Q1: What are the key principles of security?
Ans 1 (a) Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and its network-accessible resources. It involves the authorization of access to data in a network, which is controlled by the network administrator: users choose or are assigned an ID and password, or other authenticating information, that grants them access to the information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday work to conduct transactions and communications among businesses, government agencies and individuals. Some networks are private, such as those within a company; others are open to public access. Network security is practised in organizations, enterprises, and other types of institutions. It does what its name says: it secures the network, and it protects and oversees the operations carried out on it. The most common and simplest way of protecting a network resource is to assign it a unique name and a corresponding password.
The different security principles are:
1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.
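Worked example (added here; it is not part of the original answer). A shared-key message authentication code shows the integrity and data origin authentication services together, and makes the point in principle 3 concrete: a message accepted under the key must have come from a key holder and cannot have been altered in transit. The key and the messages are constructed for the demonstration.

```python
# Added example: data origin authentication with HMAC-SHA256, and why it
# implicitly provides data integrity. Keys and messages are constructed.
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the authentication tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    True means the message came from a holder of `key` (data origin
    authentication) and was not altered on the way (data integrity)."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = secrets.token_bytes(32)            # shared secret, constructed for the demo
    message = b"transfer 100 to account 42"  # constructed message
    tag = make_tag(key, message)
    return {
        "genuine": verify(key, message, tag),
        # the three kinds of manipulation named under data integrity
        "substituted": verify(key, b"transfer 900 to account 42", tag),
        "inserted": verify(key, message + b"0", tag),
        "deleted": verify(key, message[:-1], tag),
        # a message from an entity that does not hold the key
        "wrong_key": verify(secrets.token_bytes(32), message, tag),
    }
```

Only the genuine message verifies; every insertion, deletion or substitution changes the tag, which is why data origin authentication carries integrity with it. Note what the example does not give: because sender and receiver hold the same key, either of them could have produced the tag, so a MAC cannot settle a dispute between them. Non-repudiation (principle 4) needs a digital signature made with a private key that only the signer holds.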
Q2: What are the types of malicious software? Briefly explain each of them.
Ans 1 (b) Security Threats
Trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedures. Trap doors have been used legitimately for many years by programmers to debug and test programs. This is usually done when the programmer is developing an application that has an authentication procedure, or a long setup requiring the user to enter many different values, before it will run. To debug the program, the developer may wish to gain special privileges or to avoid all the necessary setup and authentication. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access. It is difficult to implement operating system controls for trap doors, so security measures must focus on the program development and software update activities.
Logic Bomb One of the oldest types of program threat, predating viruses and worms, is the logic bomb. The logic bomb is code embedded in some legitimate program that is set to "explode" when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. For example, one logic bomb checked for a certain employee ID number and triggered if that ID failed to appear in two consecutive payroll calculations. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.
A Trojan horse is a useful program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horse programs can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user. The author could then induce users to run the program by placing it in a common directory and naming it so that it appears to be a useful utility.
Viruses A virus is a program that can infect other programs by modifying them: the modification includes a copy of the virus program, which can then go on to infect other programs. A computer virus carries in its instructional code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system.
Worms Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
To replicate itself, a network worm uses some sort of network vehicle. Examples include the following:
• Electronic mail facility: A worm mails a copy of itself to other systems.
• Remote execution capability: A worm executes a copy of itself on another system.
• Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
The new copy of the worm program is then run on the remote system where, in addition to any functions that it performs at that system, it continues to spread in the same fashion. A network worm exhibits the same characteristics as a computer virus:
Zombie is a computer that has been taken over by another, controlling computer. The source computer contacts and uses the victim computer via the Internet and uses the victim's network to send spam in the form of posts, comments or email. Often the zombie computer's owner will not recognize that this is happening. The source computer uses a Trojan horse, other malware, a virus or cracker software to take over the victim's computer; the zombie code can be transferred by opening an email, a download or an attachment on the victim's computer. Once installed, the source computer can also use the zombie to execute DoS (denial-of-service) attacks or to host phishing attacks against web sites, in addition to sending spam.
Q3: What is an intruder? Describe the function & benefits of intrusion detection.
Ans : An intrusion is any set of actions that threatens the integrity, availability, or confidentiality of a network resource; an intruder is the party carrying out those actions. Example: denial of service (DoS), which attempts to starve a host of the resources it needs to function correctly.
Intrusion detection
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions. Intrusions are caused by attackers accessing the systems from the Internet, by authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and by authorized users who misuse the privileges given to them. Intrusion Detection Systems (IDSs) are software or hardware products that automate this monitoring and analysis process.
Functions of Intrusion detection systems:
• Monitoring and analysis of user and system activity
• Auditing of system configurations and vulnerabilities
• Assessing the integrity of critical system and data files
• Recognition of activity patterns reflecting known attacks
• Statistical analysis for abnormal activity patterns
Benefits of intrusion detection :
• Improving integrity of other parts of the information security infrastructure
• Improved system monitoring
• Tracing user activity from the point of entry to point of exit or impact
• Recognizing and reporting alterations to data files
• Spotting errors of system configuration and sometimes correcting them
• Recognizing specific types of attack and alerting appropriate staff for defensive responses
• Keeping system management personnel up to date on recent corrections to programs
• Allowing non-expert staff to contribute to system security
• Providing guidelines in establishing information security policies
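Worked example (added here; not part of the original answer). Two of the functions listed above, recognition of activity patterns reflecting known attacks and statistical analysis for abnormal activity, are shown side by side on a constructed web-server log. The log lines, the log format, the attack signatures and the threshold are all assumptions made for this example.

```python
# Added example: a minimal IDS pass over constructed log lines, combining
# misuse (signature) detection with statistical anomaly detection.
import re
import statistics
from collections import Counter

# Constructed sample log, format: "HH:MM:SS source_ip method path status".
# Four ordinary clients plus one source (10.0.0.13) hammering a single URL.
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 GET /index.html 200",
    "10:00:02 10.0.0.7 GET /login 200",
    "10:00:03 10.0.0.7 POST /login 401",
    "10:00:04 10.0.0.9 GET /../../etc/passwd 404",
    "10:00:05 10.0.0.5 GET /about.html 200",
    "10:00:06 10.0.0.11 GET /search?q='%20OR%201=1-- 200",
    "10:00:07 10.0.0.7 GET /home 200",
    "10:00:08 10.0.0.9 GET /index.html 200",
] + [f"10:01:{i:02d} 10.0.0.13 GET /cgi-bin/search 200" for i in range(40)]

# Signatures of known attack patterns (illustrative; a real IDS has thousands).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)(%27|')(%20|\s)*or(%20|\s)+1=1")),
]


def parse(line: str) -> dict:
    ts, src, method, path, status = line.split()
    return {"time": ts, "source": src, "method": method,
            "path": path, "status": int(status)}


def signature_matches(events) -> list:
    """Misuse detection: report every event whose path matches a known pattern."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                hits.append({"source": ev["source"], "signature": name,
                             "path": ev["path"]})
    return hits


def rate_anomalies(events, k: float = 3.0) -> list:
    """Anomaly detection: flag a source whose request count is more than k
    standard deviations above the mean of the *other* sources. The baseline is
    computed leave-one-out so an outlier does not inflate its own threshold."""
    counts = Counter(ev["source"] for ev in events)
    flagged = []
    for src, n in counts.items():
        others = [c for s, c in counts.items() if s != src]
        if len(others) < 2:
            continue
        mean = statistics.mean(others)
        spread = max(statistics.pstdev(others), 1.0)  # floor: a flat baseline still has a threshold
        if n > mean + k * spread:
            flagged.append(src)
    return sorted(flagged)


def run(lines) -> dict:
    events = [parse(line) for line in lines]
    return {"signature": signature_matches(events),
            "anomaly": rate_anomalies(events)}
```

The signature pass catches the traversal and injection attempts because their shape is known in advance; it would miss the flood entirely, which only the statistical pass sees. The reverse also holds: the two injection lines are unremarkable by volume. That complementarity is why the functions are listed separately above.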
Q4: Differentiate between cryptanalysis and cryptography.
Ans Technically, any method employed to break a cipher or code is cryptanalysis, whereas cryptography is the design and use of ciphers and codes to protect information. However, when we refer to cryptanalysis we are specifically talking about employing mathematical analysis to break a code. This method requires a high level of skill and sophistication and is usually employed only by academics and governments. Today it relies very heavily on the use of ultrafast supercomputers.
Probably the most active and successful organization in the world dedicated to breaking codes is the National Security Agency (NSA), the largest and most secret spy agency in the United States. It is sometimes referred to as the Puzzle Palace, because the agency spends so much time and energy on codes and ciphers. The NSA employs tens of thousands of people. The only comparable organization ever to have existed in terms of size was the former Soviet Union's KGB, and with the breakup of the Soviet Union the NSA is now left without peers.
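Worked example (added here; not part of the original answer). The distinction is easiest to see on one cipher viewed from both sides: `encrypt` and `decrypt` are cryptography (using a key to protect a message), while `break_shift` is cryptanalysis (recovering the key from ciphertext alone by mathematical analysis, here a chi-squared comparison of letter frequencies against English). The cipher is a simple shift cipher chosen for clarity, and the plaintext and frequency table are constructed for the example.

```python
# Added example: a shift cipher (cryptography) and a ciphertext-only
# frequency-analysis attack on it (cryptanalysis).
import string

# Approximate relative frequencies (percent) of letters in English text.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}


def encrypt(plaintext: str, key: int) -> str:
    """Shift (Caesar) cipher: rotate each letter by `key`; keep other characters."""
    out = []
    for ch in plaintext.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + key) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    return encrypt(ciphertext, -key)


def chi_squared(text: str) -> float:
    """Distance of the letter distribution of `text` from English (lower = closer)."""
    letters = [c for c in text if c in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_shift(ciphertext: str):
    """Ciphertext-only attack: try all 26 keys, keep the most English-looking result."""
    scored = [(chi_squared(decrypt(ciphertext, k)), k) for k in range(26)]
    best_score, best_key = min(scored)
    return best_key, decrypt(ciphertext, best_key)


# Constructed plaintext, long enough for the letter statistics to be meaningful.
SAMPLE_PLAINTEXT = ("cryptography is the practice of building ciphers that protect "
                    "information from everyone except the holders of the key while "
                    "cryptanalysis is the practice of recovering that information "
                    "or the key itself without being given it")
```

The attacker never guesses the key; the statistic picks it out because the correct shift is the only one under which common letters land on common letters. A modern cipher is designed so that no such statistical handle survives in the ciphertext, which is why breaking it needs the scale of effort the answer describes.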
Q5: What is steganography? What are the various drawbacks and advantages of steganography?
Ans Steganography is the art, science, or practice in which messages, images, or files are hidden inside other messages, images, or files. The concept is not a new one; it dates back many millennia, when messages were hidden in things of everyday use such as watermarks on letters, carvings on the undersides of tables, and other objects. The more recent use of the concept emerged with the dawn of the digital world: experiments have shown that data can be hidden in many ways inside different types of digital files. The main benefit of steganography is that the payload is not expected by the investigators who examine the computer data. The person sending the hidden data and the person meant to receive it are the only ones who know about it; to everyone else, the object containing the hidden data just seems like an everyday, normal object.
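Worked example (added here; not part of the original answer). Least-significant-bit embedding in a constructed 8-bit greyscale "image" (a plain byte buffer, so no image library is needed) shows the advantage described above, that the carrier looks unchanged, and also a drawback the answer does not spell out: naive embedding leaves a statistical trace, measured here as how often neighbouring pixels disagree in their lowest bit. The carrier, the message and the detection statistic are all constructed for the example.

```python
# Added example: LSB steganography in a byte-buffer image, with a simple
# statistical check that shows the trace it leaves. All inputs are constructed.
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(carrier: bytes, message: bytes) -> bytes:
    """Write a 4-byte length header plus the message into the LSBs of `carrier`."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit   # replace only the lowest bit of each pixel
    return bytes(out)


def _read_bytes(stego: bytes, offset_pixels: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[offset_pixels + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the message: read the length header, then that many bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the carrier; not a valid stego object")
    return _read_bytes(stego, 32, length)


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest change to any pixel value between the clean and the stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_transition_rate(data: bytes, n: int) -> float:
    """Fraction of adjacent pixel pairs (within the first n pixels) whose LSBs differ.
    A smooth natural carrier has a low rate; embedded message bits push it toward 0.5."""
    pairs = [(data[i] & 1) != (data[i + 1] & 1) for i in range(n - 1)]
    return sum(pairs) / len(pairs)


# Constructed carrier: a smooth 64 x 64 greyscale gradient, one byte per pixel.
CARRIER = bytes((i // 16) % 256 for i in range(64 * 64))
MESSAGE = b"meet at the old mill at midnight"   # constructed payload


def demo() -> dict:
    stego = embed(CARRIER, MESSAGE)
    n = (4 + len(MESSAGE)) * 8   # pixels that carry payload bits
    return {
        "recovered": extract(stego),
        "max_change": max_pixel_change(CARRIER, stego),
        "rate_before": lsb_transition_rate(CARRIER, n),
        "rate_after": lsb_transition_rate(stego, n),
    }
```

No pixel moves by more than one grey level, so the image is visually identical, which is the advantage. But the low-bit transition rate jumps from a few percent to roughly one half over the region that carries the message, which is the kind of statistic steganalysis tools look for; hiding from the eye is not the same as hiding from analysis.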
Q6: What is Phishing? Explain DNS based phishing.
Ans : Phishing refers to online identity theft in which confidential information is obtained from an individual. It is distinguished from offline identity theft such as card skimming and "dumpster diving", as well as from large-scale data compromises in which information about many individuals is obtained at once. Phishing includes many different types of attacks, including:
• Deceptive attacks, in which users are tricked by fraudulent messages into giving out information;
• Malware attacks, in which malicious software causes data compromises; and
• DNS-based attacks, in which the lookup of host names is altered to send users to a fraudulent server (sometimes also referred to as "pharming").
Phishing targets many kinds of confidential information, including usernames and passwords, social security numbers, credit-card numbers, bank account numbers, and personal information such as birthdates and mothers' maiden names. Phishing has been credibly estimated to cost US financial institutions in excess of $1 billion a year in direct losses. Indirect losses are much higher, including customer service expenses, account replacement costs, and higher expenses due to decreased use of online services in the face of widespread fear about the security of online financial transactions. Phishing also causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity.
Both the frequency of phishing attacks and their sophistication are increasing dramatically. Phishing often spans multiple countries and is commonly perpetrated by organized crime. While legal remedies can and should be pursued by affected institutions, technical measures to prevent phishing are an integral component of any long-term solution. The remainder of this answer describes DNS-based phishing.
DNS-based phishing is used here to refer generally to any form of phishing that interferes with the integrity of the lookup process for a domain name. This includes hosts file poisoning, even though the hosts file is not properly part of the Domain Name System; hosts file poisoning is usually classed with malware attacks, since it involves changing a file on the user's computer. Another form of DNS-based phishing involves polluting the user's DNS cache with incorrect information that will then be used to direct the user to an incorrect location.
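Worked example (added here; not part of the original answer). Because the hosts file is consulted before DNS, a single injected line redirects a domain without touching any name server, which is what makes hosts file poisoning effective. The audit below reads a hosts file and flags entries that override public domains, point outside the machine's local address ranges, or conflict with an earlier mapping. The file contents, the watched-domain list, the local ranges and the 203.0.113.0/24 address (an RFC 5737 documentation range) are all constructed for the example.

```python
# Added example: audit a hosts file for poisoning. All inputs are constructed.
import ipaddress

# Ranges a hosts file on an end-user machine may legitimately point to: loopback,
# link-local and private networks (an assumption for this example; adjust per site).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fe80::/10", "fc00::/7",
)]

# Public domains a user's hosts file should never override (constructed list).
WATCHED_DOMAINS = ["examplebank.com", "login.example.net"]

SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
10.1.2.3        intranet.corp.example wiki.corp.example
# the next line is the kind of entry a phishing trojan would add
203.0.113.10    www.examplebank.com examplebank.com
"""


def parse_hosts(text: str):
    """Yield (line_number, address, hostname) for every mapping in the file;
    address is None when the first field is not a valid IP address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, " ".join(fields)
            continue
        for host in fields[1:]:
            yield lineno, addr, host.lower()


def is_watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> list:
    """Return findings as (line_number, hostname, address, reason) tuples."""
    findings = []
    seen = {}   # (hostname, ip version) -> first address seen
    for lineno, addr, host in parse_hosts(text):
        if addr is None:
            findings.append((lineno, host, None, "unparseable entry"))
            continue
        if is_watched(host):
            findings.append((lineno, host, str(addr), "overrides watched public domain"))
        if not any(addr in net for net in LOCAL_NETWORKS):
            findings.append((lineno, host, str(addr), "maps to non-local address"))
        key = (host, addr.version)
        if key in seen and seen[key] != addr:
            findings.append((lineno, host, str(addr), "conflicts with earlier mapping"))
        seen.setdefault(key, addr)
    return findings
```

The check is deliberately conservative: an intranet name pointing at a private address is normal and is not reported, while a bank's domain appearing in the file at all is reported even before its address is examined. Run against the real file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows), it is a cheap complement to the malware scanners the answer mentions.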
Q7: Write short notes on Firewall and their design principles.
Ans Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet. This answer gives an overview of the functionality and design principles of firewalls. A related issue is the security of the firewall itself and, in particular, the concept of a trusted system, or secure operating system.
Firewall Design Principles
Information systems in corporations, government agencies, and other organizations have undergone a steady evolution:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each other and to the mainframe
• Premises network, consisting of a number of LANs interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
Q8: What are the different classes of hackers? Discuss them in detail.
CLASSES OF HACKERS:
Blackhat Hackers
Hackers with malicious intent. These hackers use different methods to tap into a network or computer for the sole purpose of destroying or stealing.
Whitehat Hackers These hackers look for security flaws in a network or computer, for research or testing reasons. The intent of these hackers is NOT malicious.
TYPES OF HACKERS
Script Hackers
A script hacker uses existing, well-known and easy-to-find techniques and scripts to search for and exploit weaknesses in other computers on the Internet.
An example would be a script hacker creating a program (script), or using an existing one, to send a simple request to a server. This request is not the problem in itself, because it is the same request a normal Internet user would send to call up a website from a server. The problem occurs when the hacker sends an overwhelming number of requests to the same server (for example to a CGI script) in an attempt to crash it. This particular example is called "denial of service": the server gets overwhelmed and will not accept any more requests.
Code Hackers
These hackers are usually programmers or individuals who have a deep understanding of computer programming. Code hackers create programs that exploit holes in a network or computer. Although not all code hackers are malicious, some write code for the single purpose of destroying a computer and/or network; such hackers create what is referred to as "malicious code".
Admin Hackers
Admin or administrative hackers are very familiar with networking and are commonly network administrators. These hackers use tools to record and collect information such as passwords or user names, but they do not have the kind of programming knowledge the code hacker has. Admin hackers are most commonly inside attackers, because they may already have access from inside the network.