.
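Seen from the firewall, the scan types above leave recognisable shapes: a vanilla or strobe scan hits many ports on one host, a sweep hits one port on many hosts, and the firewall's ACCEPT/REJECT/DROP actions correspond to the open/closed/filtered results the scanner receives. The following detection logic is an added example, not part of the lecture material; the log format, addresses and thresholds are constructed.

```python
"""Port-scan detection over firewall connection logs.

Added example, not from the lecture slides. Log format, addresses and
thresholds are constructed.  Two scan shapes are recognised within a
sliding time window per source: a vertical scan (many distinct ports on
one host, the vanilla/strobe case) and a sweep (one port across many
hosts).  Firewall actions are mapped onto the three result classes a
scanner sees: ACCEPT = open, REJECT = closed, DROP = filtered.
"""
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: "<ISO timestamp> <action> <src> <dst> <dport>".
SAMPLE_LOG = """\
2024-03-01T10:00:00 DROP   198.51.100.7 10.0.0.10 21
2024-03-01T10:00:00 ACCEPT 198.51.100.7 10.0.0.10 22
2024-03-01T10:00:01 REJECT 198.51.100.7 10.0.0.10 23
2024-03-01T10:00:01 REJECT 198.51.100.7 10.0.0.10 25
2024-03-01T10:00:01 DROP   198.51.100.7 10.0.0.10 53
2024-03-01T10:00:02 ACCEPT 198.51.100.7 10.0.0.10 80
2024-03-01T10:00:02 REJECT 198.51.100.7 10.0.0.10 110
2024-03-01T10:00:02 DROP   198.51.100.7 10.0.0.10 135
2024-03-01T10:00:03 DROP   198.51.100.7 10.0.0.10 139
2024-03-01T10:00:03 ACCEPT 198.51.100.7 10.0.0.10 443
2024-03-01T10:00:03 DROP   198.51.100.7 10.0.0.10 445
2024-03-01T10:00:04 REJECT 198.51.100.7 10.0.0.10 3389
2024-03-01T10:05:00 DROP   203.0.113.9 10.0.0.1 445
2024-03-01T10:05:00 DROP   203.0.113.9 10.0.0.2 445
2024-03-01T10:05:01 ACCEPT 203.0.113.9 10.0.0.3 445
2024-03-01T10:05:01 DROP   203.0.113.9 10.0.0.4 445
2024-03-01T10:05:02 DROP   203.0.113.9 10.0.0.5 445
2024-03-01T10:05:02 REJECT 203.0.113.9 10.0.0.6 445
2024-03-01T10:07:00 ACCEPT 10.0.0.50 10.0.0.10 443
2024-03-01T10:07:30 ACCEPT 10.0.0.50 10.0.0.10 443
2024-03-01T10:09:00 ACCEPT 10.0.0.50 10.0.0.10 80
"""

# Firewall action -> what the scanner infers about the port.
RESULT_CLASS = {"ACCEPT": "open", "REJECT": "closed", "DROP": "filtered"}


def parse_log(text):
    """Parse the constructed log into (timestamp, action, src, dst, dport)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return records


def _record_alert(found, src, kind, target, count, events):
    """Keep the largest observation per (src, kind, target), with a tally of
    how the probed ports answered."""
    key = (src, kind, target)
    if key in found and found[key]["count"] >= count:
        return
    tally = defaultdict(int)
    for _, action, _, _, _ in events:
        tally[RESULT_CLASS.get(action, "unknown")] += 1
    found[key] = {"count": count, "results": dict(tally)}


def detect_scans(records, window_s=60, vertical_min=10, sweep_min=5):
    """Return {(src, kind, target): {"count": n, "results": {...}}}.

    kind is "vertical" (target = host, count = distinct ports probed) or
    "sweep" (target = port, count = distinct hosts probed).
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[2]].append(rec)

    found = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Advance lo so events[lo:hi+1] all lie within window_s of events[hi].
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            window = events[lo:hi + 1]
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, _, _, dst, dport in window:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= vertical_min:
                    _record_alert(found, src, "vertical", dst, len(ports),
                                  [e for e in window if e[3] == dst])
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= sweep_min:
                    _record_alert(found, src, "sweep", dport, len(hosts),
                                  [e for e in window if e[4] == dport])
    return found


if __name__ == "__main__":
    for (src, kind, target), info in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{kind} scan from {src} on {target}: {info['count']} probes, "
              f"responses {info['results']}")
```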

Scrutinize Phase
• Called “enumeration” in the hacking world
• Objective is to identify:
• Valid user accounts or groups
• Network resources and/or shared resources
• OS and different applications that are running on the machine.

Social Engineering

Social Engineering
• It is an art of exploiting the trust of people (“Con Game”)
• Influence and persuade a person to share his confidential
information or perform some action.
• A social engineer usually uses telecommunications or internet to
get them to do something that is against the security practices
and policies of the organization.
• Involves gaining sensitive information or unauthorized access
privileges by building inappropriate trust relationships with
insiders.
• Social engineering is a non-technical method of intrusion that
relies heavily on human interaction and often involves tricking
people into breaking normal security procedures.

Social Engineering: Human Based
• Requires interaction with humans (person-to-person contact) to
retrieve desired information. Popular human based social
engineering techniques are:
– Impersonating an employee or user
– Posing as an important user
– Being a third person
– Being a technical support Person
– Shoulder surfing
– Dumpster diving

Social Engineering: Computer Based
• Computer-based social engineering uses computer software that
attempts to retrieve the desired information:
– Fake E-mails
– Baiting
– E-mail attachments
– Pop-up windows

Impersonation: An Employee or User
• Hacker pretends to be an employee or valid user on the system.
• Hacker may gain physical access by pretending to be a janitor,
employee, or contractor.
• Valid credentials are coveted assets for attackers.
• An attacker who has obtained valid user credentials through
social engineering techniques has the ability to roam the
network with impunity searching for valuable data.
• In log data, the attacker’s activities are easily hidden due to the
inability to see the subtle differences in behaviors and access
characteristics.
• This phase of attack chain often represents the lengthiest portion
of the attack.

Impersonation: An Important User
• Hacker pretends to be a VIP or high-level manager who has
the authority to use computer systems or files.
• Most of the time, low-level employees don’t ask any
questions of someone who appears in this position.

Impersonation: A Third Party Person
• Hacker pretends to have permission from an authorized person
to use the computer system.
• It works when the authorized person is unavailable for some
time.

Impersonation: A Technical Support Person
• Calling tech support for assistance is a classic social-engineering
technique.
• Help desk and technical support personnel are trained to help
users, which makes them good prey for social engineering
attacks.

Shoulder Surfing
• Shoulder surfing: Shoulder surfing is the technique of gathering passwords
by watching over a person’s shoulder while they log in to the system.
• A hacker can watch a valid user log in and then use that password to gain
access to the system.

Dumpster Diving
• Dumpster diving involves looking in the trash for information
written on pieces of paper or computer printouts.
• Hackers can often find passwords, filenames, or other pieces of
confidential information like SSN, PAN, credit card ID numbers,
etc.
• Also called dumpstering, binning, trashing, garbage gleaning,
scavenging etc.

Fake E-mails
• Phishing involves false emails, chats, or websites designed to
impersonate real systems with the goal of capturing sensitive
data.
• A message might come from a bank or other well-known
institution with the need to “verify” your login information.
• It will usually be a mocked-up login page with all the right logos
to look legitimate.
• The term was coined in 1996 by hackers who were stealing AOL
Internet accounts by scamming passwords without the
knowledge of AOL users.
• They replaced “f” by “ph”

Baiting
• Baiting involves dangling something you want to entice you to
take an action the criminal desires.
• It can be in the form of a music or movie download on a peer-
to-peer site or it can be a USB flash drive with a company logo
labeled “Executive Salary Summary Q1 2013” left out in the
open for you to find.
• Once the device is used or downloaded, the person or
company’s computer is infected with malicious software
allowing the criminal to advance into your system.

E-Mail Attachments
• Emails sent by scammers may have attachments that include
malicious code inside the attachment.
• Those attachments can include key loggers to capture users’
passwords, viruses, Trojans, or worms.

Pop-up Windows
• Pop-up windows can be used in social engineering attacks.
• Pop-up windows that advertise special offers may tempt users
to unintentionally install malicious software.

Don’t Be a Victim
• Slow down: Spammers want you to act first and think later. If the message
conveys a sense of urgency, or uses high-pressure sales tactics, be skeptical.
• Research the facts: Be suspicious of any unsolicited messages. If the email
looks like it is from a company you use, do your own research. Use a search
engine to go to the real company’s site, or a phone directory to find their
phone number.
• Delete any request for financial information or passwords: If you get asked to
reply to a message with personal information, it’s a scam.
• Reject requests for help or offers of help: Legitimate companies and
organizations do not contact you to provide help. If you did not specifically request
assistance from the sender, consider any offer to help (e.g. restore credit scores,
refinance a home, answer your question, etc.) a scam.
• Don’t use an in-line link to access websites: Find the websites using a search
engine to be sure you land where you intend to land. Hovering over links in
email will show the actual URL at the bottom, but a good fake can still steer
you wrong.
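The last point, that the real destination of a link can differ from what the message shows, is something a mail gateway or a careful reader can check mechanically. The following is an added example, not part of the lecture material; the sample message, the trusted-domain list and the checks are constructed, and the registrable-domain helper is a deliberate approximation (last two labels, no public-suffix list).

```python
"""Flagging deceptive links in an HTML e-mail body.

Added example, not from the lecture slides.  The sample message and the
trusted-domain list are constructed.  For each <a> element the host the
link really points to (href) is compared with what the reader sees (the
anchor text) and with the domains the organisation actually uses.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the "verify your login" lure.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://example-bank.com.verify-login.example.net/acct">
log in to Example Bank</a> to verify your account.</p>
<p>Or visit <a href="https://198.51.100.77/secure">https://www.example-bank.com/secure</a></p>
<p>Statements: <a href="https://www.example-bank.com/statements">statements</a></p>
<p>Help: <a href="https://xn--exmple-bank-3za.com/help">help centre</a></p>
"""

# Constructed: the domains the organisation legitimately sends mail about.
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Approximate registrable domain: the last two labels (assumption; a
    real implementation would consult the public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text, trusted):
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["no host in href"]
    if is_ip_literal(host):
        reasons.append("href points to a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host name")
    href_dom = registered_domain(host)
    # Brand name buried as a subdomain of some unrelated registered domain.
    for t in trusted:
        if t in host and href_dom != t:
            reasons.append(f"looks like {t} but is registered under {href_dom}")
    # Anchor text that shows a URL/host different from where the link goes.
    shown = text.strip()
    shown_host = None
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
    if shown_host and registered_domain(shown_host) != href_dom:
        reasons.append(f"displayed {shown_host} but links to {host}")
    return reasons


def scan_message(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reasons)] for every link with at least one finding."""
    flagged = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text, trusted)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in scan_message(SAMPLE_HTML):
        print(f"{text!r} -> {href}\n    " + "\n    ".join(reasons))
```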
Don’t Be a Victim…
• Email hijacking is rampant: Hackers taking over control of people’s email accounts (and
other communication accounts) is rampant. Even when the sender is known but you aren’t
expecting an email with a link or attachment, check with your friend before opening
links or downloading attachments.
• Beware of any download: If you don’t know the sender personally and got an
attachment from them, avoid downloading it.
• Foreign offers are fake: Emails from a foreign lottery, money offers from an unknown
relative or requests to transfer funds from a foreign country for a share of the money
are scams.
• Set your spam filters to high: Use email spam filter, set these filters to high and check
your spam folder periodically to see if legitimate email has been categorized as spam.
• Secure your computing devices: Install anti-virus software, firewalls, email filters and
keep these up-to-date. Set your operating system to automatically update, and if your
smart phone doesn’t automatically update, manually update it whenever you receive a
notice to do so.
• Avoid phishing: Use an anti-phishing tool offered by your web browser or third party to
alert you to risks.

Cyber Stalking

Cyber Stalking
• Cyber stalking is the use of the Internet or other electronic means
to stalk or harass an individual, a group, or an organization.
• May include false accusations, defamation, slander and libel.
• May include monitoring, identity theft, threats, vandalism,
solicitation for sex, or gathering information that may be used to
threaten or harass.
• Also referred to as Internet stalking, e-stalking or online stalking.

Cyber Stalking…
• Cyber stalking is a crime in which the attacker harasses a victim
using electronic communication, such as e-mail or instant
messaging or messages posted to a web site or a discussion
group.
• A cyber stalker relies upon the anonymity afforded by the
internet to allow them to stalk their victim without being
detected.
• Cyber stalking messages differ from ordinary spam in that a cyber
stalker targets a specific victim with often threatening messages,
while the spammer targets a multitude of recipients with simply
annoying messages.

Types of Stalkers
• Online and Offline stalkers
• Stalking is a criminal offense
• Stalker is motivated by a desire to control, intimidate or
influence a victim
• Stalker may be an online stranger or a person whom the
target knows
• Stalker may be anonymous and solicit involvement of other
people online who do not even know the target

How Stalking Works?
• Personal information gathering about the victim
• Establish a contact with the victim through telephone/cell phone and
start threatening or harassing
• Establish a contact with the victim through email
• Keep sending repeated emails asking for various kinds of favors or
threaten the victim
• Post victim’s personal information on any website related to illicit
services
• Whoever comes across the information starts calling the victim on
the given contact details, asking for illicit services
• Some stalkers may subscribe/register the victim’s email account to
innumerable pornographic and sex sites, because of which the victim starts
receiving such unsolicited emails

Cyber Cafe and Cyber Crimes
• An Internet café or cybercafé is a place which provides
Internet access to the public, usually for a fee.
• According to Nielsen Survey on the profile of cyber cafes users
in India:
– 37% of the total population use cyber cafes
– 90% of this were males in age group 15-35 years
– 52% graduates and post-graduates
– > 50% were students
• It’s extremely important to understand the IT security and
governance practiced in the cyber cafes.

Cyber Café: Usage Risks
• Can be used for either real or false terrorist communication
• For stealing bank passwords and fraudulent withdrawal of money
– Key loggers or spyware
– Shoulder surfing
• For sending obscene mails to harass people
• Not considered network service providers under the ITA 2000
• They are nevertheless responsible for “due diligence”



Cyber Café: Illegal Activities
• Pirated software: OS, Browser, Office
• Antivirus software not in use or not updated
• Cybercafes should have “deep freeze” software
– Clears details of all activities carried out when one clicks the “restart” button
• Annual Maintenance Contract (AMC): normally not in place
– This is a risk, as a cybercriminal can install malicious code for criminal activities
• Pornographic websites and similar websites are not blocked
• Owners have low awareness about IT Security and IT
Governance.
• IT Governance guidelines are not provided by cyber cell wing
• No periodic audit visits by cyber cell wing (state police) or
cyber cafe association



Cyber Café: Safety and Security Measures
• Always log out: do not save login information through
automatic login features
• Stay with the computer
• Clear history and temporary files before and after use
• Be alert: don’t be a victim of shoulder surfing
• Avoid online financial transactions
• Don’t change passwords
• Use virtual keyboards
• Look for security warnings



Botnets: The Fuel for Cybercrime
• Bot: An automated program for doing a particular task, often
over a network
• Botnet (zombie army): A number of internet computers that,
although their owners are unaware of it, have been set up to
forward transmissions (including spam or viruses) to other
computers on the internet
• Zombie: A computer "robot" or "bot" that serves the wishes of a
master spam or virus originator
• Most computers compromised in this way are home-based.
• As per the Russia-based Kaspersky Labs, botnets - not spam, viruses,
or worms - pose the biggest threat to the internet



Use of Botnets (diagram)
• Botnet creation
– Botnet renting
– Botnet selling
• Uses of the rented or sold botnet
– DDoS attacks
– Malware and spamdexing
– Adware installation
– Spam attacks
– Phishing attacks
– Stealing confidential information
• Stolen data is then sold
– Selling credit card and bank account details
– Selling personal identity information
– Selling internet services and shop accounts



Measures to Secure the System
• Use antivirus and anti-spyware
• Install updates
• Use a firewall
• Disconnect from the internet when not in use
• Don’t trust free downloads
• Regularly check the inbox and sent items
• Take immediate action if the system is infected



Prominent Cyber Attack Examples
• Iran Nuclear Program
– The earliest instance of a nation waging cyberwar was the Stuxnet worm, which was used to attack Iran's nuclear program in 2010. The malware targeted SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices. The United States and Israel have both been linked to the development of Stuxnet, but neither nation has formally acknowledged its role.
• Ukraine DDoS Attack
– In March 2014, the Russian government allegedly perpetrated a DDoS attack that disrupted the internet in Ukraine, enabling pro-Russian rebels to take control of Crimea.
– In May 2014, three days before Ukraine's presidential election, a Russian hacking group took down the Ukrainian election commission's system, including the backup system. Ukrainian computer experts were able to get the system up and running before the election. The attack was launched to wreak havoc and damage the nationalist candidate while helping the pro-Russian candidate, who ultimately lost the election.
• Sony Pictures Attack
– Hackers associated with the government of North Korea were blamed for the 2014 cyber attack on Sony Pictures after Sony released the film ’The Interview’, which portrayed the North Korean leader Kim Jong-un in a negative light. During its investigation into the hack, the FBI noted that the code, encryption algorithms, data deletion methods and compromised networks were similar to malware previously used by North Korean hackers. In addition, the hackers used several IP addresses associated with North Korea.
• German Parliament Infection
– A 2015 attack on the German parliament, suspected to have been carried out by Russian secret services, caused massive disruption when it infected 20,000 computers used by German politicians, support staff members and civil servants. Sensitive data was stolen, and the attackers demanded several million euros to clean up the damage. Although a group of Russian nationalists who wanted the government in Berlin to stop supporting Ukraine claimed responsibility, members of Russian intelligence were also reported to be involved.



Prominent Cyber Attack Examples…
• A Malware Analysis Report (MAR) issued by the Department of Homeland Security (DHS) and the FBI identified two malware codes, HOPLIGHT and ELECTRICFISH, released by North Korea.
• In 2015, cybercriminals backed by the Chinese state were accused of breaching the website of the U.S. Office of Personnel Management to steal data on approximately 22 million current and former employees of the U.S. government. Chinese cybercriminals have also been implicated in the theft of U.S. military aircraft designs, an incident that caused then-president Barack Obama to call for a treaty on cyber arms control.
• In December 2016, more than 230,000 customers in Ukraine experienced a blackout, the result of remote intrusions at three regional electric power distribution companies. The attack was suspected to originate from Russia. The perpetrators flooded phone lines with a DoS attack and also used malware to attack and destroy data on hard drives at the affected companies. While power was restored within hours, it took months for the companies to restore full functionality to the control centers that had been attacked.
• In 2016, 2017 and 2018, variations of the malware known as Shamoon struck businesses in the Middle East and Europe. McAfee’s Advanced Threat Research concluded that the Iranian hacker group APT33, or a group masquerading as APT33, is likely responsible for these attacks.
• On August 2, 2017, President Trump signed into law the Countering America’s Adversaries Through Sanctions Act (CAATSA) (Public Law 115-44), imposing new sanctions on Iran, Russia, and North Korea.



Thank You
