Chapter-1 : Computer Security – Gscheme -- 2017

Chapter-1

INTRODUCTION TO COMPUTER SECURITY

AND SECURITY TRENDS
Syllabus --- 22 Marks ---- 10 Hours
Objectives:
 To understand CIA model.
 To identify the risks and threats.
 To understand security attacks.
Contents :
1.1. Definition of Computer Security, Need for security, Security basics:
Confidentiality, Integrity, Availability, Accountability, Non-repudiation. Example
of Security, Challenges for security, Model for Security.
1.2. Risk and Threat Analysis: Assets, Vulnerability, Threats, Risks, Counter
measures.
1.3. Threat to Security: Viruses and Worms, Intruders, Insiders , Criminal
organizations, Terrorists, Information warfare Avenues of attack, steps in attack
1.4. Security attacks: Active and Passive attacks, Denial of service, backdoors and
trapdoors, sniffing, spoofing, man in the middle, replay, TCP/IP Hacking,
encryption attacks.
1.5. Malware : Viruses, Logic bombs

Q.What is computer security means?

Ans. Computer security is a branch of computer technology known as information
security as applied to computers and networks. The objective of computer security
includes protection of information and property from theft, corruption, or natural
disaster, while allowing the information and property to remain accessible and
productive to its intended users. The term computer system security means the
collective processes and mechanisms by which sensitive and valuable information and
services are protected from publication, tampering or collapse by unauthorized activities
or untrustworthy individuals and unplanned events respectively. The strategies and
methodologies of computer security often differ from most other computer technologies
because of its somewhat elusive objective of preventing unwanted computer behavior
instead of enabling wanted computer behavior.

Q.What is Data Security?

Ans. Data security is the means of ensuring that data is kept safe from corruption and
that access to it is suitably controlled. Thus data security helps to ensure privacy. It also
helps in protecting personal data.
Data Security Technologies
 Disk Encryption
 Hardware based Mechanisms for Protecting Data
 Backups
 Data Masking
 Data Erasure

1
Chapter-1 : Computer Security – Gscheme -- 2017
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction.
The terms information security, computer security and information assurance are
frequently incorrectly used interchangeably. These fields are interrelated often and share
the common goals of protecting the confidentiality, integrity and availability of
information; however, there are some subtle differences between them.
These differences lie primarily in the approach to the subject, the methodologies used,
and the areas of concentration. Information security is concerned with the
confidentiality, integrity and availability of data regardless of the form the data may
take: electronic, print, or other forms.
Computer security can focus on ensuring the availability and correct operation of
a computer system without concern for the information stored or processed by the
computer.
Governments, military, corporations, financial institutions, hospitals, and private
businesses amass a great deal of confidential information about their employees,
customers, products, research, and financial status. Most of this information is now
collected, processed and stored on electronic computers and transmitted across
networks to other computers.
Should confidential information about a business' customers or finances or new
product line fall into the hands of a competitor, such a breach of security could lead to
lost business, law suits or even bankruptcy of the business. Protecting confidential
information is a business requirement, and in many cases also an ethical and legal
requirement.
For the individual, information security has a significant effect on privacy, which
is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent
years. As a career choice there are many ways of gaining entry into the field. It offers
many areas for specialization including: securing network(s) and allied infrastructure,
securing applications and databases, security testing, information systems auditing,
business continuity planning and digital forensics science, to name a few, which are
carried out by Information Security Consultants

Q.What is Network Security ?

In the field of networking, the specialist area of network security consists of the
provisions made in an underlying computer network infrastructure, policies adopted by
the network administrator to protect the network and the network-accessible resources
from unauthorized access, and consistent and continuous monitoring and measurement
of its effectiveness (or lack) combined together.

Network security concepts

Network security starts from authenticating the user, commonly with a username
and a password. Since this requires just one thing besides the user name, i.e. the
password which is something you 'know', this is sometimes termed one factor
authentication. With two factor authentication something you 'have' is also used (e.g. a
security token or 'dongle', an ATM card, or your mobile phone), or with three factor
authentication something you 'are' is also used (e.g. a fingerprint or retinal scan).

2
Chapter-1 : Computer Security – Gscheme -- 2017
Once authenticated, a firewall enforces access policies such as what services are
allowed to be accessed by the network users. Though effective to prevent unauthorized
access, this component may fail to check potentially harmful content such as computer
worms or Trojans being transmitted over the network. Anti-virus software or an
intrusion prevention system (IPS) help detect and inhibit the action of such malware. An
anomaly-based intrusion detection system may also monitor the network and traffic for
unexpected (i.e. suspicious) content or behavior and other anomalies to protect
resources, e.g. from denial of service attacks or an employee accessing files at strange
times. Individual events occurring on the network may be logged for audit purposes and
for later high level analysis.

Communication between two hosts using a network could be encrypted to

maintain privacy.

Honeypots, essentially decoy network-accessible resources, could be deployed in a

network as surveillance and early-warning tools. Techniques used by the attackers that
attempt to compromise these decoy resources are studied during and after an attack to
keep an eye on new exploitation techniques. Such analysis could be used to further
tighten security of the actual network being protected by the honeypot.

Q.What Does "Secure" Mean?

Ans.How do we protect our most valuable assets? One option is to place them in a safe
place, like a bank. We seldom hear of a bank robbery these days, even though it was
once a fairly lucrative undertaking. Communications and transportation were primitive
enough that it might have been hours before the legal authorities were informed of a
robbery and days before they could actually arrive at the scene of the crime, by which
time the robbers were long gone. To control the situation, a single guard for the night
was only marginally effective.
Should you have wanted to commit a robbery, you might have needed only a little
common sense and perhaps several days to analyze the situation; you certainly did not
require much sophisticated training. Indeed, you usually learned on the job, assisting
other robbers in a form of apprenticeship. On balance, all these factors tipped very
much in the favor of the criminal, so bank robbery was, for a time, considered to be a
profitable business. Protecting assets was difficult and not always effective.
Today, however, asset protection is easier, with many factors working against the
potential criminal. Very sophisticated alarm and camera systems silently protect secure
places like banks whether people are around or not. The techniques of criminal
investigation have become so effective that a person can be identified by genetic material
(DNA), fingerprints, retinal patterns, voice, a composite sketch, ballistics evidence, or
other hard-to-mask characteristics.
The assets are stored in a safer form. For instance, many bank branches now
contain less cash than some large retail stores because much of a bank's business is
conducted with checks, electronic transfers, credit cards, or debit cards. Sites that must
store large amounts of cash or currency are protected with many levels of security:
several layers of physical systems, complex locks, multiple-party systems requiring the
agreement of several people to allow access, and other schemes.
Significant improvements in transportation and communication mean that police
can be at the scene of a crime in minutes; dispatchers can alert other officers in seconds
3
Chapter-1 : Computer Security – Gscheme -- 2017
about the suspects to watch for. From the criminal's point of view, the risk and required
sophistication are so high that there are usually easier ways than bank robbery to make
money.

Q.Describe the term Interception , Interruption , Modification and Fabrication

related to threats
Ans.

 An interception means that some unauthorized party has gained access to an

asset. The outside party can be a person, a program, or a computing system.
Examples of this type of failure are illicit copying of program or data files, or
wiretapping to obtain data in a network. Although a loss may be discovered fairly
quickly, a silent interceptor may leave no traces by which the interception can be
readily detected.
 In an interruption, an asset of the system becomes lost, unavailable, or
unusable. An example is malicious destruction of a hardware device, erasure of a
program or data file, or malfunction of an operating system file manager so that it
cannot find a particular disk file.

 If an unauthorized party not only accesses but tampers with an asset, the threat
is a modification. For example, someone might change the values in a database,
alter a program so that it performs an additional computation, or modify data
being transmitted electronically. It is even possible to modify hardware. Some
cases of modification can be detected with simple measures, but other, more
subtle, changes may be almost impossible to detect.
 Finally, an unauthorized party might create a fabrication of counterfeit objects on
a computing system. The intruder may insert spurious transactions to a network
communication system or add records to an existing database. Sometimes these

4
Chapter-1 : Computer Security – Gscheme -- 2017
additions can be detected as forgeries, but if skillfully done, they are virtually
indistinguishable from the real thing.

These four classes of threats interception, interruption, modification, and fabrication

describe the kinds of problems we might encounter.

Q.Describe the term Confidentiality, Integrity, availability related to Security

Ans.
Security Goals
We use the term "security" in many ways in our daily lives. A "security system"
protects our house, warning the neighbors or the police if an unauthorized intruder tries
to get in. "Financial security" involves a set of investments that are adequately funded;
we hope the investments will grow in value over time so that we have enough money to
survive later in life. And we speak of children's "physical security," hoping they are safe
from potential harm. Just as each of these terms has a very specific meaning in the
context of its use, so too does the phrase "computer security."
When we talk about computer security, we mean that we are addressing three
important aspects of any computer-related system: confidentiality, integrity, and
availability.
 Confidentiality ensures that computer-related assets are accessed only by
authorized parties. That is, only those who should have access to something will
actually get that access. By "access," we mean not only reading but also viewing,
printing, or simply knowing that a particular asset exists. Confidentiality is
sometimes called secrecy or privacy.
 Integrity means that assets can be modified only by authorized parties or only in
authorized ways. In this context, modification includes writing, changing,
changing status, deleting, and creating.
 Availability means that assets are accessible to authorized parties at appropriate
times. In other words, if some person or system has legitimate access to a
particular set of objects, that access should not be prevented. For this reason,
availability is sometimes known by its opposite, denial of service.
Security in computing addresses these three goals. One of the challenges in building
a secure system is finding the right balance among the goals, which often conflict. For
example, it is easy to preserve a particular object's confidentiality in a secure system
simply by preventing everyone from reading that object. However, this system is not
secure, because it does not meet the requirement of availability for proper access. That
is, there must be a balance between confidentiality and availability.

5
Chapter-1 : Computer Security – Gscheme -- 2017

Confidentiality
You may find the notion of confidentiality to be straightforward: Only authorized
people or systems can access protected data. However, as we see in later chapters,
ensuring confidentiality can be difficult. For example, who determines which people or
systems are authorized to access the current system? By "accessing" data, do we mean
that an authorized party can access a single bit? the whole collection? pieces of data out
of context? Can someone who is authorized disclose those data to other parties?
Confidentiality is the security property we understand best because its meaning is
narrower than the other two. We also understand confidentiality well because we can
relate computing examples to those of preserving confidentiality in the real world.

Integrity
Integrity means different things in different contexts. When we survey the way some
people use the term, we find several different meanings. For example, if we say that we
have preserved the integrity of an item, we may mean that the item is
 precise
 accurate
 unmodified
 modified only in acceptable ways
 modified only by authorized people
 modified only by authorized processes
 consistent
 internally consistent
 meaningful and usable
Integrity can also mean two or more of these properties. Welke and Mayfield recognize
three particular aspects of integrity, authorized actions, separation and protection of
resources, and error detection and correction. Integrity can be enforced in much the
same way as can confidentiality: by rigorous control of who or what can access which
resources in what ways. Some forms of integrity are well represented in the real world,
and those precise representations can be implemented in a computerized environment.
But not all interpretations of integrity are well reflected by computer implementations.
6
Chapter-1 : Computer Security – Gscheme -- 2017

Availability
Availability applies both to data and to services (that is, to information and to
information processing), and it is similarly complex. As with the notion of confidentiality,
different people expect availability to mean different things. For example, an object or
service is thought to be available if
 It is present in a usable form.
 It has capacity enough to meet the service's needs.
 It is making clear progress, and, if in wait mode, it has a bounded waiting time.
 The service is completed in an acceptable period of time.
We can construct an overall description of availability by combining these goals. We say
a data item, service, or system is available if
 There is a timely response to our request.
 Resources are allocated fairly so that some requesters are not favored over others.
 The service or system involved follows a philosophy of fault tolerance, whereby
hardware or software faults lead to graceful cessation of service or to work-
arounds rather than to crashes and abrupt loss of information.
 The service or system can be used easily and in the way it was intended to be
used.
 Concurrency is controlled; that is, simultaneous access, deadlock management,
and exclusive access are supported as required.
Because of the increased use of networks, two additional security goals have been added
to the original three in the CIA of security those are
1.Authentication : It deals with the desire to ensure that an individual is who they
claim to be. The need for this in an online transaction is obvious.
2.Non-repudiation : which deals with the ability to verify that a message has been sent
and received and that the sender can be identified and verified. The requirement for this
capability in online transactions should also be readily apparent.

Q.Write Short Note on Non-repudiation

Non-repudiation refers to a state of affairs where the purported maker of a statement
will not be able to successfully challenge the validity of the statement or contract. The term
is often seen in a legal setting wherein the authenticity of a signature is being challenged.
In such an instance, the authenticity is being "repudiated".
Regarding digital security, the cryptological meaning and application of non-repudiation
shifts to mean:
 A service that provides proof of the integrity and origin of data.
 An authentication that can be asserted to be genuine with high assurance.
Proof of data integrity is typically the easiest of these requirements to accomplish.
A data hash, such as SHA2, is usually sufficient to establish that the likelihood of data
being undetectably changed is extremely low. Even with this safeguard, it is still possible
to tamper with data in transit, either through a man-in-the-middle attack or phishing.
Due to this flaw, data integrity is best asserted when the recipient already possesses the
necessary verification information.
The most common method of asserting the digital origin of data is through digital
certificates, a form of public key infrastructure, to which digital signatures belong. Note
that the public key scheme is not used for encryption in this form, confidentiality is not
achieved by signing a message with a private key (since anyone can obtain the public

7
Chapter-1 : Computer Security – Gscheme -- 2017
key to reverse the signature). Verifying the digital origin means that the certified/signed
data can be, with reasonable certainty, trusted to be from somebody who possesses the
private key corresponding to the signing certificate. If the key is not properly
safeguarded by the original owner, digital forgery can become a major concern.
Nonrepudiation can be obtained through the use of:
 digital signatures-- function as a unique identifier for an individual, much like a
written signature.
 confirmation services -- the message transfer agent can create digital receipts to
indicated that messages were sent and/or received.
 timestamps -- timestamps contain the date and time a document was composed and
proves that a document existed at a certain time.

Q.Write Short Note on Authentication

Q.State need of Security
Q.Describe Examples of Security and Challenges

Q.Describe Operational Model of Security

Ans. For many years, the focus of security was on prevention. If we could prevent
somebody from gaining access to our computer systems and networks, then we
assumed that we had obtained security. Protection was thus equated with prevention.
While the basic premise of this is true, it fails to acknowledge the realities of the
networked environment our systems are part of. No matter how well we seem to do in
prevention technology, somebody always seems to find a way around our safeguards.
When this happens, our system is left unprotected. What is needed is multiple
prevention techniques and also technology to alert us when prevention has failed and to
provide ways to address the problem. This results in a modification to our original
security equation with the addition of two new elements—detection and response. Our
security equation thus becomes:

Protection = Prevention + (Detection + Response)

Protection = Prevention ( Detection + Response)

Access Control Audit Logs Backups
Firewall Intrusion Detection Incident Response
System Team
Encryption Honey Pots Computer Forensic

This is known as the operational model of computer security, Every security technique
and technology falls into at least one of the three elements of the equation. Examples of
the types of technology and techniques that represent each are depicted in Figure.

Q.Write short note on Security Principles

Ans. There are three ways an organization can choose to address the protection of its
networks:
1) Ignore security issues,
2) Provide host security, and
8
Chapter-1 : Computer Security – Gscheme -- 2017
3) Approach security at a network level.
The last two, host and network security, have prevention as well as detection and
response components.
If an organization decides to ignore security, it has chosen to utilize the minimal
amount of security that is provided with its workstations, servers, and devices. No
additional security measures will be implemented. Each ―out of the box‖ system has
certain security settings that can be configured, and they should be. To actually protect
an entire network however, requires work in addition to the few protection mechanisms
that come with systems by default.

Host security
Host security takes a granular view of security by focusing on protecting each computer
and device individually instead addressing protection of the network as a whole. When
host security is used, each computer is relied upon to protect itself an organization
decides to implement only host security and does not include network security, there is
a high probability of introducing or overlooking vulnerabilities. Most environments are
filled with different operating systems (Windows, UNIX. Linux, Macintosh), different
versions of those operating systems, and different types of installed applications.
Each operating system has security configurations that differ from other systems,
and different versions of the same operating system may in fact have variations between
them. Ensuring that every computer is ‗locked down‖ to the same degree as every other
system in the environment can be overwhelming and often results in an unsuccessful
and frustrating effort.

Least Privilege
One of the most fundamental approaches to security is least privilege. This concept is
applicable to many physical environments as well as network and host security. Least
privilege means that a subject (which may be a user, application, or process) should
have only the necessary rights and privileges to perform its task with no additional
permissions. Limiting an object‘s privileges limits the amount of harm that can be
caused, thus limiting an organization‘s exposure to damage. Users may have access to
the files on their workstations and a select set of files on a file server, but no access to
critical data that is held within the database. This rule helps an organization protect its
most sensitive resources and helps ensure that whoever is interacting with these
resources has a valid reason to do so.

Different operating systems and applications have different ways of implementing

rights, permissions, and privileges. Before they are actually configured, an overall plan
should be devised and standardized methods developed to ensure that a solid security
baseline is actually implemented. For example, a company may want all of the
Accounting employees, but no one else, to be able to access employee payroll and profit
margin spreadsheets held on a server. The easiest way to implement this is to develop
an Accounting group, put all Accounting employees in this group, and assign rights to
the group instead of each individual person.
As another example, there maybe a requirement to implement a hierarchy of
administrators that perform different functions and require specific types of rights. Two
people may be tasked with performing backups of individual workstations and servers;
thus they do not need administrative permissions with full access to all resources. Three
people may be in charge of setting up new user accounts and password management,
9
Chapter-1 : Computer Security – Gscheme -- 2017
which means they do not need full, or perhaps any, access to the company‘s routers and
switches. Once these lines are delineated, indicating what subjects require which rights
and permissions, then it is much easier to configure settings to provide the least
privileges for different subjects.
The concept of least privilege applies to more network security issues than just
providing users with specific rights and permissions. When trust relationships are
created, they should not be implemented in such a way that everyone trusts each other
simply because it is easier. One domain should trust another for very specific reasons
and the implementers should have a full understanding of what the trust relationship
allows between two domains. If one domain trusts another, do all of the users
automatically become trusted, and can they thus easily access any and all resources on
the other domain? Is this a good idea? Is there a more secure way of providing the same
functionality? If a trusted relationship is implemented such that users in one group can
access a plotter or printer that is available on only one domain, it might make sense to
simply purchase another plotter so that other, more valuable or sensitive, resources are
not accessible by the entire group.
Another issue that falls under the least privilege concept is the security context in
which an application runs. All applications, scripts and batch files run in the security
context of a specific user on an operating system. They will execute with specific
permissions as if they were a user. The application may be Microsoft Word and run in
the space of a regular user, or it maybe a diagnostic program that needs access to more
sensitive system files and so must run under an administrative user account, or it may
be a program that performs backups and so should operate within the security context
of a backup operator. The crux of this issue is that programs should execute only in the
security context that is needed for that program to perform its duties successfully. In
many environments, people do not really understand how to make programs run under
different security contexts or it just seems easier to have them all run under the
administrator account. If attackers can compromise a program or service running under
the administrative account, they have effectively elevated their access level and have
much more control over the system and many more possibilities to cause damage.

Layered Security
A bank does not just protect the money that it stores only by using a vault. It has one or
more security guards as a first defense to watch for suspicious activities and to secure
the facility when the bank is closed. It may have monitoring systems that watch various
activities that take place in the bank, whether involving customers or employees. The
vault is usually located in the center of the facility, and thus there are layers of rooms or
walls before arriving at the vault. There is access control, which ensures that the people
entering the vault have to be given the authorization beforehand the systems, including
manual switches, are connected directly to the police station in case determined bank
robber successfully penetrates any one of these layers of protection.

Networks should utilize the same type of layered security architecture. There is no
100 percent secure system, and there is nothing that is foolproof, so a single specific
protection mechanism should never be solely relied upon. Every piece of software and
every device can be compromised in some way, and every encryption algorithm can be
broken, given enough time and resources. The goal of security is to make the effort of
actually accomplishing a compromise more costly in time and effort than it is worth to a
potential attacker.
10
Chapter-1 : Computer Security – Gscheme -- 2017
As an example, consider the steps an intruder might have to take to access critical
data held within a company‘s back-end database. The intruder will first need to
penetrate the firewall and use packets and methods that will not be identified and
detected by the intrusion detection system (more on these devices can be found in
Chapter 8). The attacker will then have to circumvent an internal router performing
packet filtering and possibly penetrate another firewall that is used to separate one
internal network from another. From here, the intruder must break the access controls
that are on the database, which means having to do a dictionary or brute-force attack to
be able to authenticate to the database software. Once the intruder has gotten this far,
the data still needs to be located within the database. This may in turn be complicated
by the use of access control lists outlining who can actually view or modify the data.
That is a lot of work.
This example illustrates the different layers of security many environments
employ. It is important to implement several different layers because if intruders
succeed at one layer, you want to be able to stop them at the next. The redundancy of
different protection layers ensures that there is no one single point of failure pertaining
to security. If a net- work used only a firewall to protect its assets, an attacker
successfully able to penetrate this device would find the rest of the network open and
vulnerable.
It is important that every environment have multiple layers of security. These
layers may employ a variety of methods such as routers, firewalls, network segments,
IDSs, encryption, authentication software, physical security, and traffic control. The
layers need to work together in a coordinated manner so that one does not impede
another‘s functionality and introduce a security hole. Security at each layer can be very
complex and putting different layers together can increase the complexity exponentially.
Although having layers of protection in place is very important, it is also important to
understand how these different layers interact either by working together or in some
cases by working against each other.
One case of how different security methods can work against each other is
exemplified when firewalls encounter encrypted network traffic. An organization may
utilize encryption so that an outside customer communicating with a specific web server
is assured that sensitive data being exchanged is protected. If this encrypted data is
encapsulated within Secure Sockets layer (SSL) packets and then is sent through a
firewall, the firewall will not be able to read the payload information in the individual
packets. This may enable the customer, or an outside attacker, to send malicious code
or instructions through the SSL connection undetected. There are other mechanisms
that can be introduced in these situations, such as designing web pages to accept
information only in certain formats and having the web server parse through the data
for malicious activity. The important piece is to understand the level of protection that
each layer provides and how each level of protection can be affected by things that take
place in other layers.
The layers usually are depicted starting at the top with more general types of
protection, and progressing downward through each layer, with increasing granularity at
each layer as you get closer to the actual resource, as you can see in Figure 2-2. This is
because the top-layer protection mechanism is responsible for looking at an enormous
amount of traffic and it would be overwhelming and cause too much of a performance
degradation

11
Chapter-1 : Computer Security – Gscheme -- 2017

if each aspect of the packet were inspected. Instead, each layer usually digs deeper into
the packet and looks for specific items. Layers that are closer to the resource have to
deal with only a fraction of the traffic that the top-layer security mechanism does, and
thus it will not cause much of a performance hit to look deeper and at more granular
aspects of the traffic.

Q.List and Describe the security goals

Ans. A "security system" protects our house, warning the neighbors or the police if an
unauthorized intruder tries to get in. "Financial security" involves a set of investments
that are adequately funded; we hope the investments will grow in value over time so that
we have enough money to survive later in life. And we speak of children's "physical
security," hoping they are safe from potential harm. Just as each of these terms has a
very specific meaning in the context of its use, so too does the phrase "computer
security."
When we talk about computer security, we mean that we are addressing three
important aspects of any computer-related system: confidentiality, integrity, and
availability.
 Confidentiality ensures that computer-related assets are accessed only by
authorized parties. That is, only those who should have access to something will
actually get that access. By "access," we mean not only reading but also viewing,
printing, or simply knowing that a particular asset exists. Confidentiality is
sometimes called secrecy or privacy.
 Integrity means that assets can be modified only by authorized parties or only in
authorized ways. In this context, modification includes writing, changing,
changing status, deleting, and creating.
 Availability means that assets are accessible to authorized parties at appropriate
times. In other words, if some person or system has legitimate access to a
particular set of objects, that access should not be prevented. For this reason,
availability is sometimes known by its opposite, denial of service.

12
Chapter-1 : Computer Security – Gscheme -- 2017
Security in computing addresses these three goals. One of the challenges in building a
secure system is finding the right balance among the goals, which often conflict. For
example, it is easy to preserve a particular object's confidentiality in a secure system
simply by preventing everyone from reading that object. However, this system is not
secure, because it does not meet the requirement of availability for proper access. That
is, there must be a balance between confidentiality and availability.

Q.Describe Assets, Vulnerability, Threat, Risk, counter Measures

A security risk analysis is a procedure for estimating the risk to computer related
assets and loss because of manifested threats. The procedure first determines an asset's
level of vulnerability by identifying and evaluating the effect of in-place
countermeasures. An asset's level of vulnerability to the threat population is determined
solely by countermeasures [controls/safeguards] that are in-place at the time the risk
analysis is done.
Next, detailed information about the asset is used to determine the significance of
the asset's vulnerabilities. This includes how the asset is (or will be) used, data
sensitivity levels, mission criticality, inter-connectivity, etc. Finally, the negative impact
[expected loss] to the asset is estimated by examining various combinations of threats
and vulnerability areas.
Risk Analysis Terminology
Asset - Anything with value and in
need of protection.
Threat - An action or potential
action with the propensity to cause
damage.
Vulnerability - A condition of
weakness. If there were no
vulnerabilities, there would be no
concern for threat activity.
Countermeasure - Any device or
action with the ability to reduce
vulnerability.
Expected Loss - The anticipated
negative impact to assets due to
threat manifestation.
Impact - Losses as a result of threat
activity are normally expressed in
one or more impact areas. Four areas
are commonly used; Destruction,
Denial of Service, Disclosure, and
Modification.

Detailed Description
13
Chapter-1 : Computer Security – Gscheme -- 2017
System
System is a cluster of software modules and/or hardware components together with
sets of operational and business procedures. Systems are the target of the threat
analysis process. Each system is characterized by its specific goals, functionality,
architecture, configuration and users.
System's Maximal Risk is a calculated value that expresses the maximal financial
damage that may be caused to the system's assets due to the identified threats. It
reflects the potential risks of all threats to the system's assets and is displayed in $
value as well as in percents of the total system assets.

System's Minimal Risk is a calculated value that expresses the financial damage that
may be caused to the system's assets and the remaining risks of all threats after full
implementation of all mitigation plans. It is displayed in $ value as well as in percents of
the total system assets. AKA Residual Risk - "The risk left over after all proposed
countermeasures, safeguards and mitigation strategies have been implemented"

System's Current Risk is a calculated value that expresses the financial damage that
may be caused to the system's assets according to current implementation level of
mitigation plans. It is displayed in $ value as well as in percents of the total system
assets.

System's Total Value of Assets is the calculated total value of all the system assets.

System's Countermeasures Implementation Cost is the calculated cost of implementing

all countermeasures in all mitigation plans.

System's Current Investment in Implementation is the cost of countermeasures already

applied to the system.

Asset
Asset is information, capability, an advantage, a feature, a financial or a technical
resource that may be damaged, lost or disrupted. Assets may be digital (software
sources), physical (a server machine) or commercial (the corporate brand). Damage to an
asset may affect the normal function of the system as well as that of individuals and/or
organizations involved with the system.

Assest‘s Fixed Value is the estimated one-time expense (in $) associated with the loss of
the asset. For example: financial losses caused by blocking the company's e-commerce
operation for 7 days etc.

Asset's Fixed Value Period is the number of years over which the asset's fixed value lasts
(for economical and accounting considerations).

Asset's Recurring Value is the estimated recurring value (in $) of losses that may be
caused when the asset is damaged. For example: recurring expense due to the non-
availability of a software service.

14
Chapter-1 : Computer Security – Gscheme -- 2017
Asset's Weighted Value is the calculated financial value of the loss when asset is totally
damaged, destroyed or stolen. The value is displayed in 'annual $' and expresses the
weighted average of the asset's fixed and recurring values.

Asset's Relative Value is the calculated percentage of the specific asset's value from the
total value of all system assets.

Asset's Maximal Risk is the calculated maximal risk (in percents of the asset's value)
that threatens the asset. The calculation is based on the parameters of all threats that
might damage the asset.

Asset's Minimal Risk is the calculated risk that threatens the asset after all mitigation
plans are implemented. It reflects the actual lowest value of risk that can be achieved
after the full implementation of all mitigation plans of the threats that threaten the
asset.

Asset's Current Risk is the calculated risk that threatens the asset according to current
implementation level of mitigation plans.

Vulnerability
Vulnerability is a weakness, limitation or a defect in one or more of the system's
elements that can be exploited to disrupt the normal function of the system.
Vulnerabilities may be in specific modules of the system, its layout, its users and
operators, and/or in its associated regulations, operational and business procedures.

Threat
Threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities
and may cause damage to one or more of the system's assets.

Threat's Probability is the likelihood that the threat scenario will materialize. PTA defines
the threat's probability as the "expected number of threat incidents per year". In some
documentation the threat's probability is termed as the "Annual Rate of Occurrence"
(ARO).

Threat's Damage Level to Asset is the financial value of damage caused by one incident
of a specific threat to a specific asset, expressed in percents of the asset's value - if level
is 100% the damage to the asset is maximal.

Threat's Damage is the total damage (in percents of the total value of all assets) that the
specific threat may cause to the system. The calculation is based on the damage caused
to each of the threatened assets.
Threat's Maximal Risk is a calculated value that expresses the maximal potential
financial damage to system assets due to the specific threat. It is displayed in $ value as
well as in percents of the total system assets. In some documentation the threat's risk is
termed "Annual Loss Expectancy" (ALE).

Threat's Minimal Risk is a calculated value that expresses the potential financial
damage to system assets after all countermeasures relevant to the specific threat are
implemented. It is displayed in $ value as well as in percents of the total system's assets.
15
Chapter-1 : Computer Security – Gscheme -- 2017

Threat's Current Risk is a calculated value that expresses the potential financial damage
to system assets according to current implementation level of the threat's mitigation
plan. It is displayed in $ value as well as in percents of the total system's assets.

Threat's Recommended Countermeasures is a set of all possible countermeasures that

mitigate the threat's vulnerabilities and reduce the threat's risk.

Threat's Mitigation Plan is a subset of recommended countermeasures that is assumed

to be the most effective for mitigating a specific threat. The analyst uses his/her
expertise to decide which of the recommended countermeasures are most effective when
applied together and will be included in the Threat's Mitigation Plan. A threat mitigation
plan is said to be implemented only if all of its countermeasures are implemented.

Threat's Maximal Mitigation is the maximal mitigation level (as percentage of the specific
threat's risk) that may be achieved by applying all countermeasures in the threat's
mitigation plan.

Threat's Current Mitigation is the portion of mitigation (as percentage of the specific
threat's risk) that is provided by the countermeasures that are currently implemented.

Countermeasure
Countermeasure is a procedure, action or mean of mitigating a specific vulnerability.
One countermeasure may mitigate several different vulnerabilities. In some standards
documentation countermeasures are termed "controls" or "safeguards".

Countermeasure's Fixed Cost is the estimated one-time expense (in $) for implementing
a countermeasure. For example purchase of equipment, enhancing the software, etc.

Countermeasure's Fixed Cost Period is the number of years over which the fixed expense
lasts (for economical and accounting considerations).

Countermeasure's Recurring Cost is the estimated recurring cost (in $) of implementing

a countermeasure. For example: administrator's salary, insurance payment etc.

Countermeasure's Weighted Cost is the calculated weighted average of the

countermeasure's fixed and recurring implementation costs, displayed in "annual $"
units.

Countermeasure's Overall Mitigation is the calculated degree of mitigation provided by a

specific countermeasure to the overall system risk, displayed as percentage of the overall
risk.

Countermeasure's Cost-Effectiveness is the degree of mitigation provided by a specific

countermeasure to the overall system risk relative to the countermeasure's
implementation cost. The value is displayed in "percents of overall mitigation per
$1,000" units.

16
Chapter-1 : Computer Security – Gscheme -- 2017

Q.Explain what are active and Passive Attacks

Main aim of a security system is to detect and prevent such security attacks.
Security attacks have been classified as passive attacks and active attacks.
Passive Attacks:
Passive attacks are kind of a read only attack where attacker is usually interested
in just gathering information without disruption of computer system‘s operations and
service. Passive attack usually involves monitoring and analysis of data transmission to
gain some meaningful information out of it. Passive attacks are made by directly laying
hands on message contents in the form of emails, sensitive files etc. consisting
confidential information.
Another way in which a passive attack is made is by analysis of traffic where raw
data is studied and analyzed to deduce interesting patterns out - of it. For example an
attack by studying the data traffic rate of a victim can deduce at what is the peak time of
data transfer when his operations can be disrupted and will affect most.
Since passive attacks are silent in nature and show no immediate and visible signs of
attack, they are very difficult to detect.

Active Attacks:
Involves alteration of data or disruption of normal working of a system. Active
attacks are usually made by masquerading attackers identity with someone else‘s to
either gain extra privileges or save attackers butt when the attack is detected. IP
masquerading is one widely used technique for active attacks.
Denial Of Service (DOS) attacks are the active attacks which disrupts the services
and operations of a specific target to an extent that the target starts denying any
genuine request for the services. This is done by sending a large number of messages
and overloading the victim.
One famous attack is ‗ping of death‘ (POD)where a system is pinged with packets
of very large size that cannot be replied and thus leading to manual rebooting of the
system for normal operations.
Modification of message involves altering of data packets to change the original
meaning of the same giving a differed effect. Eg. Transfer 1000 Rs. from account A to
account B can be changed to transfer 1000 Rs. from account A to account C.
Active attacks can usually be detected immediately but require very sophisticated,
methods and controls to prevent.

Classification of security and Attacks

17
Chapter-1 : Computer Security – Gscheme -- 2017

Classification of security and Attacks

Classification of Attacks

Q.What is the characteristics of Computer Intrusion

Ans. Any part of a computing system can be the target of a crime. When we refer to a
computing system, we mean a collection of hardware, software, storage media, data,
and people that an organization uses to perform computing tasks. Sometimes, we
assume that parts of a computing system are not valuable to an outsider, but often we
are mistaken. For instance, we tend to think that the most valuable property in a bank
is the cash, gold, or silver in the vault. But in fact the customer information in the
bank's computer may be far more valuable.
Stored on paper, recorded on a storage medium, resident in memory, or
transmitted over telephone lines or satellite links, this information can be used in
myriad ways to make money illicitly. A competing bank can use this information to steal
clients or even to disrupt service and discredit the bank. An unscrupulous individual
could move money from one account to another without the owner's permission. A group
of con artists could contact large depositors and convince them to invest in fraudulent
schemes. The variety of targets and attacks makes computer security very difficult.
Any system is most vulnerable at its weakest point. A robber intent on stealing
something from your house will not attempt to penetrate a two-inch-thick metal door if a
window gives easier access. Similarly, a sophisticated perimeter physical security system
does not compensate for unguarded access by means of a simple telephone line and a
modem. We can codify this idea as one of the principles of computer security.

Principle of Easiest Penetration: An intruder must be expected to use any available

means of penetration. The penetration may not necessarily be by the most obvious
means, nor is it necessarily the one against which the most solid defense has been
installed. And it certainly does not have to be the way we want the attacker to behave.
This principle implies that computer security specialists must consider all
possible means of penetration. Moreover, the penetration analysis must be done
repeatedly, and especially whenever the system and its security change. People
18
Chapter-1 : Computer Security – Gscheme -- 2017
sometimes underestimate the determination or creativity of attackers. Remember that
computer security is a game with rules only for the defending team: The attackers can
(and will) use any means they can. Perhaps the hardest thing for people outside the
security community to do is to think like the attacker. One group of creative security
researchers investigated a wireless security system and reported a vulnerability to the
system's chief designer, who replied "that would work, but no attacker would try it".
Don't believe that for a minute: No attack is out of bounds.
Strengthening one aspect of a system may simply make another means of
penetration more appealing to intruders. For this reason, let us look at the various ways
by which a system can be breached.

Q.Describe the term Threat , Vulnerability , Attack an Control related to computer

security
Ans. Vulnerabilities, Threats, Attacks, and Controls
A computer-based system has
three separate but valuable
components: hardware, software,
and data. Each of these assets
offers value to different members of
the community affected by the
system. To analyze security, we can
brainstorm about the ways in which
the system or its information can
experience some kind of loss or
harm. For example, we can identify
data whose format or contents
should be protected in some way.
We want our security system to
make sure that no data are
disclosed to unauthorized parties. Neither do we want the data to be modified in
illegitimate ways. At the same time, we must ensure that legitimate users have access to
the data. In this way, we can identify weaknesses in the system.

A vulnerability is a weakness in the security system, for example, in procedures,

design, or implementation, that might be exploited to cause loss or harm. For instance,
a particular system may be vulnerable to unauthorized data manipulation because the
system does not verify a user's identity before allowing data access.

A threat to a computing system is a set of circumstances that has the potential to

cause loss or harm. To see the difference between a threat and a vulnerability, consider
the illustration in Figure. Here, a wall is holding water back. The water to the left of the
wall is a threat to the man on the right of the wall: The water could rise, overflowing
onto the man, or it could stay beneath the height of the wall, causing the wall to
collapse. So the threat of harm is the potential for the man to get wet, get hurt, or be
drowned. For now, the wall is intact, so the threat to the man is unrealized.
However, we can see a small crack in the wall a vulnerability that threatens the man's
security. If the water rises to or beyond the level of the crack, it will exploit the
vulnerability and harm the man.

19
Chapter-1 : Computer Security – Gscheme -- 2017
There are many threats to a computer system, including human-initiated and
computer-initiated ones. We have all experienced the results of inadvertent human
errors, hardware design flaws, and software failures. But natural disasters are threats,
too; they can bring a system down when the computer room is flooded or the data center
collapses from an earthquake, for example.
A human who exploits a vulnerability perpetrates an attack on the system. An attack
can also be launched by another system, as when one system sends an overwhelming
set of messages to another, virtually shutting down the second system's ability to
function. Unfortunately, we have seen this type of attack frequently, as denial-of-service
attacks flood servers with more messages than they can handle.
How do we address these problems?
We use a control as a protective measure. That is, a control is an action, device,
procedure, or technique that removes or reduces a vulnerability. In Figure , the man is
placing his finger in the hole, controlling the threat of water leaks until he finds a more
permanent solution to the problem. In general, we can describe the relationship among
threats, controls, and vulnerabilities in this way:
A threat is blocked by control of a vulnerability.

Q.Write short note on computer criminals

Ans For the purposes of studying computer security, we say computer crime is any crime
involving a computer or aided by the use of one. Although this definition is admittedly
broad, it allows us to consider ways to protect ourselves, our businesses, and our
communities against those who use computers maliciously.
To be sure, some computer criminals are mean and sinister types. But many more
wear business suits, have university degrees, and appear to be pillars of their
communities. Some are high school or university students. Others are middle-aged
business executives. Some are mentally deranged, overtly hostile, or extremely
committed to a cause, and they attack computers as a symbol. Others are ordinary
people tempted by personal profit, revenge, challenge, advancement, or job security. No
single profile captures the characteristics of a "typical" computer criminal, and many
who fit the profile are not criminals at all.

Amateurs
Amateurs have committed most of the computer crimes reported to date. Most
embezzlers are not career criminals but rather are normal people who observe a
weakness in a security system that allows them to access cash or other valuables. In the
same sense, most computer criminals are ordinary computer professionals or users
who, while doing their jobs, discover they have access to something valuable.
When no one objects, the amateur may start using the computer at work to write
letters, maintain soccer league team standings, or do accounting. This apparently
innocent time-stealing may expand until the employee is pursuing a business in
accounting, stock portfolio management, or desktop publishing on the side, using the
employer's computing facilities. Alternatively, amateurs may become disgruntled over
some negative work situation (such as a reprimand or denial of promotion) and vow to
"get even" with management by wreaking havoc on a computing installation.

Crackers or Malicious Hackers

System crackers, often high school or university students, attempt to access
computing facilities for which they have not been authorized. Cracking a computer's
20
Chapter-1 : Computer Security – Gscheme -- 2017
defenses is seen as the ultimate victimless crime. The perception is that nobody is hurt
or even endangered by a little stolen machine time. Crackers enjoy the simple challenge
of trying to log in, just to see whether it can be done. Most crackers can do their harm
without confronting anybody, not even making a sound. In the absence of explicit
warnings not to trespass in a system, crackers infer that access is permitted. An
underground network of hackers helps pass along secrets of success; as with a jigsaw
puzzle, a few isolated pieces joined together may produce a large effect. Others attack for
curiosity, personal gain, or self-satisfaction. And still others enjoy causing chaos, loss,
or harm. There is no common profile or motivation for these attackers.
The security community distinguishes between a "hacker," someone who
(nonmaliciously) programs, manages, or uses computing systems, and a "cracker,"
someone who attempts to access computing systems for malicious purposes. Crackers
are the "evildoers." Now, hacker has come to be used outside security to mean both
benign and malicious users.

Career Criminals
By contrast, the career computer criminal understands the targets of computer
crime. Criminals seldom change fields from arson, murder, or auto theft to computing;
more often, criminals begin as computer professionals who engage in computer crime,
finding the prospects and payoff good. There is some evidence that organized crime and
international groups are engaging in computer crime. Recently, electronic spies and
information brokers have begun to recognize that trading in companies' or individuals'
secrets can be lucrative.

Terrorists
The link between computers and terrorism is quite evident. We see terrorists using
computers in three ways:
 targets of attack: denial-of-service attacks and web site defacements are popular
for any political organization because they attract attention to the cause and bring
undesired negative attention to the target of the attack.
 propaganda vehicles: web sites, web logs, and e-mail lists are effective, fast, and
inexpensive ways to get a message to many people.
 methods of attack: to launch offensive attacks requires use of computers.
We cannot accurately measure the amount of computer-based terrorism because our
definitions and measurement tools are rather weak. Still, there is evidence that all three
of these activities are increasing.

Threat to Security
Q. what are virus and Worms
Ans. Viruses and Worms
While your organization may be exposed to viruses and worms as a result of your
employees not following certain practices or procedures, generally you will not have to
worry about your employees writing or releasing viruses and worms, It is important to
draw a distinction between the writers of malware and those who release them. Debates
over the ethics of writing viruses permeate the industry, but currently simply writing
them is not considered a criminal activity. Like a baseball bat, it is not the bat that is
evil. it is the inappropriate use of the bat (such as to smash a car‘s window) that falls
into the category of criminal activity. (Some may argue that this is not a very good

21
Chapter-1 : Computer Security – Gscheme -- 2017
analogy since baseball bat has a useful purpose—to play ball-—but viruses have no
useful purpose. In general, this is true but in some limited environments, such as in
specialized computer science courses, the study and creation of viruses can be
considered a useful learning experience.) By far, viruses and worms will be the most
common problem that an organization fares since there are literally thousands of them
that have been created. Fortunately, antivirus software and procedures can eliminate
the largest portion of this threat. Viruses and worms are also generally non-
discriminating threats that are released on the Internet in a general fashion and aren‘t
targeted at a specific organization. They are also typically highly visible once released, so
they aren‘t the best tool to use in highly structured attacks where secrecy is vital. This is
not to say that the technology used in virus and worm propagation won‘t be used by
highly organized criminal groups, but their use for what these individuals are normally
interested in accomplishing is limited. The same cannot be said for terrorist
organizations that generally want to create a large impact and have it be highly visible.

Q.Explain the term Intruder

Ans. The act of deliberately accessing computer systems and networks without
authorization is generally referred to as hacking. The term also applies to the act of
exceeding ones authority in a system. This would include authorized users who attempt
to gain access to files or obtain permissions that they have not been granted. While the
act of breaking into computer systems and networks has been glorified in the media and
movies, the physical act does not live up to the Hollywood hype.
Intruders are, if nothing else, extremely patient since the process to gain access to
a system takes persistence and dogged determination.
The first attack may fail, so the intruders will need to try another angle, they will
need to search for another possible vulnerability that may not have been patched.
This second attempt may also be blocked so a third will be tired, and so until
either a new target is selected or the attackers eventually find a hole left unpatched.
Generally, attacks by an individual or even small group of attackers fall into the
unstructured threat category. Attacks at this level are generally conducted over short
periods of time (lasting at most a few months), do not involve a large number of
individuals, have little financial backing, and are accomplished by insiders or outsiders
who do not seek collusion with insiders.
Intruders, or those who are attempting to conduct an intrusion, definitely come in many
different varieties and have varying degrees of sophistication.
At the low end technically are what are generally referred to as script kiddies,
individuals who do not have the technical expertise to develop scripts or discover new
vulnerabilities in software but who have just enough understanding of computer
systems to be able to download and run scripts that others have developed. These
individuals are generally not-as interested in attacking specific targets, but instead
simply want to find any organization that may not have patched a newly discovered
vulnerability for which the script kiddie has located a script to exploit.
It is hard to estimate how many of the individuals performing activities, such as
probing networks or scanning individual systems are part of this group, but it is
undoubtedly the fastest growing group and at least 85 to 90 percent of the ―unfriendly‖
activity occurring on the Internet is probably carried out by these individuals.
At the next level are those people who are capable of writing scripts to exploit
known vulnerabilities. These individuals are much more technically competent than

22
Chapter-1 : Computer Security – Gscheme -- 2017
script kiddies and they account for an estimated 8 to 12 percent of malicious Internet
activity.
At the top end of this spectrum are those highly technical individuals, often
referred to as elite hackers who not only have the ability to write scripts that exploit
vulnerability ties but who also are capable of discovering new vulnerabilities. This group
is the smallest of the lot, however, for at most only 1 to 2 percent of them are
responsible for intrusive activity.

Q.Describe who are Insiders in terms of computer security

Ans.It is generally acknowledged by security professionals that insiders are more
dangerous in many respects than outside intruders. The reason for this is simple—
insiders have access and knowledge necessary to cause immediate damage to an
organization. Security is designed to protect against outside intruders and thus lies at
the boundary between the organization and the rest of the world. Insiders may actually
already have all the access they need to perpetrate criminal activity such as fraud. In
addition to unprecedented access, insiders also frequently have knowledge of the
security systems in place and will be better able to avoid detection.
Employees are not the only insiders that organizations need to be concerned with.
There are often a number of other individuals who have physical access to faci1ities.
Custodial crews will frequently have unescorted access throughout the facility, often
when nobody else is around. Other individuals, such as contractors or partners, may
not only have physical access to the organizations facilities but may also have access to
computer systems and networks.

Q.Write short note on Criminal Organizations

Ans.As businesses became increasingly reliant upon computer s and networks, and as
the amount of financial transactions conducted via the Internet increased, it was
inevitable that criminal organizations would eventually turn to the electronic world as a
new target to exploit. Criminal activity on the Internet at its most basic is no different
than criminal activity in the physical world. Fraud, extortion, theft, embezzlement, and
forgery all take place in the electronic environment.
One difference between criminal groups and the ―average‖ hacker is the level of
organization that criminal elements may employ in their attack. Criminal groups may
have more money to spend on accomplishing the criminal activity and are willing to
spend extra time accomplishing the task provided the level of reward at the conclusion
is great enough. With the tremendous amount of money that is exchanged via the
Internet on a daily basis, the level of reward for a successful attack is high enough to
interest criminal elements. Attacks by criminal organizations can fall into the structured
threat category, which is characterized by a greater amount of planning, a longer period
of time to conduct the activity, more financial backing to accomplish it, and possibly
corruption of, or collusion with, insiders.

Q.Write short note on Terrorists and Information Warfare

Ans.As nations have increasingly become dependent on computer systems and
networks, the possibility that these essential elements of society might become a target
for organizations or nations determined to adversely affect another nation became a
reality. Many nations today have developed to some extent the capability to conduct
information warfare.

23
Chapter-1 : Computer Security – Gscheme -- 2017
There are several definitions for information warfare, but a simple one is that it is
warfare conducted against the information and information processing equipment used
by an adversary. In practice, this is a much more complicated subject since information
may not only be the target of an adversary, it may also be used as a weapon. Whatever
definition you use, information warfare falls into the highly structured threat category.
This type of threat is characterized by a much longer period of preparation (years
is not uncommon), tremendous financial backing, and a large and organized group of
attackers. The threat may not only include attempts to subvert insiders but might also
consist of attempts to plant individuals inside of a potential target in advance of a
planned attack.
An interesting aspect of information warfare is the list of possible targets available.
We have grown accustomed to the idea that, during war, military forces will target
opposing military forces but will generally attempt to destroy as little civilian
infrastructure as possible.
In information warfare, military forces are certainly still a key target, but much
has been written about other targets, such as the various infrastructures that a nation
relies on for its daily existence, Water, electricity, oil and gas refineries and distribution,
banking and finance and telecommunications—all fall into the category of critical
infrastructures for a nation. Critical infrastructures are those whose loss would have
severe repercussions on the nation.
With countries relying so heavily on these infrastructures, it is inevitable that they
would be viewed as valid targets during conflict. Given how dependent these
infrastructures are on computer systems and networks, it is also inevitable that these
same computer systems and networks may be targeted for a cyber attack in an
information war.
Another interesting aspect of information warfare is the potential list of attackers.
As mentioned, several countries are currently capable of conducting this type of warfare.
Nations, however, are not the only ones that can conduct information, or cyber, warfare.
Terrorist organizations can also accomplish this. Such groups fall into the category of
highly structured threats since they too are willing to conduct long-tern operations, have
in some cases tremendous financial support, and often have a large following.
Reports out of Afghanistan related stories of soldiers and intelligence officers
finding laptop computers formerly owned by members of Al Qaeda that contained
information about various critical infrastructures in the United States. This showed that
terrorist organizations were not only considering targeting such infrastructures, but
were doing so at an unexpected level of sophistication.

Q.What is Avenues of Attack

Ans. There are two general reasons a particular computer system is attacked:
1. either it is specifically targeted by the attacker, or
2. it is an opportunistic target.
In the first case, the attacker has chosen the target not because of the hardware
or software the organization is running but for another reason, perhaps a political
reason. An example of this type of attack would be an individual in one country
attacking a government system in another. Alternatively, the attacker may be targeting
the organization as part of a hacktivist attack. An example, in this case, might be an
attacker who defaces the web site of a company that sells fur coats because the attacker
feels using animals this way is unethical. Perpetrating some sort of electronic fraud is
another reason a specific system might be targeted. Whatever the reason, an attack of
24
Chapter-1 : Computer Security – Gscheme -- 2017
this nature is decided upon before the hardware and software of the organizations
known.
The second type of attack, an attack against a target of opportunity, is conducted
against a site that has hardware or software that is vulnerable to a specific exploit. The
attackers, in this case, are not targeting the organization; they have instead learned of
vulnerability and are simply looking for an organization with this vulnerability that they
can exploit. This is not to say that an attacker might not be targeting a given sector and
looking for a target of opportunity in that sector, however. For example, an attacker may
desire to obtain credit card or other personal information and may search for any
exploitable company with credit card information in order to carry out the attack.
Targeted attacks are more difficult and take more time than attacks on a target of
opportunity. The latter simply relies on the fact that with any piece of widely distributed
software, there will almost always be somebody who has not patched the system as they
should have.

Q.Describe the steps in an Attack

Ans. The steps an attacker takes in attempting to penetrate a targeted network are
similar to the ones that a security consultant performing a penetration test would take.
The attacker will need to gather as much information about the organization as possible.
There are numerous ways to do this,
1. including studying the organizations own web site,
2. looking for postings on newsgroups, or
3. consulting resources such as the Securities and Exchange Commission‘s (SEC‘s)
EDGAR web site (www.sec.gov/edgar.shtml).
A number of different financial reports are available through the EDGAR website
that can provide information about an organization that is useful for an attack—
particularly a social engineering attack. The type of information that the attacker wants
includes IP addresses, phone numbers, names of individuals, and what networks the
organization maintains.
Typically, the first step in the technical part of an attack is to determine what
target systems are available and active. This is usually done with a ping sweep, which
simply sends a ―ping‖ (an ICMP echo request) to the target machine. If the machine
responds, it is reachable.
The next step is often to perform a port scan. This will help identify which ports
are open, thus giving an indication of which services may be running on the target
machine. Determining the operating system that is running on the target machine, as
well as specific application programs, follows along with determining the services that
are available.
Various techniques can be used to send specifically formatted packets to the ports
on a target system to view the response. Often this response provides dues as to which
operating system and specific application is running on the target system. Once this is
done, the attacker would have a list of possible target machines, the operating system
running on them, and some specific applications or services to target.
Up until this point, the attacker has simply been gathering the information needed
to take the next step: an actual attack on the target. Knowing the operating system and
ser vices on the target helps the attacker decide which tools to use in the attack.
Numerous web sites provide information on the vulnerabilities of specific
application programs and operating systems. This information is valuable to
administrators, since they need to know what problems exist and how to patch them. In
25
Chapter-1 : Computer Security – Gscheme -- 2017
addition to in formation about specific vulnerabilities, some sites may also provide tools
that can be used to exploit the vulnerabilities. An attacker can search for known
vulnerabilities and tools that exploit them, download the information and tools, and
then use them against a site.
If the administrator for the targeted system has not installed the correct patch, the
attack maybe successful; if the patch has been installed, the attacker will move onto the
next possible vulnerability. If the administrator has installed all of the appropriate
patches so that all known vulnerabilities have been addressed, the attacker may have to
resort to a brute force attack which involves guessing a userid and password
combination. Unfortunately, this type of attack which could be easily prevented
sometimes proves successful.
As an summary it is the general process of :
1. gathering as much information about the target as possible (using both electronic
and non-electronic means),
2. gathering information about possible exploits based on the information about the
system, and
3. then systematically attempting to use each exploit. If the exploits don‘t work other
less system attacks may be attempted.

Types of Attacks

Q.List different types if attacks

Ans. Different type of attacks are
A.DOS –Denial of Service
B.POD – Ping of Death
C.DDOS – Distributed Denial of DOS

Q.Describe the three way Handshake protocol

Ans. The first system sends a SYN packet to the system it wishes to communicate with.

The second system will respond with a SYN/ACK if it is able to accept the request.
When the initial system receives the SYN/ACK from the second system, it responds with
an ACK packet, and communication can then proceed. This process is shown in Figure.

Q.Describe Denial of Service attack

Ans. Denial of service (DOS) attacks can exploit a known vulnerability in a specific
application or operating system, or they may attack features (or weaknesses) in specific
protocols or services. In this form of attack, the attacker is attempting to deny
authorized users access either to specific information or to the computer system or
network itself.
The purpose of such an attack can be to simply prevent access to the target
system, or the attack can be used in conjunction with other actions in order to gain
unauthorized access to a computer or network. For example, a SYN flooding attack may
26
Chapter-1 : Computer Security – Gscheme -- 2017
be used to temporarily prevent service to a system in order to take advantage of a
trusted relationship that exists between that system and another.
SYN flooding is an example of a DOS attack that takes advantage of the way
TCP/IP networks were designed to function, and it can be used to illustrate the basic
principles of any DOS attack. SYN flooding utilizes the TCP three-way handshake that is
used to establish a connection between two systems.
In a SYN flooding attack, the attacker sends fake communication requests to the
targeted system. Each of these requests will be answered by the target system, which
then waits for the third part of the handshake. Since the requests are fake (a
nonexistent IP address is used in the requests, so the target system is responding to a
system that doesn‘t exist), the target will wait for responses that will never come, as
shown in Figure .

The target system will drop these connections after a specific time-out period, but if the
attacker sends requests faster than the time-out period eliminates them, the system will
quickly be filled with requests. The number of connections a system can support is
finite, so when more requests come in than can be processed, the system will soon be
reserving all its connections for fake requests. At this point, any further requests are
simply dropped (ignored), and legitimate users who want to connect to the target system
will not be able to. Use of the system has thus been denied to them.

Q.Describe the Ping of Death type if attack

Ans.Another simple DOS attack is the famous ping-of-death (POD), and it illustrates the
other type of attack—one targeted at a specific application or operating system, as
opposed to SYN flooding, which targets a protocol.
In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP)
―ping‖ packet equal to, or exceeding 64KB (which is to say, greater than 64 * 1024 =
65,536 bytes). This type of packet should not occur naturally (there is no reason for a
ping packet to be larger than 64KB). Certain systems were not able to handle this size of
packet, and the system would hang or crash.

Q.What is Distributed Denial of Service attack (DDOS)

Ans.DOS attacks are conducted using a single attacking system. A denial of service
attack employing multiple attacking systems is known as a distributed denial of service
(DDOS) attack. The goal of a DDOS attack is the same: to deny the use of or access to a
specific service or system. DDOS attacks were made famous in 2000 with the highly
publicized attacks on eBay, CNN, Amazon, and Yahoo.
In a DDOS attack, the method used to deny service is simply to overwhelm the
target with traffic from many different systems. A network of attack agents (sometimes
called zombies) is created by the attacker, and upon receiving the attack command from
27
Chapter-1 : Computer Security – Gscheme -- 2017
the attacker, the attack agents commence sending a specific type of traffic against the
target. If the attack network is large enough, even ordinary web traffic can quickly
overwhelm the largest of sites, such as the ones targeted in 2000.
Creating a DDOS network is not a simple task. The attack agents are not willing
agents—they are systems that have been compromised and on which the DDOS attack
software has been installed. In order to compromise these agents, the attacker has to
have gained unauthorized access to the system or tricked authorized users to run a
program that installed the attack software. The creation of the attack network may in
fact be a multistep process in which the attacker first compromises a few systems that
are then used as handlers or masters, and which in turn compromise other systems.
Once the network has been created, the agents wait for an attack message that
will include data on the specific target before launching the attack. One important
aspect of a DDOS attack that should be mentioned is that with just a few messages to
the agents, the attacker can have a flood of messages sent against the targeted system.
Figure illustrates a DDOS network with agents and handlers.

Q.How can you stop or mitigate the effects of a DOS or DDOS attack?
Ans.One important precaution is to ensure that you have applied the latest patches and
upgrades to your systems and the applications running on them. Once a vulnerability is
discovered, it does not take long before multiple exploits are written to take advantage of
it. Generally you will have a small window of opportunity in which to patch your system
between the time a vulnerability is discovered and the time exploits become widely
available.
Another approach involves changing the timeout option for TCP connections so
that attacks such as the SYN flooding attack, described previously, are harder to
perform because unused connections are dropped more quickly.
For DDOS attacks, much has been written about distributing your own workload across
several systems so that any attack against your system would have to target several
hosts in order to be completely successful. While this is true, if large enough DDOS
networks are created (with tens of thousands of zombies, for example) any network, no
matter how much the load is distributed, can be successfully attacked. This approach
also involves an additional cost to your organization in order to establish this distributed

28
Chapter-1 : Computer Security – Gscheme -- 2017
environment. Addressing the problem in this manner is actually an attempt to mitigate
the effect of the attack, as opposed to preventing or stopping an attack.
In order to prevent a DDOS attack, you have to either be able to intercept or block
the attack messages or keep the DDOS network from being established in the first place.
Tools have been developed that will scan your systems, searching for sleeping zombies
waiting for an attack signal. The problem with this type of prevention approach,
however, is that it is not something you can do to prevent an attack on your network—it
is something you can do to keep your network from being used to attack other networks
or systems. You have to rely on the rest of the community to test their own systems in
order to prevent attacks on yours.
A final option you should consider that will address several forms of DOS and
DDOS attacks is to block ICMP packets at your border, since many attacks rely on
ICMP. Careful consideration should be given to this approach, because it will also
prevent the use of some possibly useful troubleshooting tools.

Q.Write short note on BackDoor and Trap Doors

Ans. Backdoors were originally (and sometimes still are) nothing more than methods
used by software developers to ensure that they could gain access to an application even
if something were to happen in the future to prevent normal access methods. An
example would be a hard-coded password that could be used to gain access to the
program in the event that administrators forgot their own system password. The obvious
problem with this sort of backdoor (also sometimes referred to as a trapdoor) is that,
since it is hard-coded, it cannot be removed. Should an attacker learn of the backdoor,
all systems running that software would be vulnerable to attack.
The term backdoor is also, and more commonly, used to refer to programs that
attackers install after gaining unauthorized
access to a system to ensure that they can
continue to have unrestricted access to the
system, even if their initial access method is
discovered and blocked. Backdoors can also
be installed by authorized individuals
inadvertently, should they run software that
contains a Trojan horse.
Common backdoors include NetBus
and Back Orifice. Both of these, if running on
your system, will allow an attacker remote
access to your system—access that allows
them to perform any function on your system.
A variation on the backdoor is the rootkit, and
they are established not to gain root access
but rather to ensure continued root access.
Rootkits are generally installed at a
lower level, closer to the actual kernel level of
the operating system.

Q.Write short note on Sniffing

Ans. The group of protocols that make up the
TCP/IP suite was designed to work in a friendly environment where everybody who
connected to the network used the protocols as they were designed. The abuse of this
29
Chapter-1 : Computer Security – Gscheme -- 2017
friendly assumption is illustrated by network-traffic sniffing programs, sometimes
referred to as sniffers.
A network sniffer is a software or hardware device that is used to observe traffic as
it passes through a network on shared broadcast media. The device can be used to view
all traffic, or it can target a specific protocol, service, or even string of characters (for
example, looking for logins). Normally the network device that connects a computer to a
network is designed to ignore all traffic that is not destined for that computer. Network
sniffers ignore this friendly agreement and observe all traffic on the network, whether
destined for that computer or others, as shown in Figure .
A network card that is listening to all network traffic and not just its own is said to
be in ―promiscuous mode.‖ Some network sniffers are designed not just to observe all
traffic but to modify traffic as well.
Network sniffers can be used by network administrators for monitoring network
performance. They can be used to perform traffic analysis, for example, in order to
determine what type of traffic is most commonly carried on the network and to
determine which segments are most active. They can also be used for network
bandwidth analysis and to troubleshoot certain problems (such as duplicate MAC
addresses).

Q.What is Spoofing?List the types if Spoofing

Ans. Spoofing is nothing more than making data look like it has come from a different
source. This is possible in TCP/IP because of the friendly assumptions behind the
protocols.
When the protocols were developed, it was assumed that individuals who had
access to the network layer would be privileged users who could be trusted. When a
packet is sent from one system to another, it includes not only the destination IP
address and port but the source IP address as well. You are supposed to fill in the
source with your own address, but there is nothing that stops you from filling in another
system‘s address. This is one of the several forms of spoofing.
1. Spoofing E-Mail
2. IP address Spoofing
3. Spoofing and Trusted Relationships
4. Spoofing and Sequence Numbers

Q.Describe what is Email Spoofing

Ans. E-mail spoofing is where you send a message with a From address different than
your own. This can be easily accomplished, and there are several different ways to do it
and programs that can assist you in doing so. A very simple method often used to
demonstrate how simple it is to spoof an e-mail address is to telnet to port 25 (the port
associated with e-mail) on a system. From there, you can fill in any address for the From
and To sections of the message, whether or not the addresses are yours and whether
they actually exist or not.
There are some simple ways to determine that an e-mail message was probably
not sent by the source it claims to have been sent from, but most users do not question
their e-mail and will accept where it appears to have come from. A variation on e-mail
spoofing, though it is not technically spoofing, is for the attacker to acquire a URL close
to the one they want to spoof so that e-mail sent from their system appears to have

30
Chapter-1 : Computer Security – Gscheme -- 2017
come from the official site unless you read the address carefully. For example, if
attackers wanted to spoof XYZ Corporation, which owned XYZ.com, the attackers might
gain access to the URL XYZ.Corp.com. An individual receiving a message from the
spoofed corporation site would not normally suspect it to be a spoof but would take it to
be official.
This same method can be, and has been, used to spoof web sites. The most
famous example of this is probably www.whitehouse.com. The www.whitehouse.gov site
is the official site for the White House. The www.whitehouse.com URL takes you to a
pornographic site. In this case, nobody is likely to take the pornographic site to be the
official government site, and it was not intended to be taken that way. If, however, the
attackers made their spoofed site appear similar to the official one, they could easily
convince many viewers that they were at the official site.

Q.What is URL Spoofing?

URL spoofing is the process of creating a fake or forged URL which impersonates a
legitimate and secure website.
The spoofed URL or website address looks exactly like the original and safe URL,
but is actually redirecting all the traffic to a ‗booby trapped‘ website.
Such websites and forged URLs are primarily used in cybercrimes such as identity
theft, phishing, and various scams. The forged or spoofed URL is sent to as many target
victims as possible through different means, including emails, texts, and instant
messaging.
Forged URLs are also posted on other websites that are not harmful at all but they
contain spoofed and forged links that would eventually lead the user to a dangerous
website.
A slightly different version of URL spoofing is one in which the attacker not only
creates a fake and forged URL, but he also builds a website that looks exactly like the
original website.
This kind of URL spoofing attack can be potentially more harmful and dangerous,
because the website looks exactly like the original one.
The website asks you to enter your username, password, credit card number, or
whatever information the attacker wants to extract using that spoofed URL.
Spoofed URLs of banking or ecommerce websites could lead to heavy financial
losses.Spoofed URLs are also used by websites to track visitors and traffic on their
websites. In this case, the spoofed URL is the address of the webpage which actually
contains the link to the website. This kind of URL spoofing is legitimate, and is known
as a URL referer.

Q. Describe what is IP address Spoofing

Ans. The way the IP protocol is designed to work is to have the originators of any IP
packet include their own IP address in the ―From‖ portion of the packet. While this is the
intent, there is nothing that prevents a system from inserting a different address in the
―From‖ portion of the packet. This is known as IP Address Spoofing. An IP address may
be spoofed for several reasons. In a specific DOS attack known as a smurf attack, the
attacker sends a spoofed packet to the broadcast address for a network, which
distributes the packet to all systems on that network.

31
Chapter-1 : Computer Security – Gscheme -- 2017
In the smurf attack, the packet sent by the attacker to the broadcast address is an
echo request with the From address forged so that it appears that another system (the
target system) has made the echo request. The normal response of a system to an echo
request is an echo reply, and it is used in the ping utility to let a user know if a remote
system is reachable and is responding.

In the smurf attack,the request is sent to all systems on the network, so all will
respond with an echo reply to the target system, as shown in Figure. The attacker has
sent one packet and has been able to generate as many as 254 responses aimed at the
target. Should the attacker send several of these spoofed requests, or send them to
several different networks, the target can quickly become overwhelmed with the volume
of echo replies it receives.

Q.Explain how trusted relation ship can be spoofed

Ans. Spoofing can also take advantage of a trusted relationship between two systems. If
two systems are configured to accept the authentication accomplished by each other, an
individual logged on to one system might not be forced to go through an authentication
process again to access the other system. An attacker can take advantage of this
arrangement by sending a packet to one system that appears to have come from a
trusted system.
Since the trusted relationship is in place, the targeted system may perform the
requested task without authentication.
Since a reply will often be sent once a packet is received, the system that is being
impersonated could interfere with the attack, since it would receive an acknowledgement
for a request it never made. The attacker will often initially launch a DOS attack (such
as a SYN flooding attack) to temporarily take out the spoofed system for the period of
time that the attacker is exploiting the trusted relationship. Once the attack is
32
Chapter-1 : Computer Security – Gscheme -- 2017
completed, the DOS attack on the spoofed system would be terminated and possibly,
apart from having a temporarily non-responsive system, the administrators for the
systems may never notice that the attack occurred. Figure illustrates a spoofing attack
that includes a SYN flooding attack.

Because of this type of attack, administrators are encouraged to strictly limit any
trusted relationships between hosts. Firewalls should also be configured to discard any
packets from outside of the firewall that have From addresses indicating they originated
from inside the network (a situation that should not occur normally and that indicates
spoofing is being attempted).

Q.Describe the Spoofing the sequence number technique of Spoofing

Ans. How complicated the spoofing is depends heavily on several factors, including
whether the traffic is encrypted and where the attacker is located in relationship to the
target.
Spoofing attacks from inside a network, for example, are much easier to perform
than attacks from outside of the network because the inside attacker can observe the
traffic to and from the target and can do a better job of formulating the necessary
packets.
Formulating the packets is more complicated for external attackers because there is a
sequence number associated with TCP packets. A sequence number is a 32-bit number
established by the host that is incremented for each packet sent. Packets are not
guaranteed to be received in order, and the sequence number can be used to help
reorder packets as they are received and to refer to packets that may have been lost in
transmission.
In the TCP three-way handshake, two sets of sequence numbers are created, as
shown in Figure . The first system chooses a sequence number to send with the original
SYN packet that it sends. The system receiving this SYN packet acknowledges with a
SYN/ACK. It sends back the first sequence number plus one (that is, it increments the
sequence number sent to it by one). It then also creates its own sequence number and
sends that along with it. The original system receives the SYN/ACK with the new
sequence number. It increments the sequence number by one and uses it in an ACK
package it responds with.
The difference in the difficulty of attempting a spoofing attack from inside a network
33
Chapter-1 : Computer Security – Gscheme -- 2017
and from outside involves determining the sequence number. If the attacker is inside of
the network and can observe the traffic the target host responds with, the attacker can
easily see the sequence number the system creates and can respond with the correct
sequence number. If the attacker is external to the network, the sequence number the
target system generates will not be observed, making it hard for the attacker to provide
the final ACK with the correct sequence number. What the attacker has to do is guess
what the sequence number might be.
Predicting sequence numbers is possible, because sequence numbers are
somewhat predictable. Sequence numbers for each session are not started from the
same number, so that different packets from different concurrent connections will not
have the same sequence numbers. Instead, the sequence number for each new
connection is incremented by some large number to keep them from being the same.

The sequence number may also be incremented by some large number every
second (or some other time period). What an external attacker has to do is determine
what the values used for these increments are. The attacker can do this by attempting
connections at various time intervals in order to observe how the sequence numbers are
incremented. Once the pattern is determined, the attacker can attempt a legitimate
connection to determine the current value, and then immediately attempt the spoofed
connection. The spoofed connection sequence number should be the legitimate
connection incremented by the determined value or values.

Q.Explain Man in middle attack

Ans. A man-in-the-middle attack, as the name implies, generally occurs when attackers
are able to place themselves in the middle of two other hosts that are communicating.
Ideally, this is done by ensuring
that all communication going to
or from the target host
is routed through the attacker‘s
host (which may be accomplished
if the attacker can
compromise the router for the
target host). The attacker can
then observe all traffic before
relaying it and can actually
modify or block traffic. To the
target host, it appears that
communication is occurring
normally, since all expected replies are received. Figure. illustrates this type of attack.

34
Chapter-1 : Computer Security – Gscheme -- 2017

The amount of information that can be obtained in a man-in-the-middle attack

will obviously be limited if the communication is encrypted. Even in this case, however,
sensitive information may still be obtained, since knowing what communication is being
conducted, and between which individuals, may in fact provide information that is
valuable in certain circumstances.

Q.Describe replay and TCP/IP hijacking attack

Ans. Replay Attacks
A replay attack is exactly what it sounds like: it is an attack where the attacker
captures a portion of a communication between two parties and retransmits it at a later
time. For example, an attacker might replay a series of commands and codes used in a
financial transaction in order to cause the transaction to be conducted multiple times.
Generally replay attacks are associated with attempts to circumvent authentication
mechanisms, such as the capturing and reuse of a certificate or ticket.
The best way to prevent replay attacks is with encryption, cryptographic
authentication, and time stamps. If a portion of the certificate or ticket includes a
date/time stamp or an expiration date/time, and this portion is also encrypted as part
of the ticket or certificate, replaying it at a later time will prove useless, since it will be
rejected as having expired.

TCP/IP Hijacking
TCP/IP hijacking and session hijacking are terms used to refer to the process of taking
control of an already existing session between a client and a server. The advantage to an
attacker of hijacking over attempting to penetrate a computer system or network is that
the attacker doesn‘t have to circumvent any authentication mechanisms, since the user
has already authenticated and established the session. Once the user has completed the
authentication sequence, the attacker can then usurp the session and carry on as if the
attacker, and not the user, had authenticated with the system. In order to prevent the
user from noticing anything unusual, the attacker may decide to attack the user‘s
system and perform a denial of service attack on it, taking it down so that the user, and
the system, will not notice the extra traffic that is taking place.
Hijack attacks generally are used against web and telnet sessions. The previous
discussion on sequence numbers as they applied to spoofing also applies to session
hijacking, since the hijacker will need to provide the correct sequence number to
continue the appropriated sessions.

Q.What is attack on Encryption

Ans, Attacks on Encryption
Cryptography is the art of ―secret writing,‖ and encryption is the process of
transforming plaintext into an unreadable format known as ciphertext using a specific
technique or algorithm. Most encryption techniques use some form of key in the
encryption process. The key is used in a mathematical process to scramble the original
message to arrive at the unreadable ciphertext.
Another key (sometimes the same one and sometimes a different one) is used to
decrypt or unscramble the ciphertext to re-create the original plaintext. The length of the
key often directly relates to the strength of the encryption.

35
Chapter-1 : Computer Security – Gscheme -- 2017
Cryptanalysis is the process of attempting to break a cryptographic system—it is
an attack on the specific method used to encrypt the plaintext.

Weak Keys
Certain encryption algorithms may have specific keys that yield poor, or easily
decrypted, ciphertext. Imagine an encryption algorithm that consisted solely of a single
XOR function (an exclusive XOR function where two bits are compared and a 1 is
returned if either of the original bits, but not both, is a 1), where the key was repeatedly
used to XOR with the plaintext. A key where all bits are 0‘s, for example, would result in
ciphertext that is the same as the original plaintext. This would obviously be a weak key
for this encryption algorithm. In fact, any key with long strings of 0‘s would yield
portions of the ciphertext that were the same as the plaintext. In this simple example,
there would be many keys that could be considered weak.
Encryption algorithms used in computer systems and networks are much more
complicated than a simple, single XOR function, but some algorithms have still been
found to have weak keys that make cryptanalysis easier.

Exhaustive Search of Key Space

Even if the specific algorithm used to encrypt a message is complicated and has
not been shown to have weak keys, the key length will still play a significant role in how
easy it is to attack the method of encryption. Generally speaking, the longer a key is, the
harder it will be to attack. Thus, a 40-bit encryption scheme will be easier to attack
using a brute-force technique (which tests all possible keys, one by one) than a 256-bit
method will be. This is easily demonstrated by imagining a scheme that employed a 2-bit
key.
Even if the resulting ciphertext were completely unreadable, performing a brute-
force attack until one key is found that can decrypt the ciphertext would not take long,
since there are only four possible keys. Every bit that is added to the length of a key
doubles the number of keys that have to be tested in a brute-force attack on the
encryption. It is easy to understand why a scheme utilizing a 40-bit key would be much
easier to attack than a scheme that utilized a 256-bit key.

Indirect Attacks
One of the most common ways of attacking an encryption system is to find
weaknesses in mechanisms surrounding the cryptography. Examples include poor
random number generators, unprotected key exchanges, keys stored on hard drives
without sufficient protection, and other general programmatic errors, such as buffer
overflows. In attacks that target these types of weaknesses, it is not the cryptographic
algorithm itself that is being attacked, but rather the implementation of that algorithm
in the real world.

Password Guessing
The most common form of authentication is the userid and password combination.
While it is not inherently a poor mechanism for authentication, the userid and password
combination can be attacked in several ways. All too often, these attacks will yield
favorable results for the attacker not as a result of a weakness in the scheme but
usually due to the user not following good password procedures.

36
Chapter-1 : Computer Security – Gscheme -- 2017
Poor Password Choices
The least technical of the various password-attack techniques consists of the attacker
simply attempting to guess the password of an authorized user of the system or
network.
It is surprising how often this simple method works, and the reason it does is because
people are notorious for picking poor passwords. The problem the users face is that they
need to select a password that they can remember. In order to do this, many select
simple things, such as their birthday, their mother‘s maiden name, the name of their
spouse or one of their children, or even simply their userid itself. All it takes is for the
attacker to obtain a valid userid (often a simple matter, because organizations tend to
use an individual‘s names in some combination—first letter of their first name combined
with their last name, for example) and a little bit of information about the user before
guessing can begin. Organizations sometimes make it even easier for attackers to obtain
this sort of information by posting the names of their ―management team‖ and other
individuals, sometimes with short biographies, on their web sites.
Even if the person doesn‘t use some personal detail as their password, the attacker
may still get lucky, since many people pick a common word for their password.
Attackers can obtain lists of common passwords—there are a number of them on the
Internet. Words such as ―password‖ and ―secret‖ have often been used as passwords.
Names of favorite sports teams also often find their way onto lists of commonly used
passwords.

Dictionary Attack
Another method of determining passwords is to use a password-cracking program.
There are a number of both commercial and public-domain password cracking programs
available. The programs use a variety of methods to crack passwords, including
using variations on the userid. These programs often also use a dictionary of words—the
words can be used by themselves, or two or more smaller ones may be combined to
form a single possible password.
The programs often permit the attacker to create various rules that tell the program
how to combine words to form new possible passwords. Users commonly substitute
certain numbers for specific letters. If the user wanted to use the word secret for a
password, for example, the letter e may be replaced with the number 3 yielding s3cr3t.
This password will not be found in the dictionary, so a pure dictionary attack will not
crack it.

At the same time, the password is still easy for the user to remember. If a rule were
created that tried all words in the dictionary and then tried the same words substituting
the number 3 for the letter e, the password would be cracked.
Rules can also be defined so that the cracking program will substitute special characters
for other characters, or combine words together. The ability of the attacker to crack
passwords is directly related to the method the user employed to create the password in
the first place, as well as the dictionary and rules used.

Brute-Force Attack
If the user has selected a password that will not be found in a dictionary, even if various
numbers or special characters are substituted for other letters, the only way the
password can be cracked is to attempt a brute-force attack. This entails the password
cracking program attempting all possible password combinations.
37
Chapter-1 : Computer Security – Gscheme -- 2017
The length of the password and the size of the set of possible characters in the password
will greatly affect the time a brute-force attack will take. A few years ago, this method of
attack was very unreliable, since it took considerable time to generate all possible
combinations. With the increase in computer speed, however, the time it takes to
generate password combinations makes it much more feasible to launch brute-force
attacks against certain computer systems and networks. A brute-force attack on a
password can take place at two levels. It can be an attack on a system where the
attacker is attempting to guess the password at a login prompt, or it can be an attack
against the list of passwords contained in a password file. The first attack can be made
more difficult by locking the account after a few failed login attempts. The second attack
can be thwarted by securely maintaining your password file so that others may not
obtain a copy of it.

Birthday Attack
The birthday attack is a special type of brute-force attack. It gets its name from
something known as the birthday paradox, which states that in a group of at least 23
people, the chance that there will be two individuals with the same birthday is greater
than 50 percent. Mathematically, we can use the equation 1.2k1/2 (with k equaling the
size of the set of possible values), and in the birthday paradox, k would be equal to 365
(the number of possible birthdays). This same phenomenon applies to passwords, with k
just being quite a bit larger.

38
Chapter-1 : Computer Security – Gscheme -- 2017

Malwares – Virus and Worms

Introduction
A computer virus is a computer program that can replicate itself and spread from one
computer to another. The term "virus" is also commonly, but erroneously, used to refer
to other types of malware, including but not limited to adware and spyware programs
that do not have a reproductive ability.
Malware includes computer viruses, computer worms, ransom ware, trojan
horses, keyloggers, most rootkits, spyware, dishonest adware, malicious BHOs and
other malicious software. The majority of active malware threats are usually trojans or
worms rather than viruses.
Malware such as trojan horses and worms is sometimes confused with viruses, which
are technically different: a worm can exploit security vulnerabilities to spread itself
automatically to other computers through networks, while a trojan horse is a program
that appears harmless but hides malicious functions.
Worms and trojan horses, like viruses, may harm a computer system's data or
performance. Some viruses and other malware have symptoms noticeable to the
computer user, but many are surreptitious or simply do nothing to call attention to
themselves. Some viruses do nothing beyond reproducing themselves.
Classification
In order to replicate itself, a virus must be permitted to execute code and write to
memory. For this reason, many viruses attach themselves to executable files that may
be part of legitimate programs (code injection). If a user attempts to launch an infected
program, the virus' code may be executed simultaneously. Viruses can be divided into
two types based on their behavior when they are executed. Nonresident viruses
immediately search for other hosts that can be infected, infect those targets, and finally
transfer control to the application program they infected. Resident viruses do not search
for hosts when they are started. Instead, a resident virus loads itself into memory on
execution and transfers control to the host program. The virus stays active in the
background and infects new hosts when those files are accessed by other programs or
the operating system itself.
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication
module. The finder module is responsible for finding new files to infect. For each new
executable file the finder module encounters, it calls the replication module to infect
that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed
by nonresident viruses. This module, however, is not called by a finder module. The
virus loads the replication module into memory when it is executed instead and ensures
that this module is executed each time the operating system is called to perform a
certain operation. The replication module can be called, for example, each time the

39
Chapter-1 : Computer Security – Gscheme -- 2017
operating system executes a file. In this case the virus infects every suitable program
that is executed on the computer.

Computer virus is a harmful software program written intentionally to enter a

computer without the user's permission or knowledge. It has the ability to replicate
itself, thus continuing to spread. Some viruses do little but replicate, while others can
cause severe harm or adversely affect the program and performance of the system. A
virus should never be assumed harmless and left on a system.

There are different types of viruses which can be classified according to their origin,
techniques, types of files they infect, where they hide, the kind of damage they cause,
the type of operating system, or platform they attack. Let us have a look at few of them.

Memory Resident Virus

These viruses fix themselves in the computer memory and get activated whenever the
OS runs and infects all the files that are then opened. This type of virus hides in the
RAM and stays there even after the malicious code is executed. It gets control over the
system memory and allocate memory blocks through which it runs its own code, and
executes the code when any function is executed.It can corrupt files and programs that
are opened, closed, copied, renamed, etc. Examples: Randex, CMJ, Meve, and MrKlunky
Protection is possible due by Installing an antivirus program.

Direct Action Viruses

The main purpose of this virus is to replicate and take action when it is executed. When
a specific condition is met, the virus will go into action and infect files in the directory or
folder that are specified in the AUTOEXEC.BAT file path. This batch file is always
located in the root directory of the hard disk and carries out certain operations when the
computer is booted.

FindFirst/FindNext technique is used where the code selects a few files as its victims. It
also infects the external devices like pen drives or hard disks by copying itself on them.
The viruses keep changing their location into new files whenever the code is executed,
but are generally found in the hard disk's root directory. It can corrupt files. Basically, it
is a file-infecter virus.Examples: Vienna virus. Protection is possible due by Installing an
antivirus scanner. However, this type of virus has minimal effect on the computer's
performance.

Overwrite Viruses

A virus of this kind is characterized by the fact that it deletes the information contained
in the files that it infects, rendering them partially or totally useless once they have been
infected. The virus replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D For protection the only way to clean a file
infected by an overwrite virus is to delete the file completely, thus losing the original

40
Chapter-1 : Computer Security – Gscheme -- 2017
content.However, it is very easy to detect this type of virus, as the original program
becomes useless.

Boot Sector Virus

This type of virus affects the boot sector of a hard disk. This is a crucial part of the disk,
in which information of the disk itself is stored along with a program that makes it
possible to boot (start) the computer from the disk. This type of virus is also called
Master Boot Sector Virus or Master Boot Record Virus. It hides in the memory until DOS
accesses the floppy disk, and whichever boot data is accessed, the virus infects it.
Examples: Polyboot.B, AntiEXE. The best way of avoiding boot sector viruses is to
ensure that floppy disks are write-protected. Also, never start your computer with an
unknown floppy disk in the disk drive.

Macro Virus

Macro viruses infect files that are created using certain applications or programs that
contain macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to
automate series of operations so that they are performed as a single action, thereby
saving the user from having to carry them out one by one. These viruses automatically
infect the file that contains macros, and also infects the templates and documents that
the file contains. It is referred to as a type of e-mail virus.These hide in documents that
are shared via e-mail or networks.Examples: Relax, Melissa.A, Bablas, O97M/Y2K
The best protection technique is to avoid opening e-mails from unknown senders. Also,
disabling macros can help to protect your useful data.

Directory Virus

Directory viruses (also called Cluster Virus/File System Virus) infect the directory of
your computer by changing the path that indicates the location of a file. When you
execute a program file with an extension .EXE or .COM that has been infected by a
virus, you are unknowingly running the virus program, while the original file and
program is previously moved by the virus. Once infected, it becomes impossible to locate
the original files. It is usually located in only one location of the disk, but infects the
entire program in the directory. Examples: Dir-2 virus.For protection all you can do is,
reinstall all the files from the backup that are infected after formatting the disk.

Polymorphic Virus

Polymorphic viruses encrypt or encode themselves in a different way (using different

algorithms and encryption keys) every time they infect a system. This makes it
impossible for antivirus software to find them using string or signature searches
(because they are different in each encryption). The virus then goes on to create a large
number of copies.Examples: Elkern, Marburg, Satan Bug and Tuareg. Install a high-end
antivirus as the normal ones are incapable of detecting this type of virus.

Companion Viruses

41
Chapter-1 : Computer Security – Gscheme -- 2017

Companion viruses can be considered as a type of file infector virus, like resident or
direct action types. They are known as companion viruses because once they get into
the system they 'accompany' the other files that already exist. In other words, to carry
out their infection routines, companion viruses can wait in memory until a program is
run (resident virus), or act immediately by making copies of themselves (direct action
virus).
Hideout: These generally use the same filename and create a different extension of it.
For example: If there is a file "Me.exe", the virus creates another file named "Me.com"
and hides in the new file. When the system calls the filename "Me", the ".com" file gets
executed (as ".com" has higher priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069. For protection install an antivirus
scanner and also download Firewall.

FAT Virus

The file allocation table (FAT) is the part of a disk used to store all the information about
the location of files, available space, unusable space, etc. FAT virus attacks the FAT
section and may damage crucial information. It can be especially dangerous as it
prevents access to certain sections of the disk where important files are stored. Damage
caused can result in loss of information from individual files or even entire directories.
Examples: Link Virus. Before the virus attacks all the files on the computer, locate all
the files that are actually needed on the hard drive, and then delete the ones that are
not needed. They may be files created by viruses.

Multipartite Virus

These viruses spread in multiple ways possible. It may vary in its action depending upon
the operating system installed and the presence of certain files. In the initial phase,these
viruses tend to hide in the memory as the resident viruses do; then they infect the hard
disk.Examples: Invader, Flip and Tequila. You need to clean the boot sector and also the
disk to get rid of the virus, and then reload all the data in it. However, ensure that the
data is clean.

Web Scripting Virus

Many web pages include complex codes in order to create an interesting and interactive
content. This code is often exploited to bring about certain undesirable actions. The
main sources of web scripting viruses are the web browsers or infected web pages.
Examples: JS.Fortnight is a virus that spreads through malicious e-mails.
Protection: Install the microsoft tool application that is a default feature in Windows
2000, Windows 7 and Vista. Scan the computer with this application.
Worms

A worm is a program very similar to a virus; it has the ability to self-replicate and can
lead to negative effects on your system. But they can be detected and eliminated by an
antivirus software. These generally spread through e-mails and networks. They do not
infect files or damage them, but they replicate so fast that the entire network may

42
Chapter-1 : Computer Security – Gscheme -- 2017
collapse.Examples: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson. Install an
updated version of antivirus.

Trojans

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike
viruses, do not reproduce by infecting other files, nor do they self-replicate like worms.
In fact, it is a program which disguises itself as a useful program or application.

Beware of the fact that these viruses copy files in your computer (when their carrier
program is executed) that can damage your data, and even delete it. The attacker can
also program the trojans in such a manner that the information in your computer is
accessible to them.

Logic Bombs

They are not considered viruses because they do not replicate. They are not even
programs in their own right, but rather camouflaged segments of other programs. They
are only executed when a certain predefined condition is met. Their objective is to
destroy data on the computer once certain conditions have been met. Logic bombs go
undetected until launched, the results can be destructive, and your entire data can be
deleted!

Malicious Code
The term malicious code refers to software that has been designed for some
nefarious purpose.
Such software may be designed to cause damage to a system, such as by deleting
all files, or it may be designed to create a backdoor in the system in order to grant
access to unauthorized individuals. Generally the installation of malicious code is done
so that it is not obvious to the authorized users. There are several different types of
malicious software, such as viruses, Trojan horse, logic bombs, and worms, and they
differ in the ways they are installed and their purposes.

VIRUS (Vital Information Resources Under Siege)

Viruses
The best-known type of malicious code is the virus. Much has been written about
viruses as a result of several high-profile security events that involved them. A virus is a
piece of malicious code that replicates by attaching itself to another piece of executable
code.
When the other executable code is run, the virus also executes and has the
opportunity to infect other files and perform any other nefarious actions it was designed
to do. The specific way that a virus infects other files, and the type of files it infects,
depends on the type of virus. The first viruses were of two types—boot sector or program
viruses.

43
Chapter-1 : Computer Security – Gscheme -- 2017
Boot Sector Virus
A boot sector virus infects the boot sector portion of either a floppy disk or a hard
drive (just a few years ago, not all computers had hard drives, and many booted from a
floppy). When a computer is first turned on, a small portion of the operating system is
initially loaded from hardware. This small operating system then attempts to load the
rest of the operating system from a specific location (sector) on either the floppy or the
hard drive. A boot sector virus infects this portion of the drive.
An example of this type of virus was the Stoned virus, which moved the true
Master Boot Record (MBR) from the first to the seventh sector of the first cylinder, and
replaced the original MBR with itself. When the system was then turned on, the virus
was first executed, which had a one in seven chance of displaying a message stating the
computer was ―stoned‖; otherwise it would not announce itself and would instead
attempt to infect other boot sectors. This virus was rather tame in comparison to other
viruses of its time, which often were designed to delete the entire hard drive after a
period of time in which they would attempt to spread.

Program Virus
A second type of virus is the program virus, which attaches itself to executable
files—typically files ending in .exe or .com on Windows-based systems. The virus is
attached in such a way that it is executed before the program. Most program viruses
also hide a nefarious purpose, such as deleting the hard drive, which is triggered by a
specific event, such as a date or after a certain number of other files were infected.
Like other types of viruses, program viruses are often not detected until after they
execute their malicious payload. One method that has been used to detect this sort of
virus before it has an opportunity to damage a system is to calculate checksums for
commonly used programs or utilities. Should the checksum for an executable ever
change, it is quite likely that this is due to a virus infection.

Macro Virus
In the late 90s, another type of virus appeared that now accounts for the majority
of viruses. As systems became more powerful, as well as the operating systems that
managed them, the boot sector virus, which once accounted for most reported
infections, became less common. Systems no longer commonly booted from floppies,
which were the main method for boot sector viruses to spread. Instead, the proliferation
of software that included macro-programming languages resulted in a new breed of virus
the macro virus.
The Concept virus was the first known example of this new breed. It appeared to
be
created to demonstrate the possibility of attaching a virus to a document file, something
that had been thought to be impossible before the introduction of software that included
powerful macro language capabilities. By this time, however, Microsoft Word documents
could include segments of code written in a derivative of Visual Basic. Further
development of other applications that allowed macro capability, and enhanced
versions of the original macro language, had the side effect of allowing the proliferation
of viruses that took advantage of this capability.
This type of virus is so common today that it is considered a security best practice
to advise users to never open a document attached to an e-mail if it seems at all
suspicious. Many organizations now routinely have their mail servers eliminate any
attachments containing Visual Basic macros.
44
Chapter-1 : Computer Security – Gscheme -- 2017

Polymorphic virus
A virus that changes its virus signature (i.e., its binary pattern) every time it
replicates and infects a new file in order to keep from being detected by an antivirus
program.
In computer terminology, polymorphic code is code that uses a polymorphic
engine to mutate while keeping the original algorithm intact. That is, the code changes
itself each time it runs, but the function of the code (its semantics) will not change at all.
This technique is sometimes used by computer viruses, shellcodes and computer
worms to hide their presence.
Encryption is the most common method to hide code. With encryption, the main
body of the code (also called its payload) is encrypted and will appear meaningless. For
the code to function as before, a decryption function is added to the code. When the
code is executed this function reads the payload and decrypts it before executing it in
turn.
Encryption alone is not polymorphism. To gain polymorphic behavior, the
encryptor/decryptor pair are mutated with each copy of the code. This allows different
versions of some code while all function the same.

Polymorphic infections are difficult for virus detection programs to cleanse

because one polymorphic virus could have hundreds or thousands of variants.
Developers that design the detection programs have to write extra lines of code in order
to make the programs better at detecting the virus infections. Even the best antivirus
programs have trouble with detecting and cleansing polymorphic infections, although
antivirus programs with heuristic do have a better time at detecting these types of
viruses.

The first known polymorphic virus was developed in 1990, in the early days of the
Internet, illustrating the fact that virus creators have always been ahead of the curve
when it comes to developing malicious code. These viruses operate with the assistance of
an encryption engine which changes with each virus replication; this keeps the
encrypted virus functional, while still hiding the virus from the computer it infects and
allowing the virus to slip through security systems which are designed to prevent
malicious code from entering or exiting a network.

Metamorphic and polymorphic Malware (Malicious Software)

Metamorphic and polymorphic malware are two categories of malicious software
programs (malware) that have the ability to change their code as they propagate.

Metamorphic malware is rewritten with each iteration so that each succeeding version of
the code is different from the preceding one. The code changes makes it difficult for
signature-based antivirus software programs to recognize that different iterations are the
same malicious program.

In spite of the permanent changes to code, each iteration of metamorphic malware

functions the same way. The longer the malware stays in a computer, the more
iterations it produces and the more sophisticated the iterations are, making it
increasingly hard for antivirus applications to detect, quarantine and disinfect.

45
Chapter-1 : Computer Security – Gscheme -- 2017
Polymorphic malware also makes changes to code to avoid detection. It has two
parts, but one part remains the same with each iteration, which makes the malware a
little easier to identify.

For example, a polymorphic virus might have a virus decryption routine (VDR) and
an encrypted virus program body (EVB). When an infected application launches, the
VDR decrypts the encrypted virus body back to its original form so the virus can perform
its intended function. Once executed, the virus is re-encrypted and added to another
vulnerable host application. Because the virus body is not altered, it provides a kind of
complex signature that can be detected by sophisticated antivirus programs.

In another example, a new key might be randomly generated with each copy to
change the appearance of the encrypted virus body -- but the virus decryption routine
woud remain constant. In either scenario, it is the static part of the code that makes it
possible for an anti-virus program to identify the presence of malware.

Metamorphic malware is considered to be more difficult to write than polymorphic

malware. The author may use may use multiple transformation techniques, including
register renaming, code permutation, code expansion, code shrinking and garbage code
insertion. Consequently, advanced techniques such as generic decryption scanning,
negative heuristic analysis, emulation and access to virtualization technologies are
required for detection.

Stealth Virus
A computer virus that actively hides itself from antivirus software by either
masking the size of the file that it hides in or temporarily removing itself from the
infected file and placing a copy of itself in another location on the drive, replacing the
infected file with an uninfected one that it has stored on the hard drive.

Definition - What does Stealth Virus mean?

A stealth virus is a hidden computer virus that attacks operating system processes and
averts typical anti-virus or anti-malware scans. Stealth viruses hide in files, partitions
and boot sectors and are adept at deliberately avoiding detection.

Stealth virus eradication requires advanced anti-virus software or a clean system reboot.

In order to avoid detection, stealth viruses also self-modify in the following ways:

Code Modification: The stealth virus changes the code and virus signature of each
infected file.

Encryption: The stealth virus encrypts data via simple encryption and uses a different
encryption key for each infected file.

Brain, the first stealth virus, spread internationally during the mid-1980s.

46
Chapter-1 : Computer Security – Gscheme -- 2017
Example: The very first DOS virus, Brain, a boot-sector infector,monitors physical disk
I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area
where the original boot sector is stored.The nextviruses to use this technique werethe
fileinfectors Number of the Beast and Frodo (aka 4096, 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort

theresultsof system status checks. Thus the system should be started from a trusted,
clean, bootable diskette before any virus-checkingis attempted;

Fast and Slow Infectors

A fast infector infects any file accessed, not just run. A slow infector only infects files as
they are being created or modified.
The term fast or slow when dealing with viruses pertains to how often and under what
circumstances they spread the infection.
Typically, a virus will load itself into memory when an infected program is run. It sits
there and waits for other programs to be run and infects them at that time.

Fast: A fast infector infects programs not just when they are run, but also when they are
simply accessed. The purpose of this type of infection is to ride on the back of anti-virus
software to infect files as they are being checked. By its nature, anti-virus software (a
scanner, in particular) opens each file on a disk being checked in order to determine if a
virus is present. A fast infector that has not been found in memory before the scanning
starts will spread itself quickly throughout the disk.

Slow: A slow infector does just the opposite. A slow infector will only infect files when
they are created or modified. Its purpose is to attempt to defeat integrity checking
software by piggybacking on top of the process which legitimately changes a file.
Because the user knows the file is being changed, they will be less likely to suspect the
changes also represent an infection. By its nature (and because executable code is not
usually changed) a slow infector does not spread rapidly and if the integrity checker has
a scanning component it will likely be caught. Also, an integrity checker that is run on a
computer booted from a known-clean floppy disk will be able to defeat a slow infector.

What are "fast" and "slow" infectors? (Computer virus)

A typical file infector (such as the Jerusalem) copies itself to memory when a program
infected by it is executed, and then infects other programs when they are executed.

A FAST infector is a virus that, when it is active in memory, infects not only programs
which are executed, but even those that are merely opened. The result is that if such a
virus is in memory, running a scanner or integrity checker can result in all (or at least
many) programs becoming infected. Examples are the Dark Avenger and the Frodo
viruses.
Fast infectors are designed to infect as many files as possible. For instance, a fast
infector can infect every potential host file that is accessed. This poses a special problem
to anti-virus software, since a virus scanner will access every potential host file on a
computer when it performs a system-wide scan. If the virus scanner fails to notice that
such a virus is present in memory, the virus can piggy-back on the virus scanner and in
47
Chapter-1 : Computer Security – Gscheme -- 2017
this way infect all files that are scanned. Fast infectors rely on their fast infection rate to
spread. The disadvantage of this method is that infecting many files may make detection
more likely, because the virus may slow down a computer or perform many suspicious
actions that can be noticed by anti-virus software.

The term "SLOW infector" is sometimes used to refer to a virus that only
infect files as they are modified or as they are created. The purpose is to fool people who
use integrity checkers into thinking that modifications reported by their integrity
checker are due solely to legitimate reasons. An example is the Darth Vader virus.

Companion Virus
A type of computer virus that compromises a feature of DOS that enables software with
the same name, but different extensions, to operate with different priorities. For example
you may have program.exe on your computer, and the virus may create
a file called program.com. When the computer executes program.exe, the virus
runs program.com before program.exe is executed. In many cases, the real program will
run so users believe that the system is operating normally and aren't aware that a virus
was run on the system.

A specific type of virus where the infected code is stored not in the host program, but in
a separate ‗companion‘ file. For example, the virus might rename the standard
NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the
virus code. When the user subsequently runs the Notepad application, the virus will run
first and then pass control to the original program, so the user doesn‘t see anything
suspicious.

Companion viruses replicate by exploiting the precedence hierarchy according to which

the operating system executes program files based on their filename extensions. For
example, under MS-DOS files with the extension .BAT (batch files) are executed before
those with the extension of .COM which, in turn, are executed before those of an
extension of .EXE. Companion viruses can create standalone files containing their viral
code, but have a higher-precedence file extension or rename the "targeted" file with a
lower-precedence filename extension so the file containing the viral code is executed
before transferring control to the original program file (or activating its payload).
Another example of a companion virus on today‘s Windows platforms is one that exploits
the search order of DLL libraries. For example, if the malware copied itself as a DLL to
an application‘s directory, it would take precedence over the DLL with the same name in
the system directory, or in one of the directories specified by the PATH environment
variable.

Armored Virus

Placing ―armor‖ around a virus makes it difficult and time consuming for computer
experts to take the virus apart, understand how it works, and then design methods for
defeating it. New forms of armor are constantly being developed by virus creators

An ARMORED virus is one that uses special tricks to make tracing, disassembling and
understanding of its code more difficult. A good example is the Whale virus.
48
Chapter-1 : Computer Security – Gscheme -- 2017
An ARMORED virus is one which uses special tricks to make the tracing, disassembling
and understanding of their code more difficult. A good example is the Whale virus. Go
top a10) Miscellaneous Jargon and Abbreviations BSI = Boot Sector Infector: a virus
which takes control when the computer attempts to boot (as opposed to a file infector).
CMOS = Complementary Metal Oxide Semiconductor: A memory area that is used in AT
and higher class PCs for storage of system information. CMOS is battery backed RAM
(see below), originally used to maintain date and time information while the PC was
turned off. CMOS memory is not in the normal CPU address space and cannot be
executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot
hide there. DOS = Disk Operating System. We use the term "DOS" to mean any of the
MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are
operating systems called "DOS" on other (unrelated) machines. MBR = Master Boot

A type of virus that has been designed to thwart attempts by analysts from examining
its code by using various methods to make tracing, disassembling and reverse
engineering more difficult. An Armored Virus may also protect itself from antivirus
programs, making it more difficult to trace. To do this, the Armored Virus attempts to
trick the antivirus program into believing its location is somewhere other than where it
really is on the system.

Macro Virus
In computing terminology, a macro virus is a virus that is written in a macro language:
that is to say, a language built into a software application such as a word processor.
Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow
macro programs to be embedded in documents, so that the programs may be run
automatically when the document is opened, this provides a distinct mechanism by
which viruses can be spread. This is why it may be dangerous to open
unexpected attachments in e-mails. Modern antivirus software detects macro viruses as
well as other types.

A macro virus is a computer virus that "infects" a Microsoft Word or similar application
and causes a sequence of actions to be performed automatically when the application is
started or something else triggers it. Macro viruses tend to be surprising but relatively
harmless. A typical effect is the undesired insertion of some comic text at certain points
when writing a line. A macro virus is often spread as an e-mail virus. A well-known
example in March, 1999 was the Melissa virus virus.

Trojan Horse
A Trojan Horse is an email virus usually released by an email attachment. If opened, it
will scour your hard drive for any personal and financial information such as your social
security, account, and PIN numbers. Once it has collected your info, it is sent to a thief‘s
database.

Now, there are Trojan Horses and there are viruses, but there's no such thing as a
Trojan Horse virus. In fact, the very definition of each precludes any chance of there
being such a thing. A Trojan does not replicate. Viruses do. That fact alone means there
can never be a "Trojan Horse virus".

49
Chapter-1 : Computer Security – Gscheme -- 2017
"A Trojan Horse is an email virus usually released by an email attachment." Not so. A
Trojan may be sent as an attachment in email, but it's certainly not an email virus. (In
fact there are few true email viruses, but that's a whole other topic). So it may or may
not arrive in email, and it's equally likely to have been downloaded from a website or
resulted from a P2P file transfer. In other words, vector has nothing to do with whether
something is or isn't a Trojan.

what is a Trojan? A Trojan is a program that appears to be legitimate, but in fact does
something malicious. Quite often, that something malicious involves gaining remote,
surreptitious access to a user's system. Unlike viruses, a Trojan does not replicate (i.e.
infect other files), nor does it make copies of itself as worms do.

There are several different types of Trojans. Some of these include: remote access
Trojans (RATs), backdoor Trojans (backdoors), IRC Trojans (IRCbots), and keylogging
Trojans. Many Trojan encompass multiple types. For example, a Trojan may install both
a keylogger and a backdoor. IRC Trojans are often combined with backdoors and RATs
to create collections of infected computers known as botnets.

But one thing you probably won't find a Trojan doing is scouring your hard drive for
personal details, as the Visa description alleges. Contextually, that would be a bit of a
trick for a Trojan. Instead, this is where the keylogging functionality most often comes
into play - capturing the user's keystrokes as they type and sending the logs to the
attackers. Some of these keyloggers can be pretty sophisticated, targeting only certain
websites (for example) and capturing any keystrokes involved with that particular
session.

But why is it important to know the difference between a virus, a worm, and a Trojan?
Because a virus infects legitimate files, thus if antivirus software detects a virus, that file
should be cleaned. Conversely, if antivirus software detects a worm or a Trojan, there is
no legitimate file involved and action should be to delete the file.

The seven main types of Trojan horses are:

 Remote Access Trojans
 Data Sending Trojans
 Destructive Trojans
 Proxy Trojans
 FTP Trojans
 security software disabler Trojans
 denial-of-service attack (DoS) Trojans

A Trojan horse, or Trojan, is a non-self-replicating type of malware which gains

privileged access to the operating system while appearing to perform a desirable function
but instead drops a malicious payload, often including a backdoor allowing
unauthorized access to the target's computer. These backdoors tend to be invisible to
average users, but may cause the computer to run slow. Trojans do not attempt to inject
themselves into other files like a computer virus. Trojan horses may steal information, or
harm their host computer systems. Trojans may use drive-by downloads or install via
50
Chapter-1 : Computer Security – Gscheme -- 2017
online games or internet-driven applications in order to reach target computers. The
term is derived from the Trojan Horse story in Greek mythology because Trojan horses
employ a form of ―social engineering,‖ presenting themselves as harmless, useful gifts, in
order to persuade victims to install them on their computers.

The Difference Between a Computer Virus, Worm and Trojan Horse

Viruses, worms and Trojan Horses are all malicious programs that can cause damage to
your computer, but there are differences among the three.
One common mistake that people make when the topic of a computer virus arises is to
refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are
often used interchangeably, they are not exactly the same thing. Viruses, worms and
Trojan Horses are all malicious programs that can cause damage to your computer, but
there are differences among the three, and knowing those differences can help you
better protect your computer from their often damaging effects.

What Is a Virus?
A computer virus attaches itself to a program or file enabling it to spread from one
computer to another, leaving infections as it travels. Like a human virus, a computer
virus can range in severity: some may cause only mildly annoying effects while others
can damage your hardware, software or files. Almost all viruses are attached to
an executable file, which means the virus may exist on your computer but it actually
cannot infect your computer unless you run or open the malicious program. It is
important to note that a virus cannot be spread without a human action, (such as
running an infected program) to keep it going. Because a virus is spread by human
action people will unknowingly continue the spread of a computer virus by sharing
infecting files or sending emails with viruses as attachments in the email.

What Is a Worm?
A worm is similar to a virus by design and is considered to be a sub-class of a virus.
Worms spread from computer to computer, but unlike a virus, it has the capability to
travel without any human action. A worm takes advantage of file or information
transport features on your system, which is what allows it to travel unaided.
The biggest danger with a worm is its capability to replicate itself on your system, so
rather than your computer sending out a single worm, it could send out hundreds or
thousands of copies of itself, creating a huge devastating effect. One example would be
for a worm to send a copy of itself to everyone listed in your e-mail address book. Then,
the worm replicates and sends itself out to everyone listed in each of the receiver's
address book, and the manifest continues on down the line.
Due to the copying nature of a worm and its capability to travel across networks the end
result in most cases is that the worm consumes too much system
memory (or network bandwidth), causing Web servers, network servers and individual
computers to stop responding. In recent worm attacks such as the much-talked-about
Blaster Worm, the worm has been designed to tunnel into your system and allow
malicious users to control your computer remotely.

51
Chapter-1 : Computer Security – Gscheme -- 2017

What Is a Trojan horse?

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named
after. The Trojan Horse, at first glance will appear to be useful software but will actually
do damage once installed or run on your computer. Those on the receiving end of a
Trojan Horse are usually tricked into opening them because they appear to be receiving
legitimate software or files from a legitimate source. When a Trojan is activated on your
computer, the results can vary. Some Trojans are designed to be more annoying than
malicious (like changing your desktop, adding silly active desktop icons) or they can
cause serious damage by deleting files and destroying information on your system.
Trojans are also known to create a backdoor on your computer that gives malicious
users access to your system, possibly allowing confidential or personal information to be
compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other
files nor do they self-replicate.

What Are Blended Threats?

Added into the mix, we also have what is called a blended threat. A blended threat is a
more sophisticated attack that bundles some of the worst aspects of viruses, worms,
Trojan horses and malicious code into one single threat. Blended threats can use server
and Internet vulnerabilities to initiate, then transmit and also spread an attack.
Characteristics of blended threats are that they cause harm to the infected system or
network, they propagates using multiple methods, the attack can come from multiple
points, and blended threats also exploit vulnerabilities.
To be considered a blended thread, the attack would normally serve to transport
multiple attacks in one payload. For example it wouldn't just launch a DoS attack — it
would also, for example, install a backdoor and maybe even damage a local system in
one shot. Additionally, blended threats are designed to use multiple modes of transport.
So, while a worm may travel and spread through e-mail, a single blended threat could
use multiple routes including e-mail, IRC and file-sharing sharing networks.
Lastly, rather than a specific attack on predetermined .exe files, a blended thread could
do multiple malicious acts, like modify your exe files, HTML files and registry keys at the
same time — basically it can cause damage within several areas of your network at one
time.
Blended threats are considered to be the worst risk to security since the inception of
viruses, as most blended threats also require no human intervention to propagate.

Tips to Combat Viruses, Worms and Trojan Horses on Your Computer

Keep The Operating System Updated
The first step in protecting your computer from any malicious there is to ensure that
your operating system (OS) is up-to-date. This is essential if you are running a Microsoft
Windows OS. Secondly, you need to have anti-virus software installed on your system
and ensure you download updates frequently to ensure your software has the latest fixes
for new viruses, worms, and Trojan horses. Additionally, you want to make sure your
anti-virus program has the capability to scan e-mail and files as they are downloaded
from the Internet, and you also need to run full disk scans periodically. This will help
prevent malicious programs from even reaching your computer.

Use a Firewall

52
Chapter-1 : Computer Security – Gscheme -- 2017
You should also install a firewall. A firewall is a system that prevents unauthorized use
and access to your computer. A firewall can be either hardware or software. Hardware
firewalls provide a strong degree of protection from most forms of attack coming from the
outside world and can be purchased as a stand-alone product or in broadband routers.
Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be
less effective than a software firewall, as it could possibly ignore embedded worms in out
going e-mails and see this as regular network traffic.
For individual home users, the most popular firewall choice is a software firewall. A
good software firewall will protect your computer from outside attempts to control or
gain access your computer, and usually provides additional protection against the most
common Trojan programs or e-mail worms. The downside to software firewalls is that
they will only protect the computer they are installed on, not a network.
It is important to remember that on its own a firewall is not going to rid you of your
computer virus problems, but when used in conjunction with regular operating system
updates and a good anti-virus scanning software, it will add some extra security and
protection for your computer or network.

What is a Worm? (Computer virus)

Acomputer WORMis a self-contained program (or set of programs), that is able to spread
functional copies of itself or its segments to other computer systems (usually via
network connections).

Note that unlike viruses, worms do not need to attach themselves to a host program.
There are two types of worms--hostcomputer worms and network worms.

Hostcomputer wormsare entirely contained in the computer they run on and use
network connections only to copy themselves to other computers. Hostcomputer
wormswhere the original terminates itself after launching a copy on another host (so
there is only one copy ofthe wormrunning somewhere on the network at any given
moment), are sometimes called "rabbits."

Network worms consist of multiple parts (called "segments"), each running on different
machines (and possibly performing different actions) and using the network for several
communication purposes.

Propagating a segment from one machine to another is only one of those purposes.
Network worms that have one main segment which coordinates the work of the other
segments are sometimes called "octopuses."

The infamous Internet Worm (perhaps covered best in "The Internet Worm Program: An
Analysis," Eugene H. Spafford, PurdueTechnical ReportCSD-TR-823) was a
hostcomputer worm, while the Xerox PARC worms were network worms (a good starting
point for these is "The WormPrograms--Early Experience with a
DistributedComputation," Communications of theACM, 25, no.3, March 1982, pp. 172-
180).

53
Chapter-1 : Computer Security – Gscheme -- 2017
Avoiding Virus Infection Always being cautious about executing programs or opening
documents given to you is a good security practice. ―If you don‘t know where it came
from or where it has been, don‘t open or run it‖ should be the basic guideline for all
computer users.
Another security best practice for protecting against virus infection is to install and run
an antivirus program. Since these programs are designed to protect against known
viruses, it is also important to maintain an up-to-date listing of virus signatures for your
antivirus software. Antivirus software vendors provide this, and administrators should
stay on top of the latest updates to the list of known viruses.
Two advances in virus writing have made it more difficult for antivirus software to detect
viruses. These advances are the introduction of stealth virus techniques and polymorphic
viruses. A stealthy virus employs techniques to help evade being detected by antivirus
software that uses checksums or other techniques. Polymorphic viruses also attempt to
evade detection, but they do so by changing the virus itself (the virus ―evolves‖). Because
the virus changes, signatures for that virus may no longer be valid, and the virus may
escape detection by antivirus software.

Virus Hoaxes Viruses have caused so much damage in the last few years that many
Internet users have become extremely cautious anytime a rumor of a new virus is heard.
Many users will not connect to the Internet when they hear about a virus outbreak, just
to be sure they don‘t get infected themselves. This has given rise to virus hoaxes, in
which word is spread about a new virus and the extreme danger it poses. It may warn
users to not read certain files or connect to the Internet.
A good example of a virus hoax was the Good Times virus warning, which has been
copied repeatedly and can still be seen in various forms today. It caused widespread
panic as users read about this extremely dangerous virus, which could actually cause
the processor to overheat (from being put into an ―nth complexity infinite binary loop‖)
and be destroyed. Many folks saw through this hoax, but many less experienced users
did not, and they passed the warning along to all of their friends.
Hoaxes can actually be even more destructive than just wasting time and bandwidth.
Some hoaxes warning of a dangerous virus have included instructions to delete certain
files if found on the user‘s system. Unfortunately for those who follow the advice, the
files may actually be part of the operating system, and deleting them could keep the
system from booting properly. This suggests another good piece of security advice: make
sure of the authenticity and accuracy of any virus report before following somebody‘s
advice. Antivirus software vendors are a good source of factual data for this sort of
threat as well.

Trojan Horses
A Trojan horse, or simply Trojan, is a piece of software that appears to do one
thing (and may, in fact, actually do that thing) but that hides some other functionality.
The analogy to the famous story of antiquity is very accurate. In the original case, the
object appeared to be a large wooden horse, and in fact it was. At the same time, it hid
something much more sinister and dangerous to the occupants of the city. As long as
the horse was left outside the city walls, it could cause no damage to the inhabitants. It
had to be taken in by the inhabitants, and it was inside the hidden purpose was
activated. A computer
Trojan works in much the same way. Unlike a virus, which reproduces by
attaching itself to other files or programs, a Trojan is a standalone program that must be
54
Chapter-1 : Computer Security – Gscheme -- 2017
copied and installed by the user—it must be ―brought inside‖ the system by an
authorized user. The challenge for the attacker is enticing the user to copy and run the
program.
This generally means that the program must be disguised as something that the
user would want to run—a special utility or game, for example. Once it has been copied
and is ―inside‖ the system, the Trojan will perform its hidden purpose with the user
often still unaware of its true nature.
A good example of a Trojan is Back Orifice (BO), originally created in 1999 and
now in several versions. BO can be attached to a number of types of programs. Once it
is, and once an infected file is run, BO will create a way for unauthorized individuals to
take over the system remotely, as if they were sitting at the console. BO is designed to
work with Windows-based systems.
The single best method to prevent the introduction of a Trojan to your system is to
never
run software if you are unsure of its origin, security, and integrity. A virus-checking
program may also be useful in detecting and preventing the installation of known
Trojans.

Logic Bombs
Logic bombs, unlike viruses and Trojans, are a type of malicious software that is
deliberately installed, generally by an authorized user. A logic bomb is a piece of code
that sits dormant for a period of time until some event invokes its malicious payload. An
example of a logic bomb might be a program that is set to automatically load and run,
and that periodically checks an organization‘s payroll or personnel database for a
specific employee. If the employee is not found, the malicious payload executes, deleting
vital corporate files.
If the trigger is some event, such as not finding a specific name in the personnel
file, the code is referred to as a logic bomb. If the event is a specific date or time, the
program will often be referred to as a time bomb. In one famous example of a time bomb,
a disgruntled employee left a time bomb in place just prior to being fired from his job.
Two weeks later, thousands of client records were deleted. Police were able to eventually
track the malicious code to the disgruntled ex-employee, who was prosecuted for his
actions.
He had hoped that the two weeks that had passed since his dismissal would have
caused investigators to assume he could not have been the individual who had caused
the deletion of the records.
Logic bombs are difficult to detect because they are often installed by authorized
users and, in particular, have been installed by administrators who are also often
responsible for security. This demonstrates the need for a separation of duties and a
periodic review of all programs and services that are running. It also illustrates the need
to maintain an active backup program so that if your organization loses critical files to
this sort of malicious code, you only lose transactions since the most recent backup and
don‘t permanently lose the data.

Worms
Originally it was easy to distinguish between a worm and a virus. Recently, with
the introduction of new breeds of sophisticated malicious code, the distinction has
blurred.

55
Chapter-1 : Computer Security – Gscheme -- 2017
Worms are pieces of code that attempt to penetrate networks and computer
systems. Once a penetration occurs, the worm will create a new copy of itself on the
penetrated system. Reproduction of a worm thus does not rely on the attachment of the
virus to another piece of code or to a file, which is the definition of a virus.
The blurring of the distinction between viruses and worms has come about
because of the attachment of malicious code to e-mail. Viruses were generally thought of
as a system-based problem, and worms were network-based. If the malicious code is
sent throughout a network, it may subsequently be called a worm. The important
distinction, however, is whether the code has to attach itself to something else (a virus),
or if it can ―survive‖ on its own (a worm).

The Morris Worm The most famous example of a worm was the Morris worm in 1988.
Also sometimes referred to as the Internet worm, because of its effect on the early
Internet, the worm was able to insert itself into so many systems connected to the
Internet that it has been repeatedly credited with ―bringing the Internet to its knees‖ for
several days. It was this worm that provided the impetus for the creation of what was
once the Computer Emergency Response Team Coordination Center though is now
simply the CERT Coordination Center (CERT/CC) located at Carnegie Mellon University.

The Morris worm was created by a graduate student named Robert Morris. It
utilized several known vulnerabilities to gain access to a new system, and it also relied
on password guessing to obtain access to accounts. Once a system had been penetrated,
a small bootstrap program was inserted into the new system and executed. This
program then downloaded the rest of the worm to the new system. The worm had some
stealth characteristics to make it harder to determine what it was doing, and it suffered
from one major miscalculation. The worm would not be loaded if a copy of it was already
found on the new system, but it was designed to periodically ignore this check,
reportedly to ensure that the worm could not be easily eliminated. The problem with this
plan was that interconnected systems were constantly being reinfected. Eventually the
systems were running so many copies of the worm that the system response time
ground to a stop. It took a concerted effort by many individuals before the worm was
eliminated. While the Morris worm carried no malicious payload, it is entirely possible
for worms to do so.

Protection Against Worms How you protect a system against worms depends on the
type of worm. Those attached and propagated through e-mail can be avoided by
following the same guidelines about not opening files and not running attachments
unless you are absolutely sure of their origin and integrity. Protecting against the Morris
type of Internet worm involves securing systems and networks against penetration in the
same way you would protect your systems against human attackers. Install patches,
eliminate unused and unnecessary services, enforce good password security, and utilize
firewalls and intrusion detection systems.

War-Dialing and War-Driving

War-dialing is the term used to describe an attacker‘s attempt to discover
unprotected modem connections to computer systems and networks. The term‘s origin is
the 1983 movie War Games, in which the star has his machine systematically call a
sequence of phone numbers in an attempt to find a computer connected to a modem. In

56
Chapter-1 : Computer Security – Gscheme -- 2017
the case of the movie, the intent was to find a machine with games the attacker could
play, though obviously an attacker could have other purposes once access is obtained.
War-dialing is surprisingly successful, mostly because of rogue modems. These
are unauthorized modems attached to computers on a network by authorized users.
Generally the reason for attaching the modem is not malicious—the individual may
simply want to be able to go home and then connect to the organization‘s network in
order to continue working. The problem is that if a user can connect, so can an attacker.
If the authorized user has not implemented any security protection, this means of
access could be totally open. This is often the case. Most organizations have a strict
policy against connecting unauthorized modems, but it is hard to enforce this kind of
policy. Recently, new technology has been developed to address this common backdoor
into corporate networks. Telephone firewalls have been created, which block any
unauthorized modem connections into an organization. These devices make it
impossible for an unauthorized modem connection to be established and can also
enforce strict access policies on any authorized modems.
Another avenue of attack on computer systems and networks has seen a
tremendous increase over the last few years because of the increase in the use of
wireless networks.
Wireless networks have some obvious advantages—they free employees from
the cable connection to a port on their wall, allowing them to wander throughout the
building with their machine and still be connected. An employee could, for example,
leave their desk with their laptop and move to a conference room where they could then
make a presentation, all without ever having to disconnect their machine from the wall
or find a connection in the conference room.
The problem with wireless networks is that it is hard to limit access to them. Since
there is no physical connection, the distance that a user can go and still remain
connected is a function of the wireless network itself and where the various components
of the network are placed. In order to ensure access throughout a facility, stations are
often placed at numerous locations, some of which may actually provide access to areas
outside of the organization in order to ensure that the farthest offices in the organization
can be reached. Frequently access extends into adjacent offices or into the parking lot or
street. Attackers can locate these access areas that fall outside of the organization and
attempt to gain unauthorized access.
The term war-driving has been used to refer to the activity where attackers
wander throughout an area (often in a car) with a computer with wireless capability,
searching for wireless networks they can access. There are security measures that can
limit an attacker‘s ability to succeed at this activity, but, just as in war-dialing, the
individuals who set up the wireless networks don‘t always activate these security
mechanisms.

Social Engineering
Social engineering relies on lies and misrepresentation, which an attacker uses to
trick an authorized user into providing information or access the attacker would not
normally be entitled to. The attacker might, for example, contact a system administrator
pretending to be an authorized user in order to have a password reset. Another common
ploy is to pose as a representative from a vendor needing temporary access in order
to perform some emergency maintenance. Social engineering also applies to physical
access. Simple techniques include impersonating pizza or flower delivery personnel in
order to gain physical access to a facility.
57
Chapter-1 : Computer Security – Gscheme -- 2017
Attackers know that, due to poor security practices, if they can gain physical
access to an office, the chances are good that, given a little unsupervised time, a userid
and password pair might be found on a notepad or sticky note. Unsupervised access
may noteven be required, depending on how poor the security practices of the
organization are.
One of the authors of this book was once considering opening an account at a
bank near his home. As he sat down at the desk across from the bank employee taking
his information, the author noticed one of the infamous little yellow notes attached to
the computer monitor the employee was using. The note read ―password for July is
―julyjuly‖. It probably isn‘t too hard to guess what August‘s password might be.
Unfortunately, this is all too often the state of security practices in most organizations.
With that in mind, it is easy to see how social engineering might work and might provide
all the information needed to gain unauthorized access to a system or network.

Security Basics

Access Controls
Q.What is Access Control?List Different types of it?
Ans. The term access control has been used to describe a variety of protection schemes. It is sometimes
used to refer to all security features used to prevent unauthorized access to a computer system or
network. In this sense, it may be confused with authentication.
More properly, access is the ability of a subject (such as an individual or a process running on a computer
system) to interact with an object (such as a file or hardware device).
Authentication, on the other hand, deals with verifying the identity of a subject. To help understand the
difference, consider the example of an individual attempting to log in to a computer system or network.
Authentication is the process used to verify to the computer system or network that the individual is who
they claim to be. The most common method to do this is through the use of a userid and password. Once
the individual has verified their identity, access controls regulate what the individual can actually do
on the system. Just because a person is granted entry to the system, that does not mean that they should
have access to all data the system contains.
To further illustrate, consider another example. When you go to your bank to make a withdrawal, the
teller at the window will verify that you are indeed who you claim to be. This is usually done by asking you
to provide some form of identification with your picture on it, such as your driver‘s license. You may also
have to provide information such as your bank account number. Once the teller verifies your identity, you will have
proved that you are a valid (authorized) customer of this bank. This does not, however, mean that you
have the ability to view all information that the bank protects—such as your neighbor‘s balance. The teller
will control what information, and funds, you may have access to and will grant you access only to that
which you are authorized. In this example, your identification and bank account number serve as your
method of authentication and the teller serves as the access control mechanism.
In computer systems and networks, there are several ways that access controls can be implemented. An
access control matrix provides the simplest framework for illustrating the process. An example of an access
control matrix is provided in Table 1-1. In this matrix, the system is keeping track of two processes, two
files, and one hardware device.
Process 1 can read both File 1 and File 2 but can write only to File 1. Process 1 cannot access
Process 2, but Process 2 can execute Process 1. Both processes have the ability to write to the printer.
While simple to understand, the access control matrix is seldom used in computer systems because it is
extremely costly in terms of storage space and processing. Imagine the size of an access control matrix for
a large network with hundreds of users and thousands of files. The actual mechanics of how access
controls are implemented in a system varies, though access control lists (ACLs) are common. An ACL is
nothing more than a list that contains the subjects that have access rights to a particular object. The list
will identify not only the subject but the specific access that that subject has for the object. Typical types
of access include read, write, and execute as indicated in our example access control matrix.
No matter what specific mechanism is used to implement access controls in a computer system or
network, the controls should be based on a specific model of access. Several different models are

58
Chapter-1 : Computer Security – Gscheme -- 2017
discussed in security literature, including discretionary access control (DAC), mandatory access control
(MAC), and role-based access control (RBAC).
Discretionary Access Control
Both discretionary access control and mandatory access control are terms originally used by the military to describe two different
approaches to controlling what access an individual had on a system. As defined by the “Orange Book,” a Department of Defense
document that at one time was the standard for describing what constituted a trusted computing system, discretionary access
controls are “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The

controls are discretionary in the sense that a subject with a certain access permission is capable of
passing that permission (perhaps indirectly) on to any other subject.‖ While this may appear to many to
be typical ―government-speak‖ and confusing, the principle is really rather simple. In systems that employ
discretionary access controls, the owner of an object can decide which other subjects may have access to
the object and what specific access they may have. One common method to accomplish this is the
permission bits used in UNIX-based systems. The owner of a file can specify what permissions
(read/write/execute) members in the same group may have and also what permissions all others
may have. Access control lists are another common mechanism used to implement discretionary access
control.

Mandatory Access Control

A less frequently employed system for restricting access is mandatory access control.
This system, generally used only in environments where different levels of security
classifications exist, is much more restrictive of what a user is allowed to do. Again
referring to the Orange Book, we can find a definition for mandatory access controls,
which is ―a means of restricting access to objects based on the sensitivity (as
represented by a label) of the information contained in the objects and the formal
authorization (i.e., clearance) of subjects to access information of such sensitivity.‖ In
this case, the owner or subject can‘t determine whether access is to be granted to
another subject; it is the job of the operating system to decide. In MAC, the security
mechanism controls access to all objects and individual subjects cannot change that
access. The key here is the label attached to every subject and object. The label will
identify the level of classification for that object and the level that the subject is entitled
to. Think of military security classifications such as Secret and Top Secret. A file that
has been identified as Top Secret (has a label indicating that it is Top Secret) may be
viewed only by individuals with a Top Secret clearance. It is up to the access control
mechanism to ensure that an individual with only a Secret clearance never gains access
to a file labeled as Top Secret. Similarly, a user cleared for Top Secret access will not be
allowed by the access control mechanism to change the classification of a file labeled as
Top Secret to Secret or to send that Top Secret file to a user cleared only for Secret
information. The complexity of such a mechanism can be further understood when you
consider today‘s windowing environment. The access control mechanism will not allow a
user to cut a portion of a Top Secret document and paste it into a window containing a
document with only a Secret label. It is this separation of differing levels of classified

59
Chapter-1 : Computer Security – Gscheme -- 2017
information that results in this sort of mechanism being referred to as multilevel
security. A final comment should be made: just because a subject has the appropriate
level of clearance to view a document, that does not mean that they will be allowed to do
so. The concept of ―need to know,‖ which is a discretionary access control concept, also
exists in mandatory access control mechanisms.

Role-Based Access Control

Access control lists can be cumbersome and can take time to administer properly.
Another access control mechanism that has been attracting increased attention is the
role-based access control (RBAC). In this scheme, instead of each user being assigned
specific access permissions for the objects associated with the computer system or
network, that user is assigned a set of roles that the user may perform. The roles are in
turn assigned the access permissions necessary to perform the tasks associated with the
role. Users will thus be granted permissions to objects in terms of the specific duties
they must perform—not of a security classification associated with individual objects.

Q.Write short note on Authentication

Ans. Authentication
Access controls define what actions a user can perform or what objects a user can have
access to. These controls assume that the identity of the user has been verified. It is the
job of authentication mechanisms to ensure that only valid users are admitted.
Described another way, authentication is using some mechanism to prove that you are
who you claim to be. There are three general methods used in authentication. In order
to verify your identity, you can provide:
• Something you know
• Something you have
• Something about you (something that you are)
The most common authentication mechanism is to provide something that only
you, the valid user, should know. The most frequently used example of this is the
common userid (or username) and password. In theory, since you are not supposed to
share your password with anybody else, only you should know your password, and thus
by providing it you are proving to the system that you are who you claim to be. In
theory, this should be a fairly decent method to provide authentication. Unfortunately,
for a variety of reasons, such as the fact that people have a tendency to choose very poor
and easily guessed passwords, this technique to provide authentication is not as reliable
as it should be. Other authentication mechanisms are consequently always being
developed and deployed.
Another method to provide authentication involves the use of something that only
valid users should have in their possession. A physical-world example of this would be a
simple lock and key. Only those individuals with the correct key will be able to open the
lock and thus provide admittance to your house, car, office, or whatever the lock was
protecting. A similar method can be used to authenticate users for a computer system or
network (though the key may be electronic and may reside on a smart card or similar
device).
The problem with this technology is that people will lose their keys (or cards),
which means they can‘t log in to the system and somebody else who finds the key may
then be able to access the system, even though they are not authorized. To address this
problem, a combination of the something-you-know/something-you-have methods is
often used so that the individual with the key may also be required to provide a
60
Chapter-1 : Computer Security – Gscheme -- 2017
password or passcode. The key is useless unless you know this code. An example of this
is the ATM card most of us carry. The card is associated with a personal identification
number (PIN), which only you should know. Knowing the PIN without having the card is
useless, just as having the card without knowing the PIN will also not provide you
access to your account.
The third general method to provide authentication involves something that is
unique about you. We are used to this concept in our physical world, where people‘s
fingerprints, or a sample of their DNA, can be used to identify them. This same concept
can be used to provide authentication in the computer world. The field of authentication
that uses something about you or something that you are is known as biometrics. A
number of different mechanisms can be used to accomplish this type of authentication,
such as a voice print, a retinal scan, or hand geometry. All of these methods obviously
require some additional hardware in order to operate. While these three approaches to
authentication appear to be easy to understand and in most cases easy to implement,
authentication is not to be taken lightly, since it is such an important component of
security. Potential attackers are constantly searching for ways to get past the system‘s
authentication mechanism, and there have been some fairly ingenious methods
employed to do so. Consequently, security professionals are constantly devising new
methods, building on these three basic approaches, to provide authentication
mechanisms for computer systems and networks.

Q.Describe methods of Defense

Security is the process of ensuring the confidentiality, integrity, authenticity, non-
repudiation, and availability of electronic communications and transactions. To ensure
the security of an e-business and e-commerce it is necessary to implement security
policies and technologies that enable trusted electronic transactions and
communalizations. The methods for ensuring security in systems include:
Authentication
Authentication is the process of determining whether someone or something is, in fact,
who or what it is declared to be. In private and public computer networks (including the
Internet), authentication is commonly done through the use of logon pas words.
Knowledge of the password is assumed to guarantee that that user is authentic. Each
user registers initially (or is registered by someone else), using an assigned or self-
declared password. On each subsequent use, the user must know and use the
previously declared password. The weakness in this system for transactions that are-
significant (such as the exchange of money) is that passwords can often be stolen,
accidentally revealed, or forgotten.
For this reason, Internet business and many other transactions require a more stringent
authentication process. The use of digital certificates issued and verified by a Certificate
Authority (CA) as part of a PM is considered likely to become the standard way to
perform authentication on the Internet. Logically, authentication precedes authorization
(although they may often seem to be combined).
Authorization:
Authorization is the process of giving someone permission to do or have something. In
multi-u4er computer systems, a system administrator defines for the system which
users are allowed access to the system and what privileges of use (such as access to
which file directories, hours of access, amount of allocated storage space, and so forth).
Assuming that someone has logged in to a computer operating system or aç4plication,

61
Chapter-1 : Computer Security – Gscheme -- 2017
the system or application may want to identify what resources the user can be given
during this session. Thus, authorization is sometimes seen as both the preliminary
setting up of permissions by a system administrator and the actual checking of the
permission values that have been set up when a user is getting access. Logically,
authorization is preceded by authentication.

Cryptography:
Cryptography mathematical methods and techniques are used to ensure the
confidentiality, integrity and non-repudiation of communications and transactions.
Cryptography will be discussed in detail in next chapter.

Risks Analysis:
In order for an effective security strategy to be implemented, assets must be identified,
probable risks determined, and an approximate value placed on organizational assets.
Value in an intangible electronic medium can sometimes be difficult to determine.
However the enterprise must assess the value of issues like reputation, customer
confidence, financial fraud, disclosure of proprietary information, and trade secrets.
After a detailed risk analysis is conducted, cost- effective e-business and e-commerce
enabling policies, processes, and procedures can be developed to minimize the risk of
unauthorized access and disclosure of organizational assets. Costs associated with
minimizing risks should never exceed the cost of replacing the asset.
Security Policy:
It is essential that easy-to-understand and enforceable security policies be documented
and disseminated to all e-business and e-commerce constituencies including employees,
customers, partners, and suppliers. Security policies should clearly define the proper
use of network resources and e-business assets. Roles and responsibilities- need to be
defined for policy creation, revision, and implementation. Security technologies are
designed to implement, monitor, and verify organizational security policies. Processes
and procedures need to be established for the implementation and - maintenance of
authentication, authorization, accounting, and cryptography standards in support of the
e business and e-commerce. In order for a secure e-business and e-commerce initiative
to be effective it Is critical that an organization establish simple and effective ground
rules for the proper use of network resources and assets.

Audit and Assessment:

The purpose of a security assessment is to determine the effectiveness of the
current security infrastructure by identi1 the extent of network-level vulnerabilities and
the organization‘s ability to monitor, detect, and respond to network-driven attacks.

Legal framework:
To fight against the crime the cyber laws has been adopted by the various
countries of the world. In 1996, the United Nations Commission on International Trade
Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Commerce. Its
consent is to harmonize and unify international trade law to remove unnecessary legal
obstacles. The Model Law is prepared to serve as a model to countries for the evaluation
and modernization of certain aspects of their laws and practices in the field of
commercial relationship involving the use of computerized or other modern
communication technique, and for the establishment of relevant legislation where none
presently exist.
62
Chapter-1 : Computer Security – Gscheme -- 2017
The model law enables or facilitates the use of electronic commerce and provides
equal treatment to users of paper-based documentation and to the users of computer-
based information. Depending on the situation in each enacting State, the Model Law
could be implemented in various ways, either as a single statute or in several pieces of
legislation
In addition to information technology act of .the respective countries the
international rules and regulate has strengthen the power against cyber crimes. The
International Corporation for Assigned Names and Numbers (ICANN) has adopted
Uniform Domain Name Dispute Resolution Policy to resolve domains name disputes.
World Intellectual Property Organization (WIPO) has prepared new copyright treaties viz,
the Copyright treaty, and the Performance and Phonograms treaty to fight against
Intellectual Property and Licensing.

Controls:
Above mentioned methods of defense like authentication, authorization and
cryptography are implemented using various Hardware and Software controls.

Different hardware controls like smart cards, firewalls, intrusion detection system, locks
or cables limiting access, devices to verify user‘s identities etc. are used.
Software controls that aids in a secure computing environment are internal
program controls that are themselves parts of the program and enforce security
restrictions, operating system and network. System controls are the limitations enforced
by operating systems or networks. Independent control programs are the application
programs which verifies passwords, detect intrusion, scans viruses etc. Quality
standards that are enforced in software development like cycle to prevent software faults
from becoming exploitable vulnerabilities.

63
Chapter-1 : Computer Security – Gscheme -- 2017
Q.What is Kerberos and CHAP describe
Ans. Kerberos
Developed as part of MIT‘s project Athena, Kerberos is a network authentication protocol
designed for a client/server environment. Taking its name from the three-headed
dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently
insecure environment. Kerberos uses strong encryption so that a client can prove its
identity to a server and the server can in turn authenticate itself to the client. The basis
for authentication in a Kerberos environment is something known as a ticket. Tickets are
granted by the authentication server, which is an entity trusted by both the client and
the server the client wishes to access. The client can then present this ticket to the
server to provide proof of identity. Since the entire session can be encrypted, this will
eliminate the inherently insecure transmission of items such as a password that can be
intercepted on the network. Since the tickets are time-stamped, attempting to reuse
them will not be successful. To illustrate how the Kerberos authentication service works,
think about the common driver‘s license. You have received a license that you can
present to other entities to prove you are who you claim to be. Because these other
entities trust the state the license was issued in, they will accept your license as proof of
your identity. The state the license was issued in is analogous to the Kerberos
authentication service. It is the trusted entity both sides rely on to provide valid
identifications. This analogy is not perfect, because we all probably have heard of
individuals who obtained a phony driver‘s license, but it serves to illustrate the basic
idea behind Kerberos.

CHAP
CHAP, the Challenge Handshake Authentication Protocol, is used to provide
authentication across a point-to-point link using the Point-to-Point Protocol (PPP). In
this protocol, authentication after the link has been established is not mandatory. CHAP
is designed to provide authentication periodically through the use of a
challenge/response system sometimes described as a three-way handshake, as
illustrated in Figure . The initial challenge (a randomly generated number) is sent to the
client.

The client uses a one-way hashing function to calculate what the response should be
and then sends this back. The server compares the response with what it calculated the
response should be. If it matches, communication continues. If the two values don‘t
match, then the connection is terminated. This mechanism relies on a shared secret
between the two entities so that the correct values can be calculated.

Certificates

64
Chapter-1 : Computer Security – Gscheme -- 2017
Certificates are a method to establish authenticity of specific objects such as an
individual‘s public key (more on this specific subject in Chapter 10) or downloaded
software. A digital certificate is generally seen as an attachment to a message and is
used to verify that the message did indeed come from the entity it claims to have come
from. The digital certificate can also contain a key that can be used to encrypt further
communication.

Tokens
A token is a hardware device that can be used in a challenge/response authentication
process. In this way, it functions as both a something-you-have and something- you-
know authentication mechanism. There have been several variations on this type of
device, but they all work on the same basic principles. The device has an LCD screen
and may or may not have a numeric keypad. Devices without a keypad will display a
password (often just a sequence of numbers) that changes at a constant interval, usually
about every 60 seconds. When an individual attempts to log in to a system, they enter
their own user identification number and then the number that is showing on the LCD.
The system knows which device they have and is synchronized with it so that it will
know the number that should have been displayed. Since this number is constantly
changing, a potential attacker who is able to see the sequence will not be able to use it
later, since the code will have changed. Devices with a keypad work in a similar fashion
(and may also be designed to function as a simple calculator). The individual who wants
to log in to the system will first type their personal identification number into the
calculator. They will then attempt to log in. The system will then provide a challenge;
the user must enter that challenge into the calculator and press a special function key.
The calculator will then determine the correct response and display it. The user provides
the response to the system they are attempting to log in to, and the system verifies that
this is the correct response. Since each user has a different PIN, two individuals
receiving the same challenge will have different responses. The device can also use the

date or time as a variable for the response calculation so that the same challenge at
different times will yield different responses, even for the same individual.

Multifactor
Multifactor is a term used to describe the use of more than one authentication
mechanism at the same time. An example of this is the hardware token, which requires
both a personal identification number or password and the device itself to determine the
correct response in order to authenticate to the system. This means that both the
something- you-have and something-you-know mechanisms are used as factors in
verifying authenticity of the user. Biometrics are also often used in conjunction with a
personal identification number so that they too can be used as part of a multifactor
authentication scheme, in this case something you are as well as something you know.
The purpose of multifactor authentication is to increase the level of security, since more
than one mechanism would have to be spoofed in order for an unauthorized individual
to gain access to a computer system or network. The most common example of
multifactor security is the common ATM card most of us have in our wallets.

Mutual Authentication

65
Chapter-1 : Computer Security – Gscheme -- 2017
Mutual authentication is a term used to describe a process in which each side of an
electronic communication verifies the authenticity of the other. We are used to the idea
of having to authenticate ourselves to our Internet service provider (ISP) before we
access the Internet, generally through the use of a user identification/password pair,
but how do we actually know that we are really communicating with our ISP and not
some other system that has somehow inserted itself into our communication (a man-in-
the-middle attack). Mutual authentication would provide a mechanism for each side of a
client/ server relationship to verify the authenticity of the other to address this issue.

Board Question Paper Solution

Sample Paper -1
a. List and Describe basic components of computer security
Ans.Refer Q.No.

b. Describe the of denial of service attack with help of diagram.

Ans.Refer Q.No.

c. What is virus and Worms? Describe the virus spreading mechanism.

Ans.Refer Q.No.

d. Describe Threat , Vulnerability and attack as characteristics of Computer

Ans.Refer Q.No.

Sample Paper – II
a. Describe Criminal organization and Terrorist and Information warfare.
Ans.Refer Q.No.

b. What is attack, Describe DOS , DDOS , POD.

Ans.Refer Q.No.

c. Describe stealth virus , polymorphic virus , macro Virus ,Boot sector

virus.
Ans.Refer Q.No.

d. Describe in details different layers of security.

Ans.Refer Q.No.

e. What is threat , describe Interruption , modification , fabrication related

to threat.
Ans.Refer Q.No.

Winter 2008
a. Describe the following terms:
(i)Overwriting viruses (ii)Stealth viruses
Ans.Refer Q.No.

b. Describe the different phase of viruses

66
Chapter-1 : Computer Security – Gscheme -- 2017
Ans. Refer Q.No.

c. What is computer security? Describe any three function of computer

security
Ans. Refer Q.No.

d. With neat sketch diagram, explain the following:

(i) SYN flood attack (ii) Bucket-Bridge attack
Ans. Refer Q.No.

Summer 2009
a. Describe the term authentication. Explain authenticity
Ans. Refer Q.No.

b. Describe the term virus and worms with example.

Ans. Refer Q.No.

Winter 2009
a. Compare Intruders and Insiders.
Ans. Refer Q.No.

b. Explain denial of service attack

Ans. Refer Q.No.

c. Explain different methods of authentication.

Ans. Refer Q.No.

d. What are the different ways of spoofing ? Explain

Ans. Refer Q.No.

Summer 2010
a. List and describe basic component of computer security.
Ans. Refer Q.No.

b. Define the terms data security, information security n/w security and
computer security
Ans. Refer Q.No.

c. What is virus and worm? Describe the worms spreading mechanism

Ans. Refer Q.No.

d. Describe Sniffing and Spoofing.

Ans. Refer Q.No.

e. Describe Trojan horse, Rabbit Bacterium and Scavenging.

Ans. Refer Q.No.

Question Bank
67
Chapter-1 : Computer Security – Gscheme -- 2017
Chapter-1
Q1. Describe the basic components of Computer Security.
Q2. Differentiate between Viruses and Worms.
Q3. Describe the term Viruses.
Q4. Describe the term Worms,
Q5. Describe the term Trojan Horse.
Q6. Describe the term Logic Bombs.
Q7. Discuss why insiders are considered such a threat to organization?
Q8. What is Threats? Describe all types of Threats.
Q9. Describe the importance of Security.
Q10. What are the main types of PC Viruses?
Q11. Describe the term Polymorphic Virus.
Q12. List different types of attacks.
Q13. Describe the two categories of Viruses.
Q14. List the Triggers of the Virus Attack,
Q15. Describe the steps for protection against viruses.
Q16. Draw the structure of a worm.
Q17. Describe two example of worm.
Q18. What is meant by Attacks? List the types of Attack.
Q19. What is meant by Backdoors Attack?
Q20. What is meant by Trapdoors Attack?
Q21. Explain the operational model of computer security?
Q22. Explain in why the criminal organizations are to flow into the structured threat
category?
Q23. What is Information warfare? Why many nations are conducting Information
warfare?
Q24. What are different possible ways of attack?
Q25. Explain the Backdoor and Trapdoor attacks?
Q26. What are different ways of spoofing?
Q27. Describe the term Denial of Service (DOS) Attack.
Q28. Describe the term Sniffing.
Q29. Describe the term Spooling Attack.
Q30. Draw and describe the Man-in-the Middle Attack.
Q31. What is TCP/IP Hijacking?
Q32. What is CIA of a security?
Q33. what are layers of security?
Q34. Explain different models of access controls?
Q35. Explain different methods of authentication?
Q36. Describe the basic components of Computer Security?
Q37. Differentiate between Viruses And Worms.
Q38. What is Threats? Describe all types of Threats.
Q39. What are the main types of PC Viruses?
Q40. Describe the two categories of Viruses.
Q41. List the triggers of the Virus Attack.
Q42. Describe the steps for protection against viruses.
Q43. Describe the term TCP/IP Hijacking
Q44. Describe the term Boot Sector Viruses.
Q45. Describe the layers of the Computer Security.
Q46. Describe the two methods used in Mandatory Access Control.
68
Chapter-1 : Computer Security – Gscheme -- 2017
Q47. Describe two Access Control Techniques.
Q48. Describe the term Memory Resident Viruses.
Q49. Describe the term TCP/IP Hijacking.
Q50. Describe the term Encryption Attacks.
Q51. Describe the term Malware.
Q52. List the types of Malicious Code.
Q53. List the characteristics of Virus.
Q54. Describe the term Boot Sector Viruses.
Q55. Describe the term Memory Resident Viruses.
Q56. Describe the details of Security Basics.
Q57. Describe the layers of Computer Security.
Q58. Describe two Access Control Techniques.
Q59. What are the two concept in Discretionary Access Control?
Q60. Describe the two methods used in Mandatory Access Control.
Q61. Describe the three primary rules for role Based Access Control
Q62. What is Authentication? List the two example.
Q63. Write a short note on
- DOS
- Sniffing
- Viruses
- Man-In-Middle attack

69